Cases

Dashboard

Filter and Refine Panel

Main Screen

Marketplace

Navigate a Visualization

Navigation Bar

Searching

TruSTAR Community Chat

TruSTAR Enclaves

UI Tour (with Links)

Using Notes

Editing Your Profile

Notifications

User Settings

Copying a Report

Exporting Report Data

Moving a Report

Redacting Data from Reports

Report Distribution via Email

Reports Basics

Reports Constellation View

Reports List View

Reports Panel

Submitting a Report

Updating a Report

Deleting IOCs

Exporting IOCs

IOC Basics

IOC Constellation View

IOC List View

Uploading IOCs

Auto Whitelisting

Automating Forwarding to an Enclave Email Inbox

Company Whitelist

Enclave Email Inbox

Managing Users

Setting Up Multi-Factor Authentication (MFA)

Setting up a Service Account

MITRE ATT&CK

Threat Actors

Automated Sharing

Automatically Exporting Data

Scripts for Enclave Data Submit/Export

Okta (SSO)

Ping Identity (SSO)

Splunk ES FAQ

Splunk ES Installation

Splunk ES User Guide

Splunk v1.0.9 FAQ

Splunk v1.0.9 Installation

IBM QRadar FAQ

IBM QRadar Install

IBM QRadar User Guide

Anomali ThreatStream

LogRhythm

TAXII FAQ

TruSTAR TAXII Server

Demisto FAQ

Demisto Install

Demisto User Guide

Phantom Cyber FAQ

Phantom Cyber Install

Phantom Cyber User Guide

IBM Resilient FAQ

IBM Resilient Install

IBM Resilient User Guide

Jira FAQ

Jira Install

Jira User Guide

ServiceNow v1.1.0 FAQ

ServiceNow v1.1.0 Install

ServiceNow v1.1.0 User Guide

Chrome Extension

Slack

Digital Shadows

RiskIQ PassiveTotal

RiskIQ Blacklist Intelligence

Shape Blackfish

SpyCloud

Cisco AMP Threat Grid

Cisco AMP Threat Grid Indicator Query

Crowdstrike Falcon Detect

Crowdstrike Falcon Intelligence

Crowdstrike Falcon Reports

FireEye iSight

IBM X-Force

IBM XForce IRIS

Intel 471 Adversary Intelligence

Intel 471 Alerts

Intel 471 Malware Intelligence

Recorded Future Hash Intelligence

Recorded Future IP Intelligence

Recorded Future URL Intelligence

Recorded Future Vulnerability Intelligence

VirusTotal

A-ISAC

F-ISAC

FS-ISAC

NCFTA

AWS GuardDuty

Alienvault OTX Pulse

Cofense Intelligence

Cybersource

Facebook Threat Exchange

Farsight Security

Hybrid Analysis

Joe Sandbox

MISP

Proofpoint TAP Intelligence

Intel Feeds Source URLs

OSINT Sources Tech Specs

Premium Intel Sources Tech Specs

RSS Open Sources Tech Specs

TruSTAR’s Normalized Indicator Score Scale

COVID-19 OSINT Community Enclave

How To Read TruSTAR's Graph Visualization

Source Scoring Model

TruSTAR API

API Usage Policy

What is TruSTAR's Privacy Policy?

Clearing browser cookies and caches

Entities Supported

Finding your API Key

IOC Uploading

Integrations

Intel Sources FAQ

REST API and Python

Security

Sending ArcSight cases to TruSTAR

TruSTAR Basics

Using Proofpoint with TruSTAR

Release Notes

All Categories > Application Integrations > Orchestration > Demisto > Demisto User Guide

Demisto User Guide

Updated 3 weeks ago by Elvis Hovor

Related Documentation
Creating Playbooks
Working with Reports
Searching for Reports
Searching for IOCs
Managing Whitelists
- Add to Whitelist
- Remove IOC from Whitelist
Listing TruSTAR Enclaves

This document explains how to use the features of the TruSTAR App for Demisto

Creating Playbooks

You can automate workflows by creating playbooks in Demisto that use TruSTAR functionality.

Select Playbook in the menu list.
Select Create New Playbook and search for the TruSTAR actions in the Task library.
Select the TruSTAR action you want to use in the playbook. Each action is described later in this document.
Configure the associated parameters for that action and complete to add action to playbook. More details on how to setup demisto playbooks can be found here.

Working with Reports

You can use Demisto to submit, update, or delete reports in TruSTAR.

Submitting a Report to TruSTAR

Format: trustar-submit-report

Description: Submits a new incident report to TruSTAR and adds the new ID to the Demisto incident.

Example:

!trustar-submit-report title="testreport" report-body=8.8.8.2,8.8.8.1 distribution-type=ENCLAVE enclave-ids=xxxxxx-xxx-xxx-xxxx

Updating a Report

Format: trustar-update-report

Description: Updates the specified TruSTAR report. You can specify either the internal TruSTAR report ID or an external tracking ID. Only the fields included in the action will be updated; all others fields are left unchanged.

Example:

!trustar-update-report report-body={'ip':8.8.8.2'} report-id=b11d4516-9935-4be7-9d6a-4940b564d32e title=testreport

Deleting a Report

Format: trustar-delete-report

Description: Deletes the specified report. You can specify either the internal TruSTAR report ID or an external tracking ID.

Example:

!trustar-delete-report report-id=b11d4516-9935-4be7-9d6a-4940b564d32e

Searching for Reports

You can search for reports by using filters, IDs, or other criteria.

Searching With Filters

Format: trustar-get-reports

Description: Returns incident reports matching the specified filters. All parameters are optional: if nothing is specified, the latest 25 reports will be returned. This matches the view you would see in TruSTAR Station.

Example:

!trustar-get-reports distribution-type=ENCLAVE

Using Search Terms

Format: trustar-search-reports

Description: Searches for all reports that contain the given search term.

Example:

!trustar-search-reports search-term=8.8.8.1

Searching by ID

Format: trustar-report-details

Description: Finds a report by its internal or external id.

Example:

!trustar-report-details report-id=3ad95dfb-72a1-42fc-9780-da264bfbce94

Searching by IOCs

Format: trustar-correlated-reports:

Description: Returns a list of all reports that contain any of the provided IOC values.

Example:

!trustar-correlated-reports indicators=8.8.8.1

Searching for IOCs

You can use TruSTAR actions to search for correlated indicators or by search term. You can also list the top 10 IOCs in TruSTAR.

Searching for Related Indicators

Format: trustar-related-indicators

Description: Searches all TruSTAR reports for the specified IOCs and return all correlated indicators from search results. Two indicators are considered correlated if they can be found in a common report.

Example:

!trustar-related-indicators indicators=8.8.8.1

Searching by Search Term

Format: trustar-search-indicators:

Definition: Searches for all indicators that contain the given search term.

Example:

!trustar-search-indicators search-term=8.8.8.1

Returning Top 10 IOCs

Format: trustar-trending-indicators

Description: Returns the 10 indicators that have recently appeared in the most community reports. This is analogous to the Community Trends section of the dashboard on TruSTAR Station.

Example:

!trustar-trending-indicators

Managing Whitelists

TruSTAR provides two actions for working with whitelisted items.

Add to Whitelist

Format: trustar-add-to-whitelist

Description: Whitelist a list of indicator values for the user’s company.

Example:

!trustar-add-to-whitelist indicators=8.8.8.1

Remove IOC from Whitelist

Format: trustar-remove-from-whitelist

Description: Delete an indicator from the user’s company whitelist.

Example:

!trustar-remove-from-whitelist indicator=8.8.8.1 indicator-type=IP

Listing TruSTAR Enclaves

Format: trustar-get-enclaves:

Description: Returns the list of all enclaves that the user has access to, as well as whether they can read, create, and update reports in that enclave. This command does not require arguments

Example:

!trustar-get-enclaves

Demisto User Guide

Related Documentation

Creating Playbooks

Working with Reports

Submitting a Report to TruSTAR

Updating a Report

Deleting a Report

Searching for Reports

Searching With Filters

Using Search Terms

Searching by ID

Searching by IOCs

Searching for IOCs

Searching for Related Indicators

Searching by Search Term

Returning Top 10 IOCs

Managing Whitelists

Add to Whitelist

Remove IOC from Whitelist

Listing TruSTAR Enclaves

How Did We Do?

Related Articles Demisto Install Jira User Guide Phantom Cyber User Guide

Contact

Related Articles

Demisto Install

Jira User Guide

Phantom Cyber User Guide