The Splunk Security Tool requires that data be normalized so that it can be processed and analyzed the same way regardless of its source. The Splunk App for Carbon Black App Control maps the fields in Carbon Black App Control data analytics output to the Common Information Model (CIM).
See http://www.dmtf.org/standards/cim for more information on the Common Information Model.
The following table shows the CIM mappings in the Splunk App for Carbon Black App Control.
| Carbon Black App Control Field | CIM Field |
|---|---|
| HostName | src_nt_host, dest_nt_host, dest, dvc_nt_host |
| HostIP | src_ip, dest_ip, dvc_ip |
| FilePath | file_path |
| FileHash | file_hash, hash |
| FileName | file_name |
| FileSize | file_size, size |
| Message | change_type |
| EventSubType | action |
| Timestamp | modtime |
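As an added illustration (not the app's own configuration), the following props.conf stanza shows how a mapping like the one in the table is declared in Splunk with search-time field aliases, including the cases where one source field feeds several CIM fields. The sourcetype name `carbonblack:appcontrol` is an assumption; the app's actual props.conf defines the real one.

```ini
# Added example, not taken from the Splunk App for Carbon Black App Control.
# The sourcetype below is assumed; substitute the one the app actually uses.
[carbonblack:appcontrol]

# FIELDALIAS is applied at search time; the original field stays available
# and each "<source> AS <alias>" pair creates one additional CIM field.
FIELDALIAS-cb_host    = HostName AS src_nt_host HostName AS dest_nt_host HostName AS dest HostName AS dvc_nt_host
FIELDALIAS-cb_hostip  = HostIP AS src_ip HostIP AS dest_ip HostIP AS dvc_ip
FIELDALIAS-cb_file    = FilePath AS file_path FileName AS file_name
FIELDALIAS-cb_hash    = FileHash AS file_hash FileHash AS hash
FIELDALIAS-cb_size    = FileSize AS file_size FileSize AS size
FIELDALIAS-cb_change  = Message AS change_type
FIELDALIAS-cb_action  = EventSubType AS action
FIELDALIAS-cb_time    = Timestamp AS modtime
```

A quick way to confirm the aliases resolve is a search such as `sourcetype=carbonblack:appcontrol | table HostName src_nt_host dest FileHash file_hash hash`, which should show the CIM columns populated alongside the originals.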