Splunk Enterprise: Import Indicators from TruSTAR

Updated 1 month ago by Sachit Soni

This script enables you to extract Indicators from TruSTAR Enclaves and import them into a kvstore in Splunk Enterprise. This is useful for teams who do not use Splunk Enterprise Security (ES), which has a full-featured integration with TruSTAR.

Activating This Script

Contact your TruSTAR account manager and provide the following information:

  • Source Enclave ID(s)
  • Kvstore collection name
  • .splunkc file
  • Frequency of script execution. The default is every 24 hours, but you can request a different interval to meet your organization's needs.

After you have provided the information, your account manager will configure the feature and then email you with confirmation that the script has been enabled.

How It Works

  1. Initializes the kvstore. If no collection with the requested name exists yet, the script creates one.
  2. Searches TruSTAR for all Indicators from the specified Enclave(s), including their metadata and scoring summary information.
  3. Maps the Indicators, with their metadata and scores, to the specified kvstore collection and imports them into Splunk Enterprise.
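The three steps above as an added example written for this page, not TruSTAR's own script: it creates the collection if it is missing and upserts Indicators under a deterministic `_key`, so a scheduled re-run updates existing records instead of duplicating them. The TruSTAR field names (`value`, `indicatorType`, `enclaveIds`, `priorityLevel`) and the store's method names are assumptions, and the store itself is an in-memory stand-in for the Splunk KV store REST endpoints so the example runs offline.

```python
import hashlib
import time

# Constructed sample of what a TruSTAR Indicator search might return (field names assumed).
SAMPLE_INDICATORS = [
    {"value": "198.51.100.23", "indicatorType": "IP", "enclaveIds": ["enclave-a"],
     "priorityLevel": "HIGH"},
    {"value": "example.test", "indicatorType": "DOMAIN", "enclaveIds": ["enclave-a"],
     "priorityLevel": "LOW"},
    {"value": "198.51.100.23", "indicatorType": "IP", "enclaveIds": ["enclave-b"],
     "priorityLevel": "HIGH"},  # same indicator reported by a second enclave
]

def record_key(indicator_type, value):
    """Deterministic _key: re-running the import overwrites rather than duplicates."""
    return hashlib.sha256(f"{indicator_type}:{value.lower()}".encode()).hexdigest()

def map_indicators(indicators, imported_at=None):
    """Step 3: flatten TruSTAR Indicators into kvstore records, one per type+value."""
    if imported_at is None:
        imported_at = int(time.time())
    records = {}
    for ind in indicators:
        key = record_key(ind["indicatorType"], ind["value"])
        rec = records.setdefault(key, {
            "_key": key, "value": ind["value"], "type": ind["indicatorType"],
            "enclaves": [], "priority": ind.get("priorityLevel", "UNKNOWN"),
            "imported_at": imported_at})
        # merge enclave membership when one indicator appears in several enclaves
        rec["enclaves"] = sorted(set(rec["enclaves"]) | set(ind.get("enclaveIds", [])))
    return list(records.values())

class FakeKvStore:
    """In-memory stand-in for the Splunk KV store collection endpoints (constructed)."""
    def __init__(self):
        self.collections = {}
    def ensure_collection(self, name):  # Step 1: create the collection if absent
        created = name not in self.collections
        self.collections.setdefault(name, {})
        return created
    def batch_save(self, name, records):  # upsert by _key, as the real batch_save does
        self.collections[name].update({r["_key"]: r for r in records})
        return len(records)

def import_indicators(store, collection, indicators):
    """Run steps 1-3 and report what happened, so a scheduler can log it."""
    created = store.ensure_collection(collection)
    saved = store.batch_save(collection, map_indicators(indicators))
    return {"created": created, "saved": saved, "total": len(store.collections[collection])}
```

In a real deployment the fetch in step 2 would come from the TruSTAR API and the store calls would go to Splunk's `storage/collections` REST endpoints; the merge and keying logic stay the same.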
