Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Does the Splunk Add-on for Bit9 Carbon Black format the CB JSON md5 field to either Malware.file_hash or Email.file_hash?

gsopkoTC
Path Finder
‎03-15-2017 01:20 PM

Does the Splunk Add-on for Bit9 Carbon Black format the CB JSON md5 field to either Malware.file_hash or Email.file_hash? hPer the Carbon Black (CB) API reference and JSON response example, the CB JSON response I see within Splunk is correct. However, I don't see that CB Bit9 field being normalized to Splunk Common Information Model (CIM). Is supposed to do this or not? I would be surprised if it did not as Splunk Enterprise Security would also need the md5 field normalized to x.file_hash as well.

0 Karma
Reply

carbonblack
Path Finder
‎03-20-2017 06:43 AM

I will have to ask our Splunk contacts to find out if this is the right mapping. We don't publish the Splunk Add-On (TA), just the Splunk App for Cb Response (DA-ESS-CbResponse). Since Cb tracks benign as well as malicious files, I don't know if automatically mapping all md5s to Malware.file_hash would break other pieces of Enterprise Security.

0 Karma
Reply

gsopkoTC
Path Finder
‎03-20-2017 07:02 AM

Thanks! The file hash could safely be mapped to Email.file_hash or maybe Change Analysis though as that's merely an event and nothing else. The Malware data model would imply that its malware and it simply may not be. After the Email/Change Analysis, then Splunk ES or our app, could make the correlation between the file_hash and anything malicious.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...