Phishing Triage Commands for Demisto

Updated 1 week ago by Elvis Hovor

The TruSTAR App for Demisto supports three commands as part of the Phishing Triage feature set in TruSTAR:

  • Fetch Submitted Emails
  • Fetch Indicators
  • Set Triage Status

For more information on the Phishing Triage feature in general, see Phishing Triage Basics.

Fetch Indicators

In the TruSTAR App for Demisto, this command fetches Indicators from the Phishing Vetting Indicators Enclave that fit the criteria specified in the command (up to 1000 per call; see Output below).

This command is only available if you have the Phishing Triage feature enabled in TruSTAR.

Format

trustar-get-phishing-indicators

Example

!trustar-get-phishing-indicators from_time="7 days ago"

Inputs

All arguments are optional.

  • normalized_indicator_score: Normalized Indicator score used to select the Indicators returned. Legal values are -1, 0, 1, 2, 3. You can specify multiple values by separating them with commas. Default: Indicators with any legal value.
  • priority_event_score: Priority event score of the email submission an Indicator was extracted from. Only Indicators from submissions with the specified scores are returned. Legal values are -1, 0, 1, 2, 3. You can specify multiple values by separating them with commas. Default: Indicators from submissions with any legal value.
  • from_time: Start of the time window. Legal formats are ISO 8601 (YYYY-MM-DD HH:MM:SS) and relative time LAST <##> <time period>, for example LAST 1 MONTH. Default: 24 hours before the current time.
  • to_time: End of the time window. Legal formats are ISO 8601 (YYYY-MM-DD HH:MM:SS) and relative time LAST <##> <time period>, for example LAST 1 MONTH. Default: the current time.
  • status: Return only Indicators whose triage status matches the specified value(s). Legal values are UNRESOLVED, CONFIRMED, and IGNORED. You can specify more than one value by separating them with commas. Default: Indicators with any legal value.

Output

If no input arguments are specified, this command returns the most recent 1000 Indicators found in the Phishing Vetted Indicators Enclave. Otherwise, it returns up to 1000 of the Indicators that match the conditions set by the input arguments. The output is written to the context paths below (path, type, description).

  • TruSTAR.PhishingIndicator.indicatorType (string): Indicator type
  • TruSTAR.PhishingIndicator.normalizedIndicatorScore (number): Indicator normalized score
  • TruSTAR.PhishingIndicator.originalIndicatorScore.name (string): Indicator original score name
  • TruSTAR.PhishingIndicator.originalIndicatorScore.value (string): Indicator original score value
  • TruSTAR.PhishingIndicator.sourceKey (string): Indicator source key
  • TruSTAR.PhishingIndicator.value (string): Indicator value
  • File.Name (string): The full file name.
  • <Indicator> (string): Supported Indicators
  • DBotScore.Indicator (string): The indicator that was tested
  • DBotScore.Type (string): The type of the Indicator. See Supported Indicators.
  • DBotScore.Vendor (string): Vendor used to calculate the score
  • DBotScore.Score (number): The actual score

Fetch Submitted Emails

In the TruSTAR App for Demisto, this command fetches email submissions from the Phishing Vetting Indicators Enclave that fit the criteria specified in the command (up to 1000 per call; see Output below).

This command is only available if you have the Phishing Triage feature enabled in TruSTAR.

Format

trustar-get-phishing-submissions

Example

!trustar-get-phishing-submissions from_time="Last 7 days"

Inputs

All arguments are optional.

  • priority_event_score: Priority event score of the email submission. Only emails with the specified scores are returned. Legal values are -1, 0, 1, 2, 3. You can specify multiple values by separating them with commas. Default: emails with any legal value.
  • from_time: Start of the time window. Legal formats are ISO 8601 (YYYY-MM-DD HH:MM:SS) and relative time LAST <##> <time period>, for example LAST 1 MONTH. Default: 24 hours before the current time.
  • to_time: End of the time window. Legal formats are ISO 8601 (YYYY-MM-DD HH:MM:SS) and relative time LAST <##> <time period>, for example LAST 1 MONTH. Default: the current time.
  • status: Return only email submissions whose triage status matches the specified value(s). Legal values are UNRESOLVED, CONFIRMED, and IGNORED. You can specify more than one value by separating them with commas. Default: emails with any legal value.

Output

A list of all Intel Reports in the Phishing Vetted Indicators Enclave that match the command arguments.

If no arguments are specified, the command returns up to 1000 of the most recent Intel Reports in that enclave.

Set Triage Status

In the TruSTAR App for Demisto, this command sets the Phishing Triage status for the specified email.

This command is only available if you have enabled the Phishing Triage feature in TruSTAR.

Format

trustar-set-triage-status

Example

!trustar-set-triage-status submission_id=xxxx-yyyy-zzzzz status=CONFIRMED

Inputs

Both arguments are required.

  • submission_id: The ID of the Intel Report that TruSTAR created when it processed the email submission.
  • status: Status to apply to the email. Legal values are UNRESOLVED, CONFIRMED, or IGNORED. Only one value may be specified with this argument.

Output

None
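The helper below is an added example for this page, not code from TruSTAR or from the Demisto integration. It validates arguments against the grammar documented above for all three commands (comma-separated score lists in -1..3, the UNRESOLVED/CONFIRMED/IGNORED status names, the one-status rule of trustar-set-triage-status, and ISO 8601 or LAST <##> <time period> windows) and then assembles the command line a playbook or automation would run, so bad input is rejected before it reaches the integration. The time-period names (MINUTE, HOUR, DAY, WEEK, MONTH), MONTH as 30 days, the rejection of a window whose start is not before its end, and the fixed reference clock are assumptions made for this example; the integration itself may parse values differently.

```python
"""Validate Phishing Triage arguments and build Demisto command lines.
Added example, not code from TruSTAR or the Demisto integration. Assumptions:
the time-period names, MONTH = 30 days, and the fixed reference clock."""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Arguments each fetch command accepts, per the Inputs sections above.
_COMMON = {"priority_event_score", "from_time", "to_time", "status"}
FETCH_COMMANDS = {
    "trustar-get-phishing-indicators": _COMMON | {"normalized_indicator_score"},
    "trustar-get-phishing-submissions": _COMMON,
}
LEGAL_SCORES = {-1, 0, 1, 2, 3}
LEGAL_STATUSES = {"UNRESOLVED", "CONFIRMED", "IGNORED"}

# Assumed unit names for "LAST <##> <time period>"; MONTH approximated as 30 days.
_PERIODS = {"MINUTE": timedelta(minutes=1), "HOUR": timedelta(hours=1),
            "DAY": timedelta(days=1), "WEEK": timedelta(weeks=1), "MONTH": timedelta(days=30)}
_RELATIVE = re.compile(r"^LAST\s+(\d+)\s+([A-Za-z]+)$", re.IGNORECASE)
_ISO = "%Y-%m-%d %H:%M:%S"
# Constructed fixed clock so resolved windows are reproducible when testing.
REFERENCE_NOW = datetime(2020, 3, 1, 12, 0, 0)


def parse_scores(raw: str) -> list[int]:
    """Parse a comma-separated score list; every value must be one of -1..3."""
    scores = []
    for part in raw.split(","):
        part = part.strip()
        if not re.fullmatch(r"-?\d+", part):
            raise ValueError(f"score {part!r} is not an integer")
        value = int(part)
        if value not in LEGAL_SCORES:
            raise ValueError(f"score {value} not in {sorted(LEGAL_SCORES)}")
        scores.append(value)
    return scores


def parse_statuses(raw: str, single: bool = False) -> list[str]:
    """Parse a comma-separated status list; single=True enforces the one-value rule."""
    statuses = [s.strip().upper() for s in raw.split(",")]
    bad = [s for s in statuses if s not in LEGAL_STATUSES]
    if bad:
        raise ValueError(f"illegal status {bad}; legal: {sorted(LEGAL_STATUSES)}")
    if single and len(statuses) != 1:
        raise ValueError("exactly one status value is allowed")
    return statuses


def parse_time(raw: str, now: datetime) -> datetime:
    """Resolve an ISO 8601 or 'LAST <##> <time period>' value to a datetime."""
    raw = raw.strip()
    m = _RELATIVE.match(raw)
    if m:
        count, unit = int(m.group(1)), m.group(2).upper().rstrip("S")
        if unit not in _PERIODS:
            raise ValueError(f"unknown time period {unit!r}")
        return now - count * _PERIODS[unit]
    try:
        return datetime.strptime(raw, _ISO)
    except ValueError:
        raise ValueError(f"{raw!r} is neither ISO 8601 nor LAST <##> <period>") from None


def _quote(value: str) -> str:
    """Demisto argument syntax: quote values that contain whitespace."""
    if '"' in value:
        raise ValueError("double quotes inside argument values are not supported")
    return f'"{value}"' if re.search(r"\s", value) else value


def build_fetch_command(command: str, now: datetime | None = None, **args: str) -> str:
    """Validate the arguments of a fetch command and return its command line."""
    if command not in FETCH_COMMANDS:
        raise ValueError(f"unknown fetch command {command!r}")
    unknown = set(args) - FETCH_COMMANDS[command]
    if unknown:
        raise ValueError(f"{command} does not accept {sorted(unknown)}")
    now = now or datetime.now()
    for key in ("normalized_indicator_score", "priority_event_score"):
        if key in args:
            parse_scores(args[key])
    if "status" in args:
        parse_statuses(args["status"])
    # Documented defaults: the window starts 24 hours ago and ends now.
    start = parse_time(args["from_time"], now) if "from_time" in args else now - timedelta(hours=24)
    end = parse_time(args["to_time"], now) if "to_time" in args else now
    if start >= end:
        raise ValueError(f"empty time window: {start} is not before {end}")
    return " ".join([f"!{command}"] + [f"{k}={_quote(v)}" for k, v in args.items()])


def build_set_triage_status(submission_id: str, status: str) -> str:
    """Return the command line that sets the triage status of one submission."""
    if not submission_id.strip():
        raise ValueError("submission_id is required")
    (status,) = parse_statuses(status, single=True)
    return f"!trustar-set-triage-status submission_id={_quote(submission_id)} status={status}"
```

A typical use is to call build_fetch_command once for trustar-get-phishing-submissions, pick the submission IDs that an analyst has reviewed, and then emit one build_set_triage_status line per ID; because the status argument of the set command takes exactly one value, passing a comma-separated list there raises ValueError instead of silently sending a malformed request.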

