TruSTAR
Version: 2.0.0
TruSTAR is an intelligence management platform that helps enterprises easily enrich and operationalize their security data. The platform uses Enclave architecture to fuse and correlate intelligence sources, helping analysts speed investigations and simplify workflows
Connect TruSTAR with LogicHub
- Navigate to Automations > Integrations.
- Search for TruSTAR.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- User API Key: The API key used to connect to the TruSTAR.
- User API Secret: The API Secret used to connect to the TruSTAR.
- After you've entered all the details, click Connect.
Actions for TruSTAR
Search Indicators
Searches for all indicators that contain the given search term. Also allows filtering by date, enclave, and tags. Results are maximum of 10,000 records and ordered by last seen time, descending.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Start Time | Column name from the parent table to lookup value for start time (Default is Batch start time). Example: 1595332218573, Unix timestamp - milliseconds since epoch. | Optional |
| End Time | Column name from the parent table to lookup value for end time (Default is Batch end time). Example: 1595332218573, Unix timestamp - milliseconds since epoch. | Optional |
| Jinja Template for Search Term | Jinja-templated string for the term to search for (Default is empty value). Example: {{column1}}, {{column2}}. | Optional |
| Jinja Template for Enclave IDs | Jinja-templated comma-separated list of enclave ids, only indicators found in reports from these enclaves will be returned (Default is empty value). Example: {{column1}}, {{column2}}. | Optional |
| Jinja Template for Entity Types | Jinja-templated comma-separated list of entity/indicator types to filter by (Default is empty value). Example: {{column1}}, {{column2}}. | Optional |
| Jinja Template for Tags | Jinja-templated comma-separated tags to filter by, only indicators containing ALL of these tags will be returned (Default is empty value). Example: {{column1}}, {{column2}}. | Optional |
| Jinja Template for Excluded Tags | Jinja-templated comma-separated excluded tags to filter by, indicators containing ANY of these tags will be excluded from the results (Default is empty value). Example: {{column1}}, {{column2}}. | Optional |
| Limit | The maximum number of results to return per input row (Default is 10000). | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of indicators.
Get Indicator Metadata
Provide metadata associated with an indicator.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Indicator Value | Column name from parent table containing indicator value. | Required |
| Indicator Type | Column name from parent table containing indicator type (Default is empty value). | Required |
| Jinja Template for Enclave IDs | Jinja-templated comma separated enclave ids to restrict to. All information returned will pertain only to these enclaves (Default is empty value). Example: {{column1}}, {{column2}}. | Required |
| Jinja Template for Request Multiple IOC Metadata With List Of Indicators Value & Type | Jinja-templated list of indicators value & Type, This will overwrite the values of Indicator Type and Indicator Value parameter. Example: [{"value":"{{value1_column}}", "indicatorType":"{{type1_column}}"}, {"value":"{{value2_column}}", "indicatorType":"{{type2_column}}"}]. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Details of indicator
Find Correlated Reports
Find a list of all reports that contain any of the provided indicator values.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Jinja Template for Indicator Values | Jinja-templated comma separated indicator values. Example: {{column1}}, {{column2}}. | Required |
| Jinja Template for Enclave IDs | Jinja-templated comma separated enclave ids. All information returned will pertain only to these enclaves (Default is empty value). Example: {{column1}}, {{column2}} . | Required |
| Limit | The maximum number of results to return per input row (Default is 100000). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Reports
{
"created": 1604645086742,
"distributionType": "ENCLAVE",
"enclaveIds": [
"7a33144f-aef3-442b-87d4-dbf70d8afdb0"
],
"error": null,
"has_error": false,
"id": "a55b18f6-c93d-45c1-acb7-0d2f741eb421",
"timeBegan": 1604645086713,
"title": "TLP AMBER BEC Share 11/5",
"updated": 1604645086742
}
Search Reports
Searches for all reports that contain the given search term. Also allows filtering by date, enclave, and tags. Results are ordered by updated time, descending.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Start Time | Column name from the parent table to lookup value for start time (Default is Batch start time). Example: 1595332218573, Unix timestamp - milliseconds since epoch. | Optional |
| End Time | Column name from the parent table to lookup value for end time (Default is Batch end time). Example: 1595332218573, Unix timestamp - milliseconds since epoch. | Optional |
| Jinja Template for Search Term | Jinja-templated string for the term to search for (Default is empty value). Example: {{column1}}, {{column2}}. | Optional |
| Jinja Template for Enclave IDs | Jinja-templated comma-separated list of enclave ids, only indicators found in reports from these enclaves will be returned (Default is empty value). Example: {{column1}}, {{column2}}. | Optional |
| Jinja Template for Tags | Jinja-templated comma-separated tags to filter by, only indicators containing ALL of these tags will be returned (Default is empty value). Example: {{column1}}, {{column2}}. | Optional |
| Jinja Template for Excluded Tags | Jinja-templated comma-separated excluded tags to filter by, indicators containing ANY of these tags will be excluded from the results (Default is empty value). Example: {{column1}}, {{column2}}. | Optional |
| Limit | The maximum number of results to return per input row (Default is 100000). | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of reports.
Get Report Details
Finds a report by its internal or external id.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Jinja Template for Report ID | Jinja-templated string for report id or external tracking id. Example: {{column1}} | Required |
| Report ID Type | Select option for report id type (Default is Internal). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Report Details
Get Tags For Report
Returns the list of tags that a specified report has been tagged with. The enclave ID of each tag is simply the enclave ID of the report.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Jinja Template for Report ID | Jinja-templated string for report id or external tracking id. Example: {{column1}}. | Required |
| Report ID Type | Select option for report id type (Default is Internal). | Optional |
| Limit | The maximum number of results to return per input row (Default is 100000). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Report Tags
Get Indicators For Report
Returns a list of all indicators contained in a specified report.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Jinja Template for Report ID | Jinja-templated string for report id or external tracking id. Example: {{column1}}. | Required |
| Report ID Type | Select option for report id type (Default is Internal). | Optional |
| Apply White List | Select option for apply white list (Default is True) and whitelisted indicators will be filtered out; otherwise, all indicators will be included but will contain a field whitelisted, representing whether they have been whitelisted or not. | Optional |
| Limit | The maximum number of results to return per input row (Default is 100000). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Report Indicators
Release Notes
v2.0.0- Updated architecture to support IO via filesystem
Updated about 1 year ago