Get Indicator Metadata
POST /1.3/indicators/metadata
Warning
This endpoint has replaced GET /1.3/indicators/{value}/metadata and GET /1.3/indicators/metadata, which have been deprecated.
Description
Provide metadata associated with an indicator, including: indicatorType, value, noteCount, sightings, firstSeen, lastSeen, enclaveIds, tags (each tag contains guid, name, and enclaveId attributes), source, notes, and guid. Metadata attributes are calculated based on the enclaves included in the “enclaveIds” parameter. The source attribute will only be returned if the indicator was submitted to Station through the Submit Indicators endpoint. If the indicator was extracted from a report that the user submitted to Station, it will not have a source attribute.
The request method must be POST because a JSON body is required for the request.
Parameters
Query String Parameters
Parameter | Required | Default | Description |
---|---|---|---|
enclaveIds | | all enclaves the user account has read+ access to. | Enclaves to consider when calculating metadata attribute values. |
Request Body Parameters
The request JSON body must be a well-formed JSON list, where each entry is an object with the following values.
Parameter | Required | Default | Description |
---|---|---|---|
value | X | | The indicator value to query. |
indicatorType | | | The indicator type. This parameter is only necessary in rare cases where an indicator value has been associated with multiple types due to context. |
Note
If the indicatorType field is used, it must be present for all entries in the list.
Response (200)
A list of indicator metadata objects containing the metadata for the requested indicators.
Example 1:
(“indicatorType” not specified)
curl -H "Content-Type: application/json" \
  -X POST \
  -d '[{"value":"1.2.3.4"}, {"value":"www.example.com"}]' \
  -H "Authorization: Bearer {token}" \
  "https://api.trustar.co/api/1.3/indicators/metadata"
Request JSON body:
[
  {
    "value": "1.2.3.4"
  },
  {
    "value": "www.example.com"
  }
]
Example 2:
(“indicatorType” specified)
curl -H "Content-Type: application/json" \
  -X POST \
  -d '[{"value":"1.2.3.4", "indicatorType":"IP"}, {"value":"www.example.com", "indicatorType":"URL"}]' \
  -H "Authorization: Bearer {token}" \
  "https://api.trustar.co/api/1.3/indicators/metadata"
Request JSON body:
[
  {
    "value": "1.2.3.4",
    "indicatorType": "IP"
  },
  {
    "value": "www.example.com",
    "indicatorType": "URL"
  }
]
Response
(same for both examples)
Note
priorityLevel is present in the response but is deprecated.
[
  {
    "indicatorType": "IP",
    "value": "1.2.3.4",
    "priorityLevel": "NOT_FOUND",
    "noteCount": 3,
    "sightings": 6,
    "firstSeen": 1532495940000,
    "lastSeen": 1532495940000,
    "enclaveIds": [
      "4dfb66f8-1dfc-406d-a0ed-b517ff043053"
    ],
    "tags": [
      {
        "guid": "c05436cf-db96-41a9-b4bc-d182befcf961",
        "name": "tag_2",
        "enclaveId": "4dfb66f8-1dfc-406d-a0ed-b517ff043053"
      },
      {
        "guid": "aaa4968c-39c9-4c2f-9591-5fa140fa388c",
        "name": "tag_1",
        "enclaveId": "4dfb66f8-1dfc-406d-a0ed-b517ff043053"
      }
    ],
    "source": "Somewhere",
    "notes": [
      "First note.", "Second note.", "Third note."
    ],
    "guid": "IP|1.2.3.4"
  },
  {
    "indicatorType": "URL",
    "value": "www.example.com",
    "priorityLevel": "NOT_FOUND",
    "noteCount": 3,
    "sightings": 8,
    "lastSeen": 1532495940000,
    "enclaveIds": [
      "4dfb66f8-1dfc-406d-a0ed-b517ff043053"
    ],
    "tags": [
      {
        "guid": "7cf538a8-f8d5-469d-9dbb-9b3762ea7dbb",
        "name": "a_different_tag",
        "enclaveId": "4dfb66f8-1dfc-406d-a0ed-b517ff043053"
      },
      {
        "guid": "c05436cf-db96-41a9-b4bc-d182befcf961",
        "name": "tag_2",
        "enclaveId": "4dfb66f8-1dfc-406d-a0ed-b517ff043053"
      },
      {
        "guid": "aaa4968c-39c9-4c2f-9591-5fa140fa388c",
        "name": "tag_1",
        "enclaveId": "4dfb66f8-1dfc-406d-a0ed-b517ff043053"
      }
    ],
    "source": "Somewhere else",
    "notes": [
      "This is a note.", "This is a second note.", "This is third note."
    ],
    "guid": "URL|www.example.com"
  }
]
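The request rules and response fields above, exercised in a small Python client. This is an added example, not TruSTAR's code or SDK: the function names are hypothetical, the sample response is constructed from the one on this page, and it assumes firstSeen and lastSeen are Unix epoch milliseconds.

```python
import json
import urllib.request
from datetime import datetime, timezone

ENDPOINT = "https://api.trustar.co/api/1.3/indicators/metadata"  # from the curl examples

def build_body(indicators):
    """(value, indicatorType-or-None) pairs -> JSON list for the request body."""
    typed = [t is not None for _, t in indicators]
    if any(typed) and not all(typed):
        # Page's Note: if indicatorType is used, every entry must carry it.
        raise ValueError("indicatorType must be set on every entry or on none")
    return [{"value": v} if t is None else {"value": v, "indicatorType": t}
            for v, t in indicators]

def fetch_metadata(token, indicators):
    """POST the list; urllib verifies the server certificate by default."""
    req = urllib.request.Request(
        ENDPOINT, data=json.dumps(build_body(indicators)).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def ts_iso(ms):
    # Assumption: firstSeen/lastSeen are Unix epoch milliseconds (UTC).
    return None if ms is None else datetime.fromtimestamp(ms / 1000, timezone.utc).isoformat()

def summarize(entry):
    """Flatten one metadata object; firstSeen and source may be absent."""
    return {
        "guid": entry["guid"],
        "sightings": entry.get("sightings", 0),
        "firstSeen": ts_iso(entry.get("firstSeen")),
        "lastSeen": ts_iso(entry.get("lastSeen")),
        "tags": sorted(t["name"] for t in entry.get("tags", [])),
        "has_source": "source" in entry,  # only set for Submit Indicators submissions
    }

# Constructed sample, trimmed from the response above; entry 2 has no firstSeen or source.
SAMPLE = [
    {"guid": "IP|1.2.3.4", "sightings": 6, "firstSeen": 1532495940000,
     "lastSeen": 1532495940000, "source": "Somewhere",
     "tags": [{"name": "tag_2"}, {"name": "tag_1"}]},
    {"guid": "URL|www.example.com", "sightings": 8,
     "lastSeen": 1532495940000, "tags": []},
]

if __name__ == "__main__":
    print(json.dumps([summarize(e) for e in SAMPLE], indent=2))
```

fetch_metadata needs a valid bearer token and network access; build_body and summarize run offline against the sample.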