Endpoint Event Schema 1.0.0

The endpoint.event schema version 1.0.0 has been deprecated and replaced by version 1.1.0., which includes Extended Detection and Response (XDR) data.

“Common fields” are present in all event types, while other fields are only present for a specific event type.

Legend:

FILTERABLE - Indicates whether the field is supported in the query for a filter
TOKENIZED - The field supports partial phrase matching through Tokenization
WILDCARD - The field supports wildcard characters

Common Fields

The Carbon Black Cloud Data Forwarder emits a set of common fields for every endpoint event. These fields represent common metadata for the organization, device, and process to which this event belongs.

Note: A new copy of the alert will be sent if something changes on the backend.

Field Name	Definition	Capabilities



`action`	Specific endpoint action observed by sensor during this event. Enum values vary by event `type`	FILTERABLE
`backend_timestamp`	Time when the backend received the batch of events, based on Carbon Black Cloud backend’s clock as an RFC 3339 formatted time string based on UTC to the seconds; may differ from `device_timestamp` by a few minutes due to asynchronous processing Example: `2021-07-28 18:43:51 +0000 UTC`
`device_group`	Sensor group to which the endpoint was assigned when the sensor recorded the event data	FILTERABLE WILDCARD
`device_id`	Integer ID of the device that created this event	FILTERABLE
`device_name`	Hostname of the device that created this event	FILTERABLE WILDCARD
`device_os`	OS Type of device (Windows/OSX/Linux)	FILTERABLE
`device_timestamp`	Time seen on sensor, based on sensor’s clock in RFC 3339 UTC format to seconds Example: `2021-07-28 18:43:51 +0000 UTC`
`event_origin`	Indicates which product the event came from. “EDR” indicates the event originated from Enterprise EDR. “NGAV” indicates the event originated from Endpoint Standard.	FILTERABLE
`org_key`	The organization key associated with the console instance. Can be used to disambiguate events from different Carbon Black Cloud tenant organizations.	FILTERABLE WILDCARD
`parent_guid`	Unique ID of parent process.
`parent_hash`	Cryptographic hashes of the executable file backing the parent process, represented as an array of two elements - MD5 and SHA-256 hash	FILTERABLE
`parent_path`	Full path to the executable file backing the parent process on the device’s file system	FILTERABLE WILDCARD
`parent_pid`	OS-reported Process ID of the parent process	FILTERABLE
`parent_reputation`	Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud	FILTERABLE
`process_cmdline`	Command line executed by the actor process	FILTERABLE TOKENIZED WILDCARD
`process_fork_pid`	The PID of a process forked from the actor on *nix systems. If f process_pid != process_fork_pid, the current process was forked from original process_pid.	FILTERABLE
`process_guid`	Unique ID of process.
`process_hash`	Cryptographic hashes of the executable file backing this process, represented as an array of two elements - MD5 and SHA-256 hash	FILTERABLE
`process_path`	Full path to the executable file backing this process on the device’s file system	FILTERABLE WILDCARD
`process_pid`	OS-reported Process ID of the current process	FILTERABLE
`process_reputation`	Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud	FILTERABLE
`process_username`	The username associated with the user context that this process was started under	FILTERABLE WILDCARD
`schema`	The schema version. The current schema version is “1”. This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way. New fields in an event type or new event types will not result in a new schema version.	FILTERABLE
`sensor_action`	(optional) Included if the sensor blocked the event or terminated the application due to security policy `POLICY_NOT_APPLIED`, `ALLOW`, `ALLOW_AND_LOG`, `TERMINATE`, `DENY`	FILTERABLE
`target_cmdline`	The command line that was executed to create the process represented in the childproc properties.	FILTERABLE TOKENIZED WILDCARD
`type`	The event type. Use this field to determine which fields should be expected per the specs below.	FILTERABLE

Endpoint Standard Fields

Endpoint Standard events have the event_origin field set to NGAV. If you are an Endpoint Standard customer, you will see the below fields populated in the Data Forwarder output. Enterprise EDR fields will also be present, but not populated. Endpoint Standard records only “security-relevant” events, so you will see roughly 10-20x fewer Endpoint Standard events than Enterprise EDR events.

Field	Definition	Capabilities
`alert_id`	The ID of the Alert this event is associated with	FILTERABLE
`device_external_ip`	IP address of the host as seen by the backend (the public IPv4 or IPv6 address used to contact the Carbon Black Cloud)	FILTERABLE
`event_description`	Long textual description of the event as seen in the Carbon Black Cloud web console	FILTERABLE WILDCARD
`event_id`	Internal Endpoint Standard event ID associated with this specific event ⁠— this event ID can be used to find the specific event in the Carbon Black Cloud web console
`process_terminated`	Always FALSE for Endpoint Standard events

Enterprise EDR Fields

Enterprise EDR events have the event_origin field set to EDR. Endpoint Standard fields will be present, but not populated.

Field	Definition	Capabilities
`parent_cmdline`	Process command line associated with the parent process	FILTERABLE TOKENIZED WILDCARD
`process_duration`	The time difference in seconds between the process start and process terminate event
`process_publisher[]` `.name`	Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the process as reported by the endpoint	FILTERABLE WILDCARD Filterable field: `process_publisher`
`process_publisher[]` `.state`	See above	FILTERABLE Filterable field: `process_publisher_state`
`process_terminated`	True if process was terminated

API Call

endpoint.event.apicall

Each API-call event is reported as the type “endpoint.event.apicall”. An API-call event includes the fields named in the “Common Fields” section above.

Field	Definition	Capabilities
`crossproc_api`	Name of the operating system API called by the actor process. In cases where that call targets another process, that process is reported as crossproc_name. In cases where there is no target process, this field represents a system API call. Available with: all sensors with Endpoint Standard Windows 3.8 or later sensor with Enterprise EDR macOS sensors with Enterprise EDR (only reporting the PEP_CREATE_PHANDLE_API call made in task_for_pid() requests)	FILTERABLE WILDCARD
`crossproc_action`	The cross-process action initiated by the actor process `ACTION_API_CALL`, `ACTION_DUP_PROCESS_HANDLE`, `ACTION_OPEN_THREAD_HANDLE`, `ACTION_DUP_THREAD_HANDLE`, `ACTION_CREATE_REMOTE_THREAD`	FILTERABLE

Cross-Process Event

endpoint.event.crossproc

Any time a process interacts with another process on the system, that is considered a “cross-process” event. Each cross-process event is reported as the type “endpoint.event.crossproc”. The following fields represent metadata associated with the cross-process event.

Field	Definition	Capabilities
`crossproc_api`	Name of the operating system API called by the actor process. In cases where that call targets another process, that process is reported as crossproc_name. In cases where there is no target process, this field represents a system API call. Available with: all sensors with Endpoint Standard Windows 3.8 or later sensor with Enterprise EDR macOS sensors with Enterprise EDR (only reporting the PEP_CREATE_PHANDLE_API call made in task_for_pid() requests)	FILTERABLE WILDCARD
`crossproc_action`	The cross-process action initiated by the actor process `ACTION_API_CALL`, `ACTION_DUP_PROCESS_HANDLE`, `ACTION_OPEN_THREAD_HANDLE`, `ACTION_DUP_THREAD_HANDLE`, `ACTION_CREATE_REMOTE_THREAD`	FILTERABLE
`crossproc_guid`	Unique ID of the cross process
`crossproc_hash`	Cryptographic hashes of the target of the crossproc event ⁠— this is represented as an array of two elements, MD5 and SHA-256 hash	FILTERABLE
`crossproc_name`	Full path to the target of the crossproc event on the device’s local file system	FILTERABLE WILDCARD
`crossproc_publisher[]` `.name`	Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the crossproc as reported by the endpoint	FILTERABLE WILDCARD Filterable field: `crossproc_publisher`
`crossproc_publisher[]` `.state`	See above	FILTERABLE Filterable field: `crossproc_publisher_state`
`crossproc_reputation`	Carbon Black Cloud Reputation string for the crossproc.	FILTERABLE
`crossproc_target`	True if the process was the target of the cross-process event; false if the process was the actor	FILTERABLE

File Modification

endpoint.event.filemod

Each file-modification event is reported as the type “endpoint.event.filemod”. The following fields represent metadata associated with the file-modification event.

Field	Definition	Capabilities
`filemod_hash`	Cryptographic hashes of the file modified ⁠— this is represented as an array of two elements, MD5 and SHA-256 hash	FILTERABLE
`filemod_name`	Full path to the file being modified on the device’s file system	FILTERABLE WILDCARD

Fileless Script Load

endpoint.event.fileless_scriptload

A “fileless script load” is generated when a process loads a set of script instructions into memory. Each fileless script load event is reported as the type “endpoint.event.fileless_scriptload”. The following fields represent metadata associated with the fileless script load event.

Field	Definition	Capabilities
`fileless_scriptload_cmdline`	Deobfuscated script content run in a fileless context by the process	FILTERABLE TOKENIZED WILDCARD
`fileless_scriptload_cmdline_length`	Character count of the deobfuscated script content run in a fileless context	FILTERABLE
`fileless_scriptload_hash`	SHA-256 hash(es) of the deobfuscated script content run by the process in a fileless context	FILTERABLE

Module Load

endpoint.event.moduleload

A “module load” is generated when a process loads a shared library (DLL in Windows, .so in Linux, .dylib in macOS) into its process memory space. Each module load event is reported as the type “endpoint.event.moduleload”. The following fields represent metadata associated with the module load event.

Field	Definition	Capabilities
`modload_count`	Count of modload events reported by the sensor since last initialization	FILTERABLE
`modload_effective_reputation`	Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred	FILTERABLE
`modload_hash`	MD5 or SHA-256 hash(es) of the module(s) loaded by the process	FILTERABLE
`modload_md5`	MD5 hash of the module loaded by the process	FILTERABLE
`modload_name`	Full path to the module being loaded on the device’s file system	FILTERABLE WILDCARD
`modload_publisher[]` `.name`	Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the moduleload as reported by the endpoint	FILTERABLE WILDCARD Filterable field: `modload_publisher`
`modload_publisher[]` `.state`	See above	FILTERABLE Filterable field: `modload_publisher_state`
`modload_sha256`	SHA-256 hash of the module loaded by the process	FILTERABLE

Network Connection

endpoint.event.netconn

Each network-connection event is reported as the type “endpoint.event.netconn”. In addition to the common fields documented in “Common Fields”, the following fields represent metadata associated with the network-connection event.

Field	Definition	Capabilities
`local_ip`	IPv4 or IPv6 address in string format associated with the “local” end of this network connection	FILTERABLE
`local_port`	UDP/TCP port number associated with the “local” end of this network connection	FILTERABLE
`netconn_domain`	DNS name associated with the “remote” end of this network connection ⁠— may be empty if the name cannot be inferred or the connection is made direct to/from a remote IP address	FILTERABLE WILDCARD
`netconn_inbound`	Set to true if the netconn is inbound	FILTERABLE
`netconn_protocol`	String UDP or TCP protocol identifier	FILTERABLE
`remote_ip`	IPv4 or IPv6 address in string format associated with the “remote” end of this network connection	FILTERABLE
`remote_port`	UDP/TCP port number associated with the “remote” end of this network connection	FILTERABLE

Network Proxy Connection

endpoint.event.netconn_proxy

A “network proxy connection” event is any network connection event in which the process communicates with an intermediary remote device but has a different intended destination - usually an HTTP proxy intermediary. Each network proxy connection event is reported as the type “endpoint.event.netconn_proxy”. In addition to the common fields documented in “Common Fields” as well as the fields documented in “Network Connection - endpoint.event.netconn”, the following fields represent metadata associated with the network proxy connection event.

Field	Definition	Capabilities
`netconn_proxy_domain`	DNS name associated with the “proxy” end of this network connection ⁠— may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address	FILTERABLE WILDCARD
`netconn_proxy_ip`	IPv4 or IPv6 address in string format associated with the “proxy” end of this network connection	FILTERABLE
`netconn_proxy_port`	UDP/TCP port number associated with the “proxy” end of this network connection	FILTERABLE

Process Launch Event

endpoint.event.procstart

Each process launch event is reported as the type “endpoint.event.procstart”. A procstart event can be either a child process or a new process. A child process event will have the action ACTION_CREATE_PROCESS where a new process will have ACTION_PROCESS_DISCOVERED. In the case of a new process you will only have process and childproc properties, there will be no parent properties. The child process properties represent the process being created and the process properties will represent the os system.

The target_cmdline property is the command line that was executed to create the process represented in the childproc properties.

In addition to the common fields documented in “Common Fields”, the following fields represent metadata associated with the process start event.

Field	Definition	Capabilities
`childproc_guid`	Unique ID of the child process.
`childproc_hash`	Cryptographic hashes of the executable file backing the child process, represented as an array of two elements - MD5 and SHA-256 hash	FILTERABLE
`childproc_name`	Full path to the target application for the child process on the device’s local file system	FILTERABLE WILDCARD
`childproc_pid`	OS-reported Process ID of the child process	FILTERABLE
`childproc_publisher[]` `.name`	Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the childproc as reported by the endpoint	FILTERABLE WILDCARD Filterable field: `childproc_publisher`
`childproc_publisher[]` `.state`	See above	FILTERABLE Filterable field: `childproc_publisher_state`
`childproc_reputation`	Carbon Black Cloud Reputation string for the childproc.	FILTERABLE
`childproc_username`	The username associated with the user context that the child process was started under	FILTERABLE WILDCARD

Process Terminate Event

endpoint.event.procend

Each process-terminate event is reported as the type “endpoint.event.procend”. A “procend” event includes the fields named in the “Common Fields” section above.

Registry Modification

endpoint.event.regmod

Each registry-modification event is reported as the type “endpoint.event.regmod”. The following fields represent metadata associated with the registry-modification event.

Field	Definition	Capabilities
`regmod_name`	Full path to the registry key, including the hive, being modified on the Windows device’s registry	FILTERABLE WILDCARD

Script Load

endpoint.event.scriptload

A “script load” is generated when a process loads a script (.ps1, .vb, .bin, etc..) that can be executed by a script interpreter. Each script load event is reported as the type “endpoint.event.scriptload”. The following fields represent metadata associated with the script load event.

EDR Scriptload Event

Field	Definition	Capabilities
`scriptload_effective_reputation`	Effective reputation(s) of the loaded script(s); applied by the sensor when the event occurred Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR `ADAPTIVE_WHITE_LIST`, `ADWARE`, `COMMON_WHITE_LIST`, `COMPANY_BLACK_LIST`, `COMPANY_WHITE_LIST`, `HEURISTIC`, `IGNORE`, `KNOWN_MALWARE`, `LOCAL_WHITE`, `NOT_LISTED`, `PUP`, `RESOLVING`, `SUSPECT_MALWARE`, `TRUSTED_WHITE_LIST`	FILTERABLE
`scriptload_hash`	MD5 and/or SHA-256 hash(es) of the filesystem script file loaded at process launch	FILTERABLE
`scriptload_name`	Filesystem path of script file(s) loaded at process launch	FILTERABLE WILDCARD
`scriptload_publisher[]` `.name`	Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the scriptload as reported by the endpoint	FILTERABLE WILDCARD Filterable field: `scriptload_publisher`
`scriptload_publisher[]` `.state`	See above	FILTERABLE Filterable field: `scriptload_publisher_state`
`scriptload_reputation`	Reputation(s) of the loaded script(s); applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR `ADAPTIVE_WHITE_LIST`, `ADWARE`, `COMMON_WHITE_LIST`, `COMPANY_BLACK_LIST`, `COMPANY_WHITE_LIST`, `HEURISTIC`, `IGNORE`, `KNOWN_MALWARE`, `LOCAL_WHITE`, `NOT_LISTED`, `PUP`, `RESOLVING`, `SUSPECT_MALWARE`, `TRUSTED_WHITE_LIST`	FILTERABLE

NGAV Scriptload Event

Field	Definition	Capabilities
`process_loaded_script_hash`	SHA-256 hash(es) of any script loaded from the filesystem through the duration of the process; compare with fileless_scriptload_hash	m FILTERABLE
`process_loaded_script_name`	Filesystem path(s) of any script content loaded from the filesystem through the duration of the process; compare with fileless_scriptload_cmdline, scriptload_content	FILTERABLE WILDCARD
`scriptload_content`	Deobfuscated script content (string, binary, or raw executable image) loaded from the filesystem at process launch; compare with fileless_scriptload_cmdline, process_loaded_script_name Requires Windows CBC sensor 3.6 or later, AMSI support via Windows 10/Server version 1703 or later and Endpoint Standard product	FILTERABLE
`scriptload_count`	Count of scriptload events across all processes reported by the sensor since last initialization	FILTERABLE
`scriptload_hash`	MD5 and/or SHA-256 hash(es) of the filesystem script file loaded at process launch	FILTERABLE
`scriptload_name`	Filesystem path of script file(s) loaded at process launch	FILTERABLE WILDCARD
`scriptload_content_length`	Character count of the deobfuscated filesystem script; compare with fileless_scriptload_cmdline_length Requires Windows CBC sensor 3.6 or later, AMSI support via Windows 10/Server version 1703 or later and Endpoint Standard product	FILTERABLE

Volume Event

endpoint.event.volume

Events generated for volume operations, including mounting and un-mounting of external devices. A “volume” event includes the fields named in the “Common Fields” section above.

Data Samples

The following are samples of data: endpoint.event

endpoint.event

{
  "type": "endpoint.event.procstart",
  "process_guid": "ABCD1234-006e8d46-00001310-00000000-1d5fd46cc37d700",
  "parent_guid": "ABCD1234-006e8d46-00000290-00000000-1d5fa5dbbaa12ce",
  "backend_timestamp": "2020-03-25 22:38:54 +0000 UTC",
  "org_key": "ABCD1234",
  "device_id": "7245126",
  "device_name": "cbc-win10",
  "device_external_ip": "72.152.92.146",
  "device_os": "WINDOWS",
  "device_group": "Windows Group",
  "action": "ACTION_CREATE_PROCESS",
  "schema": 1,
  "event_description": "The application \"<share><link hash=\"0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043\">C:\\program files (x86)\\google\\chrome\\application\\chrome.exe</link></share>\" invoked the application \"<share><link hash=\"0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043\">C:\\program files (x86)\\google\\chrome\\application\\chrome.exe</link></share>\". ",
  "alert_id": "WXYZ0987",
  "event_id": "54885ebc6ee911eabc70416f8358e4f2",
  "device_timestamp": "2020-03-25 22:38:03.353 +0000 UTC",
  "process_terminated": false,
  "process_reputation": "REP_RESOLVING",
  "parent_repuation": "",
  "process_pid": 4880,
  "parent_pid": 656,
  "process_publisher": [
    {
      "name": "Google Inc",
      "state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED"
    }
  ],
  "process_path": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
  "parent_path": "c:\\windows\\system32\\services.exe",
  "process_hash": [
    "3623a0e7cdcf3310ffb4c87c5b43ae02",
    "0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043"
  ],
  "parent_hash": [
    "db896369fb58241adf28515e3765c514",
    "a2e369df26c88015fe1f97c7542d6023b5b1e4830c25f94819507ee5bcb1dfcc"
  ],
  "process_cmdline": "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox",
  "parent_cmdline": "",
  "process_username": "CBC-WIN10\\user",
  "sensor_action": "ALLOW",
  "childproc_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
  "childproc_hash": [
    "3623a0e7cdcf3310ffb4c87c5b43ae02",
    "0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043"
  ],
  "target_cmdline": "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --field-trial-handle=1656,13710686576560040528,13403776044656688818,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=5236 --ignored=\" --type=renderer \" /prefetch:8"
}

Last modified on July 11, 2023

Carbon Black Cloud

Page Contents