Creating an Indicator Prioritization Intel Workflow

Updated 2 months ago by TruSTAR

This article explains how to create a specific kind of Intel Workflow, the Indicator Prioritization Workflow. The purpose of this Intel Workflow is to filter and transform Indicators into a high-fidelity data set that you can then use with third-party tools or other integrations in your cybersecurity environment.

You must be a Company Administrator in TruSTAR to create an Intel Workflow.

Creating the Workflow

To create this Intel Workflow, you specify the details, the sources, the transformations you want to apply, and the destinations where you want to store the final data set.

  1. Click the Workflows icon in the left Navigation bar. This opens the Workflows main screen.
  2. Click Create Workflow.
  3. On the Details screen, enter the name of the workflow you want to create.
     You cannot edit the Intel Workflow name after finishing the creation process.
  4. Click Select Sources to move to the next screen.

Selecting Sources

The Sources screen displays the list of intelligence sources that your organization has subscribed to. If the list is long, you can use the search bar to locate a specific source you want to use.

  1. To choose a source, click the checkbox to the left of the source name.
  2. To change the default weight of a source, use the pull-down menu for that source in the Weight column. The scale is 1 to 5, with 5 being the highest possible weighting.
     Details: Each source you select can be weighted to provide more customization in the transformation stage. For example, you may know from past experience that one source is very closely aligned to the malicious Indicators you've seen in past cybersecurity events, so you may want to give that source a higher weighting than a source you just started using.
  3. Click Select Transformations to move to the next screen.

Choosing Transformations

You can now choose which transformations you want to make to the data sources you selected. You can filter the data set by scores, Indicator Types, or Safelists.

  1. To filter the data set by scores, click the checkboxes for the scores you want to use. The default is Medium + High.
  2. Next, deselect the Indicator Types you do not want to use in this Workflow. The default is to use all Indicator Types supported by TruSTAR.
  3. Select the safelist(s) you want to use with this workflow. Safelists ensure that Indicators containing specific terms or phrases are removed by the workflow. Related Link: Working with Safelist Libraries
  4. Click Select Destination to move to the next screen.
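
The three filters above can be modelled locally to predict what a workflow should keep before you review its output. This is an added example, not TruSTAR code: the field names, score and type labels, filter order, and case-insensitive substring matching for safelist terms are assumptions, and source weights are not modelled because this article does not say how they are applied.

```python
from dataclasses import dataclass

# Field names and label values are assumptions for this sketch,
# not TruSTAR's schema or API.
@dataclass(frozen=True)
class Indicator:
    value: str
    type: str    # assumed labels such as "IP", "URL", "EMAIL_ADDRESS"
    score: str   # assumed labels "LOW", "MEDIUM", "HIGH"
    source: str

def apply_transformations(indicators, scores, excluded_types, safelist_terms):
    """Return (kept, dropped); dropped pairs each Indicator with the filter that removed it."""
    # Skip blank safelist entries: an empty term is a substring of every
    # value and would silently empty the whole data set.
    terms = [t.strip().lower() for t in safelist_terms if t.strip()]
    kept, dropped = [], []
    for ind in indicators:
        if ind.score.upper() not in scores:
            dropped.append((ind, "score"))
        elif ind.type in excluded_types:
            dropped.append((ind, "type"))
        elif any(t in ind.value.lower() for t in terms):
            dropped.append((ind, "safelist"))
        else:
            kept.append(ind)
    return kept, dropped

# Constructed sample data (documentation-reserved addresses and domains).
SAMPLE = [
    Indicator("198.51.100.23", "IP", "HIGH", "feed-a"),
    Indicator("http://login.example.com/reset", "URL", "HIGH", "feed-a"),
    Indicator("203.0.113.9", "IP", "LOW", "feed-b"),
    Indicator("user@mail.example.net", "EMAIL_ADDRESS", "MEDIUM", "feed-b"),
    Indicator("http://files.example.org/a.bin", "URL", "MEDIUM", "feed-b"),
]

def run_sample():
    # Mirrors the defaults described above: Medium + High scores, with one
    # Indicator Type deselected and one safelist term (plus a blank entry).
    return apply_transformations(
        SAMPLE,
        scores={"MEDIUM", "HIGH"},
        excluded_types={"EMAIL_ADDRESS"},
        safelist_terms=["Example.COM", "  "],
    )

if __name__ == "__main__":
    kept, dropped = run_sample()
    for ind in kept:
        print("keep", ind.value)
    for ind, reason in dropped:
        print("drop", ind.value, "(" + reason + ")")
```

Recording the reason for each dropped Indicator makes it easier to tell whether a safelist term is broader than intended.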

Choosing Destinations

The Destinations screen is where you specify what you want to do with the data set you are creating. Your choices are to send the data to a third-party tool using a TruSTAR Workflow App or to store the data set in a TruSTAR Enclave.

  1. Click the destination where you want to send the new data set created by this Intel Workflow.
     • A third-party application that you will connect to TruSTAR using a TruSTAR Workflow App.
       To send the data to a third-party tool, you must set up the TruSTAR Workflow App for that tool before the tool can receive data from the Intel Workflow.
     • A new Enclave. You can then view the contents of the Enclave to check that the results are useful. Once you have the data set of the correct content and quality, you can edit the Intel Workflow to redirect the Destination to a third-party application.
  2. Click Create Workflow to save your workflow. TruSTAR displays a popup window that shows the Destination, Enclave ID, and API credentials for this workflow.
  3. Click Close to close the confirmation popup or click Run in Postman to see the data set created by this Intel Workflow.

