Demisto

Updated 2 weeks ago by Elvis Hovor

Introduction

TruSTAR's threat intelligence platform enriches every stage of the security operations workflow from the trusted and relevant data sources. This integration provides capabilities in the form of commands and each command reflects a product capability (API) and returns both a human readable and computer readable response.

Features

  • Submit open cases in Demisto to users enclave in TruSTAR and receive deeplink to report in Demisto
  • Receive intelligence enrichment on Indicators in open Demisto cases from intel sources within TruSTAR (user activated open, closed and internal intelligence sources)
  • 13 TruSTAR API actions available to use in Demisto's war room and for creating playbooks.
  • Automate end-to-end intelligence gathering to support incident investigations within Demisto using TruSTAR capability

Requirements

The following requirements and components need to be installed and activated for TruSTAR integration to work with Demisto

Demisto Server v3.6 - 4.0 (more info here)

Demisto Agent(D2) (more info here)

Demisto Engine (more info here)

While the TruSTAR integration requires no special port allocations or firewall exceptions, you do need to follow firewall and port guidelines for installing Demisto. Check here for details. For certain functions, the TruSTAR app will need access to station.trustar.co over port 443.

Installing

The TruSTAR integration is available on Demisto's integration page for download. Please follow steps from How To Install section below to setup the TruSTAR instance.

Manual Installation

The following bundle is required for manual installation of TruSTAR app instance in Demisto.

It is recommended to install the TruSTAR app from the Demisto integrations page. This process is more automated and requires less configuration from user.

Bundle Name

Description

Integration_TruSTAR.yml

This file contains all the actions required to support TruSTAR instance in Demisto.

Configuring the Integration

To configure the TruSTAR integration with Demisto, use this procedure.

  1. Login to your demisto platform.
  2. Select Settings -> Integrations -> and type TruSTAR in the search integration text box.
  3. Select Add Instance to begin configuring the TruSTAR instance.
  4. Enter the configuration parameter details explained in the table below, then click Test to check connectivity with TruSTAR.

Configuration Details

Configuration Parameter

Required

Description

Name

Yes

This is a name you assign to the instance. It can be whatever you want it to, but must be unique to each instance you set up.

Server URL

Yes

Use https://station.trustar.co This is TruSTAR station URL from where data get collected by executing API calls.

TruSTAR API Key

Yes

Authentication Key to connect to TruSTAR station. It will be used for making API calls. Available under Settings-> API in your TruSTAR Station account. How to find your API Key

TruSTAR API Secret

Yes

Secret Key to connect to TruSTAR station. It will be used for making API calls. Available under Settings-> API on TruSTAR Station. How to find your API Secret

Using the Integration

This section lists down all the commands provided as part of TruSTAR integration.

  1. trustar-add-to-whitelist: Whitelist a list of indicator values for the user’s company.
    Example:
    !trustar-add-to-whitelist indicators=8.8.8.1
  2. trustar-correlated-reports: Returns a paginated list of all reports that contain any of the provided indicator values.
    Example:
    !trustar-correlated-reports indicators=8.8.8.1
  3. trustar-delete-report: Deletes a report as specified by given id (id can be TruSTAR report id or external id).
    Example:
    !trustar-delete-report report-id=b11d4516-9935-4be7-9d6a-4940b564d32e
  4. trustar-get-enclaves: Returns the list of all enclaves that the user has access to, as well as whether they can read, create, and update reports in that enclave.
    Note: This command does not require arguments
    Example:
    !trustar-get-enclaves
  5. trustar-get-reports: Returns incident reports matching the specified filters. All parameters are optional: if nothing is specified, the latest 25 reports accessible by the user will be returned (matching the view the user would have by logging into Station).
    Example:
    !trustar-get-reports distribution-type=ENCLAVE
  6. trustar-related-indicators: Search all TruSTAR incident reports for provided indicators and return all correlated indicators from search results. Two indicators are considered “correlated” if they can be found in a common report.
    Example:
    !trustar-related-indicators indicators=8.8.8.1
  7. trustar-remove-from-whitelist: Delete an indicator from the user’s company whitelist.
    Example:
    !trustar-remove-from-whitelist indicator=8.8.8.1 indicator-type=IP
  8. trustar-report-details: Finds a report by its internal or external id.
    Example:
    !trustar-report-details report-id=3ad95dfb-72a1-42fc-9780-da264bfbce94
  9. trustar-search-indicators: Searches for all indicators that contain the given search term.
    Example:
    !trustar-search-indicators search-term=8.8.8.1
  10. trustar-search-reports: Searches for all reports that contain the given search term.
    Example:
    !trustar-search-reports search-term=8.8.8.1
  11. trustar-submit-report: Submit a new incident report and receive the ID it has been assigned in TruSTAR’s system.
    Example:
    !trustar-submit-report report-body={'ip':8.8.8.2} title=testreport
  12. trustar-trending-indicators: Returns the 10 indicators that have recently appeared in the most community reports. This is analogous to the Community Trends section of the dashboard on Station.
    Example:
    !trustar-trending-indicators
  13. trustar-update-report: Update the report with the specified ID. Either the internal TruSTAR report ID or an external tracking ID can be used. Only the fields passed will be updated. All others will be left unchanged.
    Example:
    !trustar-update-report report-body={'ip':8.8.8.2'} report-id=b11d4516-9935-4be7-9d6a-4940b564d32e title=testreport

Creating Playbooks

Users can automate their workflows by creating play books in Demisto.

  1. Select Playbook in the menu list.
  2. Select Create New Playbook and search for the TruSTAR actions in the Task library.
  3. You can view all supported TruSTAR actions and select the one you want to use in the playbook.
  4. Configure the associated parameters for that action and complete to add action to playbook. More details on how to setup demisto play books can be found here

FAQ

Q: How long does it take to setup Integration?

A: Typically setting up the integration takes about 10 - 20 minutes. It is often quicker if installation is done from the Demisto marketplace vs a manual install. Setting up play books is dependent on the user since all workflows are different and the more complicated the workflow the more time it takes to build a play book.

Q: Where can i locate logs for troubleshooting in Demisto?

A: You can download logs from the UI Settings--> About --> Troubleshooting but before that IMP: Change the log level to debug, try the failing scenario and then download the logs.

Q: How do I restart the service or instance?

A: To restart instance you have to either reconnect the TruSTAR instance or restart service for Demisto. To start, stop and check the status of the demisto server you can refer to Demisto support notes

Q: How do I delete/reinstall/upgrade the TruSTAR instance?

A: Users can delete the TruSTAR instance by navigating to Settings --> INTEGRATIONS -->Servers&Services, here you can find the TruSTAR instance and select to disable the instance. To reinstall follow the installation and setup instructions from above.

How Did We Do?