
Anyone else see that Bit9 Carbon Black aliases CIM fields incorrectly?

marand
Explorer

Hi all

We recently enabled some telemetry on our CbR agents. This means we now receive type:netconn events.
A netconn event turns out to be a kind of mix of the dns/domain and traffic sourcetypes. Everything is tagged for the Traffic DM.

So we added an alias to map the "domain" field from the netconn event as "query" and tagged the netconn events containing a "domain" value with the correct Network Resolution constraint tags; and voilà, the Network Resolution DM gets populated. Threat Activity works.

But that made me look at the other fields... and... obvious aliases are missing, and some are even plain wrong in some cases.

Some quick examples:

Consider the following "dns" events:

index="carbonblack" sourcetype="bit9:carbonblack:json" netconn AND NOT domain=""

These are with a direction=outbound. Setting aside that they are not tagged for Network Resolution by default (one could argue this is kind of correct), some aliases are missing, such as src_ip and src_port, even though they are part of the raw log. Technically we don't need them for either the DNS DM or the Traffic DM, but there is no reason not to have them.

That's a minor issue and fixable.

However, looking at netconn inbound events is where the whole thing is a mess:

index=carbonblack sourcetype=bit9:carbonblack:json event_type=netconn AND direction=inbound

Here the aliases have not been flipped to account for the direction being inbound.
remote_* values in the raw log are being aliased to "dest_*". Since this is an INBOUND event, the mapping should of course be remote_* -> src_* and local_* -> dest_*, since the local machine is the destination.

Can anyone confirm that this is what they also are seeing?

We plan on fixing this ourselves, but we feel that this should be fixed by the TA devs, because there are a lot of changes that need to be done.

br
Marc

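As an added example (not code from the post or from the Bit9/Carbon Black TA), the direction-aware mapping the post argues for, run over two constructed CbR-style netconn events: outbound with a domain, inbound without one. The raw field names (type, direction, local_ip/local_port, remote_ip/remote_port, domain, protocol) are assumptions based on what the post describes; check them against what your agents actually emit. The static alias function reproduces the behaviour being complained about so the two can be compared.

```python
# Added example: direction-aware CIM normalisation of Carbon Black Response
# netconn events. Not the TA's own code; raw field names are assumed.
import json

# Constructed sample events, shaped like the netconn records the post describes.
OUTBOUND_DNS = json.dumps({
    "type": "netconn", "direction": "outbound", "protocol": 17,
    "local_ip": "10.0.0.5", "local_port": 51234,
    "remote_ip": "192.0.2.53", "remote_port": 53,
    "domain": "updates.example.com",
})
INBOUND_RDP = json.dumps({
    "type": "netconn", "direction": "inbound", "protocol": 6,
    "local_ip": "10.0.0.5", "local_port": 3389,
    "remote_ip": "203.0.113.7", "remote_port": 49152,
    "domain": "",
})


def alias_as_shipped(ev):
    """The static alias the post complains about: local_* -> src_* and
    remote_* -> dest_* regardless of direction."""
    return {"src_ip": ev.get("local_ip"), "src_port": ev.get("local_port"),
            "dest_ip": ev.get("remote_ip"), "dest_port": ev.get("remote_port")}


def normalize_netconn(raw):
    """Map one raw netconn JSON event to CIM fields. src/dest are chosen by
    direction (the local host is the destination of an inbound connection),
    and Network Resolution fields/tags are set only when a domain is present."""
    ev = json.loads(raw)
    if ev.get("type") != "netconn":
        raise ValueError("not a netconn event")
    direction = str(ev.get("direction", "")).lower()
    if direction == "outbound":
        src, dest = "local", "remote"
    elif direction == "inbound":
        src, dest = "remote", "local"
    else:
        raise ValueError(f"unexpected direction {direction!r}")
    cim = {
        "src_ip": ev.get(f"{src}_ip"), "src_port": ev.get(f"{src}_port"),
        "dest_ip": ev.get(f"{dest}_ip"), "dest_port": ev.get(f"{dest}_port"),
        "direction": direction,
        # protocol number -> CIM transport; assumed numeric in the raw event
        "transport": {6: "tcp", 17: "udp"}.get(ev.get("protocol")),
        "tag": ["network", "communicate"],  # Network Traffic DM constraint tags
    }
    if ev.get("domain"):
        cim["query"] = ev["domain"]
        cim["tag"] += ["dns", "resolution"]  # Network Resolution DM constraint tags
    return cim


def shipped_alias_is_wrong(raw):
    """True when the static alias disagrees with the direction-aware mapping,
    which is the case for every inbound event."""
    ev = json.loads(raw)
    return alias_as_shipped(ev)["src_ip"] != normalize_netconn(raw)["src_ip"]


if __name__ == "__main__":
    for raw in (OUTBOUND_DNS, INBOUND_RDP):
        print(json.dumps(normalize_netconn(raw)),
              "static alias wrong:", shipped_alias_is_wrong(raw))
```

The same flip expressed in the TA's own terms is a calculated field in props.conf rather than a FIELDALIAS, e.g. `EVAL-src_ip = if(direction=="inbound", remote_ip, local_ip)` and the mirror image for dest_ip and the ports, with the Network Resolution tags attached through an eventtype that requires a non-empty domain.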

marand
Explorer

We fixed the whole thing ourselves. Switched around some fields, removed some cruft and mapped netconn eventtypes that have a domain to the Network Resolution datamodel.

Next up: process execution mapping to the Change Analysis datamodel (file_name, file_hash, etc.)
