Report Commands in Demisto
The TruSTAR Workflow App for Demisto supports these actions for working with Intel Reports:
- Submit a Report
- Update a Report
- Copy a Report
- Move a Report
- Delete a Report
- Get Indicators in an Intel Report
Submit Report
This command submits a new Intel Report to TruSTAR and adds the TruSTAR Report ID to the Demisto incident.
Format
trustar-submit-report
Example
!trustar-submit-report title="fake title" report_body="the report body goes here" enclave_id=xxxxx-yyyy-zzzzz
Inputs
| Argument | Description | Required |
| --- | --- | --- |
| title | Title of the Intel Report | Yes |
| report_body | Text content of the Intel Report | Yes |
| enclave_id | ID of the Enclave in which the Intel Report will be stored in TruSTAR. Required if the distribution type is ENCLAVE. | Yes, if distribution_type is set to ENCLAVE |
| distribution_type | Distribution type of the report. Legal values are COMMUNITY or ENCLAVE (the default). | No |
| external_url | URL of the external report this one originated from, if one exists. This URL must be unique across all reports in your organization. Maximum of 500 alphanumeric characters. | No |
| time_began | ISO-8601 formatted incident time with timezone; for example, 2016-09-22T11:38:35+00:00. Default is the current time. | No |
Outputs
| Path | Type | Description |
| --- | --- | --- |
| TruSTAR.Report.title | string | Title of the report |
| TruSTAR.Report.reportBody | string | Body of the report |
| TruSTAR.Report.id | string | ID of the report |
Update Report
This command updates the specified TruSTAR Intel Report. You can specify either the TruSTAR Report ID or an external tracking ID, such as a Demisto incident number. Each invocation updates a single Intel Report.
Only the fields included in the command are updated; all other fields are left unchanged.
Format
trustar-update-report
Example
!trustar-update-report report_id=b11d4516-9935-4be7-9d6a-xxxxxxxx title="new title"
Inputs
| Argument | Description | Required |
| --- | --- | --- |
| report_id | TruSTAR Report ID or external tracking ID | Yes |
| title | Title of the report | No |
| report_body | Text content of the report | No |
| distribution_type | Distribution type of the report. Legal values are COMMUNITY or ENCLAVE (the default). | No |
| enclave_ids | Comma-separated list of Enclave IDs. If no argument is specified, the default is all enclaves to which you have Read access in TruSTAR. Mandatory if the distribution type is ENCLAVE. | No (Yes, if distribution_type is ENCLAVE) |
| external_url | URL of the external report this one originated from, if one exists. Limit of 500 alphanumeric characters. Must be unique across all reports for a given company. | No |
| time_began | ISO-8601 formatted incident time with timezone, e.g. 2016-09-22T11:38:35+00:00. Default is the current time. | No |
Outputs
| Path | Type | Description |
| --- | --- | --- |
| TruSTAR.Report.title | string | Title of the report |
| TruSTAR.Report.reportBody | string | Body of the report |
| TruSTAR.Report.id | string | ID of the report |
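The Submit and Update tables above document the same argument constraints (required title and body on submit, enclave_id mandatory when distribution_type is ENCLAVE, a 500-character external_url limit, and an ISO-8601 time_began with timezone). The following added example, which is not part of the TruSTAR app or Demisto, checks a playbook's argument dict against those rules before the command is issued and renders the war-room command line shown in the examples; the function names and the whitespace-based quoting rule are assumptions.

```python
"""Argument checks for trustar-submit-report / trustar-update-report (added example)."""
from datetime import datetime

MAX_EXTERNAL_URL = 500                      # documented limit (alphanumeric characters)
DISTRIBUTION_TYPES = {"COMMUNITY", "ENCLAVE"}


def validate_report_args(args, update=False):
    """Return a list of problems; an empty list means the arguments satisfy the documented rules.

    update=True relaxes the rules to those of trustar-update-report: title and body are
    optional, and the enclave requirement only applies when distribution_type is supplied.
    """
    problems = []
    if not update:
        for key in ("title", "report_body"):
            if not str(args.get(key, "")).strip():
                problems.append(f"{key} is required")

    # ENCLAVE is the documented default for a new report; on update, absence means "unchanged".
    dist = args.get("distribution_type", None if update else "ENCLAVE")
    if dist is not None:
        if dist not in DISTRIBUTION_TYPES:
            problems.append(f"distribution_type must be COMMUNITY or ENCLAVE, got {dist!r}")
        elif dist == "ENCLAVE" and not (args.get("enclave_id") or args.get("enclave_ids")):
            problems.append("enclave_id is required when distribution_type is ENCLAVE")

    url = args.get("external_url")
    if url is not None and len(url) > MAX_EXTERNAL_URL:
        problems.append(f"external_url exceeds {MAX_EXTERNAL_URL} characters")

    began = args.get("time_began")
    if began is not None:
        try:
            parsed = datetime.fromisoformat(began)   # accepts 2016-09-22T11:38:35+00:00
        except ValueError:
            problems.append("time_began is not ISO-8601")
        else:
            if parsed.tzinfo is None:               # offset is mandatory per the table
                problems.append("time_began must carry a timezone offset")
    return problems


def build_command_line(command, args):
    """Render the argument dict as a war-room invocation, e.g. !trustar-update-report report_id=... title="new title".

    Assumed quoting rule: values containing whitespace are wrapped in double quotes.
    """
    def quote(value):
        value = str(value)
        return f'"{value}"' if any(ch.isspace() for ch in value) else value
    return "!" + command + "".join(f" {k}={quote(v)}" for k, v in args.items())
```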
Copy Report
This command copies an Intel Report from one Enclave to another.
Format
trustar-copy-report
Example
!trustar-copy-report report_id=xxxx.yyyyy.zzzzz dest_enclave_id=aaaaa.2222.bbbbb.33333
Inputs
| Argument | Description | Required |
| --- | --- | --- |
| report_id | The ID of the Intel Report you want to copy | Yes |
| dest_enclave_id | The ID of the destination Enclave | Yes |
Output
None
Move Report
This command moves an Intel Report from one Enclave to another.
Format
trustar-move-report
Example
!trustar-move-report report_id=xxxx.yyyyy.zzzzz dest_enclave_id=aaaaa.2222.bbbbb.33333
Inputs
| Argument | Description | Required |
| --- | --- | --- |
| report_id | The ID of the Intel Report you want to move | Yes |
| dest_enclave_id | The ID of the destination Enclave | Yes |
Output
None
Delete Report
In the TruSTAR App for Demisto, this command deletes the specified Intel Report. You can specify either the TruSTAR Report ID or an external tracking ID, such as a JIRA issue number.
Format
trustar-delete-report
Example
!trustar-delete-report report_id=b11d4516-9935-4be7-9d6a-xxxxxxx
Inputs
| Argument | Description | Required |
| --- | --- | --- |
| report_id | Finds a report by its internal or external ID. | Yes |
| id_type | Type of report ID. Legal values are EXTERNAL or INTERNAL (the default). | No |
Output
None
Get Indicators in Report
This command returns a list of Indicators extracted from the specified Intel Report. This command is limited to one Intel Report at a time.
Format
trustar-get-indicators-for-report
Example
!trustar-get-indicators-for-report report_id=xxxx.yyyyy.zzzzz
Inputs
| Argument | Description | Required |
| --- | --- | --- |
| report_id | The ID of the Intel Report from which to get the indicators. | Yes |
| limit | Maximum number of results to return. The highest allowed value is 1000. Default is 25. | No |
Outputs
| Path | Type | Description |
| --- | --- | --- |
| TruSTAR.Indicators.type | string | Indicator type |
| TruSTAR.Indicators.value | string | Indicator value |
| File.Name | string | The full file name (including file extension) |
| <Indicator> | string | |
| DBotScore.Indicator | string | The indicator that was tested |
| DBotScore.Type | string | The type of the indicator |
| DBotScore.Vendor | string | Vendor used to calculate the score |
| DBotScore.Score | number | The actual score |