Get Indicator Metadata¶
POST /1.3/indicators/metadata
Warning
This endpoint has replaced GET /1.3/indicators/{value}/metadata and GET /1.3/indicators/metadata, which have been deprecated.
Description¶
Provide metadata associated with an indicator, including: indicatorType, value, priorityLevel, noteCount, sightings, firstSeen, lastSeen, enclaveIds, tags (each tag contains guid, name, and enclaveId attributes), source, notes, and guid. The metadata is determined based on the enclaves the user making the request has READ access to. The source attribute will only be returned if the indicator was submitted to Station through the “Submit Indicators” endpoint (POST /1.3/indicators) (docs here: https://docs.trustar.co/api/v13/indicators/submit_indicators.html ). If the indicator was extracted from a report that the user submitted to Station, it will not have a source attribute.
The request method must be POST because a JSON body is required for the request.
Parameters¶
The request JSON body must be a well-formed JSON list, where each entry is an object with the following values.
| Parameter | Required | Default | Description |
|---|---|---|---|
| value | X | The indicator value to query. | |
| indicatorType | The indicator type. This parameter is only necessary in rare cases where an indicator value has been associated with multiple types due to context. |
Note
If the indicatorType field is used, it must be present for all entries in the list.
Warning
If you experience repeated failures when querying this endpoint for the metadata for hundreds / thousands of indicators, try breaking your list into smaller lists of 500 indicators or less each.
Warning
Some IOCs just do not work with this endpoint and their presence in the list of indicators submitted to this endpoint will cause the entire endpoint call to fail and return an error. You may need to repeatedly split your list until you isolated those culprits. If you find them, send an email to support@trustar.co describing the situation and the measures you took, and a member of the customer success team will reach out to you to resolve it.
Response (200)¶
An indicator metadata object containing the metadata for the requested indicator.
Example Usage¶
“indicatorType” not specified:
curl -k -H "Content-Type: application/json" -X POST -d '[{"value":"1.2.3.4"}, {"value":"www.example.com"}]' -H "Authorization: Bearer {token}" "https://api.trustar.co/api/1.3/indicators/metadata"
“indicatorType” specified:
curl -k -H "Content-Type: application/json" -X POST -d '[{"value":"1.2.3.4", "indicatorType":"IP"}, {"value":"www.example.com", "indicatorType":"URL"]' -H "Authorization: Bearer {token}" "https://api.trustar.co/api/1.3/indicators/metadata"
Request Body¶
[
{
"value": "1.2.3.4"
},
{
"value": "www.example.com"
}
]
Response¶
[
{
"indicatorType": "IP",
"value": "1.2.3.4",
"priorityLevel": "LOW",
"noteCount": 3,
"sightings": 6,
"firstSeen": 1532495940000,
"lastSeen": 1532495940000,
"enclaveIds": [
"4dfb66f8-1dfc-406d-a0ed-b517ff043053"
],
"tags": [
{
"guid": "c05436cf-db96-41a9-b4bc-d182befcf961",
"name": "tag_2",
"enclaveId": "4dfb66f8-1dfc-406d-a0ed-b517ff043053"
},
{
"guid": "aaa4968c-39c9-4c2f-9591-5fa140fa388c",
"name": "tag_1",
"enclaveId": "4dfb66f8-1dfc-406d-a0ed-b517ff043053"
}
],
"source": "Somewhere",
"notes": [
"First note.", "Second note.", "Third note."
],
"guid": "IP|1.2.3.4"
},
{
"indicatorType": "URL",
"value": "www.example.com",
"priorityLevel": "LOW"
"noteCount": 3,
"sightings": 8,
"lastSeen": 1532495940000,
"enclaveIds": [
"4dfb66f8-1dfc-406d-a0ed-b517ff043053"
],
"tags": [
{
"guid": "7cf538a8-f8d5-469d-9dbb-9b3762ea7dbb",
"name": "a_different_tag",
"enclaveId": "4dfb66f8-1dfc-406d-a0ed-b517ff043053"
},
{
"guid": "c05436cf-db96-41a9-b4bc-d182befcf961",
"name": "tag_2",
"enclaveId": "4dfb66f8-1dfc-406d-a0ed-b517ff043053"
},
{
"guid": "aaa4968c-39c9-4c2f-9591-5fa140fa388c",
"name": "tag_1",
"enclaveId": "4dfb66f8-1dfc-406d-a0ed-b517ff043053"
}
],
"source": "Somewhere else",
"notes": [
"This is a note.", "This is a second note.", "This is third note."
],
"guid": "URL|www.example.com"
}
]