A TruSTAR Report is a body of structured and/or unstructured data that is uploaded to TruSTAR; IOCs (indicators) are recognized and extracted from it and correlated against internal and external enrichment sources. Incident reports are created by users in TruSTAR Station. Technically, an incident report is a map-like data structure that contains both metadata about the report and the report contents.
You can view your reports in list view on the Reports page, where each report is previewed with its Time Stamps, Report Title, Enclaves submitted, Tags, IOC Count, Notes, Correlations, and Content Preview.
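The following is an added example, not TruSTAR's own schema or IOC-extraction engine: it shows the map-like shape described above (metadata alongside the raw contents) and a simple recognizer that pulls indicators out of an unstructured body so the list-view fields such as IOC Count can be filled. The field names, indicator type labels, enclave id and all sample indicators are constructed placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed sample body, as an analyst might paste it; indicators are placeholders.
SAMPLE_BODY = """Phishing email received 2024-03-01 from sender@example.com.
Link pointed to hxxp://malicious-example[.]test/login and the attached
invoice.exe had SHA-256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
Callback observed to 203.0.113.45 on port 443."""

# Hypothetical recognizer patterns; type labels are assumptions, not TruSTAR's.
IOC_PATTERNS = {
    "SHA256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "EMAIL_ADDRESS": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "URL": re.compile(r"\bhxxps?://\S+|\bhttps?://\S+", re.IGNORECASE),
}

def refang(value: str) -> str:
    """Normalize defanged notation (hxxp, [.]) so identical IOCs correlate."""
    return re.sub(r"^hxxp", "http", value.replace("[.]", "."), flags=re.IGNORECASE)

def extract_iocs(body: str) -> list[dict]:
    """Recognize indicators in free text; returns deduplicated {type, value} entries."""
    seen, iocs = set(), []
    for ioc_type, pattern in IOC_PATTERNS.items():
        for match in pattern.findall(body):
            value = refang(match).rstrip(".,;)")  # drop trailing punctuation
            if (ioc_type, value) not in seen:
                seen.add((ioc_type, value))
                iocs.append({"type": ioc_type, "value": value})
    return iocs

def build_report(title: str, body: str, enclave_ids: list[str], tags: list[str]) -> dict:
    """Map-like report: metadata fields alongside the raw contents and extracted IOCs."""
    iocs = extract_iocs(body)
    return {
        "title": title,                # metadata shown in the list view
        "enclaveIds": enclave_ids,
        "tags": tags,
        "created": datetime.now(timezone.utc).isoformat(),
        "reportBody": body,            # the report contents themselves
        "indicators": iocs,
        "iocCount": len(iocs),
    }

if __name__ == "__main__":
    report = build_report("Phishing incident", SAMPLE_BODY, ["enclave-placeholder"], ["phishing"])
    print(report["iocCount"], [i["value"] for i in report["indicators"]])
```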
Using the Constellation Screen
Clicking a report of interest opens the Constellation screen, which presents a link-analysis visualization. To reduce distraction, each link-analysis visualization has its own panel with updated controls.
You can drill down into analyses, filter out irrelevant nodes, add notes or tags, and adjust the timeline of correlations to suit your requirements, all within a single panel. You can view the full JSON report content as well as a graph visualization of the correlations.
A report can be exported in various file types, including FireEye TAP, STIX, JSON, and TXT.
Adding Data to Reports
Here are four easy ways to get started adding data to your enclaves and reports:
- Enclave Inbox - Forward suspicious phishing emails or Trust Group OSINT data into TruSTAR to get added enrichment.
- Google Chrome Extension - Highlight suspicious indicators in your browser to query whether matching IOCs exist in TruSTAR. Highlight and right-click to submit data into TruSTAR.
- Slack App - Instantly query intelligence sources and submit data to TruSTAR to enrich investigations taking place in Slack conversations.
- Manual Ingest - Upload any file format directly via the platform.