Install: TruSTAR App for Enterprise Security

Updated 1 month ago by Elvis Hovor

This article explains how to install and configure the TruSTAR Workflow App for Splunk Enterprise Security (ES). The integration typically takes anywhere from 15-30 minutes, depending on your Splunk environment and the number of TruSTAR Enclaves specified during configuration.

Requirements

Software.

The TruSTAR Workflow App for Splunk ES requires this software to be installed before installing the App:

  • Splunk version 7.0 or higher
  • Splunk Enterprise Security version 5.0 or higher
  • Splunk Common Information Model (CIM) version 4 or higher
  • Splunk Datasets Add-on version 1.0 or higher

Logs-to-CIM mapping.

For Splunk ES to generate notable events when it finds a TruSTAR Indicator in logs, those logs must be mapped to the Splunk Common Information Model.

Splunk ES Professional Services can assist with this process.

For more information see the Splunk ES CIM Overview.

KvStore replication (ES search-head clusters only).

  • Indicators are downloaded from TruSTAR to the search-head only on the cluster Captain node.
  • The cluster must be configured to replicate the ES Threatintel KvStores to all nodes in the cluster.
  • For assistance, please contact Splunk Professional Services.

Proxy "sticky sessions" (ES search-head clusters only).

  • This is a Splunk requirement.
  • It ensures a consistent user experience across cluster members.

Local search processing (distributed Splunk deployments).

  • Many Enterprise Security knowledge objects reside on search-heads only.
  • Correlation, threat-gen and lookup-gen searches must be processed entirely on search-heads.
    • They cannot be distributed to an indexer or indexer cluster.
  • For assistance, please contact Splunk Professional Services.

Networking.

  • The App's code is started by the Splunk application on the search-heads.
  • That code must be able to make REST API calls to the Splunk application on localhost, port 8089.
  • The Splunk application must therefore accept incoming traffic on port 8089 from localhost.
  • For assistance, contact Splunk Professional Services.

Splunk User Account Permissions.

On search heads:

  • admin required for installation
  • ess_analyst (or greater) required for use

Help: View Splunk User Account Permissions.

TruSTAR Enclaves.

You need one (1) Enclave named Splunk ES Threat Activity.

Your TruSTAR account manager will create it.

TruSTAR User Accounts.

  • You need three user accounts, one per purpose listed below.
  • Your TruSTAR account manager will create them.

| Purpose | Username (email) | Enclave Permissions |
| --- | --- | --- |
| Download | cs-integrations+yourcompany_splunk_es_download@trustar.co | "view": all |
| Submit | cs-integrations+yourcompany_splunk_es_submit@trustar.co | "view": all; "full": "Splunk ES Threat Activity" |
| Enrich | cs-integrations+yourcompany_splunk_es_enrich@trustar.co | "view": all |

Install.

The App must be installed on search-heads. Do not install it on indexers or heavy forwarders.

  1. Select Apps -> Manage Apps from the Splunk ES main menu bar.
  2. Click the Browse More Apps button, then use the Search box to find the TruSTAR App for Enterprise Security (Splunkbase page: TruSTAR App for Enterprise Security).
    SplunkES_Install_Figure4
  3. Proceed with the installation of the TruSTAR App.

App-Level Config.

The Configuration page is where you set up the API credentials, proxy servers, logging, and other settings for the TruSTAR App.

  1. Choose TruSTAR Splunk ES Technology App from the App pull-down menu on the top-level Splunk menu.
    SplunkES_Install_Figure5
  2. Click Configuration on the blue submenu.
    SplunkES_Install_Figure6

Account Settings

The Account Settings tab sets up the API credentials for the integration.

SplunkES_Install_Figure7

Add API credentials for your three TruSTAR user accounts. The "Account name" for each should be:

  • DOWNLOAD
  • ENRICH
  • SUBMIT

The TruSTAR API key goes in the "Username" field, and the TruSTAR API secret goes in the "Password" field.

An API key looks like this: e0dk3128-xxxx-xxxx-ad4a-ff1a2b3c4d89f
An API secret looks like this: KMuSxxxxk39Uhwxxxx9kVi2Z

Proxy

If there is a proxy between the search head(s) and TruSTAR, configure its type, host, port, username and password.

SplunkES_Install_Figure8

Logging

You can choose one of five logging levels: Debug, Info, Warning, Error, and Critical.

SplunkES_Install_Figure9

TruSTAR recommends leaving the level at Info (the default) unless instructed otherwise by TruSTAR Support.

Add-On Settings

The Add-on Settings specify the location of the TruSTAR Web App and which Enclaves to use with Splunk ES.

SplunkES_Install_Figure10

Explanation of Settings

  • Station API URL: The URL the App uses to make API calls to the TruSTAR Web App.
  • Default Submit Enclave: The ID of the Enclave named Splunk ES Threat Activity.
  • Default Enrich Enclaves: The Enclaves used for enriching events.
    • TruSTAR recommends: ALL
    • Alternatively, enter a comma-separated list of Enclave IDs.

You can override the default Enclave settings when running individual enrichment or submission actions.

Input Config.

Inputs copy indicators from TruSTAR to Splunk ES's Threat-Intel KVStores for ES to use in its detection pipeline.

Inputs and Enclaves

  • Reduce false-positive alerts by exercising fine-grained control over the IOCs the App brings into the detection set.
  • Configure automatic whitelist reconciliation by adding an input named WHITELIST (verbatim, all caps).

Examples:

| Input Name | Interval (seconds) | Enclave | Indicator Types | Tags | Expire (days) |
| --- | --- | --- | --- | --- | --- |
| WHITELIST | 14400 | - | all | | 180 |
| investigated_detection_ip | 3600 | Investigations | IP | malicious, detection | 7 |
| investigated_detection_hash_email | 3600 | Investigations | email, sha256, md5 | malicious, detection | 180 |
| investigated_phish_urls | 3600 | Investigations | url | malicious, phish | 90 |
| investigated_phish_ips | 3600 | Investigations | ip | malicious, phish | 7 |
| isac_vetted_ip | 3600 | Sharing Group Vetted Indicators | IP | | 7 |
| isac_vetted_email_hash | 3600 | Sharing Group Vetted Indicators | email, sha256, md5, sha1 | | 180 |
| isac_vetted_url | 3600 | Sharing Group Vetted Indicators | url | | 60 |
| premium_sources_ip | 3600 | Source A, Source B, Source C | IP | | 7 |
| premium_sources_all_others | 3600 | Source A, Source B, Source C | email, url, sha1, md5, sha256, registry, filename | | 90 |

Examples of Input Configuration

When setting up the TruSTAR App, you can configure which types of Indicators to pull from which Enclaves. For example, you may want to pull only IP information from one Enclave and only email addresses from another Enclave. You can edit these inputs at any time by changing your configuration.

To help you understand the power of granular inputs, here is an example for a fictional company, Acme Corporation.

Input 1

Acme Corporation wants Splunk ES to always be on the lookout for any sign of any Indicator that Acme has investigated and determined malicious. Acme stores these Indicators in a case management Enclave in TruSTAR.

  • Name: Acme IOCs
  • Enclave ID: <case-management Enclave in TruSTAR>
  • Indicator Types: All available (do not remove any Indicators from the default list display)
  • Expiration: 360 days

Input 2

Acme Corporation is extremely concerned about file hashes reported on by Intelligence Source X. They are not interested in alerting on any other Indicator type reported on by that intelligence source, and they are not interested in hashes reported on by any other intelligence source. 

  • Name: X-Intel Source
  • Enclave ID: <case-management Enclave in TruSTAR>
  • Indicator Types: SHA1, SHA256, MD5 (delete all others displayed in this field)
  • Expiration: 180 days

Input 3

Acme Corporation is also interested in alerting on IP addresses reported on by Intelligence Sources A, B, C, D, and E, but only if the reporting is timestamped within the last 7 days. To accommodate this interest, they configure a third input that downloads IP addresses from Enclaves A, B, C, and D and retains them for 7 days.

  • Name: Malicious IPs
  • Enclave ID: <enclaveA_ID, enclaveB_ID, enclaveC_ID, enclaveD_ID>
  • Indicator Types: IP
  • Expiration: 7 days

Input 4

Acme Corporation is also a member of a sharing group named CyberSleuths. Acme wants another input to copy all Indicators from that sharing group Enclave and retain them for 90 days.  

  • Name: CyberSleuth Intel
  • Enclave ID: <CyberSleuth_ID>
  • Indicator Types: All available (do not remove any Indicators from the default list display)
  • Expiration: 90 days

Input 5

Acme Corporation also runs a script that copies Intel Reports and Indicators that meet certain criteria to an Enclave named ACME_CURATED that they believe contains very high-signal data. For example, that script transfers only Indicators with scores by sources A, B, and C that surpass certain thresholds. Acme wants to configure an input that copies all Indicator types from that Enclave and retains them for 180 days. 

  • Name: ACME Curated Intel
  • Enclave ID: <ACME_CURATED_ID>
  • IOC Types: All available (do not remove any Indicators from the default list display)
  • Expiration: 180 days

Acme could also curate an Enclave for each Indicator type, then pipe those into Splunk ES by configuring a new input for each type. This is especially useful when you want to use different expiration dates for different Indicators; for example, have email addresses expire after 30 days while SHA1 data expires after 180 days.

Creating an Input

  1. Choose TruSTAR Splunk ES Technology App from the App pull-down menu on the top-level Splunk menu.
    SplunkES_Install_Figure11
  2. Click Inputs on the blue submenu.
    SplunkES_Install_Figure12
  3. Click Create New Input to start defining an input source.
    SplunkES_Install_Figure13
  4. Fill out the config options.
    1. Name:
      - Valid characters: letters and underscores; no whitespace and no other special characters.
      - Must be unique.
    2. Interval: use 3600 (seconds).
    3. Index: not used; leave the default. (See the note below.)
      Note
      The TruSTAR integration puts IOCs into the Splunk ES Threat Intel key-value stores.
      It does not store any information in indexes. The "Index" config option exists only because TruSTAR built this add-on using Splunk's Add-On Builder (AOB), and that option cannot be removed from the AOB's default inputs config page.
    4. Global Account: DOWNLOAD.
    5. Enclave IDs:
      - The IDs of the Enclaves to download from.
      - Separate multiple Enclave IDs with commas.
    6. IOC Types:
      - All types are selected by default.
      - Remove the types you don't want this input to download.
    7. Tags:
      - Used as a filter.
      - Lowercase characters only.
      - The input will ONLY download indicators that meet all the other criteria (enclaves, types, time range) AND carry ALL of the tags listed in this box.
    8. Expiration:
      - Number of days.
      - When an indicator has not been mentioned in any of the Enclaves this input downloads from for this number of days, it is no longer detected on.
  5. Click Add to save these settings and create the input.
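To make the input-filter rules concrete, here is an added Python example that is not part of the TruSTAR App or its documentation: it models an input's Enclave, IOC-type, tag and expiration criteria and applies them to constructed indicators shaped like the Acme inputs above. The Enclave IDs, indicator values and the reference date are all constructed for the example.

```python
# Added example (not the TruSTAR app's own code): models the input-filter rules
# described above (enclaves, IOC types, tags, expiration). IDs are constructed.
from collections import namedtuple
from datetime import date, timedelta

# One configured input: enclave_ids is the comma-separated box, ioc_types the
# lowercase types kept in the list (empty = all), tags must ALL be present.
TruStarInput = namedtuple("TruStarInput", "name enclave_ids ioc_types tags expiration_days",
                          defaults=[frozenset(), 180])
# One downloaded indicator; last_seen is its most recent mention in that enclave.
Indicator = namedtuple("Indicator", "value ioc_type enclave_id tags last_seen")

def matches(inp, ind):
    """Enclave, IOC-type and tag criteria; the tag box is an AND filter."""
    if ind.enclave_id not in inp.enclave_ids:
        return False
    if inp.ioc_types and ind.ioc_type.lower() not in inp.ioc_types:
        return False
    return inp.tags <= {t.lower() for t in ind.tags}

def active(inp, ind, today):
    """Still detected on: matches and was mentioned within expiration_days."""
    return matches(inp, ind) and (today - ind.last_seen).days <= inp.expiration_days

def detection_set(inputs, indicators, today):
    """Map each value ES would alert on to the input(s) supplying it."""
    out = {}
    for inp in inputs:
        for ind in indicators:
            if active(inp, ind, today):
                out.setdefault(ind.value, set()).add(inp.name)
    return out

# Constructed sample: Acme's Input 2 (hashes, 180 days), Input 3 (IPs, 7 days)
# and a tag-filtered phishing input like the one in the examples table.
INPUTS = [
    TruStarInput("X_Intel_Source", {"xintel_ID"}, {"sha1", "sha256", "md5"}),
    TruStarInput("Malicious_IPs", {"enclaveA_ID", "enclaveB_ID"}, {"ip"}, expiration_days=7),
    TruStarInput("investigated_phish_ips", {"investigations_ID"}, {"ip"}, {"malicious", "phish"}, 7),
]
TODAY = date(2024, 6, 30)
INDICATORS = [
    Indicator("203.0.113.7", "IP", "enclaveA_ID", set(), TODAY - timedelta(days=3)),   # fresh
    Indicator("203.0.113.9", "IP", "enclaveB_ID", set(), TODAY - timedelta(days=10)),  # expired
    Indicator("d41d8cd98f00b204e9800998ecf8427e", "MD5", "xintel_ID", set(), TODAY - timedelta(days=30)),
    Indicator("http://example.test/x", "URL", "xintel_ID", set(), TODAY),              # type removed
    Indicator("192.0.2.5", "IP", "investigations_ID", {"malicious"}, TODAY),           # lacks "phish"
    Indicator("192.0.2.6", "IP", "investigations_ID", {"malicious", "phish"}, TODAY),
]
```

Calling `detection_set(INPUTS, INDICATORS, TODAY)` shows that the stale IP, the URL from the hash-only input and the IP missing the "phish" tag all drop out of the detection set, which is the false-positive control the Inputs section describes.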

Auto-Notable-Event-Submission Config.

Notable Events must be submitted to the Splunk ES Threat Activity enclave in TruSTAR for TruSTAR to be able to triage / enrich them.

  1. Choose Enterprise Security from the App pull-down menu on the top-level Splunk menu.
    SplunkES_Install_Figure14
  2. Click the Configure menu, then click the Content menu.
    SplunkES_Install_Figure15
  3. Click Content Management.
    SplunkES_Install_Figure16
  4. Search for "threat activity detected" and then click on the correlation search named Threat Activity Detected.
    SplunkES_Install_Figure17

This opens the configuration window for that search.

SplunkES_Install_Figure18

  5. In that configuration window, scroll down to the Adaptive Response Actions section, then click the caret next to Notable.
    SplunkES_Install_Figure19
  6. In the Next Steps text box, add these lines, separated by 2 newline characters:
[[action|trustar_submit_event]]


[[action|trustar_enrich_threat_activity]]
  7. In the Recommended Actions section, select TruSTAR - Enrichment and TruSTAR - Submit.

The configuration should now look like this example:

SplunkES_Install_Figure20

  8. Go back to the Adaptive Response Actions section and choose Add New Response Action.
    SplunkES_Install_Figure21
  9. Select the TruSTAR - Submit action.
  10. Configure the Submit action:
    • Add a Report Title.
    • Add additional comments.
    • Choose the Default Enclave for submitting events (usually Splunk ES Threat Activity).

The configuration should now look like this example:

SplunkES_Install_Figure22

  11. Click the green Save button in the lower right corner to complete the Splunk ES configuration.
    SplunkES_Install_Figure23

