
Carbon Black TA and Cb Response App: Parsed field names don't match app dashboards?

TonyLeeVT
Builder

Hello, our admins have the following app and TA installed per the integration video's instructions; however, the field names do not seem to be aligned between the app and TA:

  • Carbon Black TA (Technology Add-on) - this will allow Splunk to parse the events sent via the Cb Response Event Forwarder (above)
  • Cb Response App for Splunk - provides dashboards, workflow actions, and more to help visualize and explore Carbon Black data

For example, in the Cb Response Endpoint Status dashboard, the "Total Agents Seen" timeline is powered by the following search:

`cb` earliest=-7h |timechart dc(computer_name) |streamstats max("Total Agents Seen") as "Max Agents Seen"

The timeline is blank because computer_name does not appear as a field. Instead, it seems as though HostName is the parsed field name for us?

Similarly the Process Timeline dashboard is powered by the following search:

`cb` process_guid="$proc_guid$" | timechart span=30m count by type

But we do not see a field called process_guid.

If it helps, our field names look like the following:
ABId
ABState
BanName
Bit9Server
change_type
CLVersion
CommandLine
DetachedPublisher
EventParam1
EventParam2
EventParam3
EventParam4
EventSubType

Most of our field names do not use an underscore, they are instead camel case.

0 Karma
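As an added example (not from this thread or from Carbon Black's apps): a small Python check that pulls the field names a dashboard search references out of the SPL and compares them with the fields actually parsed, which is the diagnostic the post does by hand. The two searches and the field list are the ones quoted above; the SPL parsing is a deliberately simple set of regexes that only covers the constructs in those searches.

```python
import re
from collections import Counter

# Dashboard searches quoted in the post above (the `cb` macro is left in place).
DASHBOARD_SEARCHES = {
    "Total Agents Seen": '`cb` earliest=-7h |timechart dc(computer_name) '
                         '|streamstats max("Total Agents Seen") as "Max Agents Seen"',
    "Process Timeline": '`cb` process_guid="$proc_guid$" | timechart span=30m count by type',
}

# Field names the poster listed (their partial list, copied as given).
PARSED_FIELDS = ["ABId", "ABState", "BanName", "Bit9Server", "change_type", "CLVersion",
                 "CommandLine", "DetachedPublisher", "EventParam1", "EventParam2",
                 "EventParam3", "EventParam4", "EventSubType"]

# Tokens that look like fields in SPL but are commands, options or macros.
SPL_NOISE = {"timechart", "streamstats", "span", "count", "by", "as", "dc", "max",
             "earliest", "latest", "cb"}
IDENT = r"([A-Za-z_][A-Za-z0-9_]*)"

def referenced_fields(spl):
    """Return the field names a search references: key=value filters,
    arguments of stats functions such as dc(x), and 'by <field>' clauses."""
    fields = set()
    fields.update(re.findall(r"\b" + IDENT + r"\s*=", spl))              # process_guid="..."
    fields.update(re.findall(r"\b(?:dc|count|max|min|sum|avg|values)\(" + IDENT + r"\)", spl))
    fields.update(re.findall(r"\bby\s+" + IDENT, spl))                   # count by type
    return fields - SPL_NOISE

def missing_fields(spl, available):
    """Fields the search needs that are not among the parsed fields, sorted."""
    return sorted(referenced_fields(spl) - set(available))

def naming_style(name):
    """Classify a field name so a convention mismatch (snake_case vs CamelCase) stands out."""
    if "_" in name:
        return "snake_case"
    if name[:1].isupper() and any(c.islower() for c in name):
        return "CamelCase"
    return "other"

def style_summary(fields):
    """Count the naming styles present in a field list, e.g. {'CamelCase': 12, 'snake_case': 1}."""
    return Counter(naming_style(f) for f in fields)

if __name__ == "__main__":
    for name, spl in DASHBOARD_SEARCHES.items():
        print(name, "missing:", missing_fields(spl, PARSED_FIELDS))
    print("parsed field styles:", dict(style_summary(PARSED_FIELDS)))
```

Run against a fuller field list (for example the output of `fieldsummary` exported from Splunk) the same check tells you, per dashboard panel, which fields the app expects and your sourcetype does not provide.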

dbroggy
Path Finder

Catch 22 - if you go with the Cb Protect app from Carbon Black, you don't get CIM compliant tags, so it won't likely work with Enterprise Security. At least there's no mention that the Cb Protect app is CIM compliant.

0 Karma

mstjohn_splunk
Splunk Employee

Hi @TonyLeeVT - Did one of the answers below help provide a solution to your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma

carbonblack
Path Finder

Hi @TonyLeeVT, the fields you're referencing are from Cb Protection (the former Bit9 product), but you're using the Cb Response App for Splunk.

You want the Cb Protection App for Splunk which is available here: https://splunkbase.splunk.com/app/1790/

Hope this helps!

0 Karma

deepashri_123
Motivator

Hey @TonyLeeVT,

Can you give some details about your environment? Also where have you installed the TA?
This link describes where the TA has to be added in the case of a distributed environment:
http://docs.splunk.com/Documentation/AddOns/released/Bit9CarbonBlack/Install

Let me know if this helps!!!

0 Karma