SecureWorks: Send Indicators to TruSTAR
This script extracts Indicators from the SecureWorks blacklist and writes them to TruSTAR as Intelligence Reports. Each new Report contains the Indicator, time began, and tags that contain any additional context from SecureWorks.
Activating This Script
Contact your TruSTAR account manager and provide the following information:
- Destination Enclave ID(s)
- Frequency of script execution. The default is every 24 hours but you can request a different time interval to meet your organization's needs.
After you have provided the information, your account manager will configure the feature and then email you with confirmation that the script has been enabled.
How It Works
- Parses the SecureWorks blacklist for Indicators added since the script was last run.
- Imports each Indicator into TruSTAR as a separate Intelligence Report, including the "time began" field.
- Adds report tags if SecureWorks provides any additional information inside brackets in the original blacklist entry.
Any issues or questions about this script, contact firstname.lastname@example.org.