Report Correlation Email

Updated 1 month ago by Sachit Soni

The Report Correlation Email provides a daily summary of correlated intelligence between your private enclaves and other enclaves you are subscribed to through the TruSTAR Marketplace.

This feature can assist in your monitoring and investigations by providing clear and concise matches between your own reports and outside intelligence from third-party providers, such as ISACs or Premium Intel sources like CrowdStrike. It's an automated assist to ensure you never miss important correlations between what you're seeing and what other intelligence sources are spotting in the wild.

You can also use the Report Correlation Email to validate the relevancy of your Premium Intel sources. If one Premium Intel source appears every day in the email, that source is providing high value for your investigations. On the other hand, if a source rarely appears in the daily summary, there is no strong relationship between the data it provides and the type of cybersecurity investigations you are conducting, and you may want to change to a different source.

Format

The email consists of three sections:

Source Enclaves: your private enclaves, such as SIEM and Case-management Enclaves

  • [Source Enclave1 name]
  • [Source Enclave2 name]
  • + more

Correlation Enclaves: some or all of the Premium Intel and other Enclaves you subscribe to through the TruSTAR Marketplace

  • [Correlated Enclave1 name]
  • [Correlated Enclave2 name]
  • + more

Reports in source enclaves that have correlations in correlation enclaves:

[Source Enclave1]:

  • [Date] [Timestamp] - [Report title1 - with embedded link to report]
  • [Date] [Timestamp] - [Report title2 - with embedded link to report]

[Source Enclave2]:

  • [Date] [Timestamp] - [Report title3 - with embedded link to report]
  • [Date] [Timestamp] - [Report title4 - with embedded link to report]

The enclave sets are sorted by type, such as case-management, phishing, premium intel, and/or sharing group enclaves, for easier readability.

Example Email Summary

Figure-1: Example correlation email summary

Activating the Report Correlation Email

Contact your TruSTAR account manager and provide the following information:

  • List of Source Enclave IDs to use.
  • List of Correlation Enclave IDs to use. This can be some or all of your third-party enclaves.
  • Recipient Email Addresses: the list of people who will receive this daily email.

After you have provided the information, your account manager will configure the feature and then email you with confirmation that the summary email has been enabled.

How It Works

  • Searches the source enclaves for all reports submitted or updated in the last five days. 
  • Checks all source reports for correlations in any of the correlation enclaves. 
  • If a source report has a correlation in any, some, or all of the correlation enclaves, it gets added to the list.
  • When all source reports have been checked for correlations, sends the user an email with the list. 
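
The selection steps above, modelled offline as an added example (not TruSTAR's code). The report dictionaries, enclave names, and the shared-indicator match rule are assumptions, and the sample data is constructed. It also counts matches per correlation enclave, which is the signal described earlier for judging how relevant a Premium Intel source is.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=5)  # look-back period stated on this page

def correlate(reports, source_enclaves, correlation_enclaves, now):
    """Return (summary, hits): correlated source reports grouped by enclave,
    and how many source reports each correlation enclave matched."""
    # Assumed match rule: two reports correlate when they share an indicator.
    seen_in = defaultdict(set)  # indicator -> correlation enclaves holding it
    for r in reports:
        if r["enclave"] in correlation_enclaves:
            for ioc in r["indicators"]:
                seen_in[ioc].add(r["enclave"])

    summary, hits = defaultdict(list), Counter()
    for r in reports:
        # Only source reports submitted or updated inside the window count.
        if r["enclave"] not in source_enclaves or now - r["updated"] > WINDOW:
            continue
        matched = set().union(*(seen_in.get(i, set()) for i in r["indicators"]))
        if matched:  # a match in any correlation enclave is enough
            summary[r["enclave"]].append((r["updated"], r["title"]))
            hits.update(matched)
    for rows in summary.values():
        rows.sort(reverse=True)  # newest first
    return dict(summary), hits

# Constructed sample data (not real reports or enclaves).
NOW = datetime(2024, 1, 10, 8, 0)
def rpt(enclave, title, updated, *indicators):
    return {"enclave": enclave, "title": title, "updated": updated,
            "indicators": set(indicators)}

REPORTS = [
    rpt("SIEM", "Alert 101", datetime(2024, 1, 9, 14, 0), "198.51.100.7", "bad.example"),
    rpt("SIEM", "Alert 090", datetime(2024, 1, 2, 9, 0), "198.51.100.7"),  # too old
    rpt("Case Management", "Case 7", datetime(2024, 1, 8, 11, 30), "203.0.113.9"),  # no match
    rpt("Premium Intel A", "Feed item", datetime(2023, 12, 1), "198.51.100.7"),
    rpt("ISAC", "Bulletin", datetime(2023, 11, 20), "bad.example"),
    rpt("Premium Intel B", "Feed item", datetime(2024, 1, 9), "192.0.2.55"),
]
SOURCES = {"SIEM", "Case Management"}
CORRELATION = {"Premium Intel A", "Premium Intel B", "ISAC"}

if __name__ == "__main__":
    summary, hits = correlate(REPORTS, SOURCES, CORRELATION, NOW)
    print(summary, {e: hits[e] for e in sorted(CORRELATION)})
```
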

FAQ

Q. What email address sends out the Report Correlation Email?

A. The email address support@notifications.trustar.co is used to send this email.

Q. I am not receiving the email even though I requested it.

A. Your account manager will send a confirmation email when they have set up this feature for you. If you still don't see the daily email after that, check your spam folders for support@notifications.trustar.co.

