5. Manually Enrich a Notable Event (ES)
This is one of several articles discussing things the user can do with the TruSTAR Unified App for Splunk and Enterprise Security.
For other use-cases, see the Overview.
Manually Enrich a Notable Event.
1. Create an ad-hoc search by specifying values in Status, Owner or other fields displayed on the screen.
2. Click the Actions caret on the far right of any event to display the Actions menu.
3. From the Adaptive Response Actions menu, choose +Add New Response Action.
4. From the list of adaptive response actions, choose TruSTAR - Enrichment.
5. Select the Enclave(s) to use for the enrichment.
6. Enable or disable Urgency adjustment.
7. Click X in the upper right corner to close the message box and return to the list of Notable Events.
8. Refresh the browser page.
9. Reopen the notable event.
10. View the enrichment in the Notable Event's comment box.
You can enrich a Notable Event using intel from the TruSTAR Enclaves specified in the TruSTAR App configuration.
TruSTAR will only raise the severity of an event; it will never lower it. For example, if an event already has a Critical severity and TruSTAR rates it as High, the Urgency rating remains unchanged.
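The "raise but never lower" rule above is easy to misread when reviewing enrichment results, so the following is an added example (not TruSTAR's or Splunk's own code) that models it over a few constructed notable events. It assumes the standard Splunk ES urgency scale (informational, low, medium, high, critical) and that a TruSTAR rating outside that scale, or a disabled Urgency adjustment, leaves the event untouched; the event records and ratings are made up for illustration.

```python
# Added example: models the documented TruSTAR urgency-adjustment rule
# ("only raise, never lower") so an analyst can sanity-check results.
# Not part of the TruSTAR app; the sample events below are constructed.

# Splunk ES urgency levels, ordered from lowest to highest.
URGENCY_ORDER = ["informational", "low", "medium", "high", "critical"]
_RANK = {level: i for i, level in enumerate(URGENCY_ORDER)}


def adjust_urgency(current, trustar_rating, adjustment_enabled=True):
    """Return the urgency a notable event should end up with.

    - If adjustment is disabled, the current urgency is kept.
    - If TruSTAR's rating is unknown (assumption: treated as "no opinion"),
      the current urgency is kept.
    - Otherwise the higher of the two levels wins, so urgency never drops.
    """
    cur = current.lower()
    if not adjustment_enabled:
        return cur
    rating = (trustar_rating or "").lower()
    if rating not in _RANK or cur not in _RANK:
        return cur
    return rating if _RANK[rating] > _RANK[cur] else cur


def apply_enrichment(events, adjustment_enabled=True):
    """Apply the rule to a list of event dicts and report what changed.

    Each input event needs 'id', 'urgency' and 'trustar_rating'.
    Returns a list of dicts with the resulting urgency and a 'raised' flag.
    """
    results = []
    for ev in events:
        new = adjust_urgency(ev["urgency"], ev["trustar_rating"], adjustment_enabled)
        results.append({
            "id": ev["id"],
            "before": ev["urgency"].lower(),
            "after": new,
            "raised": _RANK.get(new, -1) > _RANK.get(ev["urgency"].lower(), -1),
        })
    return results


# Constructed sample notable events (ids and ratings are illustrative only).
SAMPLE_EVENTS = [
    {"id": "NE-1", "urgency": "critical", "trustar_rating": "high"},   # stays critical
    {"id": "NE-2", "urgency": "low", "trustar_rating": "high"},        # raised to high
    {"id": "NE-3", "urgency": "medium", "trustar_rating": "medium"},   # unchanged
    {"id": "NE-4", "urgency": "high", "trustar_rating": "unknown"},    # unchanged
]

if __name__ == "__main__":
    for r in apply_enrichment(SAMPLE_EVENTS):
        marker = "RAISED" if r["raised"] else "kept"
        print(f"{r['id']}: {r['before']} -> {r['after']} ({marker})")
```

Running the block prints one line per event; the first event demonstrates the documented case where a Critical event rated High by TruSTAR keeps its Critical urgency.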