TruSTAR Unified | Splunkbase

TruSTAR Unified

TruSTAR integration for both Splunk Enterprise and Enterprise Security users.

Installation docs (video): https://support.trustar.co/article/x6yn7kzq52-install-tru-star-unified-for-splunk
Using this app to improve detection and triage: https://lantern.splunk.com/Splunk_Product_Learning_Guides/Splunk_Int_Mgmt/UnifiedApp_UseCase?mt-learningpath=intelmgmtunifiedappconfig#

** Notes to Splunk Cloud SRE:
- This app must be installed on search heads (NOT the IDM). It includes a modular input (modinput), which must be allowed to run on the search head.
- The modinput contains checks to ensure that it runs only on the cluster captain in an SHC deployment.
- The app contains modular alert actions (modactions) that need to be available on all SHC nodes, so the app must be installed on every SHC node.
- The modinput fetches cyber threat observables from TruSTAR's REST API and posts them to the search heads' KV store using the KV store "batch_save" endpoint, not to an index as most modinputs do. This is why it must run on the search heads, not on an IDM. There is no config option that would let the user point the modinput at that endpoint on a different host; it is hard-coded to post to "localhost".

References for exceptions to the "no modinputs on SHs" policy:
- Case #1685202 "Vet and Install TruSTAR App for Splunk ES." (circa April 7, 2020) (TruSTAR App for Splunk ES was this app's predecessor)
- Case #2646540
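The two behaviours the SRE notes describe, running only on the SHC captain and writing observables to the local KV store through batch_save, as an added Python example. This is illustrative code, not the TruSTAR app's own modinput. It assumes an app named TA_example, a collection named example_observables, a splunkd session key supplied by the caller, and constructed sample observables with made-up field names. The REST endpoints (shcluster/member/info and storage/collections/data/<collection>/batch_save), the localhost:8089 management port and the 1000-document default for max_documents_per_batch_save are Splunk's; treating a failed member/info lookup as "standalone search head, proceed" is this example's assumption.

```python
"""Added illustration (not the TruSTAR app's code): captain-only execution and
KV store batch_save writes to localhost, as the listing notes describe."""
import json
import ssl
import urllib.request
from typing import Callable, Iterable, List, Optional

SPLUNKD = "https://localhost:8089"   # hard-coded to localhost, as the listing says
MAX_PER_BATCH = 1000                 # limits.conf [kvstore] max_documents_per_batch_save default

# Constructed sample observables (field names assumed, not TruSTAR's schema).
SAMPLE_OBSERVABLES = [
    {"_key": "ip:203.0.113.10", "type": "IP", "value": "203.0.113.10", "priority": 3},
    {"_key": "domain:example.invalid", "type": "DOMAIN", "value": "example.invalid", "priority": 2},
    {"_key": "sha256:" + "a" * 64, "type": "SHA256", "value": "a" * 64, "priority": 1},
]


def should_run(member_info: Optional[dict]) -> bool:
    """Decide whether this node executes the input.

    member_info is the parsed JSON from
    GET /services/shcluster/member/info?output_mode=json, or None when that
    request failed because the host is not an SHC member (assumed standalone,
    so the input runs). In an SHC only the captain proceeds, so an input that
    is enabled on every node still writes each observable exactly once.
    """
    if member_info is None:
        return True
    try:
        return bool(member_info["entry"][0]["content"]["is_captain"])
    except (KeyError, IndexError, TypeError):
        return False  # malformed answer: fail closed rather than write from every node


def chunk(items: Iterable[dict], size: int = MAX_PER_BATCH) -> List[List[dict]]:
    """Split records into batch_save-sized lists; splunkd rejects oversized posts."""
    items = list(items)
    return [items[i:i + size] for i in range(0, len(items), size)]


def batch_save_url(app: str, collection: str, owner: str = "nobody") -> str:
    """App-scoped KV store write endpoint (owner 'nobody' = shared app context)."""
    return f"{SPLUNKD}/servicesNS/{owner}/{app}/storage/collections/data/{collection}/batch_save"


def _http_post(url: str, session_key: str, body: bytes) -> int:
    """Real transport: POST a JSON array with the splunkd session token."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Splunk {session_key}")
    req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context()  # keep TLS verification on; load your CA bundle if self-signed
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


def save_observables(observables: Iterable[dict], session_key: str,
                     app: str = "TA_example", collection: str = "example_observables",
                     send: Callable[[str, str, bytes], int] = _http_post) -> List[int]:
    """Write observables to the local KV store; returns the record count of each batch.

    `send` is injectable so the batching and error handling can be exercised
    without a running splunkd.
    """
    url = batch_save_url(app, collection)
    counts = []
    for batch in chunk(observables):
        status = send(url, session_key, json.dumps(batch).encode())
        if status != 200:
            raise RuntimeError(f"batch_save returned HTTP {status} for {len(batch)} records")
        counts.append(len(batch))
    return counts


if __name__ == "__main__":
    # Offline demonstration with a fake transport; replace with _http_post on a search head.
    def dry_run(url: str, key: str, body: bytes) -> int:
        print(f"POST {url} ({len(json.loads(body))} records)")
        return 200

    if should_run(None):
        print(save_observables(SAMPLE_OBSERVABLES, "session-key-placeholder", send=dry_run))
```

On a real search head the caller first fetches /services/shcluster/member/info with the same session key, passes the parsed JSON (or None on a non-SHC host) to should_run, and only then calls save_observables with the default transport. Keeping the target at localhost means the loader never needs a stored credential for another host, which is the property the listing relies on when it asks for the input to run on the search head rather than an IDM.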

Built by Splunk Inc.

Latest Version 2.0.4
June 22, 2022
Compatibility
Platform Version: 9.0, 8.2, 8.1, 8.0
Rating
5 out of 5 (1 rating)

Support
Splunk Supported app


Categories

Created By

Splunk Inc.

Type

app

Downloads

926

Featured in Collection

Getting Started with Security

Resources
