Phishing Workflow in the TruSTAR Web App
You can use the Phishing Triage panel in the TruSTAR Web App to view, filter, and manage phishing events submitted by users in your organization. By default, these events are submitted into the Phishing Events Enclave.
How It Works
The Phishing Triage feature uses automation to
- Extract and enrich Indicators from specified intelligence sources
- Normalize scores from those sources into a single Normalized Indicator Score
- Assign a Priority Event Score using the Normalized Indicator Scores
You can then use the Phishing Panel in the TruSTAR Web App to
- View phishing events that need review
- Filter by Date, Priority Event Score, or Intel Report Status
- Confirm or Ignore an Intel Report
Accessing the Phishing Triage Panel
To display the Phishing Triage panel, click the Phishing Triage icon on the Navigation Bar.
Filtering Phishing Reports
You can use the buttons on the Phishing Triage menu bar to control what Intel Reports are displayed.
- Include Unknown Scores: Events with no correlated Indicators are scored as Unknown, so these are probably of low interest when investigating phishing events.
- Score Filter: Choose to display events that have a specific Priority Event Score.
- Status: Display events that you have confirmed as malicious, ignored as non-malicious, or left Unresolved while investigations continue.
- Date: Choose the date range of the events you wish to review.
Viewing a Single Phishing Report
Each event submitted to the Phishing Emails Enclave is displayed as a separate card. The card front summarizes the event, including the title (usually the email subject), dates of submission and any updates, and the source Enclave.
To view a detailed list of the Indicators, click the Grid icon in the upper right of the card. This opens the Breakdown by Source card view where you can see the Normalized Indicator Scores listed by Enclave.
Opening the Event in Graph View
To view the full event in a new TruSTAR Web App window, click the Reports Graph View icon in the upper right. This opens the event in Reports Graph view, where you can use the power of that view to explore details and correlations.
Confirming or Ignoring a Report
To confirm that an event is a phishing attack, click the Confirm Risk button in the lower right corner.
To confirm that the event is not malicious, click Ignore in the lower right corner.
Exporting Confirmed Indicators
After you have confirmed a series of events as malicious, you can export the Indicators in those confirmed events and use them in other tools within your organization.
- Filter by Status to display all confirmed events.
- Click the Download Indicators button to export all the Indicators in .csv format.