Carbon Black Cloud: Can SHA256 Hashes Be Included With Notification Data Sent to SIEM?

Article ID: 288908

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Is it possible to include the file hash in the notification data sent to a SIEM?

Environment

  • Carbon Black Cloud Console: All versions (formerly Predictive Security Cloud)
  • SIEM subscribed to notifications

Resolution

No, file hashes are not included in the Alert notification data. 

Additional Information

  • The Alert information includes the related Event IDs but not the data within the Events (such as SHA256 hash values).
  • There are multiple hash values associated with each event and multiple events associated with each Alert.
  • The SHA256 value can be pulled with the API, as documented here:
    • Enterprise EDR: https://developer.carbonblack.com/reference/cb-threathunter/latest/universal-binary-store-api/ 
    • Endpoint Standard: https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/
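
The alert-to-event-to-hash fan-out described above can be resolved on the SIEM side by looking up each Event ID and collecting the distinct SHA256 values. The sketch below is an added example, not Carbon Black code: the field names `event_ids` and `hashes`, the sample records, and the `fetch_event` callable (a stand-in for the API lookup documented at the links above) are all assumptions.

```python
import re

# A SHA256 digest is exactly 64 hexadecimal characters.
SHA256_RE = re.compile(r"[0-9a-f]{64}")


def enrich_alert(alert, fetch_event):
    """Return a copy of `alert` with the SHA256 values of its events attached.

    alert       -- dict with an 'event_ids' list (assumed field name)
    fetch_event -- callable(event_id) -> dict or None; hypothetical stand-in
                   for the per-event API lookup
    """
    hashes = set()
    unresolved = []
    for event_id in alert.get("event_ids", []):
        event = fetch_event(event_id)
        if event is None:
            # Event aged out or lookup failed: record it instead of dropping it
            unresolved.append(event_id)
            continue
        # One event can carry several hashes ('hashes' is an assumed field name)
        for value in event.get("hashes", []):
            value = str(value).strip().lower()
            if SHA256_RE.fullmatch(value):  # skip other digest types
                hashes.add(value)
    enriched = dict(alert)  # leave the original notification untouched
    enriched["sha256"] = sorted(hashes)
    enriched["unresolved_event_ids"] = unresolved
    return enriched


# Constructed sample data, not real Carbon Black output
HASH_A = "a" * 64
HASH_B = "b" * 64
SAMPLE_EVENTS = {
    "evt-1": {"hashes": [HASH_A, HASH_B.upper()]},
    "evt-2": {"hashes": [HASH_A, "c" * 32]},  # 32-char value is not a SHA256
}
SAMPLE_ALERT = {"id": "alert-1", "event_ids": ["evt-1", "evt-2", "evt-3"]}

if __name__ == "__main__":
    print(enrich_alert(SAMPLE_ALERT, SAMPLE_EVENTS.get))
```

Keeping `unresolved_event_ids` on the enriched record lets the SIEM distinguish an alert with no hashes from one whose events could not be retrieved.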