Phantom Cyber

by Elvis Hovor

Introduction

TruSTAR is a threat intelligence platform designed to accelerate the incident analysis process and the exchange of intelligence among internal and external teams. This document describes the Phantom App that leverages TruSTAR’s capabilities and provides a step-by-step guide to installing, setting up and troubleshooting the TruSTAR App for Phantom.

This App allows users to utilize the context of TruSTAR’s IOCs and incidents within Phantom orchestration playbooks. TruSTAR arms security teams with high-signal intelligence from sources such as internal historical data, open and closed intelligence feeds, and anonymized incident reports from TruSTAR’s vetted community of enterprise members.

Workflow Illustration

Direct Installation

The certified TruSTAR app is available for direct download through the Phantom app store. We recommend directly downloading from the Phantom app store and installing the TruSTAR app.

Manual Installation

The following bundle is required for a successful manual install of the TruSTAR app. Please contact support@trustar.co to get the app bundle.

#   Bundle Name    Description
1   trustar.tgz    This bundle contains all the supported TruSTAR actions for Phantom.

After you have the trustar.tgz file, follow these steps:

  1. Click on the Home dropdown list in the top left.
  2. Select Apps. Then click Install App.
  3. Select the trustar.tgz file and upload it.
  4. Click on Unconfigured Apps and search for TruSTAR.
  5. Click on Configure New Asset.
  6. Follow the rest of the directions in the App Configuration section of this manual.

App Configuration

  1. Fill out the Asset Info tab with the relevant details.
  2. Next, click on the Asset Settings tab.
    1. URL - https://api.trustar.co
    2. OAuth client ID - This is the API Credential available here: https://station.trustar.co/settings/api
    3. OAuth client secret key - This is the API Secret available here: https://station.trustar.co/settings/api
    4. Enclave IDs - Enter all the enclave IDs that you would like to submit reports to or issue hunt actions against. These are available here: https://station.trustar.co/settings/api
    5. Click the TEST CONNECTIVITY button. If connectivity fails, recheck the credentials.
  3. Click the SAVE button to save the configuration details. Then click on the Ingest Settings tab, change settings if required, and click SAVE if you changed any settings.

Supported Actions

Action Name             Action Type    Description
submit report           generic        Submit a report to TruSTAR
get report              generic        Get report details, including report data and submission metadata
hunt bitcoin address    investigate    Get report IDs associated with a bitcoin address
hunt registry key       investigate    Get report IDs associated with a registry key
hunt malware            investigate    Get report IDs associated with a malware name
hunt cve                investigate    Get report IDs associated with a CVE ID
hunt email              investigate    Get report IDs associated with an email address
hunt file               investigate    Get report IDs associated with a file name
hunt url                investigate    Get report IDs associated with a URL
hunt ip                 investigate    Get report IDs associated with an IP address (v4 and v6)
test connectivity       n/a            Validate the credentials provided for connectivity
on poll                 n/a            Ingest the latest indicators

Launch Action

You can launch the different TruSTAR actions by clicking on Sources -> Events or Sources -> Intelligence. Once you have configured the source you will see the Action button; click on it.

Select the appropriate Action from the list. See the table in the Supported Actions section for the Action Type under which each action is located.

For example, if you want to submit a report you would select Action Type: Generic, Action: Submit Report, and Asset: TruSTAR.

For other actions you can check details in the Supported Actions section.

Pre-configured Playbook

We have developed a sample playbook that uses some of the TruSTAR actions to achieve a specific goal. This playbook is a sample of what’s possible using the base actions.

Playbook Objective: The user submits a report and receives the TruSTAR Report ID, the number of IOCs extracted and the number of correlations with other reports.

Sequence of Actions: This playbook is made up of two of the actions listed above. submit report is called first and returns the TruSTAR Report GUID as one of its parameters. get report is then called with that GUID, and the correlation count for the report is extracted from the response.

Playbook Output:

  • TruSTAR Report GUID
  • (Optional - only if provided by user in first Action) User Provided UID
  • Extracted IOCs
  • Correlation Count
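The following Python example is added here to illustrate two things this manual describes, and is not the TruSTAR app's own code: picking the right "hunt ..." action for an indicator from the Supported Actions table, and the sample playbook's sequence of submit report, then get report by GUID, then pulling out the IOC and correlation counts. The TruSTAR API is not called; the client is a stand-in with constructed data, and the response field names (reportId, indicators, correlationCount, externalId), the enclave ID and the sample report text are assumptions made for the example. Malware names and file names cannot be recognised from syntax, so hunt malware and hunt file are never chosen automatically.

```python
"""Added illustration, not TruSTAR's code: route indicators to hunt actions and
run the sample playbook (submit report -> get report -> counts) against a
stand-in client with constructed data. Field names are assumptions."""
import ipaddress
import re
import uuid

# Patterns for indicator types recognisable from syntax alone.
_CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
_URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_REGKEY_RE = re.compile(r"^(HKEY_[A-Z_]+|HKLM|HKCU|HKCR|HKU|HKCC)\\", re.IGNORECASE)
_BTC_RE = re.compile(r"^(bc1[ac-hj-np-z02-9]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$")


def classify_indicator(value):
    """Return the TruSTAR hunt action name for one indicator, or None if unknown."""
    try:
        ipaddress.ip_address(value)      # accepts both IPv4 and IPv6
        return "hunt ip"
    except ValueError:
        pass
    if _CVE_RE.match(value):
        return "hunt cve"
    if _URL_RE.match(value):
        return "hunt url"
    if _EMAIL_RE.match(value):
        return "hunt email"
    if _REGKEY_RE.match(value):
        return "hunt registry key"
    if _BTC_RE.match(value):             # checked last: it is the loosest pattern
        return "hunt bitcoin address"
    return None


def extract_indicators(text):
    """Whitespace-tokenise report text and keep tokens that classify as indicators."""
    found = []
    for token in text.split():
        token = token.strip(".,;:()[]<>\"'")
        if token and classify_indicator(token) is not None:
            found.append(token)
    return found


class StandInTruSTAR:
    """Stand-in for the 'submit report' and 'get report' actions (constructed data).

    prior_index maps an indicator to the set of earlier report IDs containing it;
    the correlation count is the number of distinct earlier reports hit.
    """

    def __init__(self, prior_index):
        self._prior_index = prior_index
        self._reports = {}

    def submit_report(self, title, body, enclave_ids, external_id=None):
        if not enclave_ids:
            raise ValueError("at least one enclave ID is required to submit a report")
        report_id = str(uuid.uuid5(uuid.NAMESPACE_URL, title))  # deterministic GUID
        indicators = extract_indicators(body)
        correlated = set()
        for ind in indicators:
            correlated |= self._prior_index.get(ind, set())
        self._reports[report_id] = {
            "reportId": report_id,            # assumed field names
            "indicators": indicators,
            "correlationCount": len(correlated),
            "externalId": external_id,
        }
        return {"reportId": report_id}

    def get_report(self, report_id):
        if report_id not in self._reports:
            raise KeyError("unknown report GUID: %s" % report_id)
        return dict(self._reports[report_id])


def run_playbook(client, title, body, enclave_ids, user_uid=None):
    """Sample playbook: submit, then fetch by GUID and extract the counts."""
    report_guid = client.submit_report(title, body, enclave_ids, external_id=user_uid)["reportId"]
    details = client.get_report(report_guid)
    output = {
        "report_guid": report_guid,
        "extracted_iocs": len(details.get("indicators", [])),
        "correlation_count": int(details.get("correlationCount", 0)),
    }
    if user_uid is not None:                 # optional output, only if the user supplied one
        output["user_provided_uid"] = details.get("externalId") or user_uid
    return output


# Constructed sample data for a stand-alone run (placeholder CVE, RFC 5737/2606 values).
SAMPLE_BODY = ("Host contacted 192.0.2.10 and https://example.invalid/path; "
               "advisory CVE-2099-99999 (placeholder, not a real CVE) referenced; "
               "notification sent to alice@example.com.")
SAMPLE_PRIOR_INDEX = {"192.0.2.10": {"prior-A", "prior-B"}, "CVE-2099-99999": {"prior-B"}}

if __name__ == "__main__":
    client = StandInTruSTAR(SAMPLE_PRIOR_INDEX)
    print(run_playbook(client, "Example incident", SAMPLE_BODY, ["enclave-placeholder"], user_uid="TICKET-1234"))
```

The bitcoin pattern is deliberately checked last because it is the loosest; anything that already matched a stricter type never reaches it. The user-provided UID appears in the output only when one was passed to the first action, matching the "Optional" output listed above.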

Troubleshooting

Please reach out to support@trustar.co for any additional questions.
