For other people who might be trying to get this to work with Enterprise Security and have the results show up on their Malware dashboard, below is what I have done thus far. I am open to additional suggestions as well.
Because the Bit9 app does not follow Splunk's naming convention, you will need to append the app to the stanza below:
appregex = (search)|([ST]A-.)|(Splunk[ST]A.)|(DA-ESS-.)|(SplunkDA-ESS.)|(bit9-secapp)
Eventtypes - bit9-secapp/local/eventtypes.conf
Because of the limitation with event types and not being able to use pipes or subsearches, I couldn't find a way that would correlate all of the necessary fields. Therefore, I am having to do a search against the Bit9 sourcetype and then send the results to the index with a new sourcetype, "bit9:malware". If anyone has any other suggestions, I am open.
search = index=bit9 sourcetype="bit9:malware"
Tags - bit9-secapp/local/tags.conf
malware = enabled
attack = enabled
Props - bit9-secapp/local/props.conf
I am not certain how the action field should be populated just yet because we just installed Bit9. Hopefully, after getting more data into the console and turning on blocking, I will see the values I need.
FIELDALIAS-filepathforbit9 = PathName as filepath
FIELDALIAS-filehashforbit9 = FileHash as filehash
FIELDALIAS-filenameforbit9 = FileName as filename
FIELDALIAS-userforbit9 = UserName as user
EVAL-vendorproduct = "Bit9"
EVAL-destntdomain = mvindex(split(HostName, "\\"),0)
EVAL-action = if(like(GlobalState, "block%"), "blocked", "allowed")
EVAL-dest = HostName
EVAL-destip = HostIP
EVAL-date = strftime(_time,"%Y-%m-%d %H:%M:%S")
EVAL-Sha256 = FileHash
KV Store for File Catalog
If you look at the Bit9 dashboard "File Investigation", it has the setting "latest=now earliest=1" when searching for file hashes, which means it is running against all time. That is fine for now since we just built this index; however, as time progresses this won't be feasible and will slow down our SH. Therefore, I built another search that will collect the results from the file catalog and then put them in a KV store for quick searching. I ran this search over all time to get the results into the KV store and then scheduled it to run every 5 minutes. Depending on how long it takes to complete, I might change this to every 10 minutes. I named my KV store "kvstorebit9fileCatalog".
Saved Search outside of the Bit9 app
As I stated above, I had to send the results to a new sourcetype. Below is the search I created that runs every 15 minutes. I opted to create this outside of the Bit9 app because we might push this app to a couple of SHs and I don't want this saved search executing on all SHs. In addition, I haven't figured out if Bit9 is able to capture the signature of the malware. Currently I am using the Category field but I am finding that the values for this field are all "Unknown".
eventtype=bit9event (EventSubType="Potential risk file detected" OR EventSubType="Malicious file detected") | eval "SHA-256"=FileHash
| lookup kvstorebit9fileCatalog FileHash AS FileHash OUTPUT FileSize AS filesizebytes, Md5 AS MD5, Sha1 AS "SHA-1", Category AS signature, Publisher, TrustValue
| stats latest(date) as date, latest(action) as action, latest(signature) as signature, latest(EventSubType) as EventSubType, latest(user) as user, latest(dest) as dest, latest(destip) as destip, latest(destntdomain) as destntdomain, latest(filename) as filename, latest(filepath) as filepath, latest(Publisher) as Publisher, latest(filesizebytes) as filesizebytes, latest(filehash) as filehash, latest(MD5) as MD5, latest("SHA-1") as "SHA-1", latest("SHA-256") as "SHA-256", latest(TrustValue) as TrustValue, latest(vendorproduct) as vendor_product, latest(Bit9Server) as Bit9Server by _time
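The post above lists the eventtypes.conf, tags.conf and props.conf settings without their stanza headers, and describes the file-catalog KV store without its collection or lookup definition. The following is an added example, not code from the original post or from the Bit9 app, that fills in one workable set of stanzas. It uses the underscored CIM Malware field names (file_path, file_hash, file_name, dest_nt_domain, vendor_product), so a summary search built on it has to reference those names rather than the ones in the post. The TA name TA-bit9, the eventtype names bit9_malware and bit9_file_catalog, the saved-search name, and the assumption that HostName is in DOMAIN\host form are all mine; GlobalState, the catalog field names and the KV store name come from the post.

```ini
# Added example, not code from the original post or from the Bit9 app.
# Assumed names: TA-bit9, bit9_malware, bit9_file_catalog, the saved-search
# title. Assumed data shape: HostName is DOMAIN\host.

# --- TA-bit9/local/eventtypes.conf ---
[bit9_malware]
search = index=bit9 sourcetype="bit9:malware"

# --- TA-bit9/local/tags.conf ---
# The CIM Malware data model constraint is tag=malware tag=attack.
[eventtype=bit9_malware]
malware = enabled
attack = enabled

# --- TA-bit9/local/props.conf ---
[bit9:malware]
FIELDALIAS-bit9_file_path = PathName AS file_path
FIELDALIAS-bit9_file_hash = FileHash AS file_hash
FIELDALIAS-bit9_file_name = FileName AS file_name
FIELDALIAS-bit9_user = UserName AS user
EVAL-vendor_product = "Bit9"
EVAL-dest_ip = HostIP
# "\\" is one backslash inside an SPL string literal; a bare "\" is an
# unterminated string. dest takes the host part, dest_nt_domain the domain
# part, and dest_nt_domain stays null when HostName has no backslash at all
# (otherwise mvindex(..., 0) would report the whole hostname as the domain).
EVAL-dest = mvindex(split(HostName, "\\"), -1)
EVAL-dest_nt_domain = if(isnotnull(mvindex(split(HostName, "\\"), 1)), mvindex(split(HostName, "\\"), 0), null())
EVAL-action = if(like(GlobalState, "block%"), "blocked", "allowed")
EVAL-date = strftime(_time, "%Y-%m-%d %H:%M:%S")

# --- TA-bit9/local/collections.conf --- (the KV store behind the lookup)
[kvstorebit9fileCatalog]
field.FileHash = string
field.FileSize = number
field.Md5 = string
field.Sha1 = string
field.Category = string
field.Publisher = string
field.TrustValue = number
# Index the field the "| lookup" in the summary search matches on.
accelerated_fields.by_hash = {"FileHash": 1}

# --- TA-bit9/local/transforms.conf --- (lookup definition for "| lookup")
[kvstorebit9fileCatalog]
external_type = kvstore
collection = kvstorebit9fileCatalog
fields_list = _key, FileHash, FileSize, Md5, Sha1, Category, Publisher, TrustValue

# --- savedsearches.conf (kept outside the TA, as the post does) ---
# Setting _key = FileHash makes each run update existing records instead of
# appending duplicates; a 15-minute window on a 5-minute schedule tolerates
# events that arrive late.
[Bit9 - Refresh file catalog KV store]
search = eventtype=bit9_file_catalog | dedup FileHash | eval _key=FileHash | fields _key FileHash FileSize Md5 Sha1 Category Publisher TrustValue | outputlookup kvstorebit9fileCatalog append=true
cron_schedule = */5 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
```

Two checks after deploying: `sourcetype="bit9:malware" | table dest dest_nt_domain file_hash file_name file_path action user vendor_product` confirms the aliases and evals resolve, and `| datamodel Malware Malware_Attacks search | head 5` confirms the tags pull the events into the data model that the ES Malware dashboard reads. Packaging the search-time settings as TA-bit9 also means the app name already matches the `[ST]A-.` alternative of the ES appregex quoted above, so the regex does not need to be edited.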
That is not the app that is being referred to by the OP. The app you are referring to is the TA for "Bit9 Carbon Black," which is a different product.
The app that the OP asked about, for "Bit9 Security Platform," is not currently CIM-compliant.
Hello, and thank you for your interest in the Bit9 Security Platform app.
We do plan on making the Bit9 Security Platform app CIM-compliant in the future, but we do not have a timetable for that at the moment.
We appreciate your feedback.
Robert Miller did most of the work for you, so modifying the current app to include CIM can be done in a few hours.
Also, please look at splitting the TA out from the App and renaming it to fit the normal conventions that Splunk ES is looking for. It looks gross to have to add your app into the regex field.
These settings, as robert.miller mentioned above, are located in the Splunk ES Suite local/inputs.conf file:
appregex = (search)|([ST]A-.)|(Splunk[ST]A.)|(DA-ESS-.)|(SplunkDA-ESS.)
Aside from making it CIM-compliant, it would also be helpful if we could have those index-time, search-time operations available in standalone TA too. ES is supposed to live on a search head by itself, so we don't want to have to install the entire bit9 app (with datamodels and saved searches) on ES. Just need the search time operations (props, transforms, lookups, etc) so that CIM mappings are available to ES.