Phantom Cyber User Guide

Updated 1 week ago by Elvis Hovor

The TruSTAR App for Phantom enhances your intelligence operations by

  • Enriching intelligence in open Phantom cases using TruSTAR enclaves (OSINT, commercial feeds, and internal intelligence).
  • Submitting Phantom cases as TruSTAR reports, then adding the TruSTAR deeplinks to the Phantom cases for fast follow-up.
  • Automating end-to-end intelligence gathering within Phantom by using playbooks that execute TruSTAR actions.

Launch Actions

To launch a TruSTAR action:

  1. Click Sources, then Events (or Sources, then Intelligence).
  2. Click the Action button.
  3. Select the appropriate Action from the list. For example, if you want to submit a report you would select Action Type: Generic, Action: Submit Report, and Asset: TruSTAR.

Supported Actions

Action Name           Action Type   Description
submit report         generic       Submit a report to TruSTAR.
get report            generic       Get report details, including report data and submission metadata.
hunt bitcoin address  investigate   Get report IDs associated with a bitcoin address.
hunt registry key     investigate   Get report IDs associated with a registry key.
hunt malware          investigate   Get report IDs associated with a malware name.
hunt cve              investigate   Get report IDs associated with a CVE ID.
hunt email            investigate   Get report IDs associated with an email address.
hunt file             investigate   Get report IDs associated with a file name.
hunt url              investigate   Get report IDs associated with a URL.
hunt ip               investigate   Get report IDs associated with an IP address (IPv4 and IPv6).
test connectivity     n/a           Validate the credentials provided for connectivity.
on poll               n/a           Ingest the latest indicators.

Sample Playbook

TruSTAR has developed a sample playbook that chains several of the TruSTAR actions to achieve a specific goal. It is an example of what is possible using the base actions.

Playbook Objective: The user submits a report and receives the TruSTAR report ID, the number of IoCs extracted, and the number of correlations with other reports.

Action Sequence: The playbook is comprised of two of the actions listed above. submit report is called first and returns the TruSTAR report GUID in its result. get report is then called with that GUID, and the correlation count for the report is extracted from its response.

Playbook Output:

  • TruSTAR Report GUID
  • User Provided UID (optional; only if the user supplied one in the first action)
  • Extracted IoCs
  • Correlation Count
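The following is an added, offline model of the two-step sequence described above (submit report, then get report), written for this guide and not TruSTAR's playbook or the Phantom playbook API. The action results follow the general status/message/data layout a Phantom playbook callback receives, but the TruSTAR asset is replaced by a constructed in-memory stand-in, and the field names inside data (report_id, external_id, indicators, correlation_count) are assumptions, not the app's real datapaths. It shows the part a playbook author has to get right: stop when the first action fails, carry the GUID into the second call, and emit the optional user-provided UID only when it was supplied.

```python
"""Offline model of the sample playbook: submit report -> get report ->
report GUID, extracted IoCs, correlation count (added example, not
TruSTAR or Phantom code). Field names inside `data` are assumptions."""
import re
import uuid

# The constructed asset extracts two indicator types from a report body.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


class FakeTruStarAsset:
    """Constructed in-memory stand-in for the TruSTAR asset (not the real app).

    It stores submitted reports, extracts IoCs from the body, and counts
    correlations as the number of *other* stored reports that share at
    least one IoC with the requested report.
    """

    def __init__(self):
        self._reports = {}  # guid -> {"title", "body", "iocs", "external_id"}

    def submit_report(self, params):
        """Model of the 'submit report' action result (assumed layout)."""
        title = params.get("title", "")
        body = params.get("body", "")
        if not title or not body:
            return {"status": "failed", "message": "title and body are required", "data": []}
        guid = str(uuid.uuid4())
        iocs = set(IPV4_RE.findall(body)) | {h.lower() for h in SHA256_RE.findall(body)}
        self._reports[guid] = {"title": title, "body": body, "iocs": iocs,
                               "external_id": params.get("external_id")}
        return {"status": "success", "message": "submitted",
                "data": [{"report_id": guid, "external_id": params.get("external_id")}]}

    def get_report(self, params):
        """Model of the 'get report' action result (assumed layout)."""
        guid = params.get("report_id")
        report = self._reports.get(guid)
        if report is None:
            return {"status": "failed", "message": "unknown report %s" % guid, "data": []}
        correlations = sum(1 for g, other in self._reports.items()
                           if g != guid and other["iocs"] & report["iocs"])
        return {"status": "success", "message": "ok",
                "data": [{"report_id": guid, "title": report["title"],
                          "indicators": sorted(report["iocs"]),
                          "correlation_count": correlations}]}


def run_sample_playbook(asset, title, body, user_uid=None):
    """Chain submit report -> get report and build the playbook output.

    Raises RuntimeError instead of continuing when either action fails,
    so a playbook never calls get report with a missing GUID.
    """
    params = {"title": title, "body": body}
    if user_uid is not None:
        params["external_id"] = user_uid  # optional user-provided UID
    submit = asset.submit_report(params)
    if submit["status"] != "success" or not submit["data"]:
        raise RuntimeError("submit report failed: %s" % submit["message"])
    guid = submit["data"][0]["report_id"]  # carried into the second action

    detail = asset.get_report({"report_id": guid})
    if detail["status"] != "success" or not detail["data"]:
        raise RuntimeError("get report failed: %s" % detail["message"])
    record = detail["data"][0]

    output = {"report_guid": guid,
              "extracted_iocs": record["indicators"],
              "correlation_count": record["correlation_count"]}
    if user_uid is not None:  # only present when the user supplied one
        output["user_provided_uid"] = user_uid
    return output


if __name__ == "__main__":
    asset = FakeTruStarAsset()
    # Constructed case data: the second case shares a C2 address with the first.
    first = run_sample_playbook(asset, "Phishing wave A",
                                "Beacon to 203.0.113.10 and 198.51.100.7")
    second = run_sample_playbook(asset, "Phishing wave B",
                                 "Same C2 203.0.113.10, dropper " + "a" * 64,
                                 user_uid="CASE-42")
    print(first)
    print(second)
```

Running the module submits two constructed cases; the second reports one correlation because it shares an IP address with the first, and it carries the user-provided UID that the first case omitted.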

