Demisto
INTRODUCTION
This document is intended to provide details of the TruSTAR integration built for Demisto.TruSTAR's threat intelligence platform enriches every stage of the security operations workflow from the trusted and relevant data sources. This integration provides capabilities in the form of commands and each command reflects a product capability (API) and returns both a human readable and computer readable response.
USE CASES
The TruSTAR integration with Demisto allows users enrich cases incidents in Demisto with intelligence from TruSTAR in an automated manner thereby drastically speeding up speed to resolution times. Coupled with Demisto's ability to create play books to automate the investigative and analysis workflows of analyst, the TruSTAR integration with Demisto provides a means for analyst to fully leverage the power of actionable intelligence in their automated workflows.
PRE-REQUISITES
The following requirements and components need to be installed and activated for TruSTAR integration to work with Demisto
Demisto Server v3.6 - 4.0 (more info here) |
Demisto Agent(D2) (more info here) |
Demisto Engine (more info here) |
FILE DOWNLOAD
From Demisto Platform
The TruSTAR integration is available on Demisto's integration page for download. Please follow steps from "How to Install" section below to setup the TruSTAR instance.
Manual Installation
The following bundles is required for manual installation of TruSTAR app instance in Demisto.
Bundle Name | Description |
This file contains all the actions required to support TruSTAR instance in Demisto. |
HOW TO INSTALL
Setup & Configuration
To install and configure the TruSTAR instance in Demisto, follow steps below:
- Login to your demisto platform with your username and password
- Select settings -> integrations -> and type TruSTAR in search integration text box. Select Add instance to configure TruSTAR instance.
- Enter configuration parameter details like Name, Server URL, TruSTAR API Key, TruSTAR API Secret etc. and Test to check connectivity with TruSTAR.
Configuration Details
Configuration Parameter | Required | Description |
Name | Yes | This is a name you assign to the instance. It can be whatever you want it to, but must be unique to each instance you set up. |
Server URL | Yes | Use https://station.trustar.co This is TruSTAR station URL from where data get collected by executing API calls. |
TruSTAR API Key | Yes | Authentication Key to connect to TruSTAR station. It will be used for making API calls. Available under Settings-> API in your TruSTAR Station account. How to find your API Key |
TruSTAR API Secret | Yes | Secret Key to connect to TruSTAR station. It will be used for making API calls. Available under Settings-> API on TruSTAR Station. How to find your API Secret |
TruSTAR Actions & Commands
This section lists down all the commands provided as part of TruSTAR integration.
- trustar-add-to-whitelist: Whitelist a list of indicator values for the user’s company.
Example:
!trustar-add-to-whitelist indicators=8.8.8.1 - trustar-correlated-reports: Returns a paginated list of all reports that contain any of the provided indicator values.
Example:
!trustar-correlated-reports indicators=8.8.8.1 - trustar-delete-report: Deletes a report as specified by given id (id can be TruSTAR report id or external id).
Example:
!trustar-delete-report report-id=b11d4516-9935-4be7-9d6a-4940b564d32e - trustar-get-enclaves: Returns the list of all enclaves that the user has access to, as well as whether they can read, create, and update reports in that enclave.
Note: This command does not require argumentsExample:
!trustar-get-enclaves - trustar-get-reports: Returns incident reports matching the specified filters. All parameters are optional: if nothing is specified, the latest 25 reports accessible by the user will be returned (matching the view the user would have by logging into Station).
Example:
!trustar-get-reports distribution-type=ENCLAVE - trustar-related-indicators: Search all TruSTAR incident reports for provided indicators and return all correlated indicators from search results. Two indicators are considered “correlated” if they can be found in a common report.
Example:
!trustar-related-indicators indicators=8.8.8.1 - trustar-remove-from-whitelist: Delete an indicator from the user’s company whitelist.
Example:
!trustar-remove-from-whitelist indicator=8.8.8.1 indicator-type=IP - trustar-report-details: Finds a report by its internal or external id.
Example:
!trustar-report-details report-id=3ad95dfb-72a1-42fc-9780-da264bfbce94 - trustar-search-indicators: Searches for all indicators that contain the given search term.
Example:
!trustar-search-indicators search-term=8.8.8.1 - trustar-search-reports: Searches for all reports that contain the given search term.
Example:
!trustar-search-reports search-term=8.8.8.1 - trustar-submit-report: Submit a new incident report and receive the ID it has been assigned in TruSTAR’s system.
Example:
!trustar-submit-report report-body={'ip':8.8.8.2} title=testreport - trustar-trending-indicators: Returns the 10 indicators that have recently appeared in the most community reports. This is analogous to the Community Trends section of the dashboard on Station.
Example:
!trustar-trending-indicators - trustar-update-report: Update the report with the specified ID. Either the internal TruSTAR report ID or an external tracking ID can be used. Only the fields passed will be updated. All others will be left unchanged.
Example:
!trustar-update-report report-body={'ip':8.8.8.2'} report-id=b11d4516-9935-4be7-9d6a-4940b564d32e title=testreport
Creating Playbooks
Users can automate their workflows by creating play books in Demisto.
- To create a playbook users have to select Playbook in the menu list
- Select create new playbook and search for the TruSTAR actions in the Task library
- Here users can see all the 13 supported TruSTAR actions and select to use in playbook
- After selecting an action you can configure the associated parameters for that action and complete to add action to playbook. More details on how to setup demisto play books can be found here
FAQs
Q: What ports and firewall exceptions are needed for the Integration to work?
A: The TruSTAR integration requires no special port allocations or firewall exceptions to be installed. Users need to follow firewall and port guidelines for installing Demisto found here for installation. However, for certain functions the app needs access to station.trustar.co over port 443
Q: How long does it take to setup Integration ?
A: Typically setting up the integration takes about 10 - 20 minutes. It is often quicker if installation is done from the Demisto marketplace vs a manual install. Setting up play books is dependent on the user since all workflows are different and the more complicated the workflow the more time it takes to build a play book.
Q: Where can i locate logs for troubleshooting in Demisto?
A: You can download logs from the UI Settings--> About --> Troubleshooting but before that IMP: Change the log level to debug, try the failing scenario and then download the logs.
Q: How to restart service or instance?
A: To restart instance you have to either reconnect the TruSTAR instance or restart service for Demisto. To start, stop and check the status of the demisto server you can refer to Demisto support notes
Q: How do you delete/reinstall/upgrade the TruSTAR instance
A: Users can delete the TruSTAR instance by navigating to Settings --> INTEGRATIONS -->Servers&Services, here you can find the TruSTAR instance and select to disable the instance. To reinstall follow the installation and setup instructions from above.
