1. Do I need to configure the TruSTAR configuration for the TruSTAR add-on or the main TruSTAR app?
The configuration is for the TruSTAR Add-on - this will start pulling data from our API and then index it in Splunk.
2. Will our technology add-on work with a Universal Forwarder?
Our Technology Add-on requires a heavy forwarder if you are deploying in a clustered setup. The Universal Forwarder does not come bundled with Python or a user interface, both of which are required to set up our Technology Add-on: Python is needed for Splunk to connect to our REST API and pre-process the response. Universal Forwarders cannot connect to a REST API and process data before it is indexed.
Splunk documentation for upgrading to a Heavy Forwarder in case that's of interest: https://docs.splunk.com/Documentation/Forwarder/7.0.0/Forwarder/Upgradeauniversalforwardertoaheavyforwarder
3. Since we have a clustered environment, I installed the TruSTAR add-on on the master cluster node, but it didn't get installed on the cluster peers.
So, do I need to install it manually in the cluster node's $SPLUNK_HOME/etc/master-apps and then apply the bundle? Or do I need to install it manually on every cluster indexer?
The TruSTAR Add-on won't get installed automatically on cluster peers. The user has to perform the following steps on the Cluster Master:
- Copy the extracted TA_trustar folder to $SPLUNK_HOME/etc/master-apps
- Verify the index stanza in $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf (the stanza name must be the same index name selected in the modular input on the heavy forwarder; <index_name> below stands for that name):
[<index_name>]
coldPath = $SPLUNK_DB/trustar/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/trustar/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/trustar/thaweddb
repFactor = auto
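As an added check for the verification step above (example code written for this FAQ, not part of the TruSTAR add-on), the script below reads the cluster master's indexes.conf and reports whether the stanza named in the modular input exists and carries the settings a clustered index needs, including repFactor = auto. The index name "trustar" and both sample file bodies are constructed assumptions.

```python
import configparser
import tempfile

# Keys the indexes.conf stanza on the cluster master should carry; repFactor = auto
# is what makes an indexer cluster replicate the index's buckets to the peers.
REQUIRED_KEYS = ("homePath", "coldPath", "thawedPath", "repFactor")

# Constructed sample of $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf
# (the index name "trustar" is an assumption matching the paths on this page).
SAMPLE_INDEXES_CONF = """[trustar]
coldPath = $SPLUNK_DB/trustar/colddb
homePath = $SPLUNK_DB/trustar/db
thawedPath = $SPLUNK_DB/trustar/thaweddb
repFactor = auto
"""

# Constructed sample of a stanza copied from a standalone instance: no thawedPath
# and repFactor left at 0, so the index would not be replicated across peers.
STANDALONE_INDEXES_CONF = """[trustar]
coldPath = $SPLUNK_DB/trustar/colddb
homePath = $SPLUNK_DB/trustar/db
repFactor = 0
"""

def write_sample(text):
    """Write a constructed .conf body to a temp file and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(text)
        return fh.name

def load_indexes_conf(path):
    # Splunk .conf files are INI-style; keys are case-sensitive (homePath, not
    # homepath) and values like $SPLUNK_DB/... must be read literally.
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read(path)
    return parser

def check_index_stanza(path, index_name):
    """Return a list of problems; an empty list means the stanza is cluster-ready."""
    conf = load_indexes_conf(path)
    if not conf.has_section(index_name):
        return [f"no [{index_name}] stanza found"]
    stanza = conf[index_name]
    problems = [f"[{index_name}] is missing {k}" for k in REQUIRED_KEYS if k not in stanza]
    if stanza.get("repFactor") != "auto":
        problems.append(f"[{index_name}] repFactor must be auto for a clustered index")
    return problems
```

Run check_index_stanza against the real file with the index name you chose in the modular input; any non-empty result is a reason not to apply the bundle yet.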
4. Do I need to install the TruSTAR app on all search heads?
Yes, you need to install the TruSTAR app on all search heads. However, you do not have to perform this step manually on each search head. Follow the steps below on the Search Head Deployer:
- Copy the extracted folders of TA_trustar and the TruSTAR App to $SPLUNK_HOME/etc/shcluster/apps.
- If you selected an index other than the default in the modular input configuration on the heavy forwarder, modify the macro definition of "trustar_get_index" in $SPLUNK_HOME/etc/shcluster/apps/Trustar/default/macros.conf (otherwise skip to the next step).
- Push the app to the search head cluster using the command below:
$SPLUNK_HOME/bin/splunk apply shcluster-bundle -target <SH_URI>:<management_port> -auth <username>:<password>
5. Am I able to configure custom fields for matches? For example, just match on TruSTAR's IPs or URLs rather than everything?
This feature is currently not possible with TruSTAR's Splunk V1 app; however, users can run custom search queries to . The new Splunk refresh, TruSTAR Splunk App V2, will be more configurable, and users will have the ability to select the indexes for the app to search against.
6. Does this app store data into Splunk, i.e. will it consume license and storage?
The TruSTAR app will consume storage; this is standard for threat intelligence applications that let you match intel against your local Splunk instance. The TruSTAR platform differentiates itself from the competition by focusing on high-value IOCs that have been submitted by other analysts, which means users will not be receiving large volumes of data.
7. How do I find out if TruSTAR app search is consuming a lot of Splunk memory?
This Splunk knowledge base document explains how to identify your top memory-consuming searches: http://docs.splunk.com/Documentation/Splunk/7.0.0/Troubleshooting/Troubleshootmemoryusage
8. The “export PDF” function on the TruSTAR app on Splunk doesn’t appear to work. How can I export a report?
The Splunk application does not allow a full PDF download in the format we use in the app. As a workaround, please use your browser to save the report; this guarantees that the full report is downloaded with a similar appearance.
9. I receive the authentication error "Authentication Failed ! Please verify URL, API key, and Secret Key of TruSTAR to Connect." when configuring the TruSTAR App.
- Check to make sure all your credentials are entered correctly.
- Verify that you have read and write access to the enclave you selected.
- Check to see if your firewall is blocking traffic from TruSTAR.
10. If I have Splunk ES, can I incorporate data from the TruSTAR app into ES?
Currently the TruSTAR app does not have a native integration with Splunk ES. Version 2 of the TruSTAR app will have this capability.