Splunk Enterprise Security

Are there plans to make the Bit9 Security Platform CIM Compliant?

robert_miller
Path Finder

Are there any future plans to make this app CIM compliant? We are using the Enterprise Security app which requires all logs to be CIM compliant in order to take full advantage of the ES app.

robert_miller
Path Finder

For other people that might be trying to get this to work with Enterprise Security and have the results show up on your Malware dashboard, below is what I have done thus far. I am open to additional suggestions as well.

Because the Bit9 app does not follow Splunk's naming convention, you will need to append the app to the stanza below:

/appl/splunk/etc/apps/SplunkEnterpriseSecuritySuite/local/inputs.conf
[app_imports_update://update_es]
app_regex = (search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)|(bit9-secapp)

Eventtypes - bit9-secapp/local/eventtypes.conf
Because of the limitation with event types and not being able to use pipes or subsearches, I couldn't find a way that would correlate all of the necessary fields. Therefore, I am having to do a search against the Bit9 sourcetype and then send to the index with a new sourcetype "bit9:malware". If anyone has any other suggestions, I am open.

[bit9_malware]
search = index=bit9 sourcetype="bit9:malware"

tags = malware attack

Tags - bit9-secapp/local/tags.conf
[eventtype=bit9_malware]
malware = enabled
attack = enabled

Props - bit9-secapp/local/props.conf
I am not certain on how the action field should be populated just yet because we just installed Bit9. Hopefully, after getting more data into the console and turning on blocking I will see the values I need.

[bit9]

Bit9 CIM Extractions

FIELDALIAS-file_path_for_bit9 = PathName as file_path
FIELDALIAS-file_hash_for_bit9 = FileHash as file_hash
FIELDALIAS-file_name_for_bit9 = FileName as file_name
FIELDALIAS-user_for_bit9 = UserName as user
EVAL-vendor_product = "Bit9"
EVAL-dest_nt_domain = mvindex(split(HostName, "\"),0)
EVAL-action = if(like(GlobalState, "block%"), "blocked", "allowed")
EVAL-dest = HostName
EVAL-dest_ip = HostIP
EVAL-date = strftime(_time,"%Y-%m-%d %H:%M:%S")
EVAL-Sha256 = FileHash

KV Store for File Catalog
If you look at the Bit9 dashboard "File Investigation", it has the setting "latest=now earliest=1" when searching for file hashes. Which means this is running against all time which is fine for now since we just built this index. However, as time progresses this won't be feasible and will slow down our SH. Therefore, I built another search that will collect the results from the file catalog and then put them in a kvstore for quick searching. I ran this search with all time to get the results into the kvstore and then scheduled it to run every 5 minutes. Depending on how long it takes to complete, I might change this to every 10 minutes. I named my kvstore "kvstore_bit9_fileCatalog".

Saved Search outside of the Bit9 app
As I stated above, I had to send the results to a new sourcetype. Below is the search I created that runs every 15 minutes. I opted to create this outside of the Bit9 app because we might push this app to a couple of SHs and I don't want this saved search executing on all SHs. In addition, I haven't figured out if Bit9 is able to capture the signature of the malware. Currently I am using the Category field but I am finding that the values for this field are all "Unknown".

eventtype=bit9_event (EventSubType="Potential risk file detected" OR EventSubType="Malicious file detected") | eval "SHA-256"=FileHash

| lookup kvstore_bit9_fileCatalog FileHash AS FileHash OUTPUT FileSize AS file_size_bytes, Md5 AS MD5, Sha1 AS "SHA-1", Category AS signature, Publisher, TrustValue
| stats latest(date) as date, latest(action) as action, latest(signature) as signature, latest(EventSubType) as EventSubType, latest(user) as user, latest(dest) as dest, latest(dest_ip) as dest_ip, latest(dest_nt_domain) as dest_nt_domain, latest(file_name) as file_name, latest(file_path) as file_path, latest(Publisher) as Publisher, latest(file_size_bytes) as file_size_bytes, latest(file_hash) as file_hash, latest(MD5) as MD5, latest("SHA-1") as "SHA-1", latest("SHA-256") as "SHA-256", latest(TrustValue) as TrustValue, latest(vendor_product) as vendor_product, latest(Bit9Server) as Bit9Server by _time

mreynov_splunk
Splunk Employee
Splunk Employee

This Bit9 Splunk support TA is CIM-compliant: https://splunkbase.splunk.com/app/2790/ (It does not have any dashboards though)

0 Karma

w531t4
Path Finder

I downvoted this post because wrong product

0 Karma

splunkadunk5
Explorer

I downvoted this post because wrong product

0 Karma

bit9
Path Finder

I downvoted this post because the answer is referring to the wrong product.

0 Karma

bit9
Path Finder

That is not the app that is being referred to by the OP. The app you are referring to is the TA for "Bit9 Carbon Black," which is a different product.

The app that the OP asked about, for "Bit9 Security Platform," is not currently CIM-compliant.

0 Karma

bit9
Path Finder

Hello, and thank you for your interest in the Bit9 Security Platform app.

We do plan on making the Bit9 Security Platform app CIM-compliant in the future, but we do not have a timetable for that at the moment.

We appreciate your feedback.

0 Karma

mmcginnis2
Explorer

Robert Miller did most of the work for you so modifying the current app to include CIM can be done in a few hours.

Also, please look at splitting the TA out from the App and renaming it to fit the normal conventions that Splunk ES is looking for. It looks gross to have to add your app into the regex field.

These settings as robert.miller mentioned above are located in the SplunkES Suite local/inputs.conf file:
[app_imports_update://update_es]
app_regex = (search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)

0 Karma

maciep
Champion

Aside from making it CIM-compliant, it would also be helpful if we could have those index-time, search-time operations available in standalone TA too. ES is supposed to live on a search head by itself, so we don't want to have to install the entire bit9 app (with datamodels and saved searches) on ES. Just need the search time operations (props, transforms, lookups, etc) so that CIM mappings are available to ES.

0 Karma

Mohammed123
Loves-to-Learn Everything

Please find below I have done cim compliance for the Bit9 security Platform. This will 90 % will be covering if any one can find more post on this.

props.conf
[bit9]
EVAL-dest_nt_domain = mvindex(split(HostName, "\\"),0)
EVAL-date = strftime(_time,"%Y-%m-%d %H:%M:%S")
EVAL-vendor_product="bit9 carbon black"
EVAL-action=case(like(EventSubType,"%change%"),"modified",like(EventSubType,"%delet%"),"deleted",like(EventSubType,"%,modif%"),"modified",like(EventSubType,"%create%"),"created",like(EventSubType,"%fail%"),"failure",like(EventSubType,"%succe%"),"success",like(EventSubType,"%rest%"),"restarted",like(EventSubType,"%shutdown%"),"shutdown",like(EventSubType,"%start%"),"started",like(EventSubType,"%reset%"),"modified",like(EventSubType,"%login%"),"success",like(EventSubType,"%logout%"),"logoff",like(EventSubType,"%attach%"),"created",like(EventSubType,"%detach%"),"deleted",like(EventSubType,"%upgrade%"),"upgraded",like(EventSubType,"%nstall%"),"created",like(EventSubType,"%uninstall%"),"deleted",like(EventSubType,"%finish%"),"success",like(EventSubType,"%close%"),"success",like(EventSubType,"%logout%"),"logoff",like(EventSubType,"%set%"),"modified",like(EventSubType,"%allow%"),"allowed",like(EventSubType,"%block%"),"blocked",like(EventSubType,"%download%"),"created",like(EventSubType,"%detect%"),"allowed",like(EventSubType,"%found%"),"allowed",like(EventSubType,"%discover%"),"created",like(EventSubType,"%error%"),"error",like(EventSubType,"%writ%"),"allowed",like(EventSubType,"%execut%"),"success",like(EventSubType,"%lost%"),"failure",like(EventSubType,"%add%"),"created",like(EventSubType,"%approve%"),"success",like(EventSubType,"%New%"),"allowed",like(EventSubType,"%update%"),"updated",like(EventSubType,"%upload%"),"created",like(EventSubType,"%clone%"),"created",like(EventSubType,"%regis%"),"created",like(EventSubType,"%New unapproved%"),"allowed",OpType=="0","created",OpType=="1","deleted",OpType=="9","created", OpType=="6","started",OpType=="5","modified",OpType=="2","modified",OpType=="12","deleted",OpType=="7","success",OpType=="11","modified",1==1,success)

FIELDALIAS-filepathname =PathName as file_path
FIELDALIAS-severity=priority as severity
FIELDALIAS-signature=EventSubType as signature
FIELDALIAS-signature_id=EventSubTypeId as signature_id
FIELDALIAS-src=src_ip as src
FIELDALIAS-src_user= UserName as src_user
FIELDALIAS-user= UserName as user
FIELDALIAS-category=EventType as Category
FIELDALIAS-description=OpDescription as description
FIELDALIAS-originalfilname=FileName as original_file_name
FIELDALIAS-process=ProcessPath as process
FIELDALIAS-process_path=ProcessPath as process_path
FIELDALIAS-Process_hash=ProcessHash as process_hash
FIELDALIAS-process_name=ProcessFileName as process_name
FIELDALIAS-process_id=ProcessKey as process_id
FIELDALIAS-command=CommandLine as command
FIELDALIAS-object=Policy as object
FIELDALIAS-object_id=PolicyId as object_id
FIELDALIAS-object_category=Platform as object_category
FIELDALIAS-result=EventSubType as result
FIELDALIAS-dvc=dvc_ip as dvc




#####tags.conf
[eventtype=bit9_malware]
malware = enabled
attack = enabled


[eventtype=bit9_event]
endpoint = enabled
filesystem = enabled


[eventtype=bit9_filesOnComputers]
endpoint = enabled
filesystem = enabled


[eventtype=bit9_event_change]
endpoint = enabled
change = enabled


[eventtype=bit9_event_authentication]
authentication = enabled
success = enabled


#### eventtypes.conf
[bit9_fileCatalog]
search = index=$index_name$ sourcetype=bit9 source=*Metadata*

[bit9_filesOnComputers]
search = index=$index_name$ sourcetype=bit9 source=*NetTrace*

[bit9_event]
search = index=$index_name$ sourcetype=bit9 source=*Event*

[bit9_malware]
search= index=$index_name$ sourcetype=bit9 source=*Event* (EventSubType="Potential risk file detected" OR EventSubType="Malicious file detected")


[bit9_event_change]
search = index=$index_name$ sourcetype=bit9 source=*Event* (action!=allowed OR action!=blocked) OR (EventSubType!="*login*" OR EventSubType!="*logout*")


[bit9_event_authentication]
search = index=$index_name$ sourcetype=bit9 source=*Event* (EventSubType="*login*" OR EventSubType="*logout*")

 

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...