Auth Event Schema - 1.0.0


Introduction

The Carbon Black Cloud Data Forwarder emits a set of common fields for every authentication event that occurs on Windows endpoints. The reporting of Windows authentication events supplements the reporting of process events, which enables the correlation of authentication and process activity and yields more context-rich threat hunting and incident response.

Resources

Data Types

Find more detail on the data types here.

Fields

Field Name Definition Datatype
alert_id ID of the alert(s) associated with the process or event. String[]
attack_tactic A tactic from the MITRE ATT&CK framework; defines a reason for an adversary’s action, such as achieving credential access String
attack_technique A technique from the MITRE ATT&CK framework; defines an action an adversary takes to accomplish a goal, such as dumping credentials to achieve credential access String
attack_tid
Allows searching for a specific combination of MITRE ATT&CK tactic and technique; use the format tactic:technique.subtechnique
String
auth_cleartext_credentials_logon True if the logon attempt occurred using cleartext credentials; false if the logon attempt occurred using encrypted credentials Boolean
auth_credential_provider The logon process that validated the credentials in Event ID 4611. Common processes include Winlogon, Schannell, KSecDD, Secondary Logon Service (runas), IKE, HTTP.SYS, SspTest, dsRole, DS Replication CredProvConsent (user account control) String
auth_daemon_logon Identifies if the logon attempt is attributed to a service (Windows) or daemon (macOS/Linux) Boolean
auth_domain_name Domain name of the user the authentication event is attributed to String
auth_elevated_token_logon True if the logon attempt occurred using an elevated token; false if the logon attempt occurred without the use of an elevated token Boolean
auth_event_action Action that results from an authentication attempt String
auth_failed_logon_count Number of failed logon attempts since last successful logon Integer
auth_failure_reason Only used with ACTION_LOGON_FAILED event. The fields are documented at https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 String
auth_failure_status Only used with ACTION_LOGON_FAILED event. The fields are documented at https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 String
auth_failure_sub_status Hexadecimal code that identifies the logon failure reason String
auth_impersonation_level Values are:
IMPERSONATION_INVALID
IMPERSONATION_NONE - Default, No impersonation
IMPERSONATION_ANONYMOUS - Security Anonymous: The server cannot impersonate or identify the client.
IMPERSONATION_CLIENT - Security Identification: The server can get the identity and privileges of the client, but cannot impersonate the client.
IMPERSONATION_LOCAL_ONLY - Security Impersonation: The server can impersonate the client’s security context on the local system.
IMPERSONATION_LOCAL_OR_REMOTE - Security Delegation: The server can impersonate the client’s security context on remote systems
String
auth_interactive_logon True if the logon attempt was interactive; false if the logon attempt was non-interactive Boolean
auth_key_length For non-kerberos authentication this is the length of the key used to secure the authentication channel Integer
auth_last_failed_logon_time Time of last failed logon String
auth_linked_logon_id When UAC (User Account Control) is enabled and an administrator logs on there are 2 logon sessions created, one with admin privileges and a split token without. This is the linked LUID in 00000000-00000000 format. String
auth_logon_id Locally unique identifier of the user the authentication event is attributed to. Unique per logon session per machine String
auth_logon_type Identifies the logon type initiated by the authentication connection Integer
auth_package Populated for Event id 4610 Events and identifies the authorization package that was loaded String
auth_package_version The version of the authorization package identified in auth_package that was used String
auth_privileges Privilege(s) assigned to the logon session String[]
auth_remote_device Name of the remote device the remote authentication attempt is made from String
auth_remote_ipv4 IP address of the remote device the remote authentication attempt is made from String
auth_remote_ipv6 Where the user was when they logged on - remote ip v6 address String
auth_remote_location Where the user was when they logged on in this format; city, region, country String
auth_remote_logon True if the logon attempt was remote; false if the logon attempt was local Boolean
auth_remote_port Port number the remote authentication attempt is made from Integer
auth_restricted_admin_logon True if the logon attempt occurred using Restricted Admin mode for Remote Desktop Connection; false if the logon attempt occurred without the use of Restricted Admin Mode Boolean
auth_server The server name that authenticated the logon String
auth_user_id Security ID (SID) of the user on a Windows machine. SID is a unique value of variable length used to identify a trustee (security principal) String
auth_user_principal_name User Principal Name (UPN) of the user associated with the authentication event String
auth_username Name of the user the authentication event is attributed to String
auth_virtual_account_logon True if the logon attempt occurred using a virtual account; false if the logon attempt occurred without the use of a virtual account Boolean
backend_timestamp Timestamp when the Carbon Black Cloud processed and enabled the data for searching; occurs after ingress_time; may differ from device_timestamp by a few minutes due to asynchronous processing ISO 8601 UTC timestamp
device_external_ip IP address of the endpoint according to the Carbon Black Cloud; can differ from device_internal_ip due to network proxy or NAT; either IPv4 (dotted decimal notation) or IPv6 (proprietary format documented below) String
device_group Sensor group to which the endpoint was assigned when the sensor recorded the event data String
device_group_id ID assigned to the device_group by Carbon Black Cloud; will match on the ad_group_id on the Devices API Integer
device_id ID assigned to the endpoint by Carbon Black Cloud; unique across all Carbon Black Cloud environments String
device_installed_by The Carbon Black Cloud user who was logged in to the endpoint when the sensor was installed (e.g. pat.malarkey@email.com, DOMAIN\pmalarkey or pmalarkey) String
device_internal_ip IP address of the endpoint reported by the sensor; either IPv4 (dotted decimal notation) or IPv6 (proprietary format, documented below) String
device_location The endpoint’s current location relative to the organization’s network, based on the current IP address and the device’s registered DNS domain suffix String
device_name Hostname of the endpoint recorded by the sensor when last initialized String
device_os The operating system of the endpoint String
device_os_version The operating system and version of the endpoint

Requires Windows CBC sensor version 3.5 or later
String
device_policy Policy applied to the endpoint in the Carbon Black Cloud String
device_policy_id ID assigned to the device_policy by the Carbon Black Cloud Integer
device_target_priority The “Target value” configured in the policy assigned to the sensor

Requires Endpoint Standard
String
device_timestamp Sensor-reported timestamp of the batch of events in which this record was submitted to Carbon Black Cloud ISO 8601 UTC timestamp
event_id Unique event identifier assigned by the Carbon Black Cloud String
filemod_count Count of filemod events reported by the sensor since last initialization

Requires Enterprise EDR
Integer
modload_count Count of modload events reported by the sensor since last initialization

Requires Enterprise EDR
Integer
netconn_count Count of netconn events reported by the sensor since last initialization

Requires Enterprise EDR
Integer
org_key Unique alphanumeric string that identifies your organization in the Carbon Black Cloud String
parent_cmdline Command line of the parent process String
parent_cmdline_length Character count of the parent process' command line Integer
parent_effective_reputation Effective reputation of the parent process; applied by the sensor when the event occurred String
parent_effective_reputation_source Source of the effective reputation for the parent process String
parent_guid Unique process identifier assigned to the parent process String
parent_hash MD5 and/or SHA-256 hash of the parent process binary String[]
parent_issuer Certificate authority, signing authority or company that issued the certificate for the binary that is executed by the parent process String[]
parent_name Filesystem path of the parent process binary String
parent_pid Identifier assigned by the operating system to the parent process Integer
parent_product_name Product name embedded in the portable executable header of the binary for the parent process. Windows only. String
parent_publisher[]
.name
Publisher name(s) on the certificate(s) used to sign the Windows or macOS binary of the parent process. Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the process as reported by the endpoint Object
parent_publisher[]
.state
See above Object
parent_reputation Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud String
parent_username The user context in which the parent process was executed String
process_cmdline Command line executed by the actor process String
process_cmdline_length Character count of the actor process command line Integer
process_company_name Company name embedded in the portable executable header of the Windows process binary

Requires Windows CBC sensor and Enterprise EDR
String
process_container_pid Container process identifier assigned by the operating system; can be multi-valued in case of fork() or exec() process operations on Linux Integer
process_duration Duration of the process (in milliseconds); available after sensor reports the process has terminated; equal to (process_end_time - process_start_time) Integer
process_effective_reputation Effective reputation of the actor process; applied by the sensor when the event occurred String
process_effective_reputation_source Source of the effective reputation for the actor process String
process_elevated “True” if the process was running with elevated privileges; not present if “False”

Requires Windows CBC sensor version 3.5 or later and Enterprise EDR
Boolean
process_end_time Sensor timestamp when the process terminated; available after sensor reports the process has terminated (only for processes whose start times the sensor captured) String
process_file_description File description embedded in the portable executable header of the Windows process binary

Requires Windows CBC sensor and Enterprise EDR
String
process_guid Unique process identifier for the actor process String
process_hash MD5 and/or SHA-256 hash of the actor process binary; order may vary when two hashes are reported String[]
process_integrity_level Windows Mandatory Integrity Control (MIC) level of the process

Requires Windows CBC sensor version 3.5 or later and Enterprise EDR
String
process_internal_name Internal name embedded in the portable executable header of the Windows process binary

Requires Windows CBC sensor and Enterprise EDR
String
process_issuer Certificate authority, signing authority or company that issued the certificate for the binary that is executed by the process String[]
process_loaded_script_hash SHA-256 hash(es) of any script loaded from the filesystem through the duration of the process; compare with fileless_scriptload_hash

Requires Endpoint Standard
String[]
process_loaded_script_name Filesystem path(s) of any script content loaded from the filesystem through the duration of the process; compare with fileless_scriptload_cmdline, scriptload_content

Requires Endpoint Standard
String[]
process_name Filesystem path of the actor process binary! String
process_original_filename Original filename embedded in the portable executable header of the Windows process binary

Requires Windows CBC sensor and Enterprise EDR
String
process_pid Process identifier assigned by the operating system; can be multi-valued in case of fork() or exec() process operations on Linux and macOS Integer
process_privileges Windows privileges associated wth the process (see Microsoft documentation for complete list privilege-constants)

Requires Windows CBC sensor version 3.5 or later and Enterprise EDR
String[]
process_product_name Product name embedded in the portable executable header of the Windows process binary

Requires Windows CBC sensor and Enterprise EDR
String
process_product_version Product version embedded in the portable executable header of the Windows process binary

Requires Windows CBC sensor and Enterprise EDR
String
process_publisher[]
.name
Publisher name(s) on the certificate(s) used to sign the Windows or macOS binary of the parent process. Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the process as reported by the endpoint Object
process_publisher[]
.state
See above Object
process_reputation Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud String
process_sha256 SHA-256 hash of the actor process binary String
process_start_time Sensor reported timestamp of when the process started; not available for processes running before the sensor starts String
process_username User context in which the actor process was executed.
MacOS - all users for the PID for fork() and exec() transitions,
Linux - process user for exec() events, but in a future sensor release can be multi-valued due to setuid()"
String
regmod_count Count of regmod events reported by the sensor since last initialization

Requires Enterprise EDR
Integer
scriptload_count Count of scriptload events across all processes reported by the sensor since last initialization

Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR
Integer
sensor_action An action performed by the sensor on the process String
sensor_version Version of the sensor installed on the device String
ttp Patterns of behavior (i.e. tactics, techniques, procedures) associated with specific threat actor(s) attributed to events of the process String[]
type The Auth Event type auth.event.logonop String
version The version of the schema being emitted. e.g. 2.0.0 String
windows_event_id Identifier of the Windows event type, specified by Windows OS Integer

Last modified on February 26, 2024