Auth Event Schema - 1.0.0
Introduction
The Carbon Black Cloud Data Forwarder emits a set of common fields for every authentication event that occurs on Windows endpoints. The reporting of Windows authentication events supplements the reporting of process events, which enables the correlation of authentication and process activity and yields more context-rich threat hunting and incident response.
Resources
Data Types
Find more detail on the data types here.
Fields
Field Name | Definition | Datatype |
---|---|---|
alert_id | ID of the alert(s) associated with the process or event | String[] |
attack_tactic | A tactic from the MITRE ATT&CK framework; defines the reason for an adversary's action, such as achieving credential access | String |
attack_technique | A technique from the MITRE ATT&CK framework; defines an action an adversary takes to accomplish a goal, such as dumping credentials to achieve credential access | String |
attack_tid | Allows searching for a specific combination of MITRE ATT&CK tactic and technique; uses the format tactic:technique.subtechnique | String |
auth_cleartext_credentials_logon | True if the logon attempt used cleartext credentials; false if it used encrypted credentials | Boolean |
auth_credential_provider | The logon process that validated the credentials, as registered with the Local Security Authority in Event ID 4611. Common processes include Winlogon, Schannel, KSecDD, Secondary Logon Service (runas), IKE, HTTP.SYS, SspTest, dsRole, DS Replication and CredProvConsent (User Account Control) | String |
auth_daemon_logon | True if the logon attempt is attributed to a service (Windows) or daemon (macOS/Linux) | Boolean |
auth_domain_name | Domain name of the user the authentication event is attributed to | String |
auth_elevated_token_logon | True if the logon attempt used an elevated token; false if it did not | Boolean |
auth_event_action | Action that results from an authentication attempt (for example ACTION_LOGON_FAILED) | String |
auth_failed_logon_count | Number of failed logon attempts since the last successful logon | Integer |
auth_failure_reason | Only populated for ACTION_LOGON_FAILED events; the possible values are documented with Event 4625 at https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 | String |
auth_failure_status | Only populated for ACTION_LOGON_FAILED events; the status codes are documented with Event 4625 at https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 | String |
auth_failure_sub_status | Hexadecimal code that identifies the logon failure reason in more detail | String |
auth_impersonation_level | Impersonation level of the logon session. Values: IMPERSONATION_INVALID; IMPERSONATION_NONE (default, no impersonation); IMPERSONATION_ANONYMOUS (SecurityAnonymous: the server cannot impersonate or identify the client); IMPERSONATION_CLIENT (SecurityIdentification: the server can obtain the identity and privileges of the client but cannot impersonate the client); IMPERSONATION_LOCAL_ONLY (SecurityImpersonation: the server can impersonate the client's security context on the local system); IMPERSONATION_LOCAL_OR_REMOTE (SecurityDelegation: the server can impersonate the client's security context on remote systems) | String |
auth_interactive_logon | True if the logon attempt was interactive; false if it was non-interactive | Boolean |
auth_key_length | For non-Kerberos authentication, the length of the key used to secure the authentication channel | Integer |
auth_last_failed_logon_time | Time of the last failed logon | String |
auth_linked_logon_id | When UAC (User Account Control) is enabled and an administrator logs on, two logon sessions are created: one with the full administrator token and one with a filtered (split) token without administrator privileges. This is the LUID of the linked session, in 00000000-00000000 format | String |
auth_logon_id | Locally unique identifier (LUID) of the logon session the authentication event is attributed to; unique per logon session per machine | String |
auth_logon_type | Windows logon type of the authentication (for example 2 Interactive, 3 Network, 10 RemoteInteractive) | Integer |
auth_package | Populated for Event ID 4610 events; identifies the authentication package that was loaded by the Local Security Authority | String |
auth_package_version | Version of the authentication package identified in auth_package | String |
auth_privileges | Privilege(s) assigned to the logon session | String[] |
auth_remote_device | Name of the remote device from which the remote authentication attempt was made | String |
auth_remote_ipv4 | IPv4 address of the remote device from which the remote authentication attempt was made | String |
auth_remote_ipv6 | IPv6 address of the remote device from which the remote authentication attempt was made | String |
auth_remote_location | Geographic location of the remote device at logon time, in the format city, region, country | String |
auth_remote_logon | True if the logon attempt was remote; false if it was local | Boolean |
auth_remote_port | Source port from which the remote authentication attempt was made | Integer |
auth_restricted_admin_logon | True if the logon attempt used Restricted Admin mode for Remote Desktop Connection; false if it did not | Boolean |
auth_server | Name of the server that authenticated the logon | String |
auth_user_id | Security identifier (SID) of the user on a Windows machine; a SID is a unique value of variable length that identifies a trustee (security principal) | String |
auth_user_principal_name | User Principal Name (UPN) of the user associated with the authentication event | String |
auth_username | Name of the user the authentication event is attributed to | String |
auth_virtual_account_logon | True if the logon attempt used a virtual account; false if it did not | Boolean |
backend_timestamp | Timestamp when the Carbon Black Cloud processed the data and made it searchable; occurs after ingress_time; may differ from device_timestamp by a few minutes due to asynchronous processing | ISO 8601 UTC timestamp |
device_external_ip | IP address of the endpoint as seen by the Carbon Black Cloud; can differ from device_internal_ip due to a network proxy or NAT; either IPv4 (dotted decimal notation) or IPv6 (proprietary format, documented in the Data Types reference linked above) | String |
device_group | Sensor group to which the endpoint was assigned when the sensor recorded the event data | String |
device_group_id | ID assigned to the device_group by the Carbon Black Cloud; matches ad_group_id in the Devices API | Integer |
device_id | ID assigned to the endpoint by the Carbon Black Cloud; unique across all Carbon Black Cloud environments | String |
device_installed_by | The user who was logged in to the endpoint when the sensor was installed (e.g. pat.malarkey@email.com, DOMAIN\pmalarkey or pmalarkey) | String |
device_internal_ip | IP address of the endpoint as reported by the sensor; either IPv4 (dotted decimal notation) or IPv6 (proprietary format, documented in the Data Types reference linked above) | String |
device_location | The endpoint's current location relative to the organization's network, based on its current IP address and the device's registered DNS domain suffix | String |
device_name | Hostname of the endpoint, recorded by the sensor when it was last initialized | String |
device_os | Operating system of the endpoint | String |
device_os_version | Operating system and version of the endpoint; requires Windows CBC sensor version 3.5 or later | String |
device_policy | Policy applied to the endpoint in the Carbon Black Cloud | String |
device_policy_id | ID assigned to the device_policy by the Carbon Black Cloud | Integer |
device_target_priority | The "Target value" configured in the policy assigned to the sensor; requires Endpoint Standard | String |
device_timestamp | Sensor-reported timestamp of the batch of events in which this record was submitted to the Carbon Black Cloud | ISO 8601 UTC timestamp |
event_id | Unique event identifier assigned by the Carbon Black Cloud | String |
filemod_count | Count of filemod events reported by the sensor since last initialization; requires Enterprise EDR | Integer |
modload_count | Count of modload events reported by the sensor since last initialization; requires Enterprise EDR | Integer |
netconn_count | Count of netconn events reported by the sensor since last initialization; requires Enterprise EDR | Integer |
org_key | Unique alphanumeric string that identifies your organization in the Carbon Black Cloud | String |
parent_cmdline | Command line of the parent process | String |
parent_cmdline_length | Character count of the parent process command line | Integer |
parent_effective_reputation | Effective reputation of the parent process; applied by the sensor when the event occurred | String |
parent_effective_reputation_source | Source of the effective reputation of the parent process | String |
parent_guid | Unique process identifier assigned to the parent process | String |
parent_hash | MD5 and/or SHA-256 hash of the parent process binary | String[] |
parent_issuer | Certificate authority, signing authority or company that issued the certificate for the binary executed by the parent process | String[] |
parent_name | Filesystem path of the parent process binary | String |
parent_pid | Identifier assigned by the operating system to the parent process | Integer |
parent_product_name | Product name embedded in the portable executable header of the parent process binary; Windows only | String |
parent_publisher[].name | Publisher name(s) on the certificate(s) used to sign the Windows or macOS binary of the parent process. parent_publisher is an array of objects with two keys, "name" and "state"; each entry is one signature on the binary as reported by the endpoint | Object |
parent_publisher[].state | Signature state of the corresponding parent_publisher[].name entry | Object |
parent_reputation | Reputation of the parent process; applied when the event is processed by the Carbon Black Cloud, i.e. after the sensor delivers the event to the cloud | String |
parent_username | User context in which the parent process was executed | String |
process_cmdline | Command line executed by the actor process | String |
process_cmdline_length | Character count of the actor process command line | Integer |
process_company_name | Company name embedded in the portable executable header of the Windows process binary; requires Windows CBC sensor and Enterprise EDR | String |
process_container_pid | Container process identifier assigned by the operating system; can be multi-valued in the case of fork() or exec() process operations on Linux | Integer |
process_duration | Duration of the process in milliseconds; available after the sensor reports that the process has terminated; equal to process_end_time - process_start_time | Integer |
process_effective_reputation | Effective reputation of the actor process; applied by the sensor when the event occurred | String |
process_effective_reputation_source | Source of the effective reputation of the actor process | String |
process_elevated | True if the process was running with elevated privileges; not present when false; requires Windows CBC sensor version 3.5 or later and Enterprise EDR | Boolean |
process_end_time | Sensor timestamp of when the process terminated; available after the sensor reports that the process has terminated (only for processes whose start time the sensor captured) | String |
process_file_description | File description embedded in the portable executable header of the Windows process binary; requires Windows CBC sensor and Enterprise EDR | String |
process_guid | Unique process identifier of the actor process | String |
process_hash | MD5 and/or SHA-256 hash of the actor process binary; order may vary when two hashes are reported | String[] |
process_integrity_level | Windows Mandatory Integrity Control (MIC) level of the process; requires Windows CBC sensor version 3.5 or later and Enterprise EDR | String |
process_internal_name | Internal name embedded in the portable executable header of the Windows process binary; requires Windows CBC sensor and Enterprise EDR | String |
process_issuer | Certificate authority, signing authority or company that issued the certificate for the binary executed by the process | String[] |
process_loaded_script_hash | SHA-256 hash(es) of any script loaded from the filesystem during the lifetime of the process; compare with fileless_scriptload_hash; requires Endpoint Standard | String[] |
process_loaded_script_name | Filesystem path(s) of any script content loaded from the filesystem during the lifetime of the process; compare with fileless_scriptload_cmdline and scriptload_content; requires Endpoint Standard | String[] |
process_name | Filesystem path of the actor process binary | String |
process_original_filename | Original filename embedded in the portable executable header of the Windows process binary; requires Windows CBC sensor and Enterprise EDR | String |
process_pid | Process identifier assigned by the operating system; can be multi-valued in the case of fork() or exec() process operations on Linux and macOS | Integer |
process_privileges | Windows privileges associated with the process (see the Microsoft documentation of privilege constants for the complete list); requires Windows CBC sensor version 3.5 or later and Enterprise EDR | String[] |
process_product_name | Product name embedded in the portable executable header of the Windows process binary; requires Windows CBC sensor and Enterprise EDR | String |
process_product_version | Product version embedded in the portable executable header of the Windows process binary; requires Windows CBC sensor and Enterprise EDR | String |
process_publisher[].name | Publisher name(s) on the certificate(s) used to sign the Windows or macOS binary of the actor process. process_publisher is an array of objects with two keys, "name" and "state"; each entry is one signature on the binary as reported by the endpoint | Object |
process_publisher[].state | Signature state of the corresponding process_publisher[].name entry | Object |
process_reputation | Reputation of the actor process; applied when the event is processed by the Carbon Black Cloud, i.e. after the sensor delivers the event to the cloud | String |
process_sha256 | SHA-256 hash of the actor process binary | String |
process_start_time | Sensor-reported timestamp of when the process started; not available for processes that were already running before the sensor started | String |
process_username | User context in which the actor process was executed. macOS: all users of the PID across fork() and exec() transitions; Linux: the process user for exec() events, which may become multi-valued in a future sensor release due to setuid() | String |
regmod_count | Count of regmod events reported by the sensor since last initialization; requires Enterprise EDR | Integer |
scriptload_count | Count of scriptload events across all processes reported by the sensor since last initialization; requires Windows CBC sensor version 3.5 or later or macOS CBC sensor version 3.4 or later, and Enterprise EDR | Integer |
sensor_action | Action performed by the sensor on the process | String |
sensor_version | Version of the sensor installed on the device | String |
ttp | Patterns of behavior (tactics, techniques and procedures) associated with specific threat actor(s), attributed to events of the process | String[] |
type | The auth event type: auth.event.logonop | String |
version | Version of the schema being emitted, e.g. 1.0.0 | String |
windows_event_id | Windows Security event ID of the underlying event (for example 4624 or 4625) | Integer |
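The following is an added example, not code from this page or from Carbon Black: a small Python detector that consumes Data Forwarder JSON lines in this schema, drops records whose `type` is not `auth.event.logonop`, and then uses the auth fields for two checks. First, a success preceded by repeated ACTION_LOGON_FAILED events from the same remote address against the same endpoint (a brute force or password spray that landed), cross-checking the count against the sensor's own auth_failed_logon_count so that dropped events are visible. Second, successful logons that exposed credentials in cleartext, via auth_cleartext_credentials_logon or Windows logon type 8. The sample events are constructed; the success action value ACTION_LOGON_SUCCESS and the `endpoint.event.procstart` type string are assumptions, since the page names only ACTION_LOGON_FAILED. The logon type numbers are Microsoft's Windows definitions, not schema values.

```python
"""Detections over Carbon Black Cloud auth events (schema 1.0.0 field names).

Added example: this is not code from the schema page or from Carbon Black.
Assumptions not stated on the page: events arrive as JSON lines from the Data
Forwarder, the success action is spelled ACTION_LOGON_SUCCESS (the page only
names ACTION_LOGON_FAILED), and non-auth records carry another `type` value.
"""
import json
from collections import defaultdict

AUTH_EVENT_TYPE = "auth.event.logonop"   # `type` value given on the page
ACTION_FAILED = "ACTION_LOGON_FAILED"    # named on the page
ACTION_SUCCESS = "ACTION_LOGON_SUCCESS"  # ASSUMED spelling of the success action

# Microsoft's Windows logon type numbers, used to decode auth_logon_type.
LOGON_TYPE = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
              7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
              10: "RemoteInteractive", 11: "CachedInteractive"}


def _event(**overrides):
    """Build one constructed auth event using the schema's field names."""
    base = {
        "type": AUTH_EVENT_TYPE, "version": "1.0.0", "device_name": "WS-FINANCE-07",
        "windows_event_id": 4624, "auth_event_action": ACTION_SUCCESS,
        "auth_username": "pmalarkey", "auth_domain_name": "CORP",
        "auth_logon_type": 2, "auth_remote_logon": False, "auth_remote_ipv4": None,
        "auth_remote_device": None, "auth_failed_logon_count": 0,
        "auth_failure_status": None, "auth_cleartext_credentials_logon": False,
        "process_name": "c:\\windows\\system32\\lsass.exe", "process_pid": 720,
    }
    base.update(overrides)
    return base


# Constructed sample stream: one benign local logon, four failures from one
# remote host, the success that follows them, a cleartext network logon, and
# a non-auth record of the kind that shares the forwarder stream (assumed type).
_REMOTE = {"auth_remote_logon": True, "auth_remote_ipv4": "10.20.30.40",
           "auth_remote_device": "LAPTOP-X", "auth_logon_type": 3}
SAMPLE_LINES = [json.dumps(e) for e in [
    _event(event_id="e1", device_timestamp="2024-02-26T10:00:01Z"),
    *[_event(event_id=f"f{i}", device_timestamp=f"2024-02-26T10:05:0{i}Z",
             windows_event_id=4625, auth_event_action=ACTION_FAILED,
             auth_failure_status="0xC000006D", auth_failed_logon_count=i, **_REMOTE)
      for i in range(1, 5)],
    _event(event_id="s1", device_timestamp="2024-02-26T10:05:09Z",
           auth_failed_logon_count=4, **_REMOTE),
    _event(**dict(_REMOTE, event_id="c1", device_timestamp="2024-02-26T10:07:00Z",
                  auth_logon_type=8, auth_cleartext_credentials_logon=True)),
]] + [json.dumps({"type": "endpoint.event.procstart", "event_id": "p1"})]


def parse_auth_events(lines):
    """Parse forwarder JSON lines, keep only auth events, order by sensor time."""
    events = [r for r in map(json.loads, lines) if r.get("type") == AUTH_EVENT_TYPE]
    events.sort(key=lambda e: e["device_timestamp"])  # same-format ISO 8601 sorts as text
    return events


def failures_then_success(events, threshold=3):
    """Flag a success preceded by >= threshold ACTION_LOGON_FAILED events from the
    same remote address against the same endpoint. The sensor's
    auth_failed_logon_count is compared with the failures actually seen; a
    mismatch means the stream is missing events (or the count was reset)."""
    failures = defaultdict(list)
    findings = []
    for e in events:
        key = (e["device_name"], e.get("auth_remote_ipv4"))
        if e["auth_event_action"] == ACTION_FAILED:
            failures[key].append(e["event_id"])
        elif e["auth_event_action"] == ACTION_SUCCESS and len(failures[key]) >= threshold:
            findings.append({
                "success_event": e["event_id"],
                "prior_failures": list(failures[key]),
                "sensor_count_matches": e.get("auth_failed_logon_count") == len(failures[key]),
                "source": e.get("auth_remote_ipv4"),
                "user": f'{e["auth_domain_name"]}\\{e["auth_username"]}',
                "logon_type": LOGON_TYPE.get(e["auth_logon_type"], "Unknown"),
                "validating_process": (e.get("process_name"), e.get("process_pid")),
            })
            failures[key].clear()
    return findings


def cleartext_logons(events):
    """Return event_ids of successful logons that exposed cleartext credentials:
    the schema's auth_cleartext_credentials_logon flag or logon type 8."""
    return [e["event_id"] for e in events
            if e["auth_event_action"] == ACTION_SUCCESS
            and (e.get("auth_cleartext_credentials_logon") or e.get("auth_logon_type") == 8)]


if __name__ == "__main__":
    evts = parse_auth_events(SAMPLE_LINES)
    for finding in failures_then_success(evts):
        print("brute force landed:", finding)
    print("cleartext logons:", cleartext_logons(evts))
```

The finding carries process_name and process_pid from the success event because the page's point is that auth events share the process fields, so the logon can be pivoted straight to the process that handled it; in production the threshold and the keying (per source address rather than per user, so a spray across many accounts is still caught) are the two knobs to tune.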
Last modified on February 26, 2024