Process Search Fields API for Enterprise EDR

WARNING: This is a legacy document, please view the latest version here.

Carbon Black Cloud Enterprise EDR (Endpoint Detection and Response) is the new name for the product formerly called CB ThreatHunter.

Process search fields

This page describes fields that can be used for searching, with following additional information:

  1. Data type describes type of data returned. Special type tokenized indicates that it is a string that is tokenized and can be searched by a partial phrase. If type is followed by [], it means that field contains an array of elements.

  2. Returned indicates that the given field will be returned in the search results. If not, given field can only be used as a query term, but will not be returned as part of the result

  3. DocValues indicates that the given field is stored as docvalues, and can be sorted on. In addition, if field is not marked as “returned”, but has docvalues, it can be returned through the explicit fl=field_name Solr syntax

  4. Searchable indicates that field can be searched. Some fields can only be used as a query term, while others will only be returned in search results

  5. Supports Facets indicates that the field can be used for faceting expressions

Field Name Data Type Returned DocValues Searchable Supports Facets Description
document_guid string Yes No Yes Yes Unique id of solr document. Built as process_guid+server-side timestamp in epoch ms (1/1/1970 based)
process_guid string Yes Yes Yes Yes Unique id of process (same as document_guid above but without the timestamp suffix).
parent_guid string Yes No Yes No process_guid of parent process
backend_timestamp date No Yes Yes No Time when backend received the batch of events in this document, based on backend’s clock. ISO 8601 formatted time string based on UTC
org_id string Yes Yes Yes Yes Globally unique organization key (will likely be Carbon Black Cloud organization id + environment id or some other unique token used across environments)
legacy boolean Yes No Yes No True if process document came from the legacy data stream
ttp string[] No Yes Yes Yes Patterns of behavior (i.e., tactics, techniques, procedures) associated with a specific threat actor or group of threat actors
alert_id string[] Yes No Yes No Alert IDs associated with the process
sensor_action string[] Yes No Yes No Sensor actions associated with the process. This field is set only if one of the following actions have been performed: BLOCK (child process execution was blocked by the CB Sensor), TERMINATE (process was terminated by the CB Sensor)
blocked_hash string[] Yes No Yes No Hashes of child processes blocked by the CB Sensor
device_id long Yes Yes Yes Yes Device id that is guaranteed to be unique within each Carbon Black Cloud environment, which is a set of organizations
device_name string Yes Yes Yes Yes Name of device
device_external_ip string No Yes Yes No IP address of the host (as reported by the backend - could be different than self_reported_device_ip due to proxying, NATing, etc.). Can be either IPv4 or IPv6
device_os string No Yes Yes Yes OS Type of device (Windows/OSX/Linux)
device_group string No Yes Yes Yes Policy group where device belongs
device_group_id string No Yes Yes Yes Id of policy group where device belongs
device_timestamp date Yes Yes Yes No Time seen on sensor, based on sensor’s clock. ISO 8601 formatted time string based on UTC
device_internal_ip string No Yes No No IP address of the host (as reported by the host). Can be either IPv4 or IPv6
process_terminated boolean Yes No Yes No True if process was terminated
process_reputation string No Yes Yes No Reputation of given process as provided by the CDC
process_effective_reputation string No Yes Yes No Reputation of given process as calculated by the sensor.
parent_reputation string No Yes Yes No Reputation of parent process as provided by the CDC
modload_count ¹ int Yes Yes Yes No Cumulative counts of module loads since process tracking started
filemod_count ¹ int Yes Yes Yes No Cumulative counts of file modifications since process tracking started
regmod_count ¹ int Yes Yes Yes No Cumulative counts of registry modifications since process tracking started
netconn_count ¹ int Yes Yes Yes No Cumulative counts of network connections since process tracking started
childproc_count ¹ int Yes Yes Yes No Cumulative counts of child process creations since process tracking started
crossproc_count ¹ int Yes Yes Yes No Cumulative counts of cross-process events since process tracking started
process_pid int[] Yes No Yes No PID of a process. Can be multi-valued in case of exec/fork on Linux/OSX
parent_pid int Yes No Yes No PID of parent process
process_publisher_state string[] No No Yes No Certificate signature state as string (from protobuf)
process_publisher tokenized[] No No Yes No Certificate signer names
process_product_version tokenized[] No No Yes No Product version associated with the process executable (from the binary resource)
process_original_filename tokenized[] No No Yes No Original file name of the process executable (from the binary resource)
process_file_description tokenized[] No No Yes No File description of the process executable (from the binary resource)
process_product_name tokenized[] No No Yes No Product name associated with the process executable (from the binary resource)
process_name tokenized Yes Yes Yes Yes Tokenized file path of the process' main module
parent_name tokenized No Yes Yes Yes Tokenized file path of the parent process' main module
process_hash string[] Yes Yes Yes Yes MD5 and SHA-256 hashes of process' main module
parent_hash string[] No Yes Yes No MD5 and SHA-256 hashes of parent process' main module
process_cmdline tokenized[] No Yes Yes No Cmdlines related to process. It uses special tokenization algorithm
process_username string[] Yes Yes Yes No Usernames related to process. It uses special tokenization algorithm
hash string[] No No Yes No Aggregate set of all MD5 and SHA-256 hashes associated with the process (process_hash, childproc_hash, crossproc_hash, filemod_hash and hash of the modload event) - useful for searching by hash
childproc_name tokenized[] No No Yes No Tokenized file path of the child process' main module
childproc_hash string[] No No Yes No MD5 and SHA-256 hashes of child process' main module
crossproc_name tokenized[] No No Yes No Tokenized file paths of the main module of the other processes from the crossproc action
crossproc_hash string[] No No Yes No MD5 and SHA-256 hashes of the main module of the other processes from the crossproc action
crossproc_action string No No Yes No Type of crossproc actions, as defined in protobuf schema
crossproc_target boolean No No Yes No True if the process was a target of the crossproc action. False if it was an actor.
crossproc_api string No No Yes No Name of system API call made by the process. API calls will in some cases have a target
filemod_hash string[] No No Yes No MD5 and SHA-256 hashes of the files modified by the process
filemod_name tokenized[] No No Yes No Tokenized paths of the files modified by the process
modload_name tokenized[] No No Yes No Tokenized paths of the modules loaded by the process
scriptload_path tokenized[] No No Yes No Tokenized paths of the scripts loaded by the process
regmod_name tokenized[] No No Yes No Tokenized paths of the registry keys modified by the process
netconn_port int No No Yes No Port of the network connection attempted by the process (remote port for outgoing connection, local port for incoming connection)
netconn_ipv4 tokenized No No Yes Yes IPv4 address related to the network connection of the process as integer, so that it can be easily filtered by range
netconn_ipv6 tokenized No No Yes Yes IPv6 address related to the network connection of the process as strings
netconn_domain tokenized No No Yes No Domain name (target FQDN) related to the outbound network connection of the process (if available)
netconn_inbound boolean No No Yes No True if the network connection was inbound. False if the network connection was outbound.
netconn_failed boolean No No Yes No True if the network connection attempt failed. If successful, this field is not set
netconn_location tokenized No No No No Geo location of the remote network connection. Geo location is tokenized to contain City, Region/State and Country
report_id int No No Yes No Id of the report that tagged the process
report_watchlist_id int[] No No Yes No Id of the watchlists related to the report that tagged the process
report_severity int No No Yes No Severity of the report that tagged the process [1..10]
watchlist_hit string[] Yes Yes No No Aggregated values of other report tag fields in following format: “<report_watchlist_id>:<report_id>:<report_severity>”. There will be one value for each watchlist hit.

Notes:

  • ¹ Counts are from either process start or discovery time. Also, the sensor doesn’t persist this info on restart. Therefore, counts will start back from zero if sensor is restarted.

Special String Field Values

Some search fields can have only specific values and they should be treated as ‘enums’

Reputation

Fields: process_reputation, parent_reputation

Reputation level from CDC. Possible values:

  • UNKNOWN
  • COMPROMISED
  • DLP
  • IGNORE
  • TRUSTED_WHITE_LIST
  • ADAPTIVE_WHITE_LIST
  • PUP
  • ADWARE
  • HEURISTIC
  • SUSPECT_MALWARE
  • KNOWN_MALWARE
  • ADMIN_RESTRICTED
  • COMPANY_BLACK_LIST
  • NOT_LISTED
  • COMMON_WHITE_LIST
  • COMPANY_GREY_LIST
  • NOT_COMPANY_WHITE_LIST
  • COMPANY_WHITE_LIST

Cross-process Action

Fields: crossproc_action

Cross-process action that was recorded for the process. Possible values:

  • ACTION_DUP_PROCESS_HANDLE - Process has initiated cross-process process handle duplication in the target process
  • ACTION_OPEN_THREAD_HANDLE - Process has initiated cross-process thread handle open in the target process
  • ACTION_DUP_THREAD_HANDLE - Process has initiated cross-process thread handle duplication in the target process
  • ACTION_CREATE_REMOTE_THREAD - Process has initiated remote thread creation in the target process

Publisher States

Fields: process_publisher_state State of one or more of the publishers associated with the main module of the process

Field is of type Integer containing OR-ed flags that indicate signature state. Possible values:

  • 1 - FILE_SIGNATURE_STATE_SIGNED - File is signed but signature is not guaranteed to be valid
  • 2 - FILE_SIGNATURE_STATE_VERIFIED - the signature is valid, signed will always be set
  • 4 - FILE_SIGNATURE_STATE_NOT_SIGNED - File is not signed
  • 8 - FILE_SIGNATURE_STATE_UNKNOWN - Initial state of all files, is also used when signature verification does not succeed
  • 16 - FILE_SIGNATURE_STATE_CHAINED - The signature chains to a locally trusted root certificate
  • 32 - FILE_SIGNATURE_STATE_TRUSTED - Signature state is Trusted
  • 64 - FILE_SIGNATURE_STATE_OS - File is signed as a component of the OS
  • 128 - FILE_SIGNATURE_STATE_CATALOG_SIGNED - File is signed through the catalog

Special Tokenizations

Some fields are tokenized to allow more efficient searches

File Path Tokenization

Fields: process_name, parent_name, filemod_name, childproc_name, crossproc_name, modload_name, scriptload_name, regmod_name

Search for path hierarchies. Use slash (/) character or escaped backslash (\\) characters and enclose in double quotes if path contains colon or space characters. Exclude any leading path separator. File extension searching also supported.

Search examples: process_name:"c:/windows/system32/cmd.exe" filemod_name:.wcry regmod_name:myregkey/myregvalue modload_name:downloads\\myfile.exe parent_name:"c:/program files"

Domain Name Tokenization

Fields: netconn_domain

Search for any part of the domain. Start or end with ‘.’ to only look for a prefix or suffix.

Search examples: netconn_domain:.google.com netconn_domain:.ru netconn_domain:www.google.com

IPv4 Address Tokenization

Fields: netconn_ipv4

Search examples: netconn_ipv4:192.168.0.10 netconn_ipv4:192.168.0.0/24

IPv6 Address Tokenization

Fields: netconn_ipv6

Search examples: netconn_ipv6:"2001:0db8:85a3:0000:0000:8a2e:0370:7334" netconn_ipv6:"2001:db8::/127"

Command Line Tokenization

Fields: process_cmdline

Words in the command line can be searched, along with switches (-x /x) and file extensions.

Search examples: process_cmdline:"d:/path/myprogram.vbs /v" process_cmdline:"d:" process_cmdline:.vbs process_cmdline:"/v"

Other Field Types

Boolean

Fields: process_terminated Boolean value with possible values: true and false

Search Example: process_terminated:true

Date

Fields: device_timestamp, backend_timestamp

Date/time field formatted as ISO 8601 string based on UTC timezone

Search Examples: device_timestamp:2018-03-14T21:06:45.183Z


Last modified on January 18, 2022