Splunk ES FAQ

Updated 5 days ago by Elvis Hovor

This document contains technical information about the TruSTAR App for Splunk Enterprise Security (ES).

App Components

The TruSTAR App for Splunk ES consists of three primary components:

  • Downloader, also known as an "input" or "modinput" in Splunk
  • An Enrich Adaptive Response Action, or modalert in Splunk
  • A Submit Adaptive Response Action, or modalert in Splunk

Downloader

This component downloads IOCs that meet the criteria you specify in the input setup page into the threat intelligence kvstores of your Splunk ES Threat Intelligence Datamodel, and expires them after the retention period you specify in the input setup page. Once the IOCs are in the Threat Intelligence kvstores, Splunk ES's "threat gen" searches can hunt the indexes you point those searches at for any IOC imported from TruSTAR and generate notable events from any matches.

Enrich Adaptive Response Action

The Enrich action retrieves indicator summary information from the Station platform's "Indicator Summaries" endpoint and adds it as a comment to your notable events titled "Threat Activity Detected". It is intended to help analysts triage notable events by determining whether or not a threat match warrants further investigation. This action can be added to any correlation search created by the user to automatically enrich "Threat Activity Detected" notable events.

Submit Adaptive Response Action

This action submits an event to an enclave of the user's choice in the Station platform. It can be used on any log event in Splunk and will trigger the Station platform to query your indicator-query closed intelligence sources for further enrichment about any indicators the Station platform identifies in the event. This action can also be added to any saved search to automatically submit log events that match criteria of the user's choosing to Station for further investigation or enrichment.

Using Inputs

The TruSTAR App for Splunk ES includes the ability to configure multiple inputs from your TruSTAR enclaves. This gives you very granular control over which IOCs are imported into Splunk ES and used to create notable events, and reduces the likelihood of importing IOCs that cause Splunk ES to create notable events that turn out to be false positives.

The Splunk ES integration does not have the ability to generate report or indicator tags in Station.

To help you understand the power of granular inputs, here is an example for a fictional company, Acme Corporation.

Input 1

The SOC at Acme Corporation wants Splunk ES to always be on the lookout for any sign of any IOC that Acme has investigated and determined malicious. They store these IOCs in a case management enclave in TruSTAR Station.

  • Name: Acme IOCs
  • Enclave ID: <case-management enclave in TruSTAR Station>
  • IOC Types: All available (do not remove any IOCs from the default list display)
  • Expiration: 360 days

Input 2

Acme Corporation is also extremely concerned about file hashes reported on by Intelligence Source X. They are not interested in alerting on any other IOC type reported on by that intelligence source, and they are not interested in hashes reported on by any other intelligence source.

  • Name: X-Intel Source
  • Enclave ID: <case-management enclave in TruSTAR Station>
  • IOC Types: SHA1, SHA256, MD5 (delete all others displayed in this field)
  • Expiration: 180 days

Input 3

Let's assume that Acme Corporation is also interested in alerting on IP addresses reported on by Intelligence Sources A, B, C, D, and E, but only if the reporting is timestamped within the last 7 days. To accommodate this interest, the user could configure a third input that downloads IPs from enclaves A, B, C, and D and retains them for only 7 days.

  • Name: Malicious IPs
  • Enclave ID: <enclaveA_ID, enclaveB_ID, enclaveC_ID, enclaveD_ID>
  • IOC Types: IP
  • Expiration: 7 days

Input 4

Let's assume that Acme Corporation is also a member of a sharing group named CyberSleuths. Acme Corporation wants another input to download all IOCs from that sharing group enclave and retain them for 90 days.

  • Name: CyberSleuth Intel
  • Enclave ID: <CyberSleuth_ID>
  • IOC Types: All available (do not remove any IOCs from the default list display)
  • Expiration: 90 days

Input 5

Acme Corporation also runs a script that transfers reports and IOCs that meet certain criteria to an enclave named ACME_CURATED that they believe contains very high-signal data. For example, that script transfers to that enclave only indicators whose scores by sources A, B, and C surpass certain thresholds. Acme wants to configure an input that downloads all IOC types from that enclave and retains them for 180 days. 

  • Name: ACME Curated Intel
  • Enclave ID: <ACME_CURATED_ID>
  • IOC Types: All available (do not remove any IOCs from the default list display)
  • Expiration: 180 days

Acme could also curate an enclave for each IOC type, then pipe those into Splunk ES by configuring a new input for each IOC type. This is especially useful when you want to use different expiration periods for different IOC types; for example, email addresses could expire after 30 days while SHA1 data expires after 180 days.
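The following is an added example that models how the Downloader's per-input filters (enclave, IOC type, expiration) from the inputs above decide which IOCs land in the threat-intel kvstore and when they age out. It is not the TruSTAR app's own code. Everything in it is an assumption for illustration: the enclave IDs are placeholders, the indicator records are constructed, and expiry is computed as the indicator's report timestamp plus the input's expiration window (the page does not state the app's exact expiry arithmetic). It also shows one consequence of overlapping inputs that the text does not spell out: when the same IOC is selected by two inputs, whichever input keeps it longest determines how long it stays in the kvstore.

```python
"""Toy model of the Downloader's per-input IOC selection and expiry (added example).

Assumptions (not from the app): input fields map to InputConfig below, an
indicator record carries its enclave ID, type and report timestamp, and the
expiry written to the KV store is report time + the input's expiration window.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# "All available" IOC types as left in the default list (constructed set).
ALL_TYPES = frozenset({"IP", "DOMAIN", "URL", "MD5", "SHA1", "SHA256", "EMAIL_ADDRESS"})


@dataclass(frozen=True)
class InputConfig:
    name: str
    enclave_ids: frozenset          # one or more enclave IDs (placeholders here)
    ioc_types: frozenset            # ALL_TYPES means "do not remove any IOCs"
    expiration_days: int


@dataclass(frozen=True)
class Indicator:
    value: str
    ioc_type: str
    enclave_id: str
    reported: datetime              # when the source reported it


def select_iocs(cfg: InputConfig, indicators, now: datetime):
    """Rows this single input would write to the threat-intel KV store."""
    rows = {}
    window = timedelta(days=cfg.expiration_days)
    for ind in indicators:
        if ind.enclave_id not in cfg.enclave_ids:
            continue                # enclave not selected by this input
        if ind.ioc_type not in cfg.ioc_types:
            continue                # type removed from this input's list
        expires = ind.reported + window
        if expires <= now:
            continue                # already older than the retention window
        rows[ind.value] = {"input": cfg.name, "type": ind.ioc_type, "expires": expires}
    return rows


def merge_inputs(configs, indicators, now: datetime):
    """Union of all inputs; when inputs overlap, the later expiry wins."""
    merged = {}
    for cfg in configs:
        for value, row in select_iocs(cfg, indicators, now).items():
            if value not in merged or row["expires"] > merged[value]["expires"]:
                merged[value] = row
    return merged


def expire(rows, now: datetime):
    """Drop rows whose expiry has passed (the scheduled clean-up step)."""
    return {v: r for v, r in rows.items() if r["expires"] > now}


def days_after(base: datetime, n: int) -> datetime:
    return base + timedelta(days=n)


# Constructed sample: three of the Acme inputs, with placeholder enclave IDs.
NOW = datetime(2020, 1, 31, tzinfo=timezone.utc)
INPUTS = [
    InputConfig("X-Intel Source", frozenset({"enclave-X"}),
                frozenset({"MD5", "SHA1", "SHA256"}), 180),
    InputConfig("Malicious IPs", frozenset({"enclave-A", "enclave-B", "enclave-C", "enclave-D"}),
                frozenset({"IP"}), 7),
    InputConfig("CyberSleuth Intel", frozenset({"enclave-CS"}), ALL_TYPES, 90),
]
INDICATORS = [
    Indicator("198.51.100.7", "IP", "enclave-A", days_after(NOW, -2)),      # fresh IP: kept 5 more days
    Indicator("198.51.100.8", "IP", "enclave-B", days_after(NOW, -10)),     # stale IP: outside 7-day window
    Indicator("198.51.100.7", "IP", "enclave-CS", days_after(NOW, -30)),    # same IP via CyberSleuths: 90-day input wins
    Indicator("evil.example", "DOMAIN", "enclave-X", days_after(NOW, -1)),  # wrong type for the X input
    Indicator("d41d8cd98f00b204e9800998ecf8427e", "MD5", "enclave-X", days_after(NOW, -1)),
]

if __name__ == "__main__":
    for v, r in merge_inputs(INPUTS, INDICATORS, NOW).items():
        print(f"{r['type']:6} {v:34} via {r['input']:18} expires {r['expires']:%Y-%m-%d}")
```

Note what happens to 198.51.100.7: the "Malicious IPs" input would keep it for only 7 days from its report, but because the CyberSleuths input also carries it with a 90-day window, it stays in the kvstore for the longer period. If a short retention is the point of an input, make sure no broader input also covers that enclave or IOC type.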
