Vetting and Tagging Indicators

Updated 5 months ago by TruSTAR

Use this script to isolate Indicators that meet specific criteria or are matched to a specific Intelligence Source. The script is run against a source Enclave and the isolated Indicators are copied to a destination Enclave.

The script provides flexibility in how to create business rules that best fit your organization's needs. It also allows you to add tags to each indicator, based on Threat Assessment, MITRE ATT&CK, confidence rating, motivation, threat type, and so on.

Activating This Script

Contact your TruSTAR account manager and provide the following information:

  • Source Enclave ID
  • Destination Enclave ID
  • Business Rules for Vetting & Tagging

After you have provided the information, your account manager will configure the feature and then email you with confirmation that the script has been enabled.

How It Works

  1. Searches the source Enclave for all Indicators added in the last 24 hours.
  2. Identifies the Indicators that match the conditions specified by the user. For example, Indicators with a score higher than x or from a specific intelligence source, such as y.
  3. Tags those Indicators according to the business rules you supplied.
  4. Copies those vetted Indicators to the destination Enclave.

Examples of Business Rules

Here are some sample business rules that show how you can leverage this script to filter Indicators:

  • If a file hash is found in VirusTotal, keep it; otherwise remove it.
  • If a URL or IP address with a certain risk score is found in DomainTools keep it; otherwise remove it.
  • If an Indicator is found in Digital Shadows, keep it; otherwise remove it.
  • If a URL or IP address with a certain risk score is found in IBM X-Force then keep it; otherwise remove it.

Any issues or questions about this script, please contact

How Did We Do?