Install: TruSTAR for Splunk ES

Updated 1 day ago by Elvis Hovor

This article explains how to install and configure the TruSTAR Workflow App for Splunk Enterprise Security (ES). The integration typically takes anywhere from 15-30 minutes, depending on your Splunk environment and the number of TruSTAR Enclaves specified during configuration.

Requirements

Software Requirements

The TruSTAR Workflow App for Splunk ES requires this software to be installed before installing the App:

  • Splunk version 7.0 or higher
  • Splunk Enterprise Security version 5.0 or higher
  • Splunk Common Information Model (CIM) version 4 or higher
  • Splunk Datasets Add-on version 1.0 or higher

User Permissions

The Splunk account you use to install and configure the TruSTAR Workflow App must have Admin permissions in Splunk and be logged into the Splunk search head.

To check permissions for an account level, use this procedure:

  1. Click the Settings menu in the upper-right corner, then click Access Controls.
    SplunkES_Install_Figure1
  2. On the Access Controls page, click Users.
    SplunkES_Install_Figure2
  3. On the Users page, examine the Roles column. Any user who needs to use the Enrich or Submit actions requires Admin as one of their account roles.
    SplunkES_Install_Figure3

Before You Install

The TruSTAR integration performs three basic tasks:

  • Submitting Intel Reports to TruSTAR
  • Downloading data
  • Enrichment of existing notables.

To ensure those three processes work separately, you need to create three new email accounts, and then create three accounts in the TruSTAR Web App that use those three email accounts. In addition, TruSTAR recommends creating a new Enclave that will act as the default Enclave for Intel Reports submitted from Splunk ES.

TruSTAR recommends creating a separate Enclave in TruSTAR for the submissions you will be sending from Splunk ES.

Creating the Submission Enclave

In TruSTAR Station, create a new Enclave to handle all submissions from Splunk ES. TruSTAR recommends using the name Splunk ES Threat Activity for this enclave.

All threat activity notable events should be sent to this enclave automatically by the Threat Activity Detected correlation search. The Indicators in the events will be extracted and correlated with information from the external intelligence sources you subscribe to in TruSTAR. This automatic correlation ensures that you have the latest information when you run the Enrich action on the Notable Event.

Creating Email Accounts

Each TruSTAR user account is allocated a single set of API credentials, so you will need to create three TruSTAR user accounts. Each of these user accounts requires a unique email address so you will need to create 3 new email accounts on your company's email server. TruSTAR recommends following this conventions:

  • trustar_splunk_es_submit@yourcompany.com
  • trustar_splunk_es_download@yourcompany.com
  • trustar_splunk_es_enrich@yourcompany.com

Creating User Accounts on TruSTAR Station

Now that you have three new email accounts, you'll need to create the three Station user accounts. This can only be done by a user with Company Admininstrator permissions in TruSTAR. For more details, see this support article: Setting up a 'Service Account.

Use this information to set up the accounts in the TruSTAR Web App:

  1. Submit account
  • First Name: Integration Account
  • Last Name: Splunk ES Submit
  • Enclave Permissions: submit access to any Enclave you wish to submit Events to
    • TruSTAR recommends submit access to your Splunk ES Threat Activity enclave and any sharing group Enclaves you would like to be able to submit to. Use view or no access to all other enclaves.
  1. Download account
  • First Name: Integration Account
  • Last Name: Splunk ES Download
  • Enclave Permissions: view access to all enclaves.
  1. Enrichment account
  • First Name: Integration Account
  • Last Name: Splunk ES Enrich
  • Enclave Permissions: view access to all enclaves.
When creating these accounts, note their API Key and API Secret information because you will be asked to enter that when configuring the TruSTAR App.

Installing the TruSTAR App

  1. Select Apps -> Manage Apps from the Splunk ES main menu bar.
  2. Click the Browse More Apps button, then use the Search box to find the TruSTAR App for Splunk ES.
    SplunkES_Install_Figure4
  3. Proceed with the installation of the TruSTAR App.

Configuration Options

The Configuration Options is where you set up the API credentials, proxy servers, logging, and other settings for the TruSTAR App.

  1. Choose TruSTAR Splunk ES Technology App from the App pull-down menu on the top-level Splunk menu.
    SplunkES_Install_Figure5
  2. Click Configuration on the blue submenu.
    SplunkES_Install_Figure6

Account Settings

The Account Settings tab sets up the API credentials for the integration.

SplunkES_Install_Figure7

You need to create three accounts for the three actions that TruSTAR performs:

  • Downloading data into TruSTAR enclaves
  • Submitting reports to TruSTAR
  • Enrichment of notables from TruSTAR enclaves
  1. Enter DOWNLOAD into the Account Name field.
  2. Enter the API key into the Username field.
  3. Enter the API Secret into the Password field.
  4. Click Add to save the details and create the account.
  5. Create a second account with ENRICH as the Account Name, then follow steps 2-4 above.
  6. Create a third account with SUBMIT as the Account Name, then follow steps 2-4 above.

Proxy

If your environment uses a proxy, use this tab to enter details, such as type, host, port, username and password.

SplunkES_Install_Figure8

Logging

You can choose one of five logging levels: Debug, Info, Warning, Error, and Critical.

SplunkES_Install_Figure9
TruSTAR recommends leaving the level at Info (the default) unless instructed by Support.

Add-On Settings

The Add-on Settings specify the location of the TruSTAR Web App and which Enclaves to use with Splunk ES.

SplunkES_Install_Figure10

Explanation of Settings

  • Station API URL: The URL to make API calls to the TruSTAR Web App (formerly known as Station).
  • Default Submit Enclave: The Enclave that, by default, will store all your submissions to TruSTAR. TruSTAR recommends creating and using a separate enclave named Splunk ES Threat Activity.
  • Default Enrich Enclaves: The Enclaves for enriching events. TruSTAR recommends using the ALL option, which will use all Enclaves available to you, including internal and external intelligence sources. Alternatively, you can choose specific Enclaves by providing their IDs, separating each ID with a comma.
You can override the default Enclave settings when running individual enrichment or submission actions.

Creating Inputs to Splunk ES

You can create inputs that export data from your TruSTAR Enclaves into Splunk ES. This information can then be used for both automated and manual enrichment of notable events and alerts in Splunk ES.

The Inputs do not have a 1:1 relationship with TruSTAR Enclaves. For example, you can create an input named BadActorIPs and specify that IP addresses from two or more Enclaves be loaded into this input.

For a detailed use case on how to leverage inputs at a very controlled level, see the Splunk ES FAQ.
  1. Choose TruSTAR Splunk ES Technology App from the App pull-down menu on the top-level Splunk menu.
    SplunkES_Install_Figure11
  2. Click Inputs on the blue submenu.
    SplunkES_Install_Figure12
  3. Click Create New Input to start defining an input source.
    SplunkES_Install_Figure13
  4. Enter a Name for the data input.
  5. Enter the Interval. Set this to 600.
  6. Use the default Index setting.
  7. Enter DOWNLOAD as the Global Account.
  8. Enter the Enclave IDs that will be the source of the download. You can specify multiple Enclaves by separating the Enclave IDs with commas.
  9. In the IOC Types field, click to remove any Indicator types you do not want to download from the source Enclave.
  10. Enter any tags you want to use to further filter the data. If you enter one or more tags in this field, only Indicators that have ALL the specified tags will be downloaded.
  11. Enter an Expiration value. This determines how long the data will be stored in Splunk ES. For example, if you enter 14, all data imported from this source into Splunk ES that is older than 14 days will be deleted.
  12. Click Add to save these settings and create the input.

Splunk ES Configuration

To have Splunk ES work most efficiently with TruSTAR, you need to modify the Threat Activity correlation search so that Indicators are automatically submitted to your default TruSTAR Enclave.

  1. Choose Enterprise Security from the App pull-down menu on the top-level Splunk menu.
    SplunkES_Install_Figure14
  2. Click the Configure menu, then click the Content menu.
    SplunkES_Install_Figure15
  3. Click Content Management.
    SplunkES_Install_Figure16
  4. Search for "threat activity detected" and then click on the correlation search named Threat Activity Detected.
    SplunkES_Install_Figure17

This opens the configuration window for that search.

SplunkES_Install_Figure18

  1. In that configuration window, scroll down to the Adaptive Response Actions section, then click the carat next to Notable.
    SplunkES_Install_Figure19
  2. In the Next Steps text box, add these lines, separated by 2 newline characters:
[[action|trustar_submit_event]]


[[action|trustar_enrich_threat_activity]]
  1. In the Recommended Actions section, select TruSTAR - Enrichment and TruSTAR - Submit.

The configuration should now look like this example:

SplunkES_Install_Figure20
  1. Go back to the Adaptive Response Actions section and choose Add New Response Action.
    SplunkES_Install_Figure21
  2. Select the TruSTAR - Submit action.
  3. Configure the Submit action:
  • Add a Report Title
  • Add additional comments
  • Choose the Default Enclave for submitting events (usually Splunk ES Threat Activity).

The configuration should now look like this example:

SplunkES_Install_Figure22
  1. Click the green Save in the lower right corner to complete the Splunk ES configuration.
    SplunkES_Install_Figure23

How Did We Do?