FAQ: TruSTAR Unified App for Splunk Enterprise & Enterprise Security

Updated 1 month ago by TruSTAR

This article answers frequently asked questions about the TruSTAR Splunk App for Enterprise & Enterprise Security.

Checking Splunk User Account Permissions
  1. Click the Settings menu in the upper-right corner, then click Access Controls.
    [Figure: SplunkES_Install_Figure1]
  2. On the Access Controls page, click Users.
  3. On the Users page, examine the Roles column. Any user who needs to use the Enrich or Submit actions requires Admin (the Splunk admin role) as one of their account roles.
    [Figure: SplunkES_Install_Figure3]
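The same check can be scripted against the Splunk REST API instead of the Users page. The script below is an added example and is not part of the TruSTAR app or its documentation: it parses the JSON that Splunk's authentication/users endpoint returns (entry[].name and entry[].content.roles) and lists every user who lacks the admin role. The payload embedded here is a constructed sample so the script runs offline; in practice you would fetch it with something like curl -sk -u admin "https://localhost:8089/services/authentication/users?output_mode=json".

```python
"""List Splunk users who lack the 'admin' role required for TruSTAR Enrich/Submit.

Added example, not TruSTAR or Splunk code. Parses the JSON shape returned by
/services/authentication/users?output_mode=json (entry[].name,
entry[].content.roles). SAMPLE_USERS_JSON is a constructed sample.
"""
import json

# Constructed sample shaped like Splunk's authentication/users response.
SAMPLE_USERS_JSON = json.dumps({
    "entry": [
        {"name": "admin", "content": {"roles": ["admin"], "realname": "Administrator"}},
        {"name": "soc_analyst", "content": {"roles": ["user", "ess_analyst"]}},
        {"name": "ir_lead", "content": {"roles": ["ess_admin", "admin"]}},
        {"name": "svc_ingest", "content": {}},  # edge case: no roles key at all
    ]
})

REQUIRED_ROLE = "admin"  # role the TruSTAR Enrich/Submit actions need


def user_roles(payload: str) -> dict:
    """Map user name -> list of roles from a Splunk users response."""
    data = json.loads(payload)
    return {
        entry["name"]: list(entry.get("content", {}).get("roles", []))
        for entry in data.get("entry", [])
    }


def users_missing_role(payload: str, role: str = REQUIRED_ROLE) -> list:
    """Return the sorted names of users whose roles do not include `role`."""
    return sorted(
        name for name, roles in user_roles(payload).items() if role not in roles
    )


if __name__ == "__main__":
    for name in users_missing_role(SAMPLE_USERS_JSON):
        print(f"{name}: cannot run TruSTAR Enrich/Submit (missing '{REQUIRED_ROLE}' role)")
```

Users whose entry carries no roles key at all are reported as well, since they certainly cannot run the actions.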
Q. What is the default TruSTAR Enclave for submissions from Splunk?

The default Enclave is Splunk ES Threat Activity.

Q. What Indicators are supported by this App?
  • Email Address
  • IP
  • MD5
  • SHA1
  • SHA256
  • Software
  • Registry Key
  • URL
Q. What is the mapping of Indicators to tables in the KV Store?

IP: ip_intel or trustar_ip_intel

URL: http_intel or trustar_http_intel

EMAIL ADDRESS: email_intel or trustar_email_intel

MD5, SHA1, SHA256, SOFTWARE: file_intel or trustar_file_intel

REGISTRY KEY: registry_key or trustar_registry_key

Q. Why can't I execute Submit or Enrich commands?

Splunk ES requires that the Splunk user account have Admin permissions in order to execute Submit or Enrich commands. Check the error message in Splunk ES to confirm whether permissions are the issue.

  1. To find the error message for an adaptive response action failure, click the hyperlink labeled View Adaptive Response Invocations. This takes you to a search results page.
    [Figure: SplunkES_FAQ_Figure1]
  2. Read through the log entries to find the error message. The text in the red box in the figure below shows an error caused by the user's Splunk account having insufficient role permissions.
    [Figure: SplunkES_FAQ_Figure2]

To check whether your account has the correct permissions, see the Checking Splunk User Account Permissions section above, or the User Requirements section of the Install: TruSTAR Splunk App for Enterprise & Enterprise Security document.

Q. What is Splunk ES Urgency Scoring?

A Threat Activity Notable Event in Splunk ES contains a single Indicator, which lets TruSTAR adjust the event's Urgency score based on enrichment from TruSTAR Enclaves.

TruSTAR queries all the Enclaves you have access to and obtains each Enclave's normalized score for that Indicator. TruSTAR assigns the Indicator a score equal to the maximum of those normalized scores and sets the Notable Event's Urgency according to that score, as shown in the table below.

TruSTAR Normalized Indicator Score    Splunk ES Notable Event Urgency Score
0                                     Informational
1                                     Low
2                                     Medium
3                                     High
(no TruSTAR score maps to Critical)   Critical

TruSTAR can only enrich the Urgency score of Threat Activity Notable Events. It cannot change the Urgency score of any other type of Notable Event, and since the maximum normalized score is 3, it never raises an event to Critical.
Q. How can I remove false positives from my KV Store?

If a false positive remains in your KV Store because it is not set to age out after an update to your company's Allow List, run this query in the Splunk "Search and Reporting" app to remove the false-positive URL from the appropriate KV Store collection (for other Indicator types, substitute the collection from the mapping above):

|inputlookup http_intel | search NOT url="falsepositive.com" | outputlookup http_intel

To remove all variations of an entry (using a wildcard) for a particular Indicator in the KV Store, use the following query in the Splunk Search and Reporting app:

|inputlookup http_intel | search NOT url="*falsepositive*" | outputlookup http_intel

Note that outputlookup rewrites the whole collection with the results of the search, and a wildcard such as *falsepositive* also matches any unrelated entry that merely contains that text. Preview what will be dropped before committing it by running the search stage without NOT and without the outputlookup stage, for example |inputlookup http_intel | search url="*falsepositive*".
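To see the difference between the exact-match and wildcard forms before touching the collection, the following added example (not TruSTAR or Splunk code) models the two queries above on a handful of constructed http_intel rows. It assumes Splunk search-command semantics for a field=value term: the comparison is case-insensitive and `*` is the only wildcard. The point it makes is that `*falsepositive*` also removes "notfalsepositive.com", which the exact form leaves alone.

```python
"""Preview which http_intel rows `| search NOT url=<pattern>` would drop.

Added example, not TruSTAR or Splunk code. Models the SPL field=value match
(assumed: case-insensitive, `*` wildcard) on constructed rows so the effect
of an exact versus wildcard filter can be checked before running outputlookup.
"""
import re

# Constructed rows shaped like the http_intel collection (url field).
HTTP_INTEL = [
    {"url": "falsepositive.com", "threat_key": "trustar_http_intel"},
    {"url": "FalsePositive.com/login", "threat_key": "trustar_http_intel"},
    {"url": "notfalsepositive.com", "threat_key": "trustar_http_intel"},
    {"url": "malware.example", "threat_key": "trustar_http_intel"},
]


def spl_pattern_to_regex(pattern: str) -> "re.Pattern":
    """Turn an SPL field-value pattern (literal text plus `*`) into an anchored regex."""
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def split_rows(rows, field, pattern):
    """Partition rows into (kept, removed) as `| search NOT field=pattern` would."""
    regex = spl_pattern_to_regex(pattern)
    kept, removed = [], []
    for row in rows:
        (removed if regex.match(row.get(field, "")) else kept).append(row)
    return kept, removed


def removed_urls(rows, pattern):
    """Convenience: the url values that `| search NOT url=pattern` would drop."""
    return [row["url"] for row in split_rows(rows, "url", pattern)[1]]


if __name__ == "__main__":
    for pattern in ("falsepositive.com", "*falsepositive*"):
        print(f'search NOT url="{pattern}" would remove: {removed_urls(HTTP_INTEL, pattern)}')
```

If the preview shows more than the entry you meant to remove, narrow the pattern (for example anchor it with `falsepositive.com*`) before running the query with outputlookup.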

Q. How can I restore Indicators accidentally deleted in Splunk ES?

In order to restore deleted Indicators in Splunk ES, you must reconfigure all the input configurations in the TruSTAR App, which then reloads the Indicators from TruSTAR to Splunk ES.

  1. Make note of all the input configurations. For example, Name, Interval, Global Account, Enclave IDs, IOC Types, Tags, Expiration Days. It may be easiest to take a screen shot or photo of the configuration.
  2. Delete the input configurations.
  3. Re-enter the input configurations using the information from step 1.

This removes the existing checkpoints for the inputs and restarts the ingestion process, which will restore the missing Indicators.
