Splunk Enterprise Security

Does the Splunk Add-on for Bit9 Carbon Black format the CB JSON md5 field to either Malware.file_hash or Email.file_hash?

gsopkoTC
Path Finder

Does the Splunk Add-on for Bit9 Carbon Black format the CB JSON md5 field to either Malware.file_hash or Email.file_hash? Per the Carbon Black (CB) API reference and JSON response example, the CB JSON response I see within Splunk is correct. However, I don't see that CB Bit9 field being normalized to the Splunk Common Information Model (CIM). Is it supposed to do this or not? I would be surprised if it did not, as Splunk Enterprise Security would also need the md5 field normalized to x.file_hash as well.

0 Karma

carbonblack
Path Finder

I will have to ask our Splunk contacts to find out if this is the right mapping. We don't publish the Splunk Add-On (TA), just the Splunk App for Cb Response (DA-ESS-CbResponse). Since Cb tracks benign as well as malicious files, I don't know if automatically mapping all md5s to Malware.file_hash would break other pieces of Enterprise Security.

0 Karma

gsopkoTC
Path Finder

Thanks! The file hash could safely be mapped to Email.file_hash or maybe Change Analysis though, as that's merely an event and nothing else. The Malware data model would imply that it's malware, and it simply may not be. After the Email/Change Analysis, Splunk ES or our app could then make the correlation between the file_hash and anything malicious.

0 Karma
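As an added illustration (not part of the thread, the Carbon Black add-on or the Cb Response app), here is a local Splunk configuration that aliases the Cb `md5` field to the CIM `file_hash` field and tags those events for the Change Analysis model rather than Malware, which is the approach the thread leans toward. The sourcetype name, eventtype name and tag value are assumptions and need to be checked against the installed add-on and CIM version.

```ini
# props.conf in a local app (constructed example; replace the placeholder
# sourcetype with the one the Carbon Black add-on assigns to its JSON events)
[cb_sourcetype_PLACEHOLDER]
# Expose the raw CB "md5" field under the CIM name without renaming the original,
# so existing searches on md5 keep working and CIM searches on file_hash succeed
FIELDALIAS-cb_file_hash = md5 AS file_hash

# eventtypes.conf: select only events that actually carry a file hash
[cb_file_observation]
search = sourcetype=cb_sourcetype_PLACEHOLDER md5=*

# tags.conf: tag for the Change Analysis data model (assumed tag name), not the
# Malware model, because Cb records benign as well as malicious file observations
# and a malware tag would imply a verdict the event does not carry
[eventtype=cb_file_observation]
change = enabled
```

To confirm the alias and tag took effect, search `eventtype=cb_file_observation tag=change | table md5 file_hash` and check that both columns are populated with the same value.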