FAQ: TruSTAR Unified App for Splunk Enterprise & Enterprise Security

Updated 2 weeks ago by TruSTAR

This article answers frequently asked questions about the TruSTAR Splunk App for Enterprise & Enterprise Security.

Q. How do I check my Splunk user account's permissions?

  1. Click the Settings menu in the upper-right corner, then click Access Controls.
     [Figure: SplunkES_Install_Figure1]
  2. On the Access Controls page, click Users.
  3. On the Users page, examine the Roles column. Any user who needs to use the Enrich or Submit actions requires Admin as one of their account roles.
     [Figure: SplunkES_Install_Figure3]

Q. What is the default TruSTAR Enclave for submissions from Splunk?

The default Enclave is Splunk ES Threat Activity.

Q. What is the mapping of Indicators to tables in the KV Store?

TruSTAR Observable Type          Splunk ES KV Store Collection    TruSTAR KV Store Collection (non-ES customers)
IP                               ip_intel                         trustar_ip_intel
URL                              http_intel                       trustar_http_intel
EMAIL ADDRESS                    email_intel                      trustar_email_intel
MD5, SHA1, SHA256, SOFTWARE      file_intel                       trustar_file_intel
REGISTRY_KEY                     registry_key                     trustar_registry_key

Q. Why can't I execute Submit or Enrich commands?

Splunk ES requires that the Splunk user account have Admin permissions in order to execute Submit or Enrich commands. You can check the error message in Splunk ES to see whether your permissions are the issue.

  1. To find the error message for an adaptive response action failure, click the hyperlink labeled View Adaptive Response Invocations. This takes you to a search results page.
     [Figure: SplunkES_FAQ_Figure1]
  2. Read through the log entries to find the error message. The text in the red box in the figure below shows an error caused by the user's Splunk account having insufficient role permissions.
     [Figure: SplunkES_FAQ_Figure2]

To check whether your account has the correct permissions, see the User Requirements section of the Install: TruSTAR Splunk App for Enterprise & Enterprise Security document.

Q. What is Splunk ES Urgency Scoring?

A Threat Activity Notable Event in Splunk ES contains a single Indicator, which enables TruSTAR to adjust the event's urgency score based on enrichment from TruSTAR Enclaves.

TruSTAR queries all the Enclaves you have access to in order to obtain the normalized scores for that Indicator. TruSTAR assigns the Indicator a score equal to the maximum of those normalized scores and sets the Notable Event's Urgency according to that score, as shown in the table below.

TruSTAR Normalized Indicator Score      Splunk ES Notable Event Urgency Score
0                                       Informational
1                                       Low
2                                       Medium
3                                       High
(no TruSTAR score maps to Critical)     Critical

TruSTAR can only enrich the Urgency Score for Threat Activity events. It cannot change the Urgency Score for any other type of Notable Event.

Q. How can I remove false positives from my KV Store?

If a false positive exists in your KV Store and it is not set to age out following an update to your company's Allow List, run this query in the Splunk Search and Reporting app to remove the false-positive URL from the appropriate KV Store:

|inputlookup http_intel | search NOT url="falsepositive.com" | outputlookup http_intel

To remove all variations of an entry for a particular indicator from the KV Store (using a wildcard), use the following query in the Splunk Search and Reporting app. Note that the wildcard matches any URL containing that substring and that outputlookup overwrites the collection with the filtered results, so review what the search matches before running the full command:

|inputlookup http_intel | search NOT url="*falsepositive*" | outputlookup http_intel

Q. How can I restore Indicators accidentally deleted in Splunk ES?

In order to restore deleted Indicators in Splunk ES, you must reconfigure all the input configurations in the TruSTAR App, which then reloads the Indicators from TruSTAR to Splunk ES.

  1. Make note of all the input configurations, for example Name, Interval, Global Account, Enclave IDs, IOC Types, Tags and Expiration Days. It may be easiest to take a screenshot or photo of each configuration.
  2. Delete the input configurations.
  3. Re-enter the input configurations using the information from step 1.

This removes the existing checkpoints for the inputs and restarts the ingestion process, which will restore the missing Indicators.

Q. My TruSTAR Unified app is printing warning or error log messages. What do they mean?

Each entry below lists the log level, the message, what it means, whether it means the app will not work, and what to do about it.

Log level: WARN
Message: Input <your modinput name>, Required collections not found: {'threat_intel_meta'}
What it means: Older versions of ES required the TruSTAR Unified app to update this collection every time the app created, updated or deleted records in the threat intel KV Stores. Newer versions of ES deprecated this KV Store.
Does this mean the app is not going to work? No.
What to do: Ignore it.

Log level: WARN
Message: No checkpoint found for enclave <one of your modinput's enclave IDs>, IOC type <a TruSTAR observable type> and input name <your modinput name>. Initializing new checkpoint.
What it means: This message always prints the first time one of your modinputs downloads observables of that type from that enclave, because the modinput has not yet stored a checkpoint for that download operation.
Does this mean the app is not going to work? No.
What to do: Ignore it.

Log level: WARN
Message: Input <your modinput name>, Too many IOCs with same lastSeen time <epoch timestamp milliseconds>, start paging results. This may result in loss of data
What it means:
  • The modinput encountered a TruSTAR "lastSeen" timestamp for which the enclave contained more than 1k observables.
  • If the enclave contains more than 10k observables with the same "lastSeen" timestamp, some of them may not end up in the KV Store.
  • This case is very rare, and should only happen if someone performed multiple indicator submissions (to the submit-indicators 1.3 endpoint or the CSV indicator submission UI) and specified the same "lastSeen" timestamp on more than 10k observables.
Does this mean the app is not going to work? No, but some of the observables from your enclave might not arrive in the Splunk KV Stores.
What to do: Ignore it. This edge case will be handled in future versions of the TruSTAR Unified app.

Log level: WARN
Message: The following enclaves could not be found: [<comma-separated list of TruSTAR enclave IDs>]
What it means: One or more of the enclave IDs specified in the modinput configs are not valid, or the "DOWNLOAD" account does not have read access to them. Possible causes:
  • (a) Your "DOWNLOAD" account did at one time have read access to the enclave, but someone with a Station Company Administrator account modified the "DOWNLOAD" account's permission to that enclave.
  • (b) Access to that enclave has been removed from your Station company account altogether.
  • (c) Your Station Company Administrator unsubscribed your company account from a particular integration, which removes that enclave from your company's access.
  • (d) The enclave ID was incorrect or invalid.
Does this mean the app is not going to work? No. The modinput will continue to download observables from the other valid enclave IDs that its "DOWNLOAD" credentials have access to.
What to do: You can ignore it, but we recommend reviewing and updating the modinput's enclave ID list so that it contains only valid enclave IDs that the "DOWNLOAD" account has appropriate access to.

Log level: ERROR
Message: 09-29-2021 15:34:46.421 +0000 ERROR sendmodalert [27651 AlertNotifierWorker-0] - action=trustar_enrich_threat_activity STDERR -  ERROR: ts_spl_unified.modalerts.enrich.notable_event_service: REST API call to add indicator summaries endpoint info to notable event 0F7E38BF-AA18-4529-9961-8E49CB2F0E70@@notable@@e9ecb3b7cee274a15bf671b866381502 failed.  Reason: b'<?xml version="1.0" encoding="UTF-8"?>\n<response>\n  <messages>\n    <msg type="WARN">insufficient permission to access this resource</msg>\n  </messages>\n</response>\n'
What it means: The Splunk user account attempting to run the "enrich" modaction does not have "update_notable_event" permissions.
Does this mean the app is not going to work? The Enrich action will not work as expected until the user's permissions are updated.
What to do: Give the user the "ess_admin" role.
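As an added example (not TruSTAR's or Splunk's own code), the following Python helper applies the message patterns from the table above to log lines and returns the FAQ's recommended action for each, extracting the enclave IDs, IOC type and timestamp so a ticket can be filed. The sample log lines, enclave IDs, input name and timestamp are constructed for illustration.

```python
import re

# Added example, not TruSTAR's code: classify TruSTAR Unified app log lines
# using the message patterns from the FAQ table. Sample lines, enclave IDs,
# input names and timestamps below are constructed for illustration.
SAMPLE_LOGS = [
    "WARN Input trustar_main, Required collections not found: {'threat_intel_meta'}",
    "WARN No checkpoint found for enclave enc-111, IOC type IP and input name "
    "trustar_main. Initializing new checkpoint.",
    "WARN Input trustar_main, Too many IOCs with same lastSeen time 1632929686421, "
    "start paging results. This may result in loss of data",
    "WARN The following enclaves could not be found: [enc-222, enc-333]",
    "ERROR sendmodalert - action=trustar_enrich_threat_activity STDERR - ERROR: "
    "REST API call failed. Reason: insufficient permission to access this resource",
]

# (pattern, category, recommended action); named groups capture the variable
# parts of each message so the triage result is actionable.
RULES = [
    (re.compile(r"Required collections not found: .*threat_intel_meta"),
     "deprecated_collection", "ignore"),
    (re.compile(r"No checkpoint found for enclave (?P<enclave>\S+), IOC type "
                r"(?P<ioc_type>\S+) and input name (?P<input>\S+)\."),
     "first_run_checkpoint", "ignore"),
    (re.compile(r"Too many IOCs with same lastSeen time (?P<last_seen_ms>\d+)"),
     "lastseen_paging", "ignore; some observables may not reach the kvstore"),
    (re.compile(r"The following enclaves could not be found: \[(?P<enclaves>[^\]]*)\]"),
     "unknown_enclaves", "review the modinput enclave IDs and DOWNLOAD account access"),
    (re.compile(r"action=trustar_enrich_threat_activity.*insufficient permission"),
     "enrich_permission", "grant the Splunk user the ess_admin role"),
]


def triage(line):
    """Return {"category", "action", "details"} for a known message, else None."""
    for pattern, category, action in RULES:
        match = pattern.search(line)
        if not match:
            continue
        details = {k: v.strip() for k, v in match.groupdict().items()}
        if "enclaves" in details:
            # Split the bracketed list so each bad enclave ID can be checked.
            details["enclaves"] = [e.strip() for e in details["enclaves"].split(",") if e.strip()]
        return {"category": category, "action": action, "details": details}
    return None


if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        print(triage(entry))
```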
