Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Does the Splunk Add-on for Bit9 Carbon Black format the CB JSON md5 field to either Malware.file_hash or Email.file_hash?

gsopkoTC
Path Finder
‎03-15-2017 01:20 PM

Does the Splunk Add-on for Bit9 Carbon Black format the CB JSON md5 field to either Malware.file_hash or Email.file_hash? hPer the Carbon Black (CB) API reference and JSON response example, the CB JSON response I see within Splunk is correct. However, I don't see that CB Bit9 field being normalized to Splunk Common Information Model (CIM). Is supposed to do this or not? I would be surprised if it did not as Splunk Enterprise Security would also need the md5 field normalized to x.file_hash as well.

0 Karma
Reply

carbonblack
Path Finder
‎03-20-2017 06:43 AM

I will have to ask our Splunk contacts to find out if this is the right mapping. We don't publish the Splunk Add-On (TA), just the Splunk App for Cb Response (DA-ESS-CbResponse). Since Cb tracks benign as well as malicious files, I don't know if automatically mapping all md5s to Malware.file_hash would break other pieces of Enterprise Security.

0 Karma
Reply

gsopkoTC
Path Finder
‎03-20-2017 07:02 AM

Thanks! The file hash could safely be mapped to Email.file_hash or maybe Change Analysis though as that's merely an event and nothing else. The Malware data model would imply that its malware and it simply may not be. After the Email/Change Analysis, then Splunk ES or our app, could make the correlation between the file_hash and anything malicious.

0 Karma
Reply
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...
Top