Back to Blogs

New Alert Fields for the CBC Event Forwarder

Posted on August 12, 2020


We are happy to announce some additional alert fields for the Event Forwarder Configuration API. The tables below provide the new field names and descriptions of each.

New Common Alert Fields

Field Name Description
device_internal_ip IP address of the endpoint as reported by the sensor. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”)
device_external_ip IP address of the endpoint from the perspective of the Carbon Black Cloud. Can differ from device_internal_ip due to network proxy or NAT. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”)
device_uem_id “Unified Endpoint Management” identifier assigned by VMware Workspace ONE Intelligence, only populated if the Workspace ONE integration is configured. Unique across Carbon Black Cloud in GUID format (e.g. “FC3992EE-A8CD-5AD5-AC6D-A477490456E4”)

New Watchlist Alert fields

Field Name Description
report_id Id of the report that generated a hit on the process
report_name Name of the report that generated a hit on the process
process_path Tokenized path of the process’ binary