Automated Sharing

Updated 4 days ago by Elvis Hovor

Automated sharing provides a way to replicate reports and their tags to a second enclave by either adding a specific string as a tag to the report or placing that string inside curly-braces in the report title.

You can choose to replicate the entire report or redact it to hide sensitive information, such as named sources. If you want to use Automated Sharing outside your own organization, TruSTAR recommends that you redact such sensitive information so that shared reports are truly anonymous. To redact replicated reports, you can use the settings in your redaction library in TruSTAR Station.

This feature can be activated several times over for each source enclave, and can be activated for several different source enclaves. The possibilities are endless. Discuss your use-case with your TruSTAR account manager.

Use Cases

Anonymous Sharing

Automated sharing enables group members to redact-and-share an investigation ticket from your case-management system to a sharing-group enclave without having to login to TruSTAR Station.

TruSTAR's integrations with case-management applications means you can add a tag to the ticket or to the report title from within that application and then submit the report to TruSTAR. The Automated Sharing feature in TruSTAR will then detect the special tag and replicate the report to the specified enclaves.

Special Enclave Curation

You can use this feature to build an enclave of reports that your organization finds to be high-quality/high-fidelity.

Activating Automated Sharing

Contact your TruSTAR account manager and provide the following information:

  • Source enclave ID
  • Destination enclave ID
  • Whether or not to redact reports that are replicated

Using Automated Sharing

To trigger this feature to share a report from one enclave to another, you have two options:

  • Add the tag release (all lowercase, no quote-marks) to the report you want to replicate
  • Add the cue-string {release} anywhere in the title of the report.

TruSTAR monitors the source enclave for the presence of any reports that have the cue-string in curly-braces in the title or are tagged with the cue-string and replicates those reports over to the destination enclave. The cue-string remains a part of both original report and replicated reports unless you manually remove it.

Once a report in a source enclave has been tagged for automated sharing, any changes made to that report's "body" or "title" fields (attributes) will propagate to all replicas of that report. If you are redacting reports, all subsequent updates are also redacted.

You must receive confirmation from your TruSTAR account manager that the feature has been enabled before the cue-string will work as described in this document.

Using the Cue-String in Report Titles

You can place the cue-string inside curly braces anywhere in the Report Title.

Examples

Investigating an accidental release of PII to an unauthorized party. {release}

Investigating potential breach from bad actor. {release, breach, reconnaissance}

{release} Investigating an accidental disclosure of PII to an unauthorized party.

Investigating an accidental disclosure {release} of PII to an unauthorized party.

The cue-string must be all lower case inside curly braces; capitalizing any of the cue-string does not activate the Automated Sharing feature.

Listing Replicated Reports

Because all replica reports generated by this feature are tagged with the source enclave ID, listing all reports your organization has shared with your sharing group is easy to do.

  1. Log into TruSTAR Station.
  2. Navigate to the reports view.
  3. Select only the sharing-group enclave.
  4. Use the tag filter box to list reports tagged with your source enclave ID.

This list should match the list of reports presented in TruSTAR Station when you select only the source enclave and filter on the tag release (unless you're using the string-in-curly-braces-in-title trigger).

Technical Details

This section explains how Automated Sharing works with tags and with enclave and report IDs.

Rules for Replicating Tags

These rules govern replicating tags from source report to replica reports:

  • The release tag is not replicated. This applies whether it is added to the source report as a tag or to the report title.
  • All other tags in the source report will be replicated to the replica report in the destination enclave.
  • All other strings in curly-braces in the title will not be added as tags either to the source or replica reports.
  • Any tags added to a report after it is initially replicated will be spotted by TruSTAR and replicated.
  • Removing a tag from the source report does not automatically remove it from replicated reports. You must manually remove them from the replicas.

ID Tags

Replicas are tagged with the source enclave ID and the source report ID.

FAQ

How long does it take to replicate a report to other enclaves?

It takes a few minutes from the instant the “release” tag is added to the source report for the replica to be created, and it then takes a few more minutes for source report tags to propagate over to the replica.

If 90 minutes has passed without a replica being created for a report or a tag propagating, you can assume that that report’s replication failed for some reason. To follow up on causes, please contact your TruSTAR account manager, give them the report ID (the GUID from the URL when viewing the report in Station), and let them know that the report failed replication.

Please reach out to support@trustar.co if you have issues with the Automated Sharing feature.


How Did We Do?