FAQ: TruSTAR for Splunk v1.0.9

Updated 6 days ago by Elvis Hovor

This document explains how to install, update, and remove the TruSTAR Workflow App and TruSTAR Add-on for Splunk in an air-gapped environment or from the CLI. This document also covers basic troubleshooting steps for using TruSTAR with Splunk.

Have Splunk ES? Reference our guides here

Features

  • Improved ingestion Options - Ingest not only TruSTAR Intel Reports but also Indicator lists submitted to TruSTAR using bulk uploading.
  • Splunk App Dashboard Update - Offers a streamlined experience, making relevant information more visible to the user, including the source Enclave for Indicators ingested into Splunk.
  • Optimized Queries - Increased efficiency in data ingestion and optimization of Splunk queries.

Installing in an Air-Gapped Environment

When the instance where you want to install the TruSTAR App and Add-on is not connected to the internet, you need to download the TruSTAR files and then manually move them to the instance. 

Installing from the Command Line

TruSTAR recommends installing the App from the user interface, but you can choose to install from the command line by following these instructions:

  1. Download the TA-trustar.spl and Trustar.spl files and copy them to the Splunk instance (into $SPLUNK_HOME, so the commands below find them).
  2. Execute the following commands:
  • cd $SPLUNK_HOME
  • ./bin/splunk install app TA-trustar.spl
  • ./bin/splunk install app Trustar.spl

Removing the TruSTAR App and Add-On

To manually delete the integration:

  • Go to $SPLUNK_HOME/etc/apps/ and remove the TA-trustar and Trustar directories.
  • Restart Splunk.

Updating the TruSTAR App and Add-On

You can update the integration from the user interface, the command line, or manually.

To update through the user interface:

  1. Click Manage Apps.
  2. Find the TruSTAR App and TA entries in the list.
  3. Click the link for the newer version in the Version column of that entry.
  4. Install the TA first, followed by the App.

To update from the command line:

  1. Download the tar file of the App or TA from Splunkbase.
  2. Stop the Splunk server.
  3. Install the package with this command (one line): $SPLUNK_HOME/bin/splunk install app APP_NAME.tgz -update 1 -auth username:password
  4. Restart the Splunk server.

To update manually:

  1. Click Manage Apps.
  2. Click Install App from File.
  3. Locate the Trustar TA file on your local drive.
  4. Select Upgrade App.
  5. Click Upload.
  6. Repeat the above steps for the TruSTAR app.

Troubleshooting

Q. Why is my Dashboard not being populated?

A: You may not see data initially because the Dashboard data display depends on the amount of data being ingested into TruSTAR. It can take about 24 hours for all data to be imported into Splunk and populate the dashboard.

To confirm if data is being ingested, select the imported data tab and check if new reports are being downloaded. Reach out to TruSTAR support if the dashboard isn't fully populated after 48 hours.

Q. Can Splunk index my TruSTAR logs to an index of my choice?

A: Yes, and this is a convenient way to use the Splunk user interface to look at the logs generated by your TruSTAR integration components.

  • Create a file/directory monitor input that monitors this directory: $SPLUNK_HOME/var/log/trustar/ (replace $SPLUNK_HOME with your Splunk directory). That directory contains two log files:
    • "trustar_modinput.log": the log file for the TA.
    • "trustar_match.log": the log file for the App.
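The same monitor input expressed as configuration, as an added example that is not part of the TruSTAR documentation or the App's own files. The index name trustar_logs, the sourcetypes and the retention period are assumptions; substitute your own. The whitelist restricts the input to the two log files named above so that nothing else placed in that directory is indexed.

```ini
# inputs.conf: $SPLUNK_HOME/etc/system/local/inputs.conf (or the local/
# directory of an app you manage). Splunk expands $SPLUNK_HOME in monitor paths.
[monitor://$SPLUNK_HOME/var/log/trustar/]
# Only the two TruSTAR log files; anything else in the directory is ignored.
whitelist = trustar_(match|modinput)\.log$
index = trustar_logs
sourcetype = trustar:log
disabled = 0

# indexes.conf on the indexer(s): the index must exist before events arrive,
# otherwise Splunk drops them with a warning. Paths and the 90-day
# frozenTimePeriodInSecs (7776000 s) are assumed values.
[trustar_logs]
homePath   = $SPLUNK_DB/trustar_logs/db
coldPath   = $SPLUNK_DB/trustar_logs/colddb
thawedPath = $SPLUNK_DB/trustar_logs/thaweddb
frozenTimePeriodInSecs = 7776000
```

After a restart (or a configuration reload), confirm events are arriving with a search such as index=trustar_logs source=*trustar_modinput.log; an empty result usually means the index was not created on the indexer or the forwarder cannot read the directory.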

Q. Where can I find my checkpoint file?

A: A checkpoint file for each REST input can be found in this directory: $SPLUNK_HOME/var/lib/splunk/modinputs/trustar/. The filename of a given REST input's checkpoint is the name of that REST input.

Q. How do I know if TruSTAR search is consuming Splunk memory?

This Splunk knowledge base document has information on how to identify your top memory consuming searches: http://docs.splunk.com/Documentation/Splunk/7.0.0/Troubleshooting/Troubleshootmemoryusage
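A search that applies the approach from that Splunk document to the TruSTAR App specifically, added here as an example rather than taken from the TruSTAR or Splunk documentation. It reads the per-process resource usage that splunkd writes to the _introspection index and reports the peak memory of each search run in the Trustar app context; the app name Trustar (the App's directory name) and the 20-row cut-off are assumptions.

```spl
index=_introspection sourcetype=splunk_resource_usage component=PerProcess data.process_type=search data.search_props.app=Trustar
| stats max(data.mem_used) AS peak_mem_mb latest(data.search_props.user) AS user latest(data.search_props.type) AS search_type BY data.search_props.sid
| sort - peak_mem_mb
| head 20
```

data.mem_used is reported in megabytes, and data.search_props.sid identifies the individual search, so a single SID that dominates the list points to the dashboard panel or saved search worth tuning (for example by narrowing its time range); drop the app filter to compare TruSTAR searches against everything else on the search head.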

Q. Why do I get an authentication error when configuring the TruSTAR App?

  • Check to make sure all your credentials are entered correctly. 
  • Verify that you have write and read access for the Enclave you have selected. 
  • Check to see if your firewall is blocking traffic from TruSTAR.

Q. How much storage does TruSTAR use in Splunk?

The TruSTAR app will consume some storage; this is standard for threat intelligence applications that let you match intel against your local Splunk instance. TruSTAR focuses on high value Indicators that have been submitted by other analysts, which means you do not receive large volumes of data.

Each TruSTAR Intel Report is approximately 10KB. The actual size may be smaller or larger, based on the amount of context in the report but should not be significantly different.
A daily download of Indicators should be around 250-500KB, depending on how much data is available in your Enclave and other data sources you utilize within TruSTAR.

Q. How do I manage the kvstore limits in Splunk Cloud?

Splunk Cloud has a hard limit of letting kvstores reach 3 GB in size. At 2 GB, a ticket is automatically generated and Splunk Cloud support reaches out to the customer to have them reduce the size of the kvstore.

You can use this Splunk search to trim your kvstores:

| inputlookup [kvstore name] | where NOT (_time < relative_time(now(), "-180m")) | outputlookup [kvstore name]

This search reads the kvstore, keeps only the entries whose _time field is within the last 180 minutes (3 hours), and writes those entries back, replacing the collection; every entry added to that kvstore more than 3 hours before the current time is therefore deleted. If you want to change that increment, edit the "-180m" to whatever time you prefer, for example "-1d" or "-1w".
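Before trimming, it helps to know which collections are actually approaching the limit. The following search is an added example, not from the TruSTAR or Splunk documentation: it queries the KV store introspection endpoint, which returns one JSON document per collection in the data field, and lists the collections belonging to the TruSTAR App and Add-on by size. The app names Trustar and TA-trustar (the directory names used elsewhere in this document) and the availability of the introspection endpoint to your role in Splunk Cloud are assumptions.

```spl
| rest splunk_server=local /services/server/introspection/kvstore/collectionstats
| mvexpand data
| spath input=data
| rex field=ns "^(?<app>[^.]+)\.(?<collection>.+)$"
| eval size_mb = round(size / 1024 / 1024, 2)
| where app="Trustar" OR app="TA-trustar"
| table app collection count size_mb
| sort - size_mb
```

The ns value has the form app.collection, which the rex splits apart; size is the uncompressed data size in bytes. Run this on a schedule and alert well before the 2 GB point at which Splunk Cloud opens a ticket, so the trim search above can be applied to the right collection on your own terms.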

Q. Does TruSTAR work with a Universal Forwarder?

The TruSTAR Add-on requires a heavy forwarder if you are deploying in a cluster setup.

The TruSTAR App requires both Python (to connect to TruSTAR's REST API and perform some processing of requests from Splunk) and a user interface (to configure the App). The Universal Forwarder does not provide Python or a user interface, so it cannot work with the TruSTAR App.

Splunk documentation for upgrading to a Heavy Forwarder: https://docs.splunk.com/Documentation/Forwarder/7.0.0/Forwarder/Upgradeauniversalforwardertoaheavyforwarder

Q. Can I configure custom fields for matches?

For example, can I just match on IP addresses or URLs but not everything?

This feature is currently not possible with TruSTAR's Splunk V1 app; however, users can run custom search queries to match on custom fields.

Q. Why am I receiving only old reports when pulling reports from an Enclave?

It is possible that a stored checkpoint file holds a default look-back date and time, so the date applied in the TruSTAR App is not respected. You can find the checkpoint file directory here: https://support.trustar.co/article/jhyfaoni2r-faq-for-splunk-integration

Wiping the checkpoint file causes it to be recreated, and downloading restarts from no earlier than the date and time specified in the configuration when the changes were applied. We also recommend increasing the scan interval to allocate more time to ingest reports.

Known Issues

The Export PDF function on the TruSTAR App doesn’t work.

The Splunk application does not allow the full download of a PDF in the format used by the TruSTAR App. As a workaround, you can use your browser to save the report; this will guarantee that the full report is downloaded with an appearance close to the original.

The Splunk integration does not have the ability to generate tags for Intel Reports or Indicators.