TruSTAR
Integration version: 4.0
Use Cases
Perform enrichment actions.
Configure TruSTAR integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
API Root | String | https://api.trustar.co | Yes | TruSTAR API root |
API Key | String | N/A | Yes | TruSTAR API key |
API Secret | Password | N/A | Yes | TruSTAR API secret |
Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the TruSTAR server is valid. |
Where To Find API Token and API Secret
- Navigate to https://station.trustar.co/settings/api
- Copy "Client ID" and "Client Secret" and put them in the integration configuration
- Execute test run.
Actions
Ping
Description
Test connectivity to TruSTAR with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: | General |
Enrich Entities
Description
Enrich entities using information from TruSTAR. Supported entities: All.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Security Level Threshold | DDL | Low. Possible values: Benign, Low, Medium, High | Yes | Specify the lowest security level for the entity to be marked as suspicious. |
Enclave Filter | CSV | N/A | No | Specify a comma-separated list of enclave names that should be used during the enrichment. |
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"indicatorType": "URL",
"value": "http://esmne052.top/downfiles/lv.exe",
"correlationCount": 0,
"priorityLevel": "NOT_FOUND",
"noteCount": 0,
"sightings": 3,
"firstSeen": 1617901588427,
"lastSeen": 1617923344643,
"enclaveIds": [
"b850e851-27e3-4cc2-9269-69ac0aad63b1",
"85313bc9-deb4-4022-ac03-923adcee9298",
"cf777992-5dde-4d08-aef2-5e7c13951f54"
],
"tags": [
{
"guid": "385a631d-fe0a-4657-ab4b-b201d48bf58c",
"name": "api-tag",
"enclaveId": "85313bc9-deb4-4022-ac03-923adcee9298"
}
],
"source": "",
"notes": [],
"guid": "URL|http://esmne052.top/downfiles/lv.exe",
"summaries": [
{
"reportId": "970da023-e974-4223-80be-4b83c85583d9",
"updated": 1617900133000,
"enclaveId": "cf777992-5dde-4d08-aef2-5e7c13951f54",
"source": {
"key": "virustotal",
"name": "VirusTotal"
},
"type": "URL",
"value": "http://esmne052.top/downfiles/lv.exe",
"score": {
"name": "Positives/Total Scans",
"value": "12/85"
},
"attributes": [
{
"name": "Scan Date",
"value": 1617900133000
},
{
"name": "Websites with Positive Detections",
"value": [
"AegisLab WebGuard",
"AlienVault",
"CRDF",
"ESET",
"Emsisoft",
"Fortinet",
"G-Data",
"Kaspersky",
"Spamhaus",
"URLhaus",
"VX Vault",
"benkow.cc"
]
}
],
"severityLevel": 1
}
]
}
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
sightings | When available in JSON |
first_seen | When available in JSON |
last_seen | When available in JSON |
tags | When available in JSON |
source | When available in JSON |
security_level | When available in JSON |
report_link | When available in JSON |
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If some entities were not enriched (is_success = true): "Action wasn't able to enrich the following entities using TruSTAR:\n".format(entity.identifier). If no entities were enriched (is_success = false): "No entities were enriched". The action should fail and stop a playbook execution: If one of the enclaves was not found: "Error executing action "Enrich Entities". Reason: the following enclaves were not found: {0}. Please check the spelling or use the action "List Enclaves" to find the valid enclaves.''.format(enclave names) | General |
Entity Table | Same columns as in the Enrichment table, but without the prefix. | Entity |
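As an added illustration (not the integration's own code), the following Python applies the Security Level Threshold and builds the enrichment fields listed above from an indicator shaped like the JSON Result. It assumes that summary severityLevel values 0..3 correspond to Benign..High and uses a hypothetical TruSTAR_ enrichment prefix; the page specifies neither.

```python
import json

# Threshold drop-down values in ascending order, as listed for the action.
SECURITY_LEVELS = ["Benign", "Low", "Medium", "High"]

# Constructed sample, abridged from the Enrich Entities JSON Result on this page.
SAMPLE_INDICATOR = json.loads("""{
  "indicatorType": "URL", "value": "http://esmne052.top/downfiles/lv.exe",
  "priorityLevel": "NOT_FOUND", "sightings": 3,
  "firstSeen": 1617901588427, "lastSeen": 1617923344643,
  "tags": [{"guid": "385a631d-fe0a-4657-ab4b-b201d48bf58c", "name": "api-tag",
            "enclaveId": "85313bc9-deb4-4022-ac03-923adcee9298"}],
  "source": "",
  "summaries": [{"reportId": "970da023-e974-4223-80be-4b83c85583d9",
                 "source": {"key": "virustotal", "name": "VirusTotal"},
                 "score": {"name": "Positives/Total Scans", "value": "12/85"},
                 "severityLevel": 1}]
}""")


def security_level(indicator):
    """Highest summary severityLevel, returned as a drop-down name.
    Assumption: severityLevel 0..3 maps to Benign..High (the page gives no mapping)."""
    levels = [s.get("severityLevel") for s in indicator.get("summaries", [])]
    levels = [lv for lv in levels if isinstance(lv, int) and 0 <= lv < len(SECURITY_LEVELS)]
    return SECURITY_LEVELS[max(levels)] if levels else None


def is_suspicious(indicator, threshold="Low"):
    """True when the indicator's level is at or above the configured threshold."""
    if threshold not in SECURITY_LEVELS:
        raise ValueError("unknown Security Level Threshold: %r" % threshold)
    level = security_level(indicator)
    return level is not None and SECURITY_LEVELS.index(level) >= SECURITY_LEVELS.index(threshold)


def enrichment_fields(indicator, prefix="TruSTAR_"):
    """Rows for the enrichment table; a field is emitted only when present in the JSON.
    The prefix is a hypothetical choice. report_link is not in the sample JSON, so it
    is simply never emitted here."""
    fields = {
        "sightings": indicator.get("sightings"),
        "first_seen": indicator.get("firstSeen"),
        "last_seen": indicator.get("lastSeen"),
        "tags": ", ".join(t["name"] for t in indicator.get("tags", [])) or None,
        "source": indicator.get("source") or None,  # empty string counts as absent
        "security_level": security_level(indicator),
    }
    return {prefix + k: v for k, v in fields.items() if v is not None}
```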
Get Related IOCs
Description
Get information about IOCs that are related to the provided entities. Supported entities: All.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Max IOCs To Return | Integer | 50 | No | Specify how many IOCs to return. Default: 50. Maximum: 1000. |
Enclave Filter | CSV | N/A | No | Specify a comma-separated list of enclave names that should be used during the enrichment. |
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"{indicatorType_1}": ["{value_1}"],
"{indicatorType_2}": ["{value_2}"]
}
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If no IOCs were found (is_success=false): "No related IOCs were found for the provided entities in TruSTAR". The action should fail and stop a playbook execution: If a non-200 response is returned: "Error executing action "Get Related IOCs". Reason: {0}''.format(message). If one of the enclaves was not found: "Error executing action "Get Related IOCs". Reason: the following enclaves were not found: {0}. Please check the spelling or use the action "List Enclaves" to find the valid enclaves.''.format(enclave names) | General |
Case Wall Table | Name: Statistics. Columns: Type, Count | General |
Get Related Reports
Description
Get information about reports related to the entities. Supported entities: All.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Create Insight | Checkbox | Yes | No | If enabled, action will create an insight containing information about reports related to the entities. |
Include Report Body In Insight | Checkbox | No | No | If enabled, insight will contain information about the report body. Note: report body can be very big in size. |
Enclave Filter | CSV | N/A | No | Specify a comma-separated list of enclave names that should be used during the enrichment. |
Max Reports To Return | Integer | 10 | No | Specify how many reports to return. Default: 10. Maximum: 25. |
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"id": "b8decde8-a68e-4961-aa0b-e07474e394b0",
"created": 1615928416710,
"updated": 1615928416710,
"title": "35201",
"distributionType": "ENCLAVE",
"submissionStatus": "PROCESSED",
"timeBegan": 1615928416187,
"reportBody": "Event # 1\n Source IP: 4.2.2.2\n Destination IP: 10.250.250.25\n Raw Event: <114>Mar 16 22:04:21 SyslogAlertForwarder: |6863274412612564368|Signature|2021-03-16 22:04:20 GMT+02:00|\"DNS: Microsoft SMTP Service DNS resolver overflow\"|0x40302f00|High|ms-smtp-dns-resolver-overflow|Medium|My Company|BDCFailover|3A-3B|4.2.2.2|53|10.250.250.25|1027|Inbound|buffer-overflow",
"externalTrackingId": "qradar-offence-35201",
"enclaveIds": [
"28177710-9cb8-aa2f-29e8-135c14365e80"
],
"tags": [
{
"guid": "sense offense",
"name": "sense offense",
"enclaveId": "28177710-9cb8-aa2f-29e8-135c14365e80"
},
{
"guid": "host logout",
"name": "host logout",
"enclaveId": "28177710-9cb8-aa2f-29e8-135c14365e80"
},
{
"guid": "service stopped",
"name": "service stopped",
"enclaveId": "28177710-9cb8-aa2f-29e8-135c14365e80"
},
{
"guid": "object access success",
"name": "object access success",
"enclaveId": "28177710-9cb8-aa2f-29e8-135c14365e80"
},
{
"guid": "process creation success",
"name": "process creation success",
"enclaveId": "28177710-9cb8-aa2f-29e8-135c14365e80"
},
{
"guid": "information",
"name": "information",
"enclaveId": "28177710-9cb8-aa2f-29e8-135c14365e80"
},
{
"guid": "user privilege",
"name": "user privilege",
"enclaveId": "28177710-9cb8-aa2f-29e8-135c14365e80"
},
{
"guid": "user login failure",
"name": "user login failure",
"enclaveId": "28177710-9cb8-aa2f-29e8-135c14365e80"
}
]
}
Entity Insight
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If no reports are found (is_success=false): "No related reports were found in TruSTAR". The action should fail and stop a playbook execution: If a non-200 response is returned: "Error executing action "Get Related Reports". Reason: {0}''.format(message). If one of the enclaves was not found: "Error executing action "Get Related Reports". Reason: the following enclaves were not found: {0}. Please check the spelling or use the action "List Enclaves" to find the valid enclaves.''.format(enclave names) | General |
Case Wall | Title: Related Reports. Columns: Title, Tags | General |
List Enclaves
Description
List available enclaves in TruSTAR.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Filter Logic | DDL | Equal. Possible values: Equal, Contains | No | Specify what filter logic should be applied. |
Filter Value | String | N/A | No | Specify what value should be used in the filter. |
Max Enclaves To Return | Integer | 50 | No | Specify how many enclaves to return. Default: 50. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
[
{
"name": "COVID-19 OSINT Community Enclave",
"templateName": "COVID-19",
"workflowSupported": false,
"read": true,
"create": false,
"update": false,
"id": "b0a7be7b-a847-4597-9e1d-20ae18c344ea",
"type": "OPEN"
},
{
"name": "Hybrid Analysis Public Feed",
"templateName": "Open Source",
"workflowSupported": false,
"read": true,
"create": false,
"update": false,
"id": "2eeccced-c740-4ad9-aa5c-82744cd1f6aa",
"type": "OPEN"
}
]
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If no enclaves are found (is_success=false): "No related enclaves were found in TruSTAR". The action should fail and stop a playbook execution: | General |
Case Wall | Title: Related Reports. Columns: Name, Read, Create, Update, ID, Type | General |
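The following Python is an added example, not the integration's own code. It applies the List Enclaves parameters (Filter Logic, Filter Value, Max Enclaves To Return) to enclaves shaped like the JSON Result above, and resolves an Enclave Filter value (the CSV parameter shared by Enrich Entities, Get Related IOCs and Get Related Reports) to enclave IDs, producing the page's "enclaves were not found" message for unknown names. Case-insensitive matching for Contains is an assumption.

```python
import json

# Constructed sample, abridged from the List Enclaves JSON Result on this page.
ENCLAVES = json.loads("""[
  {"name": "COVID-19 OSINT Community Enclave", "templateName": "COVID-19",
   "read": true, "create": false, "update": false,
   "id": "b0a7be7b-a847-4597-9e1d-20ae18c344ea", "type": "OPEN"},
  {"name": "Hybrid Analysis Public Feed", "templateName": "Open Source",
   "read": true, "create": false, "update": false,
   "id": "2eeccced-c740-4ad9-aa5c-82744cd1f6aa", "type": "OPEN"}
]""")


def list_enclaves(enclaves, filter_logic="Equal", filter_value=None, max_to_return=50):
    """Filter on the enclave name with Equal or Contains, then truncate to
    Max Enclaves To Return. Contains is case-insensitive here (an assumption)."""
    if filter_logic not in ("Equal", "Contains"):
        raise ValueError("unsupported Filter Logic: %r" % filter_logic)
    if max_to_return < 1:
        raise ValueError("Max Enclaves To Return must be a positive integer")
    rows = enclaves
    if filter_value:
        if filter_logic == "Equal":
            rows = [e for e in rows if e["name"] == filter_value]
        else:
            rows = [e for e in rows if filter_value.lower() in e["name"].lower()]
    return rows[:max_to_return]


def resolve_enclave_filter(enclaves, enclave_filter, action_name):
    """Turn the comma-separated Enclave Filter parameter into enclave IDs.
    Returns (ids, error); error carries the page's failure message when any
    name is unknown, in which case the action should fail and stop the playbook."""
    by_name = {e["name"]: e["id"] for e in enclaves}
    wanted = [n.strip() for n in (enclave_filter or "").split(",") if n.strip()]
    missing = [n for n in wanted if n not in by_name]
    if missing:
        msg = ('Error executing action "{0}". Reason: the following enclaves were not '
               'found: {1}. Please check the spelling or use the action "List Enclaves" '
               'to find the valid enclaves.').format(action_name, ", ".join(missing))
        return [], msg
    return [by_name[n] for n in wanted], None
```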