Enclave Inbox

Updated 2 weeks ago by Elvis Hovor

This document explains how to use the Enclave Inbox feature to submit incident and alert information directly to your enclaves using email. Emails sent to this inbox are processed and then submitted to the enclave every minute.

Use Cases

  1. You belong to a listserv where IOCs are exchanged regularly and are receiving valuable context, but there is no easy way to extract and operationalize this intelligence. 
  2. You have automated alerts setup on your SIEM or case management system and want to automatically submit the details of an alert or case as a report to your enclave.
  3. You can forward emails that you suspect to be phishing attempts and Station will store the email as a report in your enclave and identify any IOCs in that email.
  4. You can forward emails into your shared Enclave and use your redaction library to anonymize and redact any sensitive information.

How It Works

TruSTAR creates an email handle for a given company, e.g. for Acme Co it would be “acmeco@trustar.co”. Any emails sent to this email address are then added to that user’s Enclave with the subject line as the report title and the date and report content properly populated.

Setting Up an Enclave Inbox

Note: You must be a company admin to configure the Enclave Inbox feature.

  1. Log into TruSTAR Station.
  2. Navigate to User Settings on the Navigation Bar, then choose Settings from the dropdown menu.
  3. Click Enclave inbox on the Settings menu.
  4. Click the + sign on the far right vertical menu to start the configuration.
  5. Choose the Enclave you want to submit emails to.
  6. Note the Desired Email Handle. This field is automatically generated and ends in @enclave.trustar.co. You will use this email address as the recipient for all mail you send to the enclave.
  7. Add text into the Accepted Email Subject Prefixes text box and press Enter after each entry. Using this field ensures that only emails with the specified prefixes will be processed and added to the enclave.
  • Text must be enclosed in square brackets; for example, if you want to process emails with [ACME] in the subject line, you must enter [ACME] in this text box.
  • Each entry must be at least 3 characters long, including the square brackets.
  • You can specify multiple prefixes. An email with any of the prefixes will be processed.
  8. Specify Accepted Sender Emails, if desired. Press Enter after each email address to add it to the list. Restricting who can send or forward emails to this enclave increases security.
  • You can use wildcards to accept emails sent from a common domain. For example, '*@acme.com' will accept all senders whose address ends with the domain @acme.com.
  9. Click Send to submit the new configuration.

After the request is complete you will receive a notification. The enclave email inbox can take up to 2 minutes to become operational. 

As with all other submissions, IOCs are automatically extracted and correlated.

Updating the Enclave Inbox

You can modify existing enclave inbox configurations by going to Settings->Enclave Inbox.

  1. Log into TruSTAR Station.
  2. Navigate to User Settings on the Navigation Bar, then choose Settings from the dropdown menu.
  3. Click Enclave inbox on the Settings menu.
  4. Select the inbox configuration you need to update and click the Pencil icon on the right vertical menu.
  5. Edit the Email Subject Prefix and Sender Email fields as needed. Remember to press Enter after each new entry to commit it to the list.
  6. Click Save when you have finished editing the information.

Deleting an Enclave Inbox

  1. Log into TruSTAR Station.
  2. Navigate to User Settings on the Navigation Bar, then choose Settings from the dropdown menu.
  3. Click Enclave inbox on the Settings menu.
  4. Select the inbox configuration you want to delete and click the Trashcan icon on the right vertical menu.
  5. Click Delete on the confirmation popup. (Note: this does not delete the enclave, it only deletes the email inbox for that enclave.)

Sending Email Submissions

After the inbox for the enclave has been set up, you can send emails to that @trustar.co email account to submit items to the enclave.

To be processed correctly, the emails you send need to match the email inbox configuration.

  • From field: If you specified Accepted Senders, the email must be from one of these addresses.
  • Subject field: If you specified prefixes, the email subject must contain one or more of those prefixes, including the square brackets enclosing the text. Each prefix must be contained in a separate set of square brackets; for example, [ACME] [SPAM].
    • The Subject text, excluding any prefixes, will be used as the Report Title for the submission.

Adding Tags to Emails

You can associate tags with your email submission using either of the following methods:

  1. Specify enclave tags in the subject line. The enclave tags have to be specified as a comma-separated list within { } brackets for the submission to be tagged; for example, {spam,malware,highpriority}.
  2. Specify enclave tags as the first line in the body of the email. The enclave tags have to be specified as a comma-separated list within { } brackets for the submission to be tagged; for example, {spam,malware,highpriority}.
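As an added illustration of the rules in "Sending Email Submissions" and "Adding Tags to Emails" (accepted senders with '*' wildcards, bracketed subject prefixes, the report title taken from the subject minus its prefixes, and tags given either in the subject or in the first body line), the following Python models that processing on a raw message. It is example code written for this page, not TruSTAR's own implementation: the configuration values and sample messages are constructed, the tag group is assumed to be stripped from the title as well, and details such as case sensitivity of sender matching are assumptions about behaviour the page does not specify.

```python
import fnmatch
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed inbox configuration (hypothetical; reuses the page's own
# example prefix [ACME] and wildcard sender pattern *@acme.com).
ACCEPTED_PREFIXES = ["[ACME]", "[SPAM]"]
ACCEPTED_SENDERS = ["*@acme.com", "soc-lead@partner.example"]

# A subject prefix is any text enclosed in its own pair of square brackets.
PREFIX_RE = re.compile(r"\[[^\[\]]+\]")
# A tag group is a comma-separated list inside curly braces, e.g. {spam,malware}.
TAGS_RE = re.compile(r"\{([^{}]*)\}")


def sender_allowed(from_header, accepted_senders):
    """True if the From address matches any accepted sender.
    '*' wildcards are honoured via fnmatch, as in '*@acme.com'.
    An empty accepted list means no sender restriction (assumption)."""
    if not accepted_senders:
        return True
    addr = parseaddr(from_header)[1].lower()
    return any(fnmatch.fnmatchcase(addr, p.lower()) for p in accepted_senders)


def subject_prefixes(subject):
    """All bracketed prefixes found in the subject, in order."""
    return PREFIX_RE.findall(subject)


def prefix_allowed(subject, accepted_prefixes):
    """True if at least one configured prefix appears in its own brackets."""
    if not accepted_prefixes:
        return True
    found = set(subject_prefixes(subject))
    return any(p in found for p in accepted_prefixes)


def extract_tags(text):
    """Tags from the first {a,b,c} group in the text, or [] if there is none."""
    match = TAGS_RE.search(text)
    if not match:
        return []
    return [t.strip() for t in match.group(1).split(",") if t.strip()]


def report_title(subject):
    """Report title: the subject with prefixes (and, by assumption, the
    tag group) removed and whitespace collapsed."""
    title = TAGS_RE.sub("", PREFIX_RE.sub("", subject))
    return " ".join(title.split())


def process_message(raw, accepted_prefixes, accepted_senders):
    """Apply the inbox rules to one RFC 822 message.
    Returns (report_dict, "ok") when accepted, or (None, reason) otherwise."""
    msg = message_from_string(raw, policy=policy.default)
    sender = str(msg.get("From", ""))
    subject = str(msg.get("Subject", ""))
    if not sender_allowed(sender, accepted_senders):
        return None, "sender not accepted"
    if not prefix_allowed(subject, accepted_prefixes):
        return None, "no accepted subject prefix"
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    # Tags: the subject line is checked first, then the first body line.
    tags = extract_tags(subject)
    if not tags and body.strip():
        tags = extract_tags(body.splitlines()[0])
    return {"title": report_title(subject), "tags": tags, "body": body}, "ok"


# Constructed sample messages (not real traffic).
SAMPLE_EMAIL = """\
From: Analyst <analyst@acme.com>
To: acmeco@enclave.trustar.co
Subject: [ACME] Suspected phishing campaign {phishing,highpriority}
Content-Type: text/plain; charset="utf-8"

Observed a credential-harvesting lure sent to several staff this morning.
Reported by the help desk; the original message is attached to the ticket.
"""

REJECTED_EMAIL = """\
From: someone@unrelated.example
To: acmeco@enclave.trustar.co
Subject: [ACME] Not from an accepted sender

This should be dropped by the sender check.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_EMAIL, REJECTED_EMAIL):
        report, status = process_message(raw, ACCEPTED_PREFIXES, ACCEPTED_SENDERS)
        print(status, report and {"title": report["title"], "tags": report["tags"]})
```

The sender check runs before the prefix check so that a rejected message never has its subject or body interpreted; if you adapt this, keep that order, since the accepted-sender list is the control the page describes as "increasing security".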

Email Body

The body of the email is submitted as a report. If there are any IOCs in the email body, they are automatically extracted.

Attachments

If your email has an attachment in PDF, Word, text, CSV, Excel, .eml, .msg, or JSON format, TruSTAR automatically appends the content of that attachment to the report body and automatically extracts any IOCs from that content. This processing may remove the formatting of the attachment.

Sample Email

This is an example of an email processed by TruSTAR and submitted to the specified enclave.

Redacting Submitted Emails

You can choose to have submitted emails be processed through your organization's redaction map.

To submit a request for this redaction to be set up:

  1. Go to the customer service portal.
  2. Fill out a request for Technical Support and provide the Enclave Email Inbox handle for that enclave.

TruSTAR will work to get the redaction process in place within 48 business hours.

FAQ

Why aren't my emails appearing in my enclave?

  • First, cross-check against your enclave inbox configuration and ensure that the email complies with the configured accepted senders and accepted prefixes (both optional settings).
  • Check that the email you are forwarding to your inbox complies with TruSTAR's report submission limits. You can find the limits here.
  • Next, confirm in your mail server logs that the emails are being successfully delivered. Depending on your mail settings, whitelisting the domain @enclave.trustar.co may resolve emails that are being blocked when forwarded to the enclave inbox handle.
  • If the issue persists, please contact your account executive or support@trustar.co.
