Report Commands in Demisto

Updated 21 hours ago by Elvis Hovor

The TruSTAR Workflow App for Demisto supports these actions for working with Intel Reports:

  • Submit a Report
  • Update a Report
  • Copy a Report
  • Move a Report
  • Delete a Report
  • Get Indicators in an Intel Report

Submit Report

This command submits a new Intel Report to TruSTAR and adds the TruSTAR Report ID to the Demisto incident.

Format

trustar-submit-report

Example

!trustar-submit-report title="fake title" report-body="the report body goes here" enclave_ids=xxxxx-yyyy-zzzzz

Inputs

Argument          | Description                                                                                              | Required
title             | Title of the Intel Report                                                                                | Yes
report_body       | Text content of the Intel Report                                                                         | Yes
enclave_id        | ID of the TruSTAR Enclave in which the Intel Report will be stored.                                      | Yes, if distribution_type is set to ENCLAVE
distribution_type | Distribution type of the report. Legal values are COMMUNITY or ENCLAVE (the default).                    | No
external_url      | URL of the external report this one originated from, if one exists. Must be unique across all reports in your organization. Maximum 500 alphanumeric characters. | No
time_began        | ISO-8601 formatted incident time with timezone; for example, 2016-09-22T11:38:35+00:00. Default is current timezone. | No

Outputs

Path                      | Type   | Description
TruSTAR.Report.title      | string | Title of the report
TruSTAR.Report.reportBody | string | Body of the report
TruSTAR.Report.id         | string | ID of the report

Update Report

This command updates the specified TruSTAR Intel Report. You can specify either the TruSTAR Report ID or an external tracking ID, such as a Demisto incident number. This action can only specify one Intel Report per command.

Only the fields included in the action are updated; all other fields are left unchanged.

Format

trustar-update-report

Example

!trustar-update-report report_id=b11d4516-9935-4be7-9d6a-xxxxxxxx title="new title"

Inputs

Argument          | Description                                                                                              | Required
report_id         | TruSTAR Report ID or external tracking ID                                                                | Yes
title             | Title of the report                                                                                      | No
report-body       | Text content of the report                                                                               | No
distribution_type | Distribution type of the report. Legal values are COMMUNITY or ENCLAVE (the default).                    | No
enclave_ids       | Comma-separated list of Enclave IDs to search. If no argument is specified, the default is to search all enclaves to which you have Read access in TruSTAR. Mandatory if the distribution type is ENCLAVE. | No (mandatory if distribution_type is ENCLAVE)
external_url      | URL of the external report this one originated from, if one exists. Limit 500 alphanumeric characters. Must be unique across all reports for a given company. | No
time_began        | ISO-8601 formatted incident time with timezone, e.g. 2016-09-22T11:38:35+00:00. Default is current time. | No

Outputs

Path                      | Type   | Description
TruSTAR.Report.title      | string | Title of the report
TruSTAR.Report.reportBody | string | Body of the report
TruSTAR.Report.id         | string | ID of the report

Copy Report

This command copies an Intel Report from one Enclave to another.

Format

trustar-copy-report

Example

!trustar-copy-report report_id=xxxx.yyyyy.zzzzz dest_enclave_id=aaaaa.2222.bbbbb.33333

Inputs

Argument        | Description                                   | Required
report_id       | The ID of the Intel Report you want to copy   | Yes
dest_enclave_id | The ID of the destination Enclave             | Yes

Output

None

Move Report

This command moves an Intel Report from one Enclave to another.

Format

trustar-move-report

Example

!trustar-move-report report_id=xxxx.yyyyy.zzzzz dest_enclave_id=aaaaa.2222.bbbbb.33333

Inputs

Argument        | Description                                   | Required
report_id       | The ID of the Intel Report you want to move   | Yes
dest_enclave_id | The ID of the destination Enclave             | Yes

Output

None

Delete Report

In the TruSTAR App for Demisto, this command deletes the specified Intel Report. You can specify either the TruSTAR Report ID or an external tracking ID, such as a JIRA issue number.

Format

trustar-delete-report

Example

!trustar-delete-report report_id=b11d4516-9935-4be7-9d6a-xxxxxxx

Inputs

Argument  | Description                                                      | Required
report_id | Finds a report by its internal or external ID.                   | Yes
id_type   | Type of report ID. Legal values are EXTERNAL or INTERNAL (default). | No

Output

None

Get Indicators in Report

This command returns a list of Indicators extracted from the specified Intel Report. This command is limited to one Intel Report at a time.

Format

trustar-get-indicators-for-report

Example

!trustar-get-indicators-for-report report_id=xxxx.yyyyy.zzzzz

Inputs

Argument  | Description                                                          | Required
report_id | The ID of the Intel Report to get the indicators from.               | Yes
limit     | Limit of results to return. Maximum value is 1000. Default is 25.    | No

Outputs

Path                     | Type   | Description
TruSTAR.Indicators.type  | string | Indicator type
TruSTAR.Indicators.value | string | Indicator value
File.Name                | string | The full file name (including file extension)
<Indicator>              | string | Supported Indicators
DBotScore.Indicator      | string | The indicator we tested
DBotScore.Type           | string | The type of the indicator
DBotScore.Vendor         | string | Vendor used to calculate the score
DBotScore.Score          | number | The actual score
