New Alert Fields for the CBC Event Forwarder

Posted on August 12, 2020


We are happy to announce some additional alert fields for the Event Forwarder Configuration API. The tables below provide the new field names and descriptions of each.

All field information can be found in the Event Forwarder Data Mapping Guide.

New Common Alert Fields

| Field Name | Description |
| --- | --- |
| device_internal_ip | IP address of the endpoint as reported by the sensor. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”) |
| device_external_ip | IP address of the endpoint from the perspective of the Carbon Black Cloud. Can differ from device_internal_ip due to network proxy or NAT. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”) |
| device_uem_id | “Unified Endpoint Management” identifier assigned by VMware Workspace ONE Intelligence, only populated if the Workspace ONE integration is configured. Unique across Carbon Black Cloud in GUID format (e.g. “FC3992EE-A8CD-5AD5-AC6D-A477490456E4”) |

New Watchlist Alert Fields

| Field Name | Description |
| --- | --- |
| report_id | ID of the report that generated a hit on the process |
| report_name | Name of the report that generated a hit on the process |
| process_path | Tokenized path of the process's binary |
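
A consumer-side sketch of how the new fields can be normalized before they reach a SIEM. This is an added example, not code from the original post or from the Event Forwarder itself. It assumes each forwarded alert arrives as a JSON object and that IPv6 values look like the eight-group sample shown in the table; the function names and the sample alert are constructed for illustration.

```python
import ipaddress
import json
import uuid

# Constructed sample alert: field names come from the tables, values are illustrative.
SAMPLE_ALERT = json.dumps({
    "device_internal_ip": "10.0.103.101",
    "device_external_ip": "62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726",
    "device_uem_id": "FC3992EE-A8CD-5AD5-AC6D-A477490456E4",
    "report_id": "constructed-report-id",
    "report_name": "Constructed report",
})


def parse_ip(value):
    """Return an IPv4Address/IPv6Address, or None if absent or malformed."""
    if not isinstance(value, str):
        return None
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def parse_uem_id(value):
    """Return the GUID in canonical lowercase form, or None if absent or invalid."""
    if not isinstance(value, str):
        return None
    try:
        return str(uuid.UUID(value))
    except ValueError:
        return None


def normalize_alert(raw):
    """Parse one forwarded alert (JSON text) and normalize the new fields."""
    alert = json.loads(raw)
    internal = parse_ip(alert.get("device_internal_ip"))
    external = parse_ip(alert.get("device_external_ip"))
    return {
        "internal_ip": str(internal) if internal is not None else None,
        "external_ip": str(external) if external is not None else None,
        # The sensor's view and the cloud's view differ behind a proxy or NAT.
        "behind_nat_or_proxy": None not in (internal, external) and internal != external,
        "uem_id": parse_uem_id(alert.get("device_uem_id")),
        "watchlist_hit": (alert.get("report_id"), alert.get("report_name")),
    }
```

Normalizing both addresses to one canonical string form lets a downstream correlation rule join alerts on IP without being thrown off by leading zeros or letter case.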