Report Commands in Demisto

Updated 5 months ago by TruSTAR

With the TruSTAR Workflow App for Demisto, you can submit, update, copy, move, or delete an Intelligence Report, as well as find Indicators contained in a Report.

Submit Report

Submits a new Report to TruSTAR and adds the TruSTAR Report ID to the Demisto incident.

Format

trustar-submit-report

Example

!trustar-submit-report title="fake title" report_body="the report body goes here" enclave_ids=xxxxx-yyyy-zzzzz

Inputs

| Argument | Description | Required |
|---|---|---|
| title | Title of the Intelligence Report | Yes |
| report_body | Text content of the Report | Yes |
| enclave_ids | Enclave ID of where the Report will be stored in TruSTAR. The argument is required if the distribution type is ENCLAVE. | Yes, if distribution_type is set to ENCLAVE |
| distribution_type | Distribution type of the report. Legal values are COMMUNITY or ENCLAVE (the default). | No |
| external_url | URL for the external report that this originated from, if one exists. This URL must be unique across all reports in your organization. Maximum is 500 alphanumeric characters. | No |
| time_began | ISO-8601 formatted incident time with timezone; for example, 2016-09-22T11:38:35+00:00. Default is the current time. | No |

Outputs

| Path | Type | Description |
|---|---|---|
| TruSTAR.Report.title | string | Title of the report |
| TruSTAR.Report.reportBody | string | Body of the report |
| TruSTAR.Report.id | string | ID of the report |

Update Report

Updates the information in a Report. You can specify either the TruSTAR Report ID or an external tracking ID, such as a Demisto incident number. This command can only update a single Report. Only the fields included in the action are updated; all other fields are left unchanged.

Format

trustar-update-report

Example

!trustar-update-report report_id=b11d4516-9935-4be7-9d6a-xxxxxxxx title="new title"

Inputs

| Argument | Description | Required |
|---|---|---|
| report_id | TruSTAR Report ID or external tracking ID | Yes |
| title | Title of the report | No |
| report_body | Text content of the report | No |
| distribution_type | Distribution type of the report. Legal values are COMMUNITY or ENCLAVE (the default). | No |
| enclave_ids | Comma-separated list of Enclave IDs to search. If no argument is specified, the default is to search all enclaves which you have Read access to in TruSTAR. Mandatory if the distribution type is ENCLAVE. | No |
| external_url | URL for the external report that this originated from, if one exists. Limit 500 alphanumeric characters. Must be unique across all reports for a given company. | No |
| time_began | ISO-8601 formatted incident time with timezone, e.g. 2016-09-22T11:38:35+00:00. Default is the current time. | No |

Outputs

| Path | Type | Description |
|---|---|---|
| TruSTAR.Report.title | string | Title of the report |
| TruSTAR.Report.reportBody | string | Body of the report |
| TruSTAR.Report.id | string | ID of the report |

Copy Report

Makes a copy of the Report in a different Enclave. There is no output returned for this command.

Format

trustar-copy-report

Example

!trustar-copy-report report_id=xxxx.yyyyy.zzzzz dest_enclave_id=aaaaa.2222.bbbbb.33333

Inputs

| Argument | Description | Required |
|---|---|---|
| report_id | The ID of the Report you want to copy | Yes |
| dest_enclave_id | The ID of the destination Enclave | Yes |

Move Report

Moves a Report from one Enclave to another. There is no output returned for this command.

Format

trustar-move-report

Example

!trustar-move-report report_id=xxxx.yyyyy.zzzzz dest_enclave_id=aaaaa.2222.bbbbb.33333

Inputs

| Argument | Description | Required |
|---|---|---|
| report_id | The ID of the Intel Report you want to move | Yes |
| dest_enclave_id | The ID of the destination Enclave | Yes |

Delete Report

Completely removes the specified Report. You can specify either the TruSTAR Report ID or an external tracking ID, such as a JIRA issue number. There is no output returned for this command.

Format

trustar-delete-report

Example

!trustar-delete-report report_id=b11d4516-9935-4be7-9d6a-xxxxxxx

Inputs

| Argument | Description | Required |
|---|---|---|
| report_id | The ID of the Report to delete: either its TruSTAR Report ID or an external tracking ID, as selected by id_type. | Yes |
| id_type | Type of report ID. Legal values are EXTERNAL or INTERNAL (default). | No |

Get Indicators

Returns a list of Indicators extracted from the specified Report. This command is limited to one Report at a time.

Format

trustar-get-indicators-for-report

Example

!trustar-get-indicators-for-report report_id=xxxx.yyyyy.zzzzz

Inputs

| Argument | Description | Required |
|---|---|---|
| report_id | The ID of the Intel Report to get the indicators from. | Yes |
| limit | Limit of results to return. Maximum possible value is 1000. Default is 25. | No |

Outputs

| Path | Type | Description |
|---|---|---|
| TruSTAR.Indicators.type | string | Indicator type |
| TruSTAR.Indicators.value | string | Indicator value |
| File.Name | string | The full file name (including file extension) |
| <Indicator> | string | Supported Indicators |
| DBotScore.Indicator | string | The indicator we tested |
| DBotScore.Type | string | The type of the indicator |
| DBotScore.Vendor | string | Vendor used to calculate the score |
| DBotScore.Score | number | The actual score |
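A playbook consuming this command works with the context paths in the Outputs table, and the limit argument decides how many of the Report's indicators it ever sees. The block below is an added example, not code from the TruSTAR Workflow App or from Demisto: it applies the documented limit rules (default 25, ceiling 1000), drops blank and duplicate indicators, and shapes the result into TruSTAR.Indicators and DBotScore entries. The "indicatorType"/"value" keys of the raw items, the Vendor string "TruSTAR" and the choice to report Unknown (0) when no score source is supplied are assumptions; the sample indicators are constructed from documentation and reserved ranges.

```python
# Added example, not code from the TruSTAR Workflow App: turn the raw indicator
# list returned for a Report into the context paths listed in the Outputs table,
# applying the documented limit rules (default 25, ceiling 1000).

DEFAULT_LIMIT = 25
MAX_LIMIT = 1000
VENDOR = "TruSTAR"          # assumed value for DBotScore.Vendor
# Demisto's DBotScore scale: 0 Unknown, 1 Good, 2 Suspicious, 3 Bad.
DBOT_UNKNOWN = 0


def resolve_limit(limit):
    """Apply the documented default and ceiling; reject anything that is not a positive integer."""
    if limit is None or limit == "":
        return DEFAULT_LIMIT
    n = int(limit)
    if n < 1:
        raise ValueError("limit must be at least 1")
    return min(n, MAX_LIMIT)


def build_indicator_context(raw_indicators, limit=None, score_for=None):
    """Return {"TruSTAR.Indicators": [...], "DBotScore": [...]} for at most `limit` distinct indicators.

    Items of `raw_indicators` are assumed to carry "indicatorType" and "value" keys (an assumption
    about the response shape, not taken from the documentation). `score_for(type, value)` is an
    optional hook that supplies a DBotScore; without it every entry is reported as Unknown (0).
    """
    n = resolve_limit(limit)
    seen, trustar_entries, dbot_entries = set(), [], []
    for item in raw_indicators:
        itype = str(item.get("indicatorType", "")).strip().upper()
        value = str(item.get("value", "")).strip()
        if not itype or not value or (itype, value) in seen:   # skip blanks and duplicates
            continue
        seen.add((itype, value))
        trustar_entries.append({"type": itype, "value": value})
        dbot_entries.append({
            "Indicator": value,
            "Type": itype,
            "Vendor": VENDOR,
            "Score": score_for(itype, value) if score_for else DBOT_UNKNOWN,
        })
        if len(trustar_entries) >= n:
            break
    return {"TruSTAR.Indicators": trustar_entries, "DBotScore": dbot_entries}


# Constructed sample, shaped as assumed above; values come from documentation/reserved ranges.
SAMPLE_RAW_INDICATORS = [
    {"indicatorType": "IP", "value": "198.51.100.23"},
    {"indicatorType": "IP", "value": "198.51.100.23"},     # duplicate, dropped
    {"indicatorType": "URL", "value": "http://example.invalid/login"},
    {"indicatorType": "SHA256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"indicatorType": "MD5", "value": ""},                  # empty value, dropped
    {"indicatorType": "EMAIL_ADDRESS", "value": "lure@example.invalid"},
]

if __name__ == "__main__":
    ctx = build_indicator_context(SAMPLE_RAW_INDICATORS, limit=3)
    for entry in ctx["DBotScore"]:
        print(entry)
```

Because the ceiling is 1000 and the default only 25, a Report with many extracted indicators is silently truncated unless the playbook passes an explicit limit; the dedup step matters because the same value can be extracted more than once from one Report body.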

