
TruSTAR


TruSTAR is an intelligence management platform that helps enterprises enrich and operationalize their security data. The platform uses an Enclave architecture to fuse and correlate intelligence sources, helping analysts speed up investigations and simplify workflows.

Connect TruSTAR with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for TruSTAR.

  3. Click Details, then the + icon, and enter the required information in the following fields:

     • Label: Enter a connection name.

     • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

     • Verify SSL: Select whether to verify the connecting server's SSL certificate (Default is Verify SSL Certificate).

     • Remote Agent: Run this integration using the Devo SOAR Remote Agent.

     • User API Key: The API key used to connect to TruSTAR.

     • User API Secret: The API secret used to connect to TruSTAR.

  4. After you've entered all the details, click Connect.

Actions for TruSTAR

Search Indicators

Searches for all indicators that contain the given search term. Also allows filtering by date, enclave, and tags. Results are capped at 10,000 records and ordered by last seen time, descending.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Start Time | Column name from the parent table to look up the value for start time (Default is Batch start time). Example: 1595332218573, Unix timestamp in milliseconds since epoch. | Optional |
| End Time | Column name from the parent table to look up the value for end time (Default is Batch end time). Example: 1595332218573, Unix timestamp in milliseconds since epoch. | Optional |
| Jinja Template for Search Term | Jinja-templated string for the term to search for (Default is empty value). Example: {{column1}}, {{column2}}. | Optional |
| Jinja Template for Enclave IDs | Jinja-templated comma-separated list of enclave IDs; only indicators found in reports from these enclaves will be returned (Default is empty value). Example: {{column1}}, {{column2}}. | Optional |
| Jinja Template for Entity Types | Jinja-templated comma-separated list of entity/indicator types to filter by (Default is empty value). Example: {{column1}}, {{column2}}. | Optional |
| Jinja Template for Tags | Jinja-templated comma-separated tags to filter by; only indicators containing ALL of these tags will be returned (Default is empty value). Example: {{column1}}, {{column2}}. | Optional |
| Jinja Template for Excluded Tags | Jinja-templated comma-separated excluded tags to filter by; indicators containing ANY of these tags will be excluded from the results (Default is empty value). Example: {{column1}}, {{column2}}. | Optional |
| Limit | The maximum number of results to return per input row (Default is 10000). | Optional |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of indicators.
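The tag, type, time-window and limit semantics documented above, modelled on constructed indicator records. This is an added illustration, not code from the TruSTAR integration or Devo SOAR; the record field names (`value`, `type`, `tags`, `lastSeen`) are assumptions.

```python
"""Added example (not TruSTAR or Devo SOAR code): models the Search Indicators
filter semantics on constructed data. Field names 'lastSeen', 'tags' and
'type' are assumptions about the indicator records, not the documented schema."""
from typing import List

# Constructed sample indicators; timestamps are Unix milliseconds since epoch.
SAMPLE_INDICATORS = [
    {"value": "198.51.100.7", "type": "IP", "tags": ["phishing", "c2"], "lastSeen": 1595332218573},
    {"value": "evil.example", "type": "DOMAIN", "tags": ["phishing"], "lastSeen": 1595332300000},
    {"value": "198.51.100.9", "type": "IP", "tags": ["phishing", "c2", "sinkholed"], "lastSeen": 1595332100000},
    {"value": "bad.example", "type": "DOMAIN", "tags": ["c2"], "lastSeen": 1595332400000},
]


def parse_csv_template(rendered: str) -> List[str]:
    """Split a rendered comma-separated Jinja value ("{{column1}}, {{column2}}")
    into clean items, dropping blanks so an empty field means 'no filter'."""
    return [item.strip() for item in rendered.split(",") if item.strip()]


def search_indicators(indicators, *, start_time=None, end_time=None,
                      search_term="", entity_types="", tags="",
                      excluded_tags="", limit=10000):
    """Apply the documented filters: last-seen time window, substring search,
    entity types, ALL of `tags`, NONE of `excluded_tags`; then order by last
    seen descending and cap at `limit`."""
    wanted_types = set(parse_csv_template(entity_types))
    required = set(parse_csv_template(tags))
    excluded = set(parse_csv_template(excluded_tags))
    hits = []
    for ind in indicators:
        ind_tags = set(ind.get("tags", []))
        if start_time is not None and ind["lastSeen"] < start_time:
            continue
        if end_time is not None and ind["lastSeen"] > end_time:
            continue
        if search_term and search_term.lower() not in ind["value"].lower():
            continue
        if wanted_types and ind["type"] not in wanted_types:
            continue
        if not required <= ind_tags:   # must contain ALL required tags
            continue
        if excluded & ind_tags:        # drop if it contains ANY excluded tag
            continue
        hits.append(ind)
    hits.sort(key=lambda i: i["lastSeen"], reverse=True)
    return hits[:limit]
```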

Get Indicator Metadata

Provides the metadata associated with an indicator.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Indicator Value | Column name from the parent table containing the indicator value. | Required |
| Indicator Type | Column name from the parent table containing the indicator type (Default is empty value). | Required |
| Jinja Template for Enclave IDs | Jinja-templated comma-separated enclave IDs to restrict to. All information returned will pertain only to these enclaves (Default is empty value). Example: {{column1}}, {{column2}}. | Required |
| Jinja Template for Request Multiple IOC Metadata With List Of Indicators Value & Type | Jinja-templated list of indicator values and types. This overrides the values of the Indicator Value and Indicator Type parameters. Example: [{\"value\":\"{{value1_column}}\", \"indicatorType\":\"{{type1_column}}\"}, {\"value\":\"{{value2_column}}\", \"indicatorType\":\"{{type2_column}}\"}]. | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Details of indicator
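How the multi-indicator list template above is rendered against a parent-table row and validated before use, as an added example that is not part of the TruSTAR integration or Devo SOAR. The `{{column}}` substitution is a minimal stand-in for the Jinja rendering Devo SOAR performs (an assumption), and the template is written with plain quotes.

```python
"""Added example, not TruSTAR or Devo SOAR code: renders the 'Request Multiple
IOC Metadata' list template against a parent-table row and validates it.
The {{column}} substitution is a minimal stand-in (assumption) for Jinja."""
import json
import re

# Template shape from the table above, written with plain quotes.
MULTI_IOC_TEMPLATE = (
    '[{"value":"{{value1_column}}", "indicatorType":"{{type1_column}}"}, '
    '{"value":"{{value2_column}}", "indicatorType":"{{type2_column}}"}]'
)

# Constructed parent-table row.
SAMPLE_ROW = {
    "value1_column": "198.51.100.7", "type1_column": "IP",
    "value2_column": "evil.example", "type2_column": "DOMAIN",
}

_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_template(template: str, row: dict) -> str:
    """Replace each {{column}} with the row's value; a missing column is an
    error rather than silently becoming an empty string."""
    def sub(match):
        column = match.group(1)
        if column not in row:
            raise KeyError(f"parent table has no column {column!r}")
        return str(row[column])
    return _PLACEHOLDER.sub(sub, template)


def build_indicator_list(template: str, row: dict) -> list:
    """Render, parse as JSON and check that each entry carries a non-empty
    'value' and 'indicatorType', which is what the action needs."""
    rendered = render_template(template, row)
    try:
        entries = json.loads(rendered)
    except json.JSONDecodeError as exc:
        # Typical cause: a column value containing an unescaped double quote.
        raise ValueError(f"rendered template is not valid JSON: {exc}") from exc
    if not isinstance(entries, list):
        raise ValueError("template must render to a JSON list")
    for entry in entries:
        if not entry.get("value") or not entry.get("indicatorType"):
            raise ValueError(f"entry missing value/indicatorType: {entry}")
    return entries
```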

Find Correlated Reports

Finds all reports that contain any of the provided indicator values.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Jinja Template for Indicator Values | Jinja-templated comma-separated indicator values. Example: {{column1}}, {{column2}}. | Required |
| Jinja Template for Enclave IDs | Jinja-templated comma-separated enclave IDs. All information returned will pertain only to these enclaves (Default is empty value). Example: {{column1}}, {{column2}}. | Required |
| Limit | The maximum number of results to return per input row (Default is 100000). | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Reports

```json
{
  "created": 1604645086742,
  "distributionType": "ENCLAVE",
  "enclaveIds": [
    "7a33144f-aef3-442b-87d4-dbf70d8afdb0"
  ],
  "error": null,
  "has_error": false,
  "id": "a55b18f6-c93d-45c1-acb7-0d2f741eb421",
  "timeBegan": 1604645086713,
  "title": "TLP AMBER BEC Share 11/5",
  "updated": 1604645086742
}
```
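Consuming rows in the output shape shown above (the `has_error` / `error` / `result` contract shared by every action, plus the report fields), as an added example that is not part of the TruSTAR integration. The sample rows are constructed; the failed row's error text is invented for illustration.

```python
"""Added example, not TruSTAR or Devo SOAR code: separates usable report rows
from failed rows and converts the millisecond timestamps. Sample rows are
constructed from the documented output shape."""
from datetime import datetime, timezone

SAMPLE_ROWS = [
    {"created": 1604645086742, "distributionType": "ENCLAVE",
     "enclaveIds": ["7a33144f-aef3-442b-87d4-dbf70d8afdb0"],
     "error": None, "has_error": False,
     "id": "a55b18f6-c93d-45c1-acb7-0d2f741eb421",
     "timeBegan": 1604645086713, "title": "TLP AMBER BEC Share 11/5",
     "updated": 1604645086742},
    # Constructed failed row: has_error set, no report fields present.
    {"error": "constructed: request failed", "has_error": True, "result": None},
]


def ms_to_utc(ms: int) -> datetime:
    """TruSTAR timestamps are Unix milliseconds since epoch."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def split_rows(rows):
    """Return (reports, errors): reports with parsed timestamps, errors as
    messages, so a playbook never treats a failed row as a report."""
    reports, errors = [], []
    for row in rows:
        if row.get("has_error"):
            errors.append(row.get("error") or "unknown error")
            continue
        reports.append({
            "id": row["id"],
            "title": row["title"],
            "enclave_ids": list(row.get("enclaveIds", [])),
            "created": ms_to_utc(row["created"]),
            "updated": ms_to_utc(row["updated"]),
        })
    return reports, errors


def reports_in_enclave(reports, enclave_id):
    """Filter to reports shared into one enclave, newest update first."""
    hits = [r for r in reports if enclave_id in r["enclave_ids"]]
    return sorted(hits, key=lambda r: r["updated"], reverse=True)
```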

Search Reports

Searches for all reports that contain the given search term. Also allows filtering by date, enclave, and tags. Results are ordered by updated time, descending.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Start Time | Column name from the parent table to look up the value for start time (Default is Batch start time). Example: 1595332218573, Unix timestamp in milliseconds since epoch. | Optional |
| End Time | Column name from the parent table to look up the value for end time (Default is Batch end time). Example: 1595332218573, Unix timestamp in milliseconds since epoch. | Optional |
| Jinja Template for Search Term | Jinja-templated string for the term to search for (Default is empty value). Example: {{column1}}, {{column2}}. | Optional |
| Jinja Template for Enclave IDs | Jinja-templated comma-separated list of enclave IDs; only indicators found in reports from these enclaves will be returned (Default is empty value). Example: {{column1}}, {{column2}}. | Optional |
| Jinja Template for Tags | Jinja-templated comma-separated tags to filter by; only indicators containing ALL of these tags will be returned (Default is empty value). Example: {{column1}}, {{column2}}. | Optional |
| Jinja Template for Excluded Tags | Jinja-templated comma-separated excluded tags to filter by; indicators containing ANY of these tags will be excluded from the results (Default is empty value). Example: {{column1}}, {{column2}}. | Optional |
| Limit | The maximum number of results to return per input row (Default is 100000). | Optional |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of reports.

Get Report Details

Finds a report by its internal or external ID.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Jinja Template for Report ID | Jinja-templated string for the report ID or external tracking ID. Example: {{column1}}. | Required |
| Report ID Type | Select the report ID type (Default is Internal). | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Report Details

Get Tags For Report

Returns the list of tags that a specified report has been tagged with. The enclave ID of each tag is simply the enclave ID of the report.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Jinja Template for Report ID | Jinja-templated string for the report ID or external tracking ID. Example: {{column1}}. | Required |
| Report ID Type | Select the report ID type (Default is Internal). | Optional |
| Limit | The maximum number of results to return per input row (Default is 100000). | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Report Tags

Get Indicators For Report

Returns a list of all indicators contained in a specified report.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Jinja Template for Report ID | Jinja-templated string for the report ID or external tracking ID. Example: {{column1}}. | Required |
| Report ID Type | Select the report ID type (Default is Internal). | Optional |
| Apply White List | Select whether to apply the white list (Default is True). When True, whitelisted indicators are filtered out; otherwise all indicators are included, each carrying a whitelisted field that indicates whether it has been whitelisted. | Optional |
| Limit | The maximum number of results to return per input row (Default is 100000). | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Report Indicators

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem