Get Indicator Metadata

POST /1.3/indicators/metadata

Warning

This endpoint has replaced GET /1.3/indicators/{value}/metadata and GET /1.3/indicators/metadata, which have been deprecated.

Description

Provide metadata associated with an indicator, including: indicatorType, value, noteCount, sightings, firstSeen, lastSeen, enclaveIds, tags (each tag contains guid, name, and enclaveId attributes), source, notes, and guid. Metadata attributes are calculated based on the enclaves included in the “enclaveIds” parameter. The source attribute will only be returned if the indicator was submitted to Station through the Submit Indicators endpoint. If the indicator was extracted from a report that the user submitted to Station, it will not have a source attribute.

The request method must be POST because a JSON body is required for the request.

Parameters

Query String Parameters

Parameter Required Default Description
enclaveIds   all enclaves the user account has read+ access to. Enclaves to consider when calculating metadata attribute values.

Request Body Parameters

The request JSON body must be a well-formed JSON list, where each entry is an object with the following values.

Parameter Required Default Description
value X   The indicator value to query.
indicatorType     The indicator type. This parameter is only necessary in rare cases where an indicator value has been associated with multiple types due to context.

Note

If the indicatorType field is used, it must be present for all entries in the list.

Response (200)

An indicator metadata object containing the metadata for the requested indicator.

Example 1:

(“indicatorType” not specified)

curl -k -H "Content-Type: application/json" \
-X POST  \
-d '[{"value":"1.2.3.4"}, {"value":"www.example.com"}]' \
-H "Authorization: Bearer {token}"  \
"https://api.trustar.co/api/1.3/indicators/metadata"

Request JSON body:

[
    {
        "value": "1.2.3.4"
    },
    {
        "value": "www.example.com"
    }
]

Example 2:

(“indicatorType” specified)

curl -k -H "Content-Type: application/json" \
    -X POST \
    -d '[{"value":"1.2.3.4", "indicatorType":"IP"}, {"value":"www.example.com", "indicatorType":"URL"}]'  \
    -H "Authorization: Bearer {token}"    \
    "https://api.trustar.co/api/1.3/indicators/metadata"

Request JSON body:

[
   {
      "value":"1.2.3.4",
      "indicatorType":"IP"
   },
   {
      "value":"www.example.com",
      "indicatorType":"URL"
   }
]

Response

(same for both examples)

Note

priorityLevel is present in the response but is deprecated.

 [
     {
         "indicatorType": "IP",
         "value": "1.2.3.4",
         "priorityLevel": "NOT_FOUND",
         "noteCount": 3,
         "sightings": 6,
         "firstSeen": 1532495940000,
         "lastSeen": 1532495940000,
         "enclaveIds": [
             "4dfb66f8-1dfc-406d-a0ed-b517ff043053"
         ],
         "tags": [
             {
                 "guid": "c05436cf-db96-41a9-b4bc-d182befcf961",
                 "name": "tag_2",
                 "enclaveId": "4dfb66f8-1dfc-406d-a0ed-b517ff043053"
             },
             {
                 "guid": "aaa4968c-39c9-4c2f-9591-5fa140fa388c",
                 "name": "tag_1",
                 "enclaveId": "4dfb66f8-1dfc-406d-a0ed-b517ff043053"
             }
         ],
         "source": "Somewhere",
         "notes": [
             "First note.", "Second note.", "Third note."
         ],
         "guid": "IP|1.2.3.4"
     },
     {
         "indicatorType": "URL",
         "value": "www.example.com",
         "priorityLevel": "NOT_FOUND"
         "noteCount": 3,
         "sightings": 8,
         "lastSeen": 1532495940000,
         "enclaveIds": [
             "4dfb66f8-1dfc-406d-a0ed-b517ff043053"
         ],
         "tags": [
             {
                 "guid": "7cf538a8-f8d5-469d-9dbb-9b3762ea7dbb",
                 "name": "a_different_tag",
                 "enclaveId": "4dfb66f8-1dfc-406d-a0ed-b517ff043053"
             },
             {
                 "guid": "c05436cf-db96-41a9-b4bc-d182befcf961",
                 "name": "tag_2",
                 "enclaveId": "4dfb66f8-1dfc-406d-a0ed-b517ff043053"
             },
             {
                 "guid": "aaa4968c-39c9-4c2f-9591-5fa140fa388c",
                 "name": "tag_1",
                 "enclaveId": "4dfb66f8-1dfc-406d-a0ed-b517ff043053"
             }
         ],
         "source": "Somewhere else",
         "notes": [
             "This is a note.", "This is a second note.", "This is third note."
         ],
         "guid": "URL|www.example.com"
     }
]