Cyber observables and IOCs are the building blocks of intelligence analysis. They're critical to making accurate decisions throughout the investigative workflow, but effectively managing this vast amount of IOC data is challenging.
Today we are excited to release our new IOC Management feature that will streamline IOC management throughout the entire indicator lifecycle. This new feature will help you upload large numbers of IOCs, classify IOCs into groups, augment them with additional context, and automatically surface them in internal investigations and threat hunts.
How is this different from existing capabilities on TruSTAR?
Until now, IOCs on the TruSTAR platform were always embedded in reports. They didn’t exist as independent entities. Reports provide an elegant way of grouping related threat intelligence so that it can be viewed as comprehensive analysis, but they limit an analyst’s ability to investigate a specific IOC or a group of IOCs and contextualize them. This change is a first step in a larger initiative that will allow users to more easily analyze cyber and fraud investigations, track TTPs, campaigns, and actors, and visualize relationships between them.
Great! Tell me more…
As an end user of the TruSTAR platform you can now take the following actions:
- Mass Enrichment - Upload large lists of IOCs and their associated context into one or more enclaves and let TruSTAR automatically augment them with additional enrichment.
- Group Tagging - Use tags to easily manage IOCs as individual entities or as large groups of IOCs that share some common characteristic, like “ddos,” “brand protection,” “APT28,” etc.
- Visualize Context - Track enrichment of individual IOCs over time in our graph visualizations and quickly identify correlations with other intelligence sources.
These actions will let analysts quickly complete tasks including:
- Batch Processing - Send a large number of IOCs to TruSTAR using the API or Station, in a structured or unstructured data format, and have the platform provide enrichment for each IOC.
- Mass Exporting - Export enriched IOCs, like IP addresses, that have a specific tag associated with them, e.g. “ddos.”
- Continuous Tracking - Keep a running list of IOCs and continuously update them with new context using the API or the Station.
Enrichment from our Machine Learning capabilities
All IOCs processed by TruSTAR are rated using our machine learning models (you can read more about our model here). All IOCs rated as HIGH PRIORITY will be labeled accordingly and you will see them prominently displayed in the Explore view and the graph visualization.
I have a list of IOCs. How can I get started?
We value your feedback and would like to learn about how to improve this feature. Don’t hesitate to get in touch with us at firstname.lastname@example.org to get started.