Splunk ES Installation

Updated 1 month ago by Elvis Hovor

This article explains how to install and configure the TruSTAR App for Splunk Enterprise Security (ES). The integration typically takes anywhere from 15-30 minutes, depending on your Splunk environment and the number of TruSTAR enclaves specified during configuration.

Navigate to our User guide or our FAQ for Splunk ES

Requirements

Software Requirements

The TruSTAR App for Splunk ES requires this software to be installed before installing the App:

  • Splunk version 7.0 or higher
  • Splunk Enterprise Security version 5.0 or higher
  • Splunk Common Information Model (CIM) version 4 or higher
  • Splunk Datasets Add-on version 1.0 or higher

User Permissions

The Splunk account you use to install and configure the TruSTAR App must have Admin permissions in Splunk and be logged into the Splunk search head.

To check permissions for an account level, use this procedure:

  1. Click the Settings menu in the upper-right corner, then click Access Controls.
    SplunkES_Install_Figure1
  2. On the Access Controls page, click Users.
    SplunkES_Install_Figure2
  3. On the Users page, examine the Roles column. Any user who needs to use the Enrich or Submit actions requires Admin as one of their account roles.
    SplunkES_Install_Figure3

Before You Install

The TruSTAR integration performs three basic tasks: submitting reports, downloading data, and enrichment of existing notables. To ensure those three processes work separately, you need to create three new email accounts, and then create three accounts in TruSTAR Station that use those three email accounts. In addition, TruSTAR recommends creating a new enclave that will act as the default submission enclave for reports from Splunk ES.

Creating Email Accounts

You will need 3 sets of Station API credentials to configure the TruSTAR add-on for Splunk ES. Each Station user account is allocated a single set of Station API credentials, so you will need to create 3 Station user accounts to use with this add-on. Each Station user account requires a unique email address. No two Station user accounts can have the same email address. Therefore, you will need to create 3 new email accounts in your company's email server. TruSTAR recommends following this convention:

  • trustar_splunk_es_submit@yourcompany.com
  • trustar_splunk_es_download@yourcompany.com
  • trustar_splunk_es_enrich@yourcompany.com

Creating User Accounts on TruSTAR Station

Now that you have 3 new email accounts, you'll need to create 3 Station user accounts. This can only be done by a user whose Station account has "Company Admin" permissions. For more details, see this article: "Setting up a 'Service Account'"

  1. Submit account:
  • First Name: “Integration Account”
  • Last Name: “Splunk ES Submit”
  • Enclave Permissions: "submit" access to any enclave you wish to submit Events to.
    • Recommend "submit" access to your "Splunk ES Threat Activity" enclave and any sharing group enclaves you'd like to be able to submit to. "view" or "no access" to all other enclaves.
  1. Download account:
  • First Name: “Integration Account”
  • Last Name: “Splunk ES Download”
  • Enclave Permissions: “view” access to all enclaves.
  1. Enrichment account:
  • First Name: “Integration Account”
  • Last Name: “Splunk ES Enrich”
  • Enclave Permissions: “view” access to all enclaves.
When creating these accounts, note their API Key and API Secret information because you will be asked to enter that when configuring the TruSTAR App.

Creating the Submission Enclave

In TruSTAR Station, create a new enclave to handle all submissions from Splunk ES. TruSTAR recommends using the name Splunk ES Threat Activity for this enclave.

All threat activity notable events should be sent to this enclave automatically by the “Threat Activity Detected” correlation search. so it triggers TruStash to fetch enrichment for the IOC from indicator-query closed-sources. This will ensure that Station has fresh enrichment on that IOC to present to the analyst when they run the “enrich” action on the notable event.

Installing the TruSTAR App

  1. Select Apps -> Manage Apps from the Splunk main menu bar.
  2. Click the Browse More Apps button, then use the Search box to locate the TruSTAR App for Splunk ES app.
    SplunkES_Install_Figure4
  3. Proceed with the installation of the TruSTAR app.

Configuration Options

The Configuration Options is where you set up the API credentials, any proxy servers in use, logging, and other settings for the TruSTAR App.

  1. Choose TruSTAR Splunk ES Technology App from the App pull-down menu on the top-level Splunk menu.
    SplunkES_Install_Figure5
  2. Click Configuration on the blue submenu.
    SplunkES_Install_Figure6

Account Settings

The Account Settings tab sets up the API credentials for the integration.

SplunkES_Install_Figure7

You need to create three accounts for the three actions that TruSTAR performs:

  • Downloading data into TruSTAR enclaves
  • Submitting reports to TruSTAR
  • Enrichment of notables from TruSTAR enclaves
  1. Enter DOWNLOAD into the Account Name field.
  2. Enter the API key into the Username field.
  3. Enter the API Secret into the Password field.
  4. Click Add to save the details and create the account.
  5. Create a second account with ENRICH as the Account Name, then follow steps 2-4 above.
  6. Create a third account with SUBMIT as the Account Name, then follow steps 2-4 above.

Note: You can use the same API key and API secret for each account.

Proxy

If your environment uses a proxy, use this tab to enter details, such as type, host, port, username and password.

SplunkES_Install_Figure8

Logging

You can choose one of five logging levels: Debug, Info, Warning, Error, and Critical.

SplunkES_Install_Figure9
TruSTAR recommends leaving the level at Info (the default) unless instructed by Support if you are having issues.

Add-On Settings

The Add-on Settings specify the location of TruSTAR Station and which enclaves to use with Splunk ES.

SplunkES_Install_Figure10

Explanation of Settings

  • Station API URL: The URL to make API calls to TruSTAR Station.
  • Default Submit Enclave: The enclave that, by default, will store all submissions to TruSTAR. TruSTAR recommends creating and using a separate enclave named Splunk ES Threat Activity.
  • Default Enrich Enclaves: The default sources for enriching events. TruSTAR recommends using the ALL option, which will use all enclaves. Alternatively, you can choose specific enclaves by providing their IDs, separating each ID with a comma.
You can override these default enclave settings when running individual enrichment or submission actions.

Creating Inputs to Splunk ES

You can create inputs that download data from your TruSTAR enclaves into Splunk ES. This information will be used for both automated and manual enrichment of notable events and alerts in Splunk ES.

The Inputs do not have a 1:1 relationship with TruSTAR enclaves. For example, you can create an input named BadActorIPs and specify that IP addresses from two or more enclaves will be loaded into this input.

For a detailed use case on how to leverage inputs at a very controlled level, see the Splunk ES FAQ.
  1. Choose TruSTAR Splunk ES Technology App from the App pull-down menu on the top-level Splunk menu.
    SplunkES_Install_Figure11
  2. Click Inputs on the blue submenu.
    SplunkES_Install_Figure12
  3. Click Create New Input to start defining an input source.
    SplunkES_Install_Figure13
  4. Enter a Name for the data input.
  5. Enter the Interval of time the input will be updated from TruSTAR.
  6. Use the default Index setting.
  7. Enter DOWNLOAD as the Global Account.
  8. Enter the Enclave IDs that will be the source of the download. You can specify multiple enclaves by separating the IDs with commas.
  9. In the IOC Types field, click to remove any IOC types you do not want to download from the source enclave.
  10. Enter any Tags you want to use to further filter the data. If you enter one or more tags in this field, only IOCs that have ALL the specified tags will be downloaded.
  11. Enter an Expiration value. This determines how long the data will be stored in Splunk ES. For example, if you enter 14, all data imported from this source into Splunk ES that is older than 14 days will be deleted.
  12. Click Add to save these settings and create the input.

Splunk ES Configuration

To have Splunk ES work most efficiently with TruSTAR, you need to modify the Threat Activity correlation search so that IOCs are automatically submitted to your TruSTAR enclave.

  1. Choose Enterprise Security from the App pull-down menu on the top-level Splunk menu.
    SplunkES_Install_Figure14
  2. Click the Configure menu, then click the Content menu.
    SplunkES_Install_Figure15
  3. Click Content Management.
    SplunkES_Install_Figure16
  4. Search for "threat activity detected" and then click on the correlation search named Threat Activity Detected.
    SplunkES_Install_Figure17

This opens the configuration window for that search.

SplunkES_Install_Figure18

  1. In that configuration window, scroll down to the Adaptive Response Actions section then click the carat next to Notable.
    SplunkES_Install_Figure19
  2. In the Next Steps text box, add these lines, separated by 2 newline characters:
[[action|trustar_submit_event]]


[[action|trustar_enrich_threat_activity]]
  1. In the Recommended Actions section, select TruSTAR - Enrichment and TruSTAR - Submit.

The configuration should now look like this example:

SplunkES_Install_Figure20
  1. Go back to the Adaptive Response Actions section and choose Add New Response Action.
    SplunkES_Install_Figure21
  2. Select the TruSTAR - Submit action.
  3. Configure the Submit action:
  • Add a Report Title
  • Add additional comments
  • Choose the Default enclave for submitting events (Splunk ES Threat Activity).

The configuration should now look like this example:

SplunkES_Install_Figure22
  1. Click the green Save in the lower right corner to complete the Splunk ES configuration.
    SplunkES_Install_Figure23

How Did We Do?