Phishing Workflow in the TruSTAR Web App

Updated 3 months ago by Elvis Hovor

You can use the Phishing Triage panel in the TruSTAR Web App to view, filter, and manage phishing events submitted by users in your organization. By default, these events are submitted into the Phishing Events Enclave.

How It Works

The Phishing Triage feature uses automation to

You can then use the Phishing Panel in the TruSTAR Web App to

  • View phishing events that need review
  • Filter by Date, Priority Event Score, or Intel Report Status
  • Confirm or Ignore an Intel Report

Accessing the Phishing Triage Panel

To display the Phishing Triage panel, click the Phishing Triage icon on the Navigation Bar.

If you do not see the Phishing Triage icon on your Navigation Bar, please contact your TruSTAR account representative about activating this feature.

Filtering Phishing Reports

You can use the buttons on the Phishing Triage menu bar to control what Intel Reports are displayed.

Filter options:

  • Include Unknown Scores: Events with no correlated Indicators are scored as Unknown, so these are probably of low interest when investigating phishing events.
  • Score Filter: Choose to display events that have a specific Priority Event Score.
  • Status: Display events that you have confirmed as malicious, ignored as non-malicious, or left Unresolved while investigations continue.
  • Date: Choose the date range of the events you wish to review.

Viewing a Single Phishing Report

Each event submitted to the Phishing Emails Enclave is displayed as a separate card. The card front summarizes the event, including the title (usually the email subject), dates of submission and any updates, and the source Enclave.

Click on the Priority Event Score to display a count of Indicators by Normalized Indicator Scores.

To view a detailed list of the Indicators, click the Grid icon in the upper right of the card. This opens the Breakdown by Source card view where you can see the Normalized Indicator Scores listed by Enclave.

If the event has been assigned a status, the grid icon is not displayed.

Opening the Event in Graph View

To view the full event in a new TruSTAR Web App window, click the Reports Graph View icon in the upper right. This opens the event in Reports Graph view, where you can use the power of that view to explore details and correlations.

Confirming or Ignoring a Report

To confirm that an event is a phishing attack, click the Confirm Risk button in the lower right corner.

To confirm that the event is not malicious, click Ignore in the lower right corner.

Exporting Confirmed Indicators

After you have confirmed a series of events as malicious, you can export the Indicators in those confirmed events and use them in other tools within your organization.

  1. Filter by Status to display all confirmed events.
  2. Click the Download Indicators button to export all the Indicators in .csv format. 


How Did We Do?