Install: TruSTAR for FIR
Fast Incident Response (FIR) is a cybersecurity incident management platform designed to enable the easy creation, tracking, and reporting of cybersecurity incidents.
Time to install: 30 minutes
How TruSTAR Works with FIR
The TruSTAR App for FIR enables you to send FIR incidents or events to TruSTAR and receive back enrichment on Observables using any of the Intelligence Sources you have set up on the TruSTAR platform. This can accelerate response time to threats by confirming the severity of Observables seen in your organization.
- Fast Incident Response (available on GitHub)
- A TruSTAR account, with access to your API key and API secret information.
Installing the App
Download the TruSTAR app here
- Copy that downloaded fir_trustar folder to the root directory of your FIR instance.
- In a terminal window, execute this command to install Python dependencies for the TruSTAR App:
$ pip install -r fir_trustar/requirements.txt
- In $FIR_HOME/fir/config/installed_app.txt, add this line to the end of the file to enable the TruSTAR App:
- In the terminal window ($FIR_HOME), execute this command to sync the TruSTAR tables in the database schema:
$ ./manage.py migrate fir_trustar
- In the terminal window ($FIR_HOME), execute these commands:
$ ./manage.py migrate --settings fir.config.production
$ ./manage.py collectstatic --settings fir.config.production
$ sudo restart fir
For the latest versions of Ubuntu, use these sudo commands instead of "sudo restart fir":
$ sudo service fir_uwsgi restart
$ sudo service nginx reload
More information about installing a plug-in to FIR.
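The install steps above, collected into one fail-fast script as an added example (not code from the TruSTAR or FIR projects). It assumes the app label written to installed_app.txt is fir_trustar (the page does not print that line; the name is taken from the folder and the migrate step) and uses the newer-Ubuntu service commands for the restart.

```shell
#!/bin/sh
# Added example: runs the TruSTAR-for-FIR install steps from $FIR_HOME,
# stopping on the first error and never registering the app twice.
set -eu

# Assumed app label; the page elides the exact line added to installed_app.txt.
APP_LABEL="${APP_LABEL:-fir_trustar}"
SETTINGS="fir.config.production"

# Append a label to installed_app.txt only if that exact line is absent,
# so re-running the installer cannot duplicate the entry.
enable_app() {
    file="$1"; label="$2"
    touch "$file"
    if grep -qx "$label" "$file"; then
        return 0
    fi
    printf '%s\n' "$label" >> "$file"
}

# Number of lines in the file equal to the label (sanity check for enable_app).
count_label() {
    grep -cx "$2" "$1" || true
}

# The full procedure from the page, executed from $FIR_HOME.
install_trustar_app() {
    fir_home="${FIR_HOME:?set FIR_HOME to the root of your FIR instance}"
    cd "$fir_home"
    if [ ! -f "$APP_LABEL/requirements.txt" ]; then
        echo "copy the downloaded $APP_LABEL folder into $fir_home first" >&2
        return 1
    fi
    pip install -r "$APP_LABEL/requirements.txt"
    enable_app fir/config/installed_app.txt "$APP_LABEL"
    ./manage.py migrate "$APP_LABEL"
    ./manage.py migrate --settings "$SETTINGS"
    ./manage.py collectstatic --settings "$SETTINGS" --noinput
    # Restart the application and reload the web server (newer Ubuntu form).
    sudo service fir_uwsgi restart
    sudo service nginx reload
}

# Only run the installer when explicitly asked; sourcing the file just
# defines the functions.
if [ "${1:-}" = "--run" ]; then
    install_trustar_app
fi
```

Run it as `FIR_HOME=/path/to/fir sh install_trustar.sh --run`; the enable_app step is safe to repeat.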
Configuring the App
To use the TruSTAR App for FIR, you must configure two items:
- Add user permissions that enable one or more FIR users to interact with TruSTAR.
- Set parameters for accessing the TruSTAR platform.
Follow these steps to allow a user to access and exchange data with the TruSTAR platform.
- Log into FIR as admin.
- Select the ADMIN tab on the top menu bar.
- Under the Site Administration section, locate the Authentication and Authorization section.
- Create a new user or select an existing user.
- In the Available User Permissions column, filter the user permissions using fir_trustar.
- In the Available Groups box, move Incident Handlers to the Chosen Groups box by using the arrow between the two boxes.
- Click Save to save your changes.
After you set up permissions for one or more users, you need to specify how the TruSTAR App will work.
- Log into FIR and go to the user's profile page.
- In the TruSTAR Configuration section, specify the parameters listed below.
- API Key: Used to make API calls. See Finding your API Key.
- API Secret: Used when making API calls. See Finding your API Secret.
- Submission Enclave ID(s): The Enclave(s) to import data from. To import data from multiple Enclaves, separate each Enclave ID with a comma and no spaces. You must specify at least one Enclave ID.
- (Checkbox) Select this to automatically submit a new FIR Incident Report to TruSTAR.
- Sharing Enclave ID(s): A comma-separated list of Enclave IDs to share reports and indicators to in TruSTAR.
- (Checkbox) Select this to redact a TruSTAR Report before sharing it into other Enclaves. The redaction process uses the redaction list your organization has stored in TruSTAR.
- (Checkbox) Select this to enable sharing of reports between TruSTAR Enclaves.
- Enrichment Enclave ID(s): The Enclave(s) to use for enriching Observables. To use multiple Enclaves, separate each Enclave ID with a comma and no spaces. You must specify at least one Enclave ID.
- (Checkbox) Select this to automatically enrich Observables in a FIR report with all available data and metadata from TruSTAR. All data returned from TruSTAR is shown in the Threat Lookup table in FIR.
- Click Save when done to save these changes.
You are now ready to use the TruSTAR Workflow App for FIR.