Splunk Enterprise Security

Are there plans to make the Bit9 Security Platform CIM Compliant?

Path Finder

Are there any future plans to make this app CIM compliant? We are using the Enterprise Security app which requires all logs to be CIM compliant in order to take full advantage of the ES app.

Path Finder

For other people that might be trying to get this to work with Enterprise Security and have the results show up on your Malware dashboard, below is what I have done thus far. I am open to additional suggestions as well.

Because the Bit9 app does not follow Splunk's naming convention, you will need to append the app to the stanza below:

/appl/splunk/etc/apps/SplunkEnterpriseSecuritySuite/local/inputs.conf
[appimportsupdate://updatees]
app_regex = (search)|([ST]A-.)|(Splunk[ST]A.)|(DA-ESS-.)|(SplunkDA-ESS.)|(bit9-secapp)

Eventtypes - bit9-secapp/local/eventtypes.conf
Because of the limitation with event types and not being able to use pipes or subsearches, I couldn't find a way that would correlate all of the necessary fields. Therefore, I am having to do a search against the Bit9 sourcetype and then send the results to the index with a new sourcetype, "bit9:malware". If anyone has any other suggestions, I am open.

[bit9_malware]
search = index=bit9 sourcetype="bit9:malware"
tags = malware attack

Tags - bit9-secapp/local/tags.conf
[eventtype=bit9_malware]
malware = enabled
attack = enabled

Props - bit9-secapp/local/props.conf
I am not certain on how the action field should be populated just yet because we just installed Bit9. Hopefully, after getting more data into the console and turning on blocking I will see the values I need.

[bit9]
# Bit9 CIM Extractions
FIELDALIAS-filepathforbit9 = PathName as file_path
FIELDALIAS-filehashforbit9 = FileHash as file_hash
FIELDALIAS-filenameforbit9 = FileName as file_name
FIELDALIAS-userforbit9 = UserName as user
EVAL-vendor_product = "Bit9"
EVAL-dest_nt_domain = mvindex(split(HostName, "\\"), 0)
EVAL-action = if(like(GlobalState, "block%"), "blocked", "allowed")
EVAL-dest = HostName
EVAL-dest_ip = HostIP
EVAL-date = strftime(_time, "%Y-%m-%d %H:%M:%S")
EVAL-Sha256 = FileHash

KV Store for File Catalog
If you look at the Bit9 dashboard "File Investigation", it has the setting "latest=now earliest=1" when searching for file hashes. That means it is running against all time, which is fine for now since we just built this index. However, as time progresses this won't be feasible and will slow down our SH. Therefore, I built another search that will collect the results from the file catalog and then put them in a kvstore for quick searching. I ran this search over all time to get the results into the kvstore and then scheduled it to run every 5 minutes. Depending on how long it takes to complete, I might change this to every 10 minutes. I named my kvstore "kvstore_bit9fileCatalog".

Saved Search outside of the Bit9 app
As I stated above, I had to send the results to a new sourcetype. Below is the search I created that runs every 15 minutes. I opted to create this outside of the Bit9 app because we might push this app to a couple of SHs and I don't want this saved search executing on all SHs. In addition, I haven't figured out if Bit9 is able to capture the signature of the malware. Currently I am using the Category field but I am finding that the values for this field are all "Unknown".

eventtype=bit9event (EventSubType="Potential risk file detected" OR EventSubType="Malicious file detected")
| eval "SHA-256"=FileHash
| lookup kvstore_bit9fileCatalog FileHash AS FileHash OUTPUT FileSize AS filesizebytes, Md5 AS MD5, Sha1 AS "SHA-1", Category AS signature, Publisher, TrustValue
| stats latest(date) as date, latest(action) as action, latest(signature) as signature, latest(EventSubType) as EventSubType, latest(user) as user, latest(dest) as dest, latest(dest_ip) as dest_ip, latest(dest_nt_domain) as dest_nt_domain, latest(file_name) as file_name, latest(file_path) as file_path, latest(Publisher) as Publisher, latest(filesizebytes) as filesizebytes, latest(file_hash) as file_hash, latest(MD5) as MD5, latest("SHA-1") as "SHA-1", latest("SHA-256") as "SHA-256", latest(TrustValue) as TrustValue, latest(vendor_product) as vendor_product, latest(Bit9Server) as Bit9Server by _time
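As an added example that is not part of the answer above, the Python below applies the same Bit9-to-CIM field mapping as the props.conf EVAL and FIELDALIAS lines to two constructed sample events and then checks which Malware data model fields are still empty. It makes the two edge cases visible that the SPL leaves open: a HostName with no domain separator (mvindex(split(...),0) then returns the host itself) and an event with no GlobalState (if()/like() then falls through to "allowed"). The field list, the sample events and the fallback of signature to EventSubType are this example's assumptions, not the app's.

```python
"""Added example (not from the original post): apply the Bit9 -> CIM Malware
mapping from the props.conf above to constructed events and flag gaps."""
from datetime import datetime, timezone

# Assumed list of Malware data model fields ES needs for a "malware attack" event.
REQUIRED_CIM_FIELDS = ("action", "dest", "file_hash", "file_name",
                       "file_path", "signature", "user", "vendor_product")

# Constructed sample events using the Bit9 field names the post aliases.
SAMPLE_EVENTS = [
    {"_time": 1436540400, "HostName": "CORP\\WS001", "HostIP": "10.0.0.5",
     "UserName": "CORP\\alice", "FileName": "bad.exe",
     "PathName": "c:\\users\\alice\\downloads\\", "FileHash": "a" * 64,
     "GlobalState": "Blocked (Banned)", "Category": "Unknown",
     "EventSubType": "Malicious file detected"},
    # No domain separator and no GlobalState: the props.conf EVALs would copy
    # the whole host into dest_nt_domain and label the action "allowed".
    {"_time": 1436540460, "HostName": "WS002", "HostIP": "10.0.0.6",
     "UserName": "bob", "FileName": "odd.dll", "PathName": "c:\\temp\\",
     "FileHash": "b" * 64, "EventSubType": "Potential risk file detected"},
]


def normalize(event):
    """Return CIM fields for one Bit9 event. Mirrors the EVAL-/FIELDALIAS- lines,
    but reports 'unknown' instead of guessing when GlobalState is absent."""
    host = event.get("HostName", "")
    domain, sep, _ = host.partition("\\")
    state = event.get("GlobalState")
    if state is None:
        action = "unknown"  # SPL if(like(null, ...)) would yield "allowed"
    else:
        action = "blocked" if state.lower().startswith("block") else "allowed"
    # strftime on _time; UTC here, Splunk would use the search head's timezone.
    stamp = datetime.fromtimestamp(event["_time"], timezone.utc)
    return {
        "date": stamp.strftime("%Y-%m-%d %H:%M:%S"),
        "dest": host, "dest_ip": event.get("HostIP"),
        "dest_nt_domain": domain if sep else None,  # None, not the hostname
        "user": event.get("UserName"), "file_name": event.get("FileName"),
        "file_path": event.get("PathName"), "file_hash": event.get("FileHash"),
        "action": action, "vendor_product": "Bit9",
        # Assumption: fall back to EventSubType while Category is all "Unknown".
        "signature": event.get("Category") or event.get("EventSubType"),
    }


def missing_cim_fields(cim):
    """Names of required Malware data model fields that are empty."""
    return [f for f in REQUIRED_CIM_FIELDS if not cim.get(f)]
```

Running normalize() over the second sample shows why events without GlobalState deserve an explicit value rather than the "allowed" default before they are counted on the Malware dashboard.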

Splunk Employee

This Bit9 Splunk support TA is CIM-compliant: https://splunkbase.splunk.com/app/2790/ (It does not have any dashboards though)


Path Finder

I downvoted this post because it refers to the wrong product.


Explorer

I downvoted this post because it refers to the wrong product.


Path Finder

I downvoted this post because the answer is referring to the wrong product.


Path Finder

That is not the app that is being referred to by the OP. The app you are referring to is the TA for "Bit9 Carbon Black," which is a different product.

The app that the OP asked about, for "Bit9 Security Platform," is not currently CIM-compliant.


Path Finder

Hello, and thank you for your interest in the Bit9 Security Platform app.

We do plan on making the Bit9 Security Platform app CIM-compliant in the future, but we do not have a timetable for that at the moment.

We appreciate your feedback.


Explorer

Robert Miller did most of the work for you, so modifying the current app to include CIM can be done in a few hours.

Also, please look at splitting the TA out from the App and renaming it to fit the normal conventions that Splunk ES is looking for. It looks gross to have to add your app into the regex field.

These settings, as robert.miller mentioned above, are located in the SplunkES Suite local/inputs.conf file:
[appimportsupdate://updatees]
app_regex = (search)|([ST]A-.)|(Splunk[ST]A.)|(DA-ESS-.)|(SplunkDA-ESS.)


Champion

Aside from making it CIM-compliant, it would also be helpful if we could have those index-time and search-time operations available in a standalone TA too. ES is supposed to live on a search head by itself, so we don't want to have to install the entire bit9 app (with data models and saved searches) on ES. We just need the search-time operations (props, transforms, lookups, etc.) so that the CIM mappings are available to ES.
