Install: TruSTAR for Splunk ES

Updated 1 week ago by Elvis Hovor

This article explains how to install and configure the TruSTAR Workflow App for Splunk Enterprise Security (ES). The integration typically takes anywhere from 15-30 minutes, depending on your Splunk environment and the number of TruSTAR Enclaves specified during configuration.

Requirements

Software Requirements

The TruSTAR Workflow App for Splunk ES requires this software to be installed before installing the App:

  • Splunk version 7.0 or higher
  • Splunk Enterprise Security version 5.0 or higher
  • Splunk Common Information Model (CIM) version 4 or higher
  • Splunk Datasets Add-on version 1.0 or higher
For Splunk ES to generate notable events when it finds a TruSTAR Indicator in the logs, those logs must be mapped to the Splunk Common Information Model. Splunk ES Professional Services can assist you with this process. For more information see the Splunk ES CIM Overview.

User Permissions

The Splunk account you use to install and configure the TruSTAR Workflow App must have Admin permissions in Splunk and be logged into the Splunk search head.

To check permissions for an account level, use this procedure:

  1. Click the Settings menu in the upper-right corner, then click Access Controls.
    SplunkES_Install_Figure1
  2. On the Access Controls page, click Users.
    SplunkES_Install_Figure2
  3. On the Users page, examine the Roles column. Any user who needs to use the Enrich or Submit actions requires Admin as one of their account roles.
    SplunkES_Install_Figure3

Before You Install

The TruSTAR integration performs three basic tasks:

  • Submitting Intel Reports to TruSTAR
  • Downloading data
  • Enrichment of existing notables.

To ensure those three processes work separately, you need to create three new email accounts, and then create three accounts in the TruSTAR Web App that use those three email accounts. In addition, TruSTAR recommends creating a new Enclave that will act as the default Enclave for Intel Reports submitted from Splunk ES.

TruSTAR recommends creating a separate Enclave in TruSTAR for the submissions you will be sending from Splunk ES.

Creating the Submission Enclave

In TruSTAR Station, create a new Enclave to handle all submissions from Splunk ES. TruSTAR recommends using the name Splunk ES Threat Activity for this enclave.

All threat activity notable events should be sent to this enclave automatically by the Threat Activity Detected correlation search. The Indicators in the events will be extracted and correlated with information from the external intelligence sources you subscribe to in TruSTAR. This automatic correlation ensures that you have the latest information when you run the Enrich action on the Notable Event.

Creating Email Accounts

Each TruSTAR user account is allocated a single set of API credentials, so you will need to create three TruSTAR user accounts. Each of these user accounts requires a unique email address so you will need to create 3 new email accounts on your company's email server. TruSTAR recommends following this conventions:

  • trustar_splunk_es_submit@yourcompany.com
  • trustar_splunk_es_download@yourcompany.com
  • trustar_splunk_es_enrich@yourcompany.com

Creating User Accounts on TruSTAR Station

Now that you have three new email accounts, you'll need to create the three Station user accounts. This can only be done by a user with Company Admininstrator permissions in TruSTAR. For more details, see this support article: Setting up a 'Service Account.

Use this information to set up the accounts in the TruSTAR Web App:

  1. Submit account
  • First Name: Integration Account
  • Last Name: Splunk ES Submit
  • Enclave Permissions: submit access to any Enclave you wish to submit Events to
    • TruSTAR recommends submit access to your Splunk ES Threat Activity enclave and any sharing group Enclaves you would like to be able to submit to. Use view or no access to all other enclaves.
  1. Download account
  • First Name: Integration Account
  • Last Name: Splunk ES Download
  • Enclave Permissions: view access to all enclaves.
  1. Enrichment account
  • First Name: Integration Account
  • Last Name: Splunk ES Enrich
  • Enclave Permissions: view access to all enclaves.
When creating these accounts, note their API Key and API Secret information because you will be asked to enter that when configuring the TruSTAR App.

Installing the TruSTAR App

  1. Select Apps -> Manage Apps from the Splunk ES main menu bar.
  2. Click the Browse More Apps button, then use the Search box to find the TruSTAR App for Splunk ES.
    SplunkES_Install_Figure4
  3. Proceed with the installation of the TruSTAR App.

Configuration Options

The Configuration Options is where you set up the API credentials, proxy servers, logging, and other settings for the TruSTAR App.

  1. Choose TruSTAR Splunk ES Technology App from the App pull-down menu on the top-level Splunk menu.
    SplunkES_Install_Figure5
  2. Click Configuration on the blue submenu.
    SplunkES_Install_Figure6

Account Settings

The Account Settings tab sets up the API credentials for the integration.

SplunkES_Install_Figure7

You need to create three accounts for the three actions that TruSTAR performs:

  • Downloading data into TruSTAR enclaves
  • Submitting reports to TruSTAR
  • Enrichment of notables from TruSTAR enclaves
  1. Enter DOWNLOAD into the Account Name field.
  2. Enter the API key into the Username field.
  3. Enter the API Secret into the Password field.
  4. Click Add to save the details and create the account.
  5. Create a second account with ENRICH as the Account Name, then follow steps 2-4 above.
  6. Create a third account with SUBMIT as the Account Name, then follow steps 2-4 above.

Proxy

If your environment uses a proxy, use this tab to enter details, such as type, host, port, username and password.

SplunkES_Install_Figure8

Logging

You can choose one of five logging levels: Debug, Info, Warning, Error, and Critical.

SplunkES_Install_Figure9
TruSTAR recommends leaving the level at Info (the default) unless instructed by Support.

Add-On Settings

The Add-on Settings specify the location of the TruSTAR Web App and which Enclaves to use with Splunk ES.

SplunkES_Install_Figure10

Explanation of Settings

  • Station API URL: The URL to make API calls to the TruSTAR Web App (formerly known as Station).
  • Default Submit Enclave: The Enclave that, by default, will store all your submissions to TruSTAR. TruSTAR recommends creating and using a separate enclave named Splunk ES Threat Activity.
  • Default Enrich Enclaves: The Enclaves for enriching events. TruSTAR recommends using the ALL option, which will use all Enclaves available to you, including internal and external intelligence sources. Alternatively, you can choose specific Enclaves by providing their IDs, separating each ID with a comma.
You can override the default Enclave settings when running individual enrichment or submission actions.

Creating Inputs to Splunk ES

You can create Inputs that export data from your TruSTAR Enclaves into Splunk ES. For example, you may want to pull IP information from one Enclave and email addresses from another enclaves. You can edit these inputs at any time by changing your configuration. This information can then be used for detection purposes to create notable events in Splunk ES.

Inputs and Enclaves

The TruSTAR App for Splunk ES includes the ability to configure multiple inputs from your TruSTAR Enclaves. This gives you very granular control over which Indicators are imported into Splunk ES and used to create notable events and reduces the likelihood of importing Indicators that turn out to be false positives.

An Input can take one or more Indicators from a single Enclave or from multiple Enclaves. The table below shows how you can pull data from multiple Enclaves into a single Input (example C) as well as use the more common "one Input, one Enclave" mapping.

Splunk Input

TruSTAR Enclave

Indicators

A

Private Enclave #1

IP addresses

B

Private Enclave #2

Email addresses

C

Shared Enclave #1

Shared Enclave #2

SHA256, SHA256, IPv4, IPv6

Currently, you cannot create multiple inputs from a single TruSTAR Enclave into Splunk ES. You can only create a single input from an Enclave. Within that input, you can specify any number of indicator types. For example, you can create an input in Splunk ES that pulls URL addresses, SHA56, and IPs from a single TruSTAR Enclave.

Examples of Input Configuration

When setting up the TruSTAR App, you can configure which types of Indicators to pull from which Enclaves. For example, you may want to only pull IP information from one Enclave and email addresses from another enclaves. You can edit these inputs at any time by changing your configuration.

The Splunk ES integration does not have the ability to generate tags for TruSTAR Intel Reports or Indicators.

To help you understand the power of granular inputs, here is an example for a fictional company, Acme Corporation.

Input 1

Acme Corporation wants Splunk ES to always be on the lookout for any sign of any Indicator that Acme has investigated and determined malicious. Acme stores these Indicators in a case management Enclave in TruSTAR.

  • Name: Acme IOCs
  • Enclave ID: <case-management Enclave in TruSTAR>
  • Indicator Types: All available (do not remove any Indicators from the default list display)
  • Expiration: 360 days

Input 2

Acme Corporation is extremely concerned about file hashes reported on by Intelligence Source X. They are not interested in alerting on any other Indicator type reported on by that intelligence source, and they are not interested in hashes reported on by any other intelligence source. 

  • Name: X-Intel Source
  • Enclave ID: <case-management Enclave in TruSTAR>
  • Indicator Types: SHA1, SHA256, MD5 (delete all others displayed in this field)
  • Expiration: 180 days

Input 3

Acme Corporation is also interested in alerting on IP addresses reported on by Intelligence Sources A,B,C,D, and E, but only if the reporting is timestamped within the last 7 days. To accommodate this interest, they configure a third input that downloads IP addresses from Enclaves A,B,C, and D and retains them for 7 days. 

  • Name: Malicious IPs
  • Enclave ID: <enclaveA_ID, enclaveB_ID, enclaveC_ID, enclaveD_ID>
  • Indicator Types: IP
  • Expiration: 7 days

Input 4

Acme Corporation is also a member of a sharing group named CyberSleuths. Acme wants another input to copy all Indicators from that sharing group Enclave and retain them for 90 days.  

  • Name: CyberSleuth Intel
  • Enclave ID: <CyberSleuth_ID>
  • Indicator Types: All available (do not remove any Indicators from the default list display)
  • Expiration: 90 days

Input 5

Acme Corporation also runs a script that copies Intel Reports and Indicators that meet certain criteria to an Enclave named ACME_CURATED that they believe contains very high-signal data. For example, that script transfers only Indicators with scores by sources A, B, and C that surpass certain thresholds. Acme wants to configure an input that copies all Indicator types from that Enclave and retains them for 180 days. 

  • Name: ACME Curated Intel
  • Enclave ID: <ACME_CURATED_ID>
  • IOC Types: All available (do not remove any Indicators from the default list display)
  • Expiration: 180 days
Acme could also curate an Enclave for each Indicator type, then pipe those into Splunk ES by configuring a new input for each type. This is especially useful when you want to use different expiration dates for different Indicators; for example, have email addresses expire after 30 days while SHA1 data expires after 180 days.

Creating an Input

  1. Choose TruSTAR Splunk ES Technology App from the App pull-down menu on the top-level Splunk menu.
    SplunkES_Install_Figure11
  2. Click Inputs on the blue submenu.
    SplunkES_Install_Figure12
  3. Click Create New Input to start defining an input source.
    SplunkES_Install_Figure13
  4. Enter a Name for the data input.
  5. Enter the Interval. Set this to 600.
  6. Use the default Index setting. (see note)
    This integration puts IOCs into the Splunk ES Threat Intel key-value stores.
    It does not store any information in indexes. The "Index" config option exists only because TruSTAR built this add-on using Splunk's Add-On-Builder and that config option can't be removed from the AOB's default inputs config page.
  7. Enter DOWNLOAD as the Global Account.
  8. Enter the Enclave IDs that will be the source of the download. You can specify multiple Enclaves by separating the Enclave IDs with commas.
  9. In the IOC Types field, click to remove any Indicator types you do not want to download from the source Enclave.
  10. Enter any tags you want to use to further filter the data. If you enter one or more tags in this field, only Indicators that have ALL the specified tags will be downloaded.
  11. Enter an Expiration value. This determines how long the data will be stored in Splunk ES. For example, if you enter 14, all data imported from this source into Splunk ES that is older than 14 days will be deleted.
  12. Click Add to save these settings and create the input.

Splunk ES Configuration

To have Splunk ES work most efficiently with TruSTAR, you need to modify the Threat Activity correlation search so that Indicators are automatically submitted to your default TruSTAR Enclave.

  1. Choose Enterprise Security from the App pull-down menu on the top-level Splunk menu.
    SplunkES_Install_Figure14
  2. Click the Configure menu, then click the Content menu.
    SplunkES_Install_Figure15
  3. Click Content Management.
    SplunkES_Install_Figure16
  4. Search for "threat activity detected" and then click on the correlation search named Threat Activity Detected.
    SplunkES_Install_Figure17

This opens the configuration window for that search.

SplunkES_Install_Figure18

  1. In that configuration window, scroll down to the Adaptive Response Actions section, then click the carat next to Notable.
    SplunkES_Install_Figure19
  2. In the Next Steps text box, add these lines, separated by 2 newline characters:
[[action|trustar_submit_event]]


[[action|trustar_enrich_threat_activity]]
  1. In the Recommended Actions section, select TruSTAR - Enrichment and TruSTAR - Submit.

The configuration should now look like this example:

SplunkES_Install_Figure20
  1. Go back to the Adaptive Response Actions section and choose Add New Response Action.
    SplunkES_Install_Figure21
  2. Select the TruSTAR - Submit action.
  3. Configure the Submit action:
  • Add a Report Title
  • Add additional comments
  • Choose the Default Enclave for submitting events (usually Splunk ES Threat Activity).

The configuration should now look like this example:

SplunkES_Install_Figure22
  1. Click the green Save in the lower right corner to complete the Splunk ES configuration.
    SplunkES_Install_Figure23

How Did We Do?