From 859bd19e24f7e2f5ad82cd4f514ba559322d7869 Mon Sep 17 00:00:00 2001
From: Jesse Hedden
Date: Mon, 22 Jun 2020 12:57:37 -0700
Subject: [PATCH] added module documentation
---
 doc/README.md | 29 +++++++++++++++++++++++++++++
 doc/expansion/trustar_enrich.json | 12 ++++++------
 2 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/doc/README.md b/doc/README.md
index 37cb2c9..cb28526 100644
--- a/doc/README.md
+++ b/doc/README.md
@@ -1168,6 +1168,35 @@ Module to get information from ThreatMiner.
 -----
+#### [trustar_enrich](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/trustar_enrich.py)
+
+
+
+Module to get enrich indicators with TruSTAR.
+- **features**:
+>This module enriches MISP attributes with scoring and metadata from TruSTAR.
+>
+>The TruSTAR indicator summary is appended to the attributes along with links to any associated reports.
+- **input**:
+>Any of the following MISP attributes:
+>- btc
+>- domain
+>- email-src
+>- filename
+>- hostname
+>- ip-src
+>- ip-dst
+>- md5
+>- sha1
+>- sha256
+>- url
+- **output**:
+>MISP attributes enriched with indicator summary data from the TruSTAR API. Data includes a severity level score and additional source and scoring info.
+- **references**:
+>https://docs.trustar.co/api/v13/indicators/get_indicator_summaries.html
+
+-----
+
 #### [urlhaus](https://github.com/MISP/misp-modules/tree/master/misp_modules/modules/expansion/urlhaus.py)
diff --git a/doc/expansion/trustar_enrich.json b/doc/expansion/trustar_enrich.json
index d2f26bd..294419d 100644
--- a/doc/expansion/trustar_enrich.json
+++ b/doc/expansion/trustar_enrich.json
@@ -1,8 +1,8 @@
 {
- "description": "Module to get information from ThreatMiner.",
- "logo": "logos/threatminer.png",
- "input": "A MISP attribute included in the following list:\n- hostname\n- domain\n- ip-src\n- ip-dst\n- md5\n- sha1\n- sha256\n- sha512",
- "output": "MISP attributes mapped from the result of the query on ThreatMiner, included in the following list:\n- domain\n- ip-src\n- ip-dst\n- text\n- md5\n- sha1\n- sha256\n- sha512\n- ssdeep\n- authentihash\n- filename\n- whois-registrant-email\n- url\n- link",
- "references": ["https://www.threatminer.org/"],
- "features": "This module takes a MISP attribute as input and queries ThreatMiner with it.\n\nThe result of this query is then parsed and some data is mapped into MISP attributes in order to enrich the input attribute."
+ "description": "Module to get enrich indicators with TruSTAR.",
+ "logo": "logos/trustar.png",
+ "input": "Any of the following MISP attributes:\n- btc\n- domain\n- email-src\n- filename\n- hostname\n- ip-src\n- ip-dst\n- md5\n- sha1\n- sha256\n- url",
+ "output": "MISP attributes enriched with indicator summary data from the TruSTAR API. Data includes a severity level score and additional source and scoring info.",
+ "references": ["https://docs.trustar.co/api/v13/indicators/get_indicator_summaries.html"],
+ "features": "This module enriches MISP attributes with scoring and metadata from TruSTAR.\n\nThe TruSTAR indicator summary is appended to the attributes along with links to any associated reports."
 }