5. Manually Enrich a Notable Event (ES)

Updated 7 months ago by Steven Chamales

This is one of several articles discussing things the user can do with the TruSTAR Unified App for Splunk and Enterprise Security.

For other use-cases, see the Overview.

Manually Enrich a Notable Event

Create an ad-hoc search by specifying values in Status, Owner or other fields displayed on the screen.

  • In the example below:
    • The only parameter selected was "Last 90 Days" in the Time field.
    • The Incident Review search returned the list of results you see at the bottom of the screen.

Click the Actions caret on the far right of any event to display the Actions menu.

  • A menu will appear.
  • Choose Run Adaptive Response Actions from that menu.
  • The Adaptive Response Actions menu will appear.

From the Adaptive Response Actions menu, choose +Add New Response Action.

  • A list of adaptive response actions will appear.

From the list of adaptive response actions, choose TruSTAR - Enrichment.

  • The TruSTAR - Enrichment action's config dialog box will appear.

Select the Enclave(s) to use for the enrichment:

  • Default: Queries the Enclaves you configured in the TruSTAR App as enrichment enclaves.
  • Custom: Queries a specified list of one or more TruSTAR Enclaves, or ALL Enclaves. To specify a list of Enclaves, provide a list of Enclave IDs, separated by commas.

Enable / Disable Urgency adjustment.

  • This allows the enrichment to adjust the urgency of the Notable Event based on information from the enrichment.
  • TruSTAR recommends leaving this setting Enabled.

Click Run to start the enrichment action.

  • The Adaptive Response Actions dialog box provides confirmation that the enrichment action is being executed.

Click X in the upper right corner to close this message box and return to the list of Notable Events.

Refresh the browser page.

Reopen the notable event.

View the enrichment in the NE's comment box.

This feature is only available with Splunk ES.

You can enrich a Notable Event using intel from the TruSTAR Enclaves specified in the TruSTAR App configuration.

This enrichment action checks only the Enclaves specified in the Configuration section of the TruSTAR App. It displays the information those Enclaves have at the time of the action; to receive additional enrichment, rerun this action.

TruSTAR will only raise the severity of an Event; it will never lower the severity. For example, if an event has a Critical severity score and TruSTAR rates it as High, the Urgency rating will remain unchanged.
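The two rules above (Enclave selection in the config dialog, and the raise-only Urgency adjustment) are modelled below as an added illustration. This is not TruSTAR's or Splunk's code; the Enclave IDs, the function names and the `demo()` helper are constructed for the example, and the urgency scale is the standard Splunk ES set of values.

```python
"""Illustrative model of two rules described on this page (not the TruSTAR App's code):

1. Enclave selection: Default queries the Enclaves configured in the TruSTAR App as
   enrichment enclaves; Custom takes a comma-separated list of Enclave IDs, or ALL.
2. Urgency adjustment: enrichment may raise a Notable Event's urgency, never lower it.
"""
from typing import List, Optional

# Splunk ES urgency scale, ordered from lowest to highest.
URGENCY_SCALE = ["informational", "low", "medium", "high", "critical"]

# Constructed sample (hypothetical IDs): the enrichment Enclaves an operator set in
# the TruSTAR App configuration.
CONFIGURED_ENRICHMENT_ENCLAVES = ["enclave-aaaa-0001", "enclave-bbbb-0002"]

ALL_ENCLAVES = "ALL"


def resolve_enclaves(mode: str, custom_value: str = "") -> Optional[List[str]]:
    """Return the Enclave IDs to query, or None meaning 'query ALL Enclaves'.

    mode is "Default" or "Custom"; custom_value is the text typed into the
    Custom field (comma-separated IDs, or the literal ALL).
    """
    mode = mode.strip().lower()
    if mode == "default":
        return list(CONFIGURED_ENRICHMENT_ENCLAVES)
    if mode == "custom":
        if custom_value.strip().upper() == ALL_ENCLAVES:
            return None
        # Tolerate surrounding whitespace and stray commas in the typed list.
        ids = [item.strip() for item in custom_value.split(",")]
        ids = [item for item in ids if item]
        if not ids:
            raise ValueError("Custom mode requires at least one Enclave ID or ALL")
        return ids
    raise ValueError(f"unknown enclave mode: {mode!r}")


def adjust_urgency(current: str, enrichment_rating: str, enabled: bool = True) -> str:
    """Apply the raise-only rule: the result is never lower than the current urgency.

    With Urgency adjustment disabled the Notable Event keeps its current value.
    """
    cur = current.strip().lower()
    if not enabled:
        return cur
    new = enrichment_rating.strip().lower()
    for value in (cur, new):
        if value not in URGENCY_SCALE:
            raise ValueError(f"unknown urgency level: {value!r}")
    return new if URGENCY_SCALE.index(new) > URGENCY_SCALE.index(cur) else cur


def demo() -> dict:
    """Walk through the page's own example plus a case where urgency is raised."""
    return {
        "default_enclaves": resolve_enclaves("Default"),
        "custom_enclaves": resolve_enclaves("Custom", " id-1, id-2 ,, "),
        "all_enclaves": resolve_enclaves("Custom", "all"),
        # Page example: Critical event rated High by TruSTAR stays Critical.
        "critical_vs_high": adjust_urgency("Critical", "High"),
        # A Medium event rated High is raised to High.
        "medium_vs_high": adjust_urgency("Medium", "High"),
        # With adjustment disabled nothing changes.
        "disabled": adjust_urgency("Medium", "High", enabled=False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ordinal comparison is what makes the rule monotonic: whatever the enrichment returns, an analyst who has already escalated an event cannot have that decision silently undone by a rerun of the action.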
