Enclave Email Inbox Feature

Updated 2 weeks ago by Elvis Hovor

TruSTAR allows users to submit incident and alert information directly to their enclaves using a variety of techniques, including email. This document describes how to set up and use the enclave email submission feature.

Use Cases

  1. You belong to a listserv where IOCs are exchanged regularly and are receiving valuable context, but there is no easy way to extract and operationalize this intelligence. 
  2. You have automated alerts set up on your SIEM or case management system and want to automatically submit the details of an alert or case as a report to your enclave.
  3. You can forward emails that you suspect to be phishing attempts and Station will store the email as a report in your enclave and identify any IOCs in that email.

To do this, TruSTAR creates an email handle for a given company, e.g. for Acme Co it would be “acmeco@trustar.co”. Any emails sent to this email address are then added to the user’s Enclave, with the subject line as the report title and the date and report content properly populated.

Setup Enclave Email Inbox

Note: User must be a company admin to configure the Enclave Inbox.
  1. Log into your TruSTAR account
  2. Navigate to the bottom left of the navbar and select the "Settings" icon 
  3. Navigate to "Enclave Inbox" in settings and Select + to create a new email handle
  4. Email handles are now automatically generated for the user.
    Desired Email Handle: The email handle you would like to receive. The email handle will be automatically generated.
    The email handle will always be @enclave.trustar.co

    Optional Email Subject Prefixes: This is text surrounded by square brackets [ ] that has to be present in the subject line for emails to be processed. You can have multiple prefixes. Each prefix has to be at least 3 characters long. Remember to press Enter to accept each email subject prefix after you enter it in the form.
    For example, if you choose [ACME], then all your emails need to have [ACME] as a prefix in the subject line for TruSTAR to process them.
    Accepted Sender Emails: Add all sender emails that can send emails to this enclave. Only emails sent from these senders will be accepted by the system. (Press Enter to add each sender email to the list of accepted emails.)
    Users can use a wildcard in the accepted senders field to accept emails sent from a common domain. For example, '*@acme.com' will accept all senders whose address ends with the domain @acme.com.
  5. After the request is complete you will receive a notification. The enclave inbox can take up to 2 minutes to become operational. 
Emails are processed and submitted to the Enclave every minute.
As with all other submissions, IOCs are automatically extracted and correlated.

Update Enclave Email Inbox

You may want to add new sender emails or modify the accepted list of prefixes. You can modify existing enclave inbox configurations by going to Settings->Enclave Inbox.

  1. Select the inbox configuration you need to update
  2. Edit the fields needed, as seen here:
    1. Be sure to hit "Enter" 
  3. Don't forget to save!

Delete Enclave Email Inbox

You can delete an existing Enclave Inbox configuration by going to Settings->Enclave Inbox. Select the email configuration you want to delete and select the "Delete Icon" option.

Sending Email Submissions

After your email inbox has been set up, you will be able to send emails to the @trustar.co email account for submissions.

From

The email has to be sent from one of the accepted sender emails provided during setup.

Subject Line

You have to use the prefix(es) you specified during setup in the subject line for this email to be processed.

Please remember the prefix has to be in square brackets [ ].
If there are multiple prefixes, each one has to be in its own square brackets [ ].

The subject text excluding the prefix will be used as the Report Title for the submission.

Enclave Tags in Subject Line

You can associate tags with your email submission in either of the following ways. There is no difference in capability between the two methods; both are supported to suit the submitter's preference.

  1. Specify enclave tags in the subject line. The enclave tags have to be specified as a comma separated list within { } brackets for submission to be tagged.
  2. Specify enclave tags as the first line in the body of the email. The enclave tags have to be specified as a comma separated list within { } brackets for submission to be tagged.
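The sender, prefix and tag rules above, modelled as an added Python example (not TruSTAR's own code): it checks the From address against the accepted senders (ignoring any display name, and matching a '*@domain' entry against the exact domain), requires the configured [ ] prefixes, reads { } tags from the subject or else the first body line, and derives the report title. The configuration values are constructed, and the choice that every configured prefix must be present is an assumption.

```python
import re
from email.utils import parseaddr

# Constructed inbox configuration mirroring the setup form above; values are assumed.
INBOX_CONFIG = {
    "prefixes": ["[ACME]"],                                      # 3+ chars, in [ ]
    "accepted_senders": ["soc@acme.com", "*@partner.example"],   # '*@domain' wildcard
}
TAG_BLOCK = re.compile(r"\{([^}]*)\}")  # enclave tags: comma-separated list inside { }

def sender_accepted(from_header, accepted):
    """Accept only configured senders; a '*@domain' entry matches that exact domain."""
    # parseaddr checks the real address, so "SOC <x@other.example>" is judged on x@other.example
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1]
    for pattern in (p.lower() for p in accepted):
        if pattern.startswith("*@"):
            if domain == pattern[2:]:
                return True
        elif addr == pattern:
            return True
    return False

def parse_tags(text):
    """Return the tags in the first { } block of text, or [] if there is none."""
    m = TAG_BLOCK.search(text)
    if not m:
        return []
    return [t.strip() for t in m.group(1).split(",") if t.strip()]

def process_email(from_header, subject, body, config=INBOX_CONFIG):
    """Apply the inbox rules; return the report to submit, or None if rejected."""
    if not sender_accepted(from_header, config["accepted_senders"]):
        return None
    # Every configured prefix must appear in the subject, each in its own brackets.
    if not all(prefix in subject for prefix in config["prefixes"]):
        return None
    # Tags may be given in the subject or, failing that, on the first line of the body.
    first_line = body.splitlines()[0] if body.strip() else ""
    tags = parse_tags(subject) or parse_tags(first_line)
    # The report title is the subject with prefixes and the tag block removed.
    title = subject
    for prefix in config["prefixes"]:
        title = title.replace(prefix, "")
    title = TAG_BLOCK.sub("", title).strip()
    return {"title": title, "tags": tags, "body": body}
```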

Email Body

The body of the email will be submitted as a report to the enclave you specified during setup. If there are any IOCs in the email body, they will be automatically extracted by the TruSTAR platform.

Attachments

If your email has an attachment in PDF, Word, text file, CSV, Excel or JSON format, our system will automatically append the content of the attachment to the report body. If the attachments contain any IOCs, they will be automatically extracted by the TruSTAR platform. Please note that you may lose the formatting of the original attachment in this process.

Sample Email

Here's a sample email that will be processed by the platform and submitted to the enclave specified by the user.

To set-up auto-forwarding rules for your inbox read more here
