Get Indicator List

GET /1.3/indicators

Warning

Deprecated! This endpoint is still active for backwards-compatibility, but has been replaced by /1.3/indicators/search, which is much faster and more flexible than this one. To achieve the same results as this endpoint, use the search endpoint with an empty search term.

Note

The time range parameter for this endpoint will be truncated to 7 days.

Description

Returns a page of indicators from private enclaves that match the specified filters. This endpoint does not return indicators from Open-Source and Closed-Source enclaves.

All parameters are optional: if nothing is specified, the latest 50 indicators accessible by the user will be returned (matching the view the user would have by logging into Station).

The from and to parameters, if provided, filter indicators based on their last updated times, not their created times.

The result will contain a page key, which indicates the current result page. To get the next page, increment this value and request it as startPage in the query. The first page is page 0.

If you need indicators for a large date window, we strongly recommend running multiple queries of 5 days each against this endpoint and aggregating the results, because that takes significantly less time than querying with a large time window and cycling through all pages of the result. Every time you ask this endpoint for the next page, it re-runs the entire query against TruSTAR's database, flips through the result's pages, and returns the page you asked for. Cycling through the pages of a large query takes significantly more time (10x in testing) than breaking the query into 5-day chunks and aggregating the results.
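The chunk-and-aggregate approach recommended above, as an added example (not TruSTAR's own client code). It assumes the page parameter is `pageNumber`, as in the parameter table, and that an indicator is identified by its type and value. The helper names `time_chunks`, `http_fetch` and `collect_indicators` are hypothetical.

```python
import json
import urllib.parse
import urllib.request

API_URL = "https://api.trustar.co/api/1.3/indicators"  # from the page's curl example
CHUNK_MS = 5 * 24 * 60 * 60 * 1000  # 5-day windows, in milliseconds

def time_chunks(start_ms, end_ms, chunk_ms=CHUNK_MS):
    """Yield consecutive (from, to) windows of at most chunk_ms covering the range."""
    cur = start_ms
    while cur < end_ms:
        nxt = min(cur + chunk_ms, end_ms)
        yield cur, nxt
        cur = nxt

def http_fetch(token):
    """Build a fetch(params) callable that sends the authenticated GET request."""
    def fetch(params):
        url = API_URL + "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
        # urlopen verifies the server certificate by default; keep it that way.
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def collect_indicators(fetch, start_ms, end_ms, page_size=1000, **filters):
    """Query each 5-day window separately, page through it, and merge the results."""
    merged = {}
    for frm, to in time_chunks(start_ms, end_ms):
        page = 0
        while True:
            body = fetch({"from": frm, "to": to, "pageSize": page_size,
                          "pageNumber": page, **filters})
            for item in body.get("items", []):
                # Assumption: (type, value) identifies an indicator, so one that
                # shows up in two adjacent windows is kept only once.
                merged[(item["indicatorType"], item["value"])] = item
            if not body.get("hasNext"):
                break
            page = body.get("page", page) + 1
    return list(merged.values())
```

Call it as `collect_indicators(http_fetch(access_token), start_ms, end_ms, enclaveIds="...")`; any other filter from the parameter table can be passed the same way.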

Parameters

| Parameter | Required | Default | Description |
|---|---|---|---|
| from | | 7 days ago | Start of time window (Unix timestamp - milliseconds since epoch). Values more than 7 days before to will be truncated to reduce the time range to a max size of 7 days. |
| to | | current time | End of time window (Unix timestamp - milliseconds since epoch). |
| pageSize | | 100 | Size of page to return within time range. Max allowed size is 1000. |
| pageNumber | | 0 | The page to start returning results from. |
| enclaveIds | | all enclaves (PRIVATE only) the user has READ or FULL access to | Comma-separated list of PRIVATE enclave IDs to search for indicators in. |
| tagIds | | | A list of tag IDs to filter by: only reports containing ALL of these tags will be returned. |
| excludedTagIds | | | A list of tag IDs to exclude: reports containing ANY of these tags will be excluded from the results. |

Response (200)

A page of Indicator objects, sorted by updated time, descending. Response will contain page and hasNext fields, indicating the current page number for the results and whether there are additional results.

Example Usage

Request

curl -X GET -H "Authorization: Bearer {access_token}" \
   "https://api.trustar.co/api/1.3/indicators?pageSize=5&enclaveIds=955df9ff-0b68-4934-a680-f3ae2c867445,a3c36b7f-e1cd-47c3-8f6b-8e81c134a4ae&from=1521755469007&to=1522360269007&tagIds=81d0d8db-a12c-40fd-ad17-71d31ccf027a&excludedTagIds=a2259ea3-83c3-4bcc-8385-d19423878342"

Response

{
    "page": 0,
    "hasNext": true,
    "items": [
        {
            "indicatorType": "URL",
            "value": "www.api.com"
        },
        {
            "indicatorType": "URL",
            "value": "www.hello.com"
        },
        {
            "indicatorType": "URL",
            "value": "www.emailing.com"
        },
        {
            "indicatorType": "URL",
            "value": "www.emailed.com"
        },
        {
            "indicatorType": "URL",
            "value": "www.dream.com"
        }
    ]
}