Install: TruSTAR App for Splunk ES

Updated 1 week ago by TruSTAR

This article explains how to install and configure the TruSTAR Workflow App for Splunk Enterprise Security (ES). The integration typically takes anywhere from 15-30 minutes, depending on your Splunk environment and the number of TruSTAR Enclaves specified during configuration.

You can use the TruSTAR Workflow App for Splunk ES to

  • Accelerate investigations: Ingest pre-filtered open source and Premium Intelligence feeds from your TruSTAR Enclaves into the Splunk KV Store to alert against internal log events. You can configure inputs to select only the Indicator types that are relevant to your organization.
  • Prioritize Alerts: Use TruSTAR's enrichment of Notable Events to view pass-through scores from Premium Intelligence feeds and help prioritize notable events.
  • Investigate and Respond: Submit Notable Events to TruSTAR for further enrichment and correlation with historical data. You can share the full event or redact it for added security.

Splunk ES Requirements

Software

You must have the following Splunk ES packages installed before installing the TruSTAR App:

  • Splunk version 7.0 or higher
  • Splunk Enterprise Security version 5.0 or higher
  • Splunk Common Information Model (CIM) version 4 or higher
  • Splunk Datasets Add-on version 1.0 or higher

Logs-to-CIM Mapping

For Splunk ES to generate notable events when it finds a TruSTAR Indicator in logs, those logs must be mapped to the Splunk Common Information Model. Splunk Professional Services can assist with this process. For more information see the Splunk ES CIM Overview.

User Accounts

You must have two Splunk ES user accounts on each search head:

  • admin required for installation
  • ess_analyst (or greater) required for use

For more information, see Check Splunk User Account Permissions in the FAQ.

Search-Head Clusters

If your Splunk ES configuration includes search-head clusters, you need to configure the following items.

If you need help in setting up your search-head clusters to work with the TruSTAR App, please contact Splunk Professional Services, not TruSTAR.

Some search-head-clustering documentation:

  • Search Head Clusters in Distributed Search

KV Store Replication

Downloading Indicators from TruSTAR to the search head can occur only on the cluster Captain node. The cluster must be configured to replicate the ES Threatintel KV Stores to all nodes in the cluster.

Proxy Sticky Sessions

You must have proxy sticky sessions enabled. This is a Splunk requirement and ensures a consistent user experience.

Networking

The App's code is started by Splunk on the search heads. It must be able to make REST API calls to the Splunk application on localhost, port 8089.

The Splunk application must accept incoming traffic on port 8089.

Distributed Splunk Deployments

Many Splunk ES knowledge objects reside on search-heads only. Correlation, threat-gen, and lookup-gen searches must process entirely on search-heads and cannot be distributed to an indexer or indexer cluster.

For assistance, please contact Splunk Professional Services.

Some Distributed Splunk documentation:

TruSTAR Requirements

Your TruSTAR setup needs to have one enclave and three user accounts dedicated to Splunk ES. Work with your TruSTAR account manager to create these items.

Enclaves

Your TruSTAR installation needs to have one enclave named Splunk ES Threat Activity.

User Accounts

The App requires three user accounts. For faster setup, TruSTAR will create these accounts for you, including "dummy" email accounts for each one. When you view these accounts in the TruSTAR Web App, you will see the three names in the left column, the permissions in the right column, and the dummy email addresses.

Account Name  Enclave + Permissions
Download      All Enclaves - view
Submit        All Enclaves - view; Splunk ES Threat Activity Enclave - full
Enrich        All Enclaves - view

Installing the TruSTAR App

The TruSTAR App must be installed on search-heads. Do not install the App on indexers or heavy-forwarders.
  1. Select Apps -> Manage Apps from the Splunk ES main menu bar.
  2. Click the Browse More Apps button, then use the Search box to find the TruSTAR App for Enterprise Security (Splunkbase page: TruSTAR App for Enterprise Security).
    SplunkES_Install_Figure4
  3. Proceed with the installation of the TruSTAR App.

Configuring the App

The Configuration page is where you set up API credentials, proxy server, logging, and other settings for the TruSTAR App.

  1. Choose TruSTAR Splunk ES Technology App from the App pull-down menu on the top-level Splunk menu.
    SplunkES_Install_Figure5
  2. Click Configuration on the blue submenu.
    SplunkES_Install_Figure6

Account Settings

The Account Settings tab sets up the API credentials for the integration.

SplunkES_Install_Figure7

You will now set up three user accounts that match the three TruSTAR accounts you worked with your TruSTAR account manager to create.

  1. For the first account, enter the Account name as DOWNLOAD.
  2. In the Username field, enter your TruSTAR API Key.
  3. In the Password field, enter your TruSTAR API Secret.
  4. Click Add to save the account.
  5. For the second account, enter the Account name as ENRICH.
  6. Repeat steps 2-4.
  7. For the third account, enter the Account name as SUBMIT.
  8. Repeat steps 2-4.

You should now see three accounts with the names DOWNLOAD, ENRICH, and SUBMIT.

Proxy Settings

If your installation uses a proxy between search head(s) and the TruSTAR platform, you need to configure the proxy information as shown below.

SplunkES_Install_Figure8

Logging

You can choose one of five logging levels: Debug, Info, Warning, Error, and Critical.

SplunkES_Install_Figure9
TruSTAR recommends leaving the level at Info (the default) unless instructed by TruSTAR Support.

Add-On Settings

The Add-on Settings specify the location of the TruSTAR Web App and which Enclaves to use with Splunk ES.

SplunkES_Install_Figure10

Explanation of Settings

  • Station API URL: The URL to make API calls to the TruSTAR Web App.
  • Default Submit Enclave: The Enclave ID for Splunk ES Threat Activity.
  • Default Enrich Enclaves: The Enclaves to use when enriching events.
    • TruSTAR recommends: ALL
    • Alternatively, enter a comma-separated list of Enclave IDs.
You can override the default Enclave settings when running individual enrichment or submission actions.

Configuring Inputs

Inputs in Splunk ES copy Indicators from TruSTAR Enclaves to Splunk ES's Threat-Intel KV Stores to use in its detection pipeline.

Creating an Input

  1. Choose TruSTAR Splunk ES Technology App from the App pull-down menu on the top-level Splunk menu.
    SplunkES_Install_Figure11
  2. Click Inputs on the blue submenu.
    SplunkES_Install_Figure12
  3. Click Create New Input to start defining an input source.
    SplunkES_Install_Figure13
  4. Fill out the configuration options as shown in this table.

  • Name (Value: name of the input): A unique input name. Valid characters are letters and underscores only. You cannot use spaces or special characters.
  • Interval (Value: 3600): This is the default value. Do not change this value.
  • Index (Value: n/a): Not used in the TruSTAR App.
  • Global Account (Value: DOWNLOAD): The account you created during the installation process.
  • Enclave IDs (Value: Enclaves to download from): You must enter at least one Enclave ID. To specify multiple Enclave IDs, separate them with commas and no spaces. See Finding Enclave IDs.
  • IOC Types (Value: Indicators): The Indicator types you want to download from TruSTAR. The default is to include all Indicators. Click x on an Indicator to remove it.
  • Tags (Value: list of tags): This list is used to filter Indicators when downloading from TruSTAR. Lowercase characters only. The input will only download Indicators that match all other criteria (Enclaves, IOC types, etc.) AND include ALL the tags in the list.
  • Expiration (Value: number of days): When an Indicator has not been mentioned in any of the Enclaves this input downloads from in the specified number of days, that Indicator will no longer be detected on.

  5. Click Add to save these settings and create the input.
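As an added example (not code from the TruSTAR App), the following checks an input definition against the field rules in the table above before it is saved. The dictionary keys, the assumption that the Global Account for a download input is DOWNLOAD, and the special-casing of the WHITELIST input (which this page shows with its own interval and no Enclave) are assumptions drawn from this article, not from the App's configuration schema.

```python
# Added example (not the TruSTAR App's own code): check an input definition
# against the field rules in the table above before saving it in the UI.
# Field keys and the special-casing of the WHITELIST input are assumptions
# drawn from this page, not from the App's configuration schema.
import re
from typing import Dict, List

NAME_RE = re.compile(r"^[A-Za-z_]+$")   # letters and underscores only
DEFAULT_INTERVAL = "3600"               # "Do not change this value"
REQUIRED_ACCOUNT = "DOWNLOAD"           # the Global Account for download inputs
SAFELIST_INPUT = "WHITELIST"            # reserved name; uses its own interval and no Enclave


def validate_input(cfg: Dict[str, str]) -> List[str]:
    """Return a list of rule violations; an empty list means the input is acceptable."""
    errors: List[str] = []
    name = cfg.get("name", "")
    if not NAME_RE.match(name):
        errors.append(f"name {name!r}: letters and underscores only, no spaces or special characters")

    if name != SAFELIST_INPUT:
        if str(cfg.get("interval", "")) != DEFAULT_INTERVAL:
            errors.append(f"interval: must stay at the default {DEFAULT_INTERVAL}")
        if cfg.get("global_account") != REQUIRED_ACCOUNT:
            errors.append(f"global_account: must be the {REQUIRED_ACCOUNT} account")
        enclave_ids = cfg.get("enclave_ids", "")
        if not enclave_ids:
            errors.append("enclave_ids: at least one Enclave ID is required")
        elif " " in enclave_ids:
            errors.append("enclave_ids: separate IDs with commas and no spaces")
        elif any(part == "" for part in enclave_ids.split(",")):
            errors.append("enclave_ids: empty entry in the comma-separated list")

    tags = cfg.get("tags", "")
    if tags != tags.lower():
        errors.append("tags: lowercase characters only")

    expiration = str(cfg.get("expiration", ""))
    if not expiration.isdigit() or int(expiration) <= 0:
        errors.append("expiration: must be a positive number of days")
    return errors


if __name__ == "__main__":
    # Constructed definition that breaks every rule at once
    sample = {"name": "Malicious IPs!", "interval": "600", "global_account": "ENRICH",
              "enclave_ids": "id-a, id-b", "tags": "Malicious", "expiration": "0"}
    for problem in validate_input(sample):
        print(problem)
```

Running the block prints one line per violation for the constructed sample; a definition such as Malicious_IPs / 3600 / DOWNLOAD / two comma-separated IDs / lowercase tags / 7 days comes back with no errors.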

Examples of Input Configuration

When setting up the TruSTAR App, you can configure which types of Indicators to pull from which Enclaves. For example, you may want to pull only IP information from one Enclave and email addresses from another Enclave. You can edit these inputs at any time by changing your configuration.

To help you understand the power of granular inputs, here are five inputs for a fictional company called Acme Corp.

Input 1

Acme wants to watch for any Indicators that they have already investigated and determined are malicious. Acme stores these Indicators in a Vetted Indicators Enclave in TruSTAR.

Input Name             Enclave IDs                     IOC Types  Expiration
Historical_Indicators  <vetted indicators Enclave ID>  All        360 days

Input 2

Acme is extremely concerned about file hashes reported on by Intelligence-X. They want to constrain this input to file hashes only, and only from that one Intelligence Source. 

Input Name      Enclave IDs                  IOC Types          Expiration
Intel-X_Source  <Intelligence-X Enclave ID>  SHA1, SHA256, MD5  180 days

Input 3

Acme wants to alert on IP addresses reported on by Intelligence Sources A, B, and C, but only if the reporting is timestamped within the last 7 days. To do this, they configure an input that downloads IP addresses from Enclaves A, B, and C and retains that data for 7 days.

Input Name     Enclave IDs                              IOC Types  Expiration
Malicious_IPs  <EnclaveA_ID, EnclaveB_ID, EnclaveC_ID>  IP         7 days

Input 4

Acme is a member of a sharing group named CyberSleuths. Acme wants to copy all Indicators from that sharing group Enclave and retain them for 90 days.  

Input Name         Enclave IDs              IOC Types  Expiration
CyberSleuth_Intel  <CyberSleuthEnclave_ID>  All        90 days

Input 5

Acme Corporation runs a script that copies TruSTAR Reports and Indicators that meet certain criteria to an Enclave named ACME_CURATED that then contains very high-signal data. Acme wants to configure an input that copies all Indicator types from that Enclave and retains them for 180 days. 

Input Name     Enclave IDs              IOC Types  Expiration
Curated_Intel  <AcmeCuratedEnclave_ID>  All        180 days

Acme could also curate an Enclave for each Indicator type, then pipe those into Splunk ES by configuring a new input for each type. This is especially useful when you want to use different expiration dates for different Indicators; for example, have email addresses expire after 30 days while SHA1 data expires after 180 days.

Reconciling the TruSTAR WhiteList

You can configure an input to remove all terms from KV Stores that are included on your organization's TruSTAR Safelist (formerly called the whitelist). You must use the input name WHITELIST for this input to work correctly.

Input Name  Interval  Enclave  Indicator Types  Tags  Expire
WHITELIST   14400     -        all                    180

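The Acme inputs above and the WHITELIST input describe the same pipeline from two ends: an input's Enclave, IOC-type, tag and expiration filters decide what enters the Threat-Intel KV Store, and the Safelist reconciliation decides what is removed again. The following added example (not the TruSTAR App's own code) models both rules on constructed data so the interaction is visible; Enclave IDs, Indicator values, timestamps and the Safelist are invented for the example, and the real TruSTAR API and KV Store layout are not modelled. It uses Acme's Malicious_IPs input and the investigated_ip input from the table below, and goes slightly beyond the text by keeping the most recent mention of a value across all of an input's Enclaves before applying expiration.

```python
# Added example (not the TruSTAR App's own code): a small model of what an
# input's filters load into the Threat-Intel KV Store, and what the WHITELIST
# input removes from it. Indicator values, Enclave IDs and timestamps are
# constructed for the example; the TruSTAR API and KV Store layout are not modelled.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Indicator:
    value: str
    ioc_type: str            # "IP", "SHA256", ... (constructed type names)
    enclave_id: str          # Enclave whose report mentioned the value
    tags: FrozenSet[str]
    last_seen: datetime      # most recent mention in that Enclave


@dataclass
class InputConfig:
    name: str
    enclave_ids: List[str]
    ioc_types: Set[str]      # empty set = all types (the UI default)
    tags: Set[str]           # every tag listed must be present on the Indicator
    expiration_days: int


def select_indicators(cfg: InputConfig, indicators: List[Indicator], now: datetime) -> Dict[str, Indicator]:
    """Return {value: Indicator} for everything this input would place in the KV Store."""
    latest: Dict[str, Indicator] = {}
    for ind in indicators:
        if ind.enclave_id not in cfg.enclave_ids:
            continue                                # wrong Enclave
        if cfg.ioc_types and ind.ioc_type not in cfg.ioc_types:
            continue                                # type not selected
        if not cfg.tags <= ind.tags:
            continue                                # must carry ALL listed tags
        prev = latest.get(ind.value)
        if prev is None or ind.last_seen > prev.last_seen:
            latest[ind.value] = ind                 # keep the most recent mention
    # Expiration: drop values not mentioned in any of this input's Enclaves
    # within the last expiration_days.
    cutoff = now - timedelta(days=cfg.expiration_days)
    return {v: i for v, i in latest.items() if i.last_seen >= cutoff}


def reconcile_safelist(kv_store: Dict[str, Indicator], safelist: Set[str]) -> Dict[str, Indicator]:
    """What the WHITELIST input does: drop every KV Store term that is on the Safelist."""
    return {v: i for v, i in kv_store.items() if v not in safelist}


NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)      # constructed clock
MALICIOUS_IPS = InputConfig("Malicious_IPs", ["enclave-A", "enclave-B", "enclave-C"], {"IP"}, set(), 7)
INVESTIGATED_IP = InputConfig("investigated_ip", ["Investigations"], {"IP"}, {"malicious", "detection"}, 7)
SAFELIST = {"192.0.2.44"}                               # constructed organisational Safelist

SAMPLE_INDICATORS = [   # constructed; addresses are from the RFC 5737 documentation ranges
    Indicator("203.0.113.10", "IP", "enclave-A", frozenset({"malicious"}), NOW - timedelta(days=1)),
    Indicator("203.0.113.10", "IP", "enclave-B", frozenset(), NOW - timedelta(days=20)),
    Indicator("198.51.100.7", "IP", "enclave-C", frozenset(), NOW - timedelta(days=10)),   # older than 7 days
    Indicator("192.0.2.5", "IP", "enclave-D", frozenset(), NOW),                            # Enclave not in input
    Indicator("a" * 64, "SHA256", "enclave-A", frozenset(), NOW),                            # type not selected
    Indicator("192.0.2.44", "IP", "enclave-B", frozenset({"malicious", "detection"}), NOW - timedelta(days=2)),
    Indicator("203.0.113.77", "IP", "Investigations", frozenset({"malicious", "detection"}), NOW - timedelta(days=3)),
    Indicator("203.0.113.78", "IP", "Investigations", frozenset({"malicious"}), NOW - timedelta(days=1)),  # missing "detection"
]


if __name__ == "__main__":
    loaded = select_indicators(MALICIOUS_IPS, SAMPLE_INDICATORS, NOW)
    print("Malicious_IPs loads:", sorted(loaded))                                # ['192.0.2.44', '203.0.113.10']
    print("after WHITELIST:", sorted(reconcile_safelist(loaded, SAFELIST)))      # ['203.0.113.10']
    print("investigated_ip loads:", sorted(select_indicators(INVESTIGATED_IP, SAMPLE_INDICATORS, NOW)))  # ['203.0.113.77']
```

The two points worth noticing in the output are that 203.0.113.10 survives even though its mention in enclave-B is 20 days old (its mention in enclave-A is recent), and that 203.0.113.78 is excluded from investigated_ip because it carries only one of the two required tags.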
More Examples of Inputs

You can reduce false-positive alerts by exercising fine-grained control over the Indicators that the App brings into the detection set. The table below suggests some inputs that filter Indicators.

Input Name                  Interval  Enclave                          Indicator Types           Tags                  Expire
investigated_ip             3600      Investigations                   IP                        malicious, detection  7
investigated_hash_email     3600      Investigations                   email, sha256, md5        malicious, detection  180
investigated_phish_urls     3600      Investigations                   url                       malicious, phish      90
investigated_phish_ips      3600      Investigations                   ip                        malicious, phish      7
isac_vetted_ip              3600      Sharing Group Vetted Indicators  IP                                              7
isac_vetted_email_hash      3600      Sharing Group Vetted Indicators  email, sha256, md5, sha1                        180
isac_vetted_url             3600      Sharing Group Vetted Indicators  url                                             60
premium_sources_ip          3600      Source A, Source B, Source C     IP                                              7
premium_sources_all_others

