Report Searches in Demisto
The TruSTAR Workflow App for Demisto offers these actions you can use when searching for reports.
- Get Report Details, using either a TruSTAR Report ID or an external tracking ID.
- Search by Indicators
- Search using filters
- Search using search terms
Get Report Details
In the TruSTAR App for Demisto, this command finds a single Intel Report by its internal TruSTAR Report ID or by an external tracking ID, such as a JIRA issue number.
Format
trustar-report-details
Example
!trustar-report-details report_id=3ad95dfb-72a1-42fc-9780-xxxxxxxx
Inputs
Argument | Description | Required |
--- | --- | --- |
report_id | Finds a report by its internal TruSTAR ID or its external tracking ID. | Yes |
id_type | Whether report_id is an internal TruSTAR Report ID or an external tracking ID. | No |
Outputs
Path | Type | Description |
--- | --- | --- |
TruSTAR.Report.title | string | Title of the report |
TruSTAR.Report.reportBody | string | Body of the report |
TruSTAR.Report.id | string | ID of the report |
Search by Indicators
This command returns a list of all Intel Reports that contain any of the specified Indicators.
Format
trustar-correlated-reports
Example
!trustar-correlated-reports indicators=WANNACRY,COVID-19
Inputs
Argument | Description | Required |
--- | --- | --- |
indicators | Comma-separated Indicators. These can be any of the Indicator types supported by TruSTAR. | Yes |
distribution_type | Distribution type of the report. Legal values are COMMUNITY or ENCLAVE (the default). | No |
enclave_ids | Comma-separated list of Enclave IDs to search. Even if distribution_type is COMMUNITY, these enclaves are still searched as well. If no argument is specified, the default is to search all enclaves to which you have Read access in TruSTAR; pass enclave_ids explicitly when results must stay within specific enclaves. | No |
limit | Maximum number of results to return. The largest value accepted is 1000. Default is 25. | No |
Output
The list of correlated Intel Reports.
Search Using Filters
In the TruSTAR App for Demisto, this command returns Intel Reports matching the specified filters. All parameters are optional.
Format
trustar-get-reports
Example
!trustar-get-reports distribution_type=ENCLAVE enclave_ids=xxxxxxx.yyyyyyyyy.zzzzzz from_time="1 day ago"
Inputs
Argument | Description | Required |
--- | --- | --- |
from_time | Start of time window. Legal formats are … (the example above passes the relative form "1 day ago"). Default is the last 24 hours. | No |
to_time | End of time window. Legal formats are … Default is the current time. | No |
distribution_type | Distribution type of the report. Legal values are COMMUNITY or ENCLAVE (the default). | No |
enclave_ids | Comma-separated list of Enclave IDs to search. Even if distribution_type is COMMUNITY, these enclaves are still searched as well. If no argument is specified, the default is to search all enclaves to which you have Read access in TruSTAR; pass enclave_ids explicitly when results must stay within specific enclaves. | No |
tags | Comma-separated list of tags to use when searching for Intel Reports; only Intel Reports containing ALL of these tags are returned. | No |
excluded_tags | Comma-separated list of tags; Intel Reports containing ANY of these tags are excluded from the results. A tag listed in both tags and excluded_tags can never match. | No |
Outputs
If no arguments are specified, the most recent 25 Intel Reports will be returned. This matches the view you would see in the TruSTAR Web App.
Path | Type | Description |
--- | --- | --- |
TruSTAR.Report.title | string | Title of the report |
TruSTAR.Report.reportBody | string | Body of the report |
TruSTAR.Report.id | string | ID of the report |
Search Using Search Terms
This command searches for all Intel Reports that contain the given search term.
Format
trustar-search-reports
Example
!trustar-search-reports search_term=8.8.8.1
Inputs
Argument | Description | Required |
--- | --- | --- |
search_term | The term to search for (e.g. WANNACRY). If empty, no search term is applied; otherwise it must be at least 3 characters. | No |
enclave_ids | Comma-separated list of Enclave IDs to search. If no argument is specified, the default is to search all enclaves to which you have Read access in TruSTAR. | No |
Outputs
Path | Type | Description |
--- | --- | --- |
TruSTAR.Report.title | string | Title of the report |
TruSTAR.Report.id | string | ID of the report |
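The four commands above share a small set of argument rules (comma-separated lists, a limit ceiling of 1000, a 3-character minimum for search_term, exactly two legal distribution_type values, and ALL/ANY semantics for tags and excluded_tags). The following Python module is an added example, not code from the TruSTAR app or from Demisto: it builds the war-room command strings shown in the examples on this page and rejects calls that violate those rules before anything is sent. Argument names are the ones documented above; the check that refuses a tag listed in both tags and excluded_tags is an inference from the documented ALL/ANY semantics, not a rule the app states.

```python
"""Build and sanity-check TruSTAR report-search commands for the Demisto war room.

Added example, not code from the TruSTAR app or from Demisto. Argument names and
constraints are taken from the command tables on this page.
"""
from __future__ import annotations

from typing import Dict, Iterable, Mapping, Optional

DISTRIBUTION_TYPES = {"COMMUNITY", "ENCLAVE"}  # the two legal distribution_type values
MAX_LIMIT = 1000                               # largest limit the app accepts
MIN_SEARCH_TERM_LEN = 3                        # minimum length of a non-empty search_term


def _csv(values: Iterable[str], name: str) -> str:
    """Join values into the comma-separated form the commands expect."""
    items = [v.strip() for v in values if v and v.strip()]
    if not items:
        raise ValueError(f"{name} needs at least one value")
    bad = [v for v in items if "," in v]
    if bad:
        raise ValueError(f"{name} value {bad[0]!r} contains a comma and would be split")
    return ",".join(items)


def _distribution(value: str) -> str:
    """Normalise distribution_type and reject anything but COMMUNITY or ENCLAVE."""
    upper = value.strip().upper()
    if upper not in DISTRIBUTION_TYPES:
        raise ValueError(f"distribution_type must be one of {sorted(DISTRIBUTION_TYPES)}, got {value!r}")
    return upper


def _render(command: str, args: Mapping[str, str]) -> str:
    """Render `!command key=value ...`; values containing whitespace are
    double-quoted, as in the page's own example from_time="1 day ago"."""
    parts = [f"!{command}"]
    for key, value in args.items():
        if value == "" or any(c.isspace() for c in value):
            value = '"' + value.replace('"', '\\"') + '"'
        parts.append(f"{key}={value}")
    return " ".join(parts)


def report_details(report_id: str, id_type: Optional[str] = None) -> str:
    """trustar-report-details: report_id is the only required argument."""
    report_id = report_id.strip()
    if not report_id:
        raise ValueError("report_id is required")
    args = {"report_id": report_id}
    if id_type:
        args["id_type"] = id_type.strip()
    return _render("trustar-report-details", args)


def correlated_reports(indicators: Iterable[str], distribution_type: Optional[str] = None,
                       enclave_ids: Optional[Iterable[str]] = None, limit: Optional[int] = None) -> str:
    """trustar-correlated-reports: indicators required; limit must be 1..1000."""
    args = {"indicators": _csv(indicators, "indicators")}
    if distribution_type is not None:
        args["distribution_type"] = _distribution(distribution_type)
    if enclave_ids is not None:
        args["enclave_ids"] = _csv(enclave_ids, "enclave_ids")
    if limit is not None:
        if not 1 <= int(limit) <= MAX_LIMIT:
            raise ValueError(f"limit must be between 1 and {MAX_LIMIT}, got {limit}")
        args["limit"] = str(int(limit))
    return _render("trustar-correlated-reports", args)


def get_reports(from_time: Optional[str] = None, to_time: Optional[str] = None,
                distribution_type: Optional[str] = None, enclave_ids: Optional[Iterable[str]] = None,
                tags: Optional[Iterable[str]] = None, excluded_tags: Optional[Iterable[str]] = None) -> str:
    """trustar-get-reports: every argument optional; no arguments means the most recent 25 reports."""
    args: Dict[str, str] = {}
    if distribution_type is not None:
        args["distribution_type"] = _distribution(distribution_type)
    if enclave_ids is not None:
        args["enclave_ids"] = _csv(enclave_ids, "enclave_ids")
    if from_time:
        args["from_time"] = from_time
    if to_time:
        args["to_time"] = to_time
    required = {t.strip() for t in (tags or []) if t.strip()}
    excluded = {t.strip() for t in (excluded_tags or []) if t.strip()}
    overlap = required & excluded
    if overlap:
        # tags must ALL be present and excluded_tags drops a report on ANY match,
        # so an overlapping tag guarantees an empty result; refuse rather than run it.
        raise ValueError(f"tag(s) both required and excluded: {sorted(overlap)}")
    if required:
        args["tags"] = _csv(sorted(required), "tags")
    if excluded:
        args["excluded_tags"] = _csv(sorted(excluded), "excluded_tags")
    return _render("trustar-get-reports", args)


def search_reports(search_term: Optional[str] = None, enclave_ids: Optional[Iterable[str]] = None) -> str:
    """trustar-search-reports: a non-empty search_term must be at least 3 characters."""
    args: Dict[str, str] = {}
    if search_term:
        if len(search_term) < MIN_SEARCH_TERM_LEN:
            raise ValueError(f"search_term must be at least {MIN_SEARCH_TERM_LEN} characters, got {search_term!r}")
        args["search_term"] = search_term
    if enclave_ids is not None:
        args["enclave_ids"] = _csv(enclave_ids, "enclave_ids")
    return _render("trustar-search-reports", args)


if __name__ == "__main__":
    # Reproduces the four example invocations from this page.
    print(report_details("3ad95dfb-72a1-42fc-9780-xxxxxxxx"))
    print(correlated_reports(["WANNACRY", "COVID-19"]))
    print(get_reports(distribution_type="ENCLAVE", enclave_ids=["xxxxxxx.yyyyyyyyy.zzzzzz"], from_time="1 day ago"))
    print(search_reports("8.8.8.1"))
```

The builders raise ValueError for the cases the app would otherwise reject or silently return nothing for, so a playbook can fail fast with a readable message instead of spending an API call on a query that cannot succeed.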