FAQ: TruSTAR for Splunk ES
This document contains technical information and frequently asked questions (FAQ) about the TruSTAR Workflow App for Splunk Enterprise Security (ES).
The TruSTAR App for Splunk ES consists of three primary components:
- Downloader, also known as an "input" or "modinput" in Splunk
- An Enrich Adaptive Response Action, or modalert in Splunk
- A Submit Adaptive Response Action, or modalert in Splunk
This component downloads Indicators that meet the criteria you specify in the input setup page to your Splunk ES Threat Intelligence Datamodel's threat intelligence kvstores, and expires them after the time you specify in the input setup page. Once in the Threat Intelligence kvstores, Splunk ES's "threat gen" searches can hunt the indexes you point those searches at for the presence of any Indicators imported from TruSTAR and generate notable events from any matches.
The Downloader automatically sends your TruSTAR whitelist to Splunk ES. The Downloader will run only for the period of time equal to the “interval” specified in the Input.
Enrich Adaptive Response Action
The Enrich action retrieves Indicator summary information from TruSTAR's Indicator Summaries endpoint and adds it as a comment titled "Threat Activity Detected" to your notable events. This information can used by analysts to triage notable events and determine whether or not to investigate further. This action can be added to any correlation search created by the user to automatically enrich "Threat Activity Detected" notable events.
Submit Adaptive Response Action
This action submits an event to a TruSTAR Enclave of the user's choice. This action can be used on any log event in Splunk ES. The action will search your intelligence sources in TruSTAR for enrichment of any Indicators that TruSTAR identifies in the event. This action can also be added to any saved-search to automatically submit log events that match specific criteria you choose to TruSTAR for further investigation or enrichment.
Q. Why can't I execute Submit or Enrich commands in the TruSTAR App?
Splunk ES requires that the Splunk user account have Admin permissions in order to execute Submit or Enrich commands. You can check the error message in Splunk ES to see if your permissions are the issue.
- To find the error message for an adaptive response action failure, click on the hyperlink labeled View Adaptive Response Invocations. When you click on that hyperlink, you’ll be taken to a search results page.
- Read through the log entries to find the error message. The text in red box below shows the error is due to the user’s Splunk account having insufficient role permissions.
To check if your account has the correct permissions, see the section User Requirements in the Splunk ES Installation document.
Q. How does Splunk ES Urgency Scoring work with TruSTAR?
A Threat Activity Notable Event in Splunk ES contains a single Indicator, enabling TruSTAR to adjust the urgency score based on enrichment from TruSTAR enclaves. Read more here.
TruSTAR queries all the Enclaves you have access to in order to obtain the normalized scores for that IOC. TruSTAR assigns the Indicator a score that is equal to the max of all those normalized scores and sets the Notable Event’s Urgency score according that score, as shown in the table below.
TruSTAR Normalized Indicator Score
Splunk ES Notable Event Urgency Score
[nothing that maps to “critical”]
Q. How do I remove a false positive from my kvstore?
If a false positive exists in your kvstore and it is not set to age out following an update to your company's Allow List, then run this query in the Splunk “Search and Reporting” app to remove the false positive URL from the appropriate kvstore:
|inputlookup http_intel | search NOT url="falsepositive.com" | outputlookup http_intel
To remove all variations of an entry (utilizing wildcard) for a particular indicator in the kvstore, use the following query in the Splunk Search and Reporting app:
|inputlookup http_intel | search NOT url="*falsepositive*" | outputlookup http_intel