Report Commands in Demisto
With the TruSTAR Workflow App for Demisto, you can submit, update, copy, move, or delete an Intelligence Report, as well as find Indicators contained in a Report.
Submit Report
Submits a new Report to TruSTAR and adds the TruSTAR Report ID to the Demisto incident.
Format
trustar-submit-report
Example
!trustar-submit-report title="fake title" report-body="the report body goes here" enclave_ids=xxxxx-yyyy-zzzzz
Inputs
Argument | Description | Required |
title | Title of the Intelligence Report | Yes |
report_body | Text content of the Report | Yes |
enclave_id | ID of the Enclave in which the Report will be stored in TruSTAR. Required if the distribution type is ENCLAVE. | Yes, if distribution_type is set to ENCLAVE |
distribution_type | Distribution type of the report. Legal values are COMMUNITY or ENCLAVE (the default). | No |
external_url | URL for the external report that this originated from, if one exists. This URL must be unique across all reports in your organization. Maximum is 500 alphanumeric characters. | No |
time_began | ISO-8601 formatted incident time with timezone; for example, 2016-09-22T11:38:35+00:00. Default is current timezone. | No |
Outputs
Path | Type | Description |
TruSTAR.Report.title | string | Title of the report |
TruSTAR.Report.reportBody | string | Body of the report |
TruSTAR.Report.id | string | ID of the report |
Update Report
Updates the information in a Report. You can specify either the TruSTAR Report ID or an external tracking ID, such as a Demisto incident number. This command can only update a single Report. Only the fields included in the action are updated; all other fields are left unchanged.
Format
trustar-update-report
Example
!trustar-update-report report_id=b11d4516-9935-4be7-9d6a-xxxxxxxx title="new title"
Inputs
Argument | Description | Required |
report_id | TruSTAR Report ID or external tracking ID | Yes |
title | Title of the report | No |
report-body | Text content of report | No |
distribution_type | Distribution type of the report. Legal values are COMMUNITY or ENCLAVE (the default). | No |
enclave_ids | Comma-separated list of Enclave IDs to search. If no argument is specified, the default is to search all Enclaves to which you have Read access in TruSTAR. Mandatory if the distribution type is ENCLAVE. | No |
external_url | URL for the external report that this originated from, if one exists. Limit 500 alphanumeric characters. Must be unique across all reports for a given company. | No |
time_began | ISO-8601 formatted incident time with timezone, e.g. 2016-09-22T11:38:35+00:00. Default is current time. | No |
Outputs
Path | Type | Description |
TruSTAR.Report.title | string | Title of the report |
TruSTAR.Report.reportBody | string | Body of the report |
TruSTAR.Report.id | string | ID of the report |
Copy Report
Makes a copy of the Report in a different Enclave. There is no output returned for this command.
Format
trustar-copy-report
Example
!trustar-copy-report report_id=xxxx.yyyyy.zzzzz dest_enclave_id=aaaaa.2222.bbbbb.33333
Inputs
Argument | Description | Required |
report_id | The ID of the Report you want to copy | Yes |
dest_enclave_id | The ID of the destination Enclave | Yes |
Move Report
Moves a Report from one Enclave to another. There is no output returned for this command.
Format
trustar-move-report
Example
!trustar-move-report report_id=xxxx.yyyyy.zzzzz dest_enclave_id=aaaaa.2222.bbbbb.33333
Inputs
Argument | Description | Required |
report_id | The ID of the Intelligence Report you want to move | Yes |
dest_enclave_id | The ID of the destination Enclave | Yes |
Delete Report
Completely removes the specified Report. You can specify either the TruSTAR Report ID or an external tracking ID, such as a JIRA issue number. There is no output returned for this command.
Format
trustar-delete-report
Example
!trustar-delete-report report_id=b11d4516-9935-4be7-9d6a-xxxxxxx
Inputs
Argument | Description | Required |
report_id | The internal (TruSTAR) or external tracking ID of the Report to delete. | Yes |
id_type | Type of report ID. Legal values are EXTERNAL or INTERNAL (default). | No |
Get Indicators
Returns a list of Indicators extracted from the specified Report. This command is limited to one Report at a time.
Format
trustar-get-indicators-for-report
Example
!trustar-get-indicators-for-report report_id=xxxx.yyyyy.zzzzz
Inputs
Argument | Description | Required |
report_id | The ID of the Intelligence Report from which to extract Indicators. | Yes |
limit | Maximum number of Indicators to return. The maximum value is 1000; the default is 25. | No |
Outputs
Path | Type | Description |
TruSTAR.Indicators.type | string | Indicator type |
TruSTAR.Indicators.value | string | Indicator value |
File.Name | string | The full file name (including file extension) |
<Indicator> | string | |
DBotScore.Indicator | string | The indicator we tested |
DBotScore.Type | string | The type of the indicator |
DBotScore.Vendor | string | Vendor used to calculate the score |
DBotScore.Score | number | The actual score |
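The following is an added example, not part of the TruSTAR app or this page: a small Python helper that validates the documented constraints for Submit Report and Get Indicators (distribution type, mandatory enclave_id for ENCLAVE, the 500-character external_url limit, a timezone-qualified time_began, and the 1..1000 limit range) before building the war-room command line. Argument names follow the Inputs tables above (report_body with an underscore); the quoting and backslash-escaping of values is an assumption about the war-room parser, not something the page states.

```python
from datetime import datetime
from typing import Optional

# Legal values and bounds documented in the Inputs tables on this page.
DISTRIBUTION_TYPES = {"COMMUNITY", "ENCLAVE"}
MAX_EXTERNAL_URL = 500
MAX_INDICATOR_LIMIT = 1000
DEFAULT_INDICATOR_LIMIT = 25


def _quote(value: str) -> str:
    """Wrap a value in double quotes so spaces survive; escaping embedded
    quotes with a backslash is an assumption about the war-room parser."""
    return '"' + value.replace('"', '\\"') + '"'


def build_submit_report(title: str, report_body: str, enclave_id: Optional[str] = None,
                        distribution_type: str = "ENCLAVE", external_url: Optional[str] = None,
                        time_began: Optional[str] = None) -> str:
    """Check the documented constraints and return the trustar-submit-report line."""
    if distribution_type not in DISTRIBUTION_TYPES:
        raise ValueError(f"distribution_type must be one of {sorted(DISTRIBUTION_TYPES)}")
    # enclave_id is mandatory for the default ENCLAVE distribution; catching a
    # missing value here avoids a rejected submission (or intel landing in the
    # wrong place) later in the playbook.
    if distribution_type == "ENCLAVE" and not enclave_id:
        raise ValueError("enclave_id is required when distribution_type is ENCLAVE")
    if external_url is not None and len(external_url) > MAX_EXTERNAL_URL:
        raise ValueError(f"external_url exceeds {MAX_EXTERNAL_URL} characters")
    if time_began is not None:
        # ISO-8601 with an explicit offset, e.g. 2016-09-22T11:38:35+00:00
        if datetime.fromisoformat(time_began).tzinfo is None:
            raise ValueError("time_began must include a timezone offset")
    args = {"title": title, "report_body": report_body, "distribution_type": distribution_type,
            "enclave_id": enclave_id, "external_url": external_url, "time_began": time_began}
    parts = [f"{key}={_quote(val)}" for key, val in args.items() if val is not None]
    return "!trustar-submit-report " + " ".join(parts)


def build_get_indicators(report_id: str, limit: int = DEFAULT_INDICATOR_LIMIT) -> str:
    """Return the trustar-get-indicators-for-report line, enforcing the limit bounds."""
    if not 1 <= limit <= MAX_INDICATOR_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_INDICATOR_LIMIT}")
    return f"!trustar-get-indicators-for-report report_id={_quote(report_id)} limit={limit}"
```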