FAQ (TS Unif)

Updated 1 month ago by Steven Chamales

This article answers frequently asked questions about the TruSTAR Splunk App for Enterprise & Enterprise Security.

Q. How do I check my Splunk user account's permissions?

  1. Click the Settings menu in the upper-right corner, then click Access Controls.
     [Figure: SplunkES_Install_Figure1]
  2. On the Access Controls page, click Users.
  3. On the Users page, examine the Roles column. Any user who needs to use the Enrich or Submit actions requires Admin as one of their account roles.
     [Figure: SplunkES_Install_Figure3]

Q. What is the default TruSTAR Enclave for submissions from Splunk?

The default Enclave is Splunk ES Threat Activity.

Q. What is the mapping of Indicators to tables in the KV Store?

| TruSTAR Observable Type | Splunk ES KV Store Collection Name | TruSTAR KV Store Collection Name (non-ES customers) |
|---|---|---|
| IP | ip_intel | trustar_ip_intel |
| URL | http_intel | trustar_http_intel |
| DOMAIN | http_intel | trustar_http_intel |
| EMAIL ADDRESS | email_intel | trustar_email_intel |
| MD5, SHA1, SHA256, SOFTWARE | file_intel | trustar_file_intel |
| REGISTRY_KEY | registry_key | trustar_registry_key |

Q. What is Splunk ES Urgency Scoring?

A Threat Activity Notable Event in Splunk ES contains a single Indicator, which lets TruSTAR adjust the event's urgency score based on enrichment from TruSTAR enclaves.

TruSTAR queries all the Enclaves you have access to in order to obtain the normalized scores for that Indicator. TruSTAR assigns the Indicator a score equal to the maximum of all those normalized scores and sets the Notable Event's Urgency score according to that score, as shown in the table below.

| TruSTAR Normalized Indicator Score | Splunk ES Notable Event Urgency Score |
|---|---|
| 0 | Informational |
| 1 | Low |
| 2 | Medium |
| 3 | High |
| (no normalized score maps to Critical) | Critical |

TruSTAR can only enrich the Urgency Score for Threat Activity events. It cannot change the Urgency Score for any other type of Notable Event.

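The scoring rule above (max of the per-enclave normalized scores, mapped through the table, applied only to Threat Activity notables) as an added example in Python; this is not code from the TruSTAR app, and the event dictionaries and field names are constructed for illustration.

```python
# Added example, not TruSTAR's own code: apply the FAQ's urgency rule.
from typing import Iterable, Optional

# Mapping from the FAQ table; no normalized score ever maps to "Critical".
URGENCY_BY_SCORE = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
THREAT_ACTIVITY = "Threat Activity"


def urgency_for_scores(scores: Iterable[Optional[int]]) -> Optional[str]:
    """Urgency for one Indicator from the normalized score each accessible
    enclave returned. Returns None when no enclave produced a score."""
    known = [s for s in scores if s is not None]
    if not known:
        return None
    top = max(known)  # the FAQ rule: take the maximum across enclaves
    if top not in URGENCY_BY_SCORE:
        raise ValueError(f"unexpected normalized score {top!r}")
    return URGENCY_BY_SCORE[top]


def enrich_notable(event: dict) -> dict:
    """Return a copy of a (hypothetical) notable-event dict with its urgency
    adjusted. Only Threat Activity notables change; all other notable types
    keep their existing urgency, as the FAQ states."""
    result = dict(event)
    if event.get("notable_type") != THREAT_ACTIVITY:
        return result
    new_urgency = urgency_for_scores(event.get("enclave_scores", []))
    if new_urgency is not None:
        result["urgency"] = new_urgency
    return result


if __name__ == "__main__":
    # Constructed sample events (indicator values are documentation addresses).
    sample = [
        {"notable_type": THREAT_ACTIVITY, "indicator": "198.51.100.7",
         "urgency": "Low", "enclave_scores": [1, 3, 2]},      # -> High
        {"notable_type": "Access", "indicator": "198.51.100.7",
         "urgency": "Low", "enclave_scores": [3]},            # unchanged
        {"notable_type": THREAT_ACTIVITY, "indicator": "example.net",
         "urgency": "Medium", "enclave_scores": []},          # unchanged
    ]
    for ev in sample:
        print(ev["indicator"], ev["notable_type"], "->", enrich_notable(ev)["urgency"])
```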
Q. How can I remove false positives from my KV Store?

If a false positive exists in your KV Store and it is not set to age out following an update to your company's Allow List, run this query in the Splunk "Search and Reporting" app to remove the false-positive URL from the appropriate KV Store collection:

|inputlookup http_intel | search NOT url="falsepositive.com" | outputlookup http_intel

To remove all variations of an entry (using a wildcard) for a particular indicator in the KV Store, run the following query in the Splunk Search and Reporting app:

|inputlookup http_intel | search NOT url="*falsepositive*" | outputlookup http_intel

Q. How can I restore Indicators accidentally deleted in Splunk ES?

In order to restore deleted Indicators in Splunk ES, you must reconfigure all the input configurations in the TruSTAR App, which then reloads the Indicators from TruSTAR to Splunk ES.

  1. Make note of all the input configurations, for example Name, Interval, Global Account, Enclave IDs, IOC Types, Tags, and Expiration Days. It may be easiest to take a screenshot or photo of the configuration.
  2. Delete the input configurations.
  3. Re-enter the input configurations using the information from step 1.

This removes the existing checkpoints for the inputs and restarts the ingestion process, which will restore the missing Indicators.
