TruSTAR (Deprecated)

Deprecated

We recommend using the TruSTAR v2 integration instead.

Use the TruSTAR integration to manage reports and indicators.

This integration was integrated and tested with TruSTAR v1.3 (through the TruSTAR Python SDK).

Use Cases

  • Search for indicators
  • Add indicators to, and remove them from, the whitelist
  • Filter reports using indicators
  • Submit, update, delete, search, and get reports

Prerequisites

Access your TruSTAR environment to obtain an API key and an API secret: navigate to Settings > API > API Credentials.

Treat the API secret as a credential. Enter it only in the integration instance configured below, not in playbook inputs or automation scripts, where it would be stored and logged in clear text.

Configure TruSTAR on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for TruSTAR.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance
    • Server URL (example: https://192.168.0.1)
    • TruSTAR API Key
    • TruSTAR API Secret
    • Do not validate server certificate (not secure): leave this cleared unless you have a specific reason. With it selected, the API key and secret are sent to whichever host answers at the Server URL, whether or not its certificate is valid.
    • Use system proxy settings
    • File Threshold (LOW, MEDIUM, HIGH): minimum TruSTAR priority level at which a file is considered malicious
    • URL Threshold (LOW, MEDIUM, HIGH): minimum TruSTAR priority level at which a URL is considered malicious
    • IP Threshold (LOW, MEDIUM, HIGH): minimum TruSTAR priority level at which an IP address is considered malicious
    • Domain Threshold (LOW, MEDIUM, HIGH): minimum TruSTAR priority level at which a domain is considered malicious
    A threshold of LOW marks every indicator TruSTAR holds a priority level for as malicious (DBotScore 3). The reputation command examples further down show 8.8.8.8 and www.google.com flagged this way at threshold=LOW, so choose the thresholds with that in mind.
  4. Click Test to validate connectivity and credentials.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Return a list of related indicators: trustar-related-indicators
  2. Trending indicators: trustar-trending-indicators
  3. Find an indicator: trustar-search-indicators
  4. Submit a report: trustar-submit-report
  5. Update a report: trustar-update-report
  6. Return report details: trustar-report-details
  7. Delete a report: trustar-delete-report
  8. Get reports: trustar-get-reports
  9. Return correlated reports: trustar-correlated-reports
  10. Search reports: trustar-search-reports
  11. Add indicators to whitelist: trustar-add-to-whitelist
  12. Remove indicators from whitelist: trustar-remove-from-whitelist
  13. Get all enclaves: trustar-get-enclaves
  14. Check the reputation of a file: file
  15. Check the reputation of an IP address: ip
  16. Check the reputation of a URL: url
  17. Check the reputation of a domain: domain

1. Return a list of related indicators


Returns a list of indicators related to a specified indicator.

Command Example

!trustar-related-indicators indicators=wannacry.exe

Inputs
Argument Name   Description
indicators      Indicator value of any type (for example: an IP address, email address, URL, MD5, SHA-1, SHA-256, registry key, or malware name)
enclave-ids     CSV of enclave IDs. Returns indicators found in reports from these enclaves only (default: all enclaves you have READ access to)
page-number     Page of the result set to get
page-size       Number of results per page

Context Output
Path Description
File.Name File name
File.MD5 File MD5
File.SHA1 File SHA-1
File.SHA256 File SHA-256
URL.Address URL address
IP.Address IP address
Account.Email.Address Email address
RegistryKey.Path Registry key path
CVE.ID CVE ID

Raw Output
 [
    {
       "indicatorType": "SOFTWARE",
       "value": "00000000.res"
    }
 ]

2. Trending indicators


Returns trending indicators.

Command Example

!trustar-trending-indicators type=MALWARE raw-response=true

Inputs
Argument Name   Description
type            Types of indicators to return (by default, all indicator types except CVE and MALWARE are returned)
days-back       Number of days to count correlations for

Context Output
Path Description
File.Name File name
File.MD5 File MD5
File.SHA1 File SHA-1
File.SHA256 File SHA-256
URL.Address URL address
IP.Address IP address
Account.Email.Address Email address
RegistryKey.Path Registry key path
CVE.ID CVE ID

Raw Output
[  
   {  
      "correlationCount":109,
      "indicatorType":"MALWARE",
      "value":"IEXPLORE"
   }
]

3. Find an indicator


Search for a specific indicator.

Command Example

!trustar-search-indicators search-term=IEXPLORE

Inputs
Argument Name   Description
search-term     Term to search for
enclave-ids     CSV of enclave IDs. Returns indicators found in reports from these enclaves only (default: all enclaves you have READ access to)
page-number     Page of the result set to get
page-size       Number of results per page

Context Output
Path Description
File.Name File name
File.MD5 File MD5
File.SHA1 File SHA-1
File.SHA256 File SHA-256
URL.Address URL address
IP.Address IP address
Account.Email.Address Email address
RegistryKey.Path Registry key path
CVE.ID CVE ID

Raw Output
[  
   {  
      "indicatorType":"SOFTWARE",
      "priorityLevel":"HIGH",
      "value":"iexplore.exe",
      "whitelisted":false
   }
]

4. Submit a report


Submits a new report to TruSTAR. The report body is taken verbatim from the report-body argument; the command does not generate content.

Command Example

!trustar-submit-report report-body=1.2.3.4,domain.com title=DailyReport distribution-type=ENCLAVE enclave-ids=3435626a-d0d6-4ba5-a229-1dd645d34da5

Inputs
Argument Name      Description
title              Title of the report
report-body        Text content of the report
enclave-ids        CSV of TruSTAR-generated enclave IDs. Mandatory if the distribution type is ENCLAVE. NOTE: use the enclave ID, not the enclave name (trustar-get-enclaves lists both).
distribution-type  Distribution type of the report (ENCLAVE or COMMUNITY)
external-url       URL of the external report this originated from, if one exists. Limited to 500 alphanumeric characters. Each company must have a unique URL for all of its reports.
time-began         ISO-8601 incident time with timezone (for example: 2016-09-22T11:38:35+00:00). Default: current time.

Context Output
Path Description
TruSTAR.Report.reportTitle Title of the report
TruSTAR.Report.reportBody Body of the report
TruSTAR.Report.id ID of the report

Raw Output
{  
   "id":"ddda0c95-0b87-44b3-b38c-591f387f1be7",
   "reportBody":"1.2.3.4,domain.com",
   "reportTitle":"DailyReport"
}

5. Update a report


Modifies an existing report.

Inputs
Argument Name      Description
report-id          TruSTAR report ID or external tracking ID
title              Title of the report
report-body        Text content of the report
enclave-ids        CSV of TruSTAR-generated enclave IDs. Mandatory if the distribution type is ENCLAVE. NOTE: use the enclave ID, not the enclave name (trustar-get-enclaves lists both).
external-url       URL of the external report this originated from, if one exists. Limited to 500 alphanumeric characters. Each company must have a unique URL for all of its reports.
distribution-type  Distribution type of the report (ENCLAVE or COMMUNITY)
time-began         ISO-8601 incident time with timezone (for example: 2016-09-22T11:38:35+00:00). Default: current time.

Context Output
Path Description
TruSTAR.Report.reportTitle Title of the report
TruSTAR.Report.reportBody Body of the report
TruSTAR.Report.id ID of the report

Raw Output
{  
   "id":"ddda0c95-0b87-44b3-b38c-591f387f1be7",
   "reportBody":"email@gmail.com",
   "reportTitle":"UpdateDailyReport"
}
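The argument rules above for trustar-submit-report and trustar-update-report (enclave IDs rather than enclave names, enclave-ids mandatory for ENCLAVE distribution, the 500-character external-url limit, an ISO-8601 time-began with a timezone) are easy to get wrong from a playbook, and the API error that comes back is rarely as clear as a local check. The following Python is an added example, not the integration's own code: it validates those arguments before any API call and builds a payload shaped like the report raw output on this page. Assumptions not stated on the page: enclave IDs are UUIDs, external-url must be an http(s) URL, and the externalUrl key name; the other keys mirror the trustar-report-details raw output.

```python
"""Argument validation for trustar-submit-report and trustar-update-report.

Added example, not the integration's own code. It encodes the constraints the
integration page states (enclave-ids mandatory for ENCLAVE distribution and
given as IDs rather than names; external-url limited to 500 characters;
time-began ISO-8601 with a timezone, defaulting to now) so a playbook fails
with a clear message before the API call. The UUID check for enclave IDs, the
http(s) check for external-url and the 'externalUrl' key name are assumptions;
the other payload keys mirror the trustar-report-details raw output.
"""

import re
import uuid
from datetime import datetime, timezone

DISTRIBUTION_TYPES = {"ENCLAVE", "COMMUNITY"}
EXTERNAL_URL_MAX = 500


class ReportArgumentError(ValueError):
    """Raised for an argument the TruSTAR API would reject."""


def parse_enclave_ids(csv_value):
    """Split the CSV and require TruSTAR-generated UUIDs, catching the common
    mistake of passing an enclave *name* such as 'Broadanalysis' (assumption:
    enclave IDs are UUIDs, as in the page's examples)."""
    ids = [p.strip() for p in (csv_value or "").split(",") if p.strip()]
    bad = []
    for eid in ids:
        try:
            uuid.UUID(eid)
        except ValueError:
            bad.append(eid)
    if bad:
        raise ReportArgumentError(f"enclave-ids must be enclave IDs, not names: {bad}")
    return ids


def parse_time_began(value, now=None):
    """Accept ISO-8601 with an explicit offset (2016-09-22T11:38:35+00:00);
    default to the current time, as the command does."""
    if value is None:
        return (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    try:
        parsed = datetime.fromisoformat(value)
    except ValueError as exc:
        raise ReportArgumentError(f"time-began is not ISO-8601: {value!r}") from exc
    if parsed.tzinfo is None:
        raise ReportArgumentError("time-began must include a timezone offset, e.g. +00:00")
    return parsed.isoformat(timespec="seconds")


def validate_external_url(value):
    """Length limit from the page; the http(s) shape check is an assumption."""
    if value is None:
        return None
    if len(value) > EXTERNAL_URL_MAX:
        raise ReportArgumentError(f"external-url exceeds {EXTERNAL_URL_MAX} characters")
    if not re.fullmatch(r"https?://\S+", value):
        raise ReportArgumentError("external-url must be an http(s) URL")
    return value


def build_report_payload(title, report_body, distribution_type="ENCLAVE",
                         enclave_ids=None, external_url=None, time_began=None, now=None):
    """Return the validated payload, or raise ReportArgumentError."""
    if not title or not report_body:
        raise ReportArgumentError("title and report-body are required")
    dist = str(distribution_type).upper()
    if dist not in DISTRIBUTION_TYPES:
        raise ReportArgumentError(f"distribution-type must be one of {sorted(DISTRIBUTION_TYPES)}")
    ids = parse_enclave_ids(enclave_ids)
    if dist == "ENCLAVE" and not ids:
        raise ReportArgumentError("enclave-ids is mandatory when distribution-type is ENCLAVE")
    return {
        "title": title,
        "reportBody": report_body,
        "distributionType": dist,
        "enclaveIds": ids,
        "externalUrl": validate_external_url(external_url),   # assumed key name
        "timeBegan": parse_time_began(time_began, now),
    }


def check_report_args(**kwargs):
    """Convenience wrapper: None when the arguments are valid, else the message."""
    try:
        build_report_payload(**kwargs)
    except ReportArgumentError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # The page's own submit example, targeting the enclave ID it uses.
    print(build_report_payload("DailyReport", "1.2.3.4,domain.com", "ENCLAVE",
                               "3435626a-d0d6-4ba5-a229-1dd645d34da5",
                               time_began="2016-09-22T11:38:35+00:00"))
    # An enclave name where an ID is required is rejected locally.
    print(check_report_args(title="DailyReport", report_body="1.2.3.4",
                            distribution_type="ENCLAVE", enclave_ids="Broadanalysis"))
```

The same checks apply to trustar-update-report, which takes the same arguments plus report-id; run them before either command and the War Room error names the offending argument instead of the API's generic rejection.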

6. Return report details


Returns report metadata.

Inputs
Argument Name   Description
report-id       TruSTAR report ID or external tracking ID
id-type         Type of report ID: whether report-id is a TruSTAR-generated report ID or an external tracking ID

Context Output
Path Description
TruSTAR.Report.reportTitle Title of the report
TruSTAR.Report.reportBody Body of the report
TruSTAR.Report.id ID of the report

Raw Output
{  
   "created":"2018-04-04 08:09:05",
   "distributionType":"ENCLAVE",
   "enclaveIds":"3435626a-d0d6-4ba5-a229-1dd645d34da5",
   "id":"ddda0c95-0b87-44b3-b38c-591f387f1be7",
   "reportBody":"email@gmail.com",
   "timeBegan":"2018-04-04 08:12:13",
   "title":"UpdateDailyReport",
   "updated":"2018-04-04 08:12:07"
}

7. Delete a report


Deletes the specified report.

Input
Argument Name   Description
report-id       TruSTAR report ID or external tracking ID
id-type         Type of report ID: whether report-id is a TruSTAR-generated report ID or an external tracking ID

Context Output

There is no context output for this command.

Raw output
Report ddda0c95-0b87-44b3-b38c-591f387f1be7 was successfully deleted

8. Get reports


Returns the reports updated within a time window, optionally filtered by distribution type, enclave, and tags.

Command Example

!trustar-get-reports enclave-ids=3435626a-d0d6-4ba5-a229-1dd645d34da5

Input
Argument Name      Description
from               Start of the time window. Format is YYYY-MM-DD HH:MM:SS (example: 2018-01-01 10:30:00). Based on updated time, not created time. Default: 1 day ago.
to                 End of the time window. Format is YYYY-MM-DD HH:MM:SS (example: 2018-01-01 10:30:00). Based on updated time, not created time. Default: current time.
distribution-type  Whether to search for reports only in enclaves (ENCLAVE), or in the COMMUNITY too
enclave-ids        CSV of enclave IDs to search for reports in. Even if distribution-type is COMMUNITY, these enclaves are still searched (default: all enclaves the user has READ access to)
tags               Names of tags to filter by. NOTE: only reports containing ALL of these tags are returned.
excluded-tags      Tags to exclude. NOTE: reports containing ANY of these tags are excluded from the results.

Context Output
Path Description
TruSTAR.Report.reportTitle Title of the report
TruSTAR.Report.reportBody Body of the report
TruSTAR.Report.id ID of the report

Raw Output
[  
   {  
      "created":"2018-04-04 08:23:05",
      "distributionType":"ENCLAVE",
      "enclaveIds":"3435626a-d0d6-4ba5-a229-1dd645d34da5",
      "id":"d445c743-8cd8-4c38-bcf4-7879f31ca6bf",
      "reportBody":"1.2.3.4,domain.com",
      "timeBegan":"2018-04-04 08:23:12",
      "title":"DailyReport",
      "updated":"2018-04-04 08:23:05"
   }
]
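The from/to, distribution-type, enclave-ids, tags and excluded-tags arguments above combine in ways that are easy to misread: the window is on a report's updated time rather than its created time, tags means ALL listed tags, excluded-tags means ANY of them, and the named enclaves are still searched when distribution-type is COMMUNITY. The following Python is an added example, not the integration's code: it applies those documented rules to constructed sample reports so the effect of each argument can be checked offline before a playbook depends on it. Assumed: a tags field on each report (the raw output above does not show one) and the placeholder IDs r1..r3.

```python
"""Client-side model of the trustar-get-reports filters.

Added example, not the integration's code. It encodes the semantics the
command documents so each argument's effect can be checked on constructed
data: the from/to window applies to a report's *updated* time (not created),
tags requires ALL listed tags, excluded-tags drops a report with ANY of them,
and enclave-ids are still searched when distribution-type is COMMUNITY. The
sample reports are constructed (IDs r1..r3); the 'tags' field is assumed,
since the documented raw output does not show one.
"""

from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"     # the command's from/to format

SAMPLE_REPORTS = [  # constructed sample data
    {"id": "r1", "distributionType": "ENCLAVE",
     "enclaveIds": ["3435626a-d0d6-4ba5-a229-1dd645d34da5"],
     "created": "2018-04-04 08:23:05", "updated": "2018-04-04 08:23:05",
     "tags": ["daily", "ioc"]},
    {"id": "r2", "distributionType": "ENCLAVE",   # created in January, edited in April
     "enclaveIds": ["0e4443fc-2b50-4756-b5e0-4ea30030bcb3"],
     "created": "2018-01-31 20:04:34", "updated": "2018-04-04 12:14:31",
     "tags": ["sandbox", "ioc"]},
    {"id": "r3", "distributionType": "COMMUNITY", "enclaveIds": [],
     "created": "2018-01-31 20:04:34", "updated": "2018-01-31 20:04:34",
     "tags": ["cve"]},
]


def parse_time(value):
    return datetime.strptime(value, TIME_FMT)


def resolve_window(from_=None, to=None, now=None):
    """Defaults as documented: from = 1 day ago, to = now."""
    now = now or datetime.now()
    start = parse_time(from_) if from_ else now - timedelta(days=1)
    end = parse_time(to) if to else now
    if start > end:
        raise ValueError("from must not be later than to")
    return start, end


def select_reports(reports, from_=None, to=None, distribution_type="ENCLAVE",
                   enclave_ids=None, tags=None, excluded_tags=None, now=None):
    """Return the IDs of the reports the documented filters would keep."""
    start, end = resolve_window(from_, to, now)
    dist = distribution_type.upper()
    wanted = {e.strip() for e in (enclave_ids or "").split(",") if e.strip()}
    required, excluded = set(tags or []), set(excluded_tags or [])
    kept = []
    for r in reports:
        if not start <= parse_time(r["updated"]) <= end:   # updated, not created
            continue
        # No enclave filter means every readable enclave qualifies.
        in_enclaves = not wanted or bool(wanted & set(r.get("enclaveIds", [])))
        is_community = r["distributionType"] == "COMMUNITY"
        if dist == "ENCLAVE" and (is_community or not in_enclaves):
            continue
        if dist == "COMMUNITY" and not (is_community or in_enclaves):
            continue                          # community reports plus the named enclaves
        report_tags = set(r.get("tags", []))
        if not required <= report_tags:       # ALL of tags must be present
            continue
        if excluded & report_tags:            # ANY of excluded-tags drops it
            continue
        kept.append(r["id"])
    return kept


if __name__ == "__main__":
    window = dict(from_="2018-04-04 00:00:00", to="2018-04-05 00:00:00")
    print(select_reports(SAMPLE_REPORTS, **window))
    print(select_reports(SAMPLE_REPORTS, **window, tags=["ioc"], excluded_tags=["sandbox"]))
```

r2 is the case to watch: created in January but updated in April, it falls inside an April window, so a playbook that assumes the window means "new reports" will re-process edited ones.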

9. Return correlated reports


Returns reports correlated with the specified indicators.

Command Example

!trustar-correlated-reports indicators=NANOCORE

Inputs
Argument Name      Description
indicators         Indicator value of any type (for example: an IP address, email address, URL, MD5, SHA-1, SHA-256, registry key, or malware name)
enclave-ids        CSV of enclave IDs. Returns reports from these enclaves only (default: all enclaves the user has READ access to)
page-number        Which page of the result set to get
page-size          Number of results per page
distribution-type  Distribution type of the report (ENCLAVE or COMMUNITY)

Context Output

There is no context output for this command.

Raw Output
{  
   "created":"2018-04-04 12:14:31",
   "distributionType":"ENCLAVE",
   "enclaveIds":[  

   ],
   "id":"c7343c52-13d8-4125-8693-e0d4648a2e49",
   "reportBody":"",
   "timeBegan":"2018-04-04 12:14:27",
   "title":"hybridanalysispublicfeed-11a5d43169626282dd899a1bb0f96fe0-2018-04-04 11:24:52",
   "updated":"2018-04-04 12:14:31"
}

10. Search reports


Returns reports matching a search term.

Command Example

!trustar-search-reports search-term=CVE

Inputs
Argument Name   Description
search-term     Term to search for
enclave-ids     CSV of enclave IDs. Returns reports from these enclaves only (default: all of the user's enclaves)

Context Output

There is no context output for this command.

Raw Output
[  
   {  
      "created":"2018-01-31 20:04:34",
      "distributionType":"ENCLAVE",
      "enclaveIds":[  

      ],
      "id":"57bffb4b-bcf7-44c8-9e14-4116a46fcb95",
      "timeBegan":"2018-04-04T14:00:05.636840+00:00",
      "title":"CVE-2018-2714",
      "updated":"2018-01-31 20:04:34"
   }
]

11. Add indicators to whitelist


Adds indicators to your whitelist.

Inputs
Argument Name   Description
indicators      CSV of indicators to whitelist (example: evil.com,101.43.52.224)

Context Output

There is no context output for this command.

Raw output:
Added to the whitelist successfully

12. Remove indicators from whitelist


Removes an indicator from your whitelist.

Inputs
Argument Name    Description
indicator        Value of the indicator to remove
indicator-type   Type of the indicator to remove

Context Output

There is no context output for this command.

Raw Output
Removed from the whitelist successfully

13. Get all enclaves


Returns all enclaves.

Input

There is no input for this command.

Context Output

There is no context output for this command.

Raw output:
[  
   {  
      "create":false,
      "id":"0e4443fc-2b50-4756-b5e0-4ea30030bcb3",
      "name":"Broadanalysis",
      "read":true,
      "type":"OPEN",
      "updated":false
   }
]

14. Check the reputation of a file


Checks the reputation of a file in TruSTAR.

Base Command

file

Input
Argument Name  Required  Description
file           yes       File hash: MD5, SHA-1, or SHA-256
threshold      no        Minimum TruSTAR priority level (LOW, MEDIUM, or HIGH) at which the file is considered malicious; when set, it takes the place of the instance's File Threshold

Context Output
Path                       Type     Description
File.MD5                   string   File MD5
File.SHA1                  string   File SHA-1
File.SHA256                string   File SHA-256
File.Malicious.Vendor      string   For malicious files, the vendor that made the decision
DBotScore.Indicator        string   The indicator that was tested
DBotScore.Type             string   The type of the indicator
DBotScore.Vendor           string   Vendor used to calculate the score
DBotScore.Score            number   The actual score (0 Unknown, 1 Good, 2 Suspicious, 3 Bad)
TruSTAR.File.Value         string   Indicator value
TruSTAR.File.Whitelisted   boolean  Whether the indicator is whitelisted
TruSTAR.File.Priority      string   The indicator's priority level in TruSTAR

Command Example

!file file=84c82835a5d21bbcf75a61706d8ab549 threshold=LOW

Context Example
{
    "DBotScore": {
        "Vendor": "TruSTAR", 
        "Indicator": "84c82835a5d21bbcf75a61706d8ab549", 
        "Score": 3, 
        "Type": "file"
    }, 
    "TruSTAR": {
        "File": {
            "Priority": "LOW", 
            "Whitelisted": false, 
            "Value": "84c82835a5d21bbcf75a61706d8ab549"
        }
    }, 
    "File": {
        "Malicious": {
            "Vendor": "TruSTAR"
        }, 
        "MD5": "84c82835a5d21bbcf75a61706d8ab549"
    }
}

15. Check the reputation of an IP address


Checks the reputation of an IP address in TruSTAR.

Base Command

ip

Input
Argument Name  Required  Description
ip             yes       IP address (for example: 8.8.8.8) or CIDR range (for example: 1.1.1.0/18)
threshold      no        Minimum TruSTAR priority level (LOW, MEDIUM, or HIGH) at which the IP address is considered malicious; when set, it takes the place of the instance's IP Threshold

Context Output
Path                       Type     Description
IP.Address                 string   IP address
IP.Malicious.Vendor        string   For malicious IPs, the vendor that made the decision
IP.Malicious.Description   string   For malicious IPs, the reason the vendor made the decision
DBotScore.Indicator        string   The indicator that was tested
DBotScore.Type             string   The type of the indicator
DBotScore.Vendor           string   Vendor used to calculate the score
DBotScore.Score            number   The actual score (0 Unknown, 1 Good, 2 Suspicious, 3 Bad)
TruSTAR.IP.Value           string   Indicator value
TruSTAR.IP.Whitelisted     boolean  Whether the indicator is whitelisted
TruSTAR.IP.Priority        string   The indicator's priority level in TruSTAR

Command Example

!ip ip=8.8.8.8 threshold=LOW

Context Example
{
    "IP": {
        "Malicious": {
            "Vendor": "TruSTAR", 
            "Description": "LOW"
        }, 
        "Address": "8.8.8.8"
    }, 
    "DBotScore": {
        "Vendor": "TruSTAR", 
        "Indicator": "8.8.8.8", 
        "Score": 3, 
        "Type": "ip"
    }, 
    "TruSTAR": {
        "IP": {
            "Priority": "LOW", 
            "Whitelisted": false, 
            "Value": "8.8.8.8"
        }
    }
}

16. Check the reputation of a URL


Checks the reputation of a URL in TruSTAR.

Base Command

url

Input
Argument Name  Required  Description
url            yes       URL to search for
threshold      no        Minimum TruSTAR priority level (LOW, MEDIUM, or HIGH) at which the URL is considered malicious; when set, it takes the place of the instance's URL Threshold

Context Output
Path                       Type     Description
URL.Data                   string   The URL
URL.Malicious.Vendor       string   For malicious URLs, the vendor that made the decision
URL.Malicious.Description  string   For malicious URLs, the reason the vendor made the decision
DBotScore.Indicator        string   The indicator that was tested
DBotScore.Type             string   The type of the indicator
DBotScore.Vendor           string   Vendor used to calculate the score
DBotScore.Score            number   The actual score (0 Unknown, 1 Good, 2 Suspicious, 3 Bad)
TruSTAR.URL.Value          string   Indicator value
TruSTAR.URL.Whitelisted    boolean  Whether the indicator is whitelisted
TruSTAR.URL.Priority       string   The indicator's priority level in TruSTAR

Command Example

!url url=www.google.com threshold=LOW

Context Example
{
    "URL": {
        "Malicious": {
            "Vendor": "TruSTAR", 
            "Description": "LOW"
        }, 
        "Data": "www.google.com"
    }, 
    "DBotScore": {
        "Vendor": "TruSTAR", 
        "Indicator": "www.google.com", 
        "Score": 3, 
        "Type": "url"
    }, 
    "TruSTAR": {
        "URL": {
            "Priority": "LOW", 
            "Whitelisted": false, 
            "Value": "www.google.com"
        }
    }
}

17. Check the reputation of a domain


Checks the reputation of a domain in TruSTAR.

Base Command

domain

Input
Argument Name  Required  Description
domain         yes       Domain name to search for
threshold      no        Minimum TruSTAR priority level (LOW, MEDIUM, or HIGH) at which the domain is considered malicious; when set, it takes the place of the instance's Domain Threshold

Context Output
Path                          Type     Description
Domain.Name                   string   Domain name
Domain.Malicious.Vendor       string   For malicious domains, the vendor that made the decision
Domain.Malicious.Description  string   For malicious domains, the reason the vendor made the decision
DBotScore.Indicator           string   The indicator that was tested
DBotScore.Type                string   The type of the indicator
DBotScore.Vendor              string   Vendor used to calculate the score
DBotScore.Score               number   The actual score (0 Unknown, 1 Good, 2 Suspicious, 3 Bad)
TruSTAR.Domain.Value          string   Indicator value
TruSTAR.Domain.Whitelisted    boolean  Whether the indicator is whitelisted
TruSTAR.Domain.Priority       string   The indicator's priority level in TruSTAR

Command Example

!domain domain=www.google.com threshold=LOW

Context Example
{
    "DBotScore": {
        "Vendor": "TruSTAR", 
        "Indicator": "www.google.com", 
        "Score": 3, 
        "Type": "domain"
    }, 
    "TruSTAR": {
        "Domain": {
            "Priority": "LOW", 
            "Whitelisted": false, 
            "Value": "www.google.com"
        }
    }, 
    "Domain": {
        "Malicious": {
            "Vendor": "TruSTAR", 
            "Description": "LOW"
        }, 
        "Name": "www.google.com"
    }
}
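The File, URL, IP and Domain Threshold instance settings and the threshold argument of the file, ip, url and domain commands share one rule: an indicator whose TruSTAR priority level meets or exceeds the threshold is reported as malicious, DBotScore 3. The following Python is an added example, not the integration's code: it implements that rule over constructed lookup results shaped like the trustar-search-indicators raw output and builds the DBotScore and TruSTAR.<Type> context entries documented above. Assumed, because the page does not specify them: the command argument takes the place of the instance threshold, whitelisted indicators score Good (1), indicators TruSTAR knows but rates below the threshold score Suspicious (2), and indicators it does not know score Unknown (0). The flagged_at helper makes the LOW-threshold caveat concrete: at LOW, 8.8.8.8 comes back as malicious, exactly as in the ip command example.

```python
"""Threshold-to-DBotScore logic behind the TruSTAR reputation commands.

Added example, not code from the TruSTAR integration. It reproduces the rule
the integration documents: an indicator whose TruSTAR priority level meets or
exceeds the threshold (command argument, else the instance-level setting) is
reported as malicious, DBotScore 3. How whitelisted or below-threshold
indicators are scored is not documented; whitelisted -> Good (1), known but
below threshold -> Suspicious (2), not found -> Unknown (0) are assumptions.
"""

PRIORITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Demisto DBotScore values.
UNKNOWN, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3

# Constructed lookup results, shaped like the trustar-search-indicators raw
# output. The values appear in the integration's examples; the priority and
# whitelist flags for evil.com are constructed.
SAMPLE_RESULTS = {
    "84c82835a5d21bbcf75a61706d8ab549": {"indicatorType": "MD5", "priorityLevel": "LOW",
                                         "value": "84c82835a5d21bbcf75a61706d8ab549",
                                         "whitelisted": False},
    "8.8.8.8": {"indicatorType": "IP", "priorityLevel": "LOW",
                "value": "8.8.8.8", "whitelisted": False},
    "iexplore.exe": {"indicatorType": "SOFTWARE", "priorityLevel": "HIGH",
                     "value": "iexplore.exe", "whitelisted": False},
    "evil.com": {"indicatorType": "DOMAIN", "priorityLevel": "HIGH",
                 "value": "evil.com", "whitelisted": True},
}


def score_indicator(result, threshold, default_threshold="MEDIUM"):
    """Return the DBotScore for one TruSTAR lookup result (None = not found).

    threshold is the command's optional argument; when it is absent the
    instance threshold applies (that precedence is an assumption).
    """
    effective = (threshold or default_threshold).upper()
    if effective not in PRIORITY_RANK:
        raise ValueError(f"threshold must be one of {sorted(PRIORITY_RANK)}")
    if result is None:
        return UNKNOWN
    if result.get("whitelisted"):
        return GOOD                     # assumption: the whitelist wins over priority
    priority = str(result.get("priorityLevel", "")).upper()
    if priority not in PRIORITY_RANK:
        return UNKNOWN
    if PRIORITY_RANK[priority] >= PRIORITY_RANK[effective]:
        return BAD                      # the documented rule
    return SUSPICIOUS                   # assumption: known to TruSTAR, below threshold


def build_context(indicator, dbot_type, result, threshold, default_threshold="MEDIUM"):
    """Build the DBotScore and TruSTAR.<Type> context entries the reputation
    commands document (the standard File/IP/URL/Domain entries are omitted)."""
    type_key = {"file": "File", "ip": "IP", "url": "URL", "domain": "Domain"}[dbot_type]
    ctx = {"DBotScore": {"Indicator": indicator, "Type": dbot_type, "Vendor": "TruSTAR",
                         "Score": score_indicator(result, threshold, default_threshold)}}
    if result is not None:
        ctx["TruSTAR"] = {type_key: {"Value": result["value"],
                                     "Whitelisted": bool(result.get("whitelisted")),
                                     "Priority": result.get("priorityLevel")}}
    return ctx


def flagged_at(threshold):
    """Which sample indicators a given threshold marks malicious. At LOW,
    8.8.8.8 (and anything else TruSTAR has assigned a priority) scores 3."""
    return [v for v, r in SAMPLE_RESULTS.items() if score_indicator(r, threshold) == BAD]


if __name__ == "__main__":
    for thr in ("LOW", "MEDIUM", "HIGH"):
        print(f"threshold={thr:<6} malicious: {flagged_at(thr)}")
```

Run it and compare the three lines: the jump from HIGH to LOW turns a single HIGH-priority sample into everything TruSTAR has ever rated, which is the behaviour the ip and url examples above show for 8.8.8.8 and www.google.com.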