Splunk Enterprise Security

Does the Splunk Add-on for Bit9 Carbon Black format the CB JSON md5 field to either Malware.file_hash or Email.file_hash?

gsopkoTC
Path Finder

Does the Splunk Add-on for Bit9 Carbon Black format the CB JSON md5 field to either Malware.file_hash or Email.file_hash? hPer the Carbon Black (CB) API reference and JSON response example, the CB JSON response I see within Splunk is correct. However, I don't see that CB Bit9 field being normalized to Splunk Common Information Model (CIM). Is supposed to do this or not? I would be surprised if it did not as Splunk Enterprise Security would also need the md5 field normalized to x.file_hash as well.

0 Karma

carbonblack
Path Finder

I will have to ask our Splunk contacts to find out if this is the right mapping. We don't publish the Splunk Add-On (TA), just the Splunk App for Cb Response (DA-ESS-CbResponse). Since Cb tracks benign as well as malicious files, I don't know if automatically mapping all md5s to Malware.file_hash would break other pieces of Enterprise Security.

0 Karma

gsopkoTC
Path Finder

Thanks! The file hash could safely be mapped to Email.file_hash or maybe Change Analysis though as that's merely an event and nothing else. The Malware data model would imply that its malware and it simply may not be. After the Email/Change Analysis, then Splunk ES or our app, could make the correlation between the file_hash and anything malicious.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.