User Guide: TruSTAR for Phantom Cyber
The TruSTAR App for Phantom Cyber enhances your intelligence operations by:
- Enriching intelligence in open Phantom cases using TruSTAR enclaves (OSINT, external intelligence, and internal intelligence).
- Submitting Phantom cases as TruSTAR Intel Reports, then adding the TruSTAR links to Phantom cases for fast follow-up.
- Automating end-to-end intelligence gathering within Phantom by using playbooks that execute TruSTAR actions.
To launch a TruSTAR action:
- Click Sources, then Events (or Sources, then Intelligence).
- Click the Action button.
- Select the appropriate Action from the list. For example, if you want to submit a report you would select Action Type: Generic, Action: Submit Report, and Asset: TruSTAR.
Submit an Intel Report to TruSTAR
Get details of an Intel Report, including submission and other metadata.
hunt bitcoin address: Get Intel Report IDs associated with a bitcoin address
hunt registry key: Get Intel Report IDs associated with a registry key
Get Intel Report IDs associated with a malware name
Get Intel Report IDs associated with a CVE ID
Get Intel Report IDs associated with an email address
Get Intel Report IDs associated with a file name
Get Intel Report IDs associated with a URL
Get Intel Report IDs associated with an IP address (V4 and V6)
Validate that your TruSTAR credentials are correct and working
Import latest Indicators from TruSTAR
TruSTAR has developed a sample playbook that uses some of the TruSTAR actions to achieve a specific goal. This playbook is a sample of what’s possible using the base actions.
Playbook Objective: The user submits a report and receives the TruSTAR Report ID, the number of IoCs extracted, and the number of correlations with other reports.
Sequence of Actions: The playbook consists of two of the actions listed above. submit report is called first and returns the TruSTAR Report GUID as one of its parameters. get report is then called with that report GUID, and the correlation count for the report is extracted from the response.
- TruSTAR Report GUID
- (Optional - only if provided by user in first Action) User Provided UID
- Extracted IoCs
- Correlation Count
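The two-step sequence above, written out as an added sketch (not TruSTAR's sample playbook and not code from the app). The `act` callable, the parameter names and the response fields `reportId`, `indicators` and `correlationCount` are assumptions made for illustration; only the action names submit report and get report come from this guide.

```python
# Added sketch, not TruSTAR's sample playbook. Parameter and field names
# marked "assumed" are placeholders; check them against the app's action output.

class PlaybookError(Exception):
    """Raised when a step fails, so a partial result is never reported."""

def first_record(result, action):
    """Return the first data record of a successful action result, else raise."""
    if result.get("status") != "success" or not result.get("data"):
        raise PlaybookError(f"{action} failed: {result.get('message', 'no data')}")
    return result["data"][0]

def submit_and_correlate(act, title, body, user_uid=None):
    """Chain 'submit report' into 'get report' and build the playbook output.

    act(action_name, parameters) is a hypothetical stand-in for the platform's
    action runner bound to the TruSTAR asset; it returns a result dict.
    """
    params = {"report_title": title, "report_body": body}        # assumed names
    if user_uid is not None:
        params["external_id"] = user_uid                          # assumed name
    guid = first_record(act("submit report", params), "submit report").get("reportId")
    if not guid:                                                  # assumed field
        raise PlaybookError("submit report returned no report GUID")
    # The GUID returned by step one is the only input to step two.
    report = first_record(act("get report", {"report_id": guid}), "get report")
    if "correlationCount" not in report:                          # assumed field
        raise PlaybookError("get report response has no correlation count")
    output = {
        "report_guid": guid,
        "extracted_iocs": report.get("indicators", []),           # assumed field
        "correlation_count": int(report["correlationCount"]),
    }
    if user_uid is not None:       # echoed only when the user supplied one
        output["user_uid"] = user_uid
    return output

def fake_act(action, params):
    """Constructed responses so the sketch runs offline."""
    if action == "submit report":
        return {"status": "success",
                "data": [{"reportId": "00000000-0000-4000-8000-000000000001"}]}
    return {"status": "success", "data": [{
        "indicators": [{"type": "IP", "value": "192.0.2.10"},
                       {"type": "URL", "value": "http://example.test/a"}],
        "correlationCount": 3}]}

if __name__ == "__main__":
    print(submit_and_correlate(fake_act, "Phishing case 17", "Seen 192.0.2.10", "CASE-17"))
```

Failing the whole run when submit report does not succeed keeps a case from being annotated with a correlation count that belongs to no report.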