FAQ: TruSTAR for Splunk ES

Updated 6 days ago by Elvis Hovor

This document contains technical information and frequently asked questions (FAQ) about the TruSTAR Workflow App for Splunk Enterprise Security (ES).

App Components

The TruSTAR App for Splunk ES consists of three primary components: 

  • Downloader, also known as an "input" or "modinput" in Splunk
  • An Enrich Adaptive Response Action, or modalert in Splunk
  • A Submit Adaptive Response Action, or modalert in Splunk

Downloader

This component downloads the Indicators that meet the criteria you specify on the input setup page into the threat intelligence KV store collections of your Splunk ES Threat Intelligence data model, and expires them after the retention period you specify on the same page. Once the Indicators are in the threat intelligence KV stores, Splunk ES's threat generation ("threat gen") searches hunt the indexes you point them at for any Indicator imported from TruSTAR and generate a notable event for each match.

Enrich Adaptive Response Action

The Enrich action retrieves Indicator summary information from TruSTAR's Indicator Summaries endpoint and adds it to your notable events as a comment titled "Threat Activity Detected". Analysts can use this information to triage notable events and decide whether or not to investigate further. The action can be added to any correlation search the user creates so that "Threat Activity Detected" notable events are enriched automatically.

Submit Adaptive Response Action

This action submits an event to a TruSTAR Enclave of the user's choice and can be run on any log event in Splunk ES. On submission, TruSTAR identifies any Indicators in the event and searches your intelligence sources in TruSTAR for enrichment on them. The action can also be added to any saved search to automatically submit log events that match criteria you choose to TruSTAR for further investigation or enrichment.

Using Inputs

The TruSTAR App for Splunk ES lets you configure multiple inputs from your TruSTAR Enclaves. This gives you granular control over which Indicators are imported into Splunk ES and used to create notable events, and it reduces the likelihood of importing Indicators that turn out to be false positives.

The Splunk ES integration does not have the ability to generate tags for TruSTAR Intel Reports or Indicators.

To help you understand the power of granular inputs, here is an example for a fictional company, Acme Corporation.

Input 1

Acme Corporation wants Splunk ES to always be on the lookout for any sign of any Indicator that Acme has investigated and determined malicious. Acme stores these Indicators in a case management Enclave in TruSTAR.

  • Name: Acme IOCs
  • Enclave ID: <case-management Enclave in TruSTAR>
  • Indicator Types: All available (do not remove any Indicators from the default list display)
  • Expiration: 360 days

Input 2

Acme Corporation is extremely concerned about file hashes reported on by Intelligence Source X. They are not interested in alerting on any other Indicator type reported on by that intelligence source, and they are not interested in hashes reported on by any other intelligence source. 

  • Name: X-Intel Source
  • Enclave ID: <Intelligence Source X Enclave ID>
  • Indicator Types: SHA1, SHA256, MD5 (delete all others displayed in this field)
  • Expiration: 180 days

Input 3

Acme Corporation is also interested in alerting on IP addresses reported on by Intelligence Sources A, B, C, and D, but only if the reporting is timestamped within the last 7 days. To accommodate this interest, they configure a third input that downloads IP addresses from Enclaves A, B, C, and D and retains them for 7 days.

  • Name: Malicious IPs
  • Enclave ID: <enclaveA_ID, enclaveB_ID, enclaveC_ID, enclaveD_ID>
  • Indicator Types: IP
  • Expiration: 7 days

Input 4

Acme Corporation is also a member of a sharing group named CyberSleuths. Acme wants another input to copy all Indicators from that sharing group Enclave and retain them for 90 days.  

  • Name: CyberSleuth Intel
  • Enclave ID: <CyberSleuth_ID>
  • Indicator Types: All available (do not remove any Indicators from the default list display)
  • Expiration: 90 days

Input 5

Acme Corporation also runs a script that copies Intel Reports and Indicators that meet certain criteria to an Enclave named ACME_CURATED that they believe contains very high-signal data. For example, that script transfers only Indicators with scores by sources A, B, and C that surpass certain thresholds. Acme wants to configure an input that copies all Indicator types from that Enclave and retains them for 180 days. 

  • Name: ACME Curated Intel
  • Enclave ID: <ACME_CURATED_ID>
  • Indicator Types: All available (do not remove any Indicators from the default list display)
  • Expiration: 180 days

Acme could also curate an Enclave for each Indicator type, then pipe those into Splunk ES by configuring a new input for each type. This is especially useful when you want different expiration periods for different Indicator types; for example, have email addresses expire after 30 days while SHA1 hashes expire after 180 days.
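The worked example below models Acme's five inputs and shows, for a handful of constructed Indicators, which inputs would import each one and when each copy would age out of the KV store. It is an added illustration written for this FAQ, not code from the TruSTAR app; the class and field names are hypothetical (the app's real configuration keys may differ), the Enclave IDs and Indicators are made up, and it assumes the expiration clock starts when the Downloader imports the Indicator.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class DownloaderInput:
    """One Downloader input as set up on the input setup page.
    Hypothetical model for this example; the app's real configuration keys
    may be named differently."""
    name: str
    enclave_ids: FrozenSet[str]
    indicator_types: Optional[FrozenSet[str]]  # None means "All available"
    expiration_days: int

    def accepts(self, enclave_id: str, ioc_type: str) -> bool:
        """An input imports an Indicator only if it came from one of the
        input's Enclaves and its type survived the Indicator Types filter."""
        if enclave_id not in self.enclave_ids:
            return False
        return self.indicator_types is None or ioc_type in self.indicator_types


@dataclass(frozen=True)
class Indicator:
    value: str
    ioc_type: str
    enclave_id: str


# Acme's five inputs from this document; the Enclave IDs are placeholders.
ACME_INPUTS = [
    DownloaderInput("Acme IOCs", frozenset({"acme-case-mgmt"}), None, 360),
    DownloaderInput("X-Intel Source", frozenset({"intel-source-x"}),
                    frozenset({"SHA1", "SHA256", "MD5"}), 180),
    DownloaderInput("Malicious IPs",
                    frozenset({"enclaveA", "enclaveB", "enclaveC", "enclaveD"}),
                    frozenset({"IP"}), 7),
    DownloaderInput("CyberSleuth Intel", frozenset({"cybersleuths"}), None, 90),
    DownloaderInput("ACME Curated Intel", frozenset({"acme-curated"}), None, 180),
]

# Constructed sample Indicators (not real intelligence).
SAMPLE_INDICATORS = [
    Indicator("203.0.113.7", "IP", "enclaveB"),
    Indicator("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
              "SHA256", "intel-source-x"),
    Indicator("http://phish.example/login", "URL", "intel-source-x"),  # dropped by Input 2's type filter
    Indicator("198.51.100.9", "IP", "acme-case-mgmt"),
]

T0 = datetime(2021, 1, 1, tzinfo=timezone.utc)  # assumed time of the Downloader run

Plan = Dict[str, List[Tuple[str, datetime]]]


def plan_imports(inputs: List[DownloaderInput], indicators: List[Indicator],
                 downloaded_at: datetime) -> Plan:
    """Map each Indicator value to the inputs that import it and the time each
    copy expires. Assumes the expiration clock starts at import time."""
    plan: Plan = {}
    for ioc in indicators:
        hits = [(inp.name, downloaded_at + timedelta(days=inp.expiration_days))
                for inp in inputs if inp.accepts(ioc.enclave_id, ioc.ioc_type)]
        if hits:
            plan[ioc.value] = hits
    return plan


def active_at(plan: Plan, when: datetime) -> Dict[str, List[str]]:
    """Indicators that at least one input still retains at `when`, with those inputs."""
    out: Dict[str, List[str]] = {}
    for value, hits in plan.items():
        live = [name for name, expires in hits if expires > when]
        if live:
            out[value] = live
    return out


def acme_plan() -> Plan:
    return plan_imports(ACME_INPUTS, SAMPLE_INDICATORS, T0)


def acme_active_after(days: int) -> Dict[str, List[str]]:
    """Which sample Indicators are still in the KV store `days` after the run."""
    return active_at(acme_plan(), T0 + timedelta(days=days))


if __name__ == "__main__":
    for value, hits in acme_plan().items():
        print(value, [(name, expires.date().isoformat()) for name, expires in hits])
    print("still in the KV store after 30 days:", acme_active_after(30))
```

Running it shows the URL from Intelligence Source X never reaches Splunk ES (Input 2 only keeps hashes), the IP from Enclave B is gone after a week, and the IP from Acme's case-management Enclave stays for a year. The page does not say what happens when two inputs import the same Indicator with different expirations, so the plan simply reports every input that matched rather than picking a winner.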

FAQ

Q. Why can't I execute Submit or Enrich commands in the TruSTAR App?

Splunk ES requires that the Splunk user account have Admin permissions in order to execute Submit or Enrich commands. You can check the error message in Splunk ES to see if your permissions are the issue.

  1. To find the error message for an adaptive response action failure, click the hyperlink labeled View Adaptive Response Invocations. This takes you to a search results page.
     [Figure 1: SplunkES_FAQ_Figure1]
  2. Read through the log entries to find the error message. The text in the red box in the figure below shows that the error is due to the user's Splunk account having insufficient role permissions.
     [Figure 2: SplunkES_FAQ_Figure2]

To check if your account has the correct permissions, see the section User Requirements in the Splunk ES Installation document.

Q. How does Splunk ES Urgency Scoring work with TruSTAR?

A Threat Activity notable event in Splunk ES contains a single Indicator, which lets TruSTAR adjust the event's urgency score based on enrichment from TruSTAR Enclaves.

TruSTAR queries all the Enclaves you have access to in order to obtain the normalized scores for that Indicator. TruSTAR assigns the Indicator a score equal to the maximum of all those normalized scores and sets the notable event's urgency according to that score, as shown in the table below.

  TruSTAR Normalized Indicator Score    Splunk ES Notable Event Urgency Score
  0                                     Informational
  1                                     Low
  2                                     Medium
  3                                     High
  (no TruSTAR score maps to this)       Critical

TruSTAR can only adjust the urgency score of Threat Activity notable events. It cannot change the urgency score of any other type of notable event.
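The scoring rule above, carried through in code as an added example (not TruSTAR's or Splunk's own implementation): take the highest normalized score across every Enclave that scores the Indicator, map it with the table, and only apply the result to Threat Activity notables. It assumes normalized scores are the integers 0 to 3 shown in the table, that Enclaves without a score for the Indicator are simply ignored, and that a notable can be recognised by the standard Splunk ES `rule_name` field carrying the "Threat Activity Detected" name used on this page; the sample scores and notables are constructed.

```python
from typing import Dict, Mapping, Optional

# Mapping from the table in this FAQ. Splunk ES also has a "critical" urgency,
# but no TruSTAR normalized score maps to it, so this code can never produce it.
URGENCY_BY_SCORE: Dict[int, str] = {0: "informational", 1: "low", 2: "medium", 3: "high"}

# Assumption: only notables from the "Threat Activity Detected" correlation search
# get their urgency rewritten; `rule_name` and `urgency` are standard ES notable fields.
THREAT_ACTIVITY_RULE = "Threat Activity Detected"


def max_normalized_score(scores_by_enclave: Mapping[str, Optional[int]]) -> Optional[int]:
    """Highest normalized score across every Enclave the API key can read.
    Enclaves with no score for the Indicator (None) are ignored; returns None
    when no Enclave scores it at all."""
    known = [s for s in scores_by_enclave.values() if s is not None]
    return max(known) if known else None


def urgency_for(scores_by_enclave: Mapping[str, Optional[int]]) -> Optional[str]:
    """Urgency the notable should get, or None to leave it as Splunk set it."""
    top = max_normalized_score(scores_by_enclave)
    if top is None:
        return None
    if top not in URGENCY_BY_SCORE:
        raise ValueError(f"unexpected normalized score {top!r}; expected 0-3")
    return URGENCY_BY_SCORE[top]


def enrich_notable(notable: dict, scores_by_enclave: Mapping[str, Optional[int]]) -> dict:
    """Return a copy of the notable with urgency adjusted, if and only if it is a
    Threat Activity notable and TruSTAR has a score for its Indicator."""
    out = dict(notable)
    if notable.get("rule_name") != THREAT_ACTIVITY_RULE:
        return out  # other notable types keep their Splunk-assigned urgency
    urgency = urgency_for(scores_by_enclave)
    if urgency is not None:
        out["urgency"] = urgency
    return out


# Constructed sample: one Indicator scored by three Enclaves and unscored by a fourth.
SAMPLE_SCORES = {"enclaveA": 1, "enclaveB": 3, "enclaveC": 2, "acme-case-mgmt": None}
THREAT_ACTIVITY_NOTABLE = {"rule_name": THREAT_ACTIVITY_RULE,
                           "threat_match_value": "203.0.113.7", "urgency": "medium"}
OTHER_NOTABLE = {"rule_name": "Some Other Correlation Search", "urgency": "medium"}

if __name__ == "__main__":
    print(enrich_notable(THREAT_ACTIVITY_NOTABLE, SAMPLE_SCORES))  # urgency becomes "high"
    print(enrich_notable(OTHER_NOTABLE, SAMPLE_SCORES))            # unchanged
```

Because the rule takes the maximum, a single Enclave scoring an Indicator 3 is enough to push the notable to High even if every other source rates it 0 or 1; that is worth remembering when you decide which Enclaves the API key can read.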

Q. How do I remove a false positive from my kvstore?

If a false positive exists in your kvstore and it is not set to age out following an update to your company's Allow List, then run this query in the Splunk “Search and Reporting” app to remove the false positive URL from the appropriate kvstore:

|inputlookup http_intel | search NOT url="falsepositive.com" | outputlookup http_intel

To remove all variations of an entry (utilizing wildcard) for a particular indicator in the kvstore, use the following query in the Splunk Search and Reporting app:

|inputlookup http_intel | search NOT url="*falsepositive*" | outputlookup http_intel
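Before running either query, it is worth previewing what the `search NOT url=...` clause will drop, because `outputlookup http_intel` writes back whatever survives and the wildcard form can match more than you intended. The script below, an added example rather than anything from the TruSTAR app or Splunk, replays both filters over a constructed set of `http_intel` rows. It assumes `search` field comparisons are case-insensitive and that `*` is the only wildcard; the rows and their `threat_key` values are made up.

```python
import re
from typing import List, Pattern, Tuple

# Constructed sample of rows as `| inputlookup http_intel` might return them
# (url and threat_key are Splunk ES threat-intel lookup fields; values are made up).
HTTP_INTEL_ROWS = [
    {"url": "falsepositive.com", "threat_key": "trustar:Acme IOCs"},
    {"url": "http://falsepositive.com/login", "threat_key": "trustar:X-Intel Source"},
    {"url": "notfalsepositive.com", "threat_key": "trustar:CyberSleuth Intel"},
    {"url": "FALSEPOSITIVE.COM", "threat_key": "trustar:ACME Curated Intel"},
    {"url": "evil.example", "threat_key": "trustar:CyberSleuth Intel"},
]


def splunk_pattern(pattern: str) -> Pattern[str]:
    """Translate a `search field="value"` value into a regex. `*` matches any run of
    characters and the comparison is case-insensitive (assumption stated in the lead-in)."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$",
                      re.IGNORECASE)


def split_rows(rows: List[dict], field: str, pattern: str) -> Tuple[List[dict], List[dict]]:
    """Return (kept, removed). `kept` is what `| search NOT field="pattern"` passes on to
    outputlookup; rows lacking the field are kept, as NOT on a missing field is true."""
    rx = splunk_pattern(pattern)
    kept, removed = [], []
    for row in rows:
        if field in row and rx.match(row[field]):
            removed.append(row)
        else:
            kept.append(row)
    return kept, removed


def removed_values(rows: List[dict], field: str, pattern: str) -> List[str]:
    """Just the field values the filter would delete, for a dry run."""
    return [row[field] for row in split_rows(rows, field, pattern)[1]]


if __name__ == "__main__":
    for pat in ("falsepositive.com", "*falsepositive*"):
        print(f'| search NOT url="{pat}" would remove:', removed_values(HTTP_INTEL_ROWS, "url", pat))
```

The exact-match query removes only the bare domain (in either case), while `*falsepositive*` also takes `notfalsepositive.com` and the full login URL. In Splunk itself the equivalent dry run is `| inputlookup http_intel | search url="*falsepositive*"`; only once that returns exactly the rows you expect should you append `| outputlookup http_intel`.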

