- Privacy & Visibility:
Many security analysts leverage collaborative tools such as Slack in incident triage and investigations for a more real-time exchange of information. In addition to using Slack among enterprise security teams, sharing communities like ISACs/ISAOs leverage Slack to encourage collaboration among industry peers.
Our new Slack app helps analysts tap into their intelligence sources inside of TruSTAR to enrich investigation workflows taking place in Slack conversations.
- Manage Threat Intelligence: Vet and validate intelligence on external websites. Collaborate via chat and tap into multiple intelligence sources like SIEM, Case Management, and Orchestration tools all in a few clicks.
- Enrich Investigations: Quickly identify and flag high priority indicators based on intelligence from your integration sources by running indicator searches from your browser using the TruSTAR Slack app.
TruSTAR Slack App Features:
Submit Reports: Submit intelligence from a Slack channel conversations that you’re having with other analysts so that intelligence and context can be enriched with other data sources available across the TruSTAR platform. This interaction will only be visible to you.
Submit IOCs: Submit IOCs from a Slack channel conversations that you’re having with other analysts so that indicators can be enriched with data sources available across the TruSTAR platform. This interaction will only be visible to you.
Search: Search an IOC of interest from a Slack channel so that you can quickly assess if additional enrichment is available and pivot to the TruSTAR platform for additional research. This interaction will only be visible to you.
Privacy & Visibility:
When you submit Reports and IOCs via the TruSTAR Slack app, enrichment data will only be shown to you.
Slack App Installation
Installing Through TruSTAR Marketplace
- Select the "Set Up" button to install the the TruSTAR Slack app.
- You will be asked to sign in to your workspace.
- Select the workspace and click “Authorize”.
- If a non-admin tries to install the app to a workspace, the Slack admins for that user's workspace will receive emails prompting them to approve the installation, and one of them will need to approve before the app can be installed.
- Open your web browser.
- Paste the above URL into your address bar and hit enter.
- Select the workspace you will like to install the app and select “Authorize.”
- You may be asked to sign in to your workspace
- Select the workspace click “Authorize”.
Individual User Configuration
Each individual user who has access to the workspace must complete a one-time setup in order to start using the TruSTAR Slack integration.
- To set the integration up each user needs to run the command `/trustar-register`
- This will prompt them to enter their TruSTAR API key and API secret keys.
- Clicking on the API Key or API Secret Key hyperlinks will lead you to the TruSTAR Station page to retrieve your API credentials.
- For instructions on how to find your TruSTAR API key, click here.
Best Practices: Sharing TruSTAR credentials in Slack will count toward per-minute rate limits and might affect your user experience with the Slack app. It is advisable for each individual to use their own set of API credentials for registration.
Any attempt any of the commands listed below in the next section without completing the registration set-up you will result in an Error.
This integration uses a TruSTAR Slackbot to retrieve intelligence enrichment in response to user actions. Slack Channels that do not allow the use of Slackbots cannot be used with this integration.
TruSTAR Slackbot can be used in any of the following channels:
- Any public channel
- Any channel that @TruSTAR has been invited to
- The Slackbot channel
Users cannot use this integration in channels that the TruSTAR bot doesn’t have permission to write into.
Using the TruSTAR Slack App
- After installing the Slack app users can preview TruSTAR app commands by typing in "/trustar." Commands and brief explanations will pop up.
Search with TruSTAR
/trustar-search <search-term> - Search for an indicator
- Add search term after the /trustar-search command and hit enter (/trustar-search wannacry).
- You will receive a Slackbot message with enrichment from TruSTAR on that indicator.
Submit Report to TruSTAR
/trustar-submit-report - Brings up a dialog to submit a report. When you submit intelligence reports to TruSTAR, the platform automatically extracts all IOCs and normalizes them. Additional context from the report is captured in the context panel.
- Fill out a report details.
- Select which TruSTAR Enclave to submit the report to.
- Add any tags if needed and submit.
- You will receive a Slackbot message when the report is successfully submitted to TruSTAR
Submit IOCs to TruSTAR
/trustar-submit-indicators - Brings up a dialog to submit IOCs. IOC submission is best for when you are dealing with pure indicators vs. intelligence reports with additional context and analysis.
- Fill out IOC list
- 2. Copy and paste the IOC list to be submitted through TruSTAR's IOC management feature.
- Select an Enclave to submit the IOC list.
- Add tags and submit. We strongly recommend adding tags when doing IOC submissions.
- You will receive a Slackbot message when the list of IOC's is successfully submitted to TruSTAR.
- You will receive an email when the IOC list has been extracted and normalized and submission is complete.
Currently there is no way to let return an error message to a user if they post into a channel that the Slackbot cannot respond to. Currently nothing is returned and users may assume the integration is working as expected.
Troubleshooting & FAQ's
Q: What data will the Slack app need access to in order to work?
A: TruSTAR will be able to install a bot user that appears in and has access to your workspace’s directory. It can also post messages and view activity on messages in any channel it is invited to.
Q: Is an enterprise Slack license necessary to use this add-on?
Please reach out to firstname.lastname@example.org for any additional questions.