User Guide: TruSTAR for Splunk ES

Updated 6 days ago by Elvis Hovor

This document explains how to use the TruSTAR Workflow App for Splunk Enterprise Security (ES).

Splunk ES uses correlation searches to provide visibility into security-relevant threats and generates notable events for tracking the threats it identifies. The TruSTAR Workflow App for Splunk ES is an industry-leading integration that supports the detection and investigation of, and response to, notable events and alerts.

Features

You can use the TruSTAR Workflow App for Splunk ES to:

  • Accelerate investigations: Ingest pre-filtered open source and Premium Intelligence feeds from your TruSTAR Enclaves into the Splunk KV store to alert against internal log events. You can configure the application to select only the Indicator types that are relevant to your organization.
  • Prioritize alerts: Set priorities for Splunk alerts by fusing TruSTAR intelligence with the Splunk ES native severity rating. Use TruSTAR's enrichment of Notable Events to view pass-through scores from Premium Intelligence feeds and help prioritize notable events.
  • Investigate and respond: Report relevant notable events to TruSTAR for further enrichment and correlation with historical data. You can share the full notable event or redact it for added security.

Configuring Indicator Types

When setting up the TruSTAR App, you can configure which types of Indicators to pull from which Enclaves. For example, you may want to pull only IP addresses from one Enclave and only email addresses from another. You can edit these inputs at any time by changing your configuration.

For more information, see Creating Inputs to Splunk ES in the Install: TruSTAR Workflow App for Splunk ES support document.

Enriching a Notable Event

You can enrich a Notable Event using TruSTAR data ingested from the Enclaves specified in the TruSTAR App configuration. This process uses the Threat Match value in the Notable Event to search one or more TruSTAR Enclaves for more information about that value and adds any new information to the Event.

  1. Create an ad-hoc search by specifying values in Status, Owner or other fields displayed on the screen. In the example screen below, the only parameter selected was "Last 90 Days" in the Time field. The Incident Review search returned the list of results you see at the bottom of the screen.
    [Figure: SplunkES_UserGuide_Figure1]
  2. Click the Actions carat on the far right of any event to display the Actions menu.
    [Figure: SplunkES_UserGuide_Figure2]
  3. Choose Run Adaptive Response Actions from that menu. This displays a dialog box of possible actions.
    [Figure: SplunkES_UserGuide_Figure3]
  4. Click the TruSTAR - Enrichment option. (Note: You may need to scroll down to display this option.) This displays the dialog box where you can configure the enrichment action.
    [Figure: SplunkES_UserGuide_Figure4]
  5. Select the Enclave(s) to use for the enrichment:
     • Default Enrichment: Queries the Enclaves you configured in the TruSTAR App as enrichment Enclaves.
     • Custom Enrichment: Queries a specified list of one or more TruSTAR Enclaves, or ALL Enclaves. To specify a list of Enclaves, provide their Enclave IDs separated by commas.
  6. Adjust the Urgency setting. This allows the enrichment to adjust the urgency of the Notable Event based on the information the enrichment returns. TruSTAR recommends leaving this setting Enabled.
  7. Click Run to start the enrichment action. The dialog box shown below confirms that the enrichment action is being executed.
    [Figure: SplunkES_UserGuide_Figure5]
  8. Click X in the upper right corner to close this message box and return to the list of Notable Events.
  9. To view the results of the enrichment, expand the Notable Event by clicking the carat on the far left of it. This displays the details of the event. In the example screen below, the TruSTAR - Enrichment action shows a status of Success, meaning the action has completed.
    [Figure: SplunkES_UserGuide_Figure6]
  10. Click the TruSTAR - Enrichment link to see the details of what the enrichment action returned. Based on the enrichment from TruSTAR, the Urgency indicator for the Notable Event may be raised or lowered.

This enrichment action checks only the Enclaves specified in the Configuration section of the TruSTAR App for Splunk ES, and it displays only the information those Enclaves hold at that moment in time.

TruSTAR will only raise the severity of an Event; it will never lower it. For example, if an event has a Critical severity score and TruSTAR rates it as High, the Urgency rating remains unchanged.
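The raise-only Urgency rule above, together with the Urgency toggle from step 6, modelled as an added example (this is not the TruSTAR app's own code). It assumes Splunk ES urgency levels are ordered informational < low < medium < high < critical and that the TruSTAR rating has already been mapped onto that same scale; the event IDs and ratings in the sample are constructed.

```python
from typing import Dict, Optional, Tuple

# Assumed ordering of Splunk ES urgency levels, lowest to highest.
URGENCY_ORDER = ["informational", "low", "medium", "high", "critical"]


def merge_urgency(current: str, trustar_rating: Optional[str],
                  adjust_enabled: bool = True) -> str:
    """Return the Notable Event urgency after a TruSTAR - Enrichment run.

    Raise-only rule from the guide: the urgency goes up when TruSTAR's rating
    is higher than the current value and is left alone otherwise. When the
    Urgency setting is disabled, or the Enclaves returned no rating, the
    current value is returned untouched.
    """
    if not adjust_enabled or trustar_rating is None:
        return current
    cur, new = current.lower(), trustar_rating.lower()
    if cur not in URGENCY_ORDER or new not in URGENCY_ORDER:
        # Unknown levels cannot be compared safely; never change the event.
        return current
    if URGENCY_ORDER.index(new) > URGENCY_ORDER.index(cur):
        return new
    return current


def enrich_events(events: Dict[str, str], ratings: Dict[str, Optional[str]],
                  adjust_enabled: bool = True) -> Dict[str, Tuple[str, str]]:
    """Apply merge_urgency to a batch of notable events.

    `events` maps event_id -> current urgency; `ratings` maps event_id -> the
    rating enrichment returned (a missing key means the Enclaves had nothing on
    that Threat Match). Returns {event_id: (before, after)} for review.
    """
    result = {}
    for event_id, urgency in events.items():
        after = merge_urgency(urgency, ratings.get(event_id), adjust_enabled)
        result[event_id] = (urgency, after)
    return result


if __name__ == "__main__":
    # Constructed sample: three notable events and what enrichment returned.
    sample_events = {"ev-1": "critical", "ev-2": "medium", "ev-3": "low"}
    sample_ratings = {"ev-1": "high", "ev-2": "high"}
    for eid, (before, after) in enrich_events(sample_events, sample_ratings).items():
        print(f"{eid}: {before} -> {after}")
```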

Reporting a Notable Event to TruSTAR

To receive the most current information from your premium intelligence sources in TruSTAR, you should submit the Notable Event to TruSTAR as an Intel Report. This will query all TruSTAR Enclaves available to you for enrichment to provide the most complete and updated information available. You can then rerun the enrichment action on the Notable Event to receive updated enrichment.

  1. Click the Actions carat on the far right of a Notable Event to display the Actions menu.
  2. Click Run Adaptive Response Actions from that menu. This displays a dialog box of possible actions.
    [Figure: SplunkES_UserGuide_Figure8]
  3. Click the TruSTAR - Submit option. (Note: You may need to scroll down to display this option.) This displays the dialog box where you can configure the reporting action.
    [Figure: SplunkES_UserGuide_Figure9]
  4. Select the settings you want to use:
     • Report Title: The report title displayed in TruSTAR.
     • Additional Comments: Use this field for notes on the event that you or your team may find useful.
     • Custom or Default: Selects whether or not to use the default submission Enclave specified in the TruSTAR App configuration.
     • Custom Enclave ID: If you choose Custom Enclave, use this field to specify the GUID of the Enclave you want to use for this Intel Report.
     • Redact: Selects whether or not to redact the information specified in your TruSTAR Redaction Library. By default, redaction is disabled.
  5. Click Run to submit the Intel Report. The dialog box shown below confirms that the report has been submitted.
    [Figure: SplunkES_UserGuide_Figure10]
  6. Click X in the upper right corner to close this message box and return to the list of Notable Events.
  7. To view the status of the report submission, expand the Notable Event by clicking the carat on the far left of it. In the example screen below, the TruSTAR - Report action shows a status of Success, meaning the report has been submitted.

To view the report itself, you can log in to the TruSTAR Web App. When TruSTAR receives the Intel Report, it queries all specified Enclaves for enrichment. This process can take a while to complete.

You can receive updated enrichment for the Notable event by rerunning the Enrichment process.

When rerunning an enrichment action, TruSTAR recommends that you wait at least 20 minutes after submitting the report to ensure that the report has been fully processed by TruSTAR and your Enclaves have been updated. It can take up to 90 minutes to receive full enrichment back from TruSTAR and query-based external intelligence sources.

TruSTAR can only return information for query-based feeds when the information has been parsed and added to the Attribute Summary Table for that intel source. Check the Intel Feeds FAQ to see which intel sources have Attribute Summary Tables.