The TruSTAR REST API enables you to easily synchronize report information available in TruSTAR with the monitoring tools and analysis workflows you use in your infrastructure. All API access is over HTTPS, and all data is transmitted securely in JSON format.

Changes in Version 2.0

Version 2.0 introduces some changes from previous versions of the TruSTAR REST API:

  • Adds support for Intel Workflows
  • Introduces the term Submission to cover Intelligence Sources, Events, and Indicators. Some endpoints can be used for any Submission, while other endpoints are specific to one type of Submission, for example, Submission Event endpoints.
  • Replaces Reports with Intelligence
  • Replaces Whitelists with Safelists

API Coverage

The API provides endpoints for these functional areas of the TruSTAR platform:




Endpoints for Authentication (API Key and API Secret).


Ping command


Gets a list of Enclaves that the user has permissions to access.


Endpoints to create a new Safelist library, add or delete entries, and delete a Safelist library. Other endpoints support migrating the Company whitelist to a Safelist library, retrieving a Safelist library by its GUID, parsing terms from a chunk of text, and getting the list of summaries for the Safelist libraries for your organization.


Endpoints to search for Indicators and update tags.


Endpoints to get observables in a submission, search for observables, and remove or add tags to an observable.


Endpoints for submissions (Intelligence Sources, Events, or Indicators) that you can use to get status, search, redact text, or alter tags.

Submission Event

Endpoints to create, update, upsert, find, or delete Events.

Submission Indicators

Endpoints to create, update, upsert, find, or delete Indicators.

Submission Intelligence

Endpoints to create, update, upsert, find, or delete Intelligence.


Endpoints that support Intel Workflow functionality.

