With the new and improved submission workflow, we have made architectural changes that decouple the very high-throughput, sensitive data submission operation from the core, compute-intensive component that performs extraction and normalization. This critical architectural change has made data submissions more robust, resilient and performant, and has also removed friction from enhancing and evolving capabilities such as observable extraction and normalization, and from sharing, copying, redacting or moving submissions, all of which are critical to an analyst's daily workflow.
Reports can be submitted through the Front End, by email, or through the TruSTAR API. Regardless of how the data is ingested, all indicators are automatically correlated and visible in Station.
Click on the "Submit" button in the top right of the interface and select "Report" from the drop-down.
There are two ways to input data. The first is to drag and drop a file into the Upload File field. Supported file types include JSON, DOC, DOCX, XML, XLS, XLSX, EML, MSG, CSV, PDF, STIX, TAXII and TEXT files.
Incident Began is populated with the current date and time by default, but clicking in the field allows the user to set the date. If the date the incident began is unknown, check the box above the date field.
Before submitting a report, tags can be added in the tags field.
The second way to input incident report data is to click on the Paste Text tab and either paste data or type the report directly into the field.
Once the key information has been added, click Next in the bottom center of the page.
On the review page, a natural language processing tool will scan the document and provide a count of possible items to redact on the right.
Report data can be reviewed in the Original Content window. Hovering over one of those items brings up a "Redact as..." button (1) that can be clicked to redact the item. Any item that has been redacted is shown in red, and hovering over it shows the original data that was redacted (2).
There are two additional methods for redacting sensitive data in a report and both rely on the redaction library panel on the right.
- A user can highlight text in the Original Content window then click on the Redact Selected Text button on the right.
- Users can also manually add redaction items by submitting a text or CSV file for a bulk upload of terms under settings, or by selecting one of the headings and typing in the terms that should be redacted.
All items are permanently stored in the user’s redaction library and will be automatically redacted in future reports to save time. If there is ever a need to review redacted items, they can be exported via the Export button on the right.
When viewing a report, users can edit the current report by navigating to the drop-down in the top right of the report panel and selecting 'Update Report'.
Users can then edit the Report Title, Incident Began timestamp, Tags, Report Body, Enclave, and Redaction of the report.
A common workflow for an analyst is to share an existing submission into a shared community enclave, typically to share intel across teams or with sharing members. Previously, this was done either by manual copy and paste or by making the current submission visible to the shared enclave. With this update, TruSTAR provides an explicit copy operation that makes sharing intel fast and easy. Note that the tags on the report are copied over along with the submission. A copy endpoint is also available on our Public API to help automate this operation for multiple submissions.
Copy & Redact Report
Most of the time, intel must be redacted before it is shared with the community. Within the copy workflow, there is an option to modify and redact the submission that is being copied. This is also the place where tags can be added or removed. A copy-and-redact endpoint is also available on our Public API to help automate this operation for multiple submissions.
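The redaction library described above (terms added by hand, by highlighting text, or by bulk text/CSV upload, then applied automatically to every future report) and the copy-and-redact step that runs before a submission is shared can be modelled locally. The following is an added example, not TruSTAR's own code or API: the library format, the longest-term-first matching rule, and the shape of the copy request (endpoint path and field names) are assumptions, and the report text and term list are constructed sample data.

```python
"""Added example (not TruSTAR's code): a local redaction library that is applied
to a report body before the submission is copied into a shared enclave.

Assumptions not taken from the page: terms are matched case-insensitively on
word boundaries, longest term first; bulk uploads are one term per row; and
the request dict at the bottom is a placeholder, not the real Public API schema.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass, field


@dataclass
class RedactionLibrary:
    # term -> heading the term was filed under (a label only, e.g. "hostnames")
    terms: dict[str, str] = field(default_factory=dict)

    def add(self, term: str, heading: str = "custom") -> None:
        term = term.strip()
        if term:
            self.terms[term] = heading

    def bulk_upload(self, csv_text: str, heading: str = "bulk") -> int:
        """Load terms from a text/CSV upload: first column of each row,
        skipping blank rows and '#' comment rows. Returns the number added."""
        added = 0
        for row in csv.reader(io.StringIO(csv_text)):
            if row and row[0].strip() and not row[0].lstrip().startswith("#"):
                self.add(row[0], heading)
                added += 1
        return added

    def export_csv(self) -> str:
        """Dump the library (what an Export button would hand back) as CSV."""
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")
        writer.writerow(["term", "heading"])
        for term, heading in sorted(self.terms.items()):
            writer.writerow([term, heading])
        return buf.getvalue()

    def redact(self, body: str, placeholder: str = "[REDACTED]") -> tuple[str, list[str]]:
        """Replace every library term in body. Returns (redacted_body, hits),
        where hits lists the original term for each replacement so the caller
        can show "what was redacted" the way the review page does on hover.

        Longest terms go first so 'jdoe@corp.example.com' is consumed whole
        before 'corp.example.com' is tried. Word-boundary lookarounds keep
        '10.0.0.5' from also hitting the unrelated '10.0.0.50'."""
        hits: list[str] = []
        out = body
        for term in sorted(self.terms, key=len, reverse=True):
            pattern = re.compile(r"(?<!\w)" + re.escape(term) + r"(?!\w)", re.IGNORECASE)
            out, count = pattern.subn(placeholder, out)
            hits.extend([term] * count)
        return out, hits

    def redact_selected(self, body: str, selection: str) -> tuple[str, list[str]]:
        """'Redact Selected Text': add the highlighted text to the library
        (so future reports get it automatically) and redact the body now."""
        self.add(selection, "selected")
        return self.redact(body)


def build_copy_and_redact_request(report_id: str, dest_enclave_id: str,
                                  body: str, library: RedactionLibrary,
                                  tags: list[str]) -> dict:
    """Assemble a copy-and-redact request for a hypothetical endpoint.
    The path and field names are placeholders, not the TruSTAR API."""
    redacted, hits = library.redact(body)
    return {
        "endpoint": f"/reports/{report_id}/copy",  # placeholder path
        "payload": {
            "destEnclaveId": dest_enclave_id,       # placeholder field names
            "reportBody": redacted,
            "tags": sorted(set(tags)),              # tags travel with the copy
        },
        "redactedCount": len(hits),
    }


# Constructed sample data (not from any real incident).
SAMPLE_REPORT = (
    "Phishing email received by jdoe@corp.example.com on 2021-03-02.\n"
    "Sender domain: evil-example.test. Internal host corp.example.com (10.0.0.5)\n"
    "contacted 10.0.0.50 before the mailbox was quarantined.\n"
)
SAMPLE_BULK_CSV = (
    "# constructed bulk upload, one term per line\n"
    "jdoe@corp.example.com\n"
    "\n"
    "corp.example.com\n"
    "10.0.0.5\n"
)


def demo() -> dict:
    """Run the whole flow and return the request that would be sent."""
    library = RedactionLibrary()
    library.bulk_upload(SAMPLE_BULK_CSV, heading="internal")
    return build_copy_and_redact_request("rpt-placeholder", "enclave-placeholder",
                                         SAMPLE_REPORT, library, ["phishing", "phishing"])


if __name__ == "__main__":
    result = demo()
    print(result["redactedCount"], "items redacted")
    print(result["payload"]["reportBody"])
```

On the sample report the three library terms hit exactly once each, the sender domain and the unrelated `10.0.0.50` are left intact, and the duplicate tag collapses to one. Exporting the library and re-importing it with `bulk_upload` is a convenient way to keep a team's redaction terms under version control.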
Moving a submission was another common and frequent operation in an analyst's workflow, typically to move a triaged submission into a vetted enclave where it could eventually be consumed as intel. Previously, moving a submission required going through the entire report update process. With the new updates, this operation is explicit and simple to perform. A move endpoint is also available on our Public API to help automate this operation for multiple submissions at once.
Q: Where did categories go?
A: Categories, also known as public tags, were removed from the platform and replaced with the more comprehensive tags that are applied at the enclave level instead.