Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Are there plans to make the Bit9 Security Platform CIM Compliant?

robert_miller
Path Finder
‎12-31-2015 09:05 AM

Are there any future plans to make this app CIM compliant? We are using the Enterprise Security app which requires all logs to be CIM compliant in order to take full advantage of the ES app.

Reply

robert_miller
Path Finder
‎01-19-2016 06:12 AM

For other people that might be trying to get this to work with Enterprise Security and have the results show up on your Malware dashboard, below is what I have done thus far. I am open to additional suggestions as well.

Because the Bit9 app does not follow Splunk's naming convention, you will need to append the app to the stanza below:

/appl/splunk/etc/apps/SplunkEnterpriseSecuritySuite/local/inputs.conf
[app_imports_update://update_es]
app_regex = (search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)|(bit9-secapp)

Eventtypes - bit9-secapp/local/eventtypes.conf
Because of the limitation with event types and not being able to use pipes or subsearches, I couldn't find a way that would correlate all of the necessary fields. Therefore, I am having to do a search against the Bit9 sourcetype and then send to the index with a new sourcetype "bit9:malware". If anyone has any other suggestions, I am open.

[bit9_malware]
search = index=bit9 sourcetype="bit9:malware"

tags = malware attack

Tags - bit9-secapp/local/tags.conf
[eventtype=bit9_malware]
malware = enabled
attack = enabled

Props - bit9-secapp/local/props.conf
I am not certain on how the action field should be populated just yet because we just installed Bit9. Hopefully, after getting more data into the console and turning on blocking I will see the values I need.

[bit9]

Bit9 CIM Extractions

FIELDALIAS-file_path_for_bit9 = PathName as file_path
FIELDALIAS-file_hash_for_bit9 = FileHash as file_hash
FIELDALIAS-file_name_for_bit9 = FileName as file_name
FIELDALIAS-user_for_bit9 = UserName as user
EVAL-vendor_product = "Bit9"
EVAL-dest_nt_domain = mvindex(split(HostName, "\"),0)
EVAL-action = if(like(GlobalState, "block%"), "blocked", "allowed")
EVAL-dest = HostName
EVAL-dest_ip = HostIP
EVAL-date = strftime(_time,"%Y-%m-%d %H:%M:%S")
EVAL-Sha256 = FileHash

KV Store for File Catalog
If you look at the Bit9 dashboard "File Investigation", it has the setting "latest=now earliest=1" when searching for file hashes. Which means this is running against all time which is fine for now since we just built this index. However, as time progresses this won't be feasible and will slow down our SH. Therefore, I built another search that will collect the results from the file catalog and then put them in a kvstore for quick searching. I ran this search with all time to get the results into the kvstore and then scheduled it to run every 5 minutes. Depending on how long it takes to complete, I might change this to every 10 minutes. I named my kvstore "kvstore_bit9_fileCatalog".

Saved Search outside of the Bit9 app
As I stated above, I had to send the results to a new sourcetype. Below is the search I created that runs every 15 minutes. I opted to create this outside of the Bit9 app because we might push this app to a couple of SHs and I don't want this saved search executing on all SHs. In addition, I haven't figured out if Bit9 is able to capture the signature of the malware. Currently I am using the Category field but I am finding that the values for this field are all "Unknown".

eventtype=bit9_event (EventSubType="Potential risk file detected" OR EventSubType="Malicious file detected") | eval "SHA-256"=FileHash

| lookup kvstore_bit9_fileCatalog FileHash AS FileHash OUTPUT FileSize AS file_size_bytes, Md5 AS MD5, Sha1 AS "SHA-1", Category AS signature, Publisher, TrustValue
| stats latest(date) as date, latest(action) as action, latest(signature) as signature, latest(EventSubType) as EventSubType, latest(user) as user, latest(dest) as dest, latest(dest_ip) as dest_ip, latest(dest_nt_domain) as dest_nt_domain, latest(file_name) as file_name, latest(file_path) as file_path, latest(Publisher) as Publisher, latest(file_size_bytes) as file_size_bytes, latest(file_hash) as file_hash, latest(MD5) as MD5, latest("SHA-1") as "SHA-1", latest("SHA-256") as "SHA-256", latest(TrustValue) as TrustValue, latest(vendor_product) as vendor_product, latest(Bit9Server) as Bit9Server by _time

Reply

mreynov_splunk
Splunk Employee
Splunk Employee
‎01-14-2016 04:35 PM

This Bit9 Splunk support TA is CIM-compliant: https://splunkbase.splunk.com/app/2790/ (It does not have any dashboards though)

0 Karma
Reply

w531t4
Path Finder
‎10-05-2017 02:51 PM

I downvoted this post because wrong product

0 Karma
Reply

splunkadunk5
Explorer
‎12-19-2016 08:03 AM

I downvoted this post because wrong product

0 Karma
Reply

bit9
Path Finder
‎01-14-2016 05:05 PM

I downvoted this post because the answer is referring to the wrong product.

0 Karma
Reply

bit9
Path Finder
‎01-14-2016 05:05 PM

That is not the app that is being referred to by the OP. The app you are referring to is the TA for "Bit9 Carbon Black," which is a different product.

The app that the OP asked about, for "Bit9 Security Platform," is not currently CIM-compliant.

0 Karma
Reply

bit9
Path Finder
‎01-04-2016 09:08 AM

Hello, and thank you for your interest in the Bit9 Security Platform app.

We do plan on making the Bit9 Security Platform app CIM-compliant in the future, but we do not have a timetable for that at the moment.

We appreciate your feedback.

0 Karma
Reply

mmcginnis2
Explorer
‎05-18-2016 12:44 PM

Robert Miller did most of the work for you so modifying the current app to include CIM can be done in a few hours.

Also, please look at splitting the TA out from the App and renaming it to fit the normal conventions that Splunk ES is looking for. It looks gross to have to add your app into the regex field.

These settings as robert.miller mentioned above are located in the SplunkES Suite local/inputs.conf file:
[app_imports_update://update_es]
app_regex = (search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)

0 Karma
Reply

maciep
Champion
‎02-10-2016 06:20 AM

Aside from making it CIM-compliant, it would also be helpful if we could have those index-time, search-time operations available in standalone TA too. ES is supposed to live on a search head by itself, so we don't want to have to install the entire bit9 app (with datamodels and saved searches) on ES. Just need the search time operations (props, transforms, lookups, etc) so that CIM mappings are available to ES.

0 Karma
Reply

Mohammed123
Loves-to-Learn Everything
‎06-26-2024 04:58 AM

Please find below I have done cim compliance for the Bit9 security Platform. This will 90 % will be covering if any one can find more post on this.

props.conf
[bit9]
EVAL-dest_nt_domain = mvindex(split(HostName, "\\"),0)
EVAL-date = strftime(_time,"%Y-%m-%d %H:%M:%S")
EVAL-vendor_product="bit9 carbon black"
EVAL-action=case(like(EventSubType,"%change%"),"modified",like(EventSubType,"%delet%"),"deleted",like(EventSubType,"%,modif%"),"modified",like(EventSubType,"%create%"),"created",like(EventSubType,"%fail%"),"failure",like(EventSubType,"%succe%"),"success",like(EventSubType,"%rest%"),"restarted",like(EventSubType,"%shutdown%"),"shutdown",like(EventSubType,"%start%"),"started",like(EventSubType,"%reset%"),"modified",like(EventSubType,"%login%"),"success",like(EventSubType,"%logout%"),"logoff",like(EventSubType,"%attach%"),"created",like(EventSubType,"%detach%"),"deleted",like(EventSubType,"%upgrade%"),"upgraded",like(EventSubType,"%nstall%"),"created",like(EventSubType,"%uninstall%"),"deleted",like(EventSubType,"%finish%"),"success",like(EventSubType,"%close%"),"success",like(EventSubType,"%logout%"),"logoff",like(EventSubType,"%set%"),"modified",like(EventSubType,"%allow%"),"allowed",like(EventSubType,"%block%"),"blocked",like(EventSubType,"%download%"),"created",like(EventSubType,"%detect%"),"allowed",like(EventSubType,"%found%"),"allowed",like(EventSubType,"%discover%"),"created",like(EventSubType,"%error%"),"error",like(EventSubType,"%writ%"),"allowed",like(EventSubType,"%execut%"),"success",like(EventSubType,"%lost%"),"failure",like(EventSubType,"%add%"),"created",like(EventSubType,"%approve%"),"success",like(EventSubType,"%New%"),"allowed",like(EventSubType,"%update%"),"updated",like(EventSubType,"%upload%"),"created",like(EventSubType,"%clone%"),"created",like(EventSubType,"%regis%"),"created",like(EventSubType,"%New unapproved%"),"allowed",OpType=="0","created",OpType=="1","deleted",OpType=="9","created", OpType=="6","started",OpType=="5","modified",OpType=="2","modified",OpType=="12","deleted",OpType=="7","success",OpType=="11","modified",1==1,success)

FIELDALIAS-filepathname =PathName as file_path
FIELDALIAS-severity=priority as severity
FIELDALIAS-signature=EventSubType as signature
FIELDALIAS-signature_id=EventSubTypeId as signature_id
FIELDALIAS-src=src_ip as src
FIELDALIAS-src_user= UserName as src_user
FIELDALIAS-user= UserName as user
FIELDALIAS-category=EventType as Category
FIELDALIAS-description=OpDescription as description
FIELDALIAS-originalfilname=FileName as original_file_name
FIELDALIAS-process=ProcessPath as process
FIELDALIAS-process_path=ProcessPath as process_path
FIELDALIAS-Process_hash=ProcessHash as process_hash
FIELDALIAS-process_name=ProcessFileName as process_name
FIELDALIAS-process_id=ProcessKey as process_id
FIELDALIAS-command=CommandLine as command
FIELDALIAS-object=Policy as object
FIELDALIAS-object_id=PolicyId as object_id
FIELDALIAS-object_category=Platform as object_category
FIELDALIAS-result=EventSubType as result
FIELDALIAS-dvc=dvc_ip as dvc




#####tags.conf
[eventtype=bit9_malware]
malware = enabled
attack = enabled


[eventtype=bit9_event]
endpoint = enabled
filesystem = enabled


[eventtype=bit9_filesOnComputers]
endpoint = enabled
filesystem = enabled


[eventtype=bit9_event_change]
endpoint = enabled
change = enabled


[eventtype=bit9_event_authentication]
authentication = enabled
success = enabled


#### eventtypes.conf
[bit9_fileCatalog]
search = index=$index_name$ sourcetype=bit9 source=*Metadata*

[bit9_filesOnComputers]
search = index=$index_name$ sourcetype=bit9 source=*NetTrace*

[bit9_event]
search = index=$index_name$ sourcetype=bit9 source=*Event*

[bit9_malware]
search= index=$index_name$ sourcetype=bit9 source=*Event* (EventSubType="Potential risk file detected" OR EventSubType="Malicious file detected")


[bit9_event_change]
search = index=$index_name$ sourcetype=bit9 source=*Event* (action!=allowed OR action!=blocked) OR (EventSubType!="*login*" OR EventSubType!="*logout*")


[bit9_event_authentication]
search = index=$index_name$ sourcetype=bit9 source=*Event* (EventSubType="*login*" OR EventSubType="*logout*")

 

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...