Our New Automated Whitelisting Capability

False positives waste time. At TruSTAR, our mission is to empower analysts to make smarter decisions faster about where to focus precious investigation cycles.

With this in mind, we’re rolling out a new Automated Whitelisting Capability to reduce false positives and non-relevant IOCs without interrupting analyst workflow. This new feature will immediately provide relief to analysts who are dealing with information overload and let them get on with their jobs.

This new feature is built on top of our Enclave architecture, which gives TruSTAR users more control over their data.

How does auto-whitelisting work and how will this affect me?

We’re using machine learning models to identify URLs and IPs that are noisy and redundant. These indicators will automatically be removed from correlation count, graph visualization, dashboard results, and API responses to give you better relevancy in your investigations. URLs and IPs account for a large majority of IOCs on TruSTAR and that’s why we are starting by focusing on these two IOC types. We will apply automated whitelisting to other IOC types in future releases.

What is the difference between auto-whitelisting and the company whitelisting feature?

Automated whitelisting takes into account the contextual data around the IOC at the report level. So, if an IOC is automatically whitelisted in the present report, it could still appear in a future one. However, when you add an IOC to the company whitelist it will never be seen again.

How do I add an IOC to my company whitelist?

There are two ways you can add an IOC to your company whitelist.

You can add IOCs using the IOCs tab. Click on the to add the IOC to your company whitelist.

Or, you can add an IOC to your company whitelist by selecting the IOC on the graph, and then using the information panel on the left. 

Will I be able to revert the auto-whitelist decision?

Yes, as long as you have read-write capabilities for the Enclave(s) containing the report you can click on the red X button shown in Figure 1 to revert the automated decision. The reversion will affect all Enclaves associated with that report. For example, if you revert the automated whitelisting decision for an IOC it will now appear as a malicious IOC in all Enclaves associated with the report. The IOC will be counted in the correlation count and will show up in the graph visualization, dashboard results, and API responses.

How does the automation work?

The automated capability relies on three different types of features that are used in our machine learning models:

  • Contextual features: The words surrounding the IOC. This is why the capability applies at the report level.
  • Lexical features: The types of characters present in the IOC.
  • Third-party features: The values returned from third-party sources, such as the domain reputation.
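As an added illustration (not TruSTAR's model or code), the three feature families above computed for IOCs found in a constructed sample report. The reputation table stands in for a third-party lookup and the `extract_features` function is an assumption; the classifier that consumes these features is not shown.

```python
import re
from collections import Counter

# Constructed sample report text (not real TruSTAR data).
SAMPLE_REPORT = (
    "The phishing kit was hosted at http://login-update.example-bad.test/verify "
    "and the sample later beaconed to 203.0.113.7. Screenshots are in "
    "https://docs.example.com/report/2018 for reference."
)

# Constructed reputation table; a real deployment would query a
# third-party reputation service (hypothetical here).
REPUTATION = {"login-update.example-bad.test": "malicious",
              "docs.example.com": "benign"}

def lexical_features(ioc: str) -> dict:
    """Character-type features of the IOC string itself."""
    digits = sum(c.isdigit() for c in ioc)
    return {
        "length": len(ioc),
        "digit_ratio": digits / len(ioc),
        "special_chars": sum(not c.isalnum() for c in ioc),
        "is_ip": bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ioc)),
    }

def contextual_features(report: str, ioc: str, window: int = 4) -> dict:
    """Bag of lowercased words within `window` tokens of the IOC.

    These depend on the surrounding report text, which is why the
    whitelisting decision is made per report rather than per IOC."""
    tokens = report.split()
    idx = next((i for i, t in enumerate(tokens) if ioc in t), None)
    if idx is None:
        return {}  # IOC not present in this report
    nearby = tokens[max(0, idx - window):idx] + tokens[idx + 1:idx + 1 + window]
    return dict(Counter(w.strip(".,").lower() for w in nearby))

def third_party_features(ioc: str) -> dict:
    """Reputation of the host part of the IOC (URL or IP)."""
    host = re.sub(r"^https?://", "", ioc).split("/")[0]
    return {"reputation": REPUTATION.get(host, "unknown")}

def extract_features(report: str, ioc: str) -> dict:
    """Assumed feature vector layout: one dict per feature family."""
    return {
        "lexical": lexical_features(ioc),
        "contextual": contextual_features(report, ioc),
        "third_party": third_party_features(ioc),
    }
```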

If you have any more questions or concerns, we always welcome feedback at or to your TruSTAR customer success rep.

To read more about TruSTAR's Data Science initiatives click here.
