Overview: Intelligence Reports
A TruSTAR Intelligence Report is a body of structured and/or unstructured data that is uploaded to TruSTAR, where it is stored in a specific enclave. Any Indicators in the report are extracted and enriched with information from internal and external intelligence sources.
The Reports panel is where you work with reports in the TruSTAR Web App. You access the Reports panel by clicking the Reports icon in the Navigation Bar.
The Reports panel has two views, each with a separate purpose:
- List View: Displays a list of reports that match the current filters you have set. This is the default view for reports. You can always return to the list by clicking on the Reports icon in the Navigation Bar.
- Graph View: Provides a detailed look at a selected report. To see a report in Graph view, click on the highlighted title of the Indicator in List View.
There are four ways to get started with adding data to your enclaves:
- Enclave Inbox: Forward suspicious emails to TruSTAR to get added enrichment.
- Google Chrome Extension: Query or submit suspicious Observables to TruSTAR.
- Slack App: Instantly query intelligence sources and submit data to TruSTAR.
- Manual Ingest: Submit any file format directly in TruSTAR Station.
- API / Python SDK-1: Write code to extract your intel from its storage location, transform it into a TruSTAR Report object, then load it into a TruSTAR enclave through the submit-report 1.3 API.
Some TruSTAR Enterprise customers have access to application integrations that submit detections / investigations to enclaves as reports:
- TruSTAR Unified App for Splunk Enterprise and ES
- TruSTAR App for ServiceNow
- TruSTAR App for Demisto (XSOAR)
- TruSTAR App for Splunk SOAR (formerly Phantom)
- TruSTAR<>MISP integration
The following topics explain how to work with reports in the TruSTAR Web App: