Watchlist Hit Schema 1.0.0
The Carbon Black Cloud Data Forwarder emits a set of fields for every watchlist hit. These fields represent metadata for the organization, device, process, ioc, report and watchlist to which the hit belongs.
| Field | Definition |
|---|---|
alert_id |
The ID of the Alert this watchlist hit is associated with |
create_time |
The time the watchlist hit was created in ISO 8601 UTC timestamp format to milliseconds
Example: 2021-07-28T18:38:41.000Z |
device_external_ip |
IP address of the endpoint from the perspective of the Carbon Black Cloud. Can differ from device_internal_ip due to network proxy or NAT. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”) |
device_id |
Integer ID of the device that created this watchlist hit |
device_internal_ip |
IP address of the endpoint as reported by the sensor. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”) |
device_name |
Hostname of the device that created this watchlist hit |
device_os |
OS Type of device (Windows/OSX/Linux) |
device_uem_id |
“Unified Endpoint Management” identifier assigned by VMware Workspace ONE Intelligence, only populated if the Workspace ONE integration is configured. Unique across Carbon Black Cloud in GUID format (e.g. “FC3992EE-A8CD-5AD5-AC6D-A477490456E4”) |
ioc_field |
Field the IOC hit contains |
ioc_hit |
IOC field value, or IOC query that matches |
ioc_id |
ID of the IOC that caused the hit |
org_key |
The organization key associated with the console instance. Can be used to disambiguate alerts from different customers/organizations. |
parent_cmdline |
Command line executed by the parent process |
parent_guid |
Unique ID of parent process. Please see this document for more information on how a process GUID is used and each of its components. |
parent_hash |
Cryptographic hashes of the executable file backing the parent process, represented as an array of two elements - MD5 and SHA-256 hash |
parent_path |
Full path to the executable file backing the parent process on the device’s file system |
parent_pid |
OS-reported Process ID of the parent process |
parent_publisher[]
.name |
Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the process as reported by the endpoint |
parent_publisher[]
.state |
See above |
parent_reputation |
Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud |
parent_username |
The username associated with the user context that the parent process was started under |
process_cmdline |
Command line executed by the actor process |
process_guid |
Unique ID of process. Please see this document for more information on how a process GUID is used and each of its components. |
process_hash |
Cryptographic hashes of the executable file backing this process, represented as an array of two elements - MD5 and SHA-256 hash |
process_path |
Full path to the executable file backing this process on the device’s file system |
process_pid |
OS-reported Process ID of the current process |
process_publisher[]
.name |
Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the process as reported by the endpoint |
process_publisher[]
.state |
See above |
process_reputation |
Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud |
process_username |
The username associated with the user context that this process was started under |
report_id |
ID of the watchlist report(s) that detected a hit on the process |
report_name |
Name of the watchlist report(s) that detected a hit on the process |
report_tags |
List of tags associated with the report(s) that detected a hit on the process |
severity |
The severity of the watchlist hit |
type |
The watchlist hit type
watchlist.hit |
watchlists |
List of watchlists that contain the report of the ioc hit |
Data Samples
The following are samples of data: watchlist.hit
watchlist.hit
{
"schema": 1,
"create_time": "2021-12-10T19:28:27.384Z",
"device_external_ip": "200.201.30.123",
"device_id": 4467271,
"device_internal_ip": "10.33.4.214",
"device_name": "Carbonblack-win1",
"device_os": "WINDOWS",
"ioc_hit": "(((process_name:cmd.exe AND process_cmdline:\\/c) AND -childproc_name:facefoduninstaller.exe)) -enriched:true",
"ioc_id": "565642-0",
"org_key": "ABCDE12345",
"parent_cmdline": "\"C:\\Program Files\\Aella\\aella_conf_win_srv\\aella_conf_win_srv.exe\"",
"parent_guid": "ABCDE12345-00442a47-00001520-00000000-1d7d5d3419e653f",
"parent_hash": ["6174da1a2dd7594456bbb3ae50ac5587", "2ad7d1a17ee2dd897a5a45515e5ae46f8b6b61d3f67c90c1fa0c7910f06d0515"],
"parent_path": "c:\\program files\\aella\\aella_conf_win_srv\\aella_conf_win_srv.exe",
"parent_pid": 5408,
"parent_publisher": [{
"name": "Stellar Cyber Inc",
"state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED"
}],
"parent_reputation": "REP_ADAPTIVE",
"parent_username": "NT AUTHORITY\\SYSTEM",
"process_cmdline": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc queryex aella_conf\"",
"process_guid": "ABCDE12345-00442a47-00001574-00000000-1d7edfbdd2d4880",
"process_hash": ["d0fce3afa6aa1d58ce9fa336cc2b675b", "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22"],
"process_path": "c:\\windows\\syswow64\\cmd.exe",
"process_pid": 5492,
"process_publisher": [{
"name": "Microsoft Windows",
"state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED"
}],
"process_reputation": "REP_WHITE",
"process_username": "NT AUTHORITY\\SYSTEM",
"report_id": "CFnKBKLTv6hUkBGFobRdg-565642",
"report_name": "Execution - Command-Line Interface (cmd.exe /c)",
"report_tags": ["attack", "attackframework", "threathunting", "hunting", "windows", "execution", "t1059"],
"severity": 1,
"type": "watchlist.hit",
"watchlists": [{
"id": "P5f9AW29TGmTOvBW156Cig",
"name": "ATT\u0026CK Framework"
}]
}Give Feedback
Use this form to give us feedback about this site or any of the documentation.
Last modified on July 13, 2023