Welcome to the TruSTAR REST API documentation!
The TruSTAR REST API allows you to easily build integrations with the TruSTAR Data-Centric Security Automation platform.
To use the API you must generate an OAuth token using your API key and API secret. You can generate or retrieve your API access key and secret from your account settings page on Station.
To request an OAuth token, send a request to the Authentication endpoint, replacing %api-key% and %api-secret% with your API key and secret retrieved above:
curl -k -v -u %api-key%:%api-secret% \
-d "grant_type=client_credentials" \
https://api.trustar.co/oauth/token
This operation generates a security token that can be used to query the public API:
{"access_token":"041c1918-dbe4-47a5-94bf-f13bacf1b0f2","token_type":"bearer","expires_in":599,"scope":"read"}
Note - This token can only be used for up to 10 minutes. Once it has expired, you will need to make this call again to generate a fresh token. If you are programmatically accessing the TruSTAR API with a script, the best practice is to refresh the token before every call. If the previous token has not yet expired, then the https://api.trustar.co/oauth/token endpoint will simply return the same token as before, so there is no harm in requesting a fresh token before your current one has expired.
Below is an example API call using the token from above:
curl -k -X POST -H "Authorization: Bearer 041c1918-dbe4-47a5-94bf-f13bacf1b0f2" \
"https://api.trustar.co/api/2.0/indicators/search"
Headers
The API accepts 3 headers used to identify the type of client that the user is connecting with:
Client-Type: The name of the client being used (Should be either “API” or “Python_SDK”)
Client-Version: The version of the client being used (Should be API version or Python SDK version)
Client-Metatag: “curl” if executing curl commands from the command-line, “python script” if using the SDK, or integration name (“Splunk”, “ServiceNow”, “Phantom”, “Jira”, etc.)
Below is an example of a curl call using these headers:
curl -k -X POST -H "Authorization: Bearer 041c1918-dbe4-47a5-94bf-f13bacf1b0f2" \
-H "Client-Type: API" \
-H "Client-Metatag: curl" \
"https://api.trustar.co/api/2.0/indicators/search"
Client-Type will default to API if the header is not found. The Python SDK is written to send PYTHON_SDK for Client-Type and the corresponding version for Client-Version.
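The token request and client headers described above, as an added Python example (not TruSTAR's SDK code). `TokenSource`, `http_post` and their parameters are hypothetical names. Instead of refreshing before every call, it caches the token until shortly before `expires_in` elapses so the API secret is sent less often, and its default transport leaves certificate verification on (the curl examples pass `-k`, which turns it off).

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.trustar.co/oauth/token"  # endpoint shown on this page


def http_post(url, headers, body):
    """POST bytes and decode the JSON reply.

    urllib verifies the server certificate by default; nothing here disables it.
    """
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class TokenSource:
    """Hypothetical helper: fetches and caches the OAuth bearer token.

    `send` and `clock` are injectable so the logic can be exercised offline.
    `margin` is how many seconds before expiry the token is treated as stale.
    """

    def __init__(self, api_key, api_secret, send=http_post,
                 clock=time.monotonic, margin=30):
        if not api_key or not api_secret:
            raise ValueError("API key and API secret are required")
        # Same credential encoding that `curl -u key:secret` produces.
        self._basic = base64.b64encode(
            f"{api_key}:{api_secret}".encode("utf-8")).decode("ascii")
        self._send = send
        self._clock = clock
        self._margin = margin
        self._token = None
        self._expires_at = 0.0

    def __repr__(self):
        # Keep credentials and tokens out of logs and tracebacks.
        return "TokenSource(<credentials redacted>)"

    def token(self):
        """Return a usable token, requesting a new one only when needed."""
        if self._token is None or self._clock() >= self._expires_at:
            self._refresh()
        return self._token

    def _refresh(self):
        headers = {
            "Authorization": "Basic " + self._basic,
            "Content-Type": "application/x-www-form-urlencoded",
        }
        body = urllib.parse.urlencode(
            {"grant_type": "client_credentials"}).encode("ascii")
        reply = self._send(TOKEN_URL, headers, body)
        token = reply.get("access_token")
        if not token or str(reply.get("token_type", "")).lower() != "bearer":
            raise ValueError("token endpoint did not return a bearer token")
        # The endpoint may hand back an existing token with little time left,
        # so trust expires_in from the reply rather than assuming 10 minutes.
        lifetime = int(reply.get("expires_in", 0))
        self._token = token
        self._expires_at = self._clock() + max(0, lifetime - self._margin)

    def request_headers(self, metatag="python script", version=None):
        """Headers for an API call: bearer token plus the Client-* headers."""
        headers = {
            "Authorization": "Bearer " + self.token(),
            "Client-Type": "API",
            "Client-Metatag": metatag,
            "Content-Type": "application/json",
        }
        if version:
            headers["Client-Version"] = version
        return headers
```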
Get the list of all enclaves that the user has access to
name | string The name of the enclave |
templateName | string The template name of the enclave |
workflowSupported | boolean Whether the enclave is supported for workflows |
read | boolean The enclave permission present when the requesting user has READ access |
create | boolean The enclave permission present when the requesting user has CREATE access |
update | boolean The enclave permission present when the requesting user has UPDATE access |
id | string The unique guid of the enclave |
type | string Enum: "OPEN" "INTERNAL" "CLOSED_CONCRETE" "COMMUNITY" "OTHER" The type of enclave |
[
  {
    "name": "string",
    "templateName": "string",
    "workflowSupported": true,
    "read": true,
    "create": true,
    "update": true,
    "id": "string",
    "type": "OPEN"
  }
]
Find all of the entity terms that can be found from applying extraction rules on a chunk of text
entity required | string The value that is used for pattern matching the values to mark as safelisted |
type required | string Enum: "IP4" "IP6" "CIDR_BLOCK" "EMAIL_ADDRESS" "URL" "MD5" "SHA1" "SHA256" "REGISTRY_KEY" "SOFTWARE" "BITCOIN_ADDRESS" "PHONE_NUMBER" "DOMAIN" The type of safelist entry |
[
  {
    "entity": "string",
    "type": "IP4"
  }
]
Get the summaries for all the safelist libraries owned by this company
guid | string The unique guid of the safelist |
name | string The description of the safelist |
companyGuid | string The guid of the company that owns the safelist |
excerpt | string An excerpt of the safelist entries |
createdAt | integer <int64> The timestamp (Unix timestamp - milliseconds since epoch) when the safelist was created |
updatedAt | integer <int64> The timestamp (Unix timestamp - milliseconds since epoch) when the safelist was most recently updated |
createdBy | string The email address of the user that created the safelist |
updatedBy | string The email address of the user that most recently updated the safelist |
[
  {
    "guid": "string",
    "name": "string",
    "companyGuid": "string",
    "excerpt": "string",
    "createdAt": 0,
    "updatedAt": 0,
    "createdBy": "string",
    "updatedBy": "string"
  }
]
Create a new safelist library
name required | string [ 3 .. 120 ] characters The name of the new safelist library |
guid | string The unique guid of the safelist |
name | string The description of the safelist |
companyGuid | string The guid of the company that owns the safelist |
excerpt | string An excerpt of the safelist entries |
createdAt | integer <int64> The timestamp (Unix timestamp - milliseconds since epoch) when the safelist was created |
updatedAt | integer <int64> The timestamp (Unix timestamp - milliseconds since epoch) when the safelist was most recently updated |
createdBy | string The email address of the user that created the safelist |
updatedBy | string The email address of the user that most recently updated the safelist |
{
  "name": "string"
}

{
  "guid": "string",
  "name": "string",
  "companyGuid": "string",
  "excerpt": "string",
  "createdAt": 0,
  "updatedAt": 0,
  "createdBy": "string",
  "updatedBy": "string"
}
Retrieve a safelist library based on its GUID
safelistLibraryGuid required | string The guid of the safelist library to retrieve |
guid | string The unique guid of the safelist |
name | string The description of the safelist |
companyGuid | string The guid of the company that owns the safelist |
excerpt | string An excerpt of the safelist entries |
createdAt | integer <int64> The timestamp (Unix timestamp - milliseconds since epoch) when the safelist was created |
updatedAt | integer <int64> The timestamp (Unix timestamp - milliseconds since epoch) when the safelist was most recently updated |
createdBy | string The email address of the user that created the safelist |
updatedBy | string The email address of the user that most recently updated the safelist |
entries | Array of objects (SafelistLibraryDetailEntry) [ items ] A list of the entries that the safelist library contains |
{
  "guid": "string",
  "name": "string",
  "companyGuid": "string",
  "excerpt": "string",
  "createdAt": 0,
  "updatedAt": 0,
  "createdBy": "string",
  "updatedBy": "string",
  "entries": [
    {
      "guid": "string",
      "entity": "string",
      "type": "string",
      "createdBy": "string",
      "createdAt": 0
    }
  ]
}
Add new entries to an existing safelist library
safelistLibraryGuid required | string The guid of the safelist library to modify |
entries required | Array of objects (ExtractedEntityTerm) non-empty [ 1 .. 2147483647 ] items [ items non-empty ] A list of safelist library entries to add |
guid | string The unique guid of the safelist |
name | string The description of the safelist |
companyGuid | string The guid of the company that owns the safelist |
excerpt | string An excerpt of the safelist entries |
createdAt | integer <int64> The timestamp (Unix timestamp - milliseconds since epoch) when the safelist was created |
updatedAt | integer <int64> The timestamp (Unix timestamp - milliseconds since epoch) when the safelist was most recently updated |
createdBy | string The email address of the user that created the safelist |
updatedBy | string The email address of the user that most recently updated the safelist |
entries | Array of objects (SafelistLibraryDetailEntry) [ items ] A list of the entries that the safelist library contains |
{
  "entries": [
    {
      "entity": "string",
      "type": "IP4"
    }
  ]
}

{
  "guid": "string",
  "name": "string",
  "companyGuid": "string",
  "excerpt": "string",
  "createdAt": 0,
  "updatedAt": 0,
  "createdBy": "string",
  "updatedBy": "string",
  "entries": [
    {
      "guid": "string",
      "entity": "string",
      "type": "string",
      "createdBy": "string",
      "createdAt": 0
    }
  ]
}
Remove an entry from an existing safelist library
safelistLibraryGuid required | string The guid of the safelist library to modify |
entryGuid required | string The guid of the safelist library entry to delete |
Migrate the existing company whitelist into a default safelist library for the company. If the default safelist library already exists, this will make no changes.
guid | string The unique guid of the safelist |
name | string The description of the safelist |
companyGuid | string The guid of the company that owns the safelist |
excerpt | string An excerpt of the safelist entries |
createdAt | integer <int64> The timestamp (Unix timestamp - milliseconds since epoch) when the safelist was created |
updatedAt | integer <int64> The timestamp (Unix timestamp - milliseconds since epoch) when the safelist was most recently updated |
createdBy | string The email address of the user that created the safelist |
updatedBy | string The email address of the user that most recently updated the safelist |
[
  {
    "guid": "string",
    "name": "string",
    "companyGuid": "string",
    "excerpt": "string",
    "createdAt": 0,
    "updatedAt": 0,
    "createdBy": "string",
    "updatedBy": "string"
  }
]
Search for indicators and return a cursor page
pageSize | integer <int32> <= 999 Default: 25 |
queryTerm | string the term to search for. If empty, no search term will be applied, and all indicators matching the other filters will be returned. Otherwise, must be at least 3 characters in length. |
from | integer <int64> start of time window (Unix timestamp - milliseconds since epoch). Time range values must not exceed max size of 1 year. |
to | integer <int64> end of time window (Unix timestamp - milliseconds since epoch). Time range values must not exceed max size of 1 year. |
sortColumn | string Enum: "CREATED" "UPDATED" "PROCESSED_AT" the column used to sort the results |
sortOrder | string Enum: "ASC" "DESC" the order of the sort |
priorityScores | Array of integers <int32> [ items <int32 > ] only include results with one of the selected priority scores |
enclaveGuids | Array of strings only include results in one of the selected enclaves |
types | Array of strings Items Enum: "IP4" "IP6" "DOMAIN" "CIDR_BLOCK" "EMAIL_ADDRESS" "PHONE_NUMBER" "URL" "MD5" "SHA1" "SHA256" "REGISTRY_KEY" "SOFTWARE" "BITCOIN_ADDRESS" only include results of the selected types |
attributes | Array of objects (AttributeSearchEntity) [ items ] only include results that have the following attribute values |
includedTags | Array of strings only include results that contain one of the following tags |
excludedTags | Array of strings don't include results that contain any of the following tags |
cursor | string an id to allow the search to continue from the end point of a previous search |
includeSafelisted | boolean whether to include safelisted indicators in results |
items | Array of objects (SearchPrioritizedIndicator) [ items ] |
responseMetadata | object (ResponseMetadata) |
{
  "queryTerm": "string",
  "from": 0,
  "to": 0,
  "sortColumn": "CREATED",
  "sortOrder": "ASC",
  "priorityScores": [0],
  "enclaveGuids": ["string"],
  "types": ["IP4"],
  "attributes": [
    {
      "value": "string",
      "type": "THREAT_ACTOR"
    }
  ],
  "includedTags": ["string"],
  "excludedTags": ["string"],
  "cursor": "string",
  "includeSafelisted": true
}

{
  "items": [
    {
      "guid": "string",
      "enclaveGuid": "string",
      "workflowGuid": "string",
      "observable": {
        "value": "string",
        "type": "IP4"
      },
      "priorityScore": "UNKNOWN",
      "attributes": [
        {
          "value": "string",
          "type": "THREAT_ACTOR"
        }
      ],
      "userTags": ["string"],
      "submissionTags": ["string"],
      "scoreContexts": [
        {
          "enclaveGuid": "string",
          "sourceName": "string",
          "normalizedScore": 0,
          "weight": 0,
          "properties": {
            "property1": ["string"],
            "property2": ["string"]
          }
        }
      ],
      "created": 0,
      "updated": 0,
      "processedAt": 0,
      "validFrom": 0,
      "validUntil": 0,
      "safelisted": true
    }
  ],
  "responseMetadata": {
    "nextCursor": "string",
    "totalItems": 0
  }
}
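Collecting every page of a cursor search while respecting the one-year limit on from/to, as an added Python example (not code from TruSTAR or its SDK). Assumptions: `post` is a caller-supplied function that sends one search request and returns the decoded JSON reply, `pageSize` travels outside the JSON body, a missing or empty `nextCursor` marks the last page, and one year is taken as 365 days.

```python
YEAR_MS = 365 * 24 * 60 * 60 * 1000  # assumption: "1 year" means 365 days
MAX_PAGE_SIZE = 999                  # pageSize upper bound given on this page


def windows(from_ms, to_ms, span=YEAR_MS):
    """Split [from_ms, to_ms] into consecutive, non-overlapping windows
    that are each no longer than `span` milliseconds."""
    if to_ms < from_ms:
        raise ValueError("'to' must not be earlier than 'from'")
    out = []
    start = from_ms
    while True:
        end = min(start + span, to_ms)
        out.append((start, end))
        if end >= to_ms:
            return out
        start = end + 1


def search_all(post, filters, from_ms, to_ms,
               page_size=MAX_PAGE_SIZE, max_pages=10000):
    """Return all items matching `filters` between from_ms and to_ms.

    post(page_size, body) -> dict is a hypothetical transport callable.
    `filters` holds body fields such as types, enclaveGuids or queryTerm.
    """
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError("pageSize must be between 1 and 999")
    term = filters.get("queryTerm") or ""
    if term and len(term) < 3:
        raise ValueError("queryTerm must be empty or at least 3 characters")

    results = []
    seen_guids = set()
    pages = 0
    for start, end in windows(from_ms, to_ms):
        # Each window starts a fresh search, so drop any cursor in filters.
        body = {**filters, "from": start, "to": end}
        body.pop("cursor", None)
        seen_cursors = set()
        while True:
            pages += 1
            if pages > max_pages:
                raise RuntimeError("page budget exhausted; narrow the search")
            reply = post(page_size, body)
            for item in reply.get("items") or []:
                guid = item.get("guid")
                if guid is None or guid not in seen_guids:
                    seen_guids.add(guid)
                    results.append(item)
            cursor = (reply.get("responseMetadata") or {}).get("nextCursor")
            # Stop on the last page, or if the server repeats a cursor,
            # which would otherwise loop forever.
            if not cursor or cursor in seen_cursors:
                break
            seen_cursors.add(cursor)
            body = {**body, "cursor": cursor}
    return results
```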
Update the user tags that are associated with an indicator. Note that a tag is always stored in lower case irrespective of input case type
guid required | string |
enclaveGuid required | string The guid of the enclave that contains the indicator |
addedTags | Array of strings unique Set of user tags to be added into the indicator |
removedTags | Array of strings unique Set of user tags to be removed from the indicator |
{
  "enclaveGuid": "string",
  "addedTags": ["string"],
  "removedTags": ["string"]
}
Find all observables contained in a submission
submissionId required | string The unique Id of the submission |
idType | string Default: "INTERNAL" Enum: "INTERNAL" "EXTERNAL" "UNRECOGNIZED" The type of the specified Id |
enclaveGuid | string The guid of the enclave containing the submission |
pageSize | integer <int32> <= 999 Default: 100 |
pageNumber | integer <int32> Default: 0 |
content | Array of objects (ObservableDto) [ items ] |
pageable | object (Pageable) |
numberOfElements | integer <int32> |
first | boolean |
sort | object (Sort) |
last | boolean |
size | integer <int32> |
number | integer <int32> |
empty | boolean |
{
  "content": [
    {
      "value": "string",
      "type": "IP4"
    }
  ],
  "pageable": {
    "unpaged": true,
    "pageNumber": 0,
    "pageSize": 0,
    "paged": true,
    "sort": {
      "unsorted": true,
      "sorted": true,
      "empty": true
    },
    "offset": 0
  },
  "numberOfElements": 0,
  "first": true,
  "sort": {
    "unsorted": true,
    "sorted": true,
    "empty": true
  },
  "last": true,
  "size": 0,
  "number": 0,
  "empty": true
}
Search observables according to specified criteria
pageSize | integer <int32> <= 999 Default: 25 |
queryTerm | string the term to search for. If empty, no search term will be applied, and all indicators matching the other filters will be returned. Otherwise, must be at least 3 characters in length. |
from | integer <int64> start of time window (Unix timestamp - milliseconds since epoch). Time range values must not exceed max size of 1 year. |
to | integer <int64> end of time window (Unix timestamp - milliseconds since epoch). Time range values must not exceed max size of 1 year. |
sortColumn | string Enum: "FIRST_SEEN" "LAST_SEEN" the column used to sort the results |
sortOrder | string Enum: "ASC" "DESC" the order of the sort |
enclaveGuids | Array of strings only include results in one of the selected enclaves, if specified; otherwise, all enclaves the user has READ access to are applied by default |
types | Array of strings Items Enum: "IP4" "IP6" "DOMAIN" "CIDR_BLOCK" "EMAIL_ADDRESS" "PHONE_NUMBER" "URL" "MD5" "SHA1" "SHA256" "REGISTRY_KEY" "SOFTWARE" "BITCOIN_ADDRESS" only include results of the selected types, if specified; otherwise, all types are applied by default |
includedTags | Array of strings [ 0 .. 20 ] items only include results that contain one of the following tags |
excludedTags | Array of strings [ 0 .. 20 ] items don't include results that contain any of the following tags |
cursor | string an id to allow the search to continue from the end point of a previous search |
items | Array of objects (SearchObservable) [ items ] |
responseMetadata | object (ResponseMetadata) |
{
  "queryTerm": "string",
  "from": 0,
  "to": 0,
  "sortColumn": "FIRST_SEEN",
  "sortOrder": "ASC",
  "enclaveGuids": ["string"],
  "types": ["IP4"],
  "includedTags": ["string"],
  "excludedTags": ["string"],
  "cursor": "string"
}

{
  "items": [
    {
      "type": "IP4",
      "value": "string",
      "firstSeen": 0,
      "lastSeen": 0,
      "enclaveGuids": ["string"],
      "tags": ["string"]
    }
  ],
  "responseMetadata": {
    "nextCursor": "string",
    "totalItems": 0
  }
}
Adds or removes tags from a given observable and enclave.
observableValue required | string Observable value to tag or un-tag. |
enclaveGuid required | string The enclave guid where the indicator will be tagged or tag removed from. |
addedTags | Array of strings [ 0 .. 20 ] items unique List of tags to be added to observable. Existent tags will be ignored. Max number of tags is: 20 |
removedTags | Array of strings [ 0 .. 20 ] items unique List of tags to be removed from observable. Non-existent tags will be ignored. Max number of tags is: 20 |
addedTags | Array of strings unique Tags correctly created. |
removedTags | Array of strings unique Tags correctly deleted. |
{
  "observableValue": "string",
  "enclaveGuid": "string",
  "addedTags": ["string"],
  "removedTags": ["string"]
}

{
  "addedTags": ["string"],
  "removedTags": ["string"]
}
Search for submissions (intel, events and indicators) and return a cursor page
pageSize | integer <int32> <= 999 Default: 25 |
queryTerm | string The term to search for. If empty, no search term will be applied, and all results matching the other filters will be returned. Otherwise, must be at least 3 characters in length. |
from | integer <int64> start of time window (Unix timestamp - milliseconds since epoch). Time range values must not exceed max size of 1 year. |
to | integer <int64> end of time window (Unix timestamp - milliseconds since epoch). Time range values must not exceed max size of 1 year. |
enclaveGuids | Array of strings unique Only include results in one of the selected enclaves. |
includedTags | Array of strings [ 0 .. 20 ] items unique Only include results that contain one of the following tags. Maximum number of tags: 20 |
excludedTags | Array of strings [ 0 .. 20 ] items unique Do not include results that contain any of the following tags. Maximum number of tags: 20 |
cursor | string ID to allow the search to continue from the end point of a previous search |
sortColumn | string Enum: "CREATED" "UPDATED" The column used to sort the results |
items | Array of objects (SearchSubmission) [ items ] |
responseMetadata | object (ResponseMetadata) |
{
  "queryTerm": "string",
  "from": 0,
  "to": 0,
  "enclaveGuids": ["string"],
  "includedTags": ["string"],
  "excludedTags": ["string"],
  "cursor": "string",
  "sortColumn": "CREATED"
}

{
  "items": [
    {
      "guid": "string",
      "enclaveGuid": "string",
      "title": "string",
      "created": 0,
      "updated": 0,
      "tags": ["string"]
    }
  ],
  "responseMetadata": {
    "nextCursor": "string",
    "totalItems": 0
  }
}
Find and return the processing status of the submission
id required | string The unique Id of the submission |
id | string The ID of the submission |
status | string Enum: "SUBMISSION_PROCESSING" "SUBMISSION_SUCCESS" "SUBMISSION_FAILURE" "UNKNOWN" The processing status of the submission |
errorMessage | string The error that occurred if the submission failed to be fully processed. This value will only be present if the status is SUBMISSION_FAILURE |
{
  "id": "string",
  "status": "SUBMISSION_PROCESSING",
  "errorMessage": "string"
}
Redact a submission using your company’s redaction library. All terms from your current redaction library will be applied to the title and body of your submission.
title required | string The title of the submission |
content required | string The content of the submission |
title required | string The title of the submission |
content required | string The content of the submission |
{
  "title": "string",
  "content": "string"
}

{
  "title": "string",
  "content": "string"
}
Bulk add and remove tags to/from a submission. Added tags that already exist on the submission, and removed tags that do not exist on the submission, will be ignored.
idType | string Enum: "INTERNAL" "EXTERNAL" Type of the ID used to identify the submission. |
enclaveId | string Enclave ID of the submission. This is only required when using EXTERNAL ID type. |
addedTags | Array of strings unique Tags to be added to the submission. Existing tags will be ignored. |
removedTags | Array of strings unique Tags to be removed from the submission. Non-existing tags will be ignored. |
id | string The ID of the submission |
submissionVersion | integer <int32> The version of the submission as of the last operation performed |
warnings | Array of objects (SubmissionWarningDto) [ items ] |
{
  "idType": "INTERNAL",
  "enclaveId": "string",
  "addedTags": ["string"],
  "removedTags": ["string"]
}

{
  "id": "string",
  "submissionVersion": 0,
  "warnings": [
    {
      "observable": {
        "value": "string",
        "type": "IP4"
      },
      "field": "string",
      "value": "string",
      "message": "string"
    }
  ]
}
Update a submission if it already exists or create a new one if it doesn't
id | string The unique Id of the submission to upsert |
idType | string Default: "INTERNAL" Enum: "INTERNAL" "EXTERNAL" "UNRECOGNIZED" The type of the specified Id |
enclaveGuid | string The guid of the enclave containing the submission to upsert. It is required when idType is EXTERNAL |
mode | string Default: "OVERRIDE" Enum: "OVERRIDE" "APPEND" The update mode |
guid | string The guid of the submission. Should be null for write operations. |
title required | string The title of the submission |
content required | string The content of the submission |
enclaveGuid required | string The guid of the enclave the submission belongs to |
externalId | string The submission's unique ID in the original data source. This field is optional, but if used then it must be unique in the namespace for that data source. |
externalUrl | string A URL linking to the original object of the submission in the external source |
tags required | Array of objects (TagDto) [ 0 .. 20 ] items unique [ items ] A set of tags applied to the submission. It is required but can be empty. |
timestamp | integer <int64> A user-defined timestamp |
submissionVersion | integer <int32> The last known version of the submission |
created | integer <int64> When the submission was created in Submission Service. Long (epoch millis) |
updated | integer <int64> When the submission was updated in Submission Service. Long (epoch millis) |
id | string The ID of the submission |
submissionVersion | integer <int32> The version of the submission as of the last operation performed |
warnings | Array of objects (SubmissionWarningDto) [ items ] |
{
  "guid": "string",
  "title": "string",
  "content": "string",
  "enclaveGuid": "string",
  "externalId": "string",
  "externalUrl": "string",
  "tags": [
    {
      "name": "string"
    }
  ],
  "timestamp": 0,
  "submissionVersion": 0,
  "created": 0,
  "updated": 0
}

{
  "id": "string",
  "submissionVersion": 0,
  "warnings": [
    {
      "observable": {
        "value": "string",
        "type": "IP4"
      },
      "field": "string",
      "value": "string",
      "message": "string"
    }
  ]
}
Find and return a specific event submission
id required | string The unique Id of the submission to find |
idType | string Default: "INTERNAL" Enum: "INTERNAL" "EXTERNAL" "UNRECOGNIZED" The type of the specified Id |
enclaveGuid | string The guid of the enclave containing the submission to find. It is required when idType is EXTERNAL |
guid | string The guid of the submission. Should be null for write operations. |
title required | string The title of the submission |
content required | string The content of the submission |
enclaveGuid required | string The guid of the enclave the submission belongs to |
externalId | string The submission's unique ID in the original data source. This field is optional, but if used then it must be unique in the namespace for that data source. |
externalUrl | string A URL linking to the original object of the submission in the external source |
tags required | Array of objects (TagDto) [ 0 .. 20 ] items unique [ items ] A set of tags applied to the submission. It is required but can be empty. |
timestamp | integer <int64> A user-defined timestamp |
submissionVersion | integer <int32> The last known version of the submission |
created | integer <int64> When the submission was created in Submission Service. Long (epoch millis) |
updated | integer <int64> When the submission was updated in Submission Service. Long (epoch millis) |
{
  "guid": "string",
  "title": "string",
  "content": "string",
  "enclaveGuid": "string",
  "externalId": "string",
  "externalUrl": "string",
  "tags": [
    {
      "name": "string"
    }
  ],
  "timestamp": 0,
  "submissionVersion": 0,
  "created": 0,
  "updated": 0
}
Update the data in an existing event submission
id required | string The unique Id of the submission to update |
idType | string Default: "INTERNAL" Enum: "INTERNAL" "EXTERNAL" "UNRECOGNIZED" The type of the specified Id |
enclaveGuid | string The guid of the enclave containing the submission to update. It is required when idType is EXTERNAL |
guid | string The guid of the submission. Should be null for write operations. |
title required | string The title of the submission |
content required | string The content of the submission |
enclaveGuid required | string The guid of the enclave the submission belongs to |
externalId | string The submission's unique ID in the original data source. This field is optional, but if used then it must be unique in the namespace for that data source. |
externalUrl | string A URL linking to the original object of the submission in the external source |
tags required | Array of objects (TagDto) [ 0 .. 20 ] items unique [ items ] A set of tags applied to the submission. It is required but can be empty. |
timestamp | integer <int64> A user-defined timestamp |
submissionVersion | integer <int32> The last known version of the submission |
created | integer <int64> When the submission was created in Submission Service. Long (epoch millis) |
updated | integer <int64> When the submission was updated in Submission Service. Long (epoch millis) |
id | string The ID of the submission |
submissionVersion | integer <int32> The version of the submission as of the last operation performed |
warnings | Array of objects (SubmissionWarningDto) [ items ] |
{
  "guid": "string",
  "title": "string",
  "content": "string",
  "enclaveGuid": "string",
  "externalId": "string",
  "externalUrl": "string",
  "tags": [
    {
      "name": "string"
    }
  ],
  "timestamp": 0,
  "submissionVersion": 0,
  "created": 0,
  "updated": 0
}

{
  "id": "string",
  "submissionVersion": 0,
  "warnings": [
    {
      "observable": {
        "value": "string",
        "type": "IP4"
      },
      "field": "string",
      "value": "string",
      "message": "string"
    }
  ]
}
Create a new event submission
guid | string The guid of the submission. Should be null for write operations. |
title required | string The title of the submission |
content required | string The content of the submission |
enclaveGuid required | string The guid of the enclave the submission belongs to |
externalId | string The submission's unique ID in the original data source. This field is optional, but if used then it must be unique in the namespace for that data source. |
externalUrl | string A URL linking to the original object of the submission in the external source |
tags required | Array of objects (TagDto) [ 0 .. 20 ] items unique [ items ] A set of tags applied to the submission. It is required but can be empty. |
timestamp | integer <int64> A user-defined timestamp |
submissionVersion | integer <int32> The last known version of the submission |
created | integer <int64> When the submission was created in Submission Service. Long (epoch millis) |
updated | integer <int64> When the submission was updated in Submission Service. Long (epoch millis) |
id | string The ID of the submission |
submissionVersion | integer <int32> The version of the submission as of the last operation performed |
warnings | Array of objects (SubmissionWarningDto) [ items ] |
{
  "guid": "string",
  "title": "string",
  "content": "string",
  "enclaveGuid": "string",
  "externalId": "string",
  "externalUrl": "string",
  "tags": [
    {
      "name": "string"
    }
  ],
  "timestamp": 0,
  "submissionVersion": 0,
  "created": 0,
  "updated": 0
}

{
  "id": "string",
  "submissionVersion": 0,
  "warnings": [
    {
      "observable": {
        "value": "string",
        "type": "IP4"
      },
      "field": "string",
      "value": "string",
      "message": "string"
    }
  ]
}
Delete an existing event submission
id required | string The unique Id of the submission to delete |
idType | string Default: "INTERNAL" Enum: "INTERNAL" "EXTERNAL" "UNRECOGNIZED" The type of the specified Id |
enclaveGuid | string The guid of the enclave containing the submission to delete. It is required when idType is EXTERNAL |
Update a submission if it already exists or create a new one if it doesn't
id | string The unique Id of the submission to upsert |
idType | string Default: "INTERNAL" Enum: "INTERNAL" "EXTERNAL" "UNRECOGNIZED" The type of the specified Id |
enclaveGuid | string The guid of the enclave containing the submission to upsert |
mode | string Default: "OVERRIDE" Enum: "OVERRIDE" "APPEND" The update mode |
id | string The Id of the submission. Should be null for write operations. |
title required | string The title of the submission |
content required | object (IndicatorContentDto) The content of the submission |
enclaveGuid required | string The guid of the enclave the submission belongs to |
externalId | string The submission's unique ID in the original data source. This field is optional, but if used then it must be unique in the namespace for that data source. |
externalUrl | string A URL linking to the original object of the submission in the external source |
timestamp | integer <int64> A user-defined timestamp |
created | integer <int64> When the submission was created in Submission Service. Long (epoch millis) |
updated | integer <int64> When the submission was updated in Submission Service. Long (epoch millis) |
tags required | Array of strings [ 0 .. 20 ] items A set of tags applied to the submission. It is required but can be empty. |
submissionVersion | integer <int32> The last known version of the submission |
rawContent | string The raw content of the submission |
id | string The ID of the submission |
submissionVersion | integer <int32> The version of the submission as of the last operation performed |
warnings | Array of objects (SubmissionWarningDto) [ items ] |
{
  "id": "string",
  "title": "string",
  "content": {
    "indicators": [
      {
        "observable": {
          "value": "string",
          "type": "IP4"
        },
        "validFrom": 0,
        "validTo": 0,
        "maliciousScore": "BENIGN",
        "confidenceScore": "LOW",
        "attributes": [
          {
            "entity": {
              "value": "string",
              "type": "THREAT_ACTOR"
            },
            "validFrom": 0,
            "validTo": 0,
            "confidenceScore": "LOW"
          }
        ],
        "relatedObservables": [
          {
            "entity": {
              "value": "string",
              "type": "IP4"
            },
            "validFrom": 0,
            "validTo": 0,
            "confidenceScore": "LOW"
          }
        ],
        "tags": ["string"],
        "properties": {
          "property1": "string",
          "property2": "string"
        }
      }
    ]
  },
  "enclaveGuid": "string",
  "externalId": "string",
  "externalUrl": "string",
  "timestamp": 0,
  "created": 0,
  "updated": 0,
  "tags": ["string"],
  "submissionVersion": 0,
  "rawContent": "string"
}

{
  "id": "string",
  "submissionVersion": 0,
  "warnings": [
    {
      "observable": {
        "value": "string",
        "type": "IP4"
      },
      "field": "string",
      "value": "string",
      "message": "string"
    }
  ]
}
Find and return a specific submission
id required | string The unique Id of the submission to find |
idType | string Default: "INTERNAL" Enum: "INTERNAL" "EXTERNAL" "UNRECOGNIZED" The type of the specified Id |
enclaveGuid | string The guid of the enclave containing the submission to find |
includeContent | boolean Default: false Whether to include the content in the return value |
id | string The Id of the submission. Should be null for write operations. |
title required | string The title of the submission |
content required | object (IndicatorContentDto) The content of the submission |
enclaveGuid required | string The guid of the enclave the submission belongs to |
externalId | string The submission's unique ID in the original data source. This field is optional, but if used then it must be unique in the namespace for that data source. |
externalUrl | string A URL linking to the original object of the submission in the external source |
timestamp | integer <int64> A user-defined timestamp |
created | integer <int64> When the submission was created in Submission Service. Long (epoch millis) |
updated | integer <int64> When the submission was updated in Submission Service. Long (epoch millis) |
tags required | Array of strings [ 0 .. 20 ] items A set of tags applied to the submission. It is required but can be empty. |
submissionVersion | integer <int32> The last known version of the submission |
rawContent | string The raw content of the submission |
{
  "id": "string",
  "title": "string",
  "content": {
    "indicators": [
      {
        "observable": {"value": "string", "type": "IP4"},
        "validFrom": 0,
        "validTo": 0,
        "maliciousScore": "BENIGN",
        "confidenceScore": "LOW",
        "attributes": [
          {
            "entity": {"value": "string", "type": "THREAT_ACTOR"},
            "validFrom": 0,
            "validTo": 0,
            "confidenceScore": "LOW"
          }
        ],
        "relatedObservables": [
          {
            "entity": {"value": "string", "type": "IP4"},
            "validFrom": 0,
            "validTo": 0,
            "confidenceScore": "LOW"
          }
        ],
        "tags": ["string"],
        "properties": {"property1": "string", "property2": "string"}
      }
    ]
  },
  "enclaveGuid": "string",
  "externalId": "string",
  "externalUrl": "string",
  "timestamp": 0,
  "created": 0,
  "updated": 0,
  "tags": ["string"],
  "submissionVersion": 0,
  "rawContent": "string"
}
Update the data in an existing submission
id required | string The unique Id of the submission to update |
idType | string Default: "INTERNAL" Enum: "INTERNAL" "EXTERNAL" "UNRECOGNIZED" The type of the specified Id |
enclaveGuid | string The guid of the enclave containing the submission to update |
id | string The Id of the submission. Should be null for write operations. |
title required | string The title of the submission |
content required | object (IndicatorContentDto) The content of the submission |
enclaveGuid required | string The guid of the enclave the submission belongs to |
externalId | string The submission's unique ID in the original data source. This field is optional, but if used then it must be unique in the namespace for that data source. |
externalUrl | string A URL linking to the original object of the submission in the external source |
timestamp | integer <int64> A user-defined timestamp |
created | integer <int64> When the submission was created in Submission Service. Long (epoch millis) |
updated | integer <int64> When the submission was updated in Submission Service. Long (epoch millis) |
tags required | Array of strings [ 0 .. 20 ] items A set of tags applied to the submission. It is required but can be empty. |
submissionVersion | integer <int32> The last known version of the submission |
rawContent | string The raw content of the submission |
id | string The ID of the submission |
submissionVersion | integer <int32> The version of the submission as of the last operation performed |
warnings | Array of objects (SubmissionWarningDto) [ items ] |
{
  "id": "string",
  "title": "string",
  "content": {
    "indicators": [
      {
        "observable": {"value": "string", "type": "IP4"},
        "validFrom": 0,
        "validTo": 0,
        "maliciousScore": "BENIGN",
        "confidenceScore": "LOW",
        "attributes": [
          {
            "entity": {"value": "string", "type": "THREAT_ACTOR"},
            "validFrom": 0,
            "validTo": 0,
            "confidenceScore": "LOW"
          }
        ],
        "relatedObservables": [
          {
            "entity": {"value": "string", "type": "IP4"},
            "validFrom": 0,
            "validTo": 0,
            "confidenceScore": "LOW"
          }
        ],
        "tags": ["string"],
        "properties": {"property1": "string", "property2": "string"}
      }
    ]
  },
  "enclaveGuid": "string",
  "externalId": "string",
  "externalUrl": "string",
  "timestamp": 0,
  "created": 0,
  "updated": 0,
  "tags": ["string"],
  "submissionVersion": 0,
  "rawContent": "string"
}
{
  "id": "string",
  "submissionVersion": 0,
  "warnings": [
    {
      "observable": {"value": "string", "type": "IP4"},
      "field": "string",
      "value": "string",
      "message": "string"
    }
  ]
}
Create a new submission
id | string The Id of the submission. Should be null for write operations. |
title required | string The title of the submission |
content required | object (IndicatorContentDto) The content of the submission |
enclaveGuid required | string The guid of the enclave the submission belongs to |
externalId | string The submission's unique ID in the original data source. This field is optional, but if used then it must be unique in the namespace for that data source. |
externalUrl | string A URL linking to the original object of the submission in the external source |
timestamp | integer <int64> A user-defined timestamp |
created | integer <int64> When the submission was created in Submission Service. Long (epoch millis) |
updated | integer <int64> When the submission was updated in Submission Service. Long (epoch millis) |
tags required | Array of strings [ 0 .. 20 ] items A set of tags applied to the submission. It is required but can be empty. |
submissionVersion | integer <int32> The last known version of the submission |
rawContent | string The raw content of the submission |
id | string The ID of the submission |
submissionVersion | integer <int32> The version of the submission as of the last operation performed |
warnings | Array of objects (SubmissionWarningDto) [ items ] |
{
  "id": "string",
  "title": "string",
  "content": {
    "indicators": [
      {
        "observable": {"value": "string", "type": "IP4"},
        "validFrom": 0,
        "validTo": 0,
        "maliciousScore": "BENIGN",
        "confidenceScore": "LOW",
        "attributes": [
          {
            "entity": {"value": "string", "type": "THREAT_ACTOR"},
            "validFrom": 0,
            "validTo": 0,
            "confidenceScore": "LOW"
          }
        ],
        "relatedObservables": [
          {
            "entity": {"value": "string", "type": "IP4"},
            "validFrom": 0,
            "validTo": 0,
            "confidenceScore": "LOW"
          }
        ],
        "tags": ["string"],
        "properties": {"property1": "string", "property2": "string"}
      }
    ]
  },
  "enclaveGuid": "string",
  "externalId": "string",
  "externalUrl": "string",
  "timestamp": 0,
  "created": 0,
  "updated": 0,
  "tags": ["string"],
  "submissionVersion": 0,
  "rawContent": "string"
}
{
  "id": "string",
  "submissionVersion": 0,
  "warnings": [
    {
      "observable": {"value": "string", "type": "IP4"},
      "field": "string",
      "value": "string",
      "message": "string"
    }
  ]
}
Delete an existing submission
id required | string The unique Id of the submission to delete |
idType | string Default: "INTERNAL" Enum: "INTERNAL" "EXTERNAL" "UNRECOGNIZED" The type of the specified Id |
enclaveGuid | string The guid of the enclave containing the submission to delete |
Find and return a specific Intelligence submission
id required | string The unique Id of the intelligence submission to find |
idType | string Default: "INTERNAL" Enum: "INTERNAL" "EXTERNAL" "UNRECOGNIZED" The type of the specified Id |
enclaveGuid | string The guid of the enclave containing the intelligence submission to find. It is required when idType is EXTERNAL |
guid | string The guid of the submission. Should be null for write operations. |
title required | string The title of the submission |
content required | string The content of the submission |
enclaveGuid required | string The guid of the enclave the submission belongs to |
externalId | string The submission's unique ID in the original data source. This field is optional, but if used then it must be unique in the namespace for that data source. |
externalUrl | string A URL linking to the original object of the submission in the external source |
tags required | Array of objects (TagDto) [ 0 .. 20 ] items unique [ items ] A set of tags applied to the submission. It is required but can be empty. |
timestamp | integer <int64> A user-defined timestamp |
submissionVersion | integer <int32> The last known version of the submission |
created | integer <int64> When the submission was created in Submission Service. Long (epoch millis) |
updated | integer <int64> When the submission was updated in Submission Service. Long (epoch millis) |
{
  "guid": "string",
  "title": "string",
  "content": "string",
  "enclaveGuid": "string",
  "externalId": "string",
  "externalUrl": "string",
  "tags": [{"name": "string"}],
  "timestamp": 0,
  "submissionVersion": 0,
  "created": 0,
  "updated": 0
}
Update the data in an existing intelligence submission
id required | string The unique Id of the intelligence submission to update |
idType | string Default: "INTERNAL" Enum: "INTERNAL" "EXTERNAL" "UNRECOGNIZED" The type of the specified Id |
enclaveGuid | string The guid of the enclave containing the intelligence submission to update. It is required when idType is EXTERNAL |
guid | string The guid of the submission. Should be null for write operations. |
title required | string The title of the submission |
content required | string The content of the submission |
enclaveGuid required | string The guid of the enclave the submission belongs to |
externalId | string The submission's unique ID in the original data source. This field is optional, but if used then it must be unique in the namespace for that data source. |
externalUrl | string A URL linking to the original object of the submission in the external source |
tags required | Array of objects (TagDto) [ 0 .. 20 ] items unique [ items ] A set of tags applied to the submission. It is required but can be empty. |
timestamp | integer <int64> A user-defined timestamp |
submissionVersion | integer <int32> The last known version of the submission |
created | integer <int64> When the submission was created in Submission Service. Long (epoch millis) |
updated | integer <int64> When the submission was updated in Submission Service. Long (epoch millis) |
id | string The ID of the submission |
submissionVersion | integer <int32> The version of the submission as of the last operation performed |
warnings | Array of objects (SubmissionWarningDto) [ items ] |
{
  "guid": "string",
  "title": "string",
  "content": "string",
  "enclaveGuid": "string",
  "externalId": "string",
  "externalUrl": "string",
  "tags": [{"name": "string"}],
  "timestamp": 0,
  "submissionVersion": 0,
  "created": 0,
  "updated": 0
}
{
  "id": "string",
  "submissionVersion": 0,
  "warnings": [
    {
      "observable": {"value": "string", "type": "IP4"},
      "field": "string",
      "value": "string",
      "message": "string"
    }
  ]
}
Create a new intelligence submission
guid | string The guid of the submission. Should be null for write operations. |
title required | string The title of the submission |
content required | string The content of the submission |
enclaveGuid required | string The guid of the enclave the submission belongs to |
externalId | string The submission's unique ID in the original data source. This field is optional, but if used then it must be unique in the namespace for that data source. |
externalUrl | string A URL linking to the original object of the submission in the external source |
tags required | Array of objects (TagDto) [ 0 .. 20 ] items unique [ items ] A set of tags applied to the submission. It is required but can be empty. |
timestamp | integer <int64> A user-defined timestamp |
submissionVersion | integer <int32> The last known version of the submission |
created | integer <int64> When the submission was created in Submission Service. Long (epoch millis) |
updated | integer <int64> When the submission was updated in Submission Service. Long (epoch millis) |
id | string The ID of the submission |
submissionVersion | integer <int32> The version of the submission as of the last operation performed |
warnings | Array of objects (SubmissionWarningDto) [ items ] |
{
  "guid": "string",
  "title": "string",
  "content": "string",
  "enclaveGuid": "string",
  "externalId": "string",
  "externalUrl": "string",
  "tags": [{"name": "string"}],
  "timestamp": 0,
  "submissionVersion": 0,
  "created": 0,
  "updated": 0
}
{
  "id": "string",
  "submissionVersion": 0,
  "warnings": [
    {
      "observable": {"value": "string", "type": "IP4"},
      "field": "string",
      "value": "string",
      "message": "string"
    }
  ]
}
Delete an existing Intelligence submission
id required | string The unique Id of the intelligence submission to delete |
idType | string Default: "INTERNAL" Enum: "INTERNAL" "EXTERNAL" "UNRECOGNIZED" The type of the specified Id |
enclaveGuid | string The guid of the enclave containing the intelligence submission to delete. It is required when idType is EXTERNAL |
Update an intelligence submission if it already exists or create a new one if it doesn't
id | string The unique Id of the intelligence submission to upsert |
idType | string Default: "INTERNAL" Enum: "INTERNAL" "EXTERNAL" "UNRECOGNIZED" The type of the specified Id |
enclaveGuid | string The guid of the enclave containing the intelligence submission to upsert. It is required when idType is EXTERNAL |
mode | string Default: "OVERRIDE" Enum: "OVERRIDE" "APPEND" The update mode |
guid | string The guid of the submission. Should be null for write operations. |
title required | string The title of the submission |
content required | string The content of the submission |
enclaveGuid required | string The guid of the enclave the submission belongs to |
externalId | string The submission's unique ID in the original data source. This field is optional, but if used then it must be unique in the namespace for that data source. |
externalUrl | string A URL linking to the original object of the submission in the external source |
tags required | Array of objects (TagDto) [ 0 .. 20 ] items unique [ items ] A set of tags applied to the submission. It is required but can be empty. |
timestamp | integer <int64> A user-defined timestamp |
submissionVersion | integer <int32> The last known version of the submission |
created | integer <int64> When the submission was created in Submission Service. Long (epoch millis) |
updated | integer <int64> When the submission was updated in Submission Service. Long (epoch millis) |
id | string The ID of the submission |
submissionVersion | integer <int32> The version of the submission as of the last operation performed |
warnings | Array of objects (SubmissionWarningDto) [ items ] |
{
  "guid": "string",
  "title": "string",
  "content": "string",
  "enclaveGuid": "string",
  "externalId": "string",
  "externalUrl": "string",
  "tags": [{"name": "string"}],
  "timestamp": 0,
  "submissionVersion": 0,
  "created": 0,
  "updated": 0
}
{
  "id": "string",
  "submissionVersion": 0,
  "warnings": [
    {
      "observable": {"value": "string", "type": "IP4"},
      "field": "string",
      "value": "string",
      "message": "string"
    }
  ]
}
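The rules documented above for the intelligence-submission upsert (enum values for idType and mode, enclaveGuid required when idType is EXTERNAL, required body fields, a null guid on writes, and 0 to 20 unique tags) can be checked client-side before a request is sent. The following Python validator is an added example, not TruSTAR's code; the function name `validate_upsert` and its error strings are assumptions made for illustration.

```python
# Added example: pre-flight check for an intelligence-submission upsert.
# validate_upsert and its error strings are illustrative assumptions;
# field names, enums and limits come from the reference above.

ID_TYPES = {"INTERNAL", "EXTERNAL", "UNRECOGNIZED"}
MODES = {"OVERRIDE", "APPEND"}
REQUIRED_STRINGS = ("title", "content", "enclaveGuid")
MAX_TAGS = 20


def validate_upsert(params, body):
    """Return a list of problems; an empty list means none were found."""
    errors = []

    # Query parameters: enum membership, using the documented defaults.
    id_type = params.get("idType", "INTERNAL")
    if id_type not in ID_TYPES:
        errors.append("idType: not a documented value")
    if params.get("mode", "OVERRIDE") not in MODES:
        errors.append("mode: not a documented value")
    # Documented rule: enclaveGuid is required when idType is EXTERNAL.
    if id_type == "EXTERNAL" and not params.get("enclaveGuid"):
        errors.append("enclaveGuid: required when idType is EXTERNAL")

    # Body: required string fields.
    for field in REQUIRED_STRINGS:
        if not isinstance(body.get(field), str):
            errors.append(f"body.{field}: required string")

    # Documented rule: guid should be null for write operations.
    if body.get("guid") is not None:
        errors.append("body.guid: should be null for write operations")

    # tags: required, may be empty, at most 20 unique TagDto objects.
    tags = body.get("tags")
    if not isinstance(tags, list):
        errors.append("body.tags: required array (may be empty)")
        return errors
    names = [t.get("name") if isinstance(t, dict) else None for t in tags]
    if any(not isinstance(n, str) for n in names):
        errors.append("body.tags: each item must be an object with a string name")
    if len(tags) > MAX_TAGS:
        errors.append("body.tags: more than 20 items")
    valid = [n for n in names if isinstance(n, str)]
    if len(set(valid)) != len(valid):
        errors.append("body.tags: items must be unique")
    return errors
```

An empty `tags` list passes, because the reference marks the field as required but allows it to be empty.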
Get the workflows for this company
type | string The workflow type to filter by. Exact match. |
name | string The workflow name to filter by. Partial match. |
createdFrom | integer <int64> The result will include workflows created from this date. If it is null, workflows are retrieved from the beginning. |
createdTo | integer <int64> The result will include workflows created up to this date. If it is null, workflows are retrieved up to now. |
updatedFrom | integer <int64> The result will include workflows updated from this date. If it is null, workflows are retrieved from the beginning. |
updatedTo | integer <int64> The result will include workflows updated up to this date. If it is null, workflows are retrieved up to now. |
content | Array of objects (WorkflowDtoResponse) [ items ] The content returned by the search |
pageable | object (Pageable) |
totalPages | integer <int32> The total number of pages for this data set |
totalElements | integer <int64> The total number of elements for this data set |
numberOfElements | integer <int32> The number of elements returned in this page |
first | boolean Whether this is the first page in the data set |
sort | object (Sort) |
last | boolean Whether this is the last page in the data set |
empty | boolean Whether this page is empty |
size | integer <int32> The number of elements returned in this page |
number | integer <int32> The page number |
{
  "content": [
    {
      "guid": "string",
      "name": "string",
      "created": 0,
      "updated": 0,
      "workflowConfig": {
        "type": "INDICATOR_PRIORITIZATION",
        "workflowSource": { },
        "workflowDestination": { }
      },
      "safelistGuids": ["string"]
    }
  ],
  "pageable": {
    "unpaged": true,
    "pageNumber": 0,
    "pageSize": 0,
    "paged": true,
    "sort": {"unsorted": true, "sorted": true, "empty": true},
    "offset": 0
  },
  "totalPages": 0,
  "totalElements": 0,
  "numberOfElements": 0,
  "first": true,
  "sort": {"unsorted": true, "sorted": true, "empty": true},
  "last": true,
  "empty": true,
  "size": 0,
  "number": 0
}
Create a new workflow. A company cannot create more than 5 workflows. There cannot be more than 10 source enclaves per workflow.
name required | string [ 3 .. 120 ] characters The name of the workflow |
workflowConfig required | object (WorkflowConfigIWorkflowSourceIWorkflowDestination) The workflow configuration |
safelistGuids required | Array of strings unique The set of safelist library guids to associate with the workflow |
guid | string The unique guid for the workflow |
name | string The name of the workflow |
created | integer <int64> The timestamp (epoch millisecond time) when the workflow was created |
updated | integer <int64> The timestamp (epoch millisecond time) when the workflow was most recently updated |
workflowConfig | object (WorkflowConfigIWorkflowSourceIWorkflowDestination) The workflow configuration |
safelistGuids | Array of strings unique A set of guids corresponding to the safelist libraries that are used in this workflow |
{
  "name": "string",
  "workflowConfig": {
    "type": "INDICATOR_PRIORITIZATION",
    "workflowSource": { },
    "workflowDestination": { }
  },
  "safelistGuids": ["string"]
}
{
  "guid": "string",
  "name": "string",
  "created": 0,
  "updated": 0,
  "workflowConfig": {
    "type": "INDICATOR_PRIORITIZATION",
    "workflowSource": { },
    "workflowDestination": { }
  },
  "safelistGuids": ["string"]
}
Retrieve the workflow for the GUID
workflowGuid required | string The unique guid for the workflow |
guid | string The unique guid for the workflow |
name | string The name of the workflow |
created | integer <int64> The timestamp (epoch millisecond time) when the workflow was created |
updated | integer <int64> The timestamp (epoch millisecond time) when the workflow was most recently updated |
workflowConfig | object (WorkflowConfigIWorkflowSourceIWorkflowDestination) The workflow configuration |
safelistGuids | Array of strings unique A set of guids corresponding to the safelist libraries that are used in this workflow |
{
  "guid": "string",
  "name": "string",
  "created": 0,
  "updated": 0,
  "workflowConfig": {
    "type": "INDICATOR_PRIORITIZATION",
    "workflowSource": { },
    "workflowDestination": { }
  },
  "safelistGuids": ["string"]
}
Update an existing workflow. A company cannot create more than 5 workflows. There cannot be more than 10 source enclaves per workflow.
workflowGuid required | string The unique guid for the workflow |
name required | string [ 3 .. 120 ] characters The name of the workflow |
workflowConfig required | object (WorkflowConfigIWorkflowSourceIWorkflowDestination) The workflow configuration |
safelistGuids required | Array of strings unique The set of safelist library guids to associate with the workflow |
guid | string The unique guid for the workflow |
name | string The name of the workflow |
created | integer <int64> The timestamp (epoch millisecond time) when the workflow was created |
updated | integer <int64> The timestamp (epoch millisecond time) when the workflow was most recently updated |
workflowConfig | object (WorkflowConfigIWorkflowSourceIWorkflowDestination) The workflow configuration |
safelistGuids | Array of strings unique A set of guids corresponding to the safelist libraries that are used in this workflow |
{
  "name": "string",
  "workflowConfig": {
    "type": "INDICATOR_PRIORITIZATION",
    "workflowSource": { },
    "workflowDestination": { }
  },
  "safelistGuids": ["string"]
}
{
  "guid": "string",
  "name": "string",
  "created": 0,
  "updated": 0,
  "workflowConfig": {
    "type": "INDICATOR_PRIORITIZATION",
    "workflowSource": { },
    "workflowDestination": { }
  },
  "safelistGuids": ["string"]
}