Intelligence Sources FAQ

Updated 1 year ago by TruSTAR

Q. What are the limitations for an intelligence source that does not have a parser?

A. Observables provided by the intelligence source will be extracted and available to the user in the TruSTAR app and integration(s). Without the parser, these observables will not be mapped to specific fields and no scores will be provided.

Q, How do I request a new intelligence source?

You can work with your TruSTAR Account Manager to establish a shared understanding of the use case for the source. For example, Is this information that you are interested in for the detection mission in the SIEM or for enrichment mission in triage / incident response? Or both? 

Q. How does TruSTAR prioritize requests for intelligence sources?

As part of the Customer Success process, TruSTAR Product Management manages the roadmap of customer requests. They work with internal TruSTAR teams to execute the roadmap and report out progress in monthly check-ins and quarterly executive business reviews.

Q. How does frequently are query-based sources updated?

TruSTAR query based sources run every 15 minutes (4 times an hour).

Q. How fast can a new intelligence source be added to TruSTAR?

How quickly new data sources are added depends on three factors:

  • Existing Backlog of Sources: TruSTAR's roadmap is reviewed every quarter based on requests and then shared with our customer base.
  • REST API / Python SDK: Typically, there are some unique sources that customers want to leverage. As a result, we work with them to identify the most appropriate way to integrate those sources, while balancing speed and cost. Some customers want to build these themselves; some want TruSTAR to do it. If the customer wants TruSTAR to do it, we can pursue the following:
    • Enumerate specific sources/integrations and their prices/delivery deadlines in the contract,
    • Create an integrations line-item in the contract and integrations will be scoped and developed via email approval between TruSTAR and BV POC-- TruSTAR will report on the utilization as part of the quarterly business reviews, or
    • Approach each-integration ad-hoc with a separate statement of work and signature process
  • Enclave Inbox: If a customer has new data sources, but is unable or uninterested in earmarking resources for integration, we typically suggest using the Enclave Inbox feature. Using this feature to ingest and parse data is one of the most popular ways to get data into the TruSTAR platform without expending engineering resources.

Q. Can I archive a Premium Intelligence Source?

You can request that TruSTAR archive the data from a premium intelligence source where your subscription has expired. This option allows you to retain the data that was loaded into your enclaves during the time you had a valid subscription.

The following premium intelligence sources do not support archiving:
Intel 471 Adversary Intelligence
Intel 471 Alerts
Intel 471 Malware Intelligence

To request an archive enclave be created, follow this procedure:

  1. Navigate to the TruSTAR Customer Service Portal.
  2. On the request form, fill in these fields:
  • Contact Us About field: Choose General as the reason.
  • Summary field: <Company name> + Archive Premium Intel Source Request. For example, Acme Corp Archive Premium Intel Source Request.
  • Description field: List of the premium intel sources you wish to archive
  1. Click Send to submit the the request.

Please allow 7 business days for changes to go into affect following the request. Once archived, you can see the new Enclave listed under My Enclaves on the Filter and Refine panel in the TruSTAR Web App.

How Did We Do?