API 2.0: TruSTAR Operationalizes Data Orchestration and Normalization for a New Era in Intelligence Management

Security Splunk

Today we released API 2.0, the latest version of TruSTAR’s API-First Intelligence Management Platform. This new version continues our commitment to simplify and streamline intelligence for automation in enterprise security intelligence management, and breaks through long-standing industry limitations around operationalizing data orchestration and normalization.

TruSTAR was created on the principle of being API-First, with a data-centric approach to transforming cyber intelligence to make it actionable. TruSTAR API 2.0 delivers on that promise with the addition of TruSTAR Intel Workflows and Safelist Libraries. These new features, combined with TruSTAR’s already robust platform, create a unified, all-source intelligence picture without the flood of false positives or manual data-wrangling.

“Historically, security approaches have focused on layers of defense, which resulted in massive walls around data. But, enterprise security leaders are breaking down silos and demanding visibility and sovereignty over the data workflows required for orchestration and automation in detection and response. We look at sectors like financial services, sales, and marketing and we see that our peers in other departments in the enterprise have stepped to these challenges by combining unified APIs with data-centric architectures. We can learn from this as we enter a new era where integration and automation is a top priority for all enterprise security leaders." — Patrick Coughlin, CEO of TruSTAR

TruSTAR Intel Workflows

A game-changing addition to API 2.0 is TruSTAR Intel Workflows, which provide no-code set-up of data processing and transformations using established sources to cross-validate and curate intelligence. Traditionally, security leaders have had to rely on teams of trained analysts spending many hours a day doing the data janitor work or investing in large, multiyear data engineering projects.

Now, TruSTAR users can easily select intelligence sources, including open source, premium intel providers and collections of historical events and alerts, apply priority scores, Safelists and filtering based on indicator types or attributes and submit prepared data into vetted Enclaves or a suite of enterprise workflow applications.

Benefits include:

TruSTAR Intel Workflows allow users to get normalized scores on observables and events based on individual source profiles, reduce false positives in detection sets by normalizing indicators across multiple sources, and filter by priority score and relevant indicator type. TruSTAR’s Unified Intel API provides a single point of integration through TruSTAR’s fully RESTful API, TAXII infrastructure and Python SDK, supporting all standard data structures and use-case oriented endpoints.

Safelist Libraries

TruSTAR offers Safelists and Blocklists as a replacement Whitelists and Blacklists. Words matter, and we prefer to use more actionable language with the added benefit of replacing language with racial connotations. TruSTAR’s new Safelist libraries allow users to create and maintain a set of observables that can be considered benign from being used for threat intelligence correlations. This can produce false positive alerts, wasting analyst time and lowering business productivity.

Now users can programmatically apply multiple workflow-level Safelists, source weights and filtering before delivery into TruSTAR Intel Workflow destinations. As any security analyst will tell you, no one Safelist library can be used for all use-cases, workflows and security controls. Breaking Safelists into multiple libraries allows users to fine tune and operationalize intelligence using only the applicable set of Safelists based on use cases and the security controls, thereby reducing false positives.

----------------------------------------------------
Thanks!
Mikala Vidal

Related Articles

Threat Update DoubleZero Destructor
Security
5 Minute Read

Threat Update DoubleZero Destructor

The Splunk Threat Research Team shares a closer look at a new malicious payload named DoubleZero Destructor (CERT-UA #4243).
Defending at Machine Speed: Guiding LLMs with Security Context
Security
7 Minute Read

Defending at Machine Speed: Guiding LLMs with Security Context

Enhance LLM performance for cybersecurity tasks with few-shot learning, RAG, & fine-tuning guide models for accurate PowerShell classification.
Zipf's Law and Fraud Detection
Security
4 Minute Read

Zipf's Law and Fraud Detection

Splunker Nimish Doshi breaks down Zipf’s Law to look for possible indicators of fraud.