User Guide: TruSTAR for FIR

Updated 8 months ago by TruSTAR

This document explains how to use the features of the TruSTAR Workflow App for Fast Incident Response (FIR). The App automates the extraction of Observables from events, queries those items against various Intelligence Sources in TruSTAR and then adds the enriched data to the FIR incident.

Install: TruSTAR App for FIR

How It Works

When a FIR incident or event is submitted to TruSTAR, a note and a link to the TruSTAR Report are added to the Comments section of the item.

Any Observable enrichment found by TruSTAR is added to the TruSTAR Threat Intel tab of the FIR item.

Features

You can use the TruSTAR App for FIR to:

  • Auto-submit Reports
  • Manually submit a Report
  • Enrich an Observable
  • Share a FIR incident or event with one or more TruSTAR Enclaves.
  • Share Observables with one or more TruSTAR Enclaves
  • Sync FIR Items with TruSTAR Reports

Automatic Report Submission

You can automatically submit FIR incidents or events to TruSTAR by choosing these two settings in the TruSTAR Configuration section of FIR:

  • Auto-submit
  • Auto-enrich Observable

Whenever a FIR item is submitted, you will see the note and link to the TruSTAR report in the Comments section and any enrichment will appear in the TruSTAR Threat Intel tab.

Selecting these two configuration settings will send every new FIR incident or event to TruSTAR. If you want to choose whether or not to send a new FIR item to TruSTAR, then do not use these settings and instead use the Manually Submitting a Report procedure below.

Manually Submitting a Report

Use this procedure to send a single report to TruSTAR.

  1. In the TruSTAR Configuration section, make sure that Auto-enrich Observable is selected.
  2. Create the new FIR incident and save it.
  3. At the bottom of the Incident/Events details page, click Send Report to TruSTAR.

You will now see the note and link to the TruSTAR report in the Comments section and any enrichment will appear in the TruSTAR Threat Intel tab.

Enriching an Observable

You can manually enrich any Observable in a FIR incident or event. This is useful when you don't want to send the FIR item to TruSTAR but you do want to see if an observable is malicious or benign.

  1. Select the FIR item containing the Observable.
  2. On the Artifacts tab, hover the mouse over the Observable you want to enrich.
  3. On the pop-up menu, select TruSTAR: Enrich Observable.

The data found in TruSTAR is added to the TruSTAR Threat Intel tab of the FIR item. The Finding column on that tab displays a normalized score for each Observable:

  • High (considered malicious)
  • Medium
  • Low
  • Not Found (the Observable was not seen by other intelligence sources)

Sharing a FIR Incident

You can choose to share a FIR item with selected TruSTAR Enclaves.

  1. In the TruSTAR Configuration section, choose these settings:
     • Auto-enrich Observable
     • Allow share. You will also need to specify at least one Sharing Enclave ID.
     • Optional: select Allow redact if you want to remove information from the FIR item before sharing it with TruSTAR Enclaves. TruSTAR will remove any terms from the item that are listed in your organization's Redaction Library.
  2. Select an existing FIR Incident or Event.
  3. Click on Share Report in TruSTAR at the bottom of the Incident/Event details page.

You will now see the note and link to the TruSTAR report(s) in the Comments section.

Sharing Observables

To share Observables, select these items in the TruSTAR Configuration section:

  • Allow share
  • Specify at least one Sharing Enclave ID.

Sharing One Observable

  1. Open the FIR incident or event that contains the Observable you want to share.
  2. On the Artifacts tab, hover the mouse over the Observable you want to share.
  3. On the pop-up menu, select TruSTAR: Share to share the Observable with the specified Sharing Enclaves.

Sharing Multiple Observables

  1. Open the FIR incident or event that contains the Observables you want to share.
  2. Go to the TruSTAR Threat Intel Tab.
  3. Select the Observables you want to share from the table.
  4. Click TruSTAR: Share at the bottom of the table to share the Observables with the specified Sharing Enclaves.

Syncing with TruSTAR

When you edit an existing FIR incident or event, you can choose to update the corresponding TruSTAR Report automatically or manually, depending on your settings in the FIR TruSTAR Configuration section:

  • When Auto-submit is enabled, the TruSTAR Report is updated automatically when the FIR item is updated.
  • When Auto-submit is disabled, you must click the Send Report to TruSTAR button at the bottom of the FIR item details to update the TruSTAR Report.
  • When Allow Share is enabled, click the Share Report in TruSTAR button at the bottom of the FIR item to update the TruSTAR Report.
