Splunk SIEM + TruSTAR

Analyze notable events and leverage intelligence to quickly understand threat context and prioritize and accelerate triage

 

A Threat Intelligence Integration to Empower Your Splunk SIEM with The Most Relevant Data

Prioritize and accelerate triage, gain more accuracy

The TruSTAR Unified App for Splunk Enterprise and Enterprise Security helps security professionals analyze notable events and leverage intelligence to quickly understand threat context and prioritize and accelerate triage. With TruSTAR and Splunk, analysts can customize data ingest preferences based on Indicator type, tags, and age of Indicator to cut down on data volume exchange between tools for better accuracy.

SIEM video-1
Automatically Transform And Curate Data To Make It Actionable For Automation

How It Works


Workflow graphic with Splunk products

Integration Capabilities

 Automatically download observables from Premium Intelligence, Open Source, or Sharing Groups into Splunk KV Stores for use in searching or to alert against internal log events


star icon

Enrich Events

Enrich notable events in Splunk ES using intelligence from TruSTAR Enclaves

 

 

 

star icon

Correlate with Historical Data

Submit notable events to TruSTAR Enclaves for further enrichment and correlation with historical data to triage alerts based on context and severity
star icon

Prioritize Urgency

Update and prioritize notable event urgency in Splunk ES based on normalized scores from TruSTAR

 

 

Curate Nuanced Detection Sets

The TruSTAR Splunk Unified App leverages Indicator Prioritization Intel Workflows to select intelligence sources, apply priority scores, Safelists, and filters based on Indicator type or attributes. Easily submit prepared data into TruSTAR Enclaves for Splunk to ingest threat enrichment attributes to the indicators associated with security incidents.

Step-2-Sources_Workflows
Step-3-Transformations_Workflows
Splunk Destination Graphic 2
Splunk KV Store
Import Multiple Detection Sets to Splunk

 

Import multiple detection sets with customized expiration from TruSTAR to Splunk KV Stores.

Score, Prioritize, and Enrich Notable Events

 

The TruSTAR Unified App updates a notable event urgency score using normalized scores from intel sources and enriches notable events with structured information found in intel reports about that indicator. Enrichment includes deep links to the individual reports for full context.

Enrich noteable events
Share events
Share Notable Events

 

Use the TruSTAR Unified App to easily share notable events with ISACs or other sharing groups.

Already a TruSTAR customer?

 

Configure Your Splunk SIEM Integration now 

Contact Sales To Get Started