Splunk ES FAQ

Updated 3 weeks ago by Elvis Hovor

This document contains technical information and frequently asked questions (FAQ) about the TruSTAR App for Splunk Enterprise Security (ES).

Navigate to our Installation doc or our User guide for Splunk ES

App Components

The TruSTAR App for Splunk ES consists of three primary components: 

  • Downloader, also known as an "input" or "modinput" in Splunk
  • An Enrich Adaptive Response Action, or modalert in Splunk
  • A Submit Adaptive Response Action, or modalert in Splunk

Downloader

This component downloads IOCs that meet the criteria you specify in the input setup page to your Splunk ES Threat Intelligence Datamodel's threat intelligence kvstores, and expires them after the time you specify in the input setup page.  Once in the Threat Intelligence kvstores, Splunk ES's "threat gen" searches can hunt the indexes you point those searches at for the presence of any IOCs imported from TruSTAR and generate notable events from any matches. 

Enrich Adaptive Response Action

The Enrich action retrieves indicator summary information from the Station platform's "Indicator Summaries" endpoint and adds it as a comment to your notable events titled "Threat Activity Detected". It is intended to help analysts triage notable events by deciding whether or not a threat match warrants further investigation. This action can be added to any correlation search created by the user to automatically enrich "Threat Activity Detected" notable events.

Submit Adaptive Response Action

This action submits an event to an enclave of the user's choice in the Station platform.  This action can be used on any log event in Splunk and will trigger the Station platform to reach out to your indicator-query closed intelligence sources for further enrichment about any indicators the Station platform identifies in the event.  This action can also be added to any saved-search to automatically submit log events that match criteria of the user's choosing to Station for further investigation or enrichment. 

Using Inputs

The TruSTAR App for Splunk ES includes the ability to configure multiple inputs from your TruSTAR enclaves. This gives you very granular control over which IOCs are imported into Splunk ES and used to create notable events, and reduces the likelihood of importing IOCs that will cause Splunk ES to create notable events that turn out to be false positives.

The Splunk ES integration does not have the ability to generate report or indicator tags in Station.

To help you understand the power of granular inputs, here is an example for a fictional company, Acme Corporation.

Input 1

The SOC at Acme Corporation wants Splunk ES to always be on the lookout for any sign of any IOC that Acme has investigated and determined malicious. They store these IOCs in a case management enclave in TruSTAR Station.

  • Name: Acme IOCs
  • Enclave ID: <case-management enclave in TruSTAR Station>
  • IOC Types: All available (do not remove any IOCs from the default list display)
  • Expiration: 360 days

Input 2

Acme Corporation is also extremely concerned about file hashes reported on by Intelligence Source X. They are not interested in alerting on any other IOC type reported on by that intelligence source, and they are not interested in hashes reported on by any other intelligence source. 

  • Name: X-Intel Source
  • Enclave ID: <case-management enclave in TruSTAR Station>
  • IOC Types: SHA1, SHA256, MD5 (delete all others displayed in this field)
  • Expiration: 180 days

Input 3

Let's assume that Acme Corporation is also interested in alerting on IP addresses reported on by Intelligence Sources A, B, C, D, and E, but only if the reporting is timestamped within the last 7 days. To accommodate this interest, the user could configure a third input that downloads IPs from enclaves A, B, C, and D and retains them only for 7 days.

  • Name: Malicious IPs
  • Enclave ID: <enclaveA_ID, enclaveB_ID, enclaveC_ID, enclaveD_ID>
  • IOC Types: IP
  • Expiration: 7 days

Input 4

Let's assume that Acme Corporation is also a member of a sharing group named CyberSleuths. Acme Corporation wants another input to download all IOCs from that sharing group enclave and retain them for 90 days.  

  • Name: CyberSleuth Intel
  • Enclave ID: <CyberSleuth_ID>
  • IOC Types: All available (do not remove any IOCs from the default list display)
  • Expiration: 90 days

Input 5

Acme Corporation also runs a script that transfers reports and IOCs that meet certain criteria to an enclave named ACME_CURATED that they believe contains very high-signal data. For example, that script transfers to that enclave only indicators whose scores by sources A, B, and C surpass certain thresholds. Acme wants to configure an input that downloads all IOC types from that enclave and retains them for 180 days. 

  • Name: ACME Curated Intel
  • Enclave ID: <ACME_CURATED_ID>
  • IOC Types: All available (do not remove any IOCs from the default list display)
  • Expiration: 180 days

Acme could also curate an enclave for each IOC type, then pipe those into Splunk ES by configuring a new input for each IOC type. This is especially useful when you want to use different expiration dates for different IOCs; for example, have email addresses expire after 30 days while SHA1 data would expire after 180 days.
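The following is an added illustration, not code from the TruSTAR app, of how the input filters above narrow what reaches the threat intelligence KV store: each input keeps only indicators from its enclaves and IOC types, stamps them with its own expiration, and drops them once that time has passed. The input model, enclave IDs, and sample indicators are all constructed for this example.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Hypothetical model of one TruSTAR input; the fields mirror the input setup page.
# ioc_types=None stands for "All available".
InputConfig = namedtuple("InputConfig", "name enclave_ids ioc_types expiration_days")
Indicator = namedtuple("Indicator", "enclave_id ioc_type value")

def download(inputs, indicators, now):
    """Rows each input would write to the threat intel KV store, keyed by input name.
    A row is (value, ioc_type, expires_at); each input applies its own expiration."""
    rows = {}
    for cfg in inputs:
        rows[cfg.name] = [
            (ind.value, ind.ioc_type, now + timedelta(days=cfg.expiration_days))
            for ind in indicators
            if ind.enclave_id in cfg.enclave_ids
            and (cfg.ioc_types is None or ind.ioc_type in cfg.ioc_types)
        ]
    return rows

def expire(rows, now):
    """Drop rows whose expiration has passed, as the input does after the configured time."""
    return {name: [r for r in rs if r[2] > now] for name, rs in rows.items()}

# Constructed inputs matching Acme's Input 2 and Input 3; enclave IDs are placeholders.
ACME_INPUTS = [
    InputConfig("X-Intel Source", frozenset({"enclave-X"}),
                frozenset({"SHA1", "SHA256", "MD5"}), 180),
    InputConfig("Malicious IPs", frozenset({"enclave-A", "enclave-B", "enclave-C", "enclave-D"}),
                frozenset({"IP"}), 7),
]
# Constructed sample indicators (RFC 5737 documentation addresses, dummy hash).
SAMPLE = [
    Indicator("enclave-X", "SHA256", "a" * 64),
    Indicator("enclave-X", "IP", "203.0.113.5"),   # X reports an IP: Input 2 ignores it
    Indicator("enclave-B", "IP", "198.51.100.7"),
    Indicator("enclave-E", "IP", "192.0.2.9"),     # enclave E is not in Input 3
]
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

def kvstore_after(days_elapsed):
    """KV store contents after the downloader ran at T0 and days_elapsed days passed."""
    return expire(download(ACME_INPUTS, SAMPLE, T0), T0 + timedelta(days=days_elapsed))
```

Running `kvstore_after(8)` shows the 7-day IP input already empty while the 180-day hash input still holds its SHA256.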

FAQ

Q. Why can't I execute Submit or Enrich commands in the TruSTAR App?

Splunk ES requires that the Splunk user account have Admin permissions in order to execute Submit or Enrich commands. You can check the error message in Splunk ES to see if your permissions are the issue.

  1. To find the error message for an adaptive response action failure, click on the hyperlink labeled View Adaptive Response Invocations. When you click on that hyperlink, you'll be taken to a search results page.
    [Figure: SplunkES_FAQ_Figure1]
  2. Read through the log entries to find the error message. The text in the red box in the figure below shows that the error is due to the user's Splunk account having insufficient role permissions.
    [Figure: SplunkES_FAQ_Figure2]

To check if your account has the correct permissions, see the section User Requirements in the Splunk ES Installation document.

Q. How does Splunk ES Urgency Scoring work with TruSTAR?

A Threat Activity Notable Event contains a single IOC, enabling TruSTAR to adjust the urgency score based on enrichment from TruSTAR enclaves.

TruSTAR queries all the enclaves you have access to in order to obtain the normalized scores for that IOC. TruSTAR assigns the IOC a score that is equal to the max of all those normalized scores and sets the Notable Event's Urgency score according to that score, as shown in the table below.

  TruSTAR Normalized Indicator Score      Splunk ES Notable Event Urgency Score
  ----------------------------------      -------------------------------------
  0                                       Informational
  1                                       Low
  2                                       Medium
  3                                       High
  [nothing that maps to "critical"]       Critical

TruSTAR can only enrich the Urgency Score for Threat Activity events. It cannot change the Urgency Score for any other type of Notable Event.
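As an added example (not the app's own code) of the Enrich behaviour described in the App Components section and the urgency rule above: the indicator summaries from every accessible enclave are appended as one comment, the maximum normalized score picks the urgency from the table, events that are not "Threat Activity Detected" are left untouched, and no score can produce Critical. The event and summary structures are assumptions constructed for this example.

```python
URGENCY_BY_SCORE = {0: "informational", 1: "low", 2: "medium", 3: "high"}
# No normalized score maps to "critical", so enrichment can never raise an event to it.

def enrich_notable(notable, summaries):
    """Simulate the Enrich action on one notable event (hypothetical structures).
    notable: dict with 'rule_title', 'urgency', 'comments', 'ioc'.
    summaries: {enclave_id: {'score': int or None, 'summary': str}}, one entry per
    enclave the user can access; score None means that enclave did not score the IOC.
    Returns a new dict and leaves the input event unmodified."""
    out = dict(notable, comments=list(notable["comments"]))
    if notable["rule_title"] != "Threat Activity Detected":
        return out  # comment and urgency change apply only to Threat Activity events
    out["comments"].append(
        "TruSTAR summary for %s: " % notable["ioc"]
        + "; ".join("%s: %s" % (enc, s["summary"]) for enc, s in summaries.items())
    )
    scores = [s["score"] for s in summaries.values() if s["score"] is not None]
    if scores:  # no scores at all: keep the urgency the correlation search assigned
        top = max(scores)
        if top not in URGENCY_BY_SCORE:
            raise ValueError("normalized score out of range: %r" % top)
        out["urgency"] = URGENCY_BY_SCORE[top]
    return out

# Constructed sample: three accessible enclaves, one of which has no score.
SAMPLE_SUMMARIES = {
    "enclave-A": {"score": 1, "summary": "mentioned in one phishing report"},
    "enclave-B": {"score": 3, "summary": "reported as active C2 by a closed source"},
    "enclave-C": {"score": None, "summary": "no summary available"},
}
SAMPLE_EVENT = {
    "rule_title": "Threat Activity Detected",
    "urgency": "low",
    "comments": [],
    "ioc": "198.51.100.7",  # RFC 5737 documentation address
}
```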
