Event Search Fields API for Enterprise EDR
Carbon Black Cloud Enterprise EDR (Endpoint Detection and Response) is the new name for the product formerly called CB ThreatHunter.
Version: v1
You may continue to use the information on this page, but the latest field documentation can be found here.
Event Search Fields
This page describes fields that can be used for searching, with following additional information:
-
‘Data type’ describes type of data returned. Special type ‘tokenized’ indicates that it is a string that is tokenized and can be searched through partial phrase. If type is followed by [], it means that field contains array of elements
-
‘Returned’ indicates that given field will be returned in the search results. If not, given field can only be used in search, but will not be returned as part of the result
-
‘Searchable’ indicates that field can be searched. Some fields can only be searched, while some will only be returned on search results
-
‘Supports Facets’ indicates that the field can be used for faceting expressions
| Field Name | Data Type | Returned | Searchable | Supports Facets | Description |
|---|---|---|---|---|---|
| event_guid | string | Yes | Yes | Yes | a globally unique identifier for this event document |
| process_guid | string | Yes | Yes | Yes | process guid representing the process that this event belongs to |
| event_type | string | Yes | Yes | Yes | event type, one of: filemod, netconn, regmod, modload, crossproc, childproc |
| event_timestamp | date | Yes | Yes | Yes | timestamp of the event on the device |
| backend_timestamp | date | Yes | Yes | Yes | timestamp for when the process was ingested by the backend |
| created_timestamp | date | Yes | Yes | Yes | timestamp for when the event document was created |
| sensor_action | string | Yes | Yes | Yes | associated action (if any) that sensor took on this operation, one of: ACTION_TERMINATE and ACTION_BLOCK |
| alert_id | string | Yes | Yes | Yes | id of the alert associated with this event |
| ttp | string[] | Yes | Yes | Yes | list of TTPs associated with this event |
| legacy | boolean | Yes | Yes | Yes | true if this event comes from the CbD data stream |
| legacy_description | tokenized string | Yes | Yes | Yes | description for events that come from the CbD data stream |
| filemod_md5 | string | Yes | Yes | Yes | md5 of the actor that modified the file |
| filemod_sha256 | string | Yes | Yes | Yes | sha256 of the actor that modified the file |
| filemod_name | filepath | Yes | Yes | Yes | path for the file that was modified |
| filemod_action | string | Yes | Yes | Yes | action associated with the file operation, one or more of ACTION_INVALID, ACTION_FILE_CREATE, ACTION_FILE_WRITE, ACTION_FILE_DELETE, ACTION_FILE_LAST_WRITE, ACTION_FILE_MOD_OPEN, ACTION_FILE_RENAME, ACTION_FILE_UNDELETE, ACTION_FILE_TRUNCATE, ACTION_FILE_OPEN_READ, ACTION_FILE_OPEN_WRITE, ACTION_FILE_OPEN_DELETE, ACTION_FILE_OPEN_EXECUTE, ACTION_FILE_READ |
| netconn_protocol | string | Yes | Yes | Yes | protocol of the network connection |
| netconn_remote_ipv4 | int | Yes | Yes | Yes | ipv4 the event connected to |
| netconn_remote_ipv6 | string | Yes | Yes | Yes | ipv6 the event connected to |
| netconn_remote_port | int | Yes | Yes | Yes | port that the event connected to |
| netconn_local_ipv4 | int | Yes | Yes | Yes | ipv4 of the process making the network connection |
| netconn_local_ipv6 | string | Yes | Yes | Yes | ipv6 of the process making the network connection |
| netconn_local_port | int | Yes | Yes | Yes | port of the process making the network connection |
| netconn_domain | domainpath | Yes | Yes | Yes | domain name (targed FQDN) related to the outbound network connection of the process (if available) |
| netconn_inbound | boolean | Yes | Yes | Yes | true if the connection was an outbound connection |
| netconn_location | string | Yes | Yes | Yes | Geolocation of the remote network connection. Geolocation is tokenized to contain City, Region/State and Country |
| netconn_action | string | Yes | Yes | Yes | action associated with the registry operation, one or more of: ACTION_CONNECTION_CREATE, ACTION_CONNECTION_CLOSE, ACTION_CONNECTION_ESTABLISHED, ACTION_CONNECTION_CREATE_FAILED, ACTION_CONNECTION_LISTEN |
| regmod_name | filepath | Yes | Yes | Yes | registry modifications by this event |
| regmod_new_name | filepath | Yes | Yes | Yes | new name of registry key in case of the rename |
| regmod_action | string | Yes | Yes | Yes | action associated with the registry operation, one or more of: ACTION_INVALID, ACTION_CREATE_KEY, ACTION_WRITE_VALUE, ACTION_DELETE_KEY, ACTION_DELETE_VALUE, ACTION_RENAME_KEY, ACTION_RESTORE_KEY, ACTION_REPLACE_KEY, ACTION_SET_SECURITY |
| modload_name | filepath | Yes | Yes | Yes | modules loaded by this event |
| modload_md5 | string | Yes | Yes | Yes | md5 for the modules loaded |
| modload_sha256 | string | Yes | Yes | Yes | sha256 for the modules loaded |
| modload_reputation | string | Yes | Yes | Yes | reputation for the modules loaded |
| modload_action | string | Yes | Yes | Yes | action associated with the modload operation, for now can only be: ACTION_LOAD_MODULE |
| modload_publisher | string | Yes | Yes | Yes | publisher that signed this module, if any |
| modload_publisher_state | string | Yes | Yes | Yes | Set of states associated with the publisher of the module. Can be combination of FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED |
| scriptload_name | filepath | Yes | Yes | Yes | script loaded by this event |
| scriptload_md5 | string | Yes | Yes | Yes | md5 for the script loaded |
| scriptload_sha256 | string | Yes | Yes | Yes | sha256 for the script loaded |
| scriptload_reputation | string | Yes | Yes | Yes | reputation for the script loaded |
| scriptload_publisher | string | Yes | Yes | Yes | publisher that signed this script, if any |
| scriptload_publisher_state | string | Yes | Yes | Yes | Set of states associated with the publisher of the script. Can be combination of FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED |
| crossproc_target | boolean | Yes | Yes | Yes | true if this crossproc event document is a target of a crossproc |
| crossproc_action | string | Yes | Yes | Yes | cross-process action that was recorded for the process, one or more of: ACTION_DUP_PROCESS_HANDLE, ACTION_OPEN_THREAD_HANDLE, ACTION_DUP_THREAD_HANDLE, ACTION_CREATE_REMOTE_THREAD, ACTION_API_CALL |
| crossproc_name | filepath | Yes | Yes | Yes | path of this side of the crossproc event |
| crossproc_md5 | string | Yes | Yes | Yes | md5 of this side of the crossproc event |
| crossproc_sha256 | string | Yes | Yes | Yes | sha256 of this side of the crossproc event |
| crossproc_reputation | string | Yes | Yes | Yes | reputation of this side of the crossproc event |
| crossproc_process_guid | string | Yes | Yes | Yes | process guid of this side of the crossproc event |
| crossproc_api | string | Yes | Yes | Yes | system function called by the actor, if any |
| childproc_process_guid | string | Yes | Yes | Yes | process guid for the child process |
| childproc_md5 | string | Yes | Yes | Yes | md5 for the child process |
| childproc_sha256 | string | Yes | Yes | Yes | sha256 for the child process |
| childproc_name | filepath | Yes | Yes | Yes | path of the child process |
| childproc_reputation | string | Yes | Yes | Yes | reputation of the child process |
| childproc_cmdline | cmdpath | Yes | Yes | Yes | cmdlines for the child process |
| childproc_username | user_context | Yes | Yes | Yes | usernames for the child process |
| childproc_modload_count | int | Yes | Yes | Yes | number of modloads made by the child process |
| childproc_filemod_count | int | Yes | Yes | Yes | number of filemods made by the child process |
| childproc_regmod_count | int | Yes | Yes | Yes | number of regmods made by the child process |
| childproc_netconn_count | int | Yes | Yes | Yes | number of netconns made by the child process |
| childproc_childproc_count | int | Yes | Yes | Yes | number of childprocs made by the child process |
| childproc_crossproc_target_count | int | Yes | Yes | Yes | number of crossproc targets made by the child process |
| childproc_crossproc_actor_count | int | Yes | Yes | Yes | number of crossproc actors made by the child process |
Last modified on January 1, 0001