Auth Events API
Overview
Auth Events API provides visibility into authentication events that occur on Windows endpoints. The reporting of Windows authentication events supplements the reporting of process events, which enables the correlation of authentication and process activity and yields more context-rich threat hunting and incident response.
Auth Events collection is disabled by default and must be enabled for each Policy. Verify that the devices for which Auth Events are required have a policy assigned with Auth Event collection enabled.
Use Cases
- Search authentication events; successful, failed, remote, elevated privileges
- Group authentication events by type, user, etc
- Understand how a user is moving laterally
- Identify abnormal user logon activity
Requirements
- Enterprise EDR
- Policy assigned with Auth Event collection enabled
- Windows endpoints (supported by Carbon Black Cloud Windows Sensor 3.9.1+ running on Windows 10.0.15063+)
Key Features
- Provides increased visibility into endpoint activity
- Provides additional context during threat hunting and incident response
- Increases potential for correlation of authentication and process events
- Reduces mean time to respond (MTTR)
- Reduces reliance on third-party solutions for the collection of Windows authentication events
Resources
- Search Fields - Investigate APIs
- Carbon Black Cloud User Guide - Investigate - Auth Events
- Tech Zone - Identity Intelligence - Auth Event Breakdown
- Carbon Black Postman Workspace
- Carbon Black Cloud Python SDK support for Auth Events
Authentication
Determine whether you use Carbon Black Cloud or VMware Cloud Services Platform to manage identity and authorization, or see the Carbon Black Cloud API Access Guide for complete instructions.Carbon Black Cloud Managed Identity and Authentication
Customize your access to the Carbon Black Cloud APIs with Role-Based Access Control; All APIs and Services authenticate via API Keys. To access the data in Carbon Black Cloud via API, you must set up a key with the correct permissions for the calls you want to make and pass it in the HTTP Headers.
Environment
Available on majority of environments; Use the Carbon Black Cloud Console URL, as described here.
API Route
Replace the {cbc-hostname} and {org_key} with the URL of your Environment and the org_key for your specific Org.
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events
Access Level
Before you create your API Key, you need to create a "Custom" Access Level including each category:
- Search > Events > org.search.events, allow permission to
CREATE, READ
API Key
When creating your API Key, use the Access Level Type of "Custom" and select the Access Level you created. Details on constructing and passing the API Key in your requests are available here.
Cloud Services Platform Managed Identity and Authentication
Customize your access to the Carbon Black Cloud APIs with OAuth Access Control; API access is controlled using OAuth apps or User API Tokens. This is currently limited to the UK Point of Presence and AWS GovCloud (US).
Environment
Available on
Prod UK and AWS GovCloud (US). Full list of environments is available here; Use the Carbon Black Cloud Console URL from Cloud Services Platform, as described here.
API Route
Replace the {cbc-hostname} and {org_key} with the URL of your Environment and the org_key for your specific Org.
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events
Access Level
Before you create your OAuth App, you need to create a custom Role with the following permissions under IDENTITY & ACCESS MANAGEMENT > Roles > VMware Carbon Black Cloud:
- _API.Search:org.Events, allow permission to
CREATE, READ
API Authentication
The Cloud Services Platform supports several authentication options, Access Token, API Token, and for backward compatibility, X-Auth-Token. To learn about the differences or how to use the authentication methods see the Authentication Guide.
Quick Start
This Quick Start guide follows a scenario for starting an Auth Events Search Job, getting its results, and then starting and getting the Auth Events Detail results. The workflow steps are:
1. Start Auth Events Search Job
2. Get Auth Events Search Job Result
3. Start Auth Events Detail Job
4. Get Auth Events Detail Job Results
1. Start Auth Events Search Job
2. Get Auth Events Search Job Result
3. Start Auth Events Detail Job
4. Get Auth Events Detail Job Results
1. Start Auth Events Search Job
Start a search in the past 10 weeks that looks for a specific username.
Start a search in the past 10 weeks that looks for a specific username.
Request
POST https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_jobsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"{
"query": "auth_username:SYSTEM",
"time_range": {
"window": "-10w"
}
}{
"job_id": "9e846705-ffa4-4ad4-a1be-c97fdca1ac2f-sqs"
}
2. Get Auth Events Search Job Result
Results may be available immediately but will be complete once the job finishes, as this call is asynchronous. The job will be complete when
For this example, we will limit the displayed results to a single one with the
Results may be available immediately but will be complete once the job finishes, as this call is asynchronous. The job will be complete when
contacted == completed in the response.
For this example, we will limit the displayed results to a single one with the
rows=1 query parameter.
Request
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_jobs/9e846705-ffa4-4ad4-a1be-c97fdca1ac2f-sqs/results?rows=1Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"{
"results": [
{
"auth_domain_name": "NT AUTHORITY",
"auth_event_action": "LOGON_SUCCESS",
"auth_remote_device": "-",
"auth_remote_port": 0,
"auth_username": "SYSTEM",
"backend_timestamp": "2023-01-13T17:19:01.013Z",
"childproc_count": 0,
"crossproc_count": 48,
"device_group_id": 0,
"device_id": 17686136,
"device_name": "w10cbws2thtplt",
"device_policy_id": 20622246,
"device_timestamp": "2023-01-13T17:17:45.322Z",
"event_id": "DA9E269E-421D-469D-A212-9062888A02F4",
"filemod_count": 3,
"ingress_time": 1673630293265,
"modload_count": 1,
"netconn_count": 35,
"org_id": "ABCD1234",
"parent_guid": "ABCD1234-010dde78-00000260-00000000-1d9275de5e5b262",
"parent_pid": 608,
"process_guid": "ABCD1234-010dde78-00000308-00000000-1d9275de6169dd7",
"process_hash": [
"15a556def233f112d127025ab51ac2d3",
"362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427"
],
"process_name": "c:\\windows\\system32\\lsass.exe",
"process_pid": [
776
],
"process_username": [
"NT AUTHORITY\\SYSTEM"
],
"regmod_count": 11,
"scriptload_count": 0,
"windows_event_id": 4624
}
],
"num_found": 175,
"num_available": 175,
"approximate_unaggregated": 175,
"num_aggregated": 175,
"contacted": 12,
"completed": 12
}
3. Start Auth Events Detail Job
Using the
Using the
event_id that we received from the Get Auth Events Search Job Results call,
start a Start Auth Events Detail Job to get more detailed information about the event.
Request
POST https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/detail_jobsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"{
"event_ids": ["DA9E269E-421D-469D-A212-9062888A02F4"]
}{
"job_id": "d91ecebb-3f70-4088-9724-918978efc0cb-sqs"
}
4. Get Auth Events Detail Job Results
Results may be available immediately but will be complete once the job finishes, as this call is asynchronous. The job will be complete when
To download or review the Carbon Black Cloud Postman collection, click here.
Results may be available immediately but will be complete once the job finishes, as this call is asynchronous. The job will be complete when
contacted == completed in the response.
Request
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/detail_jobs/d91ecebb-3f70-4088-9724-918978efc0cb-sqs/resultsRequest Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"{
"results": [
{
"auth_cleartext_credentials_logon": false,
"auth_daemon_logon": true,
"auth_domain_name": "NT AUTHORITY",
"auth_elevated_token_logon": true,
"auth_event_action": "LOGON_SUCCESS",
"auth_failed_logon_count": 0,
"auth_impersonation_level": "IMPERSONATION_LOCAL_ONLY",
"auth_interactive_logon": false,
"auth_key_length": 0,
"auth_logon_id": "00000000-000003E7",
"auth_logon_type": 5,
"auth_package": "Negotiate",
"auth_remote_device": "-",
"auth_remote_logon": false,
"auth_remote_port": 0,
"auth_restricted_admin_logon": false,
"auth_user_id": "S-1-5-18",
"auth_username": "SYSTEM",
"auth_virtual_account_logon": false,
"backend_timestamp": "2023-01-13T17:18:36.195Z",
"childproc_count": 0,
"crossproc_count": 48,
"device_external_ip": "52.116.18.136",
"device_group_id": 0,
"device_id": 17686136,
"device_installed_by": "CBAWTD\\Administrator",
"device_internal_ip": "192.168.231.164",
"device_location": "UNKNOWN",
"device_name": "w10cbws2thtplt",
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64",
"device_policy": "test-monitor",
"device_policy_id": 20622246,
"device_sensor_version": "3.9.0.2352",
"device_target_priority": "MEDIUM",
"device_timestamp": "2023-01-13T17:17:45.322Z",
"document_guid": "e0Huct8dQRyYfOEHImpfkA",
"event_id": "DA9E269E-421D-469D-A212-9062888A02F4",
"event_report_code": "SUB_RPT_NONE",
"filemod_count": 3,
"ingress_time": 1673630293265,
"modload_count": 1,
"netconn_count": 35,
"org_id": "ABCD1234",
"parent_cmdline": "wininit.exe",
"parent_cmdline_length": 11,
"parent_effective_reputation": "TRUSTED_WHITE_LIST",
"parent_effective_reputation_source": "IGNORE",
"parent_guid": "ABCD1234-010dde78-00000260-00000000-1d9275de5e5b262",
"parent_hash": [
"9ef51c8ad595c5e2a123c06ad39fccd7",
"268ca325c8f12e68b6728ff24d6536030aab6e05603d0179033b1e51d8476d86"
],
"parent_name": "c:\\windows\\system32\\wininit.exe",
"parent_pid": 608,
"parent_publisher": [
"Microsoft Windows Publisher"
],
"parent_publisher_state": [
"FILE_SIGNATURE_STATE_VERIFIED",
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_SIGNED"
],
"parent_reputation": "TRUSTED_WHITE_LIST",
"process_cmdline": [
"C:\\Windows\\system32\\lsass.exe"
],
"process_cmdline_length": [
29
],
"process_company_name": "Microsoft Corporation",
"process_effective_reputation": "TRUSTED_WHITE_LIST",
"process_effective_reputation_source": "IGNORE",
"process_elevated": true,
"process_file_description": "Local Security Authority Process",
"process_guid": "ABCD1234-010dde78-00000308-00000000-1d9275de6169dd7",
"process_hash": [
"15a556def233f112d127025ab51ac2d3",
"362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427"
],
"process_integrity_level": "SYSTEM",
"process_internal_name": "lsass.exe",
"process_name": "c:\\windows\\system32\\lsass.exe",
"process_original_filename": "lsass.exe",
"process_pid": [
776
],
"process_privileges": [
"SeIncreaseBasePriorityPrivilege",
"SeCreateGlobalPrivilege",
"SeChangeNotifyPrivilege",
"SeCreateSymbolicLinkPrivilege",
"SeDelegateSessionUserImpersonatePrivilege",
"SeSystemProfilePrivilege",
"SeDebugPrivilege",
"SeProfileSingleProcessPrivilege",
"SeLockMemoryPrivilege",
"SeCreatePagefilePrivilege",
"SeTimeZonePrivilege",
"SeTcbPrivilege",
"SeIncreaseWorkingSetPrivilege",
"SeImpersonatePrivilege",
"SeCreatePermanentPrivilege",
"SeAuditPrivilege"
],
"process_product_name": "Microsoft® Windows® Operating System",
"process_product_version": "10.0.19041.906",
"process_publisher": [
"Microsoft Windows Publisher"
],
"process_publisher_state": [
"FILE_SIGNATURE_STATE_VERIFIED",
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_SIGNED"
],
"process_reputation": "TRUSTED_WHITE_LIST",
"process_sha256": "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427",
"process_start_time": "2023-01-13T14:47:02.982Z",
"process_username": [
"NT AUTHORITY\\SYSTEM"
],
"regmod_count": 11,
"scriptload_count": 0,
"windows_event_id": 4624
}
],
"num_found": 1,
"num_available": 1,
"approximate_unaggregated": 1,
"num_aggregated": 1,
"contacted": 12,
"completed": 12
}API Calls
Auth Events collection is disabled by default and must be enabled for each Policy. Verify that the Devices for which Auth Events are required have a policy assigned with Auth Event collection enabled.
Get Auth Events Descriptions
Returns the list of auth events and status message descriptions.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.search.events |
READ |
Majority of environments |
| VMware Cloud Services Platform | _API.Search:org.Events:read |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/descriptions
Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | OK | application/json | Example response below |
| 400 | Bad Request | application/json | N/A |
| 403 | Forbidden | application/json | N/A |
| 429 | Too Many Requests | application/json | N/A |
| 500 | Internal Server Error | application/json | N/A |
Examples
Request
Request Headers
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/descriptionsX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"{
"event": {
"4624": "An account was successfully logged on",
"4625": "An account failed to log on",
"4634": "An account was logged off",
"4647": "User initiated logoff",
"4648": "A logon was attempted using explicit credentials",
"4672": "Special privileges assigned to new logon",
"4740": "A user account was locked out",
"4776": "The domain controller attempted to validate the credentials for an account",
"4777": "The domain controller failed to validate credentials for an account",
"6272": "Network Policy Server granted access to a user"
},
"status": [
{
"status_id": "0xC0000106L",
"message_code": "STATUS_NAME_TOO_LONG",
"message_description": "A specified name string is too long for its intended use."
},
{
"status_id": "0xC000013DL",
"message_code": "STATUS_REMOTE_RESOURCES",
"message_description": "{Insufficient Resources on Remote Computer} The remote computer has insufficient resources to complete the network request. For instance, there may not be enough memory available on the remote computer to carry out the request at this time."
}
... truncated ...
],
"logon_type": {
"4": {
"title": "Batch",
"description": "Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention."
},
"5": {
"title": "Service",
"description": "A service was started by the Service Control Manager."
},
"7": {
"title": "Unlock",
"description": "This workstation was unlocked."
}
... truncated ...
},
"auth_event_action": {
"ACCOUNT_LOCKED": "A user account was locked out",
"LOGOFF_INITIATED": "User initiated logoff",
"LOGOFF_SUCCESS": "An account was logged off",
"LOGON_DISCOVERED": "Logon session detected",
"LOGON_FAILED": "An account failed to log on",
"LOGON_SUCCESS": "An account was successfully logged on",
"PRIVILEGES_GRANTED": "Special privileges assigned to new logon"
}
}
Request
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/descriptions \
-X GET \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456'{
"event": {
"4624": "An account was successfully logged on",
"4625": "An account failed to log on",
"4634": "An account was logged off",
"4647": "User initiated logoff",
"4648": "A logon was attempted using explicit credentials",
"4672": "Special privileges assigned to new logon",
"4740": "A user account was locked out",
"4776": "The domain controller attempted to validate the credentials for an account",
"4777": "The domain controller failed to validate credentials for an account",
"6272": "Network Policy Server granted access to a user"
},
"status": [
{
"status_id": "0xC0000106L",
"message_code": "STATUS_NAME_TOO_LONG",
"message_description": "A specified name string is too long for its intended use."
},
{
"status_id": "0xC000013DL",
"message_code": "STATUS_REMOTE_RESOURCES",
"message_description": "{Insufficient Resources on Remote Computer} The remote computer has insufficient resources to complete the network request. For instance, there may not be enough memory available on the remote computer to carry out the request at this time."
}
... truncated ...
],
"logon_type": {
"4": {
"title": "Batch",
"description": "Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention."
},
"5": {
"title": "Service",
"description": "A service was started by the Service Control Manager."
},
"7": {
"title": "Unlock",
"description": "This workstation was unlocked."
}
... truncated ...
},
"auth_event_action": {
"ACCOUNT_LOCKED": "A user account was locked out",
"LOGOFF_INITIATED": "User initiated logoff",
"LOGOFF_SUCCESS": "An account was logged off",
"LOGON_DISCOVERED": "Logon session detected",
"LOGON_FAILED": "An account failed to log on",
"LOGON_SUCCESS": "An account was successfully logged on",
"PRIVILEGES_GRANTED": "Special privileges assigned to new logon"
}
}
Code
Result
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
from cbc_sdk import CBCloudAPI
from cbc_sdk.enterprise_edr import AuthEvent
# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
cb = CBCloudAPI(profile="example_profile")
descriptions = AuthEvent.get_auth_events_descriptions(cb)
print(descriptions){
'event': {
'4624': 'An account was successfully logged on',
'4625': 'An account failed to log on',
'4634': 'An account was logged off',
'4647': 'User initiated logoff',
'4648': 'A logon was attempted using explicit credentials',
'4672': 'Special privileges assigned to new logon',
'4740': 'A user account was locked out',
'4776': 'The domain controller attempted to validate the credentials for an account',
'4777': 'The domain controller failed to validate credentials for an account',
'6272': 'Network Policy Server granted access to a user'
},
'status': [
{
'status_id': '0xC0000106L',
'message_code': 'STATUS_NAME_TOO_LONG',
'message_description': 'A specified name string is too long for its intended use.'
},
{
'status_id': '0xC000013DL',
'message_code': 'STATUS_REMOTE_RESOURCES',
'message_description': '{Insufficient Resources on Remote Computer} The remote computer has insufficient resources to complete the network request. For instance, there may not be enough memory available on the remote computer to carry out the request at this time.'
}
... truncated ...
],
'logon_type': {
'4': {
'title': 'Batch',
'description': 'Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.'
},
'5': {
'title': 'Service',
'description': 'A service was started by the Service Control Manager.'
},
'7': {
'title': 'Unlock',
'description': 'This workstation was unlocked.'
}
... truncated ...
},
'auth_event_action': {
'ACCOUNT_LOCKED': 'A user account was locked out',
'LOGOFF_INITIATED': 'User initiated logoff',
'LOGOFF_SUCCESS': 'An account was logged off',
'LOGON_DISCOVERED': 'Logon session detected',
'LOGON_FAILED': 'An account failed to log on',
'LOGON_SUCCESS': 'An account was successfully logged on',
'PRIVILEGES_GRANTED': 'Special privileges assigned to new logon'
}
}Events Search
Start Auth Events Search Job
Creates an Auth Events Search job. The results for the search job may be requested using the job_id returned. This route will not request facets.
An alternative to execute searches and get the results in a zipped csv file is the
Event Export functionality
with api_resource = AUTH_EVENTS
which leverages the Job Service API.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.search.events |
READ, CREATE |
Majority of environments |
| VMware Cloud Services Platform | _API.Search:org.Events:read |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
| VMware Cloud Services Platform | _API.Search:org.Events:create |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/search_jobs
Request Body - application/json
{
"collapse": <boolean>,
"collapse_field": [ "<string>" ],
"criteria": {
"additionalProp1": [ { "<key>": "<value>"} ]
},
"exclusions": {
"additionalProp1": [ { "<key>": "<value>"} ]
},
"fields": [ "<string>" ],
"query": "<string>",
"rows": <integer>,
"sort": [
{
"field": "<string>",
"order": "<string>"
}
],
"start": <integer>,
"time_range": {
"end": "<string>",
"start": "<string>",
"window": "<string>"
}
}
Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
| collapse | Collapse is a boolean representing whether or not a user wants the ‘fq’ solr param included in their search. | Boolean | true, false |
| collapse_field | The field(s) to collapse the results by when searching. The search will only return one result per value for the specified field. | Array | Supported: device_id |
| criteria | Criteria is an object that represents values that must be in the results. Either query or criteria/exclusion must be included. |
Object | |
| exclusions | Exclusions is a map that represents values that must not be in the results. Either query or criteria/exclusion must be included. |
Object | |
| fields | Fields to include in the results, specify * to return all the default fields. If additional fields are required, consider using the Details Job which is more performant. If needed by the use case, additional fields can be named in this list. |
Array | Example: Values: auth_username, backend_timestamp, childproc_count, crossproc_count, device_group_id, device_id, device_name, device_policy_id, device_timestamp, event_id, filemod_count, ingress_time, modload_count, netconn_count, org_id, parent_guid, parent_pid, process_guid, process_hash, process_name, process_pid, process_username, regmod_count, scriptload_count, windows_event_id,auth_domain_name, auth_event_action, auth_remote_port
Default: ["*"] |
| query | Query in lucene syntax and/or including value searches. Either query or criteria/exclusion must be included. |
String | Example: |
| rows | Number of rows to request for pagination | Long | Default: 500
Max: 10k |
| sort | Sort is a collection of sort parameters that specify a field and order to sort the results. |
Array | Example: order supports asc or desc |
| start | First row to use for pagination | Long | Default: 0 |
| time_range | Describes a time window to restrict the search to match using device_timestamp as the reference. Window will take priority over start and end if provided. |
Object | window: “-2w” where y=year, w=week, d=day, h=hour, m=minute, s=second
start: ISO 8601 UTC timestamp
end: ISO 8601 UTC timestamp |
Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | OK | application/json | Example response below |
| 400 | Bad Request | application/json | N/A |
| 403 | Forbidden | application/json | N/A |
| 429 | Too Many Requests | application/json | N/A |
| 500 | Internal Server Error | application/json | N/A |
Examples
Request
Request Headers
Request Body
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
POST https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_jobsX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"{
"query": "auth_username:SYSTEM",
"time_range": {
"window": "-50w"
}
}{
"job_id": "62be5c2c-d080-4ce6-b4f3-7c519cc2b41c-sqs"
}
Request
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_jobs \
-X POST \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{
"query": "auth_username:SYSTEM",
"time_range": {
"window": "-50w"
}
}'
{
"job_id": "62be5c2c-d080-4ce6-b4f3-7c519cc2b41c-sqs"
}
Code
Result
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
from cbc_sdk import CBCloudAPI
from cbc_sdk.enterprise_edr import AuthEvent
# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
cb = CBCloudAPI(profile='example_profile')
events = cb.select(AuthEvent).where("auth_username:SYSTEM")
print(*events)AuthEvent object, bound to https://defense.conferdeploy.net
Partially initialized. Use .refresh() to load all attributes
-------------------------------------------------------------------------------
auth_domain_name: NT AUTHORITY
auth_event_action: LOGOFF_SUCCESS
auth_remote_port: 0
auth_username: SYSTEM
backend_timestamp: 2023-03-08T07:17:32.920Z
childproc_count: 0
crossproc_count: 1852
device_group_id: 0
device_id: 18101914
device_name: richm\win11
device_policy_id: 20886205
device_timestamp: 2023-03-08T07:15:02.355Z
event_id: 4497E16E-5B3C-4AC8-ADA1-51962D55A97F
filemod_count: 33
ingress_time: 1678259788862
modload_count: 7
netconn_count: 113
org_id: ABCD1234
parent_guid: ABCD1234-0114369a-000002ac-00000000-1d94538fb2b...
parent_pid: 684
process_guid: ABCD1234-0114369a-0000033c-00000000-1d94538fb4e...
process_hash: [list:2 items]:
[0]: c0ba0caebf823de8f2ebf49eea9cc5e5
[1]: c72b9e35e307fefe59bacc3c65842e93b963f6c37329340...
process_name: c:\windows\system32\lsass.exe
process_pid: [list:1 item]:
[0]: 828
process_username: [list:1 item]:
[0]: NT AUTHORITY\SYSTEM
regmod_count: 42
scriptload_count: 0
windows_event_id: 4634Get Auth Events Search Job Results
Retrieves the auth events search results for a given job_id. Results will be sorted based on the sort parameter used when starting the search.
Results may be available immediately but will be complete once the job finishes, as this call is asynchronous. The job will be complete when contacted == completed in the response.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.search.events |
READ |
Majority of environments |
| VMware Cloud Services Platform | _API.Search:org.Events:read |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/search_jobs/{job_id}/results
Query Parameters
| Parameter | Required | Description | Values | Default |
|---|---|---|---|---|
| start | No | Starting rows of events, used for pagination | Integer | 0 |
| rows | No | Number of events to get, used for pagination | Integer | 10 |
Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | OK | application/json | Example response below |
| 400 | Bad Request | application/json | N/A |
| 403 | Forbidden | application/json | N/A |
| 429 | Too Many Requests | application/json | N/A |
| 500 | Internal Server Error | application/json | N/A |
Examples
Request
Request Headers
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_jobs/a5f02ce7-b405-48de-8f52-8ced5789a7c7-sqs/resultsX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"{
"results": [
{
"auth_domain_name": "NT AUTHORITY",
"auth_event_action": "LOGON_SUCCESS",
"auth_remote_device": "-",
"auth_remote_port": 0,
"auth_username": "SYSTEM",
"backend_timestamp": "2023-01-13T17:19:01.013Z",
"childproc_count": 0,
"crossproc_count": 48,
"device_group_id": 0,
"device_id": 17686136,
"device_name": "test_name",
"device_policy_id": 20622246,
"device_timestamp": "2023-01-13T17:17:45.322Z",
"event_id": "DA9E269E-421D-469D-A212-9062888A02F4",
"filemod_count": 3,
"ingress_time": 1673630293265,
"modload_count": 1,
"netconn_count": 35,
"org_id": "ABCD1234",
"parent_guid": "ABCD1234-010dde78-00000260-00000000-1d9275de5e5b262",
"parent_pid": 608,
"process_guid": "ABCD1234-010dde78-00000308-00000000-1d9275de6169dd7",
"process_hash": [
"15a556def233f112d127025ab51ac2d3",
"362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427"
],
"process_name": "c:\\windows\\system32\\lsass.exe",
"process_pid": [
776
],
"process_username": [
"NT AUTHORITY\\SYSTEM"
],
"regmod_count": 11,
"scriptload_count": 0,
"windows_event_id": 4624
}
],
"num_found": 175,
"num_available": 175,
"approximate_unaggregated": 175,
"num_aggregated": 175,
"contacted": 12,
"completed": 12
}
Request
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_jobs/a5f02ce7-b405-48de-8f52-8ced5789a7c7-sqs/results \
-X GET \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456'{
"results": [
{
"auth_domain_name": "NT AUTHORITY",
"auth_event_action": "LOGON_SUCCESS",
"auth_remote_device": "-",
"auth_remote_port": 0,
"auth_username": "SYSTEM",
"backend_timestamp": "2023-01-13T17:19:01.013Z",
"childproc_count": 0,
"crossproc_count": 48,
"device_group_id": 0,
"device_id": 17686136,
"device_name": "test_name",
"device_policy_id": 20622246,
"device_timestamp": "2023-01-13T17:17:45.322Z",
"event_id": "DA9E269E-421D-469D-A212-9062888A02F4",
"filemod_count": 3,
"ingress_time": 1673630293265,
"modload_count": 1,
"netconn_count": 35,
"org_id": "ABCD1234",
"parent_guid": "ABCD1234-010dde78-00000260-00000000-1d9275de5e5b262",
"parent_pid": 608,
"process_guid": "ABCD1234-010dde78-00000308-00000000-1d9275de6169dd7",
"process_hash": [
"15a556def233f112d127025ab51ac2d3",
"362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427"
],
"process_name": "c:\\windows\\system32\\lsass.exe",
"process_pid": [
776
],
"process_username": [
"NT AUTHORITY\\SYSTEM"
],
"regmod_count": 11,
"scriptload_count": 0,
"windows_event_id": 4624
}
],
"num_found": 175,
"num_available": 175,
"approximate_unaggregated": 175,
"num_aggregated": 175,
"contacted": 12,
"completed": 12
}
Code
Result
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
from cbc_sdk import CBCloudAPI
from cbc_sdk.enterprise_edr import AuthEvent
# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
cb = CBCloudAPI(profile='example_profile')
events = cb.select(AuthEvent).where("auth_username:SYSTEM")
print(*events)AuthEvent object, bound to https://defense.conferdeploy.net
Partially initialized. Use .refresh() to load all attributes
-------------------------------------------------------------------------------
auth_domain_name: NT AUTHORITY
auth_event_action: LOGOFF_SUCCESS
auth_remote_port: 0
auth_username: SYSTEM
backend_timestamp: 2023-03-08T07:17:32.920Z
childproc_count: 0
crossproc_count: 1852
device_group_id: 0
device_id: 18101914
device_name: richm\win11
device_policy_id: 20886205
device_timestamp: 2023-03-08T07:15:02.355Z
event_id: 4497E16E-5B3C-4AC8-ADA1-51962D55A97F
filemod_count: 33
ingress_time: 1678259788862
modload_count: 7
netconn_count: 113
org_id: ABCD1234
parent_guid: ABCD1234-0114369a-000002ac-00000000-1d94538fb2b...
parent_pid: 684
process_guid: ABCD1234-0114369a-0000033c-00000000-1d94538fb4e...
process_hash: [list:2 items]:
[0]: c0ba0caebf823de8f2ebf49eea9cc5e5
[1]: c72b9e35e307fefe59bacc3c65842e93b963f6c37329340...
process_name: c:\windows\system32\lsass.exe
process_pid: [list:1 item]:
[0]: 828
process_username: [list:1 item]:
[0]: NT AUTHORITY\SYSTEM
regmod_count: 42
scriptload_count: 0
windows_event_id: 4634Get Auth Events Search Suggestions
Returns suggestions for an Auth Events Search based on fields in the organization’s system. Will return field names if the “suggest.q” parameter does not yet contain a colon and will return no suggestion otherwise.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.search.events |
READ |
Majority of environments |
| VMware Cloud Services Platform | _API.Search:org.Events:read |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/search_suggestions
Query Parameters
| Parameter | Required | Description | Values | Default |
|---|---|---|---|---|
suggest.q |
Yes | The query to generate suggestions for | N/A | N/A |
suggest.count |
No | The number of suggestions to return | N/A | 50 |
Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | OK | application/json | Example response below |
| 400 | Bad Request | application/json | N/A |
| 403 | Forbidden | application/json | N/A |
| 429 | Too Many Requests | application/json | N/A |
| 500 | Internal Server Error | application/json | N/A |
Examples
Request
Request Headers
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_suggestions?suggest.q=authX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"{
"suggestions": [
{
"term": "auth_cleartext_credentials_logon",
"weight": 350,
"required_skus_all": [
"auth"
],
"required_skus_some": []
},
{
"term": "auth_daemon_logon",
"weight": 350,
"required_skus_all": [
"auth"
],
"required_skus_some": []
},
{
"term": "auth_domain_name",
"weight": 350,
"required_skus_all": [
"auth"
],
"required_skus_some": []
},
{
"term": "auth_username",
"weight": 350,
"required_skus_all": [
"auth"
],
"required_skus_some": []
},
{
"term": "auth_virtual_account_logon",
"weight": 350,
"required_skus_all": [
"auth"
],
"required_skus_some": []
}
]
}
Request
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_suggestions?suggest.q=auth \
-X GET \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456'{
"suggestions": [
{
"term": "auth_cleartext_credentials_logon",
"weight": 350,
"required_skus_all": [
"auth"
],
"required_skus_some": []
},
{
"term": "auth_daemon_logon",
"weight": 350,
"required_skus_all": [
"auth"
],
"required_skus_some": []
},
{
"term": "auth_username",
"weight": 350,
"required_skus_all": [
"auth"
],
"required_skus_some": []
},
{
"term": "auth_virtual_account_logon",
"weight": 350,
"required_skus_all": [
"auth"
],
"required_skus_some": []
}
]
}
Code
Result
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
from cbc_sdk import CBCloudAPI
from cbc_sdk.enterprise_edr import AuthEvent
# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
cb = CBCloudAPI(profile="example_profile")
suggestions = AuthEvent.search_suggestions(cb, 'auth')
print(suggestions){'term': 'auth_cleartext_credentials_logon', 'weight': 200, 'required_skus_all': ['auth'], 'required_skus_some': []}Get Auth Events Search Validation
Returns the validation status of a given Auth Events query and potentially provides validation on how to fix invalid queries.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.search.events |
READ |
Majority of environments |
| VMware Cloud Services Platform | _API.Search:org.Events:read |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/search_validation
Query Parameters
| Parameter | Required | Description | Values | Default |
|---|---|---|---|---|
q |
Yes | The query to validate | N/A | N/A |
Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | OK | application/json | Example response below |
| 400 | Bad Request | application/json | N/A |
| 403 | Forbidden | application/json | N/A |
| 429 | Too Many Requests | application/json | N/A |
| 500 | Internal Server Error | application/json | N/A |
Examples
Request
Request Headers
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_validation?q="(auth_username:Administrator)AND(device_name:test)"X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"{
"valid": true,
"value_search_query": true
}
Request
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_validation?q="(auth_username:Administrator)AND(device_name:test)" \
-X GET \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456'{
"valid": true,
"value_search_query": true
}Get Auth Events Search Group Results
Retrieves the auth events search group results for a given job_id. Results will be grouped based on the fields provided and/or by timestamp field duration.
Results may be available immediately but will be complete once the job finishes, as this call is asynchronous. The job will be complete when contacted == completed in the response.
Grouping with timestamp field
There are two different methods of grouping available when timestamp field is specified:
Interval (default) - groups the events when the timestamp difference between two consecutive sorted events is less than the duration requested.
Example:
{ event1 = 10:00:00, event2 = 10:07:00, event3 = 10:21:00, event4 = 10:09:00, duration = 10m }
event1, event2, and event4 will be grouped into one since the time difference between sorted consecutive events is less than duration.
Bucket - groups the documents in buckets of duration length, meaning the max time difference between the min and max within a group can be up to the duration.
Example:
{ event1 = 10:00:00, event2 = 10:07:00, event3 = 10:13:00, event4 = 10:21:00, duration = 10m }
event1 and event2 will be grouped into the first group since the time difference between them is less than duration, event3 will not be added to the first group it exceeds the max capacity of Bucket.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.search.events |
READ |
Majority of environments |
| VMware Cloud Services Platform | _API.Search:org.Events:read |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/search_jobs/{job_id}/group_results
Request Body - application/json
{
"fields": [
"<field>"
],
"max_events_per_group": <integer>,
"range": {
"duration": "<string>",
"field": "<string>",
"method": "<string>"
},
"rows": <integer>,
"start": <integer>
}
Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
| fields | Fields to include in the results, specify * to return all the default returned fields and add additional fields that have docvalues | Array | Example: Values: auth_username, backend_timestamp, childproc_count, crossproc_count, device_group_id, device_id, device_name, device_policy_id, device_timestamp, event_id, filemod_count, ingress_time, modload_count, netconn_count, org_id, parent_guid, parent_pid, process_guid, process_hash, process_name, process_pid, process_username, regmod_count, scriptload_count, windows_event_id,auth_domain_name, auth_event_action, auth_remote_port
Default: ["*"] |
| max_events_per_group | Maximum number of events in a group, if not provided, all events will be returned | Integer | N/A |
| range | Describes a time window to restrict the search | Object | method: Method of grouping either interval or bucket
field: Timestamp field is used to group the range of results e.g. device_timestamp
duration: Duration for grouping in hours, minutes or seconds like 3h, 5m, 100s |
| rows | Number of rows to request for pagination | Long | Default: 500
Max: 10k |
| start | First row to use for pagination | Long | Default: 0 |
Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | OK | application/json | Example response below |
| 400 | Bad Request | application/json | N/A |
| 403 | Forbidden | application/json | N/A |
| 429 | Too Many Requests | application/json | N/A |
| 500 | Internal Server Error | application/json | N/A |
Examples
Request
Request Headers
Request Body
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
POST https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_jobs/6525d831-c8d3-4966-a335-97a5a5d7d6b0-sqs/group_resultsX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"{
"fields": [
"auth_username"
],
"range": {},
"rows": 1
}{
"group_results": [
{
"group_key": "auth_username",
"group_value": "SYSTEM",
"group_start_timestamp": "2023-01-13T17:17:45.322Z",
"group_end_timestamp": "2023-01-13T17:17:45.322Z",
"results": [
{
"auth_cleartext_credentials_logon": false,
"auth_daemon_logon": true,
"auth_domain_name": "NT AUTHORITY",
"auth_elevated_token_logon": true,
"auth_event_action": "LOGON_SUCCESS",
"auth_failed_logon_count": 0,
"auth_impersonation_level": "IMPERSONATION_LOCAL_ONLY",
"auth_interactive_logon": false,
"auth_key_length": 0,
"auth_logon_id": "00000000-000003E7",
"auth_logon_type": 5,
"auth_package": "Negotiate",
"auth_remote_device": "-",
"auth_remote_logon": false,
"auth_remote_port": 0,
"auth_restricted_admin_logon": false,
"auth_user_id": "S-1-5-18",
"auth_username": "SYSTEM",
"auth_virtual_account_logon": false,
"backend_timestamp": "2023-01-13T17:18:36.195Z",
"childproc_count": 0,
"crossproc_count": 48,
"device_external_ip": "52.116.18.136",
"device_group_id": 0,
"device_id": 17686136,
"device_installed_by": "CBAWTD\\Administrator",
"device_internal_ip": "192.168.231.164",
"device_location": "UNKNOWN",
"device_name": "test_name",
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64",
"device_policy": "test-monitor",
"device_policy_id": 20622246,
"device_sensor_version": "3.9.0.2352",
"device_target_priority": "MEDIUM",
"device_timestamp": "2023-01-13T17:17:45.322Z",
"document_guid": "e0Huct8dQRyYfOEHImpfkA",
"event_id": "DA9E269E-421D-469D-A212-9062888A02F4",
"event_report_code": "SUB_RPT_NONE",
"filemod_count": 3,
"ingress_time": 1673630293265,
"modload_count": 1,
"netconn_count": 35,
"org_id": "ABCD1234",
"parent_cmdline": "wininit.exe",
"parent_cmdline_length": 11,
"parent_effective_reputation": "TRUSTED_WHITE_LIST",
"parent_effective_reputation_source": "IGNORE",
"parent_guid": "ABCD1234-010dde78-00000260-00000000-1d9275de5e5b262",
"parent_hash": [
"9ef51c8ad595c5e2a123c06ad39fccd7",
"268ca325c8f12e68b6728ff24d6536030aab6e05603d0179033b1e51d8476d86"
],
"parent_name": "c:\\windows\\system32\\wininit.exe",
"parent_pid": 608,
"parent_publisher": [
"Microsoft Windows Publisher"
],
"parent_publisher_state": [
"FILE_SIGNATURE_STATE_VERIFIED",
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_SIGNED"
],
"parent_reputation": "TRUSTED_WHITE_LIST",
"process_cmdline": [
"C:\\Windows\\system32\\lsass.exe"
],
"process_cmdline_length": [
29
],
"process_company_name": "Microsoft Corporation",
"process_effective_reputation": "TRUSTED_WHITE_LIST",
"process_effective_reputation_source": "IGNORE",
"process_elevated": true,
"process_file_description": "Local Security Authority Process",
"process_guid": "ABCD1234-010dde78-00000308-00000000-1d9275de6169dd7",
"process_hash": [
"15a556def233f112d127025ab51ac2d3",
"362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427"
],
"process_integrity_level": "SYSTEM",
"process_internal_name": "lsass.exe",
"process_name": "c:\\windows\\system32\\lsass.exe",
"process_original_filename": "lsass.exe",
"process_pid": [
776
],
"process_privileges": [
"SeIncreaseBasePriorityPrivilege",
"SeCreateGlobalPrivilege",
"SeChangeNotifyPrivilege",
"SeCreateSymbolicLinkPrivilege",
"SeDelegateSessionUserImpersonatePrivilege",
"SeSystemProfilePrivilege",
"SeDebugPrivilege",
"SeProfileSingleProcessPrivilege",
"SeLockMemoryPrivilege",
"SeCreatePagefilePrivilege",
"SeTimeZonePrivilege",
"SeTcbPrivilege",
"SeIncreaseWorkingSetPrivilege",
"SeImpersonatePrivilege",
"SeCreatePermanentPrivilege",
"SeAuditPrivilege"
],
"process_product_name": "Microsoft® Windows® Operating System",
"process_product_version": "10.0.19041.906",
"process_publisher": [
"Microsoft Windows Publisher"
],
"process_publisher_state": [
"FILE_SIGNATURE_STATE_VERIFIED",
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_SIGNED"
],
"process_reputation": "TRUSTED_WHITE_LIST",
"process_sha256": "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427",
"process_start_time": "2023-01-13T14:47:02.982Z",
"process_username": [
"NT AUTHORITY\\SYSTEM"
],
"regmod_count": 11,
"scriptload_count": 0,
"windows_event_id": 4624
}
],
"total_events": 1
}
],
"num_found": 1,
"num_available": 1,
"groups_num_available": 1,
"approximate_unaggregated": 1,
"num_aggregated": 1,
"contacted": 11,
"completed": 11
}
Request
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_jobs/6525d831-c8d3-4966-a335-97a5a5d7d6b0-sqs/group_results \
-X POST \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{
"fields": [
"auth_username"
],
"range": {},
"rows": 1
}'
{
"group_results": [
{
"group_key": "auth_username",
"group_value": "SYSTEM",
"group_start_timestamp": "2023-01-13T17:17:45.322Z",
"group_end_timestamp": "2023-01-13T17:17:45.322Z",
"results": [
{
"auth_cleartext_credentials_logon": false,
"auth_daemon_logon": true,
"auth_domain_name": "NT AUTHORITY",
"auth_elevated_token_logon": true,
"auth_event_action": "LOGON_SUCCESS",
"auth_failed_logon_count": 0,
"auth_impersonation_level": "IMPERSONATION_LOCAL_ONLY",
"auth_interactive_logon": false,
"auth_key_length": 0,
"auth_logon_id": "00000000-000003E7",
"auth_logon_type": 5,
"auth_package": "Negotiate",
"auth_remote_device": "-",
"auth_remote_logon": false,
"auth_remote_port": 0,
"auth_restricted_admin_logon": false,
"auth_user_id": "S-1-5-18",
"auth_username": "SYSTEM",
"auth_virtual_account_logon": false,
"backend_timestamp": "2023-01-13T17:18:36.195Z",
"childproc_count": 0,
"crossproc_count": 48,
"device_external_ip": "52.116.18.136",
"device_group_id": 0,
"device_id": 17686136,
"device_installed_by": "CBAWTD\\Administrator",
"device_internal_ip": "192.168.231.164",
"device_location": "UNKNOWN",
"device_name": "test_name",
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64",
"device_policy": "test-monitor",
"device_policy_id": 20622246,
"device_sensor_version": "3.9.0.2352",
"device_target_priority": "MEDIUM",
"device_timestamp": "2023-01-13T17:17:45.322Z",
"document_guid": "e0Huct8dQRyYfOEHImpfkA",
"event_id": "DA9E269E-421D-469D-A212-9062888A02F4",
"event_report_code": "SUB_RPT_NONE",
"filemod_count": 3,
"ingress_time": 1673630293265,
"modload_count": 1,
"netconn_count": 35,
"org_id": "ABCD1234",
"parent_cmdline": "wininit.exe",
"parent_cmdline_length": 11,
"parent_effective_reputation": "TRUSTED_WHITE_LIST",
"parent_effective_reputation_source": "IGNORE",
"parent_guid": "ABCD1234-010dde78-00000260-00000000-1d9275de5e5b262",
"parent_hash": [
"9ef51c8ad595c5e2a123c06ad39fccd7",
"268ca325c8f12e68b6728ff24d6536030aab6e05603d0179033b1e51d8476d86"
],
"parent_name": "c:\\windows\\system32\\wininit.exe",
"parent_pid": 608,
"parent_publisher": [
"Microsoft Windows Publisher"
],
"parent_publisher_state": [
"FILE_SIGNATURE_STATE_VERIFIED",
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_SIGNED"
],
"parent_reputation": "TRUSTED_WHITE_LIST",
"process_cmdline": [
"C:\\Windows\\system32\\lsass.exe"
],
"process_cmdline_length": [
29
],
"process_company_name": "Microsoft Corporation",
"process_effective_reputation": "TRUSTED_WHITE_LIST",
"process_effective_reputation_source": "IGNORE",
"process_elevated": true,
"process_file_description": "Local Security Authority Process",
"process_guid": "ABCD1234-010dde78-00000308-00000000-1d9275de6169dd7",
"process_hash": [
"15a556def233f112d127025ab51ac2d3",
"362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427"
],
"process_integrity_level": "SYSTEM",
"process_internal_name": "lsass.exe",
"process_name": "c:\\windows\\system32\\lsass.exe",
"process_original_filename": "lsass.exe",
"process_pid": [
776
],
"process_privileges": [
"SeIncreaseBasePriorityPrivilege",
"SeCreateGlobalPrivilege",
"SeChangeNotifyPrivilege",
"SeCreateSymbolicLinkPrivilege",
"SeDelegateSessionUserImpersonatePrivilege",
"SeSystemProfilePrivilege",
"SeDebugPrivilege",
"SeProfileSingleProcessPrivilege",
"SeLockMemoryPrivilege",
"SeCreatePagefilePrivilege",
"SeTimeZonePrivilege",
"SeTcbPrivilege",
"SeIncreaseWorkingSetPrivilege",
"SeImpersonatePrivilege",
"SeCreatePermanentPrivilege",
"SeAuditPrivilege"
],
"process_product_name": "Microsoft® Windows® Operating System",
"process_product_version": "10.0.19041.906",
"process_publisher": [
"Microsoft Windows Publisher"
],
"process_publisher_state": [
"FILE_SIGNATURE_STATE_VERIFIED",
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_SIGNED"
],
"process_reputation": "TRUSTED_WHITE_LIST",
"process_sha256": "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427",
"process_start_time": "2023-01-13T14:47:02.982Z",
"process_username": [
"NT AUTHORITY\\SYSTEM"
],
"regmod_count": 11,
"scriptload_count": 0,
"windows_event_id": 4624
}
],
"total_events": 1
}
],
"num_found": 1,
"num_available": 1,
"groups_num_available": 1,
"approximate_unaggregated": 1,
"num_aggregated": 1,
"contacted": 11,
"completed": 11
}
Code
Result
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
from cbc_sdk import CBCloudAPI
from cbc_sdk.enterprise_edr import AuthEvent
# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
cb = CBCloudAPI(profile='example_profile')
groups = set(cb.select(AuthEvent).where(process_pid=2000).group_results("device_name"))
for group in groups:
print(group._info){'group_key': 'device_name', 'group_value': 'knox\\win10-02', 'group_start_timestamp': '2023-02-27T14:24:10.244Z', 'group_end_timestamp': '2023-02-27T14:24:10.244Z', 'results': [{'auth_domain_name': 'NT AUTHORITY', 'auth_event_action': 'PRIVILEGES_GRANTED', 'auth_remote_port': 0, 'auth_username': 'SYSTEM', 'backend_timestamp': '2023-02-27T14:25:56.267Z', 'childproc_count': 0, 'crossproc_count': 61, 'device_group_id': 0, 'device_id': 18105995, 'device_name': 'knox\\win10-02', 'device_policy_id': 20622246, 'device_timestamp': '2023-02-27T14:24:10.244Z', 'event_id': '867E90CC-DE87-4427-B1AB-648EC70BD3B9', 'filemod_count': 6, 'ingress_time': 1677507889528, 'modload_count': 0, 'netconn_count': 18, 'org_id': 'ABCD1234', 'parent_guid': 'ABCD1234-0114468b-00000200-00000000-1d948635dae8317', 'parent_pid': 512, 'process_guid': 'ABCD1234-0114468b-00000284-00000000-1d948635e4b072c', 'process_hash': ['8ea6fe0cdac6dd3bae1fadc04d168a4f', 'b77aa726acd44c7c89d32dd46aa07583b88fbe2c34aed394eb6e005824e40893'], 'process_name': 'c:\\windows\\system32\\lsass.exe', 'process_pid': [644], 'process_username': ['NT AUTHORITY\\SYSTEM'], 'regmod_count': 20, 'scriptload_count': 0, 'windows_event_id': 4672}, {'auth_domain_name': 'NT AUTHORITY', 'auth_event_action': 'LOGON_SUCCESS', 'auth_remote_device': '-', 'auth_remote_port': 0, 'auth_username': 'SYSTEM', 'backend_timestamp': '2023-02-27T14:24:54.237Z', 'childproc_count': 0, 'crossproc_count': 61, 'device_group_id': 0, 'device_id': 18105995, 'device_name': 'knox\\win10-02', 'device_policy_id': 20622246, 'device_timestamp': '2023-02-27T14:24:10.244Z', 'event_id': 'F70E0699-05F3-4CD3-BC1F-EB6A0900F910', 'filemod_count': 6, 'ingress_time': 1677507880707, 'modload_count': 0, 'netconn_count': 18, 'org_id': 'ABCD1234', 'parent_guid': 'ABCD1234-0114468b-00000200-00000000-1d948635dae8317', 'parent_pid': 512, 'process_guid': 'ABCD1234-0114468b-00000284-00000000-1d948635e4b072c', 'process_hash': ['8ea6fe0cdac6dd3bae1fadc04d168a4f', 'b77aa726acd44c7c89d32dd46aa07583b88fbe2c34aed394eb6e005824e40893'], 'process_name': 'c:\\windows\\system32\\lsass.exe', 'process_pid': [644], 'process_username': ['NT AUTHORITY\\SYSTEM'], 'regmod_count': 20, 'scriptload_count': 0, 'windows_event_id': 4624}], 'total_events': 2}Events Details
Start Auth Events Detail Job
Creates an auth events detail job. The details will include information about the event that’s not normally accessible during a search. The results for the search job may be requested using the job ID returned.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.search.events |
READ, CREATE |
Majority of environments |
| VMware Cloud Services Platform | _API.Search:org.Events:create |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/detail_jobs
Request Body - application/json
{
"alert_id": "string",
"event_ids": [ "string" ]
}
Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
| alert_id | An alert id to fetch associated observations | String | N/A |
| event_ids | A list of event ids to fetch | Array | |
Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | OK | application/json | Example response below |
| 400 | Bad Request | application/json | N/A |
| 403 | Forbidden | application/json | N/A |
| 429 | Too Many Requests | application/json | N/A |
| 500 | Internal Server Error | application/json | N/A |
Examples
Request
Request Headers
Request Body
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
POST https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/detail_jobsX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"{
"event_ids": ["DA9E269E-421D-469D-A212-9062888A02F4"]
}{
"job_id": "6525d831-c8d3-4966-a335-97a5a5d7d6b0-sqs"
}
Request
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/detail_jobs \
-X POST \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{
"event_ids": ["D06DC822-B25E-4162-A5A7-6166BFA9B8DF"]
}'
{
"job_id": "cf037be0-b51d-4d89-8513-f85069f81dac-sqs"
}
Code
Result
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
from cbc_sdk import CBCloudAPI
from cbc_sdk.enterprise_edr import AuthEvent
# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
cb = CBCloudAPI(profile='example_profile')
# Get the details of all the results
all_events = cb.select(AuthEvent).where(process_pid=2000)
# Get the details of a particular result by id
event = cb.select(AuthEvent, "example-event-id")
print(all_events[0].get_details()) AuthEvent object, bound to https://defense.conferdeploy.net.
Partially initialized. Use .refresh() to load all attributes
-------------------------------------------------------------------------------
auth_cleartext_credentials_logon: False
auth_daemon_logon: False
auth_domain_name: NT AUTHORITY
auth_elevated_token_logon: False
auth_event_action: LOGOFF_SUCCESS
auth_failed_logon_count: 0
auth_impersonation_level: IMPERSONATION_INVALID
auth_interactive_logon: False
auth_key_length: 0
auth_logon_id: 00000000-302883E9
auth_logon_type: 9
auth_package: Negotiate
auth_remote_logon: False
auth_remote_port: 0
auth_restricted_admin_logon: False
auth_user_id: S-1-5-18
auth_username: SYSTEM
auth_virtual_account_logon: False
backend_timestamp: 2023-03-08T08:18:19.790Z
childproc_count: 0
crossproc_count: 1859
device_external_ip: 81.153.81.191
device_group_id: 0
device_id: 18101914
device_installed_by: RICHM\Administrator
device_internal_ip: 192.168.200.15
device_location: UNKNOWN
device_name: richm\win11
device_os: WINDOWS
device_os_version: Windows 11 x64
device_policy: richm_policy
device_policy_id: 20886205
device_sensor_version: 3.9.1.2464
device_target_priority: MEDIUM
device_timestamp: 2023-03-08T08:15:03.090Z
document_guid: Svx0mK2hQfurTDWL8XsHiw
event_id: 9D137450-6428-446E-8C23-F0C526156A0C
event_report_code: SUB_RPT_NONE
filemod_count: 33
ingress_time: 1678263444460
modload_count: 7
netconn_count: 113
org_id: ABCD1234
parent_cmdline: wininit.exe
parent_cmdline_length: 11
parent_effective_reputation: LOCAL_WHITE
parent_effective_reputation_source: IGNORE
parent_guid: ABCD1234-0114369a-000002ac-00000000-1d94538fb2b...
parent_hash: [list:2 items]:
[0]: 9efa02fba3a4a914f7e800f3d5b2df54
[1]: 1f3f889b5a0150f4620d1ef4d23d778de243febb8b4d3b7...
parent_name: c:\windows\system32\wininit.exe
parent_pid: 684
parent_publisher: [list:1 item]:
[0]: Microsoft Windows Publisher
parent_publisher_state: [list:4 items]:
[0]: FILE_SIGNATURE_STATE_VERIFIED
[1]: FILE_SIGNATURE_STATE_OS
[2]: FILE_SIGNATURE_STATE_TRUSTED
[...]
parent_reputation: NOT_LISTED
process_cmdline: [list:1 item]:
[0]: C:\Windows\system32\lsass.exe
process_cmdline_length: [list:1 item]:
[0]: 29
process_company_name: Microsoft Corporation
process_effective_reputation: LOCAL_WHITE
process_effective_reputation_source: IGNORE
process_elevated: True
process_file_description: Local Security Authority Process
process_guid: ABCD1234-0114369a-0000033c-00000000-1d94538fb4e...
process_hash: [list:2 items]:
[0]: c0ba0caebf823de8f2ebf49eea9cc5e5
[1]: c72b9e35e307fefe59bacc3c65842e93b963f6c37329340...
process_integrity_level: SYSTEM
process_internal_name: lsass.exe
process_name: c:\windows\system32\lsass.exe
process_original_filename: lsass.exe
process_pid: [list:1 item]:
[0]: 828
process_privileges: [list:19 items]:
[0]: SeIncreaseBasePriorityPrivilege
[1]: SeCreateGlobalPrivilege
[2]: SeChangeNotifyPrivilege
[...]
process_product_name: Microsoft® Windows® Operating System
process_product_version: 10.0.22000.1098
process_publisher: [list:1 item]:
[0]: Microsoft Windows Publisher
process_publisher_state: [list:4 items]:
[0]: FILE_SIGNATURE_STATE_VERIFIED
[1]: FILE_SIGNATURE_STATE_OS
[2]: FILE_SIGNATURE_STATE_TRUSTED
[...]
process_reputation: NOT_LISTED
process_sha256: c72b9e35e307fefe59bacc3c65842e93b963f6c37329340...
process_start_time: 2023-02-20T14:38:22.087Z
process_username: [list:1 item]:
[0]: NT AUTHORITY\SYSTEM
regmod_count: 42
scriptload_count: 0
windows_event_id: 4634Get Auth Events Detail Job Results
Retrieves the Auth Events Detail Job results for a given job ID.
Results may be available immediately but will be complete once the job finishes, as this call is asynchronous. The job will be complete when contacted == completed in the response.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.search.events |
READ |
Majority of environments |
| VMware Cloud Services Platform | _API.Search:org.Events:read |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/detail_jobs/{job_id}/results
Query Parameters
| Parameter | Required | Description | Values | Default |
|---|---|---|---|---|
| start | No | First row to use for pagination | Long | Default: 0 |
| rows | No | Number of rows to request for pagination | Long | Default: 500
Max: 10k |
Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | OK | application/json | Example response below |
| 400 | Bad Request | application/json | N/A |
| 403 | Forbidden | application/json | N/A |
| 429 | Too Many Requests | application/json | N/A |
| 500 | Internal Server Error | application/json | N/A |
Examples
Request
Request Headers
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/detail_jobs/6525d831-c8d3-4966-a335-97a5a5d7d6b0-sqs/resultsX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"{
"results": [
{
"auth_cleartext_credentials_logon": false,
"auth_daemon_logon": true,
"auth_domain_name": "NT AUTHORITY",
"auth_elevated_token_logon": true,
"auth_event_action": "LOGON_SUCCESS",
"auth_failed_logon_count": 0,
"auth_impersonation_level": "IMPERSONATION_LOCAL_ONLY",
"auth_interactive_logon": false,
"auth_key_length": 0,
"auth_logon_id": "00000000-000003E7",
"auth_logon_type": 5,
"auth_package": "Negotiate",
"auth_remote_device": "-",
"auth_remote_logon": false,
"auth_remote_port": 0,
"auth_restricted_admin_logon": false,
"auth_user_id": "S-1-5-18",
"auth_username": "SYSTEM",
"auth_virtual_account_logon": false,
"backend_timestamp": "2023-01-13T17:18:36.195Z",
"childproc_count": 0,
"crossproc_count": 48,
"device_external_ip": "52.116.18.136",
"device_group_id": 0,
"device_id": 12345678,
"device_installed_by": "CBAWTD\\Administrator",
"device_internal_ip": "192.168.231.164",
"device_location": "UNKNOWN",
"device_name": "test_name",
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64",
"device_policy": "test-monitor",
"device_policy_id": 20622246,
"device_sensor_version": "3.9.0.2352",
"device_target_priority": "MEDIUM",
"device_timestamp": "2023-01-13T17:17:45.322Z",
"document_guid": "e0Huct8dQRyYfOEHImpfkA",
"event_id": "DA9E269E-421D-469D-A212-9062888A02F4",
"event_report_code": "SUB_RPT_NONE",
"filemod_count": 3,
"ingress_time": 1673630293265,
"modload_count": 1,
"netconn_count": 35,
"org_id": "ABCD1234",
"parent_cmdline": "wininit.exe",
"parent_cmdline_length": 11,
"parent_effective_reputation": "TRUSTED_WHITE_LIST",
"parent_effective_reputation_source": "IGNORE",
"parent_guid": "ABCD1234-010dde78-00000260-00000000-1d9275de5e5b262",
"parent_hash": [
"9ef51c8ad595c5e2a123c06ad39fccd7",
"268ca325c8f12e68b6728ff24d6536030aab6e05603d0179033b1e51d8476d86"
],
"parent_name": "c:\\windows\\system32\\wininit.exe",
"parent_pid": 608,
"parent_publisher": [
"Microsoft Windows Publisher"
],
"parent_publisher_state": [
"FILE_SIGNATURE_STATE_VERIFIED",
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_SIGNED"
],
"parent_reputation": "TRUSTED_WHITE_LIST",
"process_cmdline": [
"C:\\Windows\\system32\\lsass.exe"
],
"process_cmdline_length": [
29
],
"process_company_name": "Microsoft Corporation",
"process_effective_reputation": "TRUSTED_WHITE_LIST",
"process_effective_reputation_source": "IGNORE",
"process_elevated": true,
"process_file_description": "Local Security Authority Process",
"process_guid": "ABCD1234-010dde78-00000308-00000000-1d9275de6169dd7",
"process_hash": [
"15a556def233f112d127025ab51ac2d3",
"362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427"
],
"process_integrity_level": "SYSTEM",
"process_internal_name": "lsass.exe",
"process_name": "c:\\windows\\system32\\lsass.exe",
"process_original_filename": "lsass.exe",
"process_pid": [
776
],
"process_privileges": [
"SeIncreaseBasePriorityPrivilege",
"SeCreateGlobalPrivilege",
"SeChangeNotifyPrivilege",
"SeCreateSymbolicLinkPrivilege",
"SeDelegateSessionUserImpersonatePrivilege",
"SeSystemProfilePrivilege",
"SeDebugPrivilege",
"SeProfileSingleProcessPrivilege",
"SeLockMemoryPrivilege",
"SeCreatePagefilePrivilege",
"SeTimeZonePrivilege",
"SeTcbPrivilege",
"SeIncreaseWorkingSetPrivilege",
"SeImpersonatePrivilege",
"SeCreatePermanentPrivilege",
"SeAuditPrivilege"
],
"process_product_name": "Microsoft® Windows® Operating System",
"process_product_version": "10.0.19041.906",
"process_publisher": [
"Microsoft Windows Publisher"
],
"process_publisher_state": [
"FILE_SIGNATURE_STATE_VERIFIED",
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_SIGNED"
],
"process_reputation": "TRUSTED_WHITE_LIST",
"process_sha256": "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427",
"process_start_time": "2023-01-13T14:47:02.982Z",
"process_username": [
"NT AUTHORITY\\SYSTEM"
],
"regmod_count": 11,
"scriptload_count": 0,
"windows_event_id": 4624
}
],
"num_found": 1,
"num_available": 1,
"approximate_unaggregated": 1,
"num_aggregated": 1,
"contacted": 11,
"completed": 11
}
Request
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/detail_jobs/6525d831-c8d3-4966-a335-97a5a5d7d6b0-sqs/results \
-X GET \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456'{
"results": [
{
"auth_cleartext_credentials_logon": false,
"auth_daemon_logon": true,
"auth_domain_name": "NT AUTHORITY",
"auth_elevated_token_logon": true,
"auth_event_action": "LOGON_SUCCESS",
"auth_failed_logon_count": 0,
"auth_impersonation_level": "IMPERSONATION_LOCAL_ONLY",
"auth_interactive_logon": false,
"auth_key_length": 0,
"auth_logon_id": "00000000-000003E7",
"auth_logon_type": 5,
"auth_package": "Negotiate",
"auth_remote_device": "-",
"auth_remote_logon": false,
"auth_remote_port": 0,
"auth_restricted_admin_logon": false,
"auth_user_id": "S-1-5-18",
"auth_username": "SYSTEM",
"auth_virtual_account_logon": false,
"backend_timestamp": "2023-01-13T17:18:36.195Z",
"childproc_count": 0,
"crossproc_count": 48,
"device_external_ip": "52.116.18.136",
"device_group_id": 0,
"device_id": 12345678,
"device_installed_by": "CBAWTD\\Administrator",
"device_internal_ip": "192.168.231.164",
"device_location": "UNKNOWN",
"device_name": "test_name",
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64",
"device_policy": "test-monitor",
"device_policy_id": 20622246,
"device_sensor_version": "3.9.0.2352",
"device_target_priority": "MEDIUM",
"device_timestamp": "2023-01-13T17:17:45.322Z",
"document_guid": "e0Huct8dQRyYfOEHImpfkA",
"event_id": "DA9E269E-421D-469D-A212-9062888A02F4",
"event_report_code": "SUB_RPT_NONE",
"filemod_count": 3,
"ingress_time": 1673630293265,
"modload_count": 1,
"netconn_count": 35,
"org_id": "ABCD1234",
"parent_cmdline": "wininit.exe",
"parent_cmdline_length": 11,
"parent_effective_reputation": "TRUSTED_WHITE_LIST",
"parent_effective_reputation_source": "IGNORE",
"parent_guid": "ABCD1234-010dde78-00000260-00000000-1d9275de5e5b262",
"parent_hash": [
"9ef51c8ad595c5e2a123c06ad39fccd7",
"268ca325c8f12e68b6728ff24d6536030aab6e05603d0179033b1e51d8476d86"
],
"parent_name": "c:\\windows\\system32\\wininit.exe",
"parent_pid": 608,
"parent_publisher": [
"Microsoft Windows Publisher"
],
"parent_publisher_state": [
"FILE_SIGNATURE_STATE_VERIFIED",
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_SIGNED"
],
"parent_reputation": "TRUSTED_WHITE_LIST",
"process_cmdline": [
"C:\\Windows\\system32\\lsass.exe"
],
"process_cmdline_length": [
29
],
"process_company_name": "Microsoft Corporation",
"process_effective_reputation": "TRUSTED_WHITE_LIST",
"process_effective_reputation_source": "IGNORE",
"process_elevated": true,
"process_file_description": "Local Security Authority Process",
"process_guid": "ABCD1234-010dde78-00000308-00000000-1d9275de6169dd7",
"process_hash": [
"15a556def233f112d127025ab51ac2d3",
"362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427"
],
"process_integrity_level": "SYSTEM",
"process_internal_name": "lsass.exe",
"process_name": "c:\\windows\\system32\\lsass.exe",
"process_original_filename": "lsass.exe",
"process_pid": [
776
],
"process_privileges": [
"SeIncreaseBasePriorityPrivilege",
"SeCreateGlobalPrivilege",
"SeChangeNotifyPrivilege",
"SeCreateSymbolicLinkPrivilege",
"SeDelegateSessionUserImpersonatePrivilege",
"SeSystemProfilePrivilege",
"SeDebugPrivilege",
"SeProfileSingleProcessPrivilege",
"SeLockMemoryPrivilege",
"SeCreatePagefilePrivilege",
"SeTimeZonePrivilege",
"SeTcbPrivilege",
"SeIncreaseWorkingSetPrivilege",
"SeImpersonatePrivilege",
"SeCreatePermanentPrivilege",
"SeAuditPrivilege"
],
"process_product_name": "Microsoft® Windows® Operating System",
"process_product_version": "10.0.19041.906",
"process_publisher": [
"Microsoft Windows Publisher"
],
"process_publisher_state": [
"FILE_SIGNATURE_STATE_VERIFIED",
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_SIGNED"
],
"process_reputation": "TRUSTED_WHITE_LIST",
"process_sha256": "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427",
"process_start_time": "2023-01-13T14:47:02.982Z",
"process_username": [
"NT AUTHORITY\\SYSTEM"
],
"regmod_count": 11,
"scriptload_count": 0,
"windows_event_id": 4624
}
],
"num_found": 1,
"num_available": 1,
"approximate_unaggregated": 1,
"num_aggregated": 1,
"contacted": 11,
"completed": 11
}
Code
Result
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
from cbc_sdk import CBCloudAPI
from cbc_sdk.enterprise_edr import AuthEvent
# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
cb = CBCloudAPI(profile='example_profile')
# Get the details of all the results
all_events = cb.select(AuthEvent).where(process_pid=2000)
# Get the details of a particular result by id
event = cb.select(AuthEvent, "example-event-id")
print(all_events[0].get_details()) AuthEvent object, bound to https://defense.conferdeploy.net.
Partially initialized. Use .refresh() to load all attributes
-------------------------------------------------------------------------------
auth_cleartext_credentials_logon: False
auth_daemon_logon: False
auth_domain_name: NT AUTHORITY
auth_elevated_token_logon: False
auth_event_action: LOGOFF_SUCCESS
auth_failed_logon_count: 0
auth_impersonation_level: IMPERSONATION_INVALID
auth_interactive_logon: False
auth_key_length: 0
auth_logon_id: 00000000-302883E9
auth_logon_type: 9
auth_package: Negotiate
auth_remote_logon: False
auth_remote_port: 0
auth_restricted_admin_logon: False
auth_user_id: S-1-5-18
auth_username: SYSTEM
auth_virtual_account_logon: False
backend_timestamp: 2023-03-08T08:18:19.790Z
childproc_count: 0
crossproc_count: 1859
device_external_ip: 81.153.81.191
device_group_id: 0
device_id: 18101914
device_installed_by: RICHM\Administrator
device_internal_ip: 192.168.200.15
device_location: UNKNOWN
device_name: richm\win11
device_os: WINDOWS
device_os_version: Windows 11 x64
device_policy: richm_policy
device_policy_id: 20886205
device_sensor_version: 3.9.1.2464
device_target_priority: MEDIUM
device_timestamp: 2023-03-08T08:15:03.090Z
document_guid: Svx0mK2hQfurTDWL8XsHiw
event_id: 9D137450-6428-446E-8C23-F0C526156A0C
event_report_code: SUB_RPT_NONE
filemod_count: 33
ingress_time: 1678263444460
modload_count: 7
netconn_count: 113
org_id: ABCD1234
parent_cmdline: wininit.exe
parent_cmdline_length: 11
parent_effective_reputation: LOCAL_WHITE
parent_effective_reputation_source: IGNORE
parent_guid: ABCD1234-0114369a-000002ac-00000000-1d94538fb2b...
parent_hash: [list:2 items]:
[0]: 9efa02fba3a4a914f7e800f3d5b2df54
[1]: 1f3f889b5a0150f4620d1ef4d23d778de243febb8b4d3b7...
parent_name: c:\windows\system32\wininit.exe
parent_pid: 684
parent_publisher: [list:1 item]:
[0]: Microsoft Windows Publisher
parent_publisher_state: [list:4 items]:
[0]: FILE_SIGNATURE_STATE_VERIFIED
[1]: FILE_SIGNATURE_STATE_OS
[2]: FILE_SIGNATURE_STATE_TRUSTED
[...]
parent_reputation: NOT_LISTED
process_cmdline: [list:1 item]:
[0]: C:\Windows\system32\lsass.exe
process_cmdline_length: [list:1 item]:
[0]: 29
process_company_name: Microsoft Corporation
process_effective_reputation: LOCAL_WHITE
process_effective_reputation_source: IGNORE
process_elevated: True
process_file_description: Local Security Authority Process
process_guid: ABCD1234-0114369a-0000033c-00000000-1d94538fb4e...
process_hash: [list:2 items]:
[0]: c0ba0caebf823de8f2ebf49eea9cc5e5
[1]: c72b9e35e307fefe59bacc3c65842e93b963f6c37329340...
process_integrity_level: SYSTEM
process_internal_name: lsass.exe
process_name: c:\windows\system32\lsass.exe
process_original_filename: lsass.exe
process_pid: [list:1 item]:
[0]: 828
process_privileges: [list:19 items]:
[0]: SeIncreaseBasePriorityPrivilege
[1]: SeCreateGlobalPrivilege
[2]: SeChangeNotifyPrivilege
[...]
process_product_name: Microsoft® Windows® Operating System
process_product_version: 10.0.22000.1098
process_publisher: [list:1 item]:
[0]: Microsoft Windows Publisher
process_publisher_state: [list:4 items]:
[0]: FILE_SIGNATURE_STATE_VERIFIED
[1]: FILE_SIGNATURE_STATE_OS
[2]: FILE_SIGNATURE_STATE_TRUSTED
[...]
process_reputation: NOT_LISTED
process_sha256: c72b9e35e307fefe59bacc3c65842e93b963f6c37329340...
process_start_time: 2023-02-20T14:38:22.087Z
process_username: [list:1 item]:
[0]: NT AUTHORITY\SYSTEM
regmod_count: 42
scriptload_count: 0
windows_event_id: 4634Events Facet
Start Auth Events Facet Job
Creates an Auth Events Facet job. The results for the facet job may be requested using the job_id returned. This route will not request processes.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.search.events |
READ, CREATE |
Majority of environments |
| VMware Cloud Services Platform | _API.Search:org.Events:read |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
| VMware Cloud Services Platform | _API.Search:org.Events:create |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/facet_jobs
Request Body - application/json
{
"criteria": {
"<additionalProp1>": [ { "<key>": "<value>" } ]
},
"exclusions": {
"<additionalProp1>": [ { "<key>": "<value>" } ]
},
"query": "<string>",
"ranges": [
{
"bucket_size": { "<key>": "<value>" },
"end": { "<key>": "<value>" },
"field": "<string>",
"start": { "<key>": "<value>" }
}
],
"terms": {
"fields": [ "<string>" ],
"rows": <integer>
},
"time_range": {
"end": "<string>",
"start": "<string>",
"window": "<string>"
}
}
Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
| criteria | Criteria is an object that represents values that must be in the results. Either query or criteria/exclusion must be included. |
Object | |
| exclusions | Exclusions is a map that represents values that must not be in the results. Either query or criteria/exclusion must be included. |
Object | |
| query | Query in lucene syntax and/or including value searches. Either query or criteria/exclusion must be included. |
String | Example: |
| ranges | Allows grouping for properties that are ISO 8601 UTC timestamps or numbers. Bucket size for ISO 8601 UTC timestamps uses SOLR DateMathParser | Array | |
| terms | The enriched events fields to facet and how many of the top entries to return. | Object | 100 |
| time_range | Describes a time window to restrict the search to match using device_timestamp as the reference. Window will take priority over start and end if provided. |
Object | window: “-2w” where y=year, w=week, d=day, h=hour, m=minute, s=second
start: ISO 8601 UTC timestamp
end: ISO 8601 UTC timestamp |
Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | OK | application/json | Example response below |
| 400 | Bad Request | application/json | N/A |
| 403 | Forbidden | application/json | N/A |
| 429 | Too Many Requests | application/json | N/A |
| 500 | Internal Server Error | application/json | N/A |
Examples
Request
Request Headers
Request Body
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
POST https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/facet_jobsX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"{
"criteria": {},
"exclusions": {},
"query": "(auth_username:Administrator) AND (device_name:test_name)",
"terms": {
"fields": [
"windows_event_id",
"auth_username",
"auth_user_id",
"auth_logon_type",
"auth_logon_id",
"auth_domain_name",
"auth_remote_device",
"auth_remote_ipv4",
"auth_remote_port",
"auth_privileges",
"auth_interactive_logon",
"auth_remote_logon",
"parent_guid",
"process_name",
"device_name"
],
"rows": 1
},
"time_range": {
"start": "2023-01-10T16:20:40.471Z",
"end": "2023-01-20T16:20:40.471Z"
}
}{
"job_id": "ff19b247-8b27-4bec-84d8-7b316660c389"
}
Request
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/facet_jobs \
-X POST \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{
"criteria": {},
"exclusions": {},
"query": "(auth_username:Administrator) AND (device_name:w10cbws2thtplt)",
"terms": {
"fields": [
"windows_event_id",
"auth_username",
"process_name",
"device_name"
],
"rows": 1
},
"time_range": {
"window": "-50w"
}
}'
{
"job_id": "ff19b247-8b27-4bec-84d8-7b316660c389"
}
Code
Result
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
from cbc_sdk import CBCloudAPI
from cbc_sdk.enterprise_edr import AuthEvent
# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
cb = CBCloudAPI(profile='example_profile')
events_facet = cb.select(AuthEventFacet).where("auth_username:SYSTEM").add_facet_field("process_name")
print(events_facet.results)AuthEventFacet object, bound to https://defense.conferdeploy.net.
-------------------------------------------------------------------------------
completed: 54
contacted: 54
job_id: 05292684-7661-4b25-8803-e9be7116c0a0
num_found: 198
ranges: [list:0 items]
terms: [list:1 item]:
[0]: {'values': [{'total': 198, 'id': 'c:\\windows\\...Get Auth Events Facet Job Results
Retrieves the auth event facet results for a given job_id.
Results may be available immediately but will be complete once the job finishes, as this call is asynchronous. The job will be complete when contacted == completed in the response.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.search.events |
READ |
Majority of environments |
| VMware Cloud Services Platform | _API.Search:org.Events:read |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/facet_jobs/{job_id}/results
Query Parameters
| Parameter | Required | Description | Values | Default |
|---|---|---|---|---|
| limit | No | Maximum number of facets per category | Integer | 100 |
Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | OK | application/json | Example response below |
| 400 | Bad Request | application/json | N/A |
| 403 | Forbidden | application/json | N/A |
| 429 | Too Many Requests | application/json | N/A |
| 500 | Internal Server Error | application/json | N/A |
Examples
Request
Request Headers
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/facet_jobs/ff19b247-8b27-4bec-84d8-7b316660c389/resultsX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"{
"ranges": [],
"terms": [
{
"values": [
{
"total": 26,
"id": "CBAWTD",
"name": "CBAWTD"
}
],
"field": "auth_domain_name"
},
{
"values": [
{
"total": 21,
"id": "true",
"name": "true"
}
],
"field": "auth_interactive_logon"
},
{
"values": [
{
"total": 3,
"id": "00000000-000682E5",
"name": "00000000-000682E5"
}
],
"field": "auth_logon_id"
},
{
"values": [
{
"total": 10,
"id": "11",
"name": "11"
}
],
"field": "auth_logon_type"
},
{
"values": [
{
"total": 5,
"id": "SeBackupPrivilege",
"name": "SeBackupPrivilege"
}
],
"field": "auth_privileges"
},
{
"values": [
{
"total": 15,
"id": "W10CBWS2THTPLT",
"name": "W10CBWS2THTPLT"
}
],
"field": "auth_remote_device"
},
{
"values": [
{
"total": 10,
"id": "127.0.0.1",
"name": "127.0.0.1"
}
],
"field": "auth_remote_ipv4"
},
{
"values": [
{
"total": 26,
"id": "false",
"name": "false"
}
],
"field": "auth_remote_logon"
},
{
"values": [
{
"total": 26,
"id": "0",
"name": "0"
}
],
"field": "auth_remote_port"
},
{
"values": [
{
"total": 21,
"id": "S-1-5-21-1613105849-671609947-2392320032-500",
"name": "S-1-5-21-1613105849-671609947-2392320032-500"
}
],
"field": "auth_user_id"
},
{
"values": [
{
"total": 26,
"id": "Administrator",
"name": "Administrator"
}
],
"field": "auth_username"
},
{
"values": [
{
"total": 26,
"id": "test_name",
"name": "test_name"
}
],
"field": "device_name"
},
{
"values": [
{
"total": 4,
"id": "ABCD1234-010dde78-0000025c-00000000-1d9273b461e9f0f",
"name": "ABCD1234-010dde78-0000025c-00000000-1d9273b461e9f0f"
}
],
"field": "parent_guid"
},
{
"values": [
{
"total": 20,
"id": "c:\\windows\\system32\\lsass.exe",
"name": "c:\\windows\\system32\\lsass.exe"
}
],
"field": "process_name"
},
{
"values": [
{
"total": 10,
"id": "4624",
"name": "4624"
}
],
"field": "windows_event_id"
}
],
"num_found": 26,
"contacted": 9,
"completed": 9
}
Request
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/facet_jobs/ff19b247-8b27-4bec-84d8-7b316660c389/results \
-X GET \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456'{
"ranges": [],
"terms": [
{
"values": [
{
"total": 26,
"id": "CBAWTD",
"name": "CBAWTD"
}
],
"field": "auth_domain_name"
},
{
"values": [
{
"total": 21,
"id": "true",
"name": "true"
}
],
"field": "auth_interactive_logon"
},
{
"values": [
{
"total": 3,
"id": "00000000-000682E5",
"name": "00000000-000682E5"
}
],
"field": "auth_logon_id"
},
{
"values": [
{
"total": 10,
"id": "11",
"name": "11"
}
],
"field": "auth_logon_type"
},
{
"values": [
{
"total": 5,
"id": "SeBackupPrivilege",
"name": "SeBackupPrivilege"
}
],
"field": "auth_privileges"
},
{
"values": [
{
"total": 15,
"id": "W10CBWS2THTPLT",
"name": "W10CBWS2THTPLT"
}
],
"field": "auth_remote_device"
},
{
"values": [
{
"total": 10,
"id": "127.0.0.1",
"name": "127.0.0.1"
}
],
"field": "auth_remote_ipv4"
},
{
"values": [
{
"total": 26,
"id": "false",
"name": "false"
}
],
"field": "auth_remote_logon"
},
{
"values": [
{
"total": 26,
"id": "0",
"name": "0"
}
],
"field": "auth_remote_port"
},
{
"values": [
{
"total": 21,
"id": "S-1-5-21-1613105849-671609947-2392320032-500",
"name": "S-1-5-21-1613105849-671609947-2392320032-500"
}
],
"field": "auth_user_id"
},
{
"values": [
{
"total": 26,
"id": "Administrator",
"name": "Administrator"
}
],
"field": "auth_username"
},
{
"values": [
{
"total": 26,
"id": "test_name",
"name": "test_name"
}
],
"field": "device_name"
},
{
"values": [
{
"total": 4,
"id": "ABCD1234-010dde78-0000025c-00000000-1d9273b461e9f0f",
"name": "ABCD1234-010dde78-0000025c-00000000-1d9273b461e9f0f"
}
],
"field": "parent_guid"
},
{
"values": [
{
"total": 20,
"id": "c:\\windows\\system32\\lsass.exe",
"name": "c:\\windows\\system32\\lsass.exe"
}
],
"field": "process_name"
},
{
"values": [
{
"total": 10,
"id": "4624",
"name": "4624"
}
],
"field": "windows_event_id"
}
],
"num_found": 26,
"contacted": 9,
"completed": 9
}
Code
Result
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
from cbc_sdk import CBCloudAPI
from cbc_sdk.enterprise_edr import AuthEvent
# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
cb = CBCloudAPI(profile='example_profile')
events_facet = cb.select(AuthEventFacet).where("auth_username:SYSTEM").add_facet_field("process_name")
print(events_facet.results)AuthEventFacet object, bound to https://defense.conferdeploy.net.
-------------------------------------------------------------------------------
completed: 54
contacted: 54
job_id: 05292684-7661-4b25-8803-e9be7116c0a0
num_found: 198
ranges: [list:0 items]
terms: [list:1 item]:
[0]: {'values': [{'total': 198, 'id': 'c:\\windows\\...Give Feedback
New survey coming soon!
Last modified on February 14, 2024