What is a TruSTAR Report?
A TruSTAR Report is a body of structured and/or unstructured data that is uploaded and IOCs (indicators) are recognized and extracted to be correlated with internal and external enrichment. Incident reports are generated by users in the TruSTAR Station. Technically an incident report is a map-like data structure that contains both metadata about the report and the report contents.
You can view your reports in list view in the "Explore" page where each report will be previewed with Time Stamps, Report Title, Enclaves submitted, Tags, IOC Count, Notes, Correlations, Sector, and Content Preview (See Figure 1 below)
When you click on a report of interest you will be taken to the Analysis screen with link analysis visualization. To reduce distraction, our link analysis visualizations now have their own panel with updated controls. You can drill down on analyses, filter out irrelevant nodes, add notes or tags and adjust the timeline of correlations based on your requirements—all within a single panel. Users will be presented with the full JSON report content as well as graph visualization of correlations. (See Figure 2 below)
A report can be Exported, Followed, Updated, and Deleted in the drop down menu. (See Figure 3 below)
- Export Report: A report can be exported in various file types including: FireEye TAP, STIX, JSON, and TXT
- Followed: We know that if you are a user of TruSTAR you already have a dozen different sources of information you have to keep checking up on for updates. This is ineffective and prevents you from doing actual analysis work. On TruSTAR you can “follow” a report of interest and get regular updates when:
- A new report is submitted that correlates with the report you are following.
- New intelligence is gathered from external data sources that enriches the report you are following.
- Updated: Any report and it's details by selecting the "Update" option
- Deleted: Remove a report from TruSTAR by selecting the "Delete" option