Splunk ES Installation

Updated 4 hours ago by Elvis Hovor

This article explains how to install and configure the TruSTAR App for Splunk Enterprise Security (ES). The integration typically takes anywhere from 15-30 minutes, depending on your Splunk environment and the number of TruSTAR enclaves specified during configuration.

Requirements

The TruSTAR App for Splunk ES requires this software to be installed before installing the App:

  • Splunk version 7.3 or higher
  • Splunk Enterprise Security version 5.3 or higher
  • Splunk Common Information Model (CIM) version 4 or higher
  • Splunk Datasets Add-on version 1.0 or higher

Before You Install

The TruSTAR integration performs three basic tasks: submitting reports, downloading data, and enrichment of existing notables. To ensure those three processes work separately, you need to create three new email accounts, and then create three accounts in TruSTAR Station that use those three email accounts. In addition, TruSTAR recommends creating a new enclave that will act as the default submission enclave for reports from Splunk ES.

Creating Email Accounts

Either you can work with your company's email administrator to create email accounts or you can work with your TruSTAR Account Manager to create them.

When working with your internal email administrator, TruSTAR recommends using this format for the accounts:

  • Submit Account: trustar_splunk_es_submit@<customername.com>
  • Downloading Account: trustar_splunk_es_download@<customername.com>
  • Enrichment Account: trustar_splunk_es_enrich@<customername.com>

If you choose to work with your TruSTAR Account Manager (AM) to create email accounts that are customized for your usage, these are the recommended email formats:

  • Submit Account: <AMname>+<customername>_splunk_es_submit@trustar.co
  • Downloading Account: <AMname>+<customername>_splunk_es_download@trustar.co
  • Enrichment Account: <AMname>+<customername>_splunk_es_enrich@trustar.co

Creating User Accounts on TruSTAR Station

You will need three sets of API credentials, one for submitting reports, one for downloading data, one for enriching notables.

  1. Submit account:
  • First Name: “Integration Account”
  • Last Name: “Splunk ES Submit”
  1. Download account:
  • First Name: “Integration Account”
  • Last Name: “Splunk ES Download”
  • Enclave Permissions: “view” access to all enclaves.
  1. Enrichment account:
  • First Name: “Integration Account”
  • Last Name: “Splunk ES Enrich”
  • Enclave Permissions: “view” access to all enclaves.
When creating these accounts, note their API Key and API Secret information because you will be asked to enter that when configuring the TruSTAR App.

Creating the Submission Enclave

In TruSTAR Station, create a new enclave to handle all submissions from Splunk ES. TruSTAR recommends using the name Splunk ES Threat Activity for this enclave.

All threat activity notable events should be sent to this enclave automatically by the “Threat Activity Detected” correlation search. so it triggers TruStash to fetch enrichment for the IOC from indicator-query closed-sources. This will ensure that Station has fresh enrichment on that IOC to present to the analyst when they run the “enrich” action on the notable event.

Installing the TruSTAR App

  1. Select Apps -> Manage Apps from the Splunk main menu bar.
  2. Click the Browse More Apps button, then use the Search box to locate the TruSTAR App for Splunk ES app.
  3. Proceed with the installation of the TruSTAR app.

Configuration Options

The Configuration Options is where you set up the API credentials, any proxy servers in use, logging, and other settings for the TruSTAR App.

  1. Choose TruSTAR Splunk ES Technology App from the App pull-down menu on the top-level Splunk menu.
  2. Click Configuration on the blue submenu.

Account Settings

The Account Settings tab sets up the API credentials for the integration.

You need to create three accounts for the three actions that TruSTAR performs:

  • Downloading data into TruSTAR enclaves
  • Submitting reports to TruSTAR
  • Enrichment of notables from TruSTAR enclaves
  1. Enter DOWNLOAD into the Account Name field.
  2. Enter the API key into the Username field.
  3. Enter the API Secret into the Password field.
  4. Click Add to save the details and create the account.
  5. Create a second account with ENRICH as the Account Name, then follow steps 2-4 above.
  6. Create a third account with SUBMIT as the Account Name, then follow steps 2-4 above.

Note: You can use the same API key and API secret for each account.

Proxy

If your environment uses a proxy, use this tab to enter details, such as type, host, port, username and password.

Logging

You can choose one of five logging levels: Debug, Info, Warning, Error, and Critical.

TruSTAR recommends leaving the level at Info (the default) unless instructed by Support if you are having issues.

Add-On Settings

The Add-on Settings specify the location of TruSTAR Station and which enclaves to use with Splunk ES.

Explanation of Settings

  • Station API URL: The URL to make API calls to TruSTAR Station.
  • Default Submit Enclave: The enclave that, by default, will store all submissions to TruSTAR. TruSTAR recommends creating and using a separate enclave named Splunk ES Threat Activity.
  • Default Enrich Enclaves: The default sources for enriching events. TruSTAR recommends using the ALL option, which will use all enclaves. Alternatively, you can choose specific enclaves by providing their IDs, separating each ID with a comma.
You can override these default enclave settings when running individual enrichment or submission actions.

Creating Inputs to Splunk ES

You can create inputs that download data from your TruSTAR enclaves into Splunk ES. This information will be used for both automated and manual enrichment of notable events and alerts in Splunk ES.

The Inputs do not have a 1:1 relationship with TruSTAR enclaves. For example, you can create an input named BadActorIPs and specify that IP addresses from two or more enclaves will be loaded into this input.

For a detailed use case on how to leverage inputs at a very controlled level, see the Splunk ES FAQ.
  1. Choose TruSTAR Splunk ES Technology App from the App pull-down menu on the top-level Splunk menu.
  2. Click Inputs on the blue submenu.
  3. Click Create New Input to start defining an input source.
  4. Enter a Name for the data input.
  5. Enter the Interval of time the input will be updated from TruSTAR.
  6. Use the default Index setting.
  7. Enter DOWNLOAD as the Global Account.
  8. Enter the Enclave IDs that will be the source of the download. You can specify multiple enclaves by separating the IDs with commas.
  9. In the IOC Types field, click to remove any IOC types you do not want to download from the source enclave.
  10. Enter any Tags you want to use to further filter the data. If you enter one or more tags in this field, only IOCs that have ALL the specified tags will be downloaded.
  11. Enter an Expiration value. This determines how long the data will be stored in Splunk ES. For example, if you enter 14, all data imported from this source into Splunk ES that is older than 14 days will be deleted.
  12. Click Add to save these settings and create the input.

Splunk ES Configuration

To have Splunk ES work most efficiently with TruSTAR, you need to modify the Threat Activity correlation search so that IOCs are automatically submitted to your TruSTAR enclave.

  1. Choose Enterprise Security from the App pull-down menu on the top-level Splunk menu.
  2. Click the Configure menu, then click the Content menu.
  3. Click Content Management.
  4. Search for "threat activity detected" and then click on the correlation search named Threat Activity Detected.

This opens the configuration window for that search.

  1. In that configuration window, scroll down to the Adaptive Response Actions section then click the carat next to Notable.
  2. In the Next Steps text box, add these lines, separated by 2 newline characters:
[[action|trustar_submit_event]]


[[action|trustar_enrich_threat_activity]]
  1. In the Recommended Actions section, select TruSTAR - Enrichment and TruSTAR - Submit.

The configuration should now look like this example:

  1. Go back to the Adaptive Response Actions section and choose Add New Response Action.
  2. Select the TruSTAR - Submit action.
  3. Configure the Submit action:
  • Add a Report Title
  • Add additional comments
  • Choose the Default enclave for submitting events (Splunk ES Threat Activity).

The configuration should now look like this example:

  1. Click the green Save in the lower right corner to complete the Splunk ES configuration.

How Did We Do?