The Splunk Security Tool requires that data be normalized so that it can be processed and analyzed in the same way regardless of its source. The Splunk App for Carbon Black App Control maps the fields in Carbon Black App Control data analytics output to the Common Information Model (CIM).

See http://www.dmtf.org/standards/cim for more information on the Common Information Model.

The following table shows the CIM mappings in the Splunk App for Carbon Black App Control.

Table 1. Carbon Black App Control Data-to-CIM Mappings in Splunk

| Carbon Black App Control Field | CIM Field                                        |
|--------------------------------|--------------------------------------------------|
| HostName                       | src_nt_host, dest_nt_host, dest, dvc_nt_host     |
| HostIP                         | src_ip, dest_ip, dvc_ip                          |
| FilePath                       | file_path                                        |
| FileHash                       | file_hash, hash                                  |
| FileName                       | file_name                                        |
| FileSize                       | file_size, size                                  |
| Message                        | change_type                                      |
| EventSubType                   | action                                           |
| Timestamp                      | modtime                                          |
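The mappings in Table 1 can be expressed as Splunk field aliases in props.conf; the fragment below is an added illustration, not the app's own configuration, and the sourcetype name `carbonblack:appcontrol` is an assumption since the page does not give the stanza the app uses.

```conf
# props.conf (added example; stanza name is assumed, not taken from the app)
[carbonblack:appcontrol]

# One source field may feed several CIM fields; FIELDALIAS accepts
# multiple "<orig> AS <alias>" pairs in a single setting.
FIELDALIAS-cim_host   = HostName AS src_nt_host HostName AS dest_nt_host HostName AS dest HostName AS dvc_nt_host
FIELDALIAS-cim_ip     = HostIP AS src_ip HostIP AS dest_ip HostIP AS dvc_ip
FIELDALIAS-cim_path   = FilePath AS file_path
FIELDALIAS-cim_hash   = FileHash AS file_hash FileHash AS hash
FIELDALIAS-cim_name   = FileName AS file_name
FIELDALIAS-cim_size   = FileSize AS file_size FileSize AS size
FIELDALIAS-cim_change = Message AS change_type
FIELDALIAS-cim_action = EventSubType AS action
FIELDALIAS-cim_time   = Timestamp AS modtime

# Aliases are search-time, so a quick coverage check is a search such as:
#   sourcetype=carbonblack:appcontrol | stats count(file_hash) count(action) count(dest) count
# Counts that fall short of the total indicate events where the source
# field was missing and the CIM field was therefore not populated.
```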