Intel Sources FAQ

Updated 1 week ago by Elvis Hovor

Q. What are the limitations for an intel source that does not have a parser?

A. Observables provided by the source will still be extracted and made available to the user in the TruSTAR app and integration(s). Without a parser in place, however, the observables will not be mapped to specific fields and will not carry risk or confidence scores.

Q. How do I request an intel source not available in the TruSTAR Marketplace?

1) Work with your TruSTAR Account Manager to establish a shared understanding of the use case for the source. For example, is this information you are interested in for the detection mission in the SIEM, for the enrichment mission in triage / incident response, or for both?

2) Prioritizing and Refining - Many customers have submitted sources that TruSTAR is working to process. As part of the Customer Success process, TruSTAR Product Management maintains a shared roadmap of customer requests, works with the internal team to execute on the implementation, and reports progress in monthly check-ins and quarterly executive business reviews.

3) Acceleration - How quickly new data sources are added depends on three factors:

  • Existing Backlog of Sources - we maintain a backlog of integrations by popularity with our sharing communities and customer base. Next up for us in Q1 are integrations with Slack, D3, and an expansion of our RiskIQ integration. These will be available for all customers of TruSTAR. We re-prioritize this roadmap every quarter based on requests and share it with our customer base.
  • REST API / Python SDK - Typically, there are some unique sources that customers want to leverage. As a result, we work with our customers to identify the most appropriate way to advance their specific needs, while balancing speed and cost. Some customers want to build these themselves. Some want TruSTAR to do it for them. If the customer wants TruSTAR to do it, we can pursue the following:
    • Enumerate specific sources/integrations and their prices/delivery deadlines in the contract,
    • Create an integrations line item in the contract; integrations will then be scoped and developed via email approval between TruSTAR and the BV POC, and TruSTAR will report on the utilization as part of the quarterly business reviews, or
    • Approach each integration ad hoc with a separate statement of work and signature process
  • Enclave-Inbox - If a customer has new data sources, but is unable or uninterested in earmarking resources for integration, we typically look to maximize our email-ingest vector. Ingesting and parsing data through email-ingest is one of the most popular ways to get data into the platform without expending engineering resources.