Skip to main content

TruSTAR (Deprecated)

This Integration is part of the TruSTAR (Deprecated) Pack.#

Deprecated

Not supported since TrueSTAR was acquired by Splunk, No available replacement.

Deprecated. Use the TruSTAR v2 integration instead.

This integration was integrated and tested with TruSTAR v1.3. (TruSTAR Python SDK.)

Use Cases

  • Search for indicators
  • Add and remove indicators to the allow list
  • Filter reports using indicators
  • Submit, update, delete, search, and get reports

Prerequisites

Access your TruSTAR environment to obtain an API key and an API secret.

Navigate to Settings > API > API Credentials .

Configure TruSTAR on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for TruSTAR.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance
    • Server URL (example: https://192.168.0.1)
    • TruSTAR API Key
    • TruSTAR API Secret
    • Do not validate server certificate (not secure)
    • Use system proxy settings
    • File Threshold (LOW, MEDIUM, HIGH) : minimum TruSTAR priority level to consider the file malicious
    • URL Threshold (LOW, MEDIUM, HIGH) :minimum TruSTAR priority level to consider the URL malicious
    • IP Threshold (LOW, MEDIUM, HIGH) :minimum TruSTAR priority level to consider the IP malicious
    • Domain Threshold (LOW, MEDIUM, HIGH) :minimum TruSTAR priority level to consider the domain malicious
  4. Click Test to validate connectivity and credentials.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Return a list of related indicators: trustar-related-indicators
  2. Trending indicators: trustar-trending-indicators
  3. Find an indicator: trustar-search-indicators
  4. Submit a report: trustar-submit-report
  5. Update a report: trustar-update-report
  6. Return report details: trustar-report-details
  7. Delete a report: trustar-delete-report
  8. Generate a report: trustar-get-reports
  9. Return correlated reports: trustar-correlated-reports
  10. Search reports: trustar-search-reports
  11. Add indicators to allow list: trustar-add-to-whitelist
  12. Remove indicators from allow list: trustar-remove-from-whitelist
  13. Get all enclaves: trustar-get-enclaves
  14. Check the reputation of a file: file
  15. Check the reputation of an IP address: ip
  16. Check the reputation of a URL: url
  17. Check the reputation of a domain: domain

1. Return a list of related indicators

Returns a list of indicators related to a specified indicator.

Command Example

!trustar-related-indicators indicators=wannacry.exe

Inputs
Argument Name Description
indicators

Example indicator types: IP address, email address, URL, MD5, SHA-1, SHA-256, registry key, malware name, and so on

enclave-ids

CSV of enclave IDs. Returns indicators found in reports from these enclaves only (default - all enclaves you have READ access to)

page-number Page of the result set to get
page-size Number of results per page

Context Output
Path Description
File.Name File name
File.MD5 File MD5
File.SHA1 File SHA-1
File.SHA256 File SHA-256
URL.Address URL address
IP.Address IP address
Account.Email.Address Email address
RegistryKey.Path Registry key path
CVE.ID CVE ID

Raw Output 
 [
    {
       "indicatorType": "SOFTWARE",
       "value": "00000000.res"
    }
 ]

2. Trending indicators

Returns trending indicators.

Command Example

!trustar-trending-indicators type=MALWARE raw-response=true

Inputs
Argument Name Description
type

Types of indicators to return (by default, all indicator types except for CVE and MALWARE will be returned)

days-back

Number of days to count correlations for

Context Output
Path Description
File.Name File name
File.MD5 File MD5
File.SHA1 File SHA-1
File.SHA256 File SHA-256
URL.Address URL address
IP.Address IP address
Account.Email.Address Email address
RegistryKey.Path Registry key path
CVE.ID CVE ID

Raw Output 
Formatted JSON Data
[  
   {  
      "correlationCount":109,
      "indicatorType":"MALWARE",
      "value":"IEXPLORE"
   }
]

3. Find an indicator

Search for a specific indicator.

Command Example

!trustar-search-indicators search-term=IEXPLORE

Inputs
Argument Name Description
search-term

Term to search for

enclave-ids

CSV of enclave IDs. Returns indicators found in reports from these enclaves only (default - all enclaves you have READ access to).

page-number Page of the result set to get
page-size Number of results per page

Context Output
Path Description
File.Name File name
File.MD5 File MD5
File.SHA1 File SHA-1
File.SHA256 File SHA-256
URL.Address URL address
IP.Address IP address
Account.Email.Address Email address
RegistryKey.Path Registry key path
CVE.ID CVE ID

Raw Output 
[  
   {  
      "indicatorType":"SOFTWARE",
      "priorityLevel":"HIGH",
      "value":"iexplore.exe",
      "whitelisted":false
   }
]

4. Submit a report

Creates a new report. This command does not generate content.

Command Example

!trustar-submit-report report-body=1.2.3.4,domain.com title=DailyReport distribution-type=ENCLAVE enclave-ids=3435626a-d0d6-4ba5-a229-1dd645d34da5

Inputs
Argument Name Description
title

Title of the report

report-body

Text content of report

enclave-ids

CSV of TruSTAR-generated enclave IDs. Mandatory if the distribution type is ENCLAVE.

NOTE: Use the enclave ID, not the enclave name.

distribution-type Distribution type of the report
external-url

URL for the external report that this originated from, if one exists. Limited to 500 alphanumeric characters. Each company must have a unique URL for all of its reports.

time-began

ISO-8601 formatted incident time with timezone (for example: 2016-09-22T11:38:35+00:00) (default is current time)

Context Output
Path Description
TruSTAR.Report.reportTitle Title of the report
TruSTAR.Report.reportBody Body of the report
TruSTAR.Report.id ID of the report

Raw Output 
{  
   "id":"ddda0c95-0b87-44b3-b38c-591f387f1be7",
   "reportBody":"1.2.3.4,domain.com",
   "reportTitle":"DailyReport"
}

5. Update a report

Modifies an existing report.

Inputs
Argument Name Description
report-id

TruSTAR report ID or external tracking ID

title

Title of the report

report-body

Text content of report

enclave-ids

CSV of TruSTAR-generated enclave IDs. Mandatory if the distribution type is ENCLAVE

NOTE: Use the enclave ID, not the enclave name

external-url

URL for the external report that this originated from, if one exists. Limit 500 alphanumeric characters. Each company must have a unique URL for all of its reports.

distribution-type

Distribution type of the report

time-began

ISO-8601 formatted incident time with timezone (for example: 2016-09-22T11:38:35+00:00) Default is current time.

Context Output
Path Description
TruSTAR.Report.reportTitle Title of the report
TruSTAR.Report.reportBody Body of the report
TruSTAR.Report.id

ID of the report

Raw Output 
{  
   "id":"ddda0c95-0b87-44b3-b38c-591f387f1be7",
   "reportBody":"email@gmail.com",
   "reportTitle":"UpdateDailyReport"
}

6. Return report details

Returns report metadata.

Argument Name Description
report-id

TruSTAR report ID or external tracking ID

id-type

Type of report ID

Context Output
Path Description
TruSTAR.Report.reportTitle Title of the report
TruSTAR.Report.reportBody Body of the report
TruSTAR.Report.id ID of the report

Raw Output 
{  
   "created":"2018-04-04 08:09:05",
   "distributionType":"ENCLAVE",
   "enclaveIds":"3435626a-d0d6-4ba5-a229-1dd645d34da5",
   "id":"ddda0c95-0b87-44b3-b38c-591f387f1be7",
   "reportBody":"email@gmail.com",
   "timeBegan":"2018-04-04 08:12:13",
   "title":"UpdateDailyReport",
   "updated":"2018-04-04 08:12:07"
}

7. Delete a report

Deletes specified report.

Input
Argument Name Description
report-id

TruSTAR report ID or external tracking ID

id-type

Type of report ID

Context Output

There is no context output for this command.

Raw output 
Report ddda0c95-0b87-44b3-b38c-591f387f1be7 was successfully deleted

8. Generate a report

Generates a report.

Command Example

!trustar-get-reports enclave-ids=3435626a-d0d6-4ba5-a229-1dd645d34da5:

Input
Argument Name Description
from

Start of time window.

Format is YY-MM-DD HH:MM:SS (example: 2018-01-01 10:30:00)

Based on updated time, not created time.

(Default is 1 day ago)

to

End of time window

Format is YY-MM-DD HH:MM:SS (example: 2018-01-01 10:30:00)

Based on updated time, not created time.

(Default is current time)

distribution-type

Whether to search for reports only in enclaves, or in the COMMUNITY too

enclave-ids

CSV of enclave IDs to search for reports in. Even if distribution-type is COMMUNITY, these enclaves will still be searched as well (default: all enclaves the user has READ access to)

tags

Names of tags to filter by

NOTE: only reports containing ALL of these tags are returned

excluded-tags

Tags excluded from the report

NOTE: Reports containing ANY of these tags are excluded from the results.

Context Output
Path Description
TruSTAR.Report.reportTitle Title of the report
TruSTAR.Report.reportBody Body of the report
TruSTAR.Report.id ID of the report

Raw Output 
[  
   {  
      "created":"2018-04-04 08:23:05",
      "distributionType":"ENCLAVE",
      "enclaveIds":"3435626a-d0d6-4ba5-a229-1dd645d34da5",
      "id":"d445c743-8cd8-4c38-bcf4-7879f31ca6bf",
      "reportBody":"1.2.3.4,domain.com",
      "timeBegan":"2018-04-04 08:23:12",
      "title":"DailyReport",
      "updated":"2018-04-04 08:23:05"
   }
]

9. Return correlated reports

Returns reports correlating to specified indicators.

Command Example

!trustar-correlated-reports indicators=NANOCORE:

Inputs
Argument Name Description
indicators

Indicator value of any type (for example: an IP address, email address, URL, MD5, SHA-1, SHA-256, Registry Key, Malware name)

enclave-ids

CSV of enclave IDs. returns indicators found in reports from these enclaves only (default: all enclaves the user has READ access to)

page-number

Which page of the result set to get

page-size

Number of results per page

distribution-type

Distribution type of the report

Context Output

There is no context output for this command.

Raw Output 
{  
   "created":"2018-04-04 12:14:31",
   "distributionType":"ENCLAVE",
   "enclaveIds":[  

   ],
   "id":"c7343c52-13d8-4125-8693-e0d4648a2e49",
   "reportBody":"",
   "timeBegan":"2018-04-04 12:14:27",
   "title":"hybridanalysispublicfeed-11a5d43169626282dd899a1bb0f96fe0-2018-04-04 11:24:52",
   "updated":"2018-04-04 12:14:31"
}

10. Search reports

Returns reports based on search terms.

Command Example

!trustar-search-reports search-term=CVE

Inputs
Argument Name Description
search-term

Term to search for

enclave-ids

CSV of enclave IDs. Returns indicators found in reports from these enclaves only (defaults to all of the user’s enclaves)

Context Output

There is no context output for this command.

Raw Output 
[  
   {  
      "created":"2018-01-31 20:04:34",
      "distributionType":"ENCLAVE",
      "enclaveIds":[  

      ],
      "id":"57bffb4b-bcf7-44c8-9e14-4116a46fcb95",
      "timeBegan":"2018-04-04T14:00:05.636840+00:00",
      "title":"CVE-2018-2714",
      "updated":"2018-01-31 20:04:34"
   }
]

11. Add indicators to allow list

Adds indicators to your allow list.

Inputs
Argument Name Description
indicators

CSV of indicators to add to allow list (example: evil.com,101.43.52.224)

Context Output

There is no context output for this command.

Raw output: 
Added to the allow list successfully

12. Remove indicators from allow list

Remove indicator from your allow list.

Inputs
Argument Name Description
indicator

Value of the indicator to delete

indicator-type

Type of indicator to delete

Context Output

There is no context output for this command.

Raw Output 
Removed from the allow list successfully

13. Get all enclaves

Returns all enclaves.

Input

There is no input for this command.

Context Output

There is no context output for this command.

Raw output: 
[  
   {  
      "create":false,
      "id":"0e4443fc-2b50-4756-b5e0-4ea30030bcb3",
      "name":"Broadanalysis",
      "read":true,
      "type":"OPEN",
      "updated":false
   }
]

14. Check the reputation of a file

Checks the reputation of a file in TruSTAR.

Base Command

file

Input
Argument Name Description Required
file File hash - MD5, SHA-1 or SHA-256 Required
threshold If ThreatScore is greater or equal than the threshold, then ip will be considered malicious Optional

Context Output
Path Type Description
File.MD5 string File MD5
File.SHA1 string File SHA-1
File.SHA256 string File SHA-256
File.Malicious.Vendor string For malicious files, the vendor that made the decision
DBotScore.Indicator string The indicator we tested
DBotScore.Type string The type of the indicator
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score number The actual score
TruSTAR.File.Value string Indicator value
TruSTAR.File.Whitelisted boolean Is the indicator on allow list
TruSTAR.File.Priority string Indicator's priority level by TruSTAR

Command Example

!file file=84c82835a5d21bbcf75a61706d8ab549 threshold=LOW

Context Example 
{
    "DBotScore": {
        "Vendor": "TruSTAR", 
        "Indicator": "84c82835a5d21bbcf75a61706d8ab549", 
        "Score": 3, 
        "Type": "file"
    }, 
    "TruSTAR": {
        "File": {
            "Priority": "LOW", 
            "Whitelisted": false, 
            "Value": "84c82835a5d21bbcf75a61706d8ab549"
        }
    }, 
    "File": {
        "Malicious": {
            "Vendor": "TruSTAR"
        }, 
        "MD5": "84c82835a5d21bbcf75a61706d8ab549"
    }
}
Human Readable Output

image

15. Check the reputation of an IP address

Checks the reputation of an IP address in TruSTAR.

Base Command

ip

Input
Argument Name Description Required
ip IP address (e.g. 8.8.8.8) or a CIDR (e.g. 1.1.1.0/18) Required
threshold If ThreatScore is greater or equal than the threshold, then ip will be considered malicious Optional

Context Output
Path Type Description
IP.Address string IP Address
IP.Malicious.Vendor string For malicious IPs, the vendor that made the decision
IP.Malicious.Description string For malicious IPs, the reason for the vendor to make the decision
DBotScore.Indicator string The indicator we tested
DBotScore.Type string The type of the indicator
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score string The actual score
TruSTAR.IP.Value string Indicator value
TruSTAR.IP.Whitelisted boolean Is the indicator on allow list
TruSTAR.IP.Priority unknown Indicator's priority level by TruSTAR

Command Example

!ip ip=8.8.8.8 threshold=LOW

Context Example 
{
    "IP": {
        "Malicious": {
            "Vendor": "TruSTAR", 
            "Description": "LOW"
        }, 
        "Address": "8.8.8.8"
    }, 
    "DBotScore": {
        "Vendor": "TruSTAR", 
        "Indicator": "8.8.8.8", 
        "Score": 3, 
        "Type": "ip"
    }, 
    "TruSTAR": {
        "IP": {
            "Priority": "LOW", 
            "Whitelisted": false, 
            "Value": "8.8.8.8"
        }
    }
}
Human Readable Output

image

16. Check the reputation of a URL

Checks the reputation of a URL in TruSTAR.

Base Command

url

Input
Argument Name Description Required
url Enter a URL to search Required
threshold If ThreatScore is greater or equal than the threshold, then ip will be considered malicious Optional

Context Output
Path Type Description
URL.Data string URL data
URL.Malicious.Vendor string For malicious URLs, the vendor that made the decision
URL.Malicious.Description string For malicious URLs, the reason for the vendor to make the decision
DBotScore.Indicator string The indicator we tested
DBotScore.Type string The type of the indicator
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score string The actual score
TruSTAR.URL.Value string Indicator value
TruSTAR.URL.Whitelisted boolean Is the indicator on allow list
TruSTAR.URL.Priority string Indicator's priority level by TruSTAR

Command Example

!url url=www.google.com threshold=LOW

Context Example 
{
    "URL": {
        "Malicious": {
            "Vendor": "TruSTAR", 
            "Description": "LOW"
        }, 
        "Data": "www.google.com"
    }, 
    "DBotScore": {
        "Vendor": "TruSTAR", 
        "Indicator": "www.google.com", 
        "Score": 3, 
        "Type": "url"
    }, 
    "TruSTAR": {
        "URL": {
            "Priority": "LOW", 
            "Whitelisted": false, 
            "Value": "www.google.com"
        }
    }
}
Human Readable Output

image

17. Check the reputation of a domain

Checks the reputation of a domain in TruStar.

Base Command

domain

Input
Argument Name Description Required
domain Enter domain name to search Required
threshold If ThreatScore is greater or equal than the threshold, then ip will be considered malicious Optional

Context Output
Path Type Description
Domain.Name string Domain Name
Domain.Malicious.Vendor string For malicious domains, the vendor that made the decision
Domain.Malicious.Description string For malicious domains, the reason for the vendor to make the decision
DBotScore.Indicator string The indicator we tested
DBotScore.Type string The type of the indicator
DBotScore.Vendor string Vendor used to calculate the score
DBotScore.Score string The actual score
TruSTAR.Domain.Value string Indicator value
TruSTAR.Domain.Whitelisted boolean Is the indicator on allow list
TruSTAR.Domain.Priority string Indicator's priority level by TruSTAR

Command Example

!domain domain=www.google.com threshold=LOW

Context Example 
{
    "DBotScore": {
        "Vendor": "TruSTAR", 
        "Indicator": "www.google.com", 
        "Score": 3, 
        "Type": "domain"
    }, 
    "TruSTAR": {
        "Domain": {
            "Priority": "LOW", 
            "Whitelisted": false, 
            "Value": "www.google.com"
        }
    }, 
    "Domain": {
        "Malicious": {
            "Vendor": "TruSTAR", 
            "Description": "LOW"
        }, 
        "Name": "www.google.com"
    }
}
Human Readable Output

image

Edit this page
Report an Issue