Install: TruSTAR App for Splunk ES
This article explains how to install and configure the TruSTAR Workflow App for Splunk Enterprise Security (ES). The integration typically takes anywhere from 15-30 minutes, depending on your Splunk environment and the number of TruSTAR Enclaves specified during configuration.
You can use the TruSTAR Workflow App for Splunk ES to
- Accelerate investigations: Ingest pre-filtered open source and Premium Intelligence feeds from your TruSTAR Enclaves into the Splunk KV Store to alert against internal log events. You can configure inputs to select only the Indicator types that are relevant to your organization.
- Prioritize Alerts: Use TruSTAR's enrichment of Notable Events to view pass-through scores from Premium Intelligence feeds and help prioritize notable events.
- Investigate and Respond: Submit Notable Events to TruSTAR for further enrichment and correlation with historical data. You can share the full event or redact it for added security.
Related Links
- User Guide: TruSTAR for Splunk ES
- FAQ: TruSTAR for Splunk ES
- Splunkbase: TruSTAR App for Enterprise Security
Splunk ES Requirements
Software
You must have the following Splunk ES packages installed before installing the TruSTAR App:
- Splunk version 7.0 or higher
- Splunk Enterprise Security version 5.0 or higher
- Splunk Common Information Model (CIM) version 4 or higher
- Splunk Datasets Add-on version 1.0 or higher
For Splunk ES to generate notable events when it finds a TruSTAR Indicator in logs, those logs must be mapped to the Splunk Common Information Model. Splunk Professional Services can assist with this process. For more information, see the Splunk ES CIM Overview.
User Accounts
You must have two Splunk ES user accounts on each search head:
- admin required for installation
- ess_analyst (or greater) required for use
For more information, see Check Splunk User Account Permissions in the FAQ.
Search-Head Clusters
If your Splunk ES configuration includes search-head clusters, you need to configure the following items.
Some search-head-clustering documentation:
- Search Head Clusters in Distributed Search
KV Store Replication
Downloading Indicators from TruSTAR to the search head can occur only on the cluster Captain node. The cluster must be configured to replicate the ES Threatintel KV Stores to all nodes in the cluster.
Proxy Sticky Sessions
You must have proxy sticky sessions enabled. This is a Splunk requirement and ensures a consistent user experience.
Networking
The TruSTAR App runs code on the search heads. That code must be able to make REST API calls to the Splunk application on localhost, port 8089.
The Splunk application must accept incoming traffic on port 8089.
Distributed Splunk Deployments
Many Splunk ES knowledge objects reside on search-heads only. Correlation, threat-gen, and lookup-gen searches must process entirely on search-heads and cannot be distributed to an indexer or indexer cluster.
For assistance, please contact Splunk Professional Services.
Some Distributed Splunk documentation:
TruSTAR Requirements
Your TruSTAR setup needs to have one enclave and three user accounts dedicated to Splunk ES. Work with your TruSTAR account manager to create these items.
Enclaves
Your TruSTAR installation needs to have one enclave named Splunk ES Threat Activity.
User Accounts
The App requires three user accounts. For faster setup, TruSTAR will create these accounts for you, including "dummy" email accounts for each one. When you view these accounts in the TruSTAR Web App, you will see the three names in the left column, the permissions in the right column, and the dummy email addresses.
| Account Name | Enclave + Permissions |
| --- | --- |
| Download | All Enclaves - view |
| Submit | All Enclaves - view; Splunk ES Threat Activity Enclave - full |
| Enrich | All Enclaves - view |
Installing the TruSTAR App
- Select Apps -> Manage Apps from the Splunk ES main menu bar.
- Click the Browse More Apps button, then use the Search box to find the TruSTAR App for Enterprise Security (Splunkbase page: TruSTAR App for Enterprise Security).
- Proceed with the installation of the TruSTAR App.
Configuring the App
The Configuration page is where you set up API credentials, proxy server, logging, and other settings for the TruSTAR App.
- Choose TruSTAR Splunk ES Technology App from the App pull-down menu on the top-level Splunk menu.
- Click Configuration on the blue submenu.
Account Settings
The Account Settings tab sets up the API credentials for the integration.

You will now set up three user accounts that match the three TruSTAR accounts you worked with your TruSTAR account manager to create.
1. For the first account, enter the Account name as DOWNLOAD.
2. In the Username field, enter your TruSTAR API Key.
3. In the Password field, enter your TruSTAR API Secret.
4. Click Add to save the account.
5. For the second account, enter the Account name as ENRICH.
6. Repeat steps 2-4.
7. For the third account, enter the Account name as SUBMIT.
8. Repeat steps 2-4.
You should now see three accounts with the names DOWNLOAD, ENRICH, and SUBMIT.
Proxy Settings
If your installation uses a proxy between search head(s) and the TruSTAR platform, you need to configure the proxy information as shown below.

Logging
You can choose one of five logging levels: Debug, Info, Warning, Error, and Critical.

Add-On Settings
The Add-on Settings specify the location of the TruSTAR Web App and which Enclaves to use with Splunk ES.
Explanation of Settings
- Station API URL: The URL to make API calls to the TruSTAR Web App.
- Default Submit Enclave: The Enclave ID for Splunk ES Threat Activity.
- Default Enrich Enclaves: The Enclaves to use when enriching events.
  - TruSTAR recommends: ALL
  - Alternatively, enter a comma-separated list of Enclave IDs.
Configuring Inputs
Inputs in Splunk ES copy Indicators from TruSTAR Enclaves to Splunk ES's Threat-Intel KV Stores to use in its detection pipeline.
Creating an Input
- Choose TruSTAR Splunk ES Technology App from the App pull-down menu on the top-level Splunk menu.
- Click Inputs on the blue submenu.
- Click Create New Input to start defining an input source.
- Fill out the configuration options as shown in this table.
| Field | Value | Notes |
| --- | --- | --- |
| Name | Name of the input | A unique input name. Valid characters are letters and underscores only. You cannot use spaces or special characters. |
| Interval | 3600 | This is the default value. Do not change this value. |
| Index | n/a | Not used in the TruSTAR App. |
| Global Account | DOWNLOAD | The account you created during the installation process. |
| Enclave IDs | Enclaves to download from | You must enter at least one Enclave ID. To specify multiple Enclave IDs, separate them with commas and no spaces. See Finding Enclave IDs. |
| IOC Types | Indicator types to download | The Indicator types you want to download from TruSTAR. The default is to include all Indicator types. Click x on an Indicator type to remove it. |
| Tags | List of tags | This list is used to filter Indicators when downloading from TruSTAR. Lowercase characters only. The input downloads only Indicators that match all other criteria (Enclaves, IOC types, etc.) AND carry ALL of the tags in the list. |
| Expiration | Number of days | When an Indicator has not been mentioned in any of the Enclaves this input downloads from for the specified number of days, the App stops detecting on that Indicator. |
- Click Add to save these settings and create the input.
Examples of Input Configuration
When setting up the TruSTAR App, you can configure which types of Indicators to pull from which Enclaves. For example, you may want to pull only IP addresses from one Enclave and only email addresses from another. You can edit these inputs at any time by changing your configuration.
To help you understand the power of granular inputs, here are five inputs for a fictional company called Acme Corp.
Input 1
Acme wants to watch for any Indicators that they have already investigated and determined are malicious. Acme stores these Indicators in a Vetted Indicators Enclave in TruSTAR.
| Input Name | Enclave IDs | IOC Types | Expiration |
| --- | --- | --- | --- |
| Historical_Indicators | <vetted indicators Enclave ID> | All | 360 days |
Input 2
Acme is extremely concerned about file hashes reported on by Intelligence-X. They want to constrain this input to file hashes only, and only from that one Intelligence Source.
| Input Name | Enclave IDs | IOC Types | Expiration |
| --- | --- | --- | --- |
| Intel-X_Source | <Intelligence-X Enclave ID> | SHA1, SHA256, MD5 | 180 days |
Input 3
Acme wants to alert on IP addresses reported by Intelligence Sources A, B, and C, but only if the reporting is timestamped within the last 7 days. To do this, they configure an input that downloads IP addresses from Enclaves A, B, and C and retains that data for 7 days.
| Input Name | Enclave IDs | IOC Types | Expiration |
| --- | --- | --- | --- |
| Malicious_IPs | <EnclaveA_ID>,<EnclaveB_ID>,<EnclaveC_ID> | IP | 7 days |
Input 4
Acme is a member of a sharing group named CyberSleuths. Acme wants to copy all Indicators from that sharing group Enclave and retain them for 90 days.
| Input Name | Enclave IDs | IOC Types | Expiration |
| --- | --- | --- | --- |
| CyberSleuth_Intel | <CyberSleuthEnclave_ID> | All | 90 days |
Input 5
Acme Corporation runs a script that copies TruSTAR Reports and Indicators meeting certain criteria into an Enclave named ACME_CURATED, so that Enclave contains only very high-signal data. Acme wants to configure an input that copies all Indicator types from that Enclave and retains them for 180 days.
| Input Name | Enclave IDs | IOC Types | Expiration |
| --- | --- | --- | --- |
| Curated_Intel | <AcmeCuratedEnclave_ID> | All | 180 days |
Reconciling the TruSTAR WhiteList
You can configure an input that removes from the KV Stores every term included on your organization's TruSTAR Safelist (formerly called the whitelist). You must use the input name WHITELIST for this input to work correctly.
| Input Name | Interval | Enclave | Indicator Types | Tags | Expire |
| --- | --- | --- | --- | --- | --- |
| WHITELIST | 14400 | - | all | - | 180 |
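To make the input semantics above concrete (the Enclave IDs filter, the IOC Types filter, the AND of all listed Tags, Expiration measured from the last mention in any selected Enclave, and the WHITELIST input that removes Safelisted terms), here is an added Python model of that selection logic. It is example code written for this page, not the TruSTAR App's own code; the Indicator fields, Enclave IDs (ENC_A, ENC_B, ENC_C), tags and sample values are all constructed for the illustration, and the Acme inputs from the previous section are reproduced as configurations so you can see which Indicators each one would load.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Set

# Fixed reference time so the constructed sample data below is reproducible.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Indicator:
    """One Indicator as seen in one Enclave (field names are assumptions for this model)."""
    value: str
    ioc_type: str            # e.g. IP, MD5, SHA256, URL, EMAIL_ADDRESS
    enclave_id: str
    tags: FrozenSet[str]
    last_seen: datetime      # last time the Indicator was mentioned in this Enclave


@dataclass
class InputConfig:
    """The fields of one TruSTAR App input that decide which Indicators are loaded."""
    name: str
    enclave_ids: List[str]
    ioc_types: Optional[Set[str]] = None         # None = all Indicator types (the default)
    tags: Set[str] = field(default_factory=set)  # an Indicator must carry ALL of these
    expiration_days: int = 180


def select_indicators(cfg: InputConfig, indicators: List[Indicator], now: datetime = NOW) -> Set[str]:
    """Return the Indicator values this input would place in the Threat-Intel KV Store."""
    wanted_types = None if cfg.ioc_types is None else {t.upper() for t in cfg.ioc_types}
    wanted_tags = {t.lower() for t in cfg.tags}
    cutoff = now - timedelta(days=cfg.expiration_days)

    # Most recent mention of each value across the Enclaves this input reads from.
    latest: Dict[str, datetime] = {}
    for ind in indicators:
        if ind.enclave_id not in cfg.enclave_ids:
            continue                      # Enclave IDs filter
        if wanted_types is not None and ind.ioc_type.upper() not in wanted_types:
            continue                      # IOC Types filter
        if not wanted_tags <= {t.lower() for t in ind.tags}:
            continue                      # Tags filter: every listed tag must be present
        if ind.value not in latest or ind.last_seen > latest[ind.value]:
            latest[ind.value] = ind.last_seen

    # Expiration: drop values not mentioned in any selected Enclave within the window.
    return {value for value, seen in latest.items() if seen >= cutoff}


def reconcile_safelist(kv_values: Set[str], safelist: Set[str]) -> Set[str]:
    """Model of the WHITELIST input: remove every KV Store term that is on the Safelist."""
    lowered = {s.lower() for s in safelist}
    return {v for v in kv_values if v.lower() not in lowered}


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


# Constructed sample Indicators: documentation address ranges and a made-up hash, not real IoCs.
SAMPLE_INDICATORS = [
    Indicator("198.51.100.7", "IP", "ENC_A", frozenset({"malicious", "detection"}), days_ago(2)),
    Indicator("198.51.100.7", "IP", "ENC_B", frozenset(), days_ago(30)),
    Indicator("203.0.113.9", "IP", "ENC_B", frozenset({"malicious"}), days_ago(20)),
    Indicator("203.0.113.50", "IP", "ENC_C", frozenset({"malicious", "detection"}), days_ago(1)),
    Indicator("192.0.2.77", "IP", "ENC_A", frozenset({"malicious", "detection"}), days_ago(1)),
    Indicator("0123456789abcdef0123456789abcdef", "MD5", "ENC_A",
              frozenset({"malicious", "detection"}), days_ago(3)),
    Indicator("http://phish.example/login", "URL", "ENC_A",
              frozenset({"malicious", "phish"}), days_ago(5)),
]

# Constructed: an address the organization has placed on its TruSTAR Safelist.
SAMPLE_SAFELIST = {"192.0.2.77"}


if __name__ == "__main__":
    # Acme's "Malicious_IPs" input: IPs from three Enclaves, 7-day expiration.
    malicious_ips = InputConfig("Malicious_IPs", ["ENC_A", "ENC_B", "ENC_C"], {"IP"}, expiration_days=7)
    loaded = select_indicators(malicious_ips, SAMPLE_INDICATORS)
    print("Malicious_IPs loads:", sorted(loaded))
    print("after WHITELIST reconciliation:", sorted(reconcile_safelist(loaded, SAMPLE_SAFELIST)))
```

Two details of the model are worth checking against your own expectations: 198.51.100.7 survives the 7-day Malicious_IPs window because its most recent mention (2 days ago, in ENC_A) counts even though its ENC_B mention is 30 days old, while 203.0.113.9 is dropped because its only mention is 20 days old; and an input with Tags `malicious, phish` loads only Indicators carrying both tags, so the MD5 tagged `malicious, detection` is excluded.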
More Examples of Inputs
You can reduce false-positive alerts by exercising fine-grained control over the Indicators that the App brings into the detection set. The table below shows some example inputs that filter Indicators in this way.
| Input Name | Interval | Enclave | Indicator Types | Tags | Expire |
| --- | --- | --- | --- | --- | --- |
| investigated_ip | 3600 | Investigations | IP | malicious, detection | 7 |
| investigated_hash_email | 3600 | Investigations | email, sha256, md5 | malicious, detection | 180 |
| investigated_phish_urls | 3600 | Investigations | url | malicious, phish | 90 |
| investigated_phish_ips | 3600 | Investigations | ip | malicious, phish | 7 |
| isac_vetted_ip | 3600 | Sharing Group Vetted Indicators | IP | - | 7 |
| isac_vetted_email_hash | 3600 | Sharing Group Vetted Indicators | email, sha256, md5, sha1 | - | 180 |
| isac_vetted_url | 3600 | Sharing Group Vetted Indicators | url | - | 60 |
| premium_sources_ip | 3600 | Source A, Source B, Source C | IP | - | 7 |
| premium_sources_all_others | | | | | |