1. Overview

Updated 1 month ago by Steven Chamales

This document explains how to use the TruSTAR Unified Workflow App for Enterprise & Enterprise Security (ES).

Use Cases.

  • Depending on which version of Splunk you are using, different use cases are available.
  • This table shows the relationship between TruSTAR's use-cases and the app's features that serve or support each use-case.

Application: Splunk Enterprise (core) + ES
TruSTAR Use-case: Detect
Associated Features: Modinput: TruSTAR Observables -> Kvstores
  • Download indicators from TruSTAR enclaves into Splunk KV Stores for use in searches or alerts.
  • Config lets the user specify the indicator types, tags, intelligence sources, age, and kvstore group relevant to the user's organization.
  • Removes the modinput's indicators when they are added to the TruSTAR Company Safelist.
  • Automatically cleans up indicators downloaded by old, deleted modinputs.

Application: ES (only)
TruSTAR Use-case: Triage
Associated Features: Adaptive Response Action: Enrich
  • Prioritize "Threat Activity Detected" Notable Events (NEs) by adjusting their Urgency scores according to TruSTAR's normalization of the scores that intel sources provide for that indicator.
  • Enrichment comments give a deeper understanding of the key tags, attributes, and properties the user's intel sources have associated with the NE's observable.

Application: Core + ES
TruSTAR Use-case: Disseminate
Associated Features: Adaptive Response Action: Submit
  • Submit saved-search result events to TruSTAR as a TruSTAR Report.
  • Send to a TruSTAR enclave shared with other groups (e.g. ISAC/ISAO, other teams in your company).
  • Optional: redact terms before they are sent to TruSTAR.

Features.

This table lists the app's features and the TruSTAR use-cases each feature is associated with.

Feature: Modinput: "TruSTAR Observables to KV-Stores"
Capabilities it provides:
  • Observable Download. Download observables from TruSTAR enclaves to Splunk KV Stores for alerting against internal log events.
  • Whitelist Reconciliation. Remove from the kvstores any observables added to the TruSTAR Company Whitelist.
  • Expiration. Remove from the kvstores any observables whose last-seen time is older than the modinput's expiration window.
  • Expunge. Remove from the kvstores any observables downloaded by modinputs that have been deleted.
  • Domain whitelisting (see below).
Platform: Core + ES
Associated TruSTAR Use-Cases: Detect

Feature: Adaptive Response Action: "TruSTAR - Submit"
Capabilities it provides:
  • Core Events. Submit Splunk events resulting from saved searches to TruSTAR enclaves as TruSTAR Reports.
  • ES NEs. Submit ES Notable Events to TruSTAR enclaves as TruSTAR Reports.
  • Redact. Redact sensitive terms from the NE before submission to TruSTAR.
  • Share. Submit events / NEs to sharing-group enclaves as TruSTAR Reports.
Platform: Core + ES
Associated TruSTAR Use-Cases: Disseminate, Historical Intel

Feature: Adaptive Response Action: "TruSTAR - Enrich Threat Activity"
Capabilities it provides:
  • Comment. Fetch enrichment from TruSTAR for the observable found in the NE's "threat_match_value" field and paste it into a comment on the NE.
  • Urgency. Update the NE's "Urgency" score based on the scores provided by intel sources.
Platform: ES only
Associated TruSTAR Use-Cases: Triage, Investigate

Feature: Workflow Action: "Research in TruSTAR"
Capabilities it provides:
  • Jump the user to the observable's page in TruSTAR for further research about the observable.
Platform: Core + ES
Associated TruSTAR Use-Cases: Investigate

Domain White-listing.
  • The whitelist reconciliation process removes from the kvstores all URL and domain records (added by the TruSTAR Unified app) whose domain is present in the company whitelist; the examples below show exactly which records match.

Examples:

Example 1
  TruSTAR Whitelist Record: Type DOMAIN, Value example.com
  KVStore Record: Type URL, Value http://example.com/index.html
  Will the KVStore record be removed? Yes.

Example 2
  TruSTAR Whitelist Record: Type DOMAIN, Value www.subdomain.example.com
  KVStore Record: Type URL, Value http://example.com/index.html
  Will the KVStore record be removed? No. The whitelisted value includes a subdomain, so the app will only remove the URL if it also includes that subdomain. In this example the URL belongs to the same parent domain (example.com) but not to the whitelisted subdomain, so it is not removed.

Example 3
  TruSTAR Whitelist Record: Type URL, Value http://www.example.com
  KVStore Record: Type URL, Value http://www.example.com/index.html
  Will the KVStore record be removed? No. A whitelisted URL value removes a kvstore URL only when the two values match precisely.
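The three examples above encode a matching rule that is easy to get wrong when you reproduce it in your own reconciliation searches or scripts. The following is an added example, not the app's own code: it implements the rule as the examples describe it (DOMAIN whitelist entries match by hostname, URL whitelist entries require an exact value match) and checks it against the page's cases. Treating a DOMAIN entry as also covering its subdomains is an assumption drawn from Example 2; the record shapes and sample data are constructed.

```python
"""Added example (not the TruSTAR app's code): whitelist reconciliation for
URL and DOMAIN kvstore records, inferred from the documented examples."""
from urllib.parse import urlsplit

# Constructed sample records; the {"type", "value"} shape is an assumption.
SAMPLE_WHITELIST = [
    {"type": "DOMAIN", "value": "example.com"},
    {"type": "URL", "value": "http://www.example.com"},
]
SAMPLE_KVSTORE = [
    {"type": "URL", "value": "http://example.com/index.html"},
    {"type": "URL", "value": "http://www.example.com/index.html"},
    {"type": "URL", "value": "http://other.test/index.html"},
    {"type": "DOMAIN", "value": "mail.example.com"},
]


def host_of(record):
    """Return the lowercase hostname of a URL or DOMAIN record ('' if none)."""
    if record["type"] == "URL":
        return (urlsplit(record["value"]).hostname or "").lower()
    return record["value"].lower().rstrip(".")


def domain_covers(whitelisted_domain, host):
    """True if host equals the whitelisted domain or is a subdomain of it.
    Label-boundary check avoids 'notexample.com' matching 'example.com'."""
    return host == whitelisted_domain or host.endswith("." + whitelisted_domain)


def should_remove(kv_record, whitelist):
    """Decide whether reconciliation removes this kvstore record."""
    host = host_of(kv_record)
    for entry in whitelist:
        if entry["type"] == "DOMAIN":
            # A DOMAIN entry removes URLs and domains under that hostname.
            if host and domain_covers(host_of(entry), host):
                return True
        elif entry["type"] == "URL" and kv_record["type"] == "URL":
            # A URL entry removes only an exactly matching URL (Example 3).
            if entry["value"] == kv_record["value"]:
                return True
    return False


def reconcile(kv_records, whitelist):
    """Return the kvstore records that survive whitelist reconciliation."""
    return [r for r in kv_records if not should_remove(r, whitelist)]
```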
