User Guide: TruSTAR for Resilient

Updated 2 weeks ago by Elvis Hovor

This document explains how to use the TruSTAR Workflow App for the IBM Resilient platform.

TruSTAR arms security teams with high-signal intelligence from sources such as internal historical data, open and closed intelligence feeds, and anonymized incident reports from TruSTAR's vetted community of enterprise members.

Features

You can perform these actions with the TruSTAR Workflow App for IBM Resilient:

  • Submit an Incident to TruSTAR as a report.
  • Update the TruSTAR report whenever a new artifact is added to the Incident or the Incident status changes.
  • Update the TruSTAR report when the Incident is closed.
  • Delete the TruSTAR report when the corresponding Incident is deleted.
  • Whitelist indicators in TruSTAR, or remove them from the whitelist.

Whenever a report is sent to TruSTAR, the correlated indicators for that report are fetched and each indicator is added to the incident as an artifact. In addition, a list of all correlated indicators is added as a note, with deeplinks to each indicator in TruSTAR.

In the configuration for the TruSTAR App, you can also set up automatic fetching of priority scores. Whenever a new artifact is added to any incident, the Threat Service can fetch its priority score from TruSTAR and update that information in the artifact’s hits section.

Submitting Incidents to TruSTAR

You can automate report submissions or manually submit reports to TruSTAR. The deeplink to the TruSTAR report is added as a note in the Resilient incident.

You can submit incidents automatically or manually:

  • If you have enabled auto_submission in the trustar_account_n section of the app.config file, then a report is submitted automatically when a new incident is created in Resilient.
  • If you have disabled auto_submission in the app.config file, then you need to manually submit a report of the incident to TruSTAR.

Manually Submitting a Report

There are two ways to submit a report to TruSTAR:

  • From the Incidents list
  • While viewing a specific incident

Submitting from the Incident List

  1. While viewing the Incidents list, select the incident you want to report by clicking the checkbox to the left of it.
  2. Click the Selected dropdown menu at the top right of the window.
     [Figure: Resilient_UserGuide_Figure1]
  3. Click Send to TruSTAR to submit the report.

Submitting While Viewing an Incident

  1. Navigate to an Incident from the List Incidents menu.
  2. Click Actions in the upper right corner to display the Actions menu.
  3. Click Send To TruSTAR on the Actions menu.

Updating a Report

You can automatically or manually update a submitted report whenever a new artifact is added or if the status of the incident has changed.

You can update incidents automatically or manually:

  • If you have enabled auto_submission in the trustar_account_n section of the app.config file, then the report is updated automatically when the incident is updated in Resilient.
  • If you have disabled auto_submission in the app.config file, then you need to manually resubmit the incident to TruSTAR using the Send to TruSTAR procedure described above.

Closing Incidents in TruSTAR

When an Incident is closed in Resilient, you can add the resolution and resolution summary as well as all notes in the Incident to the corresponding report in TruSTAR.

You can update closed incidents automatically or manually:

  • If you have enabled auto_submission in the trustar_account_n section of the app.config file, then the report is updated automatically when the incident is closed in Resilient.
  • If you have disabled auto_submission in the app.config file, then you need to manually resubmit the incident to TruSTAR using the Send to TruSTAR procedure described above.

Deleting a Report

You can delete a report in TruSTAR when the incident is deleted in Resilient.

  • If you have enabled auto_submission in the trustar_account_n section of the app.config file, then the report is deleted automatically when the incident is deleted in Resilient.
  • If you have disabled auto_submission in the app.config file, then you need to manually delete the report in TruSTAR.

Whitelisting in TruSTAR

This feature lets you whitelist an artifact in TruSTAR, or remove a previously whitelisted artifact from the TruSTAR whitelist.

  1. Navigate to an Incident from the List Incidents menu.
  2. Click Artifacts on the menu bar.
  3. Click the button to the left of the artifact you want to edit to display the whitelist choices, and select the one you want to execute.
     [Figure: Resilient_UserGuide_Figure3]

Report Format

Reports sent to TruSTAR use JSON (JavaScript Object Notation) format, with the keys shown in the table below.

Key                  Value
-------------------  ---------------------------------------------------
reportBody           Incident content submitted to TruSTAR
updated              Time of the last report update
externalUrl          None
created              Time when the report was created
distributionType     ENCLAVE
title                Report title
timeBegan            Time that the incident began
id                   Report ID
enclaveIds           IDs of the enclaves in which the report is submitted
externalTrackingId   External ID of the report

Known Limitations

  • It takes approximately 10-15 seconds to fetch data from TruSTAR and display it in Resilient.
  • You need to refresh the page to view the data enrichment.
  • Some indicators of URL type returned from TruSTAR are not accepted by Resilient as URL artifacts. As a workaround, the app defines an artifact type "URL String", which is assigned to those indicators.
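The following is an added example, not code from the TruSTAR Workflow App, showing how the report described in Report Format is assembled from a Resilient incident and how correlated indicators are mapped to Resilient artifacts with the "URL String" fallback from Known Limitations. The incident and indicator dicts are constructed sample data, the TruSTAR-to-Resilient type mapping and the URL validity check are assumptions for the example, and the helper names are hypothetical; id, created and updated are set by TruSTAR on submission, so they are not built here.

```python
import json
from urllib.parse import urlsplit

DISTRIBUTION_TYPE = "ENCLAVE"       # value the guide lists for distributionType

# TruSTAR indicator type -> Resilient artifact type. Assumed mapping for this
# example; the app's own mapping is not documented on the page.
ARTIFACT_TYPES = {
    "IP": "IP Address",
    "DOMAIN": "DNS Name",
    "MD5": "Malware MD5 Hash",
    "SHA1": "Malware SHA-1 Hash",
    "SHA256": "Malware SHA-256 Hash",
    "EMAIL_ADDRESS": "Email Sender",
    "URL": "URL",
}
FALLBACK_URL_TYPE = "URL String"    # workaround type from Known Limitations


def resilient_accepts_url(value):
    """Assumed stand-in for Resilient's URL artifact validation: require a
    scheme and a host. Anything else goes under the "URL String" type."""
    parts = urlsplit(value)
    return bool(parts.scheme and parts.netloc)


def indicator_to_artifact(indicator):
    """Turn one correlated TruSTAR indicator ({"indicatorType", "value"})
    into a Resilient artifact dict, using the fallback type for URLs that
    Resilient would reject."""
    itype, value = indicator["indicatorType"], indicator["value"]
    if itype == "URL" and not resilient_accepts_url(value):
        return {"type": FALLBACK_URL_TYPE, "value": value}
    return {"type": ARTIFACT_TYPES.get(itype, "String"), "value": value}


def build_report_body(incident):
    """Flatten the incident parts the guide says are sent: description and
    artifacts, plus resolution, resolution summary and notes once closed."""
    lines = [incident.get("description") or "", "Artifacts:"]
    for art in incident.get("artifacts", []):
        lines.append("  {type}: {value}".format(**art))
    if incident.get("plan_status") == "C":   # "C" is Resilient's closed status
        lines.append("Resolution: %s" % incident.get("resolution_id", ""))
        lines.append("Resolution summary: %s" % incident.get("resolution_summary", ""))
        lines.append("Notes:")
        lines.extend("  - " + note["text"] for note in incident.get("notes", []))
    return "\n".join(lines)


def build_report(incident, enclave_ids):
    """Return the JSON-ready report dict with the keys from the Report Format
    table. externalUrl is None, as the table lists it."""
    return {
        "title": "Resilient Incident %d: %s" % (incident["id"], incident["name"]),
        "reportBody": build_report_body(incident),
        "timeBegan": incident["discovered_date"],   # epoch ms, as Resilient stores it
        "distributionType": DISTRIBUTION_TYPE,
        "enclaveIds": list(enclave_ids),
        "externalTrackingId": str(incident["id"]),  # ties the report back to the incident
        "externalUrl": None,
    }


SAMPLE_INCIDENT = {   # constructed sample in Resilient REST API shape, not real data
    "id": 2095,
    "name": "Phishing email with credential-harvesting link",
    "description": "User reported a phishing email.",
    "discovered_date": 1561370400000,
    "plan_status": "C",
    "resolution_id": "Resolved",
    "resolution_summary": "Link blocked at proxy, mailbox purged.",
    "artifacts": [{"type": "IP Address", "value": "198.51.100.23"},
                  {"type": "DNS Name", "value": "login.example.net"}],
    "notes": [{"text": "Proxy logs show no clicks."}],
}

SAMPLE_INDICATORS = [  # constructed, as if returned by the correlated-indicator lookup
    {"indicatorType": "IP", "value": "198.51.100.23"},
    {"indicatorType": "URL", "value": "https://login.example.net/auth"},
    {"indicatorType": "URL", "value": "login.example.net/auth?id=1"},  # no scheme
]

if __name__ == "__main__":
    enclave = ["00000000-0000-0000-0000-000000000000"]   # placeholder enclave ID
    print(json.dumps(build_report(SAMPLE_INCIDENT, enclave), indent=2))
    for ind in SAMPLE_INDICATORS:
        print(indicator_to_artifact(ind))
```

Run stand-alone it prints the report JSON and then the three artifacts; the third indicator lands on "URL String" because it has no scheme, while the second maps to a normal URL artifact.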

