
Forward the MD5 hash to Splunk in Bit9 7.2

Version
7.2.

Topic
This document describes how to forward MD5 hashes from Bit9 Server to Splunk. Beginning in 7.2, we no longer use syslog for Splunk integration and now take advantage of the Bit9 - Splunk App and Splunk Universal Forwarder.

For installation/configuration instructions and additional information on the Splunk integration, see the section "Enabling Splunk to Collect Bit9 Data", page 716 of the Using Bit9 7.2 Guide.


Steps

  1. If not already done, see section "Enabling Splunk to Collect Bit9 Data", page 716 of the Using Bit9 7.2 Guide.
  2. Enable "File Catalog" in the External Analytics tab under Admin > System Config in your Bit9 Console. This forwards the MD5 hash for each file in the file catalog.
  3. File catalog entries appear in Splunk as "eventtype=bit9_fileCatalog". Inside Splunk you can join these catalog events with your other Bit9 events to get the specific data you want.
  4. Alternatively, in our Splunk app under Investigations > File Investigation, you can type in a SHA-256 hash and the matching MD5 and SHA-1 are displayed.
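The join described in step 3, as an added example that is not from the original article or the Bit9 Splunk App: a search that enriches Bit9 file events with the MD5 and SHA-1 recorded in the file catalog, keyed on SHA-256. The eventtype bit9_fileCatalog comes from the article; the eventtype bit9_fileEvent and the field names sha256, md5, sha1, file_name and host are assumptions that must be checked against the app's actual field extractions before use.

```spl
eventtype=bit9_fileEvent
| fields _time host file_name sha256
| join type=left sha256
    [ search eventtype=bit9_fileCatalog
      | fields sha256 md5 sha1
      | dedup sha256 ]
| eval md5=coalesce(md5, "not in catalog"), sha1=coalesce(sha1, "not in catalog")
| table _time host file_name sha256 md5 sha1
```

The left join keeps file events whose hash has not yet been cataloged, so gaps in the catalog feed are visible rather than silently dropped.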


Article Information
Creation Date: 12-17-2015