Intelligence Sources FAQ

Updated 8 months ago by Elvis Hovor

Q. What are the limitations for an intel source that does not have a parser?

A. Observables provided by the intelligence source will be extracted and available to the user in the TruSTAR app and integration(s). Without the parser in place, the observables will not be mapped to specific fields nor provide risk or confidence scores.

Q, How do I request an intel source not available in the TruSTAR Marketplace?

Work with your TruSTAR Account Manager to establish a shared understanding of the use-case for the source. For example, Is this information that you are interested in for the detection mission in the SIEM or for enrichment mission in triage / incident response? Or both? 

Q. How does TruSTAR prioritize requests for new intelligence sources?

Many customers have submitted sources that TruSTAR is working to process. As part of the Customer Success process, TruSTAR Product Management manages the roadmap of customer requests. They work with internal TruSTAR teams to execute the roadmap and report out progress in monthly check-ins and quarterly executive business reviews.

Q. How fast can a new intelligence source be added to TruSTAR?

How quickly new data sources are added depends on three factors:

  • Existing Backlog of Sources: TruSTAR's roadmap is reviewed every quarter based on requests and then shared with our customer base.
  • REST API / Python SDK: Typically, there are some unique sources that customers want to leverage. As a result, we work with them to identify the most appropriate way to integrate those sources, while balancing speed and cost. Some customers want to build these themselves; some want TruSTAR to do it. If the customer wants TruSTAR to do it, we can pursue the following:
    • Enumerate specific sources/integrations and their prices/delivery deadlines in the contract,
    • Create an integrations line-item in the contract and integrations will be scoped and developed via email approval between TruSTAR and BV POC-- TruSTAR will report on the utilization as part of the quarterly business reviews, or
    • Approach each-integration ad-hoc with a separate statement of work and signature process
  • Enclave Email Inbox: If a customer has new data sources, but is unable or uninterested in earmarking resources for integration, we typically look to the Enclave Email Inbox feature. Using this feature to ingest and parse data is one of the most popular ways to get data into the platform without expending engineering resources.

How Did We Do?