Get Phishing Indicators
POST /1.3/triage/indicators
Description
Returns a paginated list of indicators found in phishing submissions that fit the given criteria.
Query String Parameters
Parameter | Required | Default | Description |
---|---|---|---|
pageSize | | 25 | The number of results per page. Max allowed size is 1000. |
Request Body Parameters
Parameter | Required | Default | Description |
---|---|---|---|
from | | 24 hours ago | Start of time window as a Unix timestamp (milliseconds since epoch). The start of the time window must be within 1 month from the current time. |
to | | current time | End of time window as a Unix timestamp (milliseconds since epoch). |
normalizedIndicatorScore | | [3] | List of normalized indicator scores. |
priorityEventScore | | [-1, 0, 1, 2, 3] | List of priority scores; only indicators found in phishing submissions marked with one of these scores will be returned. |
status | | ["UNRESOLVED"] | List of statuses for submissions; only indicators found in phishing submissions marked with one of these statuses will be returned. |
enclaveIds | | All enclaves the user has READ access to | Comma-separated list of enclave ids. |
cursor | | pageNumber: 0 | A Base64-encoded string that contains information on how to retrieve the next page. If you don't pass a cursor value, it will default to retrieve the first page. NOTE: This is a system generated string that is returned as the nextCursor value in the responseMetadata part of the request response. The cursor value used to retrieve the next page must match the nextCursor value from the previous response in order to avoid unexpected behavior. |
Response (200)
A page of PhishingIndicator objects found in phishing submissions that meet the specified criteria.
Note: The nextCursor returned in the responseMetadata is a system generated string that is returned only if there are more pages to retrieve. This string is to be used as the cursor parameter value when performing subsequent requests. If the nextCursor value is empty, there are no more pages to fetch.
Example Usage
Request
curl -k -X POST -H "Authorization: Bearer {access_token}" -H "Content-Type: application/json" \
  -d '{"from" : 1582235870000,"to": 1582245870000,"normalizedIndicatorScore": [2,3], "status":["CONFIRMED"]}' \
  "https://api.trustar.co/api/1.3/triage/indicators?pageSize=2"
Response
{
  "responseMetadata": {
    "totalItems": 10,
    "nextCursor": "eyJwYWdlTnVtYmVyIjoxLCJwYWdlU2l6ZSI6Miwib2Zmc2V0Ijo0fQ=="
  },
  "items": [
    {
      "indicatorType": "IP",
      "value": "209.85.219.44",
      "sourceKey": "crowdstrike",
      "normalizedIndicatorScore": 2,
      "originalIndicatorScore": {
        "name": "Malicious Confidence",
        "value": "medium"
      }
    },
    {
      "indicatorType": "URL",
      "value": "www.suspicious.com",
      "sourceKey": "virus_total",
      "normalizedIndicatorScore": 3,
      "originalIndicatorScore": {
        "name": "Risk Score",
        "value": "78"
      }
    }
  ]
}
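The cursor handling described in the parameter table and the response note, as an added Python example that is not part of the original documentation or of any TruSTAR client library: it follows nextCursor until it is empty and passes each value back unchanged as an opaque string. The names `iter_indicators`, `http_post` and `fake_post` are hypothetical, `fake_post` is a constructed offline stand-in for the API, and the example assumes the cursor travels in the JSON body (as the table lists it) and that pageSize has a lower bound of 1.

```python
import json
import urllib.request

API_URL = "https://api.trustar.co/api/1.3/triage/indicators"  # from the page's curl example
MAX_PAGE_SIZE = 1000  # documented maximum for pageSize


def http_post(url, token, body):
    """Real transport: POST JSON with a bearer token. urllib verifies TLS certificates by default."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_indicators(token, criteria, page_size=25, post=http_post):
    """Yield every indicator matching `criteria`, following nextCursor until it is empty."""
    if not 1 <= page_size <= MAX_PAGE_SIZE:  # lower bound of 1 is an assumption
        raise ValueError(f"pageSize must be between 1 and {MAX_PAGE_SIZE}")
    url = f"{API_URL}?pageSize={page_size}"
    body = dict(criteria)        # copy so the caller's dict is not mutated
    body.pop("cursor", None)     # no cursor on the first request means the first page
    seen = set()
    while True:
        page = post(url, token, body)
        yield from page.get("items", [])
        cursor = page.get("responseMetadata", {}).get("nextCursor")
        if not cursor:           # empty or absent: no more pages to fetch
            return
        if cursor in seen:       # defensive: a repeated cursor would loop forever
            raise RuntimeError("server returned a cursor that was already used")
        seen.add(cursor)
        body["cursor"] = cursor  # must match the previous nextCursor exactly


def fake_post(url, token, body):
    """Constructed stand-in for the API: three pages of made-up data, keyed by cursor."""
    pages = {None: (["a", "b"], "CUR1"), "CUR1": (["c", "d"], "CUR2"), "CUR2": (["e"], "")}
    values, nxt = pages[body.get("cursor")]
    items = [{"indicatorType": "URL", "value": v, "normalizedIndicatorScore": 3} for v in values]
    return {"responseMetadata": {"totalItems": 5, "nextCursor": nxt}, "items": items}


if __name__ == "__main__":
    query = {"normalizedIndicatorScore": [2, 3], "status": ["CONFIRMED"]}
    for ind in iter_indicators("constructed-token", query, page_size=2, post=fake_post):
        print(ind["indicatorType"], ind["value"])
```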