Automated Sharing Between Enclaves

Updated 2 weeks ago by Elvis Hovor

Automated sharing provides a way to replicate Intel Reports and their tags to a second Enclave by either adding a specific string as a tag to the Report or placing that string inside curly-braces in the report's title.

You can use this automated sharing to:

  • Redact and share an investigation ticket from your case-management system to a sharing-group Enclave without having to log in to TruSTAR Station. Within your SIEM, you can add a tag to the ticket or to the Intel Report title and then submit that Report to TruSTAR. Automated Sharing in TruSTAR detects the special tag and replicates the Report to the specified Enclaves.
  • Build an Enclave of Intel Reports that your organization finds to be high-quality/high-fidelity.

This feature can be activated several times over for each source Enclave, and can be activated for several different source Enclaves. The possibilities are endless. Discuss your needs with your TruSTAR account manager.

Activating Automated Sharing

Contact your TruSTAR account manager and provide the following information:

  • Source Enclave ID
  • Destination Enclave ID
  • Whether or not to redact the Intel Reports that are replicated to the Destination Enclave

If you want to use Automated Sharing outside your own organization, TruSTAR recommends that you redact sensitive information so that shared information is truly anonymous. To redact Intel Reports, you can use the settings in your Redaction Library in TruSTAR Station.

Using Automated Sharing

To trigger this feature to share an Intel Report from one Enclave to another, you have two options:

  • Add the tag release (all lowercase, no quote-marks) to the Intel Report you want to replicate
  • Add the cue-string {release} anywhere in the title of the Intel Report.

TruSTAR monitors the source Enclave for the presence of any Intel Reports that have the cue-string in curly-braces in the title or are tagged with the cue-string and replicates those Reports over to the destination Enclave. The cue-string remains a part of both the original and the replicated Reports unless you manually remove it.

Once a Report in a source Enclave has been tagged for automated sharing, any changes made to that Report's "body" or "title" fields (attributes) will propagate to all replicas of that Report. If you are redacting Reports, all subsequent updates are also redacted.

You must receive confirmation from your TruSTAR account manager that the feature has been enabled before the cue-string will work as described in this document.

Using the Cue-String in Intel Reports

You can place the cue-string inside curly braces anywhere in the Report Title.

Example Report Titles:

Investigating an accidental release of PII to an unauthorized party. {release}

Investigating potential breach from bad actor. {release, breach, reconnaissance}

{release} Investigating an accidental disclosure of PII to an unauthorized party.

Investigating an accidental disclosure {release} of PII to an unauthorized party.

The cue-string must be all lower case inside curly braces; capitalizing any of the cue-string does not activate the Automated Sharing feature.

Listing Replicated Intel Reports

Because all replicated Reports generated by this feature are tagged with the source Enclave ID, listing all Reports your organization has shared with your sharing group is easy to do.

  1. Log in to the TruSTAR Web App.
  2. Navigate to the Reports view.
  3. Select only the sharing-group Enclave.
  4. Use the tag filter box to list Intel Reports tagged with your source Enclave ID.

This list should match the list of Intel Reports presented in the TruSTAR Web App when you select only the source Enclave and filter on the tag release (unless you're using the string-in-curly-braces-in-title trigger).

How It Works

This section explains how Automated Sharing works with tags and with Enclave and Intel Report IDs.

Rules for Replicating Tags

These rules govern replicating tags from source Report to replica Reports:

  • The release tag is not replicated. This applies whether it is added to the source Report as a tag or to the Report title.
  • All other tags in the source Report will be replicated to the replica Report in the destination Enclave.
  • All other strings in curly-braces in the title will not be added as tags either to the source or to the replica Report.
  • Any tags added to a Report after it is initially replicated will be spotted by TruSTAR and replicated.
  • Removing a tag from the source Report does not automatically remove it from replicated Reports. You must manually remove it from the replicated Reports.

ID Tags

Replicas are tagged with the source Enclave ID and the source Report ID.
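
The trigger rules from "Using the Cue-String in Intel Reports" and the tag rules above, modeled as an added example that is not TruSTAR's code: a local pre-submission check that shows whether a Report would be shared and which tags its replica would carry. How items inside the braces are split and trimmed, and the sample tags and IDs, are assumptions.

```python
import re

CUE = "release"  # cue-string named on this page
BRACES = re.compile(r"\{([^{}]*)\}")


def title_cues(title):
    """Return every comma-separated string found inside {...} in the title."""
    cues = []
    for group in BRACES.findall(title):
        # Assumption: items are comma-separated and surrounding spaces are
        # ignored, as in the page's "{release, breach, reconnaissance}" title.
        cues.extend(item.strip() for item in group.split(","))
    return [c for c in cues if c]


def will_share(title, tags):
    """True if the cue-string is present as a tag or in braces in the title."""
    # Case-sensitive on purpose: "Release" or "RELEASE" does not trigger sharing.
    return CUE in tags or CUE in title_cues(title)


def replica_tags(tags, source_enclave_id, source_report_id):
    """Tags expected on the replica under the replication rules on this page."""
    kept = [t for t in tags if t != CUE]  # the release tag is not replicated
    # Brace strings from the title are never turned into tags, so none are added.
    # Assumption: the ID tags are the raw ID values.
    return kept + [source_enclave_id, source_report_id]


# Constructed sample reports; tags and IDs are placeholders.
SAMPLES = [
    ("Investigating an accidental release of PII to an unauthorized party.", ["pii"]),
    ("Investigating potential breach from bad actor. {release, breach, reconnaissance}",
     ["phishing"]),
    ("{Release} Investigating an accidental disclosure of PII.", ["pii"]),
    ("Ticket 42 triage notes", ["release", "malware"]),
]

if __name__ == "__main__":
    for title, tags in SAMPLES:
        if will_share(title, tags):
            print("SHARE", title, "->",
                  replica_tags(tags, "SRC-ENCLAVE-ID", "SRC-REPORT-ID"))
        else:
            print("LOCAL", title)
```

The first sample contains the word "release" only as ordinary text, so it stays in the source Enclave; running a check like this before submission helps catch a Report that would leave the Enclave unintentionally.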

FAQ

How long does it take to replicate a Report to other Enclaves?

It takes a few minutes from the instant the “release” tag is added to the source Report for the replica to be created, and it then takes a few more minutes for source Report tags to propagate over to the replicated Report.

If 90 minutes have passed without a replica being created or a tag propagating, you can assume that the Report’s replication failed. To follow up on causes, please contact your TruSTAR account manager, give them the Report ID (the GUID from the URL when viewing the Report in the TruSTAR Web App), and let them know that the Report failed replication.

Please reach out to support@trustar.co if you have issues with this feature.

