Requirements for Integrations
When you are writing an integration between your tool and the TruSTAR platform, you must include a way to specify certain information:
- Account settings: Required to ensure the user has a valid TruSTAR account.
- Enclave Settings: For each type of Enclave your integration is using, you must provide a way to specify Enclave IDs.
- Proxy Settings: If your integration will go through a proxy server to reach the internet, you must provide a way to specify those settings.
Your integration must provide a way for the user to enter three pieces of information:
- The TruSTAR API URL. You can hardcode this to https://api.trustar.co
- The user's TruSTAR API Key.
- The user's TruSTAR API Secret.
Here's a sample user interface showing that information.
Depending on your integration, you can specify any number of Enclaves.
Your integration must specify the location of one or more Enclaves where Reports or Indicators will be stored in TruSTAR. TruSTAR recommends naming this field Submission Enclave IDs.
Here is one example of how that user interface might look, showing the required Submission Enclave IDs field and the optional Enrichment Enclave IDs field.
Note that when a user can specify multiple Enclave IDs, they must separate the Enclave IDs with commas and no spaces.
Related Link: Finding Enclave IDs
You can also provide checkboxes that let the user choose to automatically submit Reports and/or Observables to TruSTAR.
Depending on the integration you are building, you may need to provide fields for additional Enclaves.
If your integration will enrich Observables in an event or report, you need to specify which Enclaves can be used for that enrichment. TruSTAR recommends naming this field Enrichment Enclave IDs.
You can also choose to offer an option to automatically enrich Observables when they are submitted to TruSTAR. TruSTAR recommends providing a checkbox for automatic submission of Observables.
If your integration allows the user to share Observables or Reports with other Enclaves, you will need to provide one or more Enclave IDs where the items can be moved or copied to in TruSTAR. TruSTAR recommends naming this field Destination Enclave IDs.
When sharing reports, you can offer the user the option to redact information from the reports using the Company Safelist stored in TruSTAR. In most cases, this can be a checkbox, similar to what is shown here.
<graphic - checkbox to activate redaction>
You can specify one or more Enclave IDs to search for Observables. TruSTAR suggests naming this field Search Enclave IDs. If no Enclave IDs are specified, the commands will search all Enclaves that the user has access to in TruSTAR.
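The account and Enclave ID rules above, written as a settings validator an integration could run when the user saves the form. This is an added example, not TruSTAR code; the form keys, function names and sample Enclave IDs are assumptions made for illustration.

```python
API_URL = "https://api.trustar.co"  # the page allows hardcoding this value

# Hypothetical form keys, named after the recommended field labels.
# True marks a field the user must fill in.
ENCLAVE_FIELDS = {
    "submission_enclave_ids": True,
    "enrichment_enclave_ids": False,
    "destination_enclave_ids": False,
    "search_enclave_ids": False,  # empty list = search all accessible Enclaves
}


class SettingsError(ValueError):
    """Raised when the user's input breaks one of the stated requirements."""


def parse_enclave_ids(raw, field_name, required=False):
    """Split one Enclave ID field: commas between IDs, no spaces."""
    if not raw:
        if required:
            raise SettingsError(f"{field_name}: at least one Enclave ID is required")
        return []
    if any(ch.isspace() for ch in raw):
        raise SettingsError(f"{field_name}: use commas and no spaces")
    ids = raw.split(",")
    if "" in ids:
        raise SettingsError(f"{field_name}: empty entry (stray comma)")
    return list(dict.fromkeys(ids))  # drop duplicates, keep the user's order


def validate_settings(form):
    """Return normalized settings or raise SettingsError on the first problem."""
    for key in ("api_key", "api_secret"):
        if not form.get(key):
            raise SettingsError(f"{key} is required")
    settings = {"api_url": API_URL, "api_key": form["api_key"],
                "api_secret": form["api_secret"]}
    for name, required in ENCLAVE_FIELDS.items():
        settings[name] = parse_enclave_ids(form.get(name), name, required)
    return settings


def redacted(settings):
    """Copy that is safe to log: the API secret is masked."""
    return {**settings, "api_secret": "***"}


# Constructed sample input; the IDs are placeholders, not real Enclave IDs.
SAMPLE = {"api_key": "example-key", "api_secret": "example-secret",
          "submission_enclave_ids": "enclave-a,enclave-b,enclave-a"}
```

Rejecting input that contains spaces, rather than silently trimming it, shows the user exactly the format the field expects.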
Phishing Triage Enclaves
When using the Phishing Triage workflow, you can set up this functionality within your integration:
- Activate the Phishing Triage functionality. TruSTAR recommends naming this field Activate Phishing Triage.
- Specify Phishing Enclave IDs:
  - The Enclave where all phishing emails are submitted to the Phishing Triage workflow. TruSTAR recommends naming this field Phishing Triage Enclave IDs.
  - The Enclave where you store the Indicators that have passed through the Phishing Triage workflow and have been deemed malicious. TruSTAR recommends naming this field Phishing Triage Vetted Indicators Enclave IDs.
Here's a sample user interface to collect proxy information if the app you are building will use a proxy server to reach the Internet.