Alert Fields 1.0.0
This schema version will be deactivated on September 5, 2024.
The Data Forwarder Alert Schema v1 has been deprecated and replaced by Data Forwarder Alert Schema v2.0.0.
More information on the new schema is in the Data Forwarder Alert Schema v2 documentation; schema migration information is published alongside the other migration guides.
Note: As part of the Alerts v7 API release and Alert Forwarder Schema v2, Observed Alerts were removed.
- Observed Alerts will continue to be returned in Alerts v6 API responses and in Data Forwarder Alert Schema v1.
- An Observed Alert can only be enriched by:
  - searching Enriched Events by alert_id, or
  - searching Observations by event_id, using the created_by_event_id value from the Observed Alert.
- An Observed Alert is identified by category = MONITORED in the API response and category = NOTICE in the Alert Forwarder output (see the category mapping in the Common Fields table below).
- Observed Alerts are not returned in Alerts v7 API responses or in Data Forwarder Alert Schema v2.
- See "Announcing the Alerts V7 API" and "Observed Alerts Become Observations" for more information.
Common Fields
“Common fields” are present in all alert types, while other fields are only present for a specific alert type.
The Data Forwarder emits a set of common fields for every alert. These fields represent common metadata for the customer, device, and alert.
Field | Definition |
---|---|
alert_url | A redirect link back to the Carbon Black Cloud console. CB_ANALYTICS alerts redirect to the Alert Triage page for the specific alert; WATCHLIST alerts redirect to the Investigate page for the specific alert; DEVICE_CONTROL and CONTAINER_RUNTIME alerts redirect to the Alerts page. |
category | Type of alert: WARNING, NOTICE. Note: the values differ from the Alerts API, where WARNING is THREAT and NOTICE is MONITORED. |
create_time | The time the alert was created, as an ISO 8601 UTC timestamp to milliseconds. Example: 2021-07-28T18:38:41.000Z. The samples below carry whole-second precision (e.g. 2021-01-04T22:22:52Z), so parsers should accept both forms. |
device_external_ip | IP address of the endpoint from the perspective of the Carbon Black Cloud. Can differ from device_internal_ip because of a network proxy or NAT. Either IPv4 (dotted decimal notation, e.g. "10.0.103.101") or IPv6 (uncompressed colon-hexadecimal notation with leading zeros kept, e.g. "62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726"). |
device_id | Integer ID of the device that created this alert. (Always empty for Container Runtime alerts.) |
device_internal_ip | IP address of the endpoint as reported by the sensor. Either IPv4 (dotted decimal notation, e.g. "10.0.103.101") or IPv6 (uncompressed colon-hexadecimal notation with leading zeros kept, e.g. "62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726"). (Always empty for Container Runtime alerts.) |
device_name | Hostname of the device that created this alert. (Always empty for Container Runtime alerts.) |
device_os | OS type of the device: Windows, OSX or Linux (the samples below carry the uppercase form WINDOWS). (Always empty for Container Runtime alerts.) |
device_os_version | Version of the OS on the device, e.g. Windows 10 x64. (Always empty for Container Runtime alerts.) |
device_uem_id | "Unified Endpoint Management" identifier assigned by VMware Workspace ONE Intelligence; only populated if the Workspace ONE integration is configured. Unique across Carbon Black Cloud, in GUID format (e.g. "FC3992EE-A8CD-5AD5-AC6D-A477490456E4"). (Always empty for Container Runtime alerts.) |
device_username | Name of the user the sensor was installed under on the device. This is not necessarily the user involved in the alert; to get that user, retrieve the underlying event or process data. (Always empty for Container Runtime alerts.) |
first_event_time | The time the first event associated with the alert was seen, as an ISO 8601 UTC timestamp to seconds. Example: 2021-07-28T17:38:47Z. |
id | The unique long ID of the alert. |
last_event_time | The time the most recent event associated with the alert was seen, as an ISO 8601 UTC timestamp to seconds. Example: 2021-07-28T17:38:47Z. |
last_update_time | The time the alert was last updated, as an ISO 8601 UTC timestamp to seconds. Example: 2021-07-28T17:38:47Z. |
legacy_alert_id | The unique short ID of the alert. |
notes_present | True if notes are associated with the alert. |
org_key | The organization key of the console instance. Use it to disambiguate alerts from different customers/organizations when one forwarder destination receives data from several orgs. |
policy_id | ID of the policy that triggered the alert. An integer for the endpoint alert types; for CONTAINER_RUNTIME alerts the sample below carries a UUID string, so do not assume an integer across all types. |
policy_name | Name of the policy that triggered the alert. |
severity | The severity of the alert, as an integer (the samples below range from 3 to 7). |
tags | A list of tags associated with the alert. |
target_value | Device priority as assigned via the policy: LOW, MEDIUM, HIGH, CRITICAL. |
threat_id | ID of the threat to which this alert belongs. |
type | The alert type: CB_ANALYTICS, DEVICE_CONTROL, WATCHLIST, CONTAINER_RUNTIME. Use this field to determine which type-specific fields to expect, per the tables below. |
workflow | Tracking state for the alert as it is triaged and resolved: an object with state, remediation, last_update_time, comment and changed_by, as in the samples below. |
CB Analytics
Field | Definition |
---|---|
blocked_threat_category | The category of threat on which the sensor was able to take action (blocked): UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM. |
created_by_event_id | The ID of the event that created the alert. For an Observed Alert this is the value to search Observations by. |
device_location | The location of the device: ONSITE, OFFSITE, UNKNOWN. |
kill_chain_status | Phase(s) of the Cyber Kill Chain the alert represents, as a list (e.g. ["DELIVER_EXPLOIT"] in the sample below). |
not_blocked_threat_category | Other potentially malicious activity involved in the threat on which the sensor was not able to take action, either because of the policy configuration or because no relevant rule existed: UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM. |
policy_applied | Whether a policy was applied (APPLIED or NOT_APPLIED in the samples below). |
process_name | Name of the executable file backing this process on the device's file system. |
reason | Human-readable description of the alert. |
reason_code | Shorthand enum for the full-text reason (e.g. R_FILELESS). |
run_state | Whether the threat in the alert actually ran: DID_NOT_RUN, RAN, UNKNOWN. |
sensor_action | The action taken by the sensor according to the rules of the policy: POLICY_NOT_APPLIED, ALLOW, ALLOW_AND_LOG, TERMINATE, DENY. |
threat_activity_c2 | Whether the alert involved a command-and-control (C2) server: NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED. |
threat_activity_dlp | Whether the alert involved data loss prevention (DLP): NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED. |
threat_activity_phish | Whether the alert involved phishing: NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED. |
threat_cause_actor_name | One of the following: process command line, process path, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP or Trojan. |
threat_cause_actor_process_pid | PID of the actor process. In the sample below this is a compound string (e.g. "3292-132541831999374961-0"), not a bare integer. |
threat_cause_actor_sha256 | SHA-256 of the threat cause actor, or a remote IP when the alert is created from a netconn event. |
threat_cause_cause_event_id | ID of the event that triggered the alert. |
threat_cause_reputation | Reputation of the threat cause (e.g. COMMON_WHITE_LIST in the sample below). |
threat_cause_threat_category | Threat category: UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM. |
threat_cause_vector | Source of the threat cause. |
threat_indicators | List of the threat indicators that make up the threat. Each entry carries process_name, sha256 and a ttps list; the sample below has one entry per TTP, all for the same SHA-256. |
Container Runtime
Field | Definition |
---|---|
cluster_name | Name of the K8s cluster associated with the alert. |
connection_type | Type of connection: INGRESS, EGRESS, INTERNAL_INBOUND, INTERNAL_OUTBOUND. |
egress_group_id | ID of the egress group. |
egress_group_name | Name of the egress group. |
ip_reputation | Reputation assigned by Carbon Black Cloud; ranges 1-100, where 100 is "trustworthy". |
namespace | Namespace within the K8s cluster associated with the alert. |
port | Listening port, remote or local. |
protocol | Name of the protocol. Example values: HTTP, TLS, TCP, TELNET, SSH. The sample below carries PROTO_TCP, so check the values actually emitted rather than hard-coding this list. |
remote_domain | Name of the remote domain. |
remote_ip | IP address of the remote side. |
remote_is_private | Whether the remote IP is private (within the cluster or the org's network) or public (outside both): true, false (a JSON boolean in the sample below). |
remote_namespace | Namespace within the remote workload's cluster; set if the remote side is another workload in the same cluster. |
remote_replica_id | Remote workload replica ID; set if the remote side is another workload in the same cluster. |
remote_workload_id | ID of the remote workload; set if the remote side is another workload in the same cluster. |
remote_workload_kind | Kind of the remote workload; set if the remote side is another workload in the same cluster. |
remote_workload_name | Name of the remote workload; set if the remote side is another workload in the same cluster. |
replica_id | Name of the pod within a workload. |
rule_id | Unique identifier for the K8s policy rule. |
rule_name | Name of the K8s policy rule. |
workload_id | ID of the workload within a specific cluster_name/namespace pair. |
workload_kind | Type of workload: Pod, Deployment, Job, etc. |
workload_name | Name of the workload within a cluster_name/namespace pair. |
Device Control
Field | Definition |
---|---|
device_location | The location of the device: ONSITE, OFFSITE, UNKNOWN. |
external_device_friendly_name | The human-readable USB device name. |
policy_applied | Whether a policy was applied (APPLIED in the sample below). |
product_id | The hexadecimal ID of the USB device's product (e.g. "0x5406"). |
product_name | The name of the USB device's product. |
reason | Human-readable description of the alert, including the device name, its serial number and the policy action applied. |
reason_code | Shorthand enum for the full-text reason (a pair of GUIDs joined by a colon in the sample below). |
run_state | Whether the threat in the alert actually ran: DID_NOT_RUN, RAN, UNKNOWN. A denied device access is reported as DID_NOT_RUN. |
serial_number | The serial number of the USB device. |
threat_cause_cause_event_id | ID of the event that triggered the alert. |
threat_cause_threat_category | Threat category: UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM. |
threat_cause_vector | Source of the threat cause (REMOVABLE_MEDIA in the sample below). |
vendor_name | The name of the USB device's vendor. |
vendor_id | The hexadecimal ID of the USB device's vendor (e.g. "0x0781"). |
Watchlist
Field | Definition |
---|---|
ioc_id | ID of the IOC that caused the hit. |
ioc_field | Field name corresponding to the value returned in ioc_hit (only returned for equality IOCs). |
ioc_hit | The IOC field value (for equality IOCs) or the IOC query (for query IOCs) that matched; the sample below carries a query. |
process_guid | Unique ID of the process. |
process_path | Tokenized path of the process's binary. |
report_id | ID of the report that generated a hit on the process. |
report_name | Name of the report that generated a hit on the process. |
reason_code | GUID string. (The sample below carries the human-readable reason text in this field instead, so do not assume a GUID when parsing.) |
run_state | Always RAN for watchlist alerts. |
threat_cause_actor_name | The process path of the threat actor (the sample below carries the process name). |
threat_cause_actor_process_pid | PID of the actor process. |
threat_cause_actor_sha256 | SHA-256 of the threat cause actor, or a remote IP when the alert is created from a netconn event. |
threat_cause_cause_event_id | ID of the event that triggered the alert. |
threat_cause_reputation | Reputation of the threat cause. |
threat_cause_threat_category | Category of the threat cause (RESPONSE_WATCHLIST in the sample below). |
threat_cause_vector | The source of the threat cause. |
threat_indicators | List of the threat indicators that make up the threat. For watchlist alerts the ttps entries carry the IOC ID rather than a TTP name (see the sample below). |
watchlists | List of watchlists associated with the alert; each entry has an id and a name. |
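A parser that applies the points made in the field tables above: dispatch on type, the WARNING/NOTICE to THREAT/MONITORED mapping, the two timestamp precisions, the integer-versus-UUID policy_id, device fields that must stay empty on CONTAINER_RUNTIME alerts, and IP literal checks. This is an added example written for this page, not Carbon Black's code or SDK. The records it validates are constructed from fragments of the samples below, and the per-type required-field sets are this example's own choice of a subset of each table.

```python
import ipaddress
from datetime import datetime, timezone

# Common fields the page says every alert type carries (tags, notes_present and device_uem_id are left optional).
COMMON_FIELDS = {
    "alert_url", "category", "create_time", "first_event_time", "id", "last_event_time",
    "last_update_time", "legacy_alert_id", "org_key", "policy_id", "policy_name",
    "severity", "target_value", "threat_id", "type", "workflow",
}
# Endpoint device fields; the page says they are always empty for CONTAINER_RUNTIME alerts.
DEVICE_FIELDS = {"device_id", "device_name", "device_os", "device_os_version", "device_username"}
# Type-specific fields required before routing: this example's own subset of each table, not the full list.
TYPE_FIELDS = {
    "CB_ANALYTICS": {"reason", "reason_code", "run_state", "threat_indicators"},
    "CONTAINER_RUNTIME": {"cluster_name", "namespace", "connection_type", "remote_ip", "rule_id"},
    "DEVICE_CONTROL": {"vendor_id", "product_id", "serial_number", "sensor_action"},
    "WATCHLIST": {"ioc_id", "ioc_hit", "watchlists", "report_id", "process_guid"},
}
# Forwarder v1 category -> Alerts v6 API category, per the Common Fields table.
CATEGORY_TO_API = {"WARNING": "THREAT", "NOTICE": "MONITORED"}


def parse_time(value):
    """Accept the documented millisecond form and the whole-second form used in the samples."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def valid_ip(value):
    """True for a well-formed IPv4 or IPv6 literal (the uncompressed IPv6 form parses fine)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_alert(alert):
    """Return the list of schema problems found; an empty list means the record passed."""
    problems = []
    missing = COMMON_FIELDS - alert.keys()
    if missing:
        problems.append(f"missing common fields: {sorted(missing)}")
    atype = alert.get("type")
    if atype not in TYPE_FIELDS:
        return problems + [f"unknown type: {atype!r}"]
    missing = TYPE_FIELDS[atype] - alert.keys()
    if missing:
        problems.append(f"missing {atype} fields: {sorted(missing)}")
    if atype == "CONTAINER_RUNTIME":
        populated = sorted(f for f in DEVICE_FIELDS if alert.get(f) not in (None, ""))
        if populated:
            problems.append(f"device fields populated on a CONTAINER_RUNTIME alert: {populated}")
    elif not isinstance(alert.get("policy_id"), int):
        problems.append("policy_id should be an integer for endpoint alert types")
    if alert.get("category") not in CATEGORY_TO_API:
        problems.append(f"unexpected category: {alert.get('category')!r}")
    for field in ("device_internal_ip", "device_external_ip"):
        if alert.get(field) and not valid_ip(alert[field]):
            problems.append(f"{field} is not a valid IP literal: {alert[field]!r}")
    for field in ("create_time", "first_event_time", "last_event_time", "last_update_time"):
        if field in alert:
            try:
                parse_time(alert[field])
            except ValueError as exc:
                problems.append(str(exc))
    return problems


def normalise(alert):
    """Map a validated record to the handful of values a downstream rule engine keys on."""
    api_category = CATEGORY_TO_API[alert["category"]]
    return {
        "type": alert["type"],
        "api_category": api_category,
        # Observed Alerts are MONITORED in the API and NOTICE in forwarder output.
        "observed": api_category == "MONITORED",
        "severity": alert["severity"],
        "seconds_to_alert": (parse_time(alert["create_time"]) - parse_time(alert["first_event_time"])).total_seconds(),
    }


def sample(**fields):
    """Constructed record: a common-field skeleton loosely following the page's samples, plus overrides."""
    rec = {
        "alert_url": "https://defense.conferdeploy.net/alerts?orgId=123", "category": "WARNING",
        "create_time": "2021-01-04T22:22:52Z", "first_event_time": "2021-01-04T22:22:42Z",
        "last_event_time": "2021-01-04T22:22:42Z", "last_update_time": "2021-01-04T22:23:05Z",
        "id": "36259335daf0f2c4edb11ebb2828b41ebaf3867", "legacy_alert_id": "ZHGKP3EM",
        "org_key": "ABCD1234", "policy_id": 6525, "policy_name": "default", "severity": 4,
        "target_value": "MEDIUM", "threat_id": "f7959830dfea89252d459b056ab43222",
        "type": "CB_ANALYTICS", "workflow": {"state": "OPEN"},
    }
    rec.update(fields)
    return rec


# Constructed Observed Alert (NOTICE) whose device_internal_ip copies the page's placeholder, which is not a valid IPv4 address.
ANALYTICS = sample(category="NOTICE", reason="fileless script", reason_code="R_FILELESS", run_state="RAN",
                   threat_indicators=[], device_id=3625933, device_internal_ip="123.45.67.890",
                   device_external_ip="23.45.67.89")
# Constructed CONTAINER_RUNTIME alert: UUID policy_id, no device fields, millisecond create_time.
CONTAINER = sample(type="CONTAINER_RUNTIME", policy_id="7cce137c-b9c5-4cf0-96c7-2be6514f7a40",
                   create_time="2022-01-31T15:02:10.000Z", first_event_time="2022-01-31T14:59:12Z",
                   cluster_name="e2e:containers-e2e-85wt", namespace="cbcontainers-dataplane",
                   connection_type="EGRESS", remote_ip="52.23.6.129", rule_id="f8b1637a-dc0c-49bb-bc28-5b48f97e6d58")

if __name__ == "__main__":
    for rec in (ANALYTICS, CONTAINER):
        print(rec["type"], validate_alert(rec), normalise(rec))
```

Run as a script it prints the problems and the normalised summary for each constructed record; the CB_ANALYTICS one fails only on the placeholder IP, the container one passes. Feeding it the page's own samples line by line (one JSON object per forwarder record) is the quickest way to see which fields your downstream tooling can rely on per type.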
Data Samples
The following are sample alerts, one per type: CB Analytics, Container Runtime, Device Control, Watchlist.
CB_ANALYTICS
{
"type": "CB_ANALYTICS",
"id": "36259335daf0f2c4edb11ebb2828b41ebaf3867",
"legacy_alert_id": "ZHGKP3EM",
"org_key": "ABCD1234",
"create_time": "2021-01-04T22:22:52Z",
"last_update_time": "2021-01-04T22:23:05Z",
"first_event_time": "2021-01-04T22:22:42Z",
"last_event_time": "2021-01-04T22:22:42Z",
"threat_id": "f7959830dfea89252d459b056ab43222",
"severity": 4,
"category": "NOTICE",
"device_id": 3625933,
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64",
"device_name": "win10-ps-moid",
"device_username": "jdoe@carbonblack.com",
"policy_id": 6525,
"policy_name": "default",
"target_value": "MEDIUM",
"workflow": {
"state": "OPEN",
"remediation": "",
"last_update_time": "2021-01-04T22:22:52Z",
"comment": "",
"changed_by": "Carbon Black"
},
"device_internal_ip": "123.45.67.890",
"device_external_ip": "23.45.67.89",
"alert_url": "https://defense.conferdeploy.net/triage?incidentId=ZHGKP3EM\u0026orgId=123",
"reason": "The application powershell.exe is executing a fileless script or command.",
"reason_code": "R_FILELESS",
"process_name": "powershell.exe",
"device_location": "OFFSITE",
"created_by_event_id": "5daf0f2c4edb11ebb2828b41ebaf3867",
"threat_indicators": [{
"process_name": "powershell.exe",
"sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"ttps": ["MODIFY_MEMORY_PROTECTION"]
}, {
"process_name": "powershell.exe",
"sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"ttps": ["MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"]
}, {
"process_name": "powershell.exe",
"sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"ttps": ["FILELESS"]
}, {
"process_name": "powershell.exe",
"sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"ttps": ["MITRE_T1057_PROCESS_DISCOVERY"]
}, {
"process_name": "powershell.exe",
"sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"ttps": ["CODE_DROP"]
}, {
"process_name": "powershell.exe",
"sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"ttps": ["ENUMERATE_PROCESSES"]
}],
"threat_cause_actor_sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"threat_cause_actor_name": "powershell.exe",
"threat_cause_actor_process_pid": "3292-132541831999374961-0",
"threat_cause_reputation": "COMMON_WHITE_LIST",
"threat_cause_threat_category": "NON_MALWARE",
"threat_cause_vector": "UNKNOWN",
"threat_cause_cause_event_id": "5daf0f344edb11ebb2828b41ebaf3867",
"blocked_threat_category": "UNKNOWN",
"not_blocked_threat_category": "NON_MALWARE",
"kill_chain_status": ["DELIVER_EXPLOIT"],
"run_state": "RAN",
"policy_applied": "NOT_APPLIED"
}
CONTAINER_RUNTIME
{
"type": "CONTAINER_RUNTIME",
"id": "aff50e67-d2cd-54a0-c3e3-1c6958d0005e",
"legacy_alert_id": "aff50e67-d2cd-54a0-c3e3-1c6958d0005e",
"org_key": "ABCD1234",
"create_time": "2022-01-31T15:02:10Z",
"last_update_time": "2022-01-31T15:02:10Z",
"first_event_time": "2022-01-31T14:59:12Z",
"last_event_time": "2022-01-31T14:59:12Z",
"threat_id": "20ade0039400d2baf87c6a868df74ff31c8613b0b5823bd85ce8350e8c18e3cb",
"severity": 5,
"category": "WARNING",
"policy_id": "7cce137c-b9c5-4cf0-96c7-2be6514f7a40",
"policy_name": "demo001",
"target_value": "MEDIUM",
"workflow": {
"state": "OPEN",
"remediation": "",
"last_update_time": "2022-01-31T15:00:14Z",
"comment": "",
"changed_by": "Carbon Black"
},
"alert_url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1234567",
"reason": "Detected a connection to a public destination that isn't allowed for this scope",
"run_state": "RAN",
"cluster_name": "e2e:containers-e2e-85wt",
"namespace": "cbcontainers-dataplane",
"workload_kind": "Deployment",
"workload_id": "cbcontainers-hardening-enforcer",
"workload_name": "cbcontainers-hardening-enforcer",
"replica_id": "cbcontainers-hardening-enforcer-557d87866-4j4j5",
"connection_type": "EGRESS",
"remote_is_private": false,
"remote_ip": "52.23.6.129",
"protocol": "PROTO_TCP",
"port": 443,
"ip_reputation": 48,
"rule_id": "f8b1637a-dc0c-49bb-bc28-5b48f97e6d58",
"rule_name": "Allowed public destinations"
}
DEVICE_CONTROL
{
"type": "DEVICE_CONTROL",
"id": "uds_c8eb7306af264a9ab677814b3af69720",
"legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720",
"org_key": "6X3T6RYXJ",
"create_time": "2020-11-17T22:05:13Z",
"last_update_time": "2020-11-17T22:05:13Z",
"first_event_time": "2020-11-17T22:02:16Z",
"last_event_time": "2020-11-17T22:02:16Z",
"threat_id": "60b43c178d148756368ddea72f731ce108ea54d2b29171bff509c619d2a7eb6c",
"severity": 3,
"category": "WARNING",
"device_id": 7604419,
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64",
"device_name": "DESKTOP-4O07JV2",
"device_username": "jdoe",
"policy_id": 6997287,
"policy_name": "Standard",
"target_value": "MEDIUM",
"workflow": {
"state": "OPEN",
"remediation": "",
"last_update_time": "2020-11-17T22:02:16Z",
"comment": "",
"changed_by": "Carbon Black"
},
"device_internal_ip": "172.17.2.130",
"device_external_ip": "71.218.76.221",
"alert_url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976",
"reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.",
"reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC",
"device_location": "UNKNOWN",
"threat_cause_threat_category": "NON_MALWARE",
"threat_cause_vector": "REMOVABLE_MEDIA",
"threat_cause_cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E",
"sensor_action": "DENY",
"run_state": "DID_NOT_RUN",
"policy_applied": "APPLIED",
"vendor_name": "SanDisk",
"vendor_id": "0x0781",
"product_name": "U3 Cruzer Micro",
"product_id": "0x5406",
"serial_number": "0875920EF7C2A304"
}
WATCHLIST
{
"type": "WATCHLIST",
"id": "951d536a-2817-4790-8c97-c2d31624de7c",
"legacy_alert_id": "ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613-BC154984541016AFD2467DF221AA20FD",
"org_key": "ABCD1234",
"create_time": "2021-01-04T23:33:32Z",
"last_update_time": "2021-01-04T23:33:32Z",
"first_event_time": "2021-01-04T23:25:58Z",
"last_event_time": "2021-01-04T23:25:58Z",
"threat_id": "A22D9AFD42B85FF4FE6C8AE1DB6FBD6C",
"severity": 7,
"category": "WARNING",
"device_id": 3775337,
"device_os": "WINDOWS",
"device_name": "CBcloud-win10",
"device_username": "admin",
"policy_id": 6525,
"policy_name": "default",
"target_value": "MEDIUM",
"workflow": {
"state": "OPEN",
"remediation": "",
"last_update_time": "2021-01-04T23:32:19Z",
"comment": "",
"changed_by": "Carbon Black"
},
"device_internal_ip": "123.45.67.890",
"device_external_ip": "23.45.67.89",
"alert_url": "https://defense.conferdeploy.net/cb/investigate/processes?orgId=123\u0026query=alert_id%3A951d536a-2817-4790-8c97-c2d31624de7c+AND+device_id%3A3775337\u0026searchWindow=ALL",
"reason_code": "Process powershell.exe was detected by the report \"Execution - PowerShell Downloading Behaviors Detected\" in watchlist \"Carbon Black Advanced Threats\"",
"process_name": "powershell.exe",
"threat_indicators": [{
"process_name": "powershell.exe",
"sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"ttps": ["e41b000e-eb5a-41f4-aa67-1902d186a457-0"]
}],
"threat_cause_actor_sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"threat_cause_actor_name": "powershell.exe",
"threat_cause_reputation": "COMMON_WHITE_LIST",
"threat_cause_threat_category": "RESPONSE_WATCHLIST",
"threat_cause_vector": "UNKNOWN",
"run_state": "RAN",
"ioc_id": "e41b000e-eb5a-41f4-aa67-1902d186a457-0",
"ioc_hit": "(process_cmdline:powershell* AND (process_cmdline:.downloaddata OR process_cmdline:.downloadstring OR process_cmdline:.downloadfile) -process_cmdline:chocolatey.org*) -enriched:true",
"watchlists": [{
"id": "mrTB06fAQbeNfvl47cQiGg",
"name": "Carbon Black Advanced Threats"
}],
"process_guid": "ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613",
"process_path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"report_name": "Execution - PowerShell Downloading Behaviors Detected",
"report_id": "MLRtPcpQGKFh5OE4BT3tQ-e41b000e-eb5a-41f4-aa67-1902d186a457",
"status": "UNRESOLVED"
}
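Triage logic over the fields documented above, as an added example that is not Carbon Black's code: it consolidates the one-TTP-per-entry threat_indicators list from the CB_ANALYTICS sample into one record per SHA-256, pulls ATT&CK technique IDs out of MITRE_T####_... TTP names (watchlist ttps entries, which carry IOC IDs, yield nothing), and routes on category, run_state and sensor_action. The queue names and the severity threshold are this example's own assumptions; the trimmed alerts are constructed from the samples above and keep only the fields the logic reads.

```python
import re
from collections import defaultdict

# ATT&CK technique IDs are embedded in TTP names such as MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER.
MITRE_TTP = re.compile(r"^MITRE_(T\d{4}(?:\.\d{3})?)_")
# sensor_action values that mean the sensor stopped the activity, per the field definition.
BLOCKING_ACTIONS = {"TERMINATE", "DENY"}


def consolidate_indicators(indicators):
    """Merge one-TTP-per-entry threat_indicators into one record per SHA-256 with a sorted TTP list."""
    merged = defaultdict(lambda: {"process_name": None, "ttps": set()})
    for ind in indicators:
        entry = merged[ind["sha256"]]
        entry["process_name"] = ind.get("process_name")
        entry["ttps"].update(ind.get("ttps", []))
    return {sha: {"process_name": e["process_name"], "ttps": sorted(e["ttps"])} for sha, e in merged.items()}


def mitre_techniques(ttps):
    """Extract ATT&CK technique IDs; non-MITRE names (FILELESS, CODE_DROP, watchlist IOC IDs) are skipped."""
    return sorted({m.group(1) for t in ttps if (m := MITRE_TTP.match(t))})


def was_blocked(alert):
    """True when run_state or sensor_action says the activity did not run or was stopped."""
    return alert.get("run_state") == "DID_NOT_RUN" or alert.get("sensor_action") in BLOCKING_ACTIONS


def triage(alert, page_severity=7):
    """Assumed routing policy (this example's own): returns (queue, reason) for a forwarded alert."""
    if alert.get("category") == "NOTICE":
        # Observed Alert: MONITORED in the API. Enrich via alert_id / created_by_event_id before acting.
        return "log", "observed alert; enrich via alert_id or created_by_event_id before acting"
    if was_blocked(alert):
        return "ticket", f"blocked by sensor ({alert.get('sensor_action') or alert.get('run_state')})"
    if (alert.get("type") == "CONTAINER_RUNTIME" and alert.get("connection_type") == "EGRESS"
            and alert.get("remote_is_private") is False):
        return "page", f"unblocked public egress to {alert.get('remote_ip')} (ip_reputation {alert.get('ip_reputation')})"
    techniques = mitre_techniques(t for i in alert.get("threat_indicators", []) for t in i.get("ttps", []))
    if alert.get("severity", 0) >= page_severity or techniques:
        return "page", f"ran unblocked; severity {alert.get('severity')}; techniques {techniques}"
    return "ticket", "ran unblocked; low severity and no mapped technique"


SHA = "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53"
# threat_indicators copied from the page's CB_ANALYTICS sample: one entry per TTP, same SHA-256 each time.
ANALYTICS_INDICATORS = [{"process_name": "powershell.exe", "sha256": SHA, "ttps": [t]} for t in (
    "MODIFY_MEMORY_PROTECTION", "MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER", "FILELESS",
    "MITRE_T1057_PROCESS_DISCOVERY", "CODE_DROP", "ENUMERATE_PROCESSES")]

# Trimmed alerts constructed from the page's samples; only the fields triage() reads are kept.
OBSERVED = {"type": "CB_ANALYTICS", "category": "NOTICE", "severity": 4, "run_state": "RAN",
            "policy_applied": "NOT_APPLIED", "threat_indicators": ANALYTICS_INDICATORS}
ESCALATED = dict(OBSERVED, category="WARNING")  # same activity, but categorised as a threat
USB_DENIED = {"type": "DEVICE_CONTROL", "category": "WARNING", "severity": 3,
              "sensor_action": "DENY", "run_state": "DID_NOT_RUN"}
EGRESS = {"type": "CONTAINER_RUNTIME", "category": "WARNING", "severity": 5, "run_state": "RAN",
          "connection_type": "EGRESS", "remote_is_private": False, "remote_ip": "52.23.6.129", "ip_reputation": 48}

if __name__ == "__main__":
    print(consolidate_indicators(ANALYTICS_INDICATORS))
    for name, alert in (("observed", OBSERVED), ("escalated", ESCALATED), ("usb", USB_DENIED), ("egress", EGRESS)):
        print(name, triage(alert))
```

The consolidation step matters because the forwarder emits the same SHA-256 once per TTP, so naive counting of threat_indicators overstates how many distinct binaries were involved; the NOTICE check comes first because an Observed Alert carries no sensor action and should be enriched rather than paged on.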
Last modified on October 10, 2023