Install: TruSTAR for FIR

Updated 5 months ago by TruSTAR

Fast Incident Response (FIR) is a cybersecurity incident management platform designed to make the creation, tracking, and reporting of cybersecurity incidents easy.

Time to install: 30 minutes

User Guide: TruSTAR for FIR

How TruSTAR Works with FIR

The TruSTAR App for FIR enables you to send FIR incidents or events to TruSTAR and receive back enrichment on Observables using any of the Intelligence Sources you have set up on the TruSTAR platform. This can accelerate response time to threats by confirming the severity of Observables seen in your organization.

Requirements

  • Fast Incident Response (available on Github)
  • A TruSTAR account, with access to your API key and API secret information.

Installing the App

Download the TruSTAR app here

  1. Copy the downloaded fir_trustar folder to the root directory of your FIR instance.
  2. In a terminal window, execute this command to install Python dependencies for the TruSTAR App:
    $ pip install -r fir_trustar/requirements.txt
  3. In $FIR_HOME/fir/config/installed_app.txt, add this line to the end of the file to enable the TruSTAR App:
    fir_trustar
  4. In the terminal window ($FIR_HOME), execute this command to sync the TruSTAR tables into the database schema:
    $ ./manage.py migrate fir_trustar
  5. In the terminal window ($FIR_HOME), execute these commands:
    $ ./manage.py migrate --settings fir.config.production
    $ ./manage.py collectstatic --settings fir.config.production
    $ sudo restart fir

For the latest versions of Ubuntu, use these sudo commands instead:

  • sudo service fir_uwsgi restart
  • sudo service nginx reload

More information about installing a plug-in to FIR.

Configuring the App

To use the TruSTAR App for FIR, you must configure two items:

  • Add user permissions that enable one or more FIR users to interact with TruSTAR.
  • Set parameters for accessing the TruSTAR platform.

Adding Permissions

Follow these steps to allow a user to access and exchange data with the TruSTAR platform.

  1. Log into FIR as admin.
  2. Select the ADMIN tab on the top menu bar.
  3. Under the Site Administration section, locate the Authentication and Authorization section.
  4. Create a new user or select an existing user.
  5. In the Available User Permissions column, filter the user permissions using fir_trustar.
  6. In the Available Groups box, move Incident Handlers to the Chosen Groups box by using the arrow between the Available Groups and Chosen Groups boxes.
  7. Click Save to save your changes.

Setting Parameters

After you set up permissions for one or more users, you need to specify how the TruSTAR App will work.

  1. Log into FIR and go to the user’s profile page.
  2. In the TruSTAR Configuration section, specify the parameters in the table below.

| Parameter | Required | Description |
|---|---|---|
| API Key | Yes | Used to make API calls. Finding your API Key |
| API Secret | Yes | Used when making API calls. Finding your API Secret |
| Submission Enclave ID(s) | Yes | The Enclave(s) to import data from. To import data from multiple enclaves, separate each Enclave ID with a comma and no spaces. You must specify at least one Enclave ID. Retrieving your Enclave IDs |
| Auto-submit | No | Select this to automatically submit a new FIR Incident Report to TruSTAR. |
| Sharing Enclave ID(s) | No | A comma-separated list of Enclave IDs to share reports and indicators to in TruSTAR. |
| Allow Redact | No | Select this to redact a TruSTAR Report before sharing it into other Enclaves. The redaction process uses the redaction list your organization has stored in TruSTAR. |
| Allow Share | No | Select this to enable sharing of reports between TruSTAR Enclaves. |
| Enrichment Enclave ID(s) | No | The Enclave(s) to use for enriching Observables. To use multiple enclaves, separate each enclave ID with a comma and no spaces. You must specify at least one Enclave ID. Retrieving your Enclave IDs |
| Auto-enrich Observables | No | Select this to automatically enrich Observables in a FIR report with all available data and metadata from TruSTAR. All data returned from TruSTAR is shown in the Threat Lookup table in FIR. |

  3. Click Save to save these changes.
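The table's rules are easy to get wrong when typing values into the profile form, especially the "comma and no spaces" requirement for Enclave ID lists. The following is an added example, not code from the fir_trustar plugin or from TruSTAR: a hypothetical Python helper that checks a user's TruSTAR Configuration values against exactly the rules the table states (API Key and API Secret required, Enclave ID lists comma-separated with no spaces, and at least one Enclave ID where the description says so). The parameter names and the sample configuration are constructed for the example; the "ENCLAVE-A"-style IDs are placeholders, not real Enclave IDs.

```python
"""Check TruSTAR Configuration values against the rules in the parameter table.

Added example (not part of the fir_trustar plugin). Parameter names such as
"submission_enclave_ids" are assumptions chosen for this helper; the plugin's
own field names may differ.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def enclave_list_error(raw: str) -> Optional[str]:
    """Return None if raw is a valid comma-separated Enclave ID list, else the reason.

    The table requires IDs to be separated by a comma and no spaces, so any
    whitespace is rejected, as is an empty element ("a,,b" or a trailing comma).
    """
    if any(ch.isspace() for ch in raw):
        return "Enclave IDs must be separated by a comma with no spaces"
    if raw and any(not part for part in raw.split(",")):
        return "empty Enclave ID in list (check for a double or trailing comma)"
    return None


def parse_enclave_ids(raw: str) -> List[str]:
    """Split a validated Enclave ID list; an empty string yields no IDs."""
    err = enclave_list_error(raw)
    if err:
        raise ValueError(err)
    return raw.split(",") if raw else []


@dataclass
class ConfigReport:
    """Collected problems; messages never include the API Secret's value."""
    errors: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def validate_config(params: Dict[str, str]) -> ConfigReport:
    """Apply the table's rules to one user's TruSTAR Configuration."""
    report = ConfigReport()

    # API Key and API Secret are marked Required: Yes. Only presence is checked
    # here; the values themselves are deliberately not echoed into messages.
    for name in ("api_key", "api_secret"):
        if not params.get(name, "").strip():
            report.errors.append(f"{name} is required")

    # Enclave ID lists. The descriptions for Submission and Enrichment both say
    # "You must specify at least one Enclave ID"; Sharing has no such rule.
    for name, needs_one in (
        ("submission_enclave_ids", True),
        ("sharing_enclave_ids", False),
        ("enrichment_enclave_ids", True),
    ):
        raw = params.get(name, "")
        err = enclave_list_error(raw)
        if err:
            report.errors.append(f"{name}: {err}")
            continue
        if needs_one and not parse_enclave_ids(raw):
            report.errors.append(f"{name}: at least one Enclave ID is required")

    return report


# Constructed sample configuration with placeholder values (not real credentials).
SAMPLE_CONFIG: Dict[str, str] = {
    "api_key": "PLACEHOLDER-API-KEY",
    "api_secret": "PLACEHOLDER-API-SECRET",
    "submission_enclave_ids": "ENCLAVE-A,ENCLAVE-B",
    "sharing_enclave_ids": "",
    "enrichment_enclave_ids": "ENCLAVE-A",
    "auto_submit": "yes",
    "auto_enrich": "no",
}


if __name__ == "__main__":
    for label, cfg in (
        ("valid", SAMPLE_CONFIG),
        ("space after comma", {**SAMPLE_CONFIG, "submission_enclave_ids": "ENCLAVE-A, ENCLAVE-B"}),
        ("missing secret", {**SAMPLE_CONFIG, "api_secret": ""}),
    ):
        result = validate_config(cfg)
        print(f"{label}: {'ok' if result.ok else result.errors}")
```

Running the block prints one line per sample: the valid configuration passes, the list with a space after the comma is rejected with the "no spaces" message, and the configuration with an empty API Secret reports only that the secret is required, without revealing any value.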

You are now ready to use the TruSTAR Workflow App for FIR.
