TruSTAR on Slack
- Installing the App
- Configuring the App
- Slack Channel Restrictions
- Using the App
This document explains how to use the TruSTAR Workflow App for Slack to tap into intelligence sources within TruSTAR and enrich investigation workflows taking place in Slack conversations.
Many security analysts leverage collaborative tools such as Slack in incident triage and investigations for real-time exchange of information. In addition to enterprise security teams, sharing communities like ISACs/ISAOs leverage Slack to encourage collaboration among industry peers.
You can use the TruSTAR App for Slack to:
- Manage threat intelligence by vetting and validating intelligence from external websites. You can tap into multiple intelligence sources like SIEM, Case Management, and Orchestration tools.
- Enrich investigations by quickly identifying and flagging high-priority Indicators. Run searches in TruSTAR directly from your browser, then use the TruSTAR Web App for additional investigation.
- Submit Intelligence Reports and Observables to TruSTAR from within Slack conversations to enrich them with TruSTAR data sources.
Installing the App
You can install the TruSTAR App either from the TruSTAR Marketplace or manually through your web browser.
Installing from Marketplace
- Log in to the TruSTAR Web App.
- Navigate to the TruSTAR Marketplace.
- Search for Slack.
- Select the Set Up button to install the TruSTAR Slack app.
- Select the Slack workspace where you want to install the TruSTAR App and click Authorize. You may be asked to sign in to the workspace before continuing with the App installation.
Installing From a Browser
- Copy and paste this URL into the address bar of your browser and press the Enter key:
- Select the workspace where you want to install the TruSTAR app and click Authorize. You may be asked to sign in to your Slack workspace before continuing with the App installation.
Configuring the App
Each user who has access to the Slack workspace must complete a one-time setup to start using the TruSTAR App for Slack.
- Run the command /trustar-register in Slack.
- Enter your TruSTAR API key and API secret key. Click the API Key or API Secret Key hyperlinks to jump to the TruSTAR Web page section where you can retrieve your API credentials.
Slack Channel Restrictions
The TruSTAR App uses a Slackbot to retrieve intelligence enrichment in response to user actions. Slack Channels that do not allow the use of Slackbots cannot be used with this App.
The TruSTAR Slackbot can be used in any of the following channels:
- Any public channel
- Any channel that @TruSTAR has been invited to
- The Slackbot channel
Users cannot use this integration in channels that the TruSTAR bot doesn’t have permission to write into.
Using the App
After installing the TruSTAR App for Slack, you can type TruSTAR commands into the Slack conversation to search within TruSTAR enclaves or submit information to TruSTAR.
You can preview TruSTAR app commands by typing /trustar to display a list of commands with brief explanations.
Searching for Indicators
Use the command /trustar-search <search-term> to search TruSTAR enclaves for indicators correlated with that search term. For example, to search for "wannacry", you would use this command: /trustar-search wannacry
The TruSTAR App will display a Slackbot message in the conversation with enrichment from TruSTAR on that search term.
Submitting Reports to TruSTAR
Use the command /trustar-submit-report to bring up a dialog for submitting a Report to TruSTAR. When you submit the Report, TruSTAR automatically extracts all Observables and enriches them. Additional context from the Report is displayed in the context panel.
- Issue the Submit Report command to open a new dialog box.
- Select which TruSTAR Enclave to submit the report to.
- Add any tags if needed and submit.
The TruSTAR App displays a Slackbot message when the report has been successfully submitted to TruSTAR.
Submitting Observables to TruSTAR
Use the command /trustar-submit-indicators to display a dialog where you can submit Observables to TruSTAR for processing.
- Issue the Submit Indicators command to open a new dialog box.
- Fill out the IOC list. For example, you can copy items from a Slack conversation.
- Select the TruSTAR Enclave where you want to submit the list.
- Add tags to the submission list. TruSTAR recommends adding tags that indicate the source of the Indicators, such as the Slack conversation or other identifying details.
- Click Submit.
You will receive a Slackbot message when the list of Indicators has been submitted to TruSTAR. You will receive another email when the list has been processed by TruSTAR.
Q: What data does the TruSTAR App need access to?
A: The TruSTAR App installs a bot user that appears in and has access to your workspace’s directory. It can also post messages and view activity on messages in any channel it is invited to.
Q: Is an enterprise Slack license necessary to use this add-on?
Please reach out to email@example.com if you have issues or questions.