Get Indicator Summaries

POST /1.3/indicators/summaries

Description

Provides structured summaries about indicators, which are derived from intelligence sources on the TruSTAR Marketplace that the user has access to.

Reports from many sources on the TruSTAR Marketplace represent intelligence about specific indicators. TruSTAR extracts and normalizes the important information from these reports and presents it in the form of indicator summaries.

These summaries are not created by TruSTAR analysts; they are simply normalized representations of information extracted directly from reports from third-party intelligence sources on the TruSTAR Marketplace.

Response

The response JSON is a page of Indicator Summary objects.

Indicator Summary

A structured summary of an indicator, derived from data provided by an intelligence source about the indicator.

Field | Type | Description
value | String | The indicator’s value.
reportId | String | The ID of the report for this summary.
enclaveId | String | The ID of the report’s enclave.
source | IntelligenceSource | An object containing information about the source that the report came from.
score | IndicatorScore | The score of the report, according to the source.
created | Integer | The created or first-seen timestamp of the indicator, according to the source.
updated | Integer | The updated or last-seen timestamp of the indicator, according to the source.
description | String | The description of the indicator, according to the source.
attributes | List[IndicatorAttribute] | A list of attributes about the indicator, according to the source.

Indicator Attribute

An attribute of the indicator, derived from the data provided by the intelligence source.

Field | Type | Description
name | String | The name of the attribute, e.g. “Actors” or “Malware Families”.
value | Any | The value of the attribute, e.g. “North Korea” or “Emotet”.
logical_type | String | Describes how to interpret the value field; e.g. it could be “timestamp” if value is an integer.
description | String | A description of how to interpret this attribute. This corresponds to the attribute name, i.e. it will be the same for all attributes in a source with the same name.

Indicator Score

The indicator’s score, as provided by the intelligence source.

Field | Type | Description
name | String | The name of the score type, e.g. “Risk Score” or “Malicious Confidence”.
value | String | The value of the score, as directly extracted from the source, e.g. “HIGH” or “78”.

Intelligence Source

An object representing the intelligence source.

Field | Type | Description
key | String | A string that uniquely identifies the source, e.g. “virustotal”.
name | String | A human-readable name of the source, e.g. “VirusTotal”.

Parameters

The request JSON body must be a well-formed JSON list, where each entry is the string value of an indicator, as represented in the TruSTAR system.

Warning

The indicator values must exactly match values in the TruSTAR system. To perform a fuzzy match, you must first use the Search Indicators endpoint to look up the exact indicator values, then provide them to this endpoint.

Query String Parameters

Parameter | Required | Default | Description
enclaveIds | | all of the user’s enclaves | The enclaves to search for indicator summaries in. These should be enclaves containing data from sources on the TruSTAR Marketplace.
pageSize | | 25 | Size of the page to return. The maximum allowed size is 100.
pageNumber | | 0 | The page to start returning results from.

Response (200)

A page of IndicatorSummary objects.

Example Usage

curl -k -H "Content-Type: application/json" -X POST -d '["LOCKY", "23.121.54.102"]' -H "Authorization: Bearer {token}" "https://api.trustar.co/api/1.3/indicators/summaries?enclaveIds=fdb4676c-1e02-47ad-b19a-24e5867c5485"

Request Body

[
    "LOCKY",
    "23.121.54.102"
]

Response

{
    "pageNumber": 0,
    "totalPages": 1,
    "pageSize": 25,
    "totalElements": 2,
    "items": [
        {
            "reportId": "5dc52e41-4d22-43cc-92b2-bcca62f02a52",
            "updated": 1565074829435,
            "enclaveId": "fdb4676c-1e02-47ad-b19a-24e5867c5485",
            "source": {
                "key": "crowdstrike_indicator",
                "name": "CrowdStrike"
            },
            "type": "MALWARE",
            "value": "LOCKY",
            "score": {
                "name": "Malicious Confidence",
                "value": "high"
            },
            "attributes": [
                {
                    "name": "Malware Families",
                    "value": [
                        "njRAT"
                    ]
                },
                {
                    "name": "Indicator Type",
                    "value": "campaign_id"
                },
                {
                    "name": "Relations Count",
                    "value": 20
                }
            ]
        },
        {
            "reportId": "1af288dc-9479-44ca-8ea1-b25bcaa961e3",
            "updated": 1565074288021,
            "enclaveId": "fdb4676c-1e02-47ad-b19a-24e5867c5485",
            "source": {
                "key": "crowdstrike_indicator",
                "name": "CrowdStrike"
            },
            "type": "IP",
            "value": "23.121.54.102",
            "score": {
                "name": "Malicious Confidence",
                "value": "low"
            },
            "attributes": [
                {
                    "name": "IP Address Types",
                    "value": [
                        "TorProxy"
                    ]
                },
                {
                    "name": "Indicator Type",
                    "value": "ip_address"
                },
                {
                    "name": "Relations Count",
                    "value": 0
                }
            ]
        }
    ],
    "empty": false,
    "hasNext": false
}
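A small client for this endpoint, added here as an example (it is not TruSTAR's own SDK): it builds the POST with the exact-match indicator list as the bare JSON body and the paging and enclave parameters in the query string, walks result pages using hasNext and pageNumber, and flattens each summary's score and attributes into one record for enrichment. SAMPLE_PAGE is a constructed, abridged copy of the response above so the code runs offline; sending several enclaveIds as repeated query keys is an assumption, since the docs show only a single id.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request

# Constructed sample: an abridged copy of the response page shown above.
SAMPLE_PAGE = {"pageNumber": 0, "totalPages": 1, "hasNext": False, "items": [
    {"reportId": "5dc52e41-4d22-43cc-92b2-bcca62f02a52", "value": "LOCKY",
     "source": {"key": "crowdstrike_indicator", "name": "CrowdStrike"},
     "score": {"name": "Malicious Confidence", "value": "high"},
     "attributes": [{"name": "Malware Families", "value": ["njRAT"]},
                    {"name": "Relations Count", "value": 20}]},
    {"reportId": "1af288dc-9479-44ca-8ea1-b25bcaa961e3", "value": "23.121.54.102",
     "source": {"key": "crowdstrike_indicator", "name": "CrowdStrike"},
     "score": {"name": "Malicious Confidence", "value": "low"},
     "attributes": [{"name": "IP Address Types", "value": ["TorProxy"]}]}]}

def build_summaries_request(token, indicators, enclave_ids=(), page_size=25, page_number=0):
    """POST with the exact indicator values as a bare JSON list body, paging and enclave
    filter in the query string, bearer token in the header (TLS verification stays on)."""
    if not 1 <= page_size <= 100:  # the endpoint caps pageSize at 100
        raise ValueError("pageSize must be between 1 and 100")
    params = {"pageSize": page_size, "pageNumber": page_number}
    if enclave_ids:  # several ids as repeated query keys: an assumption, docs show one id
        params["enclaveIds"] = list(enclave_ids)
    url = "https://api.trustar.co/api/1.3/indicators/summaries?" + urlencode(params, doseq=True)
    headers = {"Content-Type": "application/json", "Authorization": "Bearer " + token}
    return Request(url, data=json.dumps(list(indicators)).encode(), headers=headers, method="POST")

def flatten_summary(item):
    """Flatten one IndicatorSummary; attribute values are 'Any', so lists are joined."""
    attrs = {}
    for attr in item.get("attributes", []):
        val = attr.get("value")
        attrs[attr["name"]] = ", ".join(map(str, val)) if isinstance(val, list) else str(val)
    score = item.get("score") or {}
    return {"value": item["value"], "source": item.get("source", {}).get("key"),
            "report_id": item.get("reportId"), "attributes": attrs,
            "score": f"{score.get('name')}={score.get('value')}" if score else None}

def iter_summaries(fetch_page, indicators, page_size=100):
    """Walk all pages via hasNext/pageNumber; fetch_page(indicators, size, number) returns
    the decoded JSON page, so an offline stub such as SAMPLE_PAGE can replace the API."""
    number = 0
    while True:
        page = fetch_page(indicators, page_size, number)
        for item in page.get("items", []):
            yield flatten_summary(item)
        if not page.get("hasNext"):
            return
        number += 1
```

To run against the live API, pass a fetch_page that sends build_summaries_request(...) with urllib.request.urlopen and returns json.load of the response.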