TruSTAR

TruSTAR is an intelligence management platform that helps enterprises enrich and operationalize their security data. The platform uses an Enclave architecture to fuse and correlate intelligence sources, helping analysts speed up investigations and simplify workflows.

Integration with LogicHub

Connecting with TruSTAR

To connect to TruSTAR, the following details are required:

  • Label: Connection name.
  • User API Key: The API key used to connect to TruSTAR.
  • User API Secret: The API secret used to connect to TruSTAR.

Actions with TruSTAR

Search Indicators

Searches for all indicators that contain the given search term. Also allows filtering by date, enclave, and tags. Results are capped at 10,000 records and ordered by last-seen time, descending.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Start Time (Optional): Column name from the parent table to look up the value for start time (Default is Batch start time). Example: 1595332218573, Unix timestamp - milliseconds since epoch.
  • End Time (Optional): Column name from the parent table to look up the value for end time (Default is Batch end time). Example: 1595332218573, Unix timestamp - milliseconds since epoch.
  • Jinja Template for Search Term (Optional): Jinja-templated string for the term to search for (Default is empty value). Example: {{column1}}, {{column2}}.
  • Jinja Template for Enclave IDs (Optional): Jinja-templated comma-separated list of enclave ids, only indicators found in reports from these enclaves will be returned (Default is empty value). Example: {{column1}}, {{column2}}.
  • Jinja Template for Entity Types (Optional): Jinja-templated comma-separated list of entity/indicator types to filter by (Default is empty value). Example: {{column1}}, {{column2}}.
  • Jinja Template for Tags (Optional): Jinja-templated comma-separated tags to filter by, only indicators containing ALL of these tags will be returned (Default is empty value). Example: {{column1}}, {{column2}}.
  • Jinja Template for Excluded Tags (Optional): Jinja-templated comma-separated excluded tags to filter by, indicators containing ANY of these tags will be excluded from the results (Default is empty value). Example: {{column1}}, {{column2}}.
  • Limit (Optional): The maximum number of results to return per input row (Default is 10000).

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List of indicators.

Get Indicator Metadata

Provide metadata associated with an indicator.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Indicator Value: Column name from the parent table containing the indicator value.
  • Indicator Type (Optional): Column name from the parent table containing the indicator type (Default is empty value).
  • Jinja Template for Enclave IDs (Optional): Jinja-templated comma-separated enclave ids to restrict to. All information returned pertains only to these enclaves (Default is empty value). Example: {{column1}}, {{column2}}.
  • Jinja Template for Request Multiple IOC Metadata With List Of Indicators Value & Type (Optional): Jinja-templated list of indicator values and types. When provided, this overrides the Indicator Value and Indicator Type parameters. Example: [{"value":"{{value1_column}}", "indicatorType":"{{type1_column}}"}, {"value":"{{value2_column}}", "indicatorType":"{{type2_column}}"}].

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Details of indicator
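The multi-IOC template above is rendered per parent-table row and must still parse as JSON afterwards, and every action returns the same has_error/error/result envelope. The following added example (not part of the LogicHub or TruSTAR integration code) shows a minimal stand-in for the {{column}} substitution, escapes column values so a stray quote cannot break the rendered JSON, and refuses to read result while has_error is set. Column names, indicator types and the sample output are constructed for the example.

```python
import json
import re

# Constructed stand-in for LogicHub's Jinja rendering: only {{column}} substitution.
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_template(template: str, row: dict) -> str:
    """Substitute {{column}} placeholders with values from a parent-table row."""
    def sub(match):
        name = match.group(1)
        if name not in row:
            raise KeyError(f"parent table has no column {name!r}")
        return str(row[name])
    return _PLACEHOLDER.sub(sub, template)


def render_csv_template(template: str, row: dict) -> list:
    """Render a comma-separated template (enclave ids, tags, indicator values)."""
    return [part.strip() for part in render_template(template, row).split(",") if part.strip()]


def render_ioc_list(template: str, row: dict) -> list:
    """Render the 'Request Multiple IOC Metadata' template into a validated list.

    Column values are escaped as JSON string contents first, so a value such as
    say "hi" renders as say \"hi\" instead of producing invalid JSON.
    """
    escaped = {col: json.dumps(str(val))[1:-1] for col, val in row.items()}
    items = json.loads(render_template(template, escaped))
    if not isinstance(items, list):
        raise ValueError("template must render to a JSON list")
    for item in items:
        if set(item) != {"value", "indicatorType"}:
            raise ValueError(f"unexpected keys in indicator entry: {sorted(item)}")
    return items


def unwrap_result(output: dict):
    """Return the action's result, failing loudly when has_error is set."""
    if output.get("has_error"):
        raise RuntimeError(f"TruSTAR action failed: {output.get('error')}")
    return output["result"]


# Template text from the action documentation; the row values are constructed.
IOC_TEMPLATE = ('[{"value":"{{value1_column}}", "indicatorType":"{{type1_column}}"}, '
                '{"value":"{{value2_column}}", "indicatorType":"{{type2_column}}"}]')
SAMPLE_ROW = {"value1_column": "203.0.113.7", "type1_column": "IP",
              "value2_column": "example.test", "type2_column": "DOMAIN"}
```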

Find Correlated Reports

Find a list of all reports that contain any of the provided indicator values.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Jinja Template for Indicator Values: Jinja-templated comma-separated indicator values. Example: {{column1}}, {{column2}}.
  • Jinja Template for Enclave IDs (Optional): Jinja-templated comma-separated enclave ids. All information returned pertains only to these enclaves (Default is empty value). Example: {{column1}}, {{column2}}.
  • Limit: The maximum number of results to return per input row (Default is 100000).

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Reports

Example output:

    {
      "created": 1604645086742,
      "distributionType": "ENCLAVE",
      "enclaveIds": [
        "7a33144f-aef3-442b-87d4-dbf70d8afdb0"
      ],
      "error": null,
      "has_error": false,
      "id": "a55b18f6-c93d-45c1-acb7-0d2f741eb421",
      "timeBegan": 1604645086713,
      "title": "TLP AMBER BEC Share 11/5",
      "updated": 1604645086742
    }

Search Reports

Searches for all reports that contain the given search term. Also allows filtering by date, enclave, and tags. Results are ordered by updated time, descending.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Start Time (Optional): Column name from the parent table to look up the value for start time (Default is Batch start time). Example: 1595332218573, Unix timestamp - milliseconds since epoch.
  • End Time (Optional): Column name from the parent table to look up the value for end time (Default is Batch end time). Example: 1595332218573, Unix timestamp - milliseconds since epoch.
  • Jinja Template for Search Term (Optional): Jinja-templated string for the term to search for (Default is empty value). Example: {{column1}}, {{column2}}.
  • Jinja Template for Enclave IDs (Optional): Jinja-templated comma-separated list of enclave ids; only reports from these enclaves will be returned (Default is empty value). Example: {{column1}}, {{column2}}.
  • Jinja Template for Tags (Optional): Jinja-templated comma-separated tags to filter by; only reports containing ALL of these tags will be returned (Default is empty value). Example: {{column1}}, {{column2}}.
  • Jinja Template for Excluded Tags (Optional): Jinja-templated comma-separated excluded tags to filter by; reports containing ANY of these tags will be excluded from the results (Default is empty value). Example: {{column1}}, {{column2}}.
  • Limit (Optional): The maximum number of results to return per input row (Default is 100000).

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List of reports.

Get Report Details

Finds a report by its internal or external id.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Jinja Template for Report ID: Jinja-templated string for the report id or external tracking id. Example: {{column1}}.
  • Report ID Type (Optional): Select option for report id type (Default is Internal).

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Report Details

Get Tags For Report

Returns the list of tags that a specified report has been tagged with. The enclave ID of each tag is simply the enclave ID of the report.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Jinja Template for Report ID: Jinja-templated string for the report id or external tracking id. Example: {{column1}}.
  • Report ID Type (Optional): Select option for report id type (Default is Internal).
  • Limit: The maximum number of results to return per input row (Default is 100000).

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Report Tags

Get Indicators For Report

Returns a list of all indicators contained in a specified report.

Inputs to this Action:

  • Connection: Choose a connection that you have created.
  • Jinja Template for Report ID: Jinja-templated string for the report id or external tracking id. Example: {{column1}}.
  • Report ID Type (Optional): Select option for report id type (Default is Internal).
  • Apply White List (Optional): Select option for applying the white list (Default is True). When True, whitelisted indicators are filtered out of the results; otherwise, all indicators are included and each carries a whitelisted field indicating whether it has been whitelisted.
  • Limit: The maximum number of results to return per input row (Default is 100000).

Output of Action:
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Report Indicators