
Discover New Context with TruSTAR’s IoC Search

Today we’re thrilled to roll out new IoC search functionality on the TruSTAR platform.

Security analysts are visual creatures. We are able to process new information and recall old information better when it is presented with graphics or images. This is especially true when it comes to searching for indicators during incident triage or threat hunting. Seeing the results as a visualization makes it so much easier to pinpoint interesting patterns and quickly assess the full scope of your analysis. And this is exactly what we are launching today!

Starting today, our search results will return IoCs (like an IP address, or a malware name such as Jaff or WannaCry) in addition to incident reports. You can visualize the results of your IoC search and see how the IoC relates to TruSTAR reports across various sectors, closed source intelligence (like FS-ISAC and listservs) and open source intelligence.

What is different about this new capability?

TruSTAR had previously offered an IoC search capability, but users could only view results as a list of reports that contained the IoC. This did not let our users see how a specific IoC connects to other reports on TruSTAR, which meant they were not able to take full advantage of the unique way we store IoCs and the relationships between IoCs and reports.

How can it help me in my analysis?

The real value of this feature comes from what you can do with the results of the searches. Here are a couple of examples:

  1. Incident/Event Triage: Effective incident response relies on how quickly you can mitigate a threat. With our new search function, SOC operators can search for indicators and quickly see all the reports and intelligence connected to that specific indicator, from their own enclave and from the TruSTAR Community. Having access to the full context helps SOC operators quickly determine if they have evaluated this IoC in the past and what other TruSTAR members are saying about it, prompting a faster mitigation response.
  2. Cyber Threat Hunting: It is extremely important for threat hunters to quickly establish the quality of intelligence available for a specific indicator. By visualizing the context around specific indicators, threat hunters can answer specific questions such as how many other users are seeing this indicator, when it was first seen on TruSTAR, and what information is available from intelligence sources. This information can guide their hunt and make their mission more targeted.

How do I use it?

When you search for a term like “WannaCry” or an IP address “”, the results will first list all IoCs that match the term, followed by reports that contain the term. If the results contain an IoC, you can click on it and see the graph visualization of all reports that connect to it.

If you are new to TruSTAR, check out this blog post about how to read our graph visualizations.

Check Out Our IoC Search Demo with WannaCry


Ready to get started? 

Now that you know how our new search capability works, give it a try! Click here to get searching. I’ll bet you find a new correlation you haven’t discovered before.
