FAQ: TruSTAR for Splunk ES

Updated 1 month ago by TruSTAR

This document contains technical information and frequently asked questions (FAQ) about the TruSTAR Workflow App for Splunk Enterprise Security (ES).

App Components

The TruSTAR App for Splunk ES consists of three primary components: 

  • Downloader, also known as an "input" or "modinput" in Splunk
  • An Enrich Adaptive Response Action, or modalert in Splunk
  • A Submit Adaptive Response Action, or modalert in Splunk

Downloader

This component downloads Indicators that meet the criteria you specify in the input setup page to your Splunk ES Threat Intelligence Datamodel's threat intelligence kvstores, and expires them after the time you specify in the input setup page.  Once in the Threat Intelligence kvstores, Splunk ES's "threat gen" searches can hunt the indexes you point those searches at for the presence of any Indicators imported from TruSTAR and generate notable events from any matches. 

The Downloader automatically sends your TruSTAR whitelist to Splunk ES. The Downloader will run only for the period of time equal to the “interval” specified in the Input.

Enrich Adaptive Response Action

The Enrich action retrieves Indicator summary information from TruSTAR's Indicator Summaries endpoint and adds it as a comment titled "Threat Activity Detected" to your notable events.  This information can used by analysts to triage notable events and determine whether or not to investigate further.  This action can be added to any correlation search created by the user to automatically enrich "Threat Activity Detected" notable events. 

Submit Adaptive Response Action

This action submits an event to a TruSTAR Enclave of the user's choice.  This action can be used on any log event in Splunk ES. The action will search your intelligence sources in TruSTAR for enrichment of any Indicators that TruSTAR identifies in the event.  This action can also be added to any saved-search to automatically submit log events that match specific criteria you choose to TruSTAR for further investigation or enrichment. 

Check Splunk User Account Permissions

  1. Click the Settings menu in the upper-right corner, then click Access Controls.
    SplunkES_Install_Figure1
  2. On the Access Controls page, click Users.
    SplunkES_Install_Figure2
  3. On the Users page, examine the Roles column. Any user who needs to use the Enrich or Submit actions requires Admin as one of their account roles.
    SplunkES_Install_Figure3

FAQ

Can't execute Submit or Enrich commands

Splunk ES requires that the Splunk user account have Admin permissions in order to execute Submit or Enrich commands. You can check the error message in Splunk ES to see if your permissions are the issue.

  1. To find the error message for an adaptive response action failure, click on the hyperlink labeled View Adaptive Response Invocations. When you click on that hyperlink, you’ll be taken to a search results page.
    SplunkES_FAQ_Figure1
  2. Read through the log entries to find the error message.  The text in red box below shows the error is due to the user’s Splunk account having insufficient role permissions.
    SplunkES_FAQ_Figure2

To check if your account has the correct permissions, see the section User Requirements in the Splunk ES Installation document.

Splunk ES Urgency Scoring

A Threat Activity Notable Event in Splunk ES contains a single Indicator, enabling TruSTAR to adjust the urgency score based on enrichment from TruSTAR enclaves. Read more here.

TruSTAR queries all the Enclaves you have access to in order to obtain the normalized scores for that Indicator. TruSTAR assigns the Indicator a score that is equal to the max of all those normalized scores and sets the Notable Event’s Urgency score according that score, as shown in the table below.

TruSTAR Normalized Indicator Score

Splunk ES Notable Event Urgency Score

0

Informational

1

Low

2

Medium

3

High

[nothing that maps to “critical”]

Critical

TruSTAR can only enrich the Urgency Score for Threat Activity events. It cannot not change the Urgency Score for any other type of Notable Events.
Remove false positive from KV Store

If a false positive exists in your KV Store and it is not set to age out following an update to your company's Allow List, then run this query in the Splunk “Search and Reporting” app to remove the false positive URL from the appropriate KV Store:

|inputlookup http_intel | search NOT url="falsepositive.com" | outputlookup http_intel

To remove all variations of an entry (utilizing wildcard) for a particular indicator in the KV Store, use the following query in the Splunk Search and Reporting app:

|inputlookup http_intel | search NOT url="*falsepositive*" | outputlookup http_intel

Restore Indicators accidentally deleted in Splunk ES

In order to restore deleted Indicators in Splunk ES, you must reconfigure all the input configurations in the TruSTAR App, which then reloads the Indicators from TruSTAR to Splunk ES.

  1. Make note of all the input configurations. For example, Name, Interval, Global Account, Enclave IDs, IOC Types, Tags, Expiration Days. It may be easiest to take a screen shot or photo of the configuration.
  2. Delete the input configurations.
  3. Re-enter the input configurations using the information from step 1.

This removes the existing checkpoints for the inputs and restarts the ingestion process, which will restore the missing Indicators.


How Did We Do?