TruSTAR on Slack

Updated 7 months ago by TruSTAR

This document explains how to use the TruSTAR Workflow App for Slack to tap into intelligence sources within TruSTAR and enrich investigation workflows taking place in Slack conversations.

Many security analysts leverage collaborative tools such as Slack in incident triage and investigations for real-time exchange of information. In addition to enterprise security teams, sharing communities like ISACs/ISAOs leverage Slack to encourage collaboration among industry peers. 

The TruSTAR App for Slack is currently degraded due to registration conflicts. This will be resolved in the next scheduled update in Q3 of 2021.

Features

You can use the TruSTAR App for Slack to:

  • Manage threat intelligence by vetting and validating intelligence that surfaces in Slack conversations against multiple sources in TruSTAR, including intelligence correlated from your SIEM, case management, and orchestration tools.
  • Enrich investigations by quickly identifying and flagging high-priority Indicators. Run searches in TruSTAR directly from Slack, then switch to the TruSTAR Web App for deeper investigation.
  • Submit Intelligence Reports and Observables to TruSTAR from within Slack conversations to enrich them with TruSTAR data sources.
When you submit Reports and Observables via the TruSTAR Slack app, enrichment data is shown only to you, not to others in the Slack conversations.

Installing the App

You can install the TruSTAR App either from the TruSTAR Marketplace or manually through your web browser.

The TruSTAR App for Slack is only supported for the Google Chrome browser.

Installing from Marketplace

  1. Login to the TruSTAR Web App.
  2. Navigate to the TruSTAR Marketplace.
  3. Search for Slack.
  4. Select the Set Up button to install the TruSTAR Slack app.
  5. Select the Slack workspace where you want to install the TruSTAR App and click Authorize. You may be asked to sign into the workspace before continuing with the App installation.

Installing From a Browser

  1. Copy and paste this URL into the address bar of your browser and press Enter:
    https://Slack.com/oauth/authorize?client_id=3911975615.603117200739&scope=commands,chat:write:bot,bot
  2. Select the workspace where you want to install the TruSTAR app and click Authorize. You may be asked to sign in to your Slack workspace before continuing with the App installation.
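Before authorizing, confirm that the link you paste is really the documented one: an OAuth install URL on a lookalike host, with a different client_id, or requesting broader scopes would grant a different app access to the workspace, and the authorization screen will happily show you whatever that app asks for. The following is an added example (not TruSTAR's or Slack's own code) that checks a candidate link against the host, path, client_id and scope list documented above; the "tampered" URL in it is constructed for illustration and does not appear in the documentation.

```python
from urllib.parse import urlparse, parse_qs

# Install link copied from the documentation above. The host's capitalisation
# is preserved; hostnames are case-insensitive and urlparse() lowercases them.
DOCUMENTED_INSTALL_URL = (
    "https://Slack.com/oauth/authorize"
    "?client_id=3911975615.603117200739&scope=commands,chat:write:bot,bot"
)

EXPECTED_HOST = "slack.com"
EXPECTED_PATH = "/oauth/authorize"
EXPECTED_CLIENT_ID = "3911975615.603117200739"
EXPECTED_SCOPES = frozenset({"commands", "chat:write:bot", "bot"})


def check_install_url(url, expected_client_id=EXPECTED_CLIENT_ID,
                      expected_scopes=EXPECTED_SCOPES):
    """Compare an install link against the documented one.

    Returns a list of human-readable problems; an empty list means the link
    is an https slack.com OAuth URL for the documented client_id that asks
    for exactly the documented scopes.
    """
    problems = []
    parts = urlparse(url)

    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, expected 'https'")
    # .hostname strips userinfo and port and lowercases, so tricks such as
    # 'https://slack.com@evil.example/' or 'slack.com.evil.example' fail here.
    if parts.hostname != EXPECTED_HOST:
        problems.append(f"host is {parts.hostname!r}, expected {EXPECTED_HOST!r}")
    if parts.path != EXPECTED_PATH:
        problems.append(f"path is {parts.path!r}, expected {EXPECTED_PATH!r}")

    query = parse_qs(parts.query, keep_blank_values=True)

    # Exactly one client_id, and it must be the documented one.
    client_ids = query.get("client_id", [])
    if client_ids != [expected_client_id]:
        problems.append(f"client_id is {client_ids}, expected [{expected_client_id!r}]")

    # Slack passes scopes as one comma-separated value; tolerate repeats.
    requested = set()
    for value in query.get("scope", []):
        requested.update(s.strip() for s in value.split(",") if s.strip())
    extra = requested - set(expected_scopes)
    missing = set(expected_scopes) - requested
    if extra:
        problems.append(f"unexpected scopes requested: {sorted(extra)}")
    if missing:
        problems.append(f"documented scopes not requested: {sorted(missing)}")

    return problems


if __name__ == "__main__":
    # Constructed lookalike (hypothetical host and client_id): same path,
    # different client, two extra scopes that would read user and channel data.
    tampered = ("https://slack.com.evil.example/oauth/authorize"
                "?client_id=1111111111.222222222222"
                "&scope=commands,chat:write:bot,bot,users:read,channels:history")
    for label, candidate in (("documented", DOCUMENTED_INSTALL_URL),
                             ("tampered", tampered)):
        result = check_install_url(candidate)
        print(label, "OK" if not result else result)
```

Run it with a link from an e-mail or chat message substituted for the tampered value; anything other than an empty list is a reason to stop and install from the TruSTAR Marketplace instead. Note that `bot` and `chat:write:bot` are classic-app (legacy) Slack scopes, which is why the link uses the `/oauth/authorize` endpoint rather than the newer `/oauth/v2/authorize` one.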

Configuring the App

Each user who has access to the Slack workspace must complete a one-time setup to start using the TruSTAR App for Slack.

  1. Run the command /trustar-register in Slack.
  2. Enter your TruSTAR API key and API secret key. Click the API Key or API Secret Key hyperlinks to jump to the TruSTAR Web App page where you can retrieve your API credentials. Enter the credentials only in response to the /trustar-register command; do not paste them as a regular channel message, where they would remain in the channel history.
If several users share one set of TruSTAR API credentials, all of their requests count against the same per-minute rate limit, which can degrade the Slack app experience for everyone using that key. TruSTAR recommends that each user have their own set of API credentials from TruSTAR.

Slack Channel Restrictions

The TruSTAR App uses a Slackbot to retrieve intelligence enrichment in response to user actions. Slack Channels that do not allow the use of Slackbots cannot be used with this App.

The TruSTAR Slackbot can be used in any of the following channels:

  • Any public channel
  • Any channel that @TruSTAR has been invited to
  • The Slackbot channel

The integration does not work in channels that the TruSTAR bot does not have permission to write into, and the TruSTAR App cannot return an error message if you issue a command in such a channel: the command simply produces no response.

Using the App

After installing the TruSTAR App for Slack, you can type TruSTAR commands into the Slack conversation to search within TruSTAR enclaves or submit information to TruSTAR.

Listing Commands

You can preview TruSTAR app commands by typing /trustar to display a list of commands with brief explanations.

Searching for Indicators

Use the command /trustar-search <search-term> to search TruSTAR enclaves for indicators correlated with that search term. For example, to search for "wannacry", you would use this command: /trustar-search wannacry

The TruSTAR App will display a Slackbot message in the conversation with enrichment from TruSTAR on that search term.

Submitting Reports to TruSTAR

Use the command /trustar-submit-report to bring up a dialog for submitting a Report to TruSTAR. When you submit the Report, TruSTAR automatically extracts all Observables and enriches them. Additional context from the Report is displayed in the context panel.

  1. Issue the Submit Report command to open a new dialog box.
  2. Select which TruSTAR Enclave to submit the report to.
  3. Add any tags if needed and submit.

The TruSTAR App displays a Slackbot message when the report has been successfully submitted to TruSTAR.

Submitting Observables to TruSTAR

Use the command /trustar-submit-indicators to display a dialog where you can submit Observables to TruSTAR for processing.

  1. Issue the Submit Indicators command to open a new dialog box.
  2. Fill out the IOC list. For example, you can copy items from a Slack conversation.
  3. Select the TruSTAR Enclave where you want to submit the list.
  4. Add tags to the submission list. TruSTAR recommends adding tags that indicate the source of the Indicators, such as the Slack conversation or other identifying details.
  5. Click Submit.

You will receive a Slackbot message when the list of Indicators has been submitted to TruSTAR, and a second Slackbot message when the list has been processed by TruSTAR.

FAQ

Q: What data does the TruSTAR App need access to?

A: The TruSTAR App installs a bot user that appears in, and has access to, your workspace's directory. It can also post messages and view activity on messages in any channel it is invited to. These permissions correspond to the scopes requested in the install URL above (commands, chat:write:bot, bot).

Q: Is an enterprise Slack license necessary to use this add-on?

A: No

Please reach out to support@trustar.co if you have issues or questions.
