User Guide: TruSTAR for Splunk ES

Updated 5 months ago by TruSTAR

This document explains how to use the TruSTAR Workflow App for Splunk Enterprise Security (ES).

Splunk ES uses correlation searches to provide visibility into security-relevant threats and generates Notable Events for tracking the threats it identifies. The TruSTAR Workflow App for Splunk ES supports detecting, investigating, and responding to those Notable Events.

Features

You can use the TruSTAR Workflow App for Splunk ES to:

  • Enrich a Notable Event in Splunk ES. This process uses the Threat Match value in the Notable Event to search one or more TruSTAR Enclaves for more information about that value and adds any new information to the Event.
  • Submit a Notable Event to TruSTAR, either automatically or manually. This creates an Intelligence Report in your TruSTAR Enclave. You can use that Enclave to set up workflows within TruSTAR or to configure inputs in Splunk ES that filter the enriched data back into KV Stores.

Enriching a Notable Event

You can enrich a Notable Event using the TruSTAR Enclaves specified in the TruSTAR App configuration.

  1. Create an ad-hoc search by specifying values in the Status, Owner, or other fields displayed on the screen. In the example screen below, the only parameter selected was "Last 90 Days" in the Time field. The Incident Review search returned the list of results you see at the bottom of the screen.
    SplunkES_UserGuide_Figure1
  2. Click the Actions caret on the far right of any event to display the Actions menu.
    SplunkES_UserGuide_Figure2
  3. Choose Run Adaptive Response Actions from that menu. This displays a dialog box of possible actions.
    SplunkES_UserGuide_Figure3
  4. Click the TruSTAR - Enrichment option. (Note: You may need to scroll down to display this option.) This displays the dialog box where you can configure the enrichment action.
    SplunkES_UserGuide_Figure4
  5. Select the Enclave(s) to use for the enrichment:
  • Default Enrichment: Queries the Enclaves you configured in the TruSTAR App as enrichment enclaves.
  • Custom Enrichment: Queries a specified list of one or more TruSTAR Enclaves, or ALL Enclaves. To specify a list of Enclaves, provide the Enclave IDs separated by commas.
  6. Adjust the Urgency setting. This allows the enrichment to adjust the urgency of the Notable Event based on the information the enrichment returns. TruSTAR recommends leaving this setting Enabled.
  7. Click Run to start the enrichment action. The dialog box displayed below confirms that the enrichment action is being executed.
    SplunkES_UserGuide_Figure5
  8. Click X in the upper right corner to close this message box and return to the list of Notable Events.
  9. To view the results of the enrichment, expand the Notable Event by clicking the caret on the far left of it. This displays the details of the event. In the example screen below, you can see that the TruSTAR - Enrichment action displays Success as its status, meaning the action has completed.
    SplunkES_UserGuide_Figure6
  10. Click the TruSTAR - Enrichment link to see the details of what the enrichment action returned. Based on the enrichment from TruSTAR, the Urgency indicator for the Notable Event may be raised or lowered.
Details
This enrichment action checks only the Enclaves specified in the Configuration section of the TruSTAR App. It displays the information those Enclaves hold at the time the action runs; to receive additional enrichment, rerun the action.

TruSTAR will only raise the severity of an Event; it will never lower the severity. For example, if an event has a Critical severity score and TruSTAR rates it as High, the Urgency rating remains unchanged.
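The two input rules described above (a Custom Enrichment value of either ALL or a comma-separated list of Enclave GUIDs, and urgency that can only be raised, never lowered) are small enough to model directly. The following is an added illustration written for this guide, not code from the TruSTAR App; it assumes the standard Splunk ES urgency scale (informational through critical) and that the TruSTAR rating uses the same level names.

```python
import uuid

# Splunk ES urgency scale from lowest to highest (assumption: standard ES values).
URGENCY_LEVELS = ["informational", "low", "medium", "high", "critical"]


def adjusted_urgency(current: str, trustar_rating: str) -> str:
    """Apply the rule from the guide: enrichment may raise the urgency of a
    Notable Event but never lower it. Returns the resulting urgency level."""
    cur = current.strip().lower()
    new = trustar_rating.strip().lower()
    if cur not in URGENCY_LEVELS or new not in URGENCY_LEVELS:
        raise ValueError(f"unknown urgency value: {current!r} / {trustar_rating!r}")
    # Keep whichever level is higher on the scale.
    return max(cur, new, key=URGENCY_LEVELS.index)


def parse_enrichment_enclaves(field: str):
    """Parse the Custom Enrichment field as the guide describes it:
    the literal ALL, or a comma-separated list of Enclave IDs (GUIDs).
    Returns None for ALL, otherwise the list of validated, normalised GUIDs."""
    text = field.strip()
    if text.upper() == "ALL":
        return None
    enclave_ids = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate a stray trailing or doubled comma
        try:
            uuid.UUID(item)  # rejects anything that is not a well-formed GUID
        except ValueError:
            raise ValueError(f"not a valid Enclave GUID: {item!r}") from None
        enclave_ids.append(item.lower())
    if not enclave_ids:
        raise ValueError("no Enclave IDs given")
    return enclave_ids
```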

Submitting Notable Events to TruSTAR

You can configure the TruSTAR App to automatically submit Notable Events or you can manually submit Notable Events as required by your team's processes.

Automatic Submission

  1. Choose Enterprise Security from the App pull-down menu on the top-level Splunk menu.
    SplunkES_Install_Figure14
  2. Click the Configure menu, then click the Content menu, and then click Content Management.
    SplunkES_Install_Figure15
  3. Search for "threat activity detected" and then click the correlation search named Threat Activity Detected. This opens a configuration window for that search.
    SplunkES_Install_Figure17
  4. In the configuration window, scroll to the Adaptive Response Actions section, then click the caret next to Notable.
    SplunkES_Install_Figure19
  5. In the Next Steps text box, add these two lines, separated by 2 newline characters:
    [[action|trustar_submit_event]]


    [[action|trustar_enrich_threat_activity]]
  6. In the Recommended Actions section, select TruSTAR - Enrichment and TruSTAR - Submit. The configuration should now look like this example:
    SplunkES_Install_Figure20
  7. Go back to the Adaptive Response Actions section and choose Add New Response Action, then select the TruSTAR - Submit action.
  8. Configure the Submit action by adding a Report Title and any comments you want to attach to the event. The configuration should now look like this:
    SplunkES_Install_Figure22
  9. Click the green Save button in the lower right corner to complete the configuration.

Manual Submission

  1. Click the Actions caret at the far right of a Notable Event to display the Actions menu.
  2. Click Run Adaptive Response Actions from that menu. This displays a dialog box of possible actions.
    SplunkES_UserGuide_Figure8
  3. Click the TruSTAR - Submit option. This displays the dialog box where you can configure the reporting action.
    SplunkES_UserGuide_Figure9
  4. Select the settings you want to use:
  • Report Title: The report title displayed in TruSTAR.
  • Additional Comments: Use this field for notes on the event that you or your team may find useful.
  • Custom or Default: Selects whether to use the default submission Enclave specified in the TruSTAR App configuration.
  • Custom Enclave ID: If you choose Custom, use this field to specify the GUID of the Enclave you want to use for this Intel Report.
  • Redact: Selects whether to redact information specified in your TruSTAR Redaction Library. By default, redaction is disabled.
  5. Click Run to submit the Intel Report. A popup window confirms that the report has been submitted.

Viewing Submission Status

To view the status of the report submission, expand the Notable Event by clicking the caret on the far left of it. In the example screen below, you can see that the TruSTAR - Report action displays Success as its status, meaning the report has been submitted.

Viewing the TruSTAR Report

To view the report itself, you can log in to the TruSTAR Web App. When TruSTAR receives the Intel Report, it queries all specified Enclaves for enrichment. This process can take a while to complete.

Rerunning Enrichment

You can receive updated enrichment for the Notable Event by rerunning the Enrichment process.

When rerunning an enrichment action, TruSTAR recommends waiting at least 20 minutes after submitting the report to ensure that TruSTAR has fully processed the report and your Enclaves have been updated. It can take up to 90 minutes to receive full enrichment back from TruSTAR and from query-based external intelligence sources.
Details
TruSTAR can only return information for query-based feeds when the information has been parsed and added to the Attribute Summary Table for that intel source. Check the Intel Feeds FAQ to see which intel sources have Attribute Summary Tables.