User Guide: TruSTAR for MISP (v2)

Updated 2 weeks ago by Elvis Hovor

This document explains how to use the TruSTAR for MISP Workflow App.

Automatic Enrichment

After you install the App and TruSTAR has confirmed the subscription is active, you don't have to take any further actions. New MISP reports are sent every 15 minutes to TruSTAR for enrichment.

Enriched reports display a TruSTAR Reports tag...

Indicator Lookup

You can use this feature to enrich a single Indicator or to enrich multiple Indicators within a single MISP report.

Enriching a Single Indicator

  1. Open the event view in MISP.
  2. Scroll down to the attribute you want to enrich.
  3. In the Actions column on the right side of the table, you see two asterisk icons.
  4. To view enrichment data before committing it to the attribute, click the left asterisk icon. Alternatively, to view and add enrichment data, click the right asterisk icon.

Enriching Multiple Indicators

  1. Open the event view in MISP.
  2. Click Enrich Event on the left side.
  3. Select the trustar_enrich checkbox, and then click Enrich.

Enrichment Results


A new MISP object is added to the MISP event for every attribute that was enriched by TruSTAR. This new object displays up to three rows of data:

  • Original attribute with any tags found in TruSTAR
  • Enrichment data in JSON format in the Value column
  • A deep link to a report for the Indicator in the TruSTAR Web App

