Report Correlation Email

Updated 4 months ago by Sachit Soni

This script provides a daily summary of correlated intelligence between your private Enclaves and other Enclaves you are subscribed to through the TruSTAR Marketplace.

This feature can assist in your monitoring and investigations by providing clear and concise matches between your own Intel Reports and outside intelligence from third-party providers, such as ISACs or Premium Intel sources like CrowdStrike. Think of this script as an automated assist to ensure you never miss important correlations between what you're seeing and what other intelligence sources are spotting in the wild.

You can also use this script to validate the relevancy of your Premium Intel sources. If one Premium Intel source appears every day in the email, that shows the source is providing high value for your investigations. On the other hand, if a source rarely appears in the daily summary, there is no strong relationship between the data it provides and the type of cybersecurity investigations you are conducting, and you may want to change to a different source.

Format

The email consists of three sections:

Source Enclaves: your private Enclaves, such as SIEM and case-management Enclaves

  • [Source Enclave1 name]
  • [Source Enclave2 name]
  • + more

Correlation Enclaves: some or all of the Premium Intel and other Enclaves you subscribe to through the TruSTAR Marketplace

  • [Correlated Enclave1 name]
  • [Correlated Enclave2 name]
  • + more

Reports in source Enclaves that have correlations in correlation Enclaves:

[Source Enclave1]:

  • [Date] [Timestamp] - [Report title1 - with embedded link to report]
  • [Date] [Timestamp] - [Report title2 - with embedded link to report]

[Source Enclave2]:

  • [Date] [Timestamp] - [Report title3 - with embedded link to report]
  • [Date] [Timestamp] - [Report title4 - with embedded link to report]

The Enclave sets are sorted by type, such as case-management, phishing, premium intel, and/or sharing group enclaves, for easier readability.

Example Email Summary

Figure-1: Example correlation email summary

Activating the Script

Contact your TruSTAR account manager and provide the following information:

  • List of Source Enclave IDs to use.
  • List of Correlation Enclave IDs to use. This can be some or all of your third-party Enclaves.
  • Recipient Email Addresses: the list of people who will receive this daily email.

After you have provided the information, your account manager will configure the script and then email you with confirmation that the script has been enabled.

How It Works

  1. Searches the Source Enclaves for all Intel Reports submitted or updated in the last five days.
  2. Checks all Intel Reports in the Source Enclaves for matches in any of the Correlation Enclaves.
  3. If an Intel Report has a correlation in any, some, or all of the Correlation Enclaves, it is added to the list.
  4. When all Intel Reports in the Source Enclaves have been checked, the script sends you an email with the completed list.
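The four steps above, as an added example that is not TruSTAR's own script: it works on a constructed in-memory set of reports (a hypothetical data model, not the TruSTAR API), applies the five-day window to Source Enclave reports only, matches on shared indicators, and lays the result out in the three email sections described under Format.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data (hypothetical model; real reports come from the TruSTAR platform).
SOURCE_ENCLAVES = {"siem-enclave": "SIEM", "case-enclave": "Case Management"}
CORRELATION_ENCLAVES = {"isac-enclave": "ISAC Feed", "premium-enclave": "Premium Intel"}
NOW = datetime(2021, 6, 10, 12, 0, tzinfo=timezone.utc)
REPORTS = [  # enclave id, title, last update, indicators contained in the report
    {"enclave": "siem-enclave", "title": "Suspicious login", "updated": NOW - timedelta(days=1),
     "indicators": {"198.51.100.7", "evil.example"}},
    {"enclave": "siem-enclave", "title": "Stale alert", "updated": NOW - timedelta(days=9),
     "indicators": {"198.51.100.7"}},          # older than five days: must be skipped
    {"enclave": "case-enclave", "title": "Phish case 42", "updated": NOW - timedelta(days=2),
     "indicators": {"phish.example"}},
    {"enclave": "case-enclave", "title": "No overlap case", "updated": NOW - timedelta(days=3),
     "indicators": {"benign.example"}},        # no correlation: must not appear
    {"enclave": "isac-enclave", "title": "ISAC bulletin", "updated": NOW - timedelta(days=30),
     "indicators": {"198.51.100.7"}},
    {"enclave": "premium-enclave", "title": "Phishing kit report", "updated": NOW - timedelta(days=4),
     "indicators": {"phish.example", "other.example"}},
]


def find_correlations(reports, source_ids, correlation_ids, now, window_days=5):
    """Steps 1-3: recent Source Enclave reports whose indicators also appear in a Correlation Enclave."""
    cutoff = now - timedelta(days=window_days)
    index = defaultdict(set)  # indicator -> set of Correlation Enclave ids that contain it
    for r in reports:
        if r["enclave"] in correlation_ids:
            for ioc in r["indicators"]:
                index[ioc].add(r["enclave"])
    matches = defaultdict(list)  # Source Enclave id -> [(updated, title, correlated enclave ids)]
    for r in reports:
        if r["enclave"] not in source_ids or r["updated"] < cutoff:
            continue
        hits = set().union(*(index.get(ioc, set()) for ioc in r["indicators"]))
        if hits:
            matches[r["enclave"]].append((r["updated"], r["title"], sorted(hits)))
    return matches


def render_email(matches, source_names, correlation_names):
    """Step 4: build the three-section summary body, grouped by Source Enclave."""
    lines = ["Source Enclaves:"] + [f"  - {source_names[e]}" for e in sorted(matches)]
    used = sorted({c for rows in matches.values() for _, _, hits in rows for c in hits})
    lines += ["", "Correlation Enclaves:"] + [f"  - {correlation_names[c]}" for c in used]
    lines += ["", "Reports with correlations:"]
    for enclave in sorted(matches):
        lines += ["", f"{source_names[enclave]}:"]
        for updated, title, hits in sorted(matches[enclave]):
            lines.append(f"  - {updated:%Y-%m-%d %H:%M} - {title} ({', '.join(hits)})")
    return "\n".join(lines)
```

Sending the resulting body is left to your mail transport; the point here is the windowing, matching and grouping logic.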

FAQ

Q. What email address sends out the Report Correlation Email?

A. The email address support@notifications.trustar.co is used to send this email.

Q. I am not receiving the email even though I requested it.

A. Your account manager will send a confirmation email when they have set up this feature for you. If you still don't see the daily email after that, check your spam folders for support@notifications.trustar.co.

For any issues or questions about this script, please contact support@notifications.trustar.co.
