Does the Splunk Add-on for Bit9 Carbon Black format the CB JSON md5 field to either Malware.file_hash or Email.file_hash? hPer the Carbon Black (CB) API reference and JSON response example, the CB JSON response I see within Splunk is correct. However, I don't see that CB Bit9 field being normalized to Splunk Common Information Model (CIM). Is supposed to do this or not? I would be surprised if it did not as Splunk Enterprise Security would also need the md5 field normalized to x.file_hash as well.
I will have to ask our Splunk contacts to find out if this is the right mapping. We don't publish the Splunk Add-On (TA), just the Splunk App for Cb Response (DA-ESS-CbResponse). Since Cb tracks benign as well as malicious files, I don't know if automatically mapping all md5s to Malware.file_hash would break other pieces of Enterprise Security.
Thanks! The file hash could safely be mapped to Email.file_hash or maybe Change Analysis though as that's merely an event and nothing else. The Malware data model would imply that its malware and it simply may not be. After the Email/Change Analysis, then Splunk ES or our app, could make the correlation between the file_hash and anything malicious.