F-ISAC
Introduction
TruSTAR is a threat intelligence platform designed to accelerate incident analysis process and exchange of intelligence among various internal and external teams. Financials Information Sharing and Analysis Center Japan (F-ISAC Japan) was established so that Japan’s financial institutions are able to share and analyze cyber security information, and conduct cooperative activities to improve their safety and security.
Prerequisites
This integration requires TruSTAR users to be members of F-ISAC and have access to retrieve their F-ISAC API key, Email, Password to enable the integration.
Configure Integration
After you have retrieved your F-ISAC API key, email and password follow these steps:
- Log into TruSTAR Station and go the Explore->Marketplace (https://station.trustar.co/browse/marketplace).
- Click on Closed Sources.
- Click on F-ISAC logo and fill in your API key, email and password.
- Click Submit.
TruSTAR will validate and enable the F-ISAC integration within 48 hours. You will receive an email from us informing you as soon as it is enabled.
After the integration in enabled you should see reports from F-ISAC being submitted into an enclave you control.
FAQ
What data do you currently pull from .F-ISAC?
Our integration currently only pulls reports from F-ISAC that have the cyber IOC’s listed below
These include:
- IP
- Domain
- URL
- MD5
- SHA1 /SHA256
Please contact us if you would like to discuss additional indicators that can be queried from F-SAC
How often is the data pulled?
Our integration retrieves data from F-ISAC every 15mins.
Technical Details
WorkFlow:
- Each Indicator block in the response will be submitted to TruSTAR as a new report
- LIST INDICATORS
Sample Query: GET https://localhost:7001/api/v1/indicators.json?q[predicate]=range&q[attribute]=indicator_updated_at&q[start]=2019/02/13 17:00&q[end]=2019/02/13 18:00
Response:
{
"indicators": [
{
"indicator_id": 5118,
"indicator_category": "NOTICE",
"indicator_type": "URL",
"indicator_value": "",
"indicator_description": ""
"indicator_date": "2019/02/13",
"indicator_time": "01:02:36",
"indicator_reliability": 99,
"indicator_validate_result": "NG",
"indicator_created_at": "2019/02/13 17:10",
"indicator_updated_at": "2019/02/13 17:10",
"group": {
"group_id": 1,
"group_name": ""
},
"feed": {
"feed_id": 11,
"feed_name": "\"
},
"thread": {
"thread_id": 7116,
"thread_title": "[金融\"
},
"message": {
"message_id": ,
"subject": "[金融ISAC]インディケー 2019/02/13",
"message_category": "INFO",
"body": "不審な
"expires": null,
"created_at": "2019/02/13 17:10",
"updated_at": "2019/02/13 17:10",
"author_name": "API 金融ISAC",
"belongs_to": "金融ISAC",
"tlp": "AMBER",
"priority": "INFORMATION"
}
]
}
TruSTAR Report Content Mapping:
Feed based TruStash
Type: Feed Ingest based TruStash
API Timeout : 30 seconds
BASE_URL - https://fisac-signal-v3.jpcert.or.jp/api/
API Mapping: API Key, Email, Password
Stash Type: f-isac
SourceType: Closed source
Note: Tags > 32 chars will be ignored.
Report Mapping fields (List Indicators)
Report Title - {indicator_type} {indicator_value} {message_subject}(e.g IPv4 38.21.241.233 DoS攻撃について)
External ID - encoded value of sha256 of {Report Title}
Report Body - full json response
Time Begun - Created_at": posting date and time
Tags - Priority": priority (e.g. Priority: High)
Deeplink - https://fisac-signal-v3.jpcert.or.jp/groups/4/feeds/11/threads/7228/messages
Client Type - PYTHON_SDK
Client Meta Tag - stash_f-isac
Please reach out to support@trustar.co for any additional questions.
