Process Search Fields API for CB ThreatHunter

Version: v1

Process search fields

This page describes the fields that can be used for searching, with the following additional information:

1. ‘Data type’ describes the type of data returned. The special type ‘tokenized’ indicates a string that is tokenized and can be searched by a partial phrase. If the type is followed by [], the field contains an array of elements.
2. ‘Returned’ indicates that the given field will be returned in the search results. If not, the field can only be used as a query term and will not be returned as part of the result.
3. ‘DocValues’ indicates that the given field is stored as docvalues and can be sorted on. In addition, if a field is not marked as “returned” but has docvalues, it can be returned through the explicit fl=field_name Solr syntax.
4. ‘Searchable’ indicates that the field can be searched. Some fields can only be used as a query term, while others will only be returned in search results.
5. ‘Supports Facets’ indicates that the field can be used in faceting expressions.

| Field Name | Data Type | Returned | DocValues | Supports Facets | Description |
|---|---|---|---|---|---|
| document_guid | string | yes | no | yes | Unique id of the Solr document. Built as process_guid + server-side timestamp in epoch ms (1/1/1970 based). This field is searchable. |
| process_guid | string | yes | yes | yes | Unique id of the process (same as document_guid above but without the timestamp suffix). This field is searchable. |
| parent_guid | string | yes | no | no | process_guid of the parent process. This field is searchable. |
| backend_timestamp | date | no | yes | no | Time when the backend received the batch of events in this document, based on the backend’s clock. ISO-8601 formatted time string based on UTC. This field is searchable. |
| org_id | string | yes | yes | yes | Globally unique organization key (will likely be PSC organization id + PSC environment id or some other unique token used across environments). This field is searchable. |
| legacy | boolean | yes | yes | yes | True if the process document came from the legacy data stream (deprecated, use enriched). This field is searchable. |
| enriched | boolean | yes | yes | yes | True if the process document came from the CbD data stream. This field is searchable. |
| enriched_event_type | string | yes | yes | yes | CbD enriched event type. This field is searchable. |
| ttp | string[] | no | yes | yes | Patterns of behavior (i.e., tactics, techniques, procedures) associated with a specific threat actor or group of threat actors. This field is searchable. |
| alert_id | string[] | yes | no | no | Alert IDs associated with the process. This field is searchable. |
| sensor_action | string[] | yes | no | no | Sensor actions associated with the process. This field is set only if one of the following actions has been performed: BLOCK (child process execution was blocked by the Cb Sensor), TERMINATE (process was terminated by the Cb Sensor). This field is searchable. |
| sensor_action_reason | string[] | yes | no | no | List of reasons (if any) that explain why the sensor performed a specific action on the process. Examples are POLICY_ENFORCEMENT, POLICY_DENY, etc. This field is searchable. |
| blocked_hash | string[] | yes | no | no | Hashes of child processes blocked by the Cb Sensor. This field is searchable. |
| device_id | long | yes | yes | yes | Device id that is guaranteed to be unique within each PSC environment, which is a set of organizations. This field is searchable. |
| device_name | string | yes | yes | yes | Name of the device. This field is searchable. |
| device_external_ip | string | no | yes | no | IP address of the host (as reported by the backend; could differ from self_reported_device_ip due to proxying, NATing, etc.). Can be either IPv4 or IPv6. This field is searchable. |
| device_os | string | no | yes | yes | OS type of the device (Windows/OSX/Linux). This field is searchable. |
| device_os_version | tokenized | no | no | no | Version string related to the device OS. This field is searchable. |
| device_group | string | no | yes | yes | Sensor group the device belongs to. This field is searchable. |
| device_group_id | long | yes | yes | yes | Id of the sensor group the device belongs to. This field is searchable. |
| device_policy | string | no | yes | yes | Policy applied to the device. This field is searchable. |
| device_policy_id | long | yes | yes | yes | Id of the policy applied to the device. This field is searchable. |
| device_timestamp | date | yes | yes | no | Time seen on the sensor, based on the sensor’s clock. ISO-8601 formatted time string based on UTC. This field is searchable. |
| device_internal_ip | string | no | yes | no | IP address of the host (as reported by the host). Can be either IPv4 or IPv6. This field is not searchable. |
| modload_count ¹ | int | yes | yes | no | Cumulative count of module loads since process tracking started. This field is searchable. |
| filemod_count ¹ | int | yes | yes | no | Cumulative count of file modifications since process tracking started. This field is searchable. |
| regmod_count ¹ | int | yes | yes | no | Cumulative count of registry modifications since process tracking started. This field is searchable. |
| netconn_count ¹ | int | yes | yes | no | Cumulative count of network connections since process tracking started. This field is searchable. |
| childproc_count ¹ | int | yes | yes | no | Cumulative count of child process creations since process tracking started. This field is searchable. |
| crossproc_count ¹ | int | yes | yes | no | Cumulative count of cross-process events since process tracking started. This field is searchable. |
| process_pid | int[] | yes | no | no | PID of the process. Can be multi-valued in case of exec/fork on Linux/OSX. This field is searchable. |
| process_start_time | date | no | no | no | Time when the process was started. ISO-8601 formatted time string based on UTC. This field is searchable. |
| process_duration | int | no | no | no | Duration of the process in milliseconds. Only terminated processes will have this field set. This field is searchable. |
| process_publisher_state | string[] | no | no | no | Certificate signature state as a string. Can be a combination of FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED, or FILE_SIGNATURE_STATE_NOT_SIGNED if not signed. This field is searchable. |
| process_publisher | tokenized[] | no | no | no | Certificate signer names. This field is searchable. |
| process_product_version | tokenized[] | no | no | no | Product version associated with the process executable (from the binary resource). This field is searchable. |
| process_original_filename | tokenized[] | no | no | no | Original file name of the process executable (from the binary resource). This field is searchable. |
| process_file_description | tokenized[] | no | no | no | File description of the process executable (from the binary resource). This field is searchable. |
| process_product_name | tokenized[] | no | no | no | Product name associated with the process executable (from the binary resource). This field is searchable. |
| process_name | tokenized | yes | yes | yes | Tokenized file path of the process’ main module. This field is searchable. |
| process_hash | string[] | yes | yes | yes | MD5 and SHA-256 hashes of the process’ main module in a multi-valued field. This field is searchable. |
| process_sha256 | string | no | yes | yes | SHA-256 hash of the process’ main module. This field is not searchable. |
| process_cmdline | tokenized[] | no | no | no | Command lines related to the process. Uses a special tokenization algorithm. This field is searchable. |
| process_cmdline_length | int[] | no | no | no | Length of the command lines related to the process. This field is searchable. |
| process_username | string[] | yes | yes | no | Usernames related to the process. Uses a special tokenization algorithm. This field is searchable. |
| process_service_name | string[] | no | yes | yes | Windows service names related to the process. This field is searchable. |
| process_elevated | boolean | no | no | no | True if the process runs with elevated privileges. This field is searchable. |
| process_integrity_level | string | no | no | no | Windows Mandatory Integrity Control (MIC) integrity level. Can be LOW, MEDIUM, HIGH, SYSTEM or PROTECTED. This field is searchable. |
| process_privileges | string[] | no | no | no | Windows privileges associated with the process, such as SeAuditPrivilege or SeImpersonatePrivilege (see Microsoft documentation for the complete list). This field is searchable. |
| process_terminated | boolean | yes | no | no | True if the process was terminated. This field is searchable. |
| process_reputation | string | no | yes | no | Reputation of the process as provided by the CDC. This field is searchable. |
| process_effective_reputation | string | no | yes | no | Reputation of the process as calculated by the sensor. This field is searchable. |
| parent_pid | int | yes | no | no | PID of the parent process. This field is searchable. |
| parent_name | tokenized | no | yes | yes | Tokenized file path of the parent process’ main module. This field is searchable. |
| parent_cmdline | tokenized | no | no | no | Command line related to the parent process. Uses a special tokenization algorithm. This field is searchable. |
| parent_cmdline_length | int | no | no | no | Length of the command line related to the parent process. This field is searchable. |
| parent_hash | string[] | no | yes | no | MD5 and SHA-256 hashes of the parent process’ main module. This field is searchable. |
| parent_publisher_state | string | no | no | no | Certificate signature state of the parent as a string. Can be a combination of FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED, or FILE_SIGNATURE_STATE_NOT_SIGNED if not signed. This field is searchable. |
| parent_reputation | string | no | yes | no | Reputation of the parent process as provided by the CDC. This field is searchable. |
| parent_effective_reputation | string | no | yes | no | Reputation of the parent process as calculated by the sensor. This field is searchable. |
| hash | string[] | no | no | no | Aggregate set of all MD5 and SHA-256 hashes associated with the process (process_hash, childproc_hash, crossproc_hash, filemod_hash and the hash of the modload event); useful for searching by hash. This field is searchable. |
| childproc_reputation | string[] | no | no | no | Reputation of child processes as provided by the CDC. This field is searchable. |
| childproc_publisher_state | string[] | no | no | no | Certificate signature state of the children as a string. Can be a combination of FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED, or FILE_SIGNATURE_STATE_NOT_SIGNED if not signed. This field is searchable. |
| childproc_effective_reputation | string[] | no | no | no | Reputation of child processes as calculated by the sensor. This field is searchable. |
| childproc_guid | string[] | no | no | no | GUIDs of all child processes of this process. This field is searchable. |
| childproc_name | tokenized[] | no | no | no | Tokenized file path of the child process’ main module. This field is searchable. |
| childproc_hash | string[] | no | no | no | MD5 and SHA-256 hashes of the child process’ main module. This field is searchable. |
| childproc_cmdline | tokenized[] | no | no | no | Command lines related to child processes. Uses a special tokenization algorithm. This field is searchable. |
| childproc_cmdline_length | int[] | no | no | no | Length of the command lines related to child processes. This field is searchable. |
| crossproc_name | tokenized[] | no | no | no | Tokenized file paths of the main module of the other processes from the crossproc action. This field is searchable. |
| crossproc_hash | string[] | no | no | no | MD5 and SHA-256 hashes of the main module of the other processes from the crossproc action. This field is searchable. |
| crossproc_action | string | no | no | no | Type of crossproc action, as defined in the protobuf schema. This field is searchable. |
| crossproc_target | boolean | no | no | no | True if the process was the target of the crossproc action; false if it was the actor. This field is searchable. |
| crossproc_api | string | no | no | no | Name of the system API call made by the process. API calls will in some cases have a target. This field is searchable. |
| filemod_hash | string[] | no | no | no | MD5 and SHA-256 hashes of the files modified by the process. This field is searchable. |
| filemod_name | tokenized[] | no | no | no | Tokenized paths of the files modified by the process. This field is searchable. |
| filemod_publisher_state | string[] | no | no | no | Certificate signature state of the written files as a string. Can be a combination of FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED, or FILE_SIGNATURE_STATE_NOT_SIGNED if not signed. This field is searchable. |
| modload_name | tokenized[] | no | no | no | Tokenized paths of the modules loaded by the process. This field is searchable. |
| modload_hash | string[] | no | no | no | MD5 and SHA-256 hashes of the loaded module. This field is searchable. |
| modload_publisher | tokenized[] | no | no | no | Certificate signer names for the loaded modules. This field is searchable. |
| modload_publisher_state | string[] | no | no | no | Certificate signature states of the loaded modules as a string. Can be a combination of FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED, or FILE_SIGNATURE_STATE_NOT_SIGNED if not signed. This field is searchable. |
| scriptload_name | tokenized[] | no | no | no | Tokenized paths of the scripts loaded by the process. This field is searchable. |
| scriptload_hash | string[] | no | no | no | MD5 and SHA-256 hashes of the loaded script. This field is searchable. |
| scriptload_publisher | tokenized[] | no | no | no | Certificate signer names for the loaded scripts. This field is searchable. |
| scriptload_publisher_state | string[] | no | no | no | Certificate signature states of the loaded scripts as a string. Can be a combination of FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED, or FILE_SIGNATURE_STATE_NOT_SIGNED if not signed. This field is searchable. |
| fileless_scriptload_hash | string[] | no | no | no | SHA-256 hashes of the fileless script commands. This field is searchable. |
| fileless_scriptload_cmdline | tokenized[] | no | no | no | Deobfuscated command lines of fileless scripts. This field is searchable. |
| fileless_scriptload_cmdline_length | int[] | no | no | no | Length of the fileless script command lines. This field is searchable. |
| regmod_name | tokenized[] | no | no | no | Tokenized paths of the registry keys modified by the process. This field is searchable. |
| netconn_port | int | no | no | no | Port of the network connection attempted by the process (remote port for an outgoing connection, local port for an incoming connection). This field is searchable. |
| netconn_ipv4 | tokenized | no | no | yes | Remote IPv4 address related to the network connection of the process, stored as an integer so that it can be easily filtered by range. This field is searchable. |
| netconn_ipv6 | tokenized | no | no | yes | Remote IPv6 address related to the network connection of the process, stored as a string. This field is searchable. |
| netconn_local_ipv4 | tokenized | no | no | no | Local IPv4 address related to the network connection of the process, stored as an integer so that it can be easily filtered by range. This field is searchable. |
| netconn_local_ipv6 | tokenized | no | no | no | Local IPv6 address related to the network connection of the process, stored as a string. This field is searchable. |
| netconn_domain | tokenized | no | no | no | Domain name (target FQDN) related to the outbound network connection of the process (if available). This field is searchable. |
| netconn_inbound | boolean | no | no | no | True if the network connection was inbound; false if it was outbound. This field is searchable. |
| netconn_failed | boolean | no | no | no | True if the network connection attempt failed. If it succeeded, this field is not set. This field is searchable. |
| netconn_location | tokenized | no | no | no | Geo location of the remote network connection, tokenized to contain City, Region/State and Country. This field is not searchable. |
| netconn_protocol | string | no | yes | yes | Network protocol of the connection. Can be PROTO_TCP or PROTO_UDP. This field is searchable. |
| report_id | int | no | no | no | Id of the report that tagged the process. This field is searchable. |
| report_severity | int | no | no | no | Severity of the report that tagged the process [1..10]. This field is searchable. |
| watchlist_id | int[] | no | no | no | Ids of the watchlists related to the report that tagged the process. This field is searchable. |
| watchlist_name | tokenized | no | no | no | Names of the watchlists related to the report that tagged the process. This field is searchable. |
| watchlist_hit | string[] | yes | yes | no | Aggregated values of other report tag fields in the following format: “::”. There will be one value for each watchlist hit. This field is not searchable. |
| event_id | string | yes | no | no | CBD Event id (valid only for events coming through Analytics). This field is searchable. |
| event_type | string | yes | yes | yes | CBD Event type (valid only for events coming through Analytics). One of CREATE_PROCESS, DATA_ACCESS, FILE_CREATE, INJECT_CODE, NETWORK, POLICY_ACTION, REGISTRY_ACCESS, SYSTEM_API_CALL. This field is searchable. |
| event_description | string | yes | no | no | CBD Event description (valid only for events coming through Analytics). This field is searchable. |
| event_attack_stage | string | no | yes | yes | Stage at which the attack was terminated by CBD. Can be one of RECONNAISSANCE, WEAPONIZE, DELIVER_EXPLOIT, INSTALL_RUN, COMMAND_AND_CONTROL, EXECUTE_GOAL, BREACH. This field is searchable. |
| event_threat_score | int | no | no | yes | Score associated with the threat detected by CBD Analytics. This field is searchable. |

Notes:

* ¹ Counts are from either process start or discovery time. The sensor also does not persist this information across a restart, so counts start again from zero if the sensor is restarted.

Special String Field Values

Some search fields can take only specific values and should be treated as ‘enums’.

Reputation

Fields: process_reputation, parent_reputation

Reputation level from CDC

Possible values:

* UNRECOGNIZED
* REP_RESOLVING
* REP_COMPROMISED_OBSOLETE
* REP_DLP_OBSOLETE
* REP_IGNORE
* REP_WHITE
* REP_ADAPTIVE
* REP_POTENTIALLY_UNWANTED_APP
* REP_ADWARE
* REP_HEURISTIC
* REP_SUSPECT_MALWARE
* REP_KNOWN_MALWARE
* REP_ADMIN_RESTRICT_OBSOLETE
* REP_COMPANY_BLACK
* REP_NOT_LISTED
* REP_COMMON
* REP_GRAY_OBSOLETE
* REP_NOT_COMPANY_WHITE_OBSOLETE
* REP_COMPANY_WHITE
* REP_LOCAL_WHITE

Cross-process Action

Fields: crossproc_action

Cross-process action that was recorded for the process

Possible values:

* ACTION_DUP_PROCESS_HANDLE - Process has initiated cross-process process handle duplication in the target process
* ACTION_OPEN_THREAD_HANDLE - Process has initiated cross-process thread handle open in the target process
* ACTION_DUP_THREAD_HANDLE - Process has initiated cross-process thread handle duplication in the target process
* ACTION_CREATE_REMOTE_THREAD - Process has initiated remote thread creation in the target process

Publisher States

Fields: process_publisher_state

State of one or more of the publishers associated with the main module of the process

The field is of type Integer containing OR-ed flags that indicate the signature state:

* 1 - FILE_SIGNATURE_STATE_SIGNED - File is signed, but the signature is not guaranteed to be valid
* 2 - FILE_SIGNATURE_STATE_VERIFIED - The signature is valid; SIGNED will always be set as well
* 4 - FILE_SIGNATURE_STATE_NOT_SIGNED - File is not signed
* 8 - FILE_SIGNATURE_STATE_UNKNOWN - Initial state of all files; also used when signature verification does not succeed
* 16 - FILE_SIGNATURE_STATE_CHAINED - The signature chains to a locally trusted root certificate
* 32 - FILE_SIGNATURE_STATE_TRUSTED - Signature state is Trusted
* 64 - FILE_SIGNATURE_STATE_OS - File is signed as a component of the OS
* 128 - FILE_SIGNATURE_STATE_CATALOG_SIGNED - File is signed through the catalog
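As an added example (not code from the Carbon Black documentation), the following Python decodes an OR-ed publisher state integer into the flag names listed above, encodes a set of names back into an integer, and applies the consistency rule the list states (VERIFIED always comes with SIGNED). Two things are this example's own assumptions rather than documented behaviour: bits outside the eight listed values are rejected instead of ignored (the page gives no numeric value for FILE_SIGNATURE_STATE_INVALID, so it is not modelled), and the `verified_and_trusted` helper is an illustrative policy choice, not a Carbon Black rule.

```python
# Added example, not from the Carbon Black documentation: decode, encode and
# sanity-check the OR-ed FILE_SIGNATURE_STATE flag values listed above.

FILE_SIGNATURE_STATE_FLAGS = {
    1: "FILE_SIGNATURE_STATE_SIGNED",
    2: "FILE_SIGNATURE_STATE_VERIFIED",
    4: "FILE_SIGNATURE_STATE_NOT_SIGNED",
    8: "FILE_SIGNATURE_STATE_UNKNOWN",
    16: "FILE_SIGNATURE_STATE_CHAINED",
    32: "FILE_SIGNATURE_STATE_TRUSTED",
    64: "FILE_SIGNATURE_STATE_OS",
    128: "FILE_SIGNATURE_STATE_CATALOG_SIGNED",
}
_NAME_TO_BIT = {name: bit for bit, name in FILE_SIGNATURE_STATE_FLAGS.items()}
_KNOWN_MASK = sum(FILE_SIGNATURE_STATE_FLAGS)  # 0xFF: the eight documented bits


def decode_publisher_state(value: int) -> set:
    """Names of every documented flag set in value. Bits outside the eight
    documented ones are rejected rather than silently dropped (assumption:
    the page gives no numeric value for FILE_SIGNATURE_STATE_INVALID)."""
    if value < 0 or value & ~_KNOWN_MASK:
        raise ValueError(f"undocumented bits in publisher state {value:#x}")
    return {name for bit, name in FILE_SIGNATURE_STATE_FLAGS.items() if value & bit}


def encode_publisher_state(names) -> int:
    """Inverse of decode: OR together the bits for the given flag names."""
    value = 0
    for name in names:
        value |= _NAME_TO_BIT[name]  # KeyError for a misspelled flag name
    return value


def publisher_state_problems(value: int) -> list:
    """Consistency checks implied by the definitions above: VERIFIED always
    comes with SIGNED, and SIGNED and NOT_SIGNED cannot both hold."""
    names = decode_publisher_state(value)
    problems = []
    if "FILE_SIGNATURE_STATE_VERIFIED" in names and "FILE_SIGNATURE_STATE_SIGNED" not in names:
        problems.append("VERIFIED set without SIGNED")
    if "FILE_SIGNATURE_STATE_SIGNED" in names and "FILE_SIGNATURE_STATE_NOT_SIGNED" in names:
        problems.append("SIGNED and NOT_SIGNED both set")
    return problems


def verified_and_trusted(value: int) -> bool:
    """Example policy (this example's own choice, not a Carbon Black rule):
    accept a module's signature only when it is both VERIFIED and TRUSTED;
    SIGNED alone says nothing about validity."""
    required = (_NAME_TO_BIT["FILE_SIGNATURE_STATE_VERIFIED"]
                | _NAME_TO_BIT["FILE_SIGNATURE_STATE_TRUSTED"])
    return (value & required) == required


if __name__ == "__main__":
    for state in (3, 4, 35):
        print(state, sorted(decode_publisher_state(state)), publisher_state_problems(state))
```

Running the block prints the decoded names and any consistency problems for three constructed values: 3 (SIGNED | VERIFIED), 4 (NOT_SIGNED) and 35 (SIGNED | VERIFIED | TRUSTED).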

Possible values: *

Special Tokenizations

Some fields are tokenized to allow more efficient searches.

File Path Tokenization

Fields: process_name, parent_name, filemod_name, childproc_name, crossproc_name, modload_name, scriptload_name, regmod_name

Search for path hierarchies. Use the slash (/) character or escaped backslash (\\) characters, and enclose the value in double quotes if the path contains colon or space characters. Exclude any leading path separator. Searching by file extension is also supported.

Search examples:

* process_name:"c:/windows/system32/cmd.exe"
* filemod_name:.wcry
* regmod_name:myregkey/myregvalue
* modload_name:downloads\\myfile.exe
* parent_name:"c:/program files"

Domain name Tokenization

Fields: netconn_domain

Search for any part of the domain. Start or end with ‘.’ to only look for a prefix or suffix.

Search examples:

* netconn_domain:.google.com
* netconn_domain:.ru
* netconn_domain:www.google.com

IPv4 Address Tokenization

Fields: netconn_ipv4

Search examples:

* netconn_ipv4:192.168.0.10
* netconn_ipv4:192.168.0.0/24

IPv6 Address Tokenization

Fields: netconn_ipv6

Search examples:

* netconn_ipv6:"2001:0db8:85a3:0000:0000:8a2e:0370:7334"
* netconn_ipv6:"2001:db8::/127"

Command Line Tokenization

Fields: process_cmdline

Words in the command line can be searched, along with switches (-x /x) and file extensions.

Search examples:

* process_cmdline:"d:/path/myprogram.vbs /v"
* process_cmdline:"d:"
* process_cmdline:.vbs
* process_cmdline:"/v"

Other Field Types

Boolean

Fields: process_terminated

Boolean value with possible values: true and false

Search Example: process_terminated:true

Date

Fields: device_timestamp, backend_timestamp

Date/time field formatted as an ISO-8601 string in the UTC timezone.

Search Examples: device_timestamp:2018-03-14T21:06:45.183Z
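The following Python is an added example, not code from the Carbon Black documentation. It builds search terms that follow the rules from the File Path, Domain name, IPv4/IPv6 and Command Line tokenization sections above and the Boolean and Date formats from this section: paths get forward slashes, no leading separator and quotes when they contain a colon or space; IPv6 values are quoted because they contain colons; timestamps are emitted as ISO-8601 UTC with millisecond precision, and a naive datetime is rejected rather than silently treated as local time. `ipaddress` and `datetime` are standard library. Two points are assumptions not documented on this page: embedded double quotes are backslash-escaped and terms are joined with AND (both standard Solr/Lucene syntax); the case handling of tokenized fields is not documented, so values are passed through unchanged.

```python
import ipaddress
from datetime import datetime, timezone

# Added example, not from the Carbon Black documentation: build search terms
# that follow the tokenization and formatting rules described on this page.

PATH_FIELDS = {
    "process_name", "parent_name", "filemod_name", "childproc_name",
    "crossproc_name", "modload_name", "scriptload_name", "regmod_name",
}


def _quote(value: str) -> str:
    # Assumption: embedded double quotes are backslash-escaped (Lucene/Solr
    # convention); the page itself only shows quoting, not escaping.
    return '"' + value.replace('"', '\\"') + '"'


def path_term(field: str, path: str) -> str:
    """Path-tokenized term: forward slashes, no leading separator, quoted
    when the path contains a colon or a space (e.g. a drive letter)."""
    if field not in PATH_FIELDS:
        raise ValueError(f"{field} is not a path-tokenized field")
    p = path.lstrip("\\/").replace("\\", "/")
    return f"{field}:{_quote(p)}" if (":" in p or " " in p) else f"{field}:{p}"


def domain_term(domain: str) -> str:
    """netconn_domain term; a leading or trailing '.' limits the match to a
    suffix or prefix and is passed through exactly as typed."""
    d = domain.strip()
    if not d.strip(".") or " " in d:
        raise ValueError(f"not a usable domain fragment: {domain!r}")
    return f"netconn_domain:{d}"


def ip_term(value: str) -> str:
    """Remote address term for a single address or a CIDR range, choosing
    netconn_ipv4 or netconn_ipv6. IPv6 values contain colons, so they are quoted."""
    net = ipaddress.ip_network(value, strict=False)  # host bits are masked off
    single = net.prefixlen == net.max_prefixlen
    text = str(net.network_address) if single else str(net)
    if net.version == 4:
        return f"netconn_ipv4:{text}"
    return f"netconn_ipv6:{_quote(text)}"


def cmdline_term(value: str) -> str:
    """process_cmdline term: bare words and extensions (.vbs) go unquoted;
    switches (/v), drive letters (d:) and phrases with spaces are quoted."""
    v = value.replace("\\", "/")
    needs_quotes = " " in v or ":" in v or v.startswith("/")
    return f"process_cmdline:{_quote(v)}" if needs_quotes else f"process_cmdline:{v}"


def boolean_term(field: str, flag: bool) -> str:
    return f"{field}:{'true' if flag else 'false'}"


def iso8601_utc(ts: datetime) -> str:
    """ISO-8601 UTC with millisecond precision and a Z suffix, the format the
    date fields use. Naive datetimes are rejected instead of being treated
    as local time, which would silently skew the query window."""
    if ts.tzinfo is None:
        raise ValueError("naive datetime; attach a timezone first")
    ts = ts.astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def iso8601_from_epoch_ms(ms: int) -> str:
    """Convert an epoch-millisecond value (the unit document_guid's timestamp
    suffix uses) to the date field format without float rounding."""
    ts = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return iso8601_utc(ts.replace(microsecond=(ms % 1000) * 1000))


def date_term(field: str, ts: datetime) -> str:
    return f"{field}:{iso8601_utc(ts)}"


def and_query(*terms: str) -> str:
    # Assumption: AND is accepted as the boolean operator (Solr/Lucene syntax).
    return " AND ".join(terms)


def sample_query() -> str:
    """Constructed example: a terminated cmd.exe that connected to a private
    /24, seen by the sensor at a specific time."""
    seen = datetime(2018, 3, 14, 21, 6, 45, 183000, tzinfo=timezone.utc)
    return and_query(
        path_term("process_name", "C:\\Windows\\System32\\cmd.exe"),
        ip_term("192.168.0.10/24"),
        boolean_term("process_terminated", True),
        date_term("device_timestamp", seen),
    )


if __name__ == "__main__":
    print(sample_query())
```

`ip_term` uses `strict=False` deliberately: a host address with a prefix such as 192.168.0.10/24 is normalised to the 192.168.0.0/24 network before it is placed in the query, which is the form the IPv4 example above uses.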

Last modified on April 1, 2019