Demisto User Guide

Updated 2 weeks ago by Elvis Hovor

This document explains how to use the features of the TruSTAR App for Demisto

Creating Playbooks

You can automate workflows by creating playbooks in Demisto that use TruSTAR functionality.

  1. Select Playbook in the menu list.
  2. Select Create New Playbook and search for the TruSTAR actions in the Task library.
  3. Select the TruSTAR action you want to use in the playbook. Each action is described later in this document.
  4. Configure the associated parameters for that action and complete to add action to playbook. More details on how to setup demisto playbooks can be found here.

Working with Reports

You can use Demisto to submit, update, or delete reports in TruSTAR.

Submitting a Report to TruSTAR

Format: trustar-submit-report

Description: Submits a new incident report to TruSTAR and adds the new ID to the Demisto incident.

Example:

!trustar-submit-report report-body={'ip':8.8.8.2} title=testreport

Updating a Report

Format: trustar-update-report

Description: Updates the specified TruSTAR report. You can specify either the internal TruSTAR report ID or an external tracking ID. Only the fields included in the action will be updated; all others fields are left unchanged.

Example:

!trustar-update-report report-body={'ip':8.8.8.2'} report-id=b11d4516-9935-4be7-9d6a-4940b564d32e title=testreport

Deleting a Report

Format: trustar-delete-report

Description: Deletes the specified report. You can specify either the internal TruSTAR report ID or an external tracking ID.

Example:

!trustar-delete-report report-id=b11d4516-9935-4be7-9d6a-4940b564d32e

Searching for Reports

You can search for reports by using filters, IDs, or other criteria.

Searching With Filters

Format: trustar-get-reports

Description: Returns incident reports matching the specified filters. All parameters are optional: if nothing is specified, the latest 25 reports will be returned. This matches the view you would see in TruSTAR Station.

Example:

!trustar-get-reports distribution-type=ENCLAVE

Using Search Terms

Format: trustar-search-reports

Description: Searches for all reports that contain the given search term.

Example:

!trustar-search-reports search-term=8.8.8.1

Searching by ID

Format: trustar-report-details

Description: Finds a report by its internal or external id.

Example:

!trustar-report-details report-id=3ad95dfb-72a1-42fc-9780-da264bfbce94

Searching by IOCs

Format: trustar-correlated-reports:

Description: Returns a list of all reports that contain any of the provided IOC values.

Example:

!trustar-correlated-reports indicators=8.8.8.1

Searching for IOCs

You can use TruSTAR actions to search for correlated indicators or by search term. You can also list the top 10 IOCs in TruSTAR.

Format: trustar-related-indicators

Description: Searches all TruSTAR reports for the specified IOCs and return all correlated indicators from search results. Two indicators are considered correlated if they can be found in a common report.

Example:

!trustar-related-indicators indicators=8.8.8.1

Searching by Search Term

Format: trustar-search-indicators:

Definition: Searches for all indicators that contain the given search term.

Example:

!trustar-search-indicators search-term=8.8.8.1

Returning Top 10 IOCs

Format: trustar-trending-indicators

Description: Returns the 10 indicators that have recently appeared in the most community reports. This is analogous to the Community Trends section of the dashboard on TruSTAR Station.

Example:

!trustar-trending-indicators

Managing Whitelists

TruSTAR provides two actions for working with whitelisted items.

Add to Whitelist

Format: trustar-add-to-whitelist

Description: Whitelist a list of indicator values for the user’s company.

Example:

!trustar-add-to-whitelist indicators=8.8.8.1

Remove IOC from Whitelist

Format: trustar-remove-from-whitelist

Description: Delete an indicator from the user’s company whitelist.

Example:

!trustar-remove-from-whitelist indicator=8.8.8.1 indicator-type=IP

Listing TruSTAR Enclaves

Format: trustar-get-enclaves:

Description: Returns the list of all enclaves that the user has access to, as well as whether they can read, create, and update reports in that enclave. This command does not require arguments

Example: 

!trustar-get-enclaves

How Did We Do?