TruSTAR Glossary

Updated 2 weeks ago by TruSTAR


Analytics is the capability in TruSTAR that uses two metrics -- Mean Time to Detection (MTTD) and Mean Time to Response (MTTR) -- that are key to analyzing how well your security systems are performing. You can track these metrics to understand how much coverage your intelligence sources are providing and then determine ways to increase your coverage. (Available Q1 2021) Related article: Analytics


A piece of data that adds context for an Indicator, such as a TTP, a campaign, a malware family, or a threat actor. Attributes help TruSTAR to categorize an indicator as malicious or not. Related article: TruSTAR Ontology

Attributes Parser

This feature is relevant only to the Phishing Triage feature and Normalized Indicator Scoring.


A campaign in cybersecurity terms is a group of incidents, TTPs, and/or threat actors that work together on an attack. An Indicator may include campaign information as an attribute that provides context for its maliciousness.


Capabilities are the processes you build in TruSTAR to connect and leverage intelligence across your ecosystem of tools, teams, and partners. Capabilities include governance, workflows, advanced searching, scoring, and analytics. Related article: Product Overview: Capabilities


Collecting data the first step in the Intelligence Pipeline, where you import internal Events and Intelligence Sources. You can send data to TruSTAR via Workflow Apps, Managed Connectors, email, custom scripts, or the TruSTAR Web App. Related article: Product Overview: Collect

Community Enclave

A Community Enclave is available to all users, and anyone can submit information to this kind of Enclave. For example, the COVID-19 OSINT Community Enclave was created by TruSTAR to aid in identifying malicious data related to the COVID-19 pandemic.


This is the process of matching new data with existing data in TruSTAR. For example, a new Observable submitted to a TruSTAR Enclave is automatically correlated with data in all the Enclaves you have access to in TruSTAR. You can also correlate reports between Enclaves using a custom script.


Coverage is the surface area of where intelligence sources add labels to unlabeled data in the form of scores or context. The goal of threat intelligence is to maximize this coverage by choosing the best sources for your organization, given any budget constraints.

Data-centric Security Automation

Data-centric security automation, compared to app-centric automation, mandates that you manage intelligence separate from the apps where you automate actions. For example, your organization may use a detection tool that can identify data that may be malicious. Rather than import sources into that detection tool, you export the data to an Intelligence Management Platform that enriches the data by correlating it with intelligence sources, returning the enriched data to the detection tool as well as to other tools in your workflow, such as SOAR or SIEM tools. Related article: TruSTAR Overview


A cloud-based data repository with access control where you organize and store events or intelligence in the TruSTAR Platform. Enclaves are divided into two categories:

  1. Event Enclaves store raw data that comes in to TruSTAR as cases, alerts, events, emails, logs, etc. TruSTAR includes these kinds of Event Enclaves:
  • Internal - Raw data, such as logs and cases, from your organization
  • Phishing Triage - Raw emails sent to TruSTAR as part of the Phishing Triage feature
  1. Intelligence Enclaves store enriched data that can be used in workflows to determine if an event is malicious or benign. TruSTAR supports five kinds of Intelligence Enclaves:

Related article: Enclaves

Enclave Inbox

An email inbox directly connected to a specific Enclave. You can use this feature to submit incident and alert information directly to your Enclaves via email. Emails sent to this inbox are processed and then submitted to the Enclave every minute.


As part of the Intelligence Pipeline, TruSTAR queries all the Intelligence Enclaves you have access to for matches with the Observables it is processing. All information found in those Enclaves is added to the Observable, enriching it and transforming it into an Indicator.


An Event in TruSTAR is an anomalous behavior or activity that is observed and captured by your internal systems, such as an alert, email, case, or issue. Each event contains one or more observables. Events submitted to TruSTAR are stored in Event Enclaves.


Governance is how you manage control and permissions in TruSTAR, including multi-factor authentication and enterprise-level single sign-on (SSO). The core of governance within the TruSTAR platform is the seamless control and secure dissemination of data using EnclavesRelated article: Governance

Historical Intelligence

Historical Intelligence is your organization’s curated data from incidents and investigations. This can include Internally generated reports, closed cases and associated tags. This is the most useful source for your security workflow because it contains the most relevant and vetted context compared to external sources. See also Internal Data


An Indicator is an entity or data object, such as a URL, an IP address, a hash or an email address associated with an attribute or set of attributes. Indicators establish a baseline for badness of an entity. See also Vetted Indicator.

Indicator Prioritization

Indicator Prioritization is an intelligence workflow that takes Indicators from the selected sources and prioritizes them using normalized indicator scores and attributes, filters them by specific factors, and then sends the Indicators that remain to either an Enclave or to a third-party tool. (Available Q1 2021)

Intelligence Management Platform

These tools like TruSTAR help you manage internal and external intelligence sources to accelerate detection of and response to malicious events.

Intelligence Pipeline

An Intelligence Pipeline can improve data quality by eliminating outdated or incorrect elements and then normalize data from multiple sources into a single data model and schema, regardless of the original data structures. This provides the highest fidelity intelligence in structured outputs (such as JSON) that support automated actions in your security workflows. Related article: Product Overview: Data Processing

Intelligence Report

An Intelligence Report contain one or more Indicators and related attributes that can help provide context to determine if an event is malicious or benign.

Intelligence Source

The TruSTAR platform includes a variety of data sources that provide information about events and observables. Some of these soruces are external, such as Open Source Intelligence and Premium Intelligence, while others are internal, such as the Historical Intelligence generated by your organization. See also Threat Intelligence

Intelligence Workflow

An Intelligence Workflow is a no-code process for creating customized intelligence pipelines that automate data processing. For each pipeline, you can specify sources, the transformations to make, and destinations for the enriched data. The TruSTAR platform offers two standard intelligence workflows: Phishing Triage and Indicator Prioritization. Related article: Product Overview: Intelligence Workflows

Internal Data

Internal data is the raw data generated within your organization, such as logs, emails, and network traffic. This raw data is what you submit to TruSTAR to be enriched and then shared internally and/or externally to assist in security investigations and detections. Internal data is stored in an Event Enclave. See also Historical Intelligence


JSON is an open standard, lightweight data-interchange format. JSON uses human-readable text to store and transmit data objects consisting of attribute–value pairs and array data types.

Malware Family

A malware family is a group of applications with similar attack techniques. An Indicator may include information about a malware family as an attribute that provides context for the Indicator's maliciousness.

Managed Connector

This is a lightweight plug-in that provides a one-way connection between TruSTAR and a third-party Intelligence Source or Workflow App. Built using the TruSTAR Unified API, Managed Connectors are available through TruSTAR’s Customer Success organization. Related article: Managed Connectors


Mean-Time-to-Detection (MTTD) is the amount of time between when a potential threat enters the network and when it is either prioritized for action or it is dismissed as a viable event. One example of this is an email containing a URL. The MTTD is the total time from when that email enters the organization's network until it is judged as malicious or safe.


Mean-Time-to-Response (MTTR) is the average amount of time it takes to respond to a threat. Once a suspicious event has been detected, you need to get context about it to determine the severity and nature of your response. In the case of that email with the suspicious URL, you want to see if there are known security issues and, based on that information, take action.


A real-time knowledge base of adversary behaviors observed in the wild, which can be useful when investigating security incidents. TruSTAR users can automatically extract MITRE ATT&CK techniques and tactics from Premium Intelligence sources. Related article: MITRE ATT&ACK Framework

Normalized Indicator Score

The TruSTAR platform converts all third-party scores for an Indicator into a single, standardized value, called a normalized indicator score. TruSTAR's scoring system uses a scale of 0-3 where 0 is Benign, 1 is Low, 2 is Medium and 3 is High. For example, a source may assign an Indicator the score of "Somewhat Malicious," which translates to 2 in the TruSTAR scoring system. Related article: Normalized Indicator Scores


An Observable is an entity, such as a URL, an IP address, a hash, or an email address. Observables do not always establish a baseline for whether an entity is good or bad, but they are useful for creating relationships between two or more data entities that can then lead to assigning a Safe or Malicious label to that Observable. The TruSTAR Platform supports more than a dozen types of ObservablesSee Also Indicator

Open Source Intelligence

Open Source Intelligence is a public data stream that is available to everyone, including blogs, RSS feeds, and Open APIs. This type of source is generally less curated and provides less valuable labels (such as scores). You can view all available Open Source Intelligence offerings on the TruSTAR website.

Original Indicator Score

An Original Indicator Score is a score assigned by any intelligence source to an Indicator. Because different sources score using different techniques, a single Indicator may have a High score from one source, a value of 9 from another source, and a Malicious score from a third source, leading to confusion when trying to determine the true maliciousness of that indicator. TruSTAR normalizes these original indicator scores into a single normalized indicator score.

Phishing Triage

Phishing Triage is an intelligence workflow that takes submitted emails and prioritizes them using normalized indicator scores and Indicator attributes from your Intelligence Sources. The workflow then (automatically or with a human in the loop) stores those Indicators and Events in a vetted Enclave for use by your security tools. Related article: Phishing Triage Overview

Premium Intelligence Source

Premium Intelligence Sources are privately maintained data sources that require some commercial relationship with the provider or membership in a group, such as an ISAC/ISAO. The providers of these sources are intelligence specialists who curate and disseminate valuable enriched intelligence. You can view all available Premium Intelligence Sources on the TruSTAR website.

Priority Event Score

A Priority Event Score is created when TruSTAR aggregates normalized indicator scores for an event (such as an email) and assigns a score that reflects the overall priority of the event. Priority event scoring is available as part of the Phishing Triage feature set. Related article: Priority Event Scores

Priority Indicator Score

A Priority Indicator Scores is created when TruSTAR enriches an Indicator by pulling original scores from intelligence sources, converting them to a single normalized indicator score, and then assigns a Priority Indicator Score to that Indicator, based on the maximum of the available normalized scores. This score is used in specific workflow tools, such as the TruSTAR App for Splunk Enterprise Security (ES). Related article: Priority Indicator Scores

Redaction Library

The Redaction Library is the list of terms specified by your organization that will be removed from a Report before sharing or exporting it from TruSTAR. Related article: Redaction Library


The company safelist (formerly called whitelist) is the list of Observables that will never be processed for your organization's users. This feature does not support the use of wildcards or CIDR blocks. Related article: Company Safelist

Scripted Extension

This is a REST API script that TruSTAR has created to manage data in TruSTAR Enclaves and to exchange data with third-party applications. See also Managed Connectors

Searching is the capability that provides advanced searching and filtering using attributes, tags, and notes attached to Indicators.  You can use either the TruSTAR REST API or the TruSTAR Web App to search for an Indicator and then view a summary of it or deep-dive into Intelligence Reports that contain that Indicator. 

Sharing Enclave

A Sharing Enclave is a data repository that is available to members of a specific ISAC/ISAO organization. For example, the RH-ISAC Sharing Enclave is available to members of the Retail and Hospitality ISAC.

Threat Actor

A threat actor is data that identifies or describes an adversary. This data can include motivations, desired results, and historical behavior. An Indicator may include information about threat actors as an attribute that provides context for the Indicator's maliciousness.

Threat Intelligence

Threat Intelligence provides an outside opinion, or context, on Observables, such as maliciousness or attributes that can include actors, campaigns, malware, CVEs, and other non-malicious objects. You can combine external intelligence sources with your internal historical data to label and score internal events or suspicious alerts, automating the process of investigation and accelerating your response to events. See also Intelligence Source

TruSTAR Python SDK

The TruSTAR Python SDK is a Python package that can be used to easily interact with the TruSTAR Rest API from within any Python program. It is compatible with both Python 2 and Python 3; however some of the example scripts that use the package specifically target Python 2. Related link: SDK Documentation


The TruSTAR REST API supports programmatic access to the full range of TruSTAR capabilities. The REST API offers a set of unified endpoints that you can use to access, clean, and normalize intelligence across multiple sources, then send it to specific destinations, such as teams, tools, or TruSTAR Enclaves. Related link: API Documentation

TruSTAR Web App

The TruSTAR Web App is a lightweight browser-based tool that you can use to manage users, enclaves, whitelisting, redaction, workflow, searches, and more. Related article: Web App Overview


Originally, a military term that stands for tactics, techniques, and procedures. In cybersecurity, a TTP denotes how adversaries operate, such as intended victims, patterns, and malware used, and what tools and personas they use in their attacks. An Indicator may include TTP information as an attribute that provides context for its maliciousness.

Use Case

Use cases in the TruSTAR platform cover how most cybersecurity professionals work:

  • Detect: Make detection workflows more accurate by reducing false positives.
  • Triage: Leverage internal and external sources to identify malicious vs safe items for prioritizing new events as they occur.
  • Investigate: Enrich data in by searching for Indicators across all available sources, then deep-dive into source intelligence reports to get context.
  • Disseminate: Customize, control, and share intelligence with tools, teams, and communities.

Vetted Indicator

When an Observable has been enriched into an Indicator, that data object contains attributes that provide context, such as scores, tags, and other information. You can review these Indicators and filter them into a specific Enclave to create a group of Indicators that are clearly malicious to your business. TruSTAR refers to these as Vetted Indicators.

Workflow App

A Workflow App is a fully functional, bi-directional integration with a third-party tool. These purpose-built Apps can assist in detecting security events, enriching alerts and incident investigations, or streamline intelligence management in response and orchestration applications.

How Did We Do?