Splunk Lantern

Unified App: Use case - Splunk Intel Management (TruSTAR)

 

Splunk Intel Management (Legacy) has reached end of sale. If you are a Splunk Enterprise Security customer interested in similar functionality through Splunk Threat Intelligence Management, see the following page: Using Threat Intelligence Management.

Learn how a Security Analyst working with Splunk Enterprise Security can use the TruSTAR Unified app to improve detection and triage.

Getting Ready  

Before you begin configuration of the Unified app, you will need to:

  1. Create an Indicator Prioritization Intelligence flow (or Intel Workflow) to prepare the data you want to download to Splunk Enterprise or Splunk Enterprise Security for threat hunting. Don't forget to save the API key pair and enclave ID. 
  2. (Optional) Create a service account that has permission to read from all the enclaves you want to use for downloading observables or for enrichment, and to write to the enclave you want to use for submitting information from Splunk ES. Save the API key pair and enclave IDs. 
  3. Install the Unified App in your Splunk Enterprise or Splunk Enterprise Security instance. If you are a Splunk Cloud Platform customer, open a support ticket with Splunk for assistance. 
  4. Once you have the details you need, follow the recommended configuration path and jump to the next step (initial configuration). Each step is explained with a short video.
Splunk Intel Management (TruSTAR) - Setting up the Unified App for Splunk ES