Using the Enclave Email Inbox Feature

Updated 2 weeks ago by Shimon Modi

TruSTAR allows users to submit incident and alert information directly to their enclaves using a variety of techniques, including email. This document describes how to set up and use the enclave email submission feature.

Use Cases

  1. You belong to a listserv where IOCs are exchanged regularly and are receiving valuable context, but there is no easy way to extract and operationalize this intelligence. 
  2. You have automated alerts set up on your SIEM or case management system and want to automatically submit the details of an alert or case as a report to your enclave.

To do this, TruSTAR creates an email handle for a given company, e.g. for Acme Co it would be “acmeco@trustar.co”. Any email sent to this address is then added to the user’s Enclave, with the subject line as the report title and the date and report content properly populated.

Setup Enclave Email Inbox

  1. Log into your TruSTAR account
  2. Navigate to the top right and select "Settings" in the drop down menu
  3. Fill out the form under "Enclave Inbox"
  4. The form has the following fields:
     Enclave: Name of the enclave to send the emails to.
     Desired Email Handle: The email handle you would like to request. Best practice is to use the name of your company or your enclave. The email handle will always be @enclave.trustar.co
     Accepted Email Subject Prefixes: Text surrounded by square brackets [ ] that has to be present in the subject line for emails to be processed. You can have multiple prefixes. A prefix has to be at least 4 characters long.
     For example, if you choose [ACME] then all your emails need to have [ACME] as a prefix in the subject line for TruSTAR to process them.
     Accepted Sender Emails: Add all sender emails that can send emails to this enclave. Only emails sent from these senders will be accepted by the system.
  5. After the request is complete you will receive a notification. The enclave inbox can take up to 2 minutes to become operational.
Emails are processed and submitted to the Enclave every minute.
As with all other submissions, IOCs are automatically extracted and correlated.


Update Enclave Email Inbox

You may want to add new sender emails or modify the accepted list of prefixes. You can modify existing enclave inbox configurations by going to Settings->Enclave Inbox.

Delete Enclave Email Inbox

You can delete an existing Enclave Inbox configuration by going to Settings->Enclave Inbox. Select the email configuration you want to delete and select the "Delete" option.

Sending Email Submissions

After your email inbox has been set up, you will be able to send emails to the @trustar.co email account for submissions.

From

The email has to be sent from one of the accepted sender emails provided during setup.

Subject Line

You have to use the prefix(es) you specified during setup in the subject line for this email to be processed.

Please remember the prefix has to be in square brackets [ ].
If you use multiple prefixes, each one has to be in its own square brackets [ ].

Text excluding the prefix will be used as Report Title for the submission.

Enclave Tags in Subject Line

You can associate tags with your email submission using either of the following methods. There is no difference in capability between the two; both are supported to suit the preference of the submitter.

  1. Specify enclave tags in the subject line. The enclave tags have to be specified as a comma separated list within { } brackets for submission to be tagged.
  2. Specify enclave tags as the first line in the body of the email. The enclave tags have to be specified as a comma separated list within { } brackets for submission to be tagged.

Email Body

The body of the email will be submitted as a report to the enclave you specified during setup. If there are any IOCs in the email body, they will be automatically extracted by the TruSTAR platform.

Attachments

If your email has an attachment in PDF, Word, text file, CSV, Excel or JSON format, our system will automatically append the content of the attachment to the report body. If the attachments have any IOCs, they will be automatically extracted by the TruSTAR platform. Please note you may lose the formatting of the original attachment in this process.

Sample Email

Here's a sample email that will be processed by the platform and submitted to the enclave specified by the user.
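
For the SIEM alert use case, the From, Subject Line and Enclave Tags rules above can be checked before a message is sent. This is an added Python example, not TruSTAR code or the original sample email; the handle, prefix, sender address and alert text are constructed values, and the matching behaviour marked in the comments is an assumption.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed values standing in for the Settings -> Enclave Inbox form entries.
INBOX = "acmeco@enclave.trustar.co"            # hypothetical handle
ACCEPTED_PREFIXES = {"ACME"}                   # configured as [ACME]
ACCEPTED_SENDERS = {"siem-alerts@acme.example"}

BRACKETED = re.compile(r"\[([^\[\]]+)\]")      # [PREFIX]
BRACED = re.compile(r"\{([^{}]*)\}")           # {tag1, tag2}

def build_submission(sender, prefix, title, body, tags=()):
    """Prefix goes in the subject; tags go on the first line of the body."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, INBOX
    msg["Subject"] = f"[{prefix}] {title}"
    tag_line = "{" + ", ".join(tags) + "}\n" if tags else ""
    msg.set_content(tag_line + body)
    return msg

def extract_tags(msg):
    """Tags from the subject line or, failing that, the first body line."""
    lines = msg.get_content().splitlines()
    for text in (msg["Subject"], lines[0] if lines else ""):
        found = BRACED.search(text)
        if found:
            return [t.strip() for t in found.group(1).split(",") if t.strip()]
    return []

def check_submission(msg):
    """Return the documented rules this message breaks (empty list = ready)."""
    problems = []
    # Assumption: sender addresses are compared case-insensitively.
    sender = parseaddr(msg["From"])[1].lower()
    if sender not in ACCEPTED_SENDERS:
        problems.append(f"sender {sender} is not an accepted sender")
    # Assumption: prefixes match exactly and may appear anywhere in the subject.
    if not set(BRACKETED.findall(msg["Subject"])) & ACCEPTED_PREFIXES:
        problems.append("subject lacks an accepted [prefix]")
    if not BRACKETED.sub("", msg["Subject"]).strip():
        problems.append("no subject text left to use as the report title")
    return problems

if __name__ == "__main__":
    alert = build_submission("siem-alerts@acme.example", "ACME", "Suspicious login alert", "Source IP 203.0.113.7 failed 25 logins in 60 seconds.", tags=("siem", "login"))
    print(alert)
    print(check_submission(alert) or "ready to send")
```
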



