Reports

Incident reports are the primary resource in TruSTAR’s data model. Reports can be read, created, updated, and deleted through the API.

Warning

Reports can no longer belong to multiple enclaves. The list of enclave IDs on a report will always have length 1. The field remains an array to ensure backwards compatibility for this API version.

Schema

Field               Description
------------------  -----------
id                  the internal ID of the report (a GUID)
externalTrackingId  the external ID of the report (any string, user-defined)
created             the time of creation, in milliseconds since epoch
updated             the time of the last update, in milliseconds since epoch
title               the report title
timeBegan           the user-defined time when the incident began, in milliseconds since epoch
distributionType    ENCLAVE or COMMUNITY - if COMMUNITY, the report is open to the community. This field is deprecated, but is retained for backwards compatibility. The Community has been transitioned to an enclave, so all reports have a distributionType of ENCLAVE.
reportBody          the body of the report
enclaveIds          A list of exactly 1 enclave ID that the report has been submitted to. After removing support for submission to multiple enclaves, this field remains a list to ensure backwards compatibility.

Sample JSON

{
    "id": "cabd7d8c-3aad-46a3-906a-cfd27ad6f965",
    "created": 1520829291772,
    "updated": 1520829291883,
    "timeBegan": 1520829291726,
    "title": "Malicious Activity!!!",
    "distributionType": "ENCLAVE",
    "reportBody": "Some malicious thing happened, it had to do with some_malware.exe and 103.255.61.39.",
    "enclaveIds": [
        "291af346-dbd1-4bc0-9c69-be20af157fb0"
    ]
}
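
When reports are ingested into another tool, it is worth checking the schema's constraints before trusting a record. The following is an added example, not TruSTAR's own code or SDK: a stand-alone Python parser that checks the GUID `id`, converts the millisecond timestamps to UTC, and rejects any `enclaveIds` value that is not a list of exactly 1. The function names, the `enclaveId` convenience key, and the treatment of the time fields as optional are assumptions of this example.

```python
import json
import uuid
from datetime import datetime, timedelta, timezone

# Constructed input: the sample report shown above, embedded so this runs offline.
SAMPLE = """{
  "id": "cabd7d8c-3aad-46a3-906a-cfd27ad6f965",
  "created": 1520829291772, "updated": 1520829291883, "timeBegan": 1520829291726,
  "title": "Malicious Activity!!!",
  "distributionType": "ENCLAVE",
  "reportBody": "Some malicious thing happened, it had to do with some_malware.exe and 103.255.61.39.",
  "enclaveIds": ["291af346-dbd1-4bc0-9c69-be20af157fb0"]
}"""

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TIME_FIELDS = ("created", "updated", "timeBegan")


def ms_to_utc(field, value):
    """Convert milliseconds since epoch to an aware UTC datetime."""
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError(f"{field}: expected non-negative integer milliseconds, got {value!r}")
    return EPOCH + timedelta(milliseconds=value)


def parse_report(raw):
    """Parse one report JSON document and enforce the constraints in the schema table."""
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("report must be a JSON object")
    report = dict(doc)
    if not isinstance(doc.get("id"), str):
        raise ValueError("id: expected a GUID string")
    report["id"] = str(uuid.UUID(doc["id"]))  # raises ValueError if not a GUID
    for field in TIME_FIELDS:  # assumption: time fields may be absent
        if doc.get(field) is not None:
            report[field] = ms_to_utc(field, doc[field])
    enclaves = doc.get("enclaveIds")
    if (not isinstance(enclaves, list) or len(enclaves) != 1
            or not isinstance(enclaves[0], str)):
        raise ValueError("enclaveIds: expected a list of exactly 1 enclave ID")
    # Hypothetical convenience key (not part of the API schema): the single enclave.
    report["enclaveId"] = enclaves[0]
    if doc.get("distributionType", "ENCLAVE") not in ("ENCLAVE", "COMMUNITY"):
        raise ValueError("distributionType: expected ENCLAVE or COMMUNITY")
    return report


if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    print(parsed["id"], parsed["enclaveId"], parsed["created"].isoformat())
```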