1. Introducing TruSTAR

2. Product Architecture

3. Data Management

4. Data Processing

4.1 Data Processing: Collect

4.2 Data Processing: Prepare

4.3 Data Processing: Prioritize

4.4 Data Processing: Connect

5. Capabilities

5.1 Capabilities: Governance

5.2 Capabilities: Intelligence Workflows

5.3 Capabilities: Search

5.4 Capabilities: Scoring

5.5 Capabilities: Analytics

6. Interfaces

6.1 Interfaces: REST API

6.2 Interfaces: Integrations

6.3 Interfaces: Web App

7. Use Cases

7.1 Use Cases: Detect

7.2 Use Cases: Triage

7.3 Use Cases: Investigate

7.4 Use Cases: Disseminate

TruSTAR Ontology

Case Management Integrations

Detection Integrations

Overview: Partner Resources

Requirements for Integrations

SOAR Integrations

Building an Observable-Query Intelligence Source Integration

Python SDK

REST API

Cyjax

Digital Shadows

RiskIQ Blacklist

RiskIQ PassiveTotal

Shape Blackfish

SpyCloud

Cisco AMP Threat Grid Analysis

Cisco AMP Threat Grid Indicator Query

Crowdstrike Falcon Detection

Crowdstrike Falcon Intelligence

Crowdstrike Falcon Reports

AbuseIPDB

Alienvault OTX

Alienvault OTX Pulse

Bambenek C2 Domain Feed

Bambenek C2 IP Feed

Bambenek DGA Feed

Dragos WorldView

Facebook Threat Exchange

Farsight Security

Flashpoint

Hybrid Analysis

IBM X-Force

IBM X-Force Threat Intelligence

Intel 471 Adversary Intelligence

Intel 471 Alerts

Intel 471 Malware Intelligence

Mandiant iSight

NetLab 360 DGA Feeds

Recorded Future Hash Intelligence

Recorded Future IP Intelligence

Recorded Future URL Intelligence

Recorded Future Vulnerability Intelligence

Shodan

VirusTotal

urlscan

A-ISAC

COVID-19 OSINT Community Enclave

F-ISAC

FS-ISAC

NCFTA CyFin

NCFTA TNT

AWS GuardDuty

Cybersource

Joe Sandbox

MISP

TAXII Client

How Intelligence Sources are Updated

Intelligence Sources FAQ

Open Source Intelligence Tech Specs

Overview: Intelligence Sources

Install: TruSTAR for FIR

User Guide: TruSTAR for FIR

FAQ: TruSTAR for Resilient

Install: TruSTAR for Resilient

User Guide: TruSTAR for Resilient

FAQ: TruSTAR for Jira

Install: TruSTAR for Jira

User Guide: TruSTAR for Jira

FAQ: TruSTAR for ServiceNow

Install: TruSTAR for ServiceNow

User Guide: TruSTAR for ServiceNow

Install: TruSTAR for ServiceNow V2

User Guide: TruSTAR for ServiceNow V2

Overview: Case Management Apps

FAQ: TruSTAR for Splunk ES

Install: TruSTAR App for Splunk ES

User Guide: TruSTAR for Splunk ES

FAQ: TruSTAR for IBM QRadar

Install: TruSTAR for IBM QRadar

User Guide: TruSTAR for IBM QRadar

Overview: Detection Workflow Apps

Creating a Demisto Playbook

Indicator Retrieval in Demisto

Indicator Searches in Demisto

Listing TruSTAR Enclaves in Demisto

Phishing Triage Commands for Demisto

Report Commands in Demisto

Report Searches in Demisto

User Guide: TruSTAR for Demisto

Whitelisting with Demisto

FAQ: TruSTAR for Demisto

Install: TruSTAR for Demisto

Overview: Demisto

FAQ: TruSTAR for Splunk Phantom Cyber

Install: TruSTAR for Splunk Phantom Cyber

User Guide: TruSTAR for Splunk Phantom Cyber

Anomali ThreatStream

LogRhythm

Palo Alto MineMeld

TAXII Client Basics

TAXII FAQ

TruSTAR TAXII Server

FAQ: TruSTAR for MISP (v2)

Install: TruSTAR for MISP (v2)

User Guide: TruSTAR for MISP (v2)

TruSTAR Extension for Chrome

TruSTAR on Slack

Workflow Apps FAQ

Automated Sharing Between Enclaves

Script: Correlations Between Enclaves

Script: Deleting Reports

Script: Domain-level URL Filtering

Script: Exporting Indicators

Script: Moving Data Between Enclaves

Scripts: Uploading Data

ArcSight: Upload Events to TruSTAR

Azure Sentinel: Import Indicators from TruSTAR

Crowdstrike Falcon: Import Indicators from TruSTAR

Cybereason: Import Indicators from TruSTAR

MISP: Import Reports or Indicators from TruSTAR

Overview: Managed Connectors

Proofpoint: URL Decoder

SecureWorks: Send Indicators to TruSTAR

Splunk Enterprise: Import Indicators from TruSTAR

Splunk Phantom: Enrich Notable Events

Windows Defender: Import Indicators from TruSTAR

Report Correlation Email

Vetting and Tagging Indicators

1. Start Here

2. Main Window

3. Filter and Refine Panel

4. Intelligence Reports

5. Indicators

6. Dashboard

7. Marketplace

8. TruSTAR Community Chat

9. User Settings

Copying a Report

Deleting a Report

Emailing a Report

Exporting Report Data

Moving a Report

Overview: Intelligence Reports

Redacting Data from a Report

Reports Graph View

Reports List View

Reports Panel

Submitting a Report

Tagging a Report

Updating a Report

Deleting Indicators

Exporting Indicators

IOC List View

Observable Graph View

Overview: Indicators

Tagging Indicators

Threat Actors

Uploading Indicators

Whitelisting Indicators

Overview: Phishing Triage

Phishing Triage API

Phishing Triage Python SDK

Phishing Workflow in the TruSTAR Web App

Using Phishing Triage with Detection Tools

Using Phishing Triage with Orchestration Tools

Using Phishing Triage with a TAXII Client

Editing Your Profile

Notifications

User Settings Overview

Okta (SSO)

Ping Identity (SSO)

Salesforce (SSO)

Automating Forwarding to an Enclave Inbox

Enclave Inbox

Setting up an Enclave Inbox with Proofpoint

Managing Users

Managing the Company Whitelist

Managing the Redaction Library

Setting Up Multi-Factor Authentication (MFA)

Setting up a Service Account

MITRE ATT&CK Framework

Navigation Bar

Searching

Using Notes

Using the Filter and Refine Panel

Overview: TruSTAR Web App

Normalized Indicator Scores

Priority Event Scores

Priority Indicator Scores

Auto-Whitelist

Enclaves

Redaction Library

API Usage Policy

Contacting Support

Finding Enclave IDs

Finding Report IDs

Finding Your API Keys

Observable Collection FAQ

Observables Supported by TruSTAR

Security FAQ

TruSTAR Glossary

Uploading Observables FAQ

All Categories > Workflow Apps > Detection > Splunk ES > Install: TruSTAR App for Splunk ES

Install: TruSTAR App for Splunk ES

Updated 1 week ago by TruSTAR

This article explains how to install and configure the TruSTAR Workflow App for Splunk Enterprise Security (ES). The integration typically takes anywhere from 15-30 minutes, depending on your Splunk environment and the number of TruSTAR Enclaves specified during configuration.

You can use the TruSTAR Workflow App for Splunk ES to

Accelerate investigations: Ingest pre-filtered open source and Premium Intelligences feeds from your TruSTAR Enclaves into the Splunk KV Store to alert against internal log events. You can configure inputs to select only Indicator types that are relevant to your organization.
Prioritize Alerts: Use TruSTAR's enrichment of Notable Events to view pass-through scores from Premium Intelligence feeds and help prioritize notable events.
Investigate and Respond: Submit Notable Events to TruSTAR for further enrichment and correlation with historical data. You can share the full event or redact it for added security.

Splunk ES Requirements

Software

You must have the following Splunk ES packages installed before installing the TruSTAR App:

Splunk version 7.0 or higher
Splunk Enterprise Security version 5.0 or higher
Splunk Common Information Model (CIM) version 4 or higher
Splunk Datasets Add-on version 1.0 or higher

Logs-to-CIM Mapping

For Splunk ES to generate notable events when it finds a TruSTAR Indicator in logs, those logs must be mapped to the Splunk Common Information Model. Splunk Professional Services can assist with this process. For more information see the Splunk ES CIM Overview.

User Accounts

You must have two Splunk ES user accounts on each search head:

admin required for installation
ess_analyst (or greater) required for use

For more information, see Chcck Splunk User Account Permissions in the FAQ.

Search-Head Clusters

If your Splunk ES configuration includes search-head clusters, you need to configure the following items.

If you need help in settting up your search-head clusters to work with the TruSTAR App, please contact Splunk Professional Services, not TruSTAR.

Some search-head-clustering documentation:
- Search Head Clusters in Distributed Search

KV Store Replication

Downloading indicators from TruSTAR to search-head can occur only on the cluster Captain node. The cluster must be configured to replicate the ES Threatintel KV Stores to all nodes in the cluster.

Proxy Sticky Sessions

You must have proxy sticky sessions enabled. This is a Splunk requirement and ensures a consistent user experience.

Networking

Code will be started by the Splunk application on search-heads. It will need to be able to make REST API calls to the Splunk application on localhost, port 8089

The Splunk application must accept incoming traffic on port 8089.

Distributed Splunk Deployments

Many Splunk ES knowledge objects reside on search-heads only. Correlation, threat-gen, and lookup-gen searches must process entirely on search-heads and cannot be distributed to an indexer or indexer cluster.

For assistance, please contact Splunk Professional Services.

Some Distrubuted Splunk documentation:

Distributed Search

TruSTAR Requirements

Your TruSTAR setup needs to have one enclave and three user accounts dedicated to Splunk ES. Work with your TruSTAR account manager to create these items.

Enclaves

Your TruSTAR installation needs to have one enclave named Splunk ES Threat Activity.

User Accounts

The App requires three user accounts. For faster setup, TruSTAR will create these accounts for you, including "dummy" email accounts for each one. When you view these accounts in the TruSTAR Web App, you will see the three names in the left column, the permissions in the right column, and the dummy email addresses.

Account Name	Enclave + Permissions
Download	All Enclaves - view
Submit	All Enclaves - view Splunk ES Threat Activity Enclave - full
Enrich	All Enclaves - view

Installing the TruSTAR App

The TruSTAR App must be installed on search-heads. Do not install the App on indexers or heavy-forwarders.

Select Apps -> Manage Apps from the Splunk ES main menu bar.
Click the Browse More Apps button, then use the Search box to find the TruSTAR App for Enterprise Security (Splunkbase page: TruSTAR App for Enterprise Security).
Proceed with the installation of the TruSTAR App.

Configuring the App

The Configuration Options is where you set up API credentials, proxy server, logging, and other settings for the TruSTAR App.

Choose TruSTAR Splunk ES Technology App from the App pull-down menu on the top-level Splunk menu.
Click Configuration on the blue submenu.

Account Settings

The Account Settings tab sets up the API credentials for the integration.

You will now set up three user accounts that match the three TruSTAR accounts you worked with your TruSTAR account manager to create.

For the first account, enter the Account name as DOWNLOAD.
In the Username field, enter your TruSTAR API Key.
In the Password field, enter your TruSTAR API Secret.
Click Add to save the account.
For the second account, enter the Account name as ENRICH.
Repeat steps 2-4.
For the third account, enter the Account name as SUBMIT.
Repeat steps 2-4.

You should now see three accounts with the names DOWNLOAD, ENRICH, and SUBMIT.

Proxy Settings

If your installation uses a proxy between search head(s) and the TruSTAR platform, you need to configure the proxy information as shown below.

Logging

You can choose one of five logging levels: Debug, Info, Warning, Error, and Critical.

TruSTAR recommends leaving the level at Info (the default) unless instructed by TruSTAR Support.

Add-On Settings

The Add-on Settings specify the location of the TruSTAR Web App and which Enclaves to use with Splunk ES.

Explanation of Settings

Station API URL: The URL to make API calls to the TruSTAR Web App.
Default Submit Enclave: The Enclave ID for Splunk ES Threat Activity.
Default Enrich Enclaves: The Enclaves to use when enriching events.
- TruSTAR recommends: ALL
- Alternatively, can enter comma-separated list of Enclave IDs.

You can override the default Enclave settings when running individual enrichment or submission actions.

Configuring Inputs

Inputs in Splunk ES copy Indicators from TruSTAR Enclaves to Splunk ES's Threat-Intel KV Stores to use in its detection pipeline.

Creating an Input

Choose TruSTAR Splunk ES Technology App from the App pull-down menu on the top-level Splunk menu.
Click Inputs on the blue submenu.
Click Create New Input to start defining an input source.
Fill out the configuration options as shown in this table.

Field	Value	Notes
Name	Name of the input	A unique input name. Valid characters are letters and underscores only. You cannot use spaces or special characters.
Interval	3600	This is the default value. Do not change this value.
Index	n/a	Not used in the TruSTAR App.
Global Account	DOWNLOAD	The account you created during the installation process.
Enclave IDs	Enclaves to download from	You must enter at least one Enclave ID. To specify multiple Enclave IDs, separate them with commas and no spaces. Finding Enclave IDs
IOC Types	Indicators	The Indicator types you want to download from TruSTAR. The default is to include all Indicators. Click x on an Indicator to remove it.
Tags	List of tags	This list is used to filter Indicators when downloading from TruSTAR. Lowercase characters only. The input will only download Indicators that match all other criteria (Enclaves, IOC types, etc.) AND include ALL the tags in the list.
Expiration	Number of days	When an Indicator has not been mentioned in any of the Enclaves this input downloads from in the specified number of days, that Indicator will no longer be detected on.

Click Add to save these settings and create the input.

Examples of Input Configuration

When setting up the TruSTAR App, you can configure which types of Indicators to pull from which Enclaves. For example, you may want to only pull IP information from one Enclave and email addresses from another enclaves. You can edit these inputs at any time by changing your configuration.

To help you understand the power of granular inputs, here is five inputs for a fictional company called Acme Corp.

Input 1

Acme wants to watch for any Indicators that they have already investigated and determined are malicious. Acme stores these Indicators in a Vetted Indicators Enclave in TruSTAR.

Input Name	Enclave IDs	IOC Types	Expiration
Historical_Indicators	<vetted indicators Enclave ID>	All	360 days

Input 2

Acme is extremely concerned about file hashes reported on by Intelligence-X. They want to constrain this input to file hashes only, and only from that one Intelligence Source.

Input Name

Enclave IDs

IOC Types

Expiration

Intel-X_Source

<Intelligence-X Enclave ID>

SHA1

SHA256

MD5

180 days

Input 3

Acme wants to alert on IP addresses reported on by Intelligence Sources A,B and C, but only if the reporting is timestamped within the last 7 days. To do this, they configure an input that downloads IP addresses from Enclaves A,B, and C and retains that data for 7 days.

Input Name	Enclave IDs	IOC Types	Expiration
Malicious_IPs	<EnclaveA_ID, EnclaveB_ID, EnclaveC_ID>	IP	7 days

Input 4

Acme is a member of a sharing group named CyberSleuths. Acme wants to copy all Indicators from that sharing group Enclave and retain them for 90 days.

Input Name	Enclave IDs	IOC Types	Expiration
CyberSleuth_Intel	<CyberSleuthEnclave_ID>	All	90 days

Input 5

Acme Corporation runs a script that copies TruSTAR Reports and Indicators that meet certain criteria to an Enclave named ACME_CURATED that then contains very high-signal data. Acme wants to configure an input that copies all Indicator types from that Enclave and retains them for 180 days.

Input Name	Enclave IDs	IOC Types	Expiration
Curated_Intel	<AcmeCuratedEnclave_ID>	All	180 days

Acme could also curate an Enclave for each Indicator type, then pipe those into Splunk ES by configuring a new input for each type. This is especially useful when you want to use different expiration dates for different Indicators; for example, have email addresses expire after 30 days while SHA1 data expires after 180 days.

Reconciling the TruSTAR WhiteList

You can configure an input to remove all terms from KV Stores that are included on your organization's TruSTAR Safelist (formerly called the whitelist). You must use the input name WHITELIST for this input to work correctly.

Input Name	Interval	Enclave	Indicator Types	Tags	Expire
WHITELIST	14400	-	all		180

More Examples of Inputs

You can reduce false-positive alerts by exercising fine-grained control over the Indicators that the app brings into the detection set. The table below suggests some inputs filtering Indicators.

Input Name	Interval	Enclave	Indicator Types	Tags	Expire
investigated_ip	3600	Investigations	IP	malicious, detection	7
investigated_hash_email	3600	Investigations	email, sha256, md5	malicious, detection	180
investigated_phish_urls	3600	Investigations	url	malicious, phish	90
investigated_phish_ips	3600	Investigations	ip	malicious, phish	7
isac_vetted_ip	3600	Sharing Group Vetted Indicators	IP		7
isac_vetted_email_hash	3600	Sharing Group Vetted Indicators	email, sha256, md5, sha1		180
isac_vetted_url	3600	Sharing Group Vetted Indicators	url		60
premium_sources_ip	3600	- Source A - Source B - Source C	IP		7
premium_sources_all_others

How Did We Do?

(opens in a new tab)

Install: TruSTAR App for Splunk ES

Related Links

Splunk ES Requirements

Software

User Accounts

Search-Head Clusters

KV Store Replication

Proxy Sticky Sessions

Networking

Distributed Splunk Deployments

TruSTAR Requirements

Enclaves

User Accounts

Installing the TruSTAR App

Configuring the App

Account Settings

Proxy Settings

Logging

Add-On Settings

Configuring Inputs

Creating an Input

Examples of Input Configuration

Reconciling the TruSTAR WhiteList

More Examples of Inputs

How Did We Do?

Related Articles User Guide: TruSTAR for Splunk ES FAQ: TruSTAR for Splunk ES Install: TruSTAR for Splunk Phantom Cyber

Contact

Related Articles

User Guide: TruSTAR for Splunk ES

FAQ: TruSTAR for Splunk ES

Install: TruSTAR for Splunk Phantom Cyber