Reports
Incident reports are the primary resource in TruSTAR’s data model. Reports can be read, created, updated, and deleted through the API.
Warning
Reports can no longer belong to multiple enclaves. The list of enclave IDs on a report will always have length 1. This will remain an array, always of size 1, to ensure backwards compatibility for this API version.
Endpoints
Schema
Field | Description |
---|---|
id | the internal ID of the report (a GUID) |
externalTrackingId | the external ID of the report (any string, user-defined) |
created | the time of creation, in milliseconds since epoch |
updated | the time of the last update, in milliseconds since epoch |
title | the report title |
timeBegan | the user-defined time when the incident began, in milliseconds since epoch |
distributionType | ENCLAVE or COMMUNITY - if COMMUNITY, the report is open to the community. This field is deprecated, but is retained for backwards compatibility. The Community has been transitioned to an enclave, so all reports have a distributionType of ENCLAVE. |
reportBody | the body of the report |
enclaveIds | A list of exactly 1 enclave ID that the report has been submitted to. After removing support for submission to multiple enclaves, this field remains a list to ensure backwards compatibility. |
notes | A list of objects, which contain each note on the report. Each object contains the note, the email of the user who wrote the note, and the time the note was created and last updated. WARNING: Notes are deprecated and will be removed soon. This field has been added to allow clients to export existing notes for historical records. |
Sample JSON
{
  "id": "cabd7d8c-3aad-46a3-906a-cfd27ad6f965",
  "created": 1520829291772,
  "updated": 1520829291883,
  "timeBegan": 1520829291726,
  "title": "Malicious Activity!!!",
  "distributionType": "ENCLAVE",
  "reportBody": "Some malicious thing happened, it had to do with some_malware.exe and 103.255.61.39.",
  "enclaveIds": [
    "291af346-dbd1-4bc0-9c69-be20af157fb0"
  ]
}
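An added example, not part of the TruSTAR documentation or SDK: one way a client could check a received report against the schema table before storing it. The names `normalize_report`, `ms_to_utc` and the output key `enclaveId` are hypothetical; the input is the sample report shown on this page.

```python
import json
from datetime import datetime, timezone
from uuid import UUID

# The report from the "Sample JSON" section of this page.
SAMPLE = """{
  "id": "cabd7d8c-3aad-46a3-906a-cfd27ad6f965",
  "created": 1520829291772,
  "updated": 1520829291883,
  "timeBegan": 1520829291726,
  "title": "Malicious Activity!!!",
  "distributionType": "ENCLAVE",
  "reportBody": "Some malicious thing happened, it had to do with some_malware.exe and 103.255.61.39.",
  "enclaveIds": ["291af346-dbd1-4bc0-9c69-be20af157fb0"]
}"""

TIME_FIELDS = ("created", "updated", "timeBegan")

def ms_to_utc(ms):
    """Milliseconds since epoch -> aware UTC datetime (integer math only)."""
    if isinstance(ms, bool) or not isinstance(ms, int) or ms < 0:
        raise ValueError(f"not a millisecond epoch value: {ms!r}")
    seconds = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return seconds.replace(microsecond=(ms % 1000) * 1000)

def normalize_report(raw):
    """Hypothetical helper: check a report dict against the schema table and
    return a copy with datetimes and a single enclaveId."""
    out = dict(raw)
    out["id"] = str(UUID(raw["id"]))  # schema: the internal ID is a GUID
    enclaves = raw.get("enclaveIds")
    if not isinstance(enclaves, list) or len(enclaves) != 1:
        raise ValueError("enclaveIds must be a list of exactly 1 enclave ID")
    out["enclaveId"] = enclaves[0]
    for field in TIME_FIELDS:
        if raw.get(field) is not None:
            out[field] = ms_to_utc(raw[field])
    # Deprecated field: only ENCLAVE and COMMUNITY are documented values.
    if raw.get("distributionType") not in (None, "ENCLAVE", "COMMUNITY"):
        raise ValueError("unexpected distributionType")
    # Deprecated notes are kept unchanged so they can still be exported.
    out["notes"] = list(raw.get("notes") or [])
    return out

if __name__ == "__main__":
    report = normalize_report(json.loads(SAMPLE))
    print(report["enclaveId"], report["created"].isoformat())
```

Rejecting a report whose `enclaveIds` list is not exactly one element long surfaces a violation of the documented invariant at ingestion time instead of letting it silently affect access decisions later.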