User Guide: TruSTAR Unified App for Splunk Enterprise & Enterprise Security
- Download Observables from TruSTAR -> KvStores
- Whitelist Reconciliation
- Domain White-listing
- Manually Enriching a Notable Event
- Manually Submitting a Notable Event
- Research an Observable in TruSTAR
This document explains how to use the TruSTAR Unified Workflow App for Enterprise & Enterprise Security (ES).
- Install: TruSTAR Unified App for Splunk
- FAQ: TruSTAR Unified App for Splunk
- Video: TruSTAR Unified App for Splunk Enterprise & Enterprise Security
Depending on which version of Splunk you are using, different features are available.
If you have Splunk Enterprise, you can use the TruSTAR Splunk APP for Enterprise & Enterprise Security to:
- Load Indicators from TruSTAR. Collect Indicators from TruSTAR Enclaves and load them into the Splunk KV Store to alert against internal log events. See the Configuring Inputs section of the Install KB article for instructions on how to set up these inputs.
Splunk ES users can use the TruSTAR Splunk APP for Enterprise & Enterprise Security to load indicators (as above) and also to work with Notable Events:
- Manually Enrich a Notable Event in Splunk ES. This process uses the Threat Match value in the Notable Event to search one or more TruSTAR Enclaves for more information about that value and adds any new information to the Event.
- Manually submit a Notable Event to TruSTAR. This creates an Intelligence Report in the TruSTAR Enclave you specified when configuring the App. You can use that Enclave to set up workflows within TruSTAR or to configure inputs in Splunk ES that filter the enriched data back into KV stores.
Download Observables from TruSTAR -> KvStores
- The app's modinput can be used to populate Splunk kvstores with observables from TruSTAR enclaves. See the install guide for setup instructions.
- If a modinput configuration is deleted, all the observables it downloaded will be removed from the kvstores.
- These observables remain available in TruSTAR, so users can delete and re-create modinputs as needed.
Whitelist Reconciliation
- Once every 12 hours, the modinput downloads the entire company whitelist from TruSTAR and removes from the kvstores any observable/type combination that is present in the company whitelist.
- The whitelist reconciliation process also removes from the kvstores all URL and domain records (added by the TruSTAR Unified app) whose TLD is present in the company whitelist.
Domain White-listing
Example 1
- TruSTAR Whitelist Record: When the whitelisted value includes a subdomain, the app will only remove the URL if it also includes that subdomain.
- Will KvStore Record be removed? No. In this example, the URL in question is a member of the same top-level domain, but not a member of the subdomain that is whitelisted, so it will not be removed.
Example 2
- TruSTAR Whitelist Record: The whitelisted URL value must precisely match the kvstore URL's value for it to be removed.
- Will KvStore Record be removed? Only if its value precisely matches the whitelisted URL's value.
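The following Python script is an added worked example of the reconciliation rules described in this section (the 12-hourly observable/type pruning and the domain and URL matching rules); it is written for this guide and is not the TruSTAR app's own code. It assumes things the guide does not spell out: kvstore rows and whitelist entries are represented as dicts with constructed `indicator_type` and `value` fields, a whitelisted domain covers the domain itself and every host below it while a whitelisted subdomain covers only hosts at or below that subdomain, and a whitelisted URL removes only a kvstore URL with exactly the same value. All sample rows are constructed.

```python
"""Worked illustration of the whitelist reconciliation rules in this guide.

Added example, not the TruSTAR app's own code. Assumptions: rows are dicts
with `indicator_type` and `value` (constructed field names); a whitelisted
DOMAIN covers itself and every subdomain, a whitelisted subdomain covers only
hosts at or below it; a whitelisted URL removes only an exactly equal URL.
"""
from urllib.parse import urlsplit

# Constructed sample kvstore rows, as the modinput might have loaded them.
SAMPLE_KVSTORE = [
    {"indicator_type": "DOMAIN", "value": "example.com"},
    {"indicator_type": "DOMAIN", "value": "mail.example.com"},
    {"indicator_type": "DOMAIN", "value": "dev.internal.example.org"},
    {"indicator_type": "DOMAIN", "value": "www.example.org"},
    {"indicator_type": "URL", "value": "https://mail.example.com/inbox"},
    {"indicator_type": "URL", "value": "https://example.net/login"},
    {"indicator_type": "URL", "value": "https://example.net/login?x=1"},
    {"indicator_type": "IP4", "value": "203.0.113.5"},
    {"indicator_type": "IP4", "value": "203.0.113.9"},
    {"indicator_type": "MALWARE", "value": "sample-tool"},
    {"indicator_type": "SOFTWARE", "value": "sample-tool"},
]

# Constructed company whitelist.
SAMPLE_WHITELIST = [
    {"indicator_type": "DOMAIN", "value": "example.com"},
    {"indicator_type": "DOMAIN", "value": "internal.example.org"},
    {"indicator_type": "URL", "value": "https://example.net/login"},
    {"indicator_type": "IP4", "value": "203.0.113.5"},
    {"indicator_type": "SOFTWARE", "value": "sample-tool"},
]


def host_of(record):
    """Host name of a DOMAIN or URL record (lower-cased); None for other types."""
    if record["indicator_type"] == "DOMAIN":
        return record["value"].lower().rstrip(".")
    if record["indicator_type"] == "URL":
        host = urlsplit(record["value"]).hostname
        return host.lower() if host else None
    return None


def under_domain(host, whitelisted_domain):
    """True when host is the whitelisted domain itself or one of its subdomains."""
    return host == whitelisted_domain or host.endswith("." + whitelisted_domain)


def should_remove(record, whitelist):
    """Decide whether one kvstore row is pruned by a reconciliation pass."""
    # Rule 1: the exact observable/type combination is whitelisted.
    for entry in whitelist:
        if (entry["indicator_type"] == record["indicator_type"]
                and entry["value"] == record["value"]):
            return True
    # Rule 2: DOMAIN and URL rows whose host falls under a whitelisted domain.
    # A whitelisted subdomain only covers hosts at or below that subdomain.
    host = host_of(record)
    if host is None:
        return False
    return any(
        entry["indicator_type"] == "DOMAIN"
        and under_domain(host, entry["value"].lower().rstrip("."))
        for entry in whitelist
    )


def reconcile(kvstore_rows, whitelist):
    """Split kvstore rows into (kept, removed), as one reconciliation pass would."""
    kept, removed = [], []
    for row in kvstore_rows:
        (removed if should_remove(row, whitelist) else kept).append(row)
    return kept, removed


if __name__ == "__main__":
    kept_rows, removed_rows = reconcile(SAMPLE_KVSTORE, SAMPLE_WHITELIST)
    for row in removed_rows:
        print("remove", row["indicator_type"], row["value"])
    for row in kept_rows:
        print("keep  ", row["indicator_type"], row["value"])
```

Running the script shows the cases from the table: `www.example.org` survives because the whitelisted entry is the subdomain `internal.example.org`, `https://example.net/login?x=1` survives because only the exact URL `https://example.net/login` is whitelisted, and `MALWARE sample-tool` survives because only the `SOFTWARE` type of that value is whitelisted. The output is useful when checking what a reconciliation pass will strip from detection coverage before adding a broad domain to the company whitelist.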
Manually Enriching a Notable Event
You can enrich a Notable Event using intel from the TruSTAR Enclaves specified in the TruSTAR App configuration.
- Create an ad-hoc search by specifying values in Status, Owner or other fields displayed on the screen. In the example screen below, the only parameter selected was "Last 90 Days" in the Time field. The Incident Review search returned the list of results you see at the bottom of the screen.
- Click the Actions caret on the far right of any event to display the Actions menu.
- Choose Run Adaptive Response Actions from that menu. This displays a dialog box of possible actions.
- Click the TruSTAR - Enrichment option. (Note: You may need to scroll down to display this option.) This displays the dialog box where you can configure the enrichment action.
- Select the Enclave(s) to use for the enrichment:
- Default Enrichment: Queries the Enclaves you configured in the TruSTAR App as enrichment enclaves.
- Custom Enrichment: Queries a specified list of one or more TruSTAR Enclaves, or ALL Enclaves. To specify a list of Enclaves, provide a list of Enclave IDs, separated by commas.
- Adjust the Urgency setting. This allows the enrichment to adjust the urgency of the Notable Event based on information from the enrichment. TruSTAR recommends leaving this setting Enabled.
- Click Run to start the enrichment action. The dialog box displayed below provides confirmation that the enrichment action is being executed.
- Click X in the upper right corner to close this message box and return to the list of Notable Events.
- To view the results of the enrichment, expand the Notable Event by clicking the caret on the far left of it. This displays the details of the event. In the example screen below, you can see that the TruSTAR - Enrichment action displays Success as its status, meaning the action has completed.
- Click the TruSTAR - Enrichment link to see details of what the enrichment action has returned. Based on enrichment from TruSTAR, the Urgency indicator for the Notable Event may be raised or lowered.
TruSTAR will only raise the severity of an Event; it will never lower it. For example, if an event has a Critical severity score and TruSTAR rates it as High, the Urgency rating remains unchanged.
Manually Submitting a Notable Event
You can manually submit a Notable Event to TruSTAR. If you want to submit Notable Events automatically, see the Automatic Submission section of the Install article.
- Click the Actions caret at the far right of a Notable Event to display the Actions menu.
- Click Run Adaptive Response Actions from that menu. This displays a dialog box of possible actions.
- Click the TruSTAR - Submit option. This displays the dialog box where you can configure the reporting action.
- Select the settings you want to use:
- Report Title: This will be the report title displayed in TruSTAR.
- Additional Comments: Use this field as notes on the event that you or your team may find useful.
- Custom or Default: This selects whether or not to use the default submission Enclave specified in the TruSTAR App configuration.
- Custom Enclave ID: If you choose Custom Enclave, use this field to specify the GUID of the Enclave you want to use for this Intel Report.
- Redact: Chooses whether or not to redact information specified in your TruSTAR Redaction Library. By default, redaction is disabled.
- Click Run to submit the Intel Report. A popup window provides confirmation that the report has been submitted.
Viewing Submission Status
To view the status of the report submission, expand the Notable Event by clicking the caret on the far left of it. In the example screen below, you can see that the TruSTAR - Report action displays Success as its status, meaning the report has been submitted.
Viewing the TruSTAR Report
To view the report itself, you can log in to the TruSTAR Web App. When TruSTAR receives the Intel Report, it queries all specified Enclaves for enrichment. This process can take a while to complete.
Research an Observable in TruSTAR
- About Workflow Actions in SplunkWeb
Using the workflow action
While viewing a log event:
- Click the drop-down Actions caret to the right of the observable you'd like to research.
- Click the Research in TruSTAR: [observable value] action in the drop-down menu.