Event Search Fields API for CB ThreatHunter

Version: v1

Event Search Fields

This page describes fields that can be used for searching, with following additional information:

  1. ‘Data type’ describes type of data returned. Special type ‘tokenized’ indicates that it is a string that is tokenized and can be searched through partial phrase. If type is followed by [], it means that field contains array of elements

  2. ‘Returned’ indicates that given field will be returned in the search results. If not, given field can only be used in search, but will not be returned as part of the result

  3. ‘Searchable’ indicates that field can be searched. Some fields can only be searched, while some will only be returned on search results

  4. ‘Supports Facets’ indicates that the field can be used for faceting expressions

Field Name Data Type Returned Searchable Supports Facets Description
event_guid string Yes Yes Yes a globally unique identifier for this event document
process_guid string Yes Yes Yes process guid representing the process that this event belongs to
event_type string Yes Yes Yes event type, one of: filemod, netconn, regmod, modload, crossproc, childproc
event_timestamp date Yes Yes Yes timestamp of the event on the device
backend_timestamp date Yes Yes Yes timestamp for when the process was ingested by the backend
created_timestamp date Yes Yes Yes timestamp for when the event document was created
sensor_action string Yes Yes Yes associated action (if any) that sensor took on this operation, one of: ACTION_TERMINATE and ACTION_BLOCK
alert_id string Yes Yes Yes id of the alert associated with this event
ttp string[] Yes Yes Yes list of TTPs associated with this event
legacy boolean Yes Yes Yes true if this event comes from the CbD data stream
legacy_description tokenized string Yes Yes Yes description for events that come from the CbD data stream
filemod_md5 string Yes Yes Yes md5 of the actor that modified the file
filemod_sha256 string Yes Yes Yes sha256 of the actor that modified the file
filemod_name filepath Yes Yes Yes path for the file that was modified
filemod_action string Yes Yes Yes action associated with the file operation, one or more of ACTION_INVALID, ACTION_FILE_CREATE, ACTION_FILE_WRITE, ACTION_FILE_DELETE, ACTION_FILE_LAST_WRITE, ACTION_FILE_MOD_OPEN, ACTION_FILE_RENAME, ACTION_FILE_UNDELETE, ACTION_FILE_TRUNCATE, ACTION_FILE_OPEN_READ, ACTION_FILE_OPEN_WRITE, ACTION_FILE_OPEN_DELETE, ACTION_FILE_OPEN_EXECUTE, ACTION_FILE_READ
netconn_protocol string Yes Yes Yes protocol of the network connection
netconn_remote_ipv4 int Yes Yes Yes ipv4 the event connected to
netconn_remote_ipv6 string Yes Yes Yes ipv6 the event connected to
netconn_remote_port int Yes Yes Yes port that the event connected to
netconn_local_ipv4 int Yes Yes Yes ipv4 of the process making the network connection
netconn_local_ipv6 string Yes Yes Yes ipv6 of the process making the network connection
netconn_local_port int Yes Yes Yes port of the process making the network connection
netconn_domain domainpath Yes Yes Yes domain name (targed FQDN) related to the outbound network connection of the process (if available)
netconn_inbound boolean Yes Yes Yes true if the connection was an outbound connection
netconn_location string Yes Yes Yes Geolocation of the remote network connection. Geolocation is tokenized to contain City, Region/State and Country
netconn_action string Yes Yes Yes action associated with the registry operation, one or more of: ACTION_CONNECTION_CREATE, ACTION_CONNECTION_CLOSE, ACTION_CONNECTION_ESTABLISHED, ACTION_CONNECTION_CREATE_FAILED, ACTION_CONNECTION_LISTEN
regmod_name filepath Yes Yes Yes registry modifications by this event
regmod_new_name filepath Yes Yes Yes new name of registry key in case of the rename
regmod_action string Yes Yes Yes action associated with the registry operation, one or more of: ACTION_INVALID, ACTION_CREATE_KEY, ACTION_WRITE_VALUE, ACTION_DELETE_KEY, ACTION_DELETE_VALUE, ACTION_RENAME_KEY, ACTION_RESTORE_KEY, ACTION_REPLACE_KEY, ACTION_SET_SECURITY
modload_name filepath Yes Yes Yes modules loaded by this event
modload_md5 string Yes Yes Yes md5 for the modules loaded
modload_sha256 string Yes Yes Yes sha256 for the modules loaded
modload_reputation string Yes Yes Yes reputation for the modules loaded
modload_action string Yes Yes Yes action associated with the modload operation, for now can only be: ACTION_LOAD_MODULE
modload_publisher string Yes Yes Yes publisher that signed this module, if any
modload_publisher_state string Yes Yes Yes Set of states associated with the publisher of the module. Can be combination of FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED
scriptload_name filepath Yes Yes Yes script loaded by this event
scriptload_md5 string Yes Yes Yes md5 for the script loaded
scriptload_sha256 string Yes Yes Yes sha256 for the script loaded
scriptload_reputation string Yes Yes Yes reputation for the script loaded
scriptload_publisher string Yes Yes Yes publisher that signed this script, if any
scriptload_publisher_state string Yes Yes Yes Set of states associated with the publisher of the script. Can be combination of FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED
crossproc_target boolean Yes Yes Yes true if this crossproc event document is a target of a crossproc
crossproc_action string Yes Yes Yes cross-process action that was recorded for the process, one or more of: ACTION_DUP_PROCESS_HANDLE, ACTION_OPEN_THREAD_HANDLE, ACTION_DUP_THREAD_HANDLE, ACTION_CREATE_REMOTE_THREAD, ACTION_API_CALL
crossproc_name filepath Yes Yes Yes path of this side of the crossproc event
crossproc_md5 string Yes Yes Yes md5 of this side of the crossproc event
crossproc_sha256 string Yes Yes Yes sha256 of this side of the crossproc event
crossproc_reputation string Yes Yes Yes reputation of this side of the crossproc event
crossproc_process_guid string Yes Yes Yes process guid of this side of the crossproc event
crossproc_api string Yes Yes Yes system function called by the actor, if any
childproc_process_guid string Yes Yes Yes process guid for the child process
childproc_md5 string Yes Yes Yes md5 for the child process
childproc_sha256 string Yes Yes Yes sha256 for the child process
childproc_name filepath Yes Yes Yes path of the child process
childproc_reputation string Yes Yes Yes reputation of the child process
childproc_cmdline cmdpath Yes Yes Yes cmdlines for the child process
childproc_username user_context Yes Yes Yes usernames for the child process
childproc_modload_count int Yes Yes Yes number of modloads made by the child process
childproc_filemod_count int Yes Yes Yes number of filemods made by the child process
childproc_regmod_count int Yes Yes Yes number of regmods made by the child process
childproc_netconn_count int Yes Yes Yes number of netconns made by the child process
childproc_childproc_count int Yes Yes Yes number of childprocs made by the child process
childproc_crossproc_target_count int Yes Yes Yes number of crossproc targets made by the child process
childproc_crossproc_actor_count int Yes Yes Yes number of crossproc actors made by the child process
Last modified on April 1, 2019