F-ISAC

Updated 5 months ago by Elvis Hovor

Introduction

TruSTAR is a threat intelligence platform designed to accelerate the incident analysis process and the exchange of intelligence among internal and external teams. Financials Information Sharing and Analysis Center Japan (F-ISAC Japan) was established so that Japan’s financial institutions can share and analyze cyber security information and conduct cooperative activities to improve their safety and security.

Prerequisites

This integration requires TruSTAR users to be members of F-ISAC and to be able to retrieve their F-ISAC API key, email and password in order to enable the integration.

Configure Integration

After you have retrieved your F-ISAC API key, email and password, follow these steps:

  1. Log into TruSTAR Station and go to Explore->Marketplace (https://station.trustar.co/browse/marketplace).
  2. Click on Closed Sources.
  3. Click on the F-ISAC logo and fill in your API key, email and password.
  4. Click Submit.

TruSTAR will validate and enable the F-ISAC integration within 48 hours. You will receive an email from us informing you as soon as it is enabled.

After the integration is enabled, you should see reports from F-ISAC being submitted into an enclave you control.

FAQ

What data do you currently pull from F-ISAC?

Our integration currently pulls only reports from F-ISAC that contain the cyber IOCs listed below.

These include:

  • IP
  • Domain
  • URL
  • MD5
  • SHA1 / SHA256

Please contact us if you would like to discuss additional indicators that can be queried from F-ISAC.

How often is the data pulled?

Our integration retrieves data from F-ISAC every 15 minutes.

Technical Details

Workflow:

  • Each Indicator block in the response will be submitted to TruSTAR as a new report

  • LIST INDICATORS
    Sample Query: GET https://localhost:7001/api/v1/indicators.json?q[predicate]=range&q[attribute]=indicator_updated_at&q[start]=2019/02/13 17:00&q[end]=2019/02/13 18:00

Response:

{
  "indicators": [
    {
      "indicator_id": 5118,
      "indicator_category": "NOTICE",
      "indicator_type": "URL",
      "indicator_value": "",
      "indicator_description": "",
      "indicator_date": "2019/02/13",
      "indicator_time": "01:02:36",
      "indicator_reliability": 99,
      "indicator_validate_result": "NG",
      "indicator_created_at": "2019/02/13 17:10",
      "indicator_updated_at": "2019/02/13 17:10",
      "group": {
        "group_id": 1,
        "group_name": ""
      },
      "feed": {
        "feed_id": 11,
        "feed_name": "\"
      },
      "thread": {
        "thread_id": 7116,
        "thread_title": "[金融\"
      },
      "message": {
        "message_id": ,
        "subject": "[金融ISAC]インディケー 2019/02/13",
        "message_category": "INFO",
        "body": "不審な
        "expires": null,
        "created_at": "2019/02/13 17:10",
        "updated_at": "2019/02/13 17:10",
        "author_name": "API 金融ISAC",
        "belongs_to": "金融ISAC",
        "tlp": "AMBER",
        "priority": "INFORMATION"
      }
    }
  ]
}

TruSTAR Report Content Mapping:

Feed based TruStash

Type: Feed Ingest based TruStash

API Timeout : 30 seconds

BASE_URL - https://fisac-signal-v3.jpcert.or.jp/api/

API Mapping: API Key, Email, Password

Stash Type: f-isac

SourceType: Closed source

Note: Tags > 32 chars will be ignored.

Report Mapping fields (List Indicators)

Report Title - {indicator_type} {indicator_value} {message_subject} (e.g. IPv4 38.21.241.233 DoS攻撃について)

External ID - encoded value of sha256 of {Report Title}

Report Body - full JSON response

Time Begun - "created_at": posting date and time

Tags - "priority": priority (e.g. Priority: High)

Deeplink - https://fisac-signal-v3.jpcert.or.jp/groups/4/feeds/11/threads/7228/messages

Client Type - PYTHON_SDK

Client Meta Tag - stash_f-isac
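
The field mapping above, as an added Python example (not TruSTAR's integration code): it turns each indicator block into the report fields and shows that blocks with the same type, value and subject produce the same External ID. Assumptions: the sha256 "encoded value" is a hex digest, the tag text is "Priority: <value>", the deeplink path is built from the group, feed and thread ids, and keeping only the first report per External ID is this example's choice; the function names and the sample blocks are constructed.

```python
import hashlib
import json
from datetime import datetime

BASE = "https://fisac-signal-v3.jpcert.or.jp"  # host of BASE_URL / Deeplink on the page
MAX_TAG_LEN = 32  # page: "Tags > 32 chars will be ignored"


def indicator_to_report(ind):
    """Map one indicator block to the report fields in the mapping above."""
    msg = ind["message"]
    title = f'{ind["indicator_type"]} {ind["indicator_value"]} {msg["subject"]}'
    # Assumption: "encoded value of sha256" = hex digest of the UTF-8 title.
    external_id = hashlib.sha256(title.encode("utf-8")).hexdigest()
    # Assumption: tag text is "Priority: <value>"; over-long tags are dropped.
    tags = [t for t in [f'Priority: {msg["priority"]}'] if len(t) <= MAX_TAG_LEN]
    # Assumption: deeplink path is built from the group, feed and thread ids.
    deeplink = (f'{BASE}/groups/{ind["group"]["group_id"]}/feeds/'
                f'{ind["feed"]["feed_id"]}/threads/{ind["thread"]["thread_id"]}/messages')
    return {
        "title": title,
        "external_id": external_id,
        "body": json.dumps(ind, ensure_ascii=False),  # full JSON of the block
        # Format taken from the sample response; no time zone is stated.
        "time_begun": datetime.strptime(msg["created_at"], "%Y/%m/%d %H:%M"),
        "tags": tags,
        "deeplink": deeplink,
    }


def map_response(response):
    """One report per indicator block; equal titles share one External ID."""
    reports = {}
    for ind in response.get("indicators", []):
        report = indicator_to_report(ind)
        reports.setdefault(report["external_id"], report)  # keep first seen
    return list(reports.values())


# Constructed sample: two blocks that differ only in indicator_id.
BLOCK = {"indicator_id": 1, "indicator_type": "IPv4", "indicator_value": "38.21.241.233",
         "group": {"group_id": 4}, "feed": {"feed_id": 11}, "thread": {"thread_id": 7228},
         "message": {"subject": "DoS攻撃について", "created_at": "2019/02/13 17:10",
                     "priority": "INFORMATION"}}
SAMPLE = {"indicators": [BLOCK, dict(BLOCK, indicator_id=2)]}

if __name__ == "__main__":
    for r in map_response(SAMPLE):
        print(r["external_id"], r["title"], r["tags"], r["deeplink"])
```

Because the External ID depends only on the title, a change to any other field of a block does not change it.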

Please reach out to support@trustar.co for any additional questions.

