Improved Submission Workflow on TruSTAR
One of TruSTAR’s key differentiators is the ability to extract and normalize indicators from structured or unstructured submissions. These extracted indicators are critical for making correlations and enriching intelligence sources across an analyst’s workflow.
Today we are pleased to announce an improved submission workflow.
These architectural changes provide two main benefits.
- Data submissions will be more robust, resilient, and performant to large submission volumes.
- We have made it easier for analysts to share, copy, and redact submissions for easier sharing throughout their partner ecosystem.
Read on to learn more about all the analyst workflows we have streamlined with this release.
New Submission Workflow Capabilities
Many TruSTAR users belong to Sharing Communities like ISACs and ISAOs. Before today’s release, users had to manually copy-paste the content into a new submission. With this update, TruSTAR developed an explicit COPY operation that makes sharing intel fast and easy. Now a copy of the entire report, along with tags, can be automatically submitted to an Enclave of the user’s choice. We have also made a copy endpoint available on our Public API for users who want to develop scripts to programmatically share reports.
Copy & Redact Report
When sharing to other teams or peer groups, users may want to redact sensitive information from reports before making them available to their network. In the new Copy workflow, there is an option to apply your redaction library or manually redact the report before the submission process is completed. You can also remove existing tags or add new tags. This copy-and-redact endpoint is also available on our Public API for users who want to develop scripts to programmatically share and redact reports.
Moving a report from one Enclave to another helps teams organize and keep track of reports. For example, some TruSTAR users have an Enclave that serves as a repository of unvetted intelligence. Once a report is evaluated for relevance and fidelity, it is moved into a vetted Enclave. Before the new Move Report workflow, moving a report between Enclaves was a cumbersome four-step process. With today's release we have made this operation explicit and extremely simple to execute. We have also made a Move Report function available on our Public API, which will help automate this operation for multiple submissions at once.
Simplifying Tagging for Submissions
Previously, tags on submissions were either Categories (our term for publicly visible tags) or Enclave tags (private tags visible only to members of that Enclave). These tagging systems were treated differently because of the permission model associated with each. Based on user feedback, there were two main issues with the existing tagging system: the difference between the two tagging classifications was never clear, and the actions you could take based on tags (i.e. Search and Filter) were not consistent. As part of the architectural update we have simplified submission tagging into one system. Permissions are now determined by Enclave: whoever has access to view the report can also see its tags.
Coming Soon: Increased Report Submission Volume
The significant architecture improvements in our submission workflow will allow us to increase the number of indicators we can process in each report submission. Currently, users are limited to a maximum of 500 observables per report submission. By EOY 2019, we will gradually raise this maximum to 1,500.
For a more detailed rundown, please visit our Knowledge Base article.