Submit Report

POST /1.3/reports


Submit a new incident report, and receive the ID it has been assigned in TruSTAR’s system. The ID can be used to find the report through Station, or issue subsequent calls on the API.

Note that that a report cannot be tagged during submission. Tags can only be applied afterwards, through a separate call.


If a report contains more than 2000 indicators, it will be rejected with a 413 (payload too large) error code. See here for details.


This endpoint will respond as soon as the report has been stored, but it has not necessarily gone through all stages of processing. Report enrichment will occur over time. Some endpoints may respond 404 if a report is requested that has just recently been submitted.


The request JSON body should be a Report object.

Specifically, the body must be well formed json with the following fields:

Parameter Required Default Description
title X   Title of the report
reportBody X   Text content of report
externalTrackingId   null External tracking ID provided by user. Must be unique across all reports for a given company and enclave.
externalUrl   null URL for the external report that this originated from, if one exists. Limit 500 alphanumeric characters.
timeBegan   current time ISO-8601 formatted incident time with timezone, e.g. 2016-09-22T11:38:35+00:00
enclaveIds X   Array of exactly one enclave ID (available on Station under settings or through the GET /enclaves endpoint). Use the enclave ID, NOT the enclave name. After removing support for single enclave submission, this parameter must remain a list to ensure backwards compatibility.

Response (200)

The ID (a GUID) that the report has been assigned in TruSTAR’s system.

Example Usage


curl -k -H "Content-Type: application/json" -X POST -d \
   '{"title":"curl api-report", "reportBody":"This is a test report body with some indicators:, evil.exe,, hash d2dd1bcdd6d6cfac59ba9638d2cd886c ", "externalTrackingId": "M-1234", "timeBegan":"2016-09-22T11:38:35+00:00", "enclaveIds":["e27b914b-b1ee-4d25-b4b2-d50db5208b4d"]}' \
   -H "Authorization: Bearer {access_token}" ""