Topic
This document describes how to forward MD5 hashes from Bit9 Server to Splunk. Beginning in 7.2, we no longer use syslog for Splunk integration; instead, we use the Bit9 - Splunk App and the Splunk Universal Forwarder.
For installation/configuration instructions and additional information, see the page on Splunk and the section "Enabling Splunk to Collect Bit9 Data", page 716 of the Using Bit9 7.2 Guide.
If you have not already done so, see the section "Enabling Splunk to Collect Bit9 Data", page 716 of the Using Bit9 7.2 Guide.
Enabling "File Catalog" within the External Analytics tab in Admin > System Config of your Bit9 Console will provide the MD5 hash from the file catalog.
File catalog data shows up as "eventtype=bit9_fileCatalog" in Splunk. Inside Splunk, you can join the data from these two events to get the specific data you want.
Also, in our Splunk app under Investigations > File Investigation, you can type in a SHA-256 hash and get the MD5 and SHA1 to show up.