Find Correlated Reports

GET /1.3/reports/correlated


Returns a paginated list of all reports that contain any of the provided indicator values.


Indicator values submitted to this endpoint should be values that are known to exist in TruSTAR: they should have come from either the get-indicators-for-report or the search-indicators endpoint. IOC values that do not exist in TruSTAR will cause the call to fail.


This endpoint uses query-string params, not a JSON body. URL and domain IOCs will cause calls to this endpoint to fail. Strip them out of the list of indicators before submitting.


Queries to this endpoint take a long time to process. To avoid timeouts, submit small lists of indicator values (25 or fewer is recommended) to this endpoint.


| Parameter | Required | Default | Description |
|-----------|----------|---------|-------------|
| indicators | X | | Indicator values. Adhere to warnings and notes above. |
| enclaveIds | | All enclaves the user has READ access to. | A comma-separated list of enclave IDs. Only reports in these enclaves will be returned. |
| pageNumber | | 0 | Which page of the result set to get. |
| pageSize | | 25 | The number of results per page. |

Response (200)

A page of Report.

Example Usage


curl -k -H "Authorization: Bearer {access_token}" \


{
    "items": [
        {
            "id": "00618551-1924-431d-8e05-ca8eeeec2dcb",
            "created": 1517561071043,
            "updated": 1517561080713,
            "title": "Hit by malware",
            "distributionType": "ENCLAVE",
            "timeBegan": 1517561071028,
            "reportBody": "We got hit with the WANNACRY virus the other day.",
            "enclaveIds": [
                ...
            ]
        },
        {
            "id": "a9e5ebd9-26c4-4683-b75c-e3976f33f206",
            "created": 1517559481323,
            "updated": 1517559481425,
            "title": "Do we have WANNACRY?",
            "distributionType": "ENCLAVE",
            "timeBegan": 1517559477175,
            "reportBody": "We think we might have WANNACRY...",
            "enclaveIds": [
                ...
            ]
        }
    ],
    "hasNext": false,
    "pageSize": 25,
    "pageNumber": 0
}
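
The following client-side sketch is an added example, not code from TruSTAR: it applies the notes above (strip URL and domain IOCs, send 25 or fewer values per call, use query-string parameters) and follows `hasNext` across pages. `BASE_URL`, the `value`/`type` dictionary keys, the `URL`/`DOMAIN` type labels, and sending several values as repeated `indicators` parameters are assumptions; `fetch_json` stands for the caller's own authenticated GET.

```python
from urllib.parse import urlencode

# Assumptions, not taken from the page: BASE_URL is a placeholder; each
# indicator is a dict with hypothetical "value" and "type" keys; several
# values are sent as repeated "indicators" query parameters.
BASE_URL = "https://trustar.example/api"
BLOCKED_TYPES = {"URL", "DOMAIN"}  # hypothetical type labels
MAX_BATCH = 25                     # the page recommends 25 or fewer


def batch_params(indicators, enclave_ids=(), batch=MAX_BATCH):
    """Drop URL/domain IOCs and duplicates, then split into small batches."""
    values = []
    for ioc in indicators:
        value = ioc["value"].strip()
        if ioc["type"].upper() in BLOCKED_TYPES or not value or value in values:
            continue
        values.append(value)
    batches = []
    for start in range(0, len(values), batch):
        params = [("indicators", v) for v in values[start:start + batch]]
        if enclave_ids:
            params.append(("enclaveIds", ",".join(enclave_ids)))
        batches.append(params)
    return batches


def page_url(params, page_number, page_size=25):
    """Query-string request URL (no JSON body) for one page of one batch."""
    query = urlencode(params + [("pageNumber", page_number), ("pageSize", page_size)])
    return f"{BASE_URL}/1.3/reports/correlated?{query}"


def collect_reports(params, fetch_json, max_pages=100):
    """Follow hasNext; fetch_json(url) is the caller's authenticated GET."""
    reports = {}
    for page_number in range(max_pages):
        page = fetch_json(page_url(params, page_number))
        for report in page["items"]:
            reports[report["id"]] = report  # de-duplicate by report id
        if not page["hasNext"]:
            break
    return list(reports.values())
```

Call `collect_reports` once per batch returned by `batch_params` and merge the results by report `id`, since the same report can correlate with indicators in more than one batch.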