Splunk ES User Guide

Updated 1 month ago by Elvis Hovor

This document explains how to use TruSTAR integrated into Splunk Enterprise Security (ES).

For setup and troubleshooting, see our Installation doc or our FAQ for Splunk ES.

Splunk ES uses correlation searches to provide visibility into security-relevant threats and generates notable events for tracking the threats it identifies. TruSTAR's Splunk ES workflow app is an industry-leading integration that supports detecting, investigating, and responding to notable events and alerts.

With the TruSTAR integration into Splunk ES, you can

  • Accelerate investigations: Ingest pre-filtered OSINT and Premium Intelligence feeds from your TruSTAR enclaves into the Splunk KV store and match them against your internal log events. You can configure the application to select only the indicator types that are relevant to your logs.
  • Prioritize alerts: Set priorities for Splunk alerts by fusing TruSTAR intelligence with the Splunk ES native severity rating. Use TruSTAR's enrichment of Notable Events to view pass-through scores from Premium Intelligence feeds and help prioritize notable events.
  • Investigate and respond: Report relevant notable events to TruSTAR for further enrichment and correlation with historical data. You can share the full notable event or redact it before submission so that internal details do not leave your environment.

Configuring Indicator Types

When setting up the TruSTAR App, you can configure which types of observables to pull from which enclaves. For example, you may want to pull only IP information from one enclave and only email addresses from another. You can edit these inputs at any time by changing your configuration.

For more information, see Configuring Inputs to Splunk ES in the Splunk ES Installation document.

Enriching a Notable Event

You can enrich a Notable Event using TruSTAR data ingested from the enrichment enclaves specified in the TruSTAR App configuration. The action takes the Threat Match value in the Notable Event, searches one or more TruSTAR enclaves for information about that value, and adds any new information to the event.

  1. Create an ad-hoc search by specifying values in Status, Owner or other fields displayed on the screen. In the example screen below, the only parameter selected was "Last 90 Days" in the Time field. The Incident Review search returned the list of results you see at the bottom of the screen.
    SplunkES_UserGuide_Figure1
  2. Click the Actions caret on the far right of any event to display the Actions menu.
    SplunkES_UserGuide_Figure2
  3. Choose Run Adaptive Response Actions from that menu. This displays a dialog box of possible actions.
    SplunkES_UserGuide_Figure3
  4. Click the TruSTAR - Enrichment option. (Note: You may need to scroll down to display this option.) This displays the dialog box where you configure the enrichment action.
    SplunkES_UserGuide_Figure4
  5. Select the enclave(s) to use for the enrichment:
  • Default Enrichment: Queries the enclaves configured in the TruSTAR App as enrichment enclaves.
  • Custom Enrichment: Queries a specified list of one or more TruSTAR enclaves, or ALL enclaves. To specify a list of enclaves, enter their enclave IDs separated by commas.
  6. Set the Urgency option. When enabled, the enrichment action may adjust the urgency of the Notable Event based on the information it returns. TruSTAR recommends leaving this setting Enabled.
  7. Click Run to start the enrichment action. The dialog box displayed below confirms that the enrichment action is being executed.
    SplunkES_UserGuide_Figure5
  8. Click X in the upper right corner to close this message box and return to the list of Notable Events.
  9. To view the results of the enrichment, expand the Notable Event by clicking the caret on the far left of it. This displays the details of the event. In the example screen below, the TruSTAR - Enrichment action shows a status of Success, meaning the action has completed.
    SplunkES_UserGuide_Figure6
  10. Click the TruSTAR - Enrichment link to see the details of what the enrichment action returned. Based on the enrichment from TruSTAR, the Urgency of the Notable Event may have been raised (it is never lowered; see the note below).

The enrichment action checks only the enclaves you selected (by default, the enrichment enclaves specified in the Configuration section of the TruSTAR App) and it displays only the information those enclaves hold at that moment in time.

TruSTAR will only raise the Urgency of an event; it will never lower it. For example, if an event already has Critical urgency and TruSTAR rates the indicator as High, the Urgency remains Critical.
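Two inputs in this dialog have behaviour worth pinning down: the Custom Enrichment text field (comma-separated enclave IDs, or the literal ALL) and the Urgency rule (raise, never lower). The following is an added example that models how those inputs are interpreted; it is not code from TruSTAR's app. The UUID format for enclave IDs, the function names, and the assumption that a TruSTAR rating has already been mapped onto the Splunk ES urgency scale (informational, low, medium, high, critical) are assumptions made here, not statements from this guide.

```python
# Added example (not TruSTAR's code): a model of how the two inputs of the
# TruSTAR - Enrichment dialog are interpreted.
import re
from typing import List, Optional

# Splunk ES urgency levels, ordered from lowest to highest.
URGENCY_LEVELS = ["informational", "low", "medium", "high", "critical"]

# Assumption: enclave IDs are UUIDs (the guide calls them GUIDs in the Submit dialog).
ENCLAVE_ID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def is_enclave_id(token: str) -> bool:
    """True if token looks like a TruSTAR enclave ID (UUID form, assumed)."""
    return bool(ENCLAVE_ID_RE.match(token))


def parse_enclave_selection(mode: str, custom_text: str = "",
                            default_enclaves: Optional[List[str]] = None) -> Optional[List[str]]:
    """Return the enclave IDs the enrichment will query, or None meaning ALL enclaves.

    mode is "default" or "custom", as chosen in the dialog. For "custom", custom_text is
    the free-text field: either the literal ALL or one or more enclave IDs separated by
    commas. Anything that is not a well-formed ID is rejected rather than silently dropped.
    """
    if mode == "default":
        return list(default_enclaves or [])
    if mode != "custom":
        raise ValueError(f"unknown enrichment mode: {mode!r}")
    text = custom_text.strip()
    if text.upper() == "ALL":
        return None
    ids = [t.strip() for t in text.split(",") if t.strip()]
    if not ids:
        raise ValueError("Custom Enrichment needs at least one enclave ID or ALL")
    bad = [t for t in ids if not is_enclave_id(t)]
    if bad:
        raise ValueError(f"not enclave IDs: {bad}")
    return ids


def fuse_urgency(current: str, trustar_rating: Optional[str], adjust_enabled: bool = True) -> str:
    """Apply the rule stated in the guide: enrichment may raise Urgency but never lowers it.

    trustar_rating is assumed to be already mapped onto the ES urgency scale; None means the
    enclaves returned nothing for the Threat Match value, which leaves Urgency unchanged.
    """
    if not adjust_enabled or trustar_rating is None:
        return current
    cur = URGENCY_LEVELS.index(current.lower())
    new = URGENCY_LEVELS.index(trustar_rating.lower())
    return URGENCY_LEVELS[max(cur, new)]


if __name__ == "__main__":
    # The guide's own example: Critical stays Critical when TruSTAR says High.
    print(fuse_urgency("critical", "high"))   # critical
    print(fuse_urgency("low", "high"))        # high
    print(parse_enclave_selection("custom", "ALL"))  # None, i.e. query every enclave
```

The point of validating the custom field is that a typo in one enclave ID should fail loudly rather than quietly narrow the enrichment to the remaining enclaves; the point of `max()` is that a lower TruSTAR rating can never mask an analyst's or correlation search's higher urgency.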

Reporting a Notable Event to TruSTAR

To receive the most current information from your premium intelligence sources in TruSTAR Station, you should submit the Notable Event to TruSTAR as a report. This will query all your TruSTAR enclaves for enrichment and provide the most complete and updated information available. You can then rerun the enrichment action on the Notable Event to receive updated enrichment.

  1. Click the Actions caret at the far right of a Notable Event to display the Actions menu.
  2. Click Run Adaptive Response Actions from that menu. This displays a dialog box of possible actions.
    SplunkES_UserGuide_Figure8
  3. Click the TruSTAR - Submit option. (Note: You may need to scroll down to display this option.) This displays the dialog box where you configure the reporting action.
    SplunkES_UserGuide_Figure9
  4. Select the settings you want to use:
  • Report Title: The report title displayed in TruSTAR Station.
  • Additional Comments: Notes on the event that you or your team may find useful.
  • Custom or Default: Selects whether to use the default submission enclave specified in the TruSTAR App configuration or an enclave you name here.
  • Custom Enclave ID: If you choose Custom, use this field to specify the GUID of the enclave to submit this report to.
  • Redact: Selects whether to redact the information specified in your TruSTAR Redaction Library from the report. Redaction is disabled by default, so unless you enable it the Notable Event is shared in full, including any internal hostnames, usernames or addresses it contains.
  5. Click Run to submit the report. The dialog box displayed below confirms that the report has been submitted.
    SplunkES_UserGuide_Figure10
  6. Click X in the upper right corner to close this message box and return to the list of Notable Events.
  7. To view the status of the report submission, expand the Notable Event by clicking the caret on the far left of it. In the example screen below, the TruSTAR - Report action shows a status of Success, meaning the report has been submitted.
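To make the Redact choice concrete, here is an added example of what a report body built from a Notable Event looks like with Redact off (the default) and on. The redaction rules, the sample event and the field layout are constructed stand-ins written for this guide; they are not TruSTAR's Redaction Library, its report format, or its code.

```python
# Added example (not TruSTAR's code): what the Redact option changes in a submitted report.
import re
from typing import Dict, List, Tuple

# Constructed stand-in for entries in a TruSTAR Redaction Library: (pattern, replacement).
REDACTION_LIBRARY: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\b[\w-]+\.corp\.example\b"), "<REDACTED_HOST>"),               # internal hostnames
    (re.compile(r"\bCORP\\[\w.]+"), "<REDACTED_USER>"),                          # domain accounts
    (re.compile(r"\b10\.(?:\d{1,3}\.){2}\d{1,3}\b"), "<REDACTED_INTERNAL_IP>"),  # 10/8 addresses
]


def redact(text: str, library=REDACTION_LIBRARY) -> str:
    """Replace every library match in text with its placeholder token."""
    for pattern, token in library:
        text = pattern.sub(token, text)
    return text


def build_report_body(notable: Dict[str, str], comments: str = "", redact_enabled: bool = False) -> str:
    """Render a Notable Event as report text; redact_enabled defaults to False as in the dialog."""
    lines = [f"{key}: {value}" for key, value in sorted(notable.items())]
    if comments:
        lines.append(f"comments: {comments}")
    body = "\n".join(lines)
    return redact(body) if redact_enabled else body


# Constructed Notable Event: an external Threat Match value plus internal context.
SAMPLE_NOTABLE = {
    "rule_name": "Threat Activity Detected",
    "threat_match_value": "198.51.100.23",   # TEST-NET-2 address standing in for the indicator
    "src": "10.20.30.40",
    "dest": "fileserver01.corp.example",
    "user": "CORP\\jdoe",
    "urgency": "high",
}


def submission_preview(redact_enabled: bool) -> str:
    """Report body for the sample event with Redact on or off."""
    return build_report_body(SAMPLE_NOTABLE, "Seen in proxy logs", redact_enabled)


if __name__ == "__main__":
    print("--- Redact disabled (default) ---")
    print(submission_preview(False))
    print("--- Redact enabled ---")
    print(submission_preview(True))
```

With Redact enabled the external indicator survives, which is what the enclave needs for correlation, while the internal host, account and address are replaced by placeholders. Whatever your real Redaction Library contains, previewing the submitted text this way before enabling bulk submission is a cheap check against leaking internal identifiers to a shared enclave.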

To view the report itself, you can log into TruSTAR Station. When TruSTAR Station receives the report, it queries all your TruSTAR enclaves for enrichment. This process can take a while to complete.

You can receive updated enrichment for the Notable event by rerunning the Enrichment process.

When rerunning an enrichment action, TruSTAR recommends that you wait at least 20 minutes after submitting the report to ensure that the report has been fully processed in Station and your enclaves have been updated. It can take up to 90 minutes to receive full enrichment back from Station and query-based sources.
TruSTAR can only return information for query-based feeds when the information has been parsed and added to the Attribute Summary Table for that intel source. Check the Intel Feeds FAQ to see which intel sources have Attribute Summary Tables.

