4. Manually Submit an NE to Enclave (ES)

Updated 1 month ago by Steven Chamales

TruSTAR recommends that all Enterprise Security users configure their app to automatically submit all Threat Activity notable events to an enclave.

To configure, see the Automatic Submission section of the Installation Guide.

Why should I submit Notable Events to a TruSTAR enclave?

  • NEs must be submitted to an enclave before they can be enriched by the TruSTAR - Enrich Threat Activity modaction.
  • Keep a copy of the NE in an enclave as a historical archive.
  • Enrich future NEs with intel from previous NEs.
    • NEs essentially become an intel source.

Cases where a user may prefer manual submission to automatic submission:

  • Sharing. Some users may prefer to not configure the app to automatically share notable events to sharing group enclaves, but may want to manually share select NEs to the sharing group.

Required fields

The Notable Event, when converted to a Python dictionary, must contain a field named "_time".

Steps to Perform

Click the Actions caret at the far right of a Notable Event to display the Actions menu.

Click Run Adaptive Response Actions.

The Adaptive Response Actions dialog box appears.

In the Adaptive Response Actions dialog box, select TruSTAR - Submit.

[SplunkES User Guide, Figure 8]

The TruSTAR - Submit action's config dialog box will appear.

In the TruSTAR - Submit action's config dialog box, select the settings you'd like to use.

  • Report Title: This will be the report title displayed in TruSTAR.
  • Additional Comments: Use this field as notes on the event that you or your team may find useful.
  • Custom or Default: This selects whether to use the default submission Enclave specified in the TruSTAR App configuration settings, or a custom Enclave that you specify below.
  • Custom Enclave ID: If you choose Custom Enclave, use this field to specify the GUID of the Enclave you want to use for this Intel Report.
  • Redact: Chooses whether or not to redact information specified in your TruSTAR Redaction Library. By default, redaction is disabled.

Click Run to submit the Intel Report. A popup window provides confirmation that the report has been submitted.
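The checks above (the required "_time" field, the default-or-custom Enclave choice, and the optional redaction pass) can be reproduced outside the dialog when you script submissions or validate events beforehand. The following is an added example, not the TruSTAR app's own code: the redaction patterns, the default Enclave GUID and the helper names are constructed stand-ins, and the report dictionary layout is an assumption rather than the app's real payload.

```python
import re
import uuid
from datetime import datetime, timezone

# Constructed stand-in for a TruSTAR Redaction Library: patterns whose matches
# must not leave the organisation when a report is shared to an enclave.
REDACTION_PATTERNS = {
    "internal_host": re.compile(r"\b[a-z0-9-]+\.corp\.example\b"),
    "employee_id": re.compile(r"\bEMP-\d{6}\b"),
}


def redact(text, patterns=REDACTION_PATTERNS):
    """Replace every match of each library pattern with a [REDACTED:<name>] token."""
    for name, pattern in patterns.items():
        text = pattern.sub(f"[REDACTED:{name}]", text)
    return text


def choose_enclave(default_enclave_id, custom_enclave_id=None):
    """Return the Enclave GUID to submit to: the custom one if given, else the default."""
    target = custom_enclave_id or default_enclave_id
    if not target:
        raise ValueError("no enclave configured: set a default or supply a custom Enclave ID")
    return str(uuid.UUID(target))  # raises ValueError on a malformed GUID


def build_submission(notable, report_title, default_enclave_id,
                     comments="", custom_enclave_id=None, redact_report=False):
    """Validate a Notable Event (as a dict) and assemble the Intel Report to submit."""
    if "_time" not in notable:
        raise KeyError("notable event is missing required field '_time'")
    began = datetime.fromtimestamp(float(notable["_time"]), tz=timezone.utc)
    # Flatten the event fields into the report body, newest-to-oldest ordering is not needed.
    body = "\n".join(f"{k}={v}" for k, v in sorted(notable.items()))
    if comments:
        body += f"\n\nAnalyst comments: {comments}"
    if redact_report:  # redaction is off by default, matching the dialog's default
        body = redact(body)
    return {
        "title": report_title,
        "enclave_id": choose_enclave(default_enclave_id, custom_enclave_id),
        "time_began": began.isoformat(),
        "report_body": body,
    }
```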
