- Installing the App
- Configuring the App
- Slack Channel Restrictions
- Using the TruSTAR App
This document explains how to use the TruSTAR App for Slack to tap into intelligence sources within TruSTAR and enrich investigation workflows that take place in Slack conversations.
Many security analysts leverage collaborative tools such as Slack in incident triage and investigations for a more real-time exchange of information. In addition to using Slack among enterprise security teams, sharing communities like ISACs/ISAOs leverage Slack to encourage collaboration among industry peers.
You can use the TruSTAR App for Slack to:
- Manage threat intelligence by vetting and validating intelligence from external websites. You can collaborate via chat and tap into multiple intelligence sources like SIEM, Case Management, and Orchestration tools.
- Enrich investigations by quickly identifying and flagging high-priority indicators, then running searches in TruSTAR directly from the Slack conversation. You can quickly pivot to TruSTAR Station for additional investigation.
- Submit reports and IOCs to TruSTAR from within Slack conversations so that intelligence and context can be enriched with data sources available across the TruSTAR platform.
Installing the App
You can install the TruSTAR App for Slack either from the TruSTAR marketplace or manually through your web browser.
Installing from TruSTAR Marketplace
- Login to the TruSTAR Station platform.
- Navigate to the TruSTAR Marketplace.
- Search for Slack.
- Select the Set Up button to install the TruSTAR Slack app.
- Select the Slack workspace where you want to install the TruSTAR App and click Authorize. You may be asked to sign into the workspace before continuing with the App installation.
Installing From a Web Browser
- Copy and paste this URL into the address bar of your browser and press Enter:
- Select the workspace where you want to install the TruSTAR app and click Authorize. You may be asked to sign in to your Slack workspace before continuing with the App installation.
Configuring the App
Each user who has access to the Slack workspace must complete a one-time setup before using the TruSTAR App for Slack.
- Each user runs the command /trustar-register in their Slack app.
- This prompts the user for their TruSTAR API key and API secret key. Click the API Key or API Secret Key hyperlinks to jump to the TruSTAR Station page where the API credentials can be retrieved.
Sharing one set of TruSTAR credentials among several Slack users counts all of their requests toward the same per-minute rate limits and might affect your experience with the Slack app. It also means every search and submission is attributed to the same TruSTAR account, and the shared key has to be rotated for everyone if any one user leaves. Each individual should register with their own set of API credentials.
Any attempt to run the commands listed in the next section without completing registration results in an error.
Slack Channel Restrictions
The TruSTAR App uses a Slackbot to retrieve intelligence enrichment in response to user actions. Slack Channels that do not allow the use of Slackbots cannot be used with this App.
The TruSTAR Slackbot can be used in any of the following channels:
- Any public channel
- Any channel that @TruSTAR has been invited to
- The Slackbot channel
Users cannot use this integration in channels that the TruSTAR bot doesn’t have permission to write into.
Using the TruSTAR App
After installing the TruSTAR App for Slack, you can type TruSTAR commands into the Slack conversation to search within TruSTAR enclaves or submit information to TruSTAR.
You can preview the TruSTAR app commands by typing /trustar, which displays a list of commands with brief explanations.
Searching in TruSTAR
Command: /trustar-search <search-term>
- Enter the search command and search term, then press Enter. For example, to search for "wannacry", you would use this command: /trustar-search wannacry
The TruSTAR App will display a Slackbot message in the conversation with enrichment from TruSTAR on that search term.
Submitting Reports to TruSTAR
Description: Brings up a dialog to submit a report. When you submit intelligence reports to TruSTAR, the platform automatically extracts all IOCs and normalizes them. Additional context from the report is captured in the context panel.
- Issue the Submit Report command to open a new dialog box.
- Select which TruSTAR Enclave to submit the report to.
- Add any tags if needed and submit.
The TruSTAR App displays a Slackbot message when the report has been successfully submitted to TruSTAR.
Submitting IOCs to TruSTAR
Description: Brings up a dialog to submit IOCs. IOC submission is best for when you are dealing with pure indicators vs. intelligence reports with additional context and analysis.
- Issue the Submit Indicators command to open a new dialog box.
- Fill out the IOC list. For example, you can copy IOCs from the Slack conversation.
- Select the TruSTAR enclave where you want to submit the IOC list.
- Add tags and click Submit.
You will receive a Slackbot message when the list of IOCs has been submitted to TruSTAR. You will receive a second message when the IOC list has been extracted and normalized and the submission to TruSTAR is complete.
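The IOC list is usually assembled by copying indicators out of the conversation, and analysts defang them in chat (hxxp://, [.], [at]) so that Slack does not render live links. The following is an added example, not code from TruSTAR or from this page: it refangs a constructed Slack message, extracts URLs, domains, public IPs, hashes and e-mail addresses, and holds back RFC 1918 and loopback addresses so internal hosts mentioned during triage are not pushed into a shared enclave. The defang conventions, the internal-range list and the one-indicator-per-line output format are this example's own assumptions; the page does not document how TruSTAR itself extracts or normalizes indicators.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample (not from the original page): a Slack message as an
# analyst might paste it, with indicators "defanged" so Slack will not
# render them as clickable links.
SAMPLE_MESSAGE = """
Seeing beaconing to hxxp://evil-example[.]com/gate.php from 10.0.0.5,
C2 at 198[.]51[.]100[.]23 and hxxps://cdn.bad-example[.]net/x.
Sample SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
also md5 d41d8cd98f00b204e9800998ecf8427e, contact ops@corp-example[.]org
"""

# Address ranges we never want to push into a shared enclave: internal hosts
# that appear in a triage conversation are context, not indicators. This list
# is a deliberate choice for the example, not a TruSTAR rule.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                          "192.168.0.0/16", "127.0.0.0/8")]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(text: str) -> str:
    """Undo the usual defanging conventions so the indicators parse."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", text, flags=re.I)
    text = re.sub(r"\[at\]|\(at\)", "@", text, flags=re.I)
    return text


def _dedupe(items):
    """Drop duplicates while keeping first-seen order."""
    return list(dict.fromkeys(items))


def extract_iocs(message: str) -> dict:
    """Pull URLs, domains, public IPs, hashes and e-mails out of a message."""
    text = refang(message)

    urls = _dedupe(u.rstrip(".,;:)") for u in URL_RE.findall(text))
    emails = _dedupe(e.lower() for e in EMAIL_RE.findall(text))
    hashes = _dedupe(h.lower() for h in HASH_RE.findall(text))

    public_ips, internal_ips = [], []
    for candidate in IPV4_RE.findall(text):
        try:
            addr = ip_address(candidate)
        except ValueError:          # e.g. 999.1.1.1 looks like an IP but is not
            continue
        if any(addr in net for net in INTERNAL_NETS):
            internal_ips.append(candidate)
        else:
            public_ips.append(candidate)

    # Domains: hosts of the URLs and e-mails, plus bare domains left over once
    # URLs and e-mails are blanked out (so "gate.php" inside a URL path is not
    # mistaken for a domain).
    remaining = EMAIL_RE.sub(" ", URL_RE.sub(" ", text))
    hosts = [urlsplit(u).hostname or "" for u in urls]
    hosts = [h for h in hosts if h and not IPV4_RE.fullmatch(h)]
    domains = _dedupe(hosts + [e.split("@", 1)[1] for e in emails]
                      + [d.lower() for d in DOMAIN_RE.findall(remaining)])

    return {
        "urls": urls,
        "domains": domains,
        "ips": _dedupe(public_ips),
        "hashes": hashes,
        "emails": emails,
        "skipped_internal_ips": _dedupe(internal_ips),
    }


def format_for_dialog(iocs: dict) -> str:
    """One indicator per line, ready to paste into the IOC list field.
    (One-per-line is an assumption of this example, not documented on the page.)"""
    keep = ("urls", "domains", "ips", "hashes", "emails")
    return "\n".join(v for k in keep for v in iocs[k])


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_MESSAGE)
    print(format_for_dialog(result))
    print("held back (internal):", result["skipped_internal_ips"])
```

Run it as a script to see the pasteable list; the internal address 10.0.0.5 is reported separately rather than included, and a malformed address such as 999.1.1.1 is dropped because ipaddress refuses to parse it.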
Q: What data does the app need access to?
A: The TruSTAR App installs a bot user that appears in and has access to your workspace’s directory. It can also post messages and view activity on messages in any channel it is invited to. Because the bot can read the messages in any channel it has been invited to, invite @TruSTAR only to channels where that is acceptable.
Q: Is an enterprise Slack license necessary to use this add-on?