Alert Fields 1.0.0

This schema version will be deactivated on September 5, 2024.

The Data Forwarder Alert Schema v1 has been deprecated and replaced by Data Forwarder Alert Schema v2.0.0.

More information on the new Data Forwarder Schema can be found here.

Schema migration information is with other migration guides here.


Note: As part of the Alerts v7 API release and Alert Forwarder Schema v2, Observed Alerts were removed.

  • Observed Alerts will continue to be returned in Alerts v6 API responses and Data Forwarder Alert Schema v1.
  • An Observed Alert can only be enriched by
    • Searching Enriched Events by alert_id
    • Searching Observations by event_id using created_by_event_id from the Observed Alert
  • An Observed Alert is identified by category = MONITORED in the API response and WARNING in the Alert Forwarder output.
  • Observed Alerts are not returned in Alerts v7 API responses or in the Data Forwarder Alert Schema v2.
  • See Announcing the Alerts V7 API and “Observed Alerts” Become “Observations” for more information.

Common Fields

“Common fields” are present in all alert types, while other fields are only present for a specific alert type.

The Data Forwarder emits a set of common fields for every alert. These fields represent common metadata for the customer, device, and alert.

Field Definition
alert_url A redirect link to refer back to the Carbon Black Cloud console. CB_ANALYTICS alerts will redirect to the Alert Triage page for the specific alert. WATCHLIST alerts will redirect to the Investigate page for the specific alert. DEVICE_CONTROL and CONTAINER_RUNTIME alerts will redirect to the Alerts page.
category Type of alert

WARNING, NOTICE

Note: The values differ from the Alerts API where 'WARNING' is 'THREAT' and 'NOTICE' is 'MONITORED'.
create_time The time the alert was created in ISO 8601 UTC timestamp format to milliseconds

Example: 2021-07-28T18:38:41.000Z
device_external_ip IP address of the endpoint from the perspective of the Carbon Black Cloud. Can differ from device_internal_ip due to network proxy or NAT. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”)
device_id Integer ID of the device that created this alert (Always empty for Container Runtime alerts)
device_internal_ip IP address of the endpoint as reported by the sensor. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”) (Always empty for Container Runtime alerts)
device_name Hostname of the device that created this alert (Always empty for Container Runtime alerts)
device_os OS Type of device (Windows/OSX/Linux) (Always empty for Container Runtime alerts)
device_os_version Version of OS on device (Windows 10 x64) (Always empty for Container Runtime alerts)
device_uem_id “Unified Endpoint Management” identifier assigned by VMware Workspace ONE Intelligence, only populated if the Workspace ONE integration is configured. Unique across Carbon Black Cloud in GUID format (e.g. “FC3992EE-A8CD-5AD5-AC6D-A477490456E4”) (Always empty for Container Runtime alerts)
device_username Name of the user that installed the device. To get the actual user involved in the device alert, get the underlying event or process data. (Always empty for Container Runtime alerts)
first_event_time The time the first event associated with the alert was seen in ISO 8601 UTC format to seconds

Example: 2021-07-28T17:38:47Z
id The unique long id of the alert
last_event_time The time the most recent event associated with the alert was seen in ISO 8601 UTC format to seconds

Example: 2021-07-28T17:38:47Z
last_update_time The time the alert was last updated in ISO 8601 UTC format to seconds

Example: 2021-07-28T17:38:47Z
legacy_alert_id The unique short id of the alert
notes_present True if notes are associated with the alert
org_key The organization key associated with the console instance. Can be used to disambiguate alerts from different customers/organizations.
policy_id ID associated with the policy that triggered the alert
policy_name Name of the policy that triggered the alert
severity The severity of the alert
tags A list of tags associated with the alert
target_value Device priority as assigned via the policy

LOW, MEDIUM, HIGH, CRITICAL
threat_id ID of the threat to which this alert belongs
type The alert type. Use this field to determine which fields should be expected per the specs below.

CB_ANALYTICS, DEVICE_CONTROL, WATCHLIST, CONTAINER_RUNTIME
workflow Tracking system for alerts as they are triaged and resolved

CB Analytics

Field Definition
blocked_threat_category The category of threat on which the sensor was able to take action

UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM
created_by_event_id The ID of the event that created the alert
device_location The location of the device

ONSITE, OFFSITE, UNKNOWN
kill_chain_status Phase of the Cyber Kill Chain the alert represents
not_blocked_threat_category Other potentially malicious activity involved in the threat on which the sensor was not able to take action, either because of the policy configuration or because no relevant rule existed

UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM
policy_applied Whether a policy was applied
process_name Name of the executable file backing this process on the device’s file system
reason Description of the alert
reason_code Shorthand enum for the full-text reason
run_state Whether the threat in the alert actually ran

DID_NOT_RUN, RAN, UNKNOWN
sensor_action The action taken by the sensor, according to the rules of the policy

POLICY_NOT_APPLIED, ALLOW, ALLOW_AND_LOG, TERMINATE, DENY
threat_activity_c2 Whether the alert involved a c2 server

NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED
threat_activity_dlp Whether the alert involved DLP

NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED
threat_activity_phish Whether the alert involved phishing

NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED
threat_cause_actor_name The name can be one of the following: process commandline, process path, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan
threat_cause_actor_process_pid PID of the actor process
threat_cause_actor_sha256 SHA256 or remote IP of the threat cause actor. The actor will be a remote IP when the alert is created from a netconn event
threat_cause_cause_event_id Event ID that triggered the event
threat_cause_reputation Reputation of the threat cause
threat_cause_threat_category Threat category

UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM
threat_cause_vector Source of the threat cause
threat_indicators List of the threat indicators that make up the threat

Container Runtime

Field Definition
cluster_name Name of the K8s cluster associated with the alert
connection_type Type of connection

INGRESS, EGRESS, INTERNAL_INBOUND, INTERNAL_OUTBOUND
egress_group_id ID of the egress group
egress_group_name Name of the egress group
ip_reputation Reputation assigned by Carbon Black Cloud; ranges 1-100, where 100 is “trustworthy”
namespace Namespace within the K8s cluster associated with the alert
port Listening port; remote or local
protocol Name of the protocol

Example values: HTTP, TLS, TCP, TELNET, SSH
remote_domain Name of the remote domain
remote_ip IP address of the remote side
remote_is_private Type of remote IP: public or private (“private” means within the cluster or the org’s network; “public” means outside of the cluster and the org’s network)

TRUE, FALSE
remote_namespace Namespace within the remote workload’s cluster; set if the remote side is another workload in the same cluster
remote_replica_id Remote workload replica ID; set if the remote side is another workload in the same cluster
remote_workload_id ID of the remote workload; set if the remote side is another workload in the same cluster
remote_workload_kind Kind of remote workload; set if the remote side is another workload in the same cluster
remote_workload_name Name of the remote workload; set if the remote side is another workload in the same cluster
replica_id Name of the pod within a workload
rule_id Unique identifier for the K8s policy rule
rule_name Name of the K8s policy rule
workload_id ID of the workload within a specific cluster_name/namespace pair
workload_kind Type of workload; Pod, Deployment, Job, etc.
workload_name Name of the workload within a cluster_name/namespace pair

Device Control

Field Definition
device_location The location of the device

ONSITE, OFFSITE, UNKNOWN
external_device_friendly_name The human readable USB device name
policy_applied Whether a policy was applied
product_id The hexadecimal id of the USB device’s product
product_name The name of the USB device’s product
reason Description of the alert
reason_code Shorthand enum for the full-text reason
run_state Whether the threat in the alert actually ran

DID_NOT_RUN, RAN, UNKNOWN
serial_number The serial number of the USB device
threat_cause_cause_event_id Event ID that triggered the event
threat_cause_threat_category Threat category

UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM
threat_cause_vector Source of the threat cause
vendor_name The name of the USB device’s vendor
vendor_id The hexadecimal id of the USB device’s vendor

Watchlist

Field Definition
ioc_id ID of the IOC that caused the hit
ioc_field Field name corresponding to the value returned by ioc_hit (only returned for equality IOCs)
ioc_hit IOC field value, or IOC query that matches
process_guid Unique ID of process
process_path Tokenized path of the process’ binary
report_id Id of the report that generated a hit on the process
report_name Name of the report that generated a hit on the process
reason_code GUID string
run_state Run state is always RAN for watchlist alerts
threat_cause_actor_name The process path of the threat actor
threat_cause_actor_process_pid PID of the actor process
threat_cause_actor_sha256 SHA256 or remote IP of the threat cause actor. The actor will be a remote IP when the alert is created from a netconn event
threat_cause_cause_event_id Event ID that triggered the event
threat_cause_reputation Reputation of the threat cause
threat_cause_threat_category Category of the threat cause
threat_cause_vector The source of the threat cause
threat_indicators List of the threat indicators that make up the threat
watchlists List of watchlists associated with an alert
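The type field above is what a consumer dispatches on, and the tables give the per-type fields, the enumerated values, the two timestamp precisions, and the dual meaning of threat_cause_actor_sha256. The following is an added example, not code from the schema page or from Carbon Black Cloud, showing one way to validate a forwarder alert record against those tables. Which fields it treats as required for each type is an assumption of the example; the sample records are constructed, trimmed from the page's own samples.

```python
import ipaddress
from datetime import datetime, timezone

# Common fields assumed mandatory for this example; the schema lists many more.
COMMON_REQUIRED = ("type", "id", "org_key", "create_time", "category", "severity")

# Type-specific fields a consumer would rely on. Which fields count as required
# is this example's assumption, not something the schema page states.
TYPE_REQUIRED = {
    "CB_ANALYTICS": ("reason", "reason_code", "run_state", "threat_cause_actor_name"),
    "CONTAINER_RUNTIME": ("cluster_name", "namespace", "workload_name",
                          "connection_type", "remote_ip", "port", "protocol"),
    "DEVICE_CONTROL": ("reason", "run_state", "vendor_id", "product_id", "serial_number"),
    "WATCHLIST": ("ioc_id", "ioc_hit", "watchlists", "process_guid", "report_id"),
}

# Enumerations copied from the field tables above.
ENUMS = {
    "category": {"WARNING", "NOTICE"},
    "target_value": {"LOW", "MEDIUM", "HIGH", "CRITICAL"},
    "run_state": {"DID_NOT_RUN", "RAN", "UNKNOWN"},
    "connection_type": {"INGRESS", "EGRESS", "INTERNAL_INBOUND", "INTERNAL_OUTBOUND"},
}

# Fields the tables mark "Always empty for Container Runtime alerts".
DEVICE_FIELDS = ("device_id", "device_internal_ip", "device_name", "device_os",
                 "device_os_version", "device_uem_id", "device_username")
TIME_FIELDS = ("create_time", "first_event_time", "last_event_time", "last_update_time")


def parse_timestamp(value):
    """Parse the schema's ISO 8601 UTC stamps: create_time carries milliseconds
    (2021-07-28T18:38:41.000Z), the other time fields whole seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"not an ISO 8601 UTC timestamp: {value!r}")


def ip_version(value):
    """4 or 6 for a parseable address, None for an empty or malformed value."""
    try:
        return ipaddress.ip_address(value).version if value else None
    except ValueError:
        return None


def actor_kind(alert):
    """threat_cause_actor_sha256 holds a SHA-256, or a remote IP when the alert
    was created from a netconn event; tell the two apart before pivoting on it."""
    actor = alert.get("threat_cause_actor_sha256") or ""
    if ip_version(actor):
        return "remote_ip"
    if len(actor) == 64 and all(c in "0123456789abcdefABCDEF" for c in actor):
        return "sha256"
    return "none"


def validate_alert(alert):
    """Return the list of problems in one alert record; an empty list means clean."""
    problems = [f"missing common field {f}" for f in COMMON_REQUIRED if f not in alert]
    alert_type = alert.get("type")
    if alert_type not in TYPE_REQUIRED:
        return problems + [f"unknown alert type {alert_type!r}"]
    problems += [f"{alert_type} alert missing {f}"
                 for f in TYPE_REQUIRED[alert_type] if f not in alert]
    if alert_type == "CONTAINER_RUNTIME":
        # A populated device field on a container alert means a mis-typed or stitched record.
        problems += [f"CONTAINER_RUNTIME alert carries {f}" for f in DEVICE_FIELDS if alert.get(f)]
    for field, allowed in ENUMS.items():
        if field in alert and alert[field] not in allowed:
            problems.append(f"{field} has unexpected value {alert[field]!r}")
    for field in TIME_FIELDS:
        try:
            if field in alert:
                parse_timestamp(alert[field])
        except ValueError as exc:
            problems.append(str(exc))
    return problems


# Constructed records, trimmed from the page's own samples (not full forwarder output).
SAMPLE_CB_ANALYTICS = {
    "type": "CB_ANALYTICS", "id": "36259335daf0f2c4edb11ebb2828b41ebaf3867",
    "org_key": "ABCD1234", "create_time": "2021-01-04T22:22:52Z", "category": "NOTICE",
    "severity": 4, "device_id": 3625933, "device_internal_ip": "123.45.67.890",
    "target_value": "MEDIUM", "reason_code": "R_FILELESS", "run_state": "RAN",
    "reason": "The application powershell.exe is executing a fileless script or command.",
    "threat_cause_actor_name": "powershell.exe",
    "threat_cause_actor_sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
}
SAMPLE_CONTAINER_RUNTIME = {
    "type": "CONTAINER_RUNTIME", "id": "aff50e67-d2cd-54a0-c3e3-1c6958d0005e",
    "org_key": "ABCD1234", "create_time": "2022-01-31T15:02:10Z", "category": "WARNING",
    "severity": 5, "cluster_name": "e2e:containers-e2e-85wt", "namespace": "cbcontainers-dataplane",
    "workload_name": "cbcontainers-hardening-enforcer", "connection_type": "EGRESS",
    "remote_ip": "52.23.6.129", "protocol": "PROTO_TCP", "port": 443, "run_state": "RAN",
}
# Constructed failure case: an Alerts API category value and a device field on a container alert.
SAMPLE_BAD = dict(SAMPLE_CONTAINER_RUNTIME, device_id=3625933, category="THREAT")
```

Calling validate_alert(SAMPLE_BAD) reports the populated device_id and the THREAT category, the latter being the kind of mismatch the category note above warns about when a pipeline mixes Alerts API output with forwarder output. The page's CB_ANALYTICS sample carries device_internal_ip 123.45.67.890, which is not a valid IPv4 address, so ip_version returns None for it rather than raising.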

Data Samples

The following are samples of data: CB Analytics, Container Runtime, Device Control, Watchlist

Alerts

CB_ANALYTICS

{
  "type": "CB_ANALYTICS",
  "id": "36259335daf0f2c4edb11ebb2828b41ebaf3867",
  "legacy_alert_id": "ZHGKP3EM",
  "org_key": "ABCD1234",
  "create_time": "2021-01-04T22:22:52Z",
  "last_update_time": "2021-01-04T22:23:05Z",
  "first_event_time": "2021-01-04T22:22:42Z",
  "last_event_time": "2021-01-04T22:22:42Z",
  "threat_id": "f7959830dfea89252d459b056ab43222",
  "severity": 4,
  "category": "NOTICE",
  "device_id": 3625933,
  "device_os": "WINDOWS",
  "device_os_version": "Windows 10 x64",
  "device_name": "win10-ps-moid",
  "device_username": "jdoe@carbonblack.com",
  "policy_id": 6525,
  "policy_name": "default",
  "target_value": "MEDIUM",
  "workflow": {
    "state": "OPEN",
    "remediation": "",
    "last_update_time": "2021-01-04T22:22:52Z",
    "comment": "",
    "changed_by": "Carbon Black"
  },
  "device_internal_ip": "123.45.67.890",
  "device_external_ip": "23.45.67.89",
  "alert_url": "https://defense.conferdeploy.net/triage?incidentId=ZHGKP3EM\u0026orgId=123",
  "reason": "The application powershell.exe is executing a fileless script or command.",
  "reason_code": "R_FILELESS",
  "process_name": "powershell.exe",
  "device_location": "OFFSITE",
  "created_by_event_id": "5daf0f2c4edb11ebb2828b41ebaf3867",
  "threat_indicators": [{
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["MODIFY_MEMORY_PROTECTION"]
  }, {
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"]
  }, {
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["FILELESS"]
  }, {
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["MITRE_T1057_PROCESS_DISCOVERY"]
  }, {
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["CODE_DROP"]
  }, {
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["ENUMERATE_PROCESSES"]
  }],
  "threat_cause_actor_sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
  "threat_cause_actor_name": "powershell.exe",
  "threat_cause_actor_process_pid": "3292-132541831999374961-0",
  "threat_cause_reputation": "COMMON_WHITE_LIST",
  "threat_cause_threat_category": "NON_MALWARE",
  "threat_cause_vector": "UNKNOWN",
  "threat_cause_cause_event_id": "5daf0f344edb11ebb2828b41ebaf3867",
  "blocked_threat_category": "UNKNOWN",
  "not_blocked_threat_category": "NON_MALWARE",
  "kill_chain_status": ["DELIVER_EXPLOIT"],
  "run_state": "RAN",
  "policy_applied": "NOT_APPLIED"
}

CONTAINER_RUNTIME

{
    "type": "CONTAINER_RUNTIME",
    "id": "aff50e67-d2cd-54a0-c3e3-1c6958d0005e",
    "legacy_alert_id": "aff50e67-d2cd-54a0-c3e3-1c6958d0005e",
    "org_key": "ABCD1234",
    "create_time": "2022-01-31T15:02:10Z",
    "last_update_time": "2022-01-31T15:02:10Z",
    "first_event_time": "2022-01-31T14:59:12Z",
    "last_event_time": "2022-01-31T14:59:12Z",
    "threat_id": "20ade0039400d2baf87c6a868df74ff31c8613b0b5823bd85ce8350e8c18e3cb",
    "severity": 5,
    "category": "WARNING",
    "policy_id": "7cce137c-b9c5-4cf0-96c7-2be6514f7a40",
    "policy_name": "demo001",
    "target_value": "MEDIUM",
    "workflow": {
        "state": "OPEN",
        "remediation": "",
        "last_update_time": "2022-01-31T15:00:14Z",
        "comment": "",
        "changed_by": "Carbon Black"
    },
    "alert_url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1234567",
    "reason": "Detected a connection to a public destination that isn't allowed for this scope",
    "run_state": "RAN",
    "cluster_name": "e2e:containers-e2e-85wt",
    "namespace": "cbcontainers-dataplane",
    "workload_kind": "Deployment",
    "workload_id": "cbcontainers-hardening-enforcer",
    "workload_name": "cbcontainers-hardening-enforcer",
    "replica_id": "cbcontainers-hardening-enforcer-557d87866-4j4j5",
    "connection_type": "EGRESS",
    "remote_is_private": false,
    "remote_ip": "52.23.6.129",
    "protocol": "PROTO_TCP",
    "port": 443,
    "ip_reputation": 48,
    "rule_id": "f8b1637a-dc0c-49bb-bc28-5b48f97e6d58",
    "rule_name": "Allowed public destinations"
}

DEVICE_CONTROL

{
    "type": "DEVICE_CONTROL",
    "id": "uds_c8eb7306af264a9ab677814b3af69720",
    "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720",
    "org_key": "6X3T6RYXJ",
    "create_time": "2020-11-17T22:05:13Z",
    "last_update_time": "2020-11-17T22:05:13Z",
    "first_event_time": "2020-11-17T22:02:16Z",
    "last_event_time": "2020-11-17T22:02:16Z",
    "threat_id": "60b43c178d148756368ddea72f731ce108ea54d2b29171bff509c619d2a7eb6c",
    "severity": 3,
    "category": "WARNING",
    "device_id": 7604419,
    "device_os": "WINDOWS",
    "device_os_version": "Windows 10 x64",
    "device_name": "DESKTOP-4O07JV2",
    "device_username": "jdoe",
    "policy_id": 6997287,
    "policy_name": "Standard",
    "target_value": "MEDIUM",
    "workflow": {
        "state": "OPEN",
        "remediation": "",
        "last_update_time": "2020-11-17T22:02:16Z",
        "comment": "",
        "changed_by": "Carbon Black"
    },
    "device_internal_ip": "172.17.2.130",
    "device_external_ip": "71.218.76.221",
    "alert_url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976",
    "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.",
    "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC",
    "device_location": "UNKNOWN",
    "threat_cause_threat_category": "NON_MALWARE",
    "threat_cause_vector": "REMOVABLE_MEDIA",
    "threat_cause_cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E",
    "sensor_action": "DENY",
    "run_state": "DID_NOT_RUN",
    "policy_applied": "APPLIED",
    "vendor_name": "SanDisk",
    "vendor_id": "0x0781",
    "product_name": "U3 Cruzer Micro",
    "product_id": "0x5406",
    "serial_number": "0875920EF7C2A304"
}

WATCHLIST

{
  "type": "WATCHLIST",
  "id": "951d536a-2817-4790-8c97-c2d31624de7c",
  "legacy_alert_id": "ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613-BC154984541016AFD2467DF221AA20FD",
  "org_key": "ABCD1234",
  "create_time": "2021-01-04T23:33:32Z",
  "last_update_time": "2021-01-04T23:33:32Z",
  "first_event_time": "2021-01-04T23:25:58Z",
  "last_event_time": "2021-01-04T23:25:58Z",
  "threat_id": "A22D9AFD42B85FF4FE6C8AE1DB6FBD6C",
  "severity": 7,
  "category": "WARNING",
  "device_id": 3775337,
  "device_os": "WINDOWS",
  "device_name": "CBcloud-win10",
  "device_username": "admin",
  "policy_id": 6525,
  "policy_name": "default",
  "target_value": "MEDIUM",
  "workflow": {
    "state": "OPEN",
    "remediation": "",
    "last_update_time": "2021-01-04T23:32:19Z",
    "comment": "",
    "changed_by": "Carbon Black"
  },
  "device_internal_ip": "123.45.67.890",
  "device_external_ip": "23.45.67.89",
  "alert_url": "https://defense.conferdeploy.net/cb/investigate/processes?orgId=123\u0026query=alert_id%3A951d536a-2817-4790-8c97-c2d31624de7c+AND+device_id%3A3775337\u0026searchWindow=ALL",
  "reason_code": "Process powershell.exe was detected by the report \"Execution - PowerShell Downloading Behaviors Detected\" in watchlist \"Carbon Black Advanced Threats\"",
  "process_name": "powershell.exe",
  "threat_indicators": [{
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["e41b000e-eb5a-41f4-aa67-1902d186a457-0"]
  }],
  "threat_cause_actor_sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
  "threat_cause_actor_name": "powershell.exe",
  "threat_cause_reputation": "COMMON_WHITE_LIST",
  "threat_cause_threat_category": "RESPONSE_WATCHLIST",
  "threat_cause_vector": "UNKNOWN",
  "run_state": "RAN",
  "ioc_id": "e41b000e-eb5a-41f4-aa67-1902d186a457-0",
  "ioc_hit": "(process_cmdline:powershell* AND (process_cmdline:.downloaddata OR process_cmdline:.downloadstring OR process_cmdline:.downloadfile) -process_cmdline:chocolatey.org*) -enriched:true",
  "watchlists": [{
    "id": "mrTB06fAQbeNfvl47cQiGg",
    "name": "Carbon Black Advanced Threats"
  }],
  "process_guid": "ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613",
  "process_path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
  "report_name": "Execution - PowerShell Downloading Behaviors Detected",
  "report_id": "MLRtPcpQGKFh5OE4BT3tQ-e41b000e-eb5a-41f4-aa67-1902d186a457",
  "status": "UNRESOLVED"
}

Last modified on October 10, 2023