Learn how a Security Analyst working with Splunk Enterprise Security can use the Splunk Intelligence Management (TruSTAR) Unified app to improve detection and triage.
Before you begin configuration of the Unified app, you will need to:
- Create an Indicator Prioritization intelligence flow (an Intel Workflow) that prepares the data you want to download into Splunk Enterprise or Splunk Enterprise Security for threat hunting. Save the API key pair and the enclave ID; the app configuration needs both.
- (Optional) Create a service account with read permission on every enclave you will use for observable download or enrichment, and with write permission on the enclave that receives submissions from Splunk ES. Save its API key pair and the enclave IDs.
- Install the Unified App in your Splunk Enterprise or Splunk Enterprise Security instance. If you are a Splunk Cloud Platform customer, open a support ticket with Splunk for assistance.
- Once you have these details, follow the recommended configuration path, starting with the next step (initial configuration). Each step is explained with a short video.
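The most common misconfiguration at this stage is a service account that can read the enclaves but lacks write permission on the submission enclave, which only surfaces later as failed submissions from Splunk ES. The following pre-flight check is an added example, not code from the Splunk page or the TruSTAR app. It assumes the TruSTAR REST API 1.3 shape (OAuth2 client-credentials token from `https://api.trustar.co/oauth/token`, then `GET /api/1.3/enclaves` returning objects with `id`, `name` and boolean `read`/`create`/`update` flags); the enclave IDs and the sample response are constructed for illustration.

```python
"""Pre-flight permission check for a TruSTAR service account.

Added example; not part of the Splunk Intelligence Management documentation.
Assumed API shape: TruSTAR API 1.3, OAuth2 client_credentials at /oauth/token,
GET /api/1.3/enclaves returning {"id", "name", "read", "create", "update"}.
"""
import base64
import json
import os
import sys
import urllib.request

TRUSTAR_BASE = "https://api.trustar.co"  # assumed base URL

# Constructed sample of what GET /api/1.3/enclaves might return for a service
# account that can read everything but cannot write to the submission enclave.
SAMPLE_ENCLAVES = [
    {"id": "enclave-prioritized", "name": "Prioritized Indicators",
     "read": True, "create": False, "update": False},
    {"id": "enclave-vendor-feed", "name": "Vendor Feed",
     "read": True, "create": False, "update": False},
    {"id": "enclave-splunk-out", "name": "Splunk ES Submissions",
     "read": True, "create": False, "update": False},
]


def check_enclave_permissions(enclaves, read_enclave_ids, submit_enclave_id):
    """Compare the enclaves visible to the account against what the app needs.

    Returns a dict of problems keyed by kind ("missing", "no_read", "no_write");
    an empty dict means the account is sufficient for the Unified app.
    """
    by_id = {e["id"]: e for e in enclaves}
    problems = {"missing": [], "no_read": [], "no_write": []}

    # Download/enrichment enclaves must be visible and readable.
    for eid in read_enclave_ids:
        enclave = by_id.get(eid)
        if enclave is None:
            problems["missing"].append(eid)
        elif not enclave.get("read", False):
            problems["no_read"].append(eid)

    # The submission enclave must allow creating reports ("create" = write).
    submit = by_id.get(submit_enclave_id)
    if submit is None:
        if submit_enclave_id not in problems["missing"]:
            problems["missing"].append(submit_enclave_id)
    elif not submit.get("create", False):
        problems["no_write"].append(submit_enclave_id)

    return {kind: ids for kind, ids in problems.items() if ids}


def fetch_enclaves(api_key, api_secret, base=TRUSTAR_BASE):
    """Fetch the live enclave list for an API key pair (network call; assumed API)."""
    creds = base64.b64encode(f"{api_key}:{api_secret}".encode()).decode()
    token_req = urllib.request.Request(
        f"{base}/oauth/token",
        data=b"grant_type=client_credentials",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(token_req) as resp:
        token = json.load(resp)["access_token"]
    enclave_req = urllib.request.Request(
        f"{base}/api/1.3/enclaves",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(enclave_req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(check_enclave_permissions(
        SAMPLE_ENCLAVES,
        read_enclave_ids=["enclave-prioritized", "enclave-vendor-feed"],
        submit_enclave_id="enclave-splunk-out",
    ))
    # Live check if credentials are supplied through the environment
    # (variable names are this example's own, not the app's).
    key, secret = os.environ.get("TRUSTAR_API_KEY"), os.environ.get("TRUSTAR_API_SECRET")
    if key and secret:
        live = fetch_enclaves(key, secret)
        result = check_enclave_permissions(
            live,
            read_enclave_ids=os.environ.get("TRUSTAR_READ_ENCLAVES", "").split(","),
            submit_enclave_id=os.environ.get("TRUSTAR_SUBMIT_ENCLAVE", ""),
        )
        print(result or "service account permissions OK")
        sys.exit(1 if result else 0)
```

Run it before entering the key pair into the app: a non-empty result names exactly which enclave ID is invisible to the account, unreadable, or not writable, so the fix can be applied in TruSTAR rather than diagnosed later from failed downloads or submissions in Splunk.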