Field Mappings to CIM in the Splunk App for Carbon Black App Control

The Splunk Security Tool requires that data is normalized so that it can be processed and analyzed the same way, regardless of the source. The Splunk App for Carbon Black App Control maps the fields in Carbon Black App Control data analytics output to the Common Information Model (CIM).

See http://www.dmtf.org/standards/cim for more information on the Common Information Model.

The following table shows the CIM mappings in the Splunk App for Carbon Black App Control.

Table 1. Carbon Black App Control Data-to-CIM Mappings in Splunk
Carbon Black App Control Field	CIM Field
HostName	src_nt_host, dest_nt_host, dest, dvc_nt_host
HostIP	src_ip, dest_ip, dvc_ip
FilePath	file_path
FileHash	file_hash, hash
FileName	file_name
FileSize	file_size, size
Message	change_type
EventSubType	action
Timestamp	modtime