Carbon Black Cloud IP displayed in Splunk field for sha256

Article ID: 290045


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Splunk displays an IP address in the "carbon_black_cloud.alert.threat_cause.actor.sha256" field instead of a hash value.

Environment

  • Carbon Black Cloud
  • Enterprise EDR
  • Endpoint Standard Web Console: All Versions

Cause

This is expected behaviour.

Resolution

As per the Developer Network guide, the field "threat_cause_actor_sha256" contains the following information:
"SHA256 or remote IP of the threat cause actor. The actor will be a remote IP when the alert is created from a netconn event"

Additional Information

If it is not displaying an IP or a hash, please contact Carbon Black support with a full screenshot of the issue.
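
Because the field can hold either value, hash lookups and IP correlation downstream should first check which one is present. The following is an added example, not code from Carbon Black or Splunk: it classifies the value of "threat_cause_actor_sha256" as a SHA-256, a remote IP, or neither (the case to raise with support). The output keys actor_kind, actor_sha256 and actor_remote_ip and the sample alerts are assumptions constructed for illustration.

```python
import ipaddress
import re

# A SHA-256 digest is exactly 64 hexadecimal characters.
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def classify_actor(value):
    """Return (kind, normalized); kind is 'sha256', 'ip' or 'unexpected'."""
    text = (value or "").strip()
    if SHA256_RE.fullmatch(text):
        return "sha256", text.lower()
    try:
        # Accepts IPv4 and IPv6 and returns the canonical string form.
        return "ip", str(ipaddress.ip_address(text))
    except ValueError:
        # Neither a hash nor an IP: the case the article says to report.
        return "unexpected", text


def split_actor_field(alert, field="threat_cause_actor_sha256"):
    """Copy the alert and add separate hash / IP keys (hypothetical names)."""
    kind, normalized = classify_actor(alert.get(field))
    out = dict(alert)
    out["actor_kind"] = kind
    out["actor_sha256"] = normalized if kind == "sha256" else None
    out["actor_remote_ip"] = normalized if kind == "ip" else None
    return out


# Constructed sample alerts: the hash is the SHA-256 of empty input and the
# addresses come from documentation-reserved ranges.
SAMPLE_ALERTS = [
    {"id": "A1", "threat_cause_actor_sha256":
        "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"id": "A2", "threat_cause_actor_sha256": "203.0.113.10"},
    {"id": "A3", "threat_cause_actor_sha256": "2001:DB8::1"},
    {"id": "A4", "threat_cause_actor_sha256": "n/a"},
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        result = split_actor_field(alert)
        print(result["id"], result["actor_kind"],
              result["actor_sha256"] or result["actor_remote_ip"])
```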