This document explains how to submit incident and alert information directly to your enclaves using email.

Use Cases

  1. You belong to a listserv where IOCs are exchanged regularly and are receiving valuable context, but there is no easy way to extract and operationalize this intelligence. 
  2. You have automated alerts set up on your SIEM or case management system and want to automatically submit the details of an alert or case as a report to your enclave.
  3. You can forward emails that you suspect to be phishing attempts and Station will store the email as a report in your enclave and identify any IOCs in that email.
  4. You can forward emails into your shared Enclave and use your redaction library to anonymize and redact any sensitive information.

How It Works

TruSTAR creates an email handle for a given company, e.g. for Acme Co it would be “acmeco@trustar.co”. Any emails sent to this email address are then added to that user’s Enclave with the subject line as the report title and the date and report content properly populated.

Setting Up the Enclave Email Inbox

Note: You must be a company admin to configure the Enclave Inbox.
  1. Log into your TruSTAR account
  2. Navigate to the bottom left of the navbar and select Settings
  3. Navigate to Enclave Inbox and select + to create a new email handle.
  4. Email Handles are now automatically generated.
    Desired Email Handle: The email handle you would like to receive. The email handle will be automatically generated.
    The email handle will always be @enclave.trustar.co
    Optional Email Subject Prefixes: This is text surrounded by square brackets [ ] that has to be present in the subject line for emails to be processed. You can have multiple prefixes. Each prefix has to be at least 3 characters long. Remember to press Enter to accept each email subject prefix after you enter it in the form.
    For example, if you choose [ACME] then all your emails need to have [ACME] as a prefix in the subject line for TruSTAR to process them.
    Accepted Sender Emails: Add all sender emails that can send emails to this enclave. Only emails sent from these senders will be accepted by the system. (Press Enter to add each sender email to the list of accepted emails.)
    You can use a wildcard in the accepted senders field to accept emails sent from a common domain. For example, '*@acme.com' will accept all senders whose address ends with the domain @acme.com.
  5. After the request is complete you will receive a notification. The enclave inbox can take up to 2 minutes to become operational. 
Emails are processed and submitted to the Enclave every minute.
As with all other submissions, IOCs are automatically extracted and correlated.

Updating the Enclave Email Inbox

You may want to add new sender emails or modify the accepted list of prefixes. You can modify existing enclave inbox configurations by going to Settings->Enclave Inbox.

  1. Select the inbox configuration you need to update
  2. Edit the fields needed:
    1. Be sure to hit "Enter" 
  3. Don't forget to save!

Delete Enclave Email Inbox

You can delete an existing Enclave Inbox configuration by going to Settings->Enclave Inbox. Select the email configuration you want to delete and select the "Delete Icon" option.

Sending Email Submissions

After your email inbox has been set up, you will be able to send emails to the @trustar.co email account for submissions.

The email has to be sent from one of the accepted emails provided during setup.

Subject Line

You have to use the prefix(es) you specified during setup in the subject line for this email to be processed.

The prefix must be contained within square brackets [ ]. If you use multiple prefixes, each one has to be in its own pair of square brackets [ ].

Text excluding the prefix will be used as the Report Title for the submission.

Enclave Tags in Subject Line

You can associate tags with your email submission using either of the following. The two options are equivalent in capability; both exist to support the preference of the submitter.

  1. Specify enclave tags in the subject line. The enclave tags have to be specified as a comma separated list within { } brackets for submission to be tagged.
  2. Specify enclave tags as the first line in the body of the email. The enclave tags have to be specified as a comma separated list within { } brackets for submission to be tagged.
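
The sender, prefix and tag rules above can be checked locally before an automated sender (for example a SIEM alert rule) mails the inbox. This is an added example, not TruSTAR code; the inbox values are placeholders, and it assumes that one configured prefix is sufficient, that sender matching is case-insensitive, and that the tag block is not part of the report title.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from fnmatch import fnmatchcase

# Constructed inbox configuration; every value is a placeholder.
INBOX = {"prefixes": ["[ACME]"],
         "accepted_senders": ["*@acme.com", "soc-alerts@example.org"]}
BRACED = re.compile(r"\{([^{}]*)\}")  # a {tag1, tag2} block


def split_tags(text):
    """Return the comma-separated tags from the first { } block in text."""
    m = BRACED.search(text)
    return [t.strip() for t in m.group(1).split(",") if t.strip()] if m else []


def preflight(msg, inbox):
    """Return (problems, report_title, tags) for a message about to be sent."""
    problems = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Assumption: wildcard entries match case-insensitively, '*' as any run.
    if not any(fnmatchcase(sender, p.lower()) for p in inbox["accepted_senders"]):
        problems.append(f"sender {sender!r} matches no accepted sender entry")
    subject = str(msg.get("Subject", ""))
    # Assumption: one configured prefix in the subject is enough.
    if inbox["prefixes"] and not any(p in subject for p in inbox["prefixes"]):
        problems.append("subject has none of the configured [prefixes]")

    # Tags: subject line first, otherwise the first line of the body.
    tags = split_tags(subject)
    if not tags:
        body = msg.get_body(preferencelist=("plain",))
        lines = body.get_content().splitlines() if body else []
        tags = split_tags(lines[0]) if lines else []

    # Title: subject minus configured prefixes and (assumed) the tag block.
    for p in inbox["prefixes"]:
        subject = subject.replace(p, " ")
    title = " ".join(BRACED.sub(" ", subject).split())
    return problems, title, tags


def build(sender, subject, body):
    """Build a plain-text message (constructed sample input)."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    msg.set_content(body)
    return msg
```

An empty problems list means the message meets the sender and prefix rules as read here; a non-empty list names the rule to compare against the Enclave Inbox configuration.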

Email Body

The body of the email will be submitted as a report to the enclave you specified during setup. If there are any IOCs in the email body they will be automatically extracted by the TruSTAR platform.


If your email has an attachment in PDF, Word, Text file, CSV, Excel or JSON format, our system will automatically append the content of the attachments to the report body. If the attachments have any IOCs they will be automatically extracted by the TruSTAR platform. Please note you may lose the formatting of the original attachment in this process.

Sample Email

Here's a sample email that will be processed by the platform and submitted to the enclave specified by the user.

To set up auto-forwarding rules for your inbox read more here

Setting up Email Redaction

This functionality enables you to have all emails forwarded to the inbox processed through your redaction library, for example to anonymize the sender or recipient of the email or any information sensitive to your organization.

Updates made to the redaction library will apply to reports submitted after the change.


  1. Update your redaction library to include the term or IOC that you would like to have redacted when submitting via the Enclave inbox
    Redaction supports wildcards, e.g. *@google.com will redact all email handles from google.com
  2. You must have an enclave inbox configuration created

Submit Email Redaction request

To submit an Email Redaction request please navigate to the customer service portal and provide the Enclave inbox handle of the configuration to which you want your redaction library applied. We will get this enabled within 48 business hours.


Why aren't my emails appearing in my enclave?

  • First, crosscheck with your enclave inbox configuration and ensure that the email is in compliance with the configured accepted sender and accepted prefix (optional).
  • Check that the email you are forwarding to your inbox complies with TruSTAR's report submission limits. You can find the limits here
  • Next, confirm in the server logs that the emails are being successfully delivered. Depending on the settings, whitelisting the domain @enclave.trustar.co may resolve emails that are being blocked when forwarding to the enclave inbox handle.
  • If this issue persists please contact your account executive or support@trustar.co

