User Guide: TruSTAR for Resilient
This document explains how to use the TruSTAR Workflow App for the IBM Resilient platform.
You can perform these actions with the TruSTAR Workflow App for IBM Resilient:
- Submit an Incident to TruSTAR.
- Update a TruSTAR Report whenever a new artifact is added or the Incident status has changed or when the incident is closed.
- Delete the TruSTAR Report when an Incident is deleted.
- Manage the whitelisting of Indicators in TruSTAR.
Whenever a Report is sent to TruSTAR, the Indicators for that report will be fetched and each of the Indicators is added as an artifact. In addition, a list of all correlated Indicators is added as a note with links back to each Indicator in TruSTAR.
In the configuration for the TruSTAR App, you can also set up automatic fetching of priority scores. Whenever a new artifact is added to any incident, the Threat Service can fetch its priority score from TruSTAR and update that information in the artifact’s hits section.
Submitting Incidents to TruSTAR
You can submit incidents to TruSTAR automatically or manually. Whichever method you use, a link to the TruSTAR Report is added as a note in the Resilient incident.
- If you have enabled auto_submission in the trustar_account_n section of the app.config file, a Report is automatically submitted whenever a new incident is created in Resilient.
- If you have disabled auto_submission in the app.config file, you must submit the incident to TruSTAR manually.
Manually Submitting an Incident to TruSTAR
There are two ways to submit an incident to TruSTAR:
- From the Incidents list
- While viewing a specific incident
Submitting from the Incident List
- While viewing the Incidents list, select the incident you want to report by clicking on the checkbox to the left of it.
- Click the Selected dropdown menu on the top right of the window.
- Click Send to TruSTAR to submit the incident and create a Report in TruSTAR.
Submitting While Viewing an Incident
- Navigate to an Incident on the List Incidents menu.
- Click Actions in the upper right corner to display the Actions menu.
- Click Send To TruSTAR on the Actions menu. This sends the incident to TruSTAR and creates a Report.
Updating or Closing a TruSTAR Report
A submitted Report can be updated automatically or manually whenever a new artifact is added or the status of the incident changes (including when the incident is closed).
- If you have enabled auto_submission in the trustar_account_n section of the app.config file, the Report is automatically updated whenever the incident is updated in Resilient.
- If you have disabled auto_submission in the app.config file, you must send the incident to TruSTAR again using the manual procedure described above; this updates the existing Report.
Deleting a Report
You can delete a Report in TruSTAR when the incident is deleted in Resilient.
- If you have enabled auto_submission in the trustar_account_n section of the app.config file, the Report is automatically deleted when the incident is deleted in Resilient.
- If you have disabled auto_submission in the app.config file, you must delete the Report in TruSTAR manually.
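The auto_submission setting referenced in the submission, update and deletion sections above lives in a per-account section of app.config. The fragment below is an added illustration, not a configuration file shipped with the TruSTAR Workflow App: the section naming follows the trustar_account_n pattern this guide uses, but the exact value syntax and the other keys the section requires (credentials, enclave IDs) are assumptions and are shown only as commented placeholders, so copy the real key names from your installed app's template.

```ini
; Added example, not the app's own template. Section names follow the
; trustar_account_n pattern from this guide; everything else is assumed.

[trustar_account_1]
; Account with automatic behaviour: new Resilient incidents are sent to
; TruSTAR as Reports, Reports are updated on incident changes and deleted
; when the incident is deleted.
auto_submission = true
; credential and enclave keys omitted here (assumed, see your app template)

[trustar_account_2]
; Account with manual behaviour: nothing is sent unless an analyst uses
; Send to TruSTAR, and Reports must be updated or deleted by hand in TruSTAR.
auto_submission = false
; credential and enclave keys omitted here (assumed, see your app template)
```

Keep auto_submission disabled for any account whose enclaves are shared with other organisations until you have confirmed which incident fields (listed under "Incident content submitted to TruSTAR" below) you are willing to publish automatically.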
Whitelisting in TruSTAR
This feature lets you whitelist an artifact in TruSTAR or remove an artifact from the TruSTAR whitelist.
- Navigate to an Incident listed on the List Incidents menu.
- Click Artifacts on the menu bar.
- Next to the artifact you want to edit, click the button to the left of it to display the whitelist choices, then select the action you want to execute.
Incident content submitted to TruSTAR
- Time of last report update
- Time when report was created
- Time that the incident began
- ID of enclaves in which report is submitted
- External ID of report
Notes
- It takes approximately 10-15 seconds to fetch data from TruSTAR and display it in Resilient.
- You need to refresh the page to view the data enrichment.
- Some indicators of URL type returned from TruSTAR are not accepted by Resilient as URL artifacts. As a workaround, the app provides an artifact type "URL String", which is assigned as the type for those indicators.