Phishing Triage Commands for Demisto
The TruSTAR App for Demisto supports three commands as part of the Phishing Triage feature set in TruSTAR:
- Fetch Submitted Emails
- Fetch Indicators
- Set Triage Status
For more information on the Phishing Triage feature in general, see Phishing Triage Basics.
Fetch Indicators
In the TruSTAR App for Demisto, this command fetches all Indicators in the Phishing Vetting Indicators Enclave that fit the criteria specified in the command.
This command is only available if you have the Phishing Triage feature enabled in TruSTAR.
Format
trustar-get-phishing-indicators
Example
!trustar-get-phishing-indicators from_time="7 days ago"
Inputs
Argument | Description | Required |
--- | --- | --- |
normalized_indicator_score | Normalized Indicator score to use in selecting Indicators for the return output. Legal values are -1, 0, 1, 2, 3. You can specify multiple values by separating the values with commas. The default is to return items with any legal value. | No |
priority_event_score | Priority event score of the email submission. Only emails with the specified scores will be returned. Legal values are -1, 0, 1, 2, 3. You can specify multiple values by separating the values with commas. The default is to return items with any legal value. | No |
from_time | Start of time window. Legal formats are Default is the last 24 hours. | No |
to_time | End of time window. Legal formats are Default is the current time. | No |
status | Intel Reports that match the specified status. Legal values are UNRESOLVED, CONFIRMED, and IGNORED. You can specify more than one value by separating the values using commas. The default is to return items with any legal value. | No |
Output
If no input arguments are specified, this command returns the most recent 1000 Indicators found in the Phishing Vetted Indicators Enclave. Otherwise, it returns up to 1000 of the Indicators that match the conditions set by the input arguments. The output is returned in the format below.
Path | Type | Description |
--- | --- | --- |
TruSTAR.PhishingIndicator.indicatorType | string | Indicator Type |
TruSTAR.PhishingIndicator.normalizedIndicatorScore | number | Indicator normalized score |
TruSTAR.PhishingIndicator.originalIndicatorScore.name | string | Indicator original score name |
TruSTAR.PhishingIndicator.originalIndicatorScore.value | string | Indicator original score value |
TruSTAR.PhishingIndicator.sourceKey | string | Indicator source key |
TruSTAR.PhishingIndicator.value | string | Indicator value |
File.Name | string | The full file name. |
<Indicator> | string | |
DBotScore.Indicator | string | The indicator we tested |
DBotScore.Type | string | The type of the Indicator. See Supported Indicators. |
DBotScore.Vendor | string | Vendor used to calculate the score |
DBotScore.Score | number | The actual score |
Fetch Submitted Emails
In the TruSTAR App for Demisto, this command fetches all emails from the Phishing Vetting Indicators Enclave that fit the criteria specified in the command.
This command is only available if you have the Phishing Triage feature enabled in TruSTAR.
Format
trustar-get-phishing-submissions
Example
!trustar-get-phishing-submissions from_time="Last 7 days"
Inputs
Argument | Description | Required |
--- | --- | --- |
priority_event_score | Priority event score of the email submission. Only emails with the specified scores will be returned. Legal values are -1, 0, 1, 2, 3. You can specify multiple values by separating the values with commas. The default is to return items with any legal value. | No |
from_time | Start of time window. Legal formats are Default is the last 24 hours. | No |
to_time | End of time window. Legal formats are Default is the current time. | No |
status | Email submissions that match the specified status. Legal values are UNRESOLVED, CONFIRMED, and IGNORED. You can specify more than one value by separating the values using commas. The default is to return emails with any legal value. | No |
Output
A list of all Intel Reports in the Phishing Vetted Indicators Enclave that match the command arguments.
If no arguments are specified, the command returns up to 1000 of the most recent Intel Reports in that enclave.
Set Triage Status
In the TruSTAR App for Demisto, this command sets the Phishing Triage status for the specified email.
This command is only available if you have enabled the Phishing Triage feature in TruSTAR.
Format
trustar-set-triage-status
Example
!trustar-set-triage-status submission_id=xxxx-yyyy-zzzzz status=CONFIRMED
Inputs
Argument | Description | Required |
--- | --- | --- |
submission_id | The ID of the Intel Report created by TruSTAR after it processed an email submission. | Yes |
status | Status to be applied to the email. Legal values are UNRESOLVED, CONFIRMED or IGNORED. You can only specify one value with this argument. | Yes |
Output
None
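The following is an added example, not TruSTAR's or Demisto's own code, showing how a playbook helper can validate the score and status arguments documented in the Inputs tables above (including the one-value rule of Set Triage Status) and turn TruSTAR.PhishingIndicator output into DBotScore entries. The normalized-score-to-DBotScore mapping and the sample indicators are assumptions, since the page does not define them.

```python
LEGAL_SCORES = {-1, 0, 1, 2, 3}            # legal values from the Inputs tables
LEGAL_STATUSES = {"UNRESOLVED", "CONFIRMED", "IGNORED"}

def parse_scores(raw: str) -> list[int]:
    """Parse a comma-separated score argument such as "2,3"; reject
    anything outside the legal set so a typo never silently widens a query."""
    scores = []
    for part in raw.split(","):
        part = part.strip()
        if not part:
            continue
        try:
            value = int(part)
        except ValueError:
            raise ValueError(f"score is not an integer: {part!r}") from None
        if value not in LEGAL_SCORES:
            raise ValueError(f"score out of range: {value}")
        scores.append(value)
    return scores

def parse_statuses(raw: str, single: bool = False) -> list[str]:
    """Parse a status list; trustar-set-triage-status allows exactly one value."""
    values = [s.strip().upper() for s in raw.split(",") if s.strip()]
    bad = sorted(set(values) - LEGAL_STATUSES)
    if bad:
        raise ValueError(f"illegal status value(s): {bad}")
    if single and len(values) != 1:
        raise ValueError("exactly one status value is required")
    return values

# Assumed mapping from TruSTAR normalized score to DBotScore
# (0 unknown, 1 good, 2 suspicious, 3 bad); the page does not define it.
NORMALIZED_TO_DBOT = {-1: 0, 0: 1, 1: 1, 2: 2, 3: 3}

def to_dbot_scores(indicators: list[dict]) -> list[dict]:
    """Build DBotScore entries from TruSTAR.PhishingIndicator objects,
    keeping only the worst score seen for each (value, type) pair."""
    worst: dict[tuple[str, str], int] = {}
    for ind in indicators:
        key = (ind["value"], ind["indicatorType"])
        score = NORMALIZED_TO_DBOT.get(ind["normalizedIndicatorScore"], 0)
        worst[key] = max(worst.get(key, 0), score)
    return [{"Indicator": v, "Type": t, "Vendor": "TruSTAR", "Score": s}
            for (v, t), s in sorted(worst.items())]

SAMPLE_INDICATORS = [  # constructed sample, shaped like the Output table above
    {"indicatorType": "URL", "value": "http://example.invalid/login", "normalizedIndicatorScore": 3},
    {"indicatorType": "URL", "value": "http://example.invalid/login", "normalizedIndicatorScore": 1},
    {"indicatorType": "IP", "value": "192.0.2.10", "normalizedIndicatorScore": -1},
]
```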