Install: TruSTAR App for Enterprise Security
This article explains how to install and configure the TruSTAR Workflow App for Splunk Enterprise Security (ES). The integration typically takes anywhere from 15-30 minutes, depending on your Splunk environment and the number of TruSTAR Enclaves specified during configuration.
Related Links
- User Guide: TruSTAR for Splunk ES
- FAQ: TruSTAR for Splunk ES
- Splunkbase: TruSTAR App for Enterprise Security
Requirements
Software.
The TruSTAR Workflow App for Splunk ES requires this software to be installed before installing the App:
- Splunk version 7.0 or higher
- Splunk Enterprise Security version 5.0 or higher
- Splunk Common Information Model (CIM) version 4 or higher
- Splunk Datasets Add-on version 1.0 or higher
Logs-to-CIM mapping.
Splunk ES Professional Services can assist with this process.
For more information see the Splunk ES CIM Overview.
KvStore replication (ES search-head clusters only).
- Downloading indicators from TruSTAR to search-head will only happen on cluster Captain node.
- Cluster must be configured to replicate the ES Threatintel KvStores to all nodes in the cluster.
- For assistance, please contact Splunk Professional Services.
Proxy "sticky sessions" (ES SHC's only).
- This is a Splunk requirement.
- Ensures consistent user experience.
Local search processing (Distributed Splunk deployments).
- Many Enterprise Security knowledge objects reside on search-heads only.
- Correlation, threat-gen, lookup-gen searches must process entirely on search-heads.
- cannot distribute to an indexer/indexer cluster.
- For assistance, please contact Splunk Professional Services.
Networking.
- code will be started by the Splunk application on search-heads.
- code will need to be able to make REST API calls to the Splunk application on localhost, port 8089
- Splunk application must accept incoming traffic on port 8089.
- For assistance, contact Splunk Professional Services.
Splunk User Account Permissions.
On search heads:
- admin required for installation
- ess_analyst (or greater) required for use
Help: View Splunk User Account Permissions.
TruSTAR Enclaves.
Need (1) enclave named Splunk ES Threat Activity.
TruSTAR account manager will create this.
TruSTAR User Accounts.
- Need 3 user accounts.
- TruSTAR account manager will create these.
Purpose | username (email) | Enclave Permissions |
Download | cs-integrations+yourcompany_splunk_es_download@trustar.co | - "view": all. |
Submit | cs-integrations+yourcompany_splunk_es_submit@trustar.co | - "view": all. - "full": "Splunk ES Threat Activity" |
Enrich | cs-integrations+yourcompany_splunk_es_enrich@trustar.co | - "view": all. |
Install.
Do not install on indexers or heavy-forwarders.
- Select Apps -> Manage Apps from the Splunk ES main menu bar.
- Click the Browse More Apps button, then use the Search box to find the TruSTAR App for Enterprise Security (Splunkbase page: TruSTAR App for Enterprise Security).
- Proceed with the installation of the TruSTAR App.
App-Level Config.
The Configuration Options is where you set up the API credentials, proxy servers, logging, and other settings for the TruSTAR App.
- Choose TruSTAR Splunk ES Technology App from the App pull-down menu on the top-level Splunk menu.
- Click Configuration on the blue submenu.
Account Settings
The Account Settings tab sets up the API credentials for the integration.
Add API creds for your 3 TruSTAR user accounts. "Account name" for each should be:
- DOWNLOAD
- ENRICH
- SUBMIT
TruSTAR API secret goes in "Password" field.
An API key looks like this: e0dk3128-xxxx-xxxx-ad4a-ff1a2b3c4d89f
An API secret looks like this: KMuSxxxxk39Uhwxxxx9kVi2Z
Proxy
If proxy between Search Head(s) and TruSTAR, configure type, host, port, username and password.
Logging
You can choose one of five logging levels: Debug, Info, Warning, Error, and Critical.
Add-On Settings
The Add-on Settings specify the location of the TruSTAR Web App and which Enclaves to use with Splunk ES.
Explanation of Settings
- Station API URL: The URL to make API calls to the TruSTAR Web App.
- Default Submit Enclave: ID for enclave named Splunk ES Threat Activity.
- Default Enrich Enclaves: The Enclaves for enriching events.
- TruSTAR recommends: ALL
- Alternatively, can enter comma-separated list of enclave IDs.
Input Config.
Inputs copy indicators from TruSTAR to Splunk ES's Threat-Intel KVStores for ES to use in its detection pipeline.
Inputs and Enclaves
- Reduce false-positive alerts by exercising fine-grained control over the IOCs the app brings into the detection set.
- Configure automatic whitelist reconciliation by adding an input named (verbatim, all-caps) WHITELIST
Examples:
Input Name | Interval | Enclave | Indicator Types | Tags | Expire |
WHITELIST | 14400 | - | all | 180 | |
investigated_detection_ip | 3600 | Investigations | IP | malicious, detection | 7 |
investigated_detection_hash_email | 3600 | Investigations | email, sha256, md5 | malicious, detection | 180 |
investigated_phish_urls | 3600 | Investigations | url | malicious, phish | 90 |
investigated_phish_ips | 3600 | Investigations | ip | malicious, phish | 7 |
isac_vetted_ip | 3600 | Sharing Group Vetted Indicators | IP | 7 | |
isac_vetted_email_hash | 3600 | Sharing Group Vetted Indicators | email, sha256, md5, sha1 | 180 | |
isac_vetted_url | 3600 | Sharing Group Vetted Indicators | url | 60 | |
premium_sources_ip | 3600 | - Source A - Source B - Source C | IP | 7 | |
premium_sources_all_others | 3600 | - Source A - Source B - Source C | email, url, sha1, md5, sha256, registry, filename | 90 |
Examples of Input Configuration
When setting up the TruSTAR App, you can configure which types of Indicators to pull from which Enclaves. For example, you may want to only pull IP information from one Enclave and email addresses from another enclaves. You can edit these inputs at any time by changing your configuration.
To help you understand the power of granular inputs, here is an example for a fictional company, Acme Corporation.
Input 1
Acme Corporation wants Splunk ES to always be on the lookout for any sign of any Indicator that Acme has investigated and determined malicious. Acme stores these Indicators in a case management Enclave in TruSTAR.
- Name: Acme IOCs
- Enclave ID: <case-management Enclave in TruSTAR>
- Indicator Types: All available (do not remove any Indicators from the default list display)
- Expiration: 360 days
Input 2
Acme Corporation is extremely concerned about file hashes reported on by Intelligence Source X. They are not interested in alerting on any other Indicator type reported on by that intelligence source, and they are not interested in hashes reported on by any other intelligence source.
- Name: X-Intel Source
- Enclave ID: <case-management Enclave in TruSTAR>
- Indicator Types: SHA1, SHA256, MD5 (delete all others displayed in this field)
- Expiration: 180 days
Input 3
Acme Corporation is also interested in alerting on IP addresses reported on by Intelligence Sources A,B,C,D, and E, but only if the reporting is timestamped within the last 7 days. To accommodate this interest, they configure a third input that downloads IP addresses from Enclaves A,B,C, and D and retains them for 7 days.
- Name: Malicious IPs
- Enclave ID: <enclaveA_ID, enclaveB_ID, enclaveC_ID, enclaveD_ID>
- Indicator Types: IP
- Expiration: 7 days
Input 4
Acme Corporation is also a member of a sharing group named CyberSleuths. Acme wants another input to copy all Indicators from that sharing group Enclave and retain them for 90 days.
- Name: CyberSleuth Intel
- Enclave ID: <CyberSleuth_ID>
- Indicator Types: All available (do not remove any Indicators from the default list display)
- Expiration: 90 days
Input 5
Acme Corporation also runs a script that copies Intel Reports and Indicators that meet certain criteria to an Enclave named ACME_CURATED that they believe contains very high-signal data. For example, that script transfers only Indicators with scores by sources A, B, and C that surpass certain thresholds. Acme wants to configure an input that copies all Indicator types from that Enclave and retains them for 180 days.
- Name: ACME Curated Intel
- Enclave ID: <ACME_CURATED_ID>
- IOC Types: All available (do not remove any Indicators from the default list display)
- Expiration: 180 days
Creating an Input
- Choose TruSTAR Splunk ES Technology App from the App pull-down menu on the top-level Splunk menu.
- Click Inputs on the blue submenu.
- Click Create New Input to start defining an input source.
- Fill out the config options.
- Name:
- Valid characters: letters, underscores, no whitespaces, no other special characters.
- Must be unique. - Interval: use 3600.
- Index: Not used, leave default. (see note)
Details
The TruSTAR integration puts IOCs into the Splunk ES Threat Intel key-value stores.
It does not store any information in indexes. The "Index" config option exists only because TruSTAR built this add-on using Splunk's Add-On-Builder (AOB) and that config option cannot be removed from the AOB's default inputs config page. - Global Account: DOWNLOAD
- Enclave IDs:
- IDs of enclaves to download from.
- separate enclave IDs with commas. - IOC Types:
- all by default.
- remove those you don't want this input to download. - Tags:
- used as a filter.
- lowercase characters only.
- input will ONLY download indicators meeting all other criteria (enclaves, types, timerange) AND have ALL the tags listed in this box. - Expiration:
- # days.
- when an indicator hasn't been mentioned in any of the enclaves this input downloads from in this number of days, the indicator will no longer be detected on.
- Name:
- Click Add to save these settings and create the input.
Auto-Notable-Event-Submission Config.
Notable Events must be submitted to the Splunk ES Threat Activity enclave in TruSTAR for TruSTAR to be able to triage / enrich them.
- Choose Enterprise Security from the App pull-down menu on the top-level Splunk menu.
- Click the Configure menu, then click the Content menu.
- Click Content Management.
- Search for "threat activity detected" and then click on the correlation search named Threat Activity Detected.
This opens the configuration window for that search.
- In that configuration window, scroll down to the Adaptive Response Actions section, then click the carat next to Notable.
- In the Next Steps text box, add these lines, separated by 2 newline characters:
[[action|trustar_submit_event]]
[[action|trustar_enrich_threat_activity]]
- In the Recommended Actions section, select TruSTAR - Enrichment and TruSTAR - Submit.
The configuration should now look like this example:
- Go back to the Adaptive Response Actions section and choose Add New Response Action.
- Select the TruSTAR - Submit action.
- Configure the Submit action:
- Add a Report Title
- Add additional comments
- Choose the Default Enclave for submitting events (usually Splunk ES Threat Activity).
The configuration should now look like this example:
- Click the green Save in the lower right corner to complete the Splunk ES configuration.
