Watchlist Hit Schema 1.0.0


The Carbon Black Cloud Data Forwarder emits a set of fields for every watchlist hit. These fields represent metadata for the organization, device, process, ioc, report and watchlist to which the hit belongs.

Note: Certain fields that were previously included in this listing, but were never actually populated, have been removed.
Field Definition Datatype
alert_id The ID of the Alert this watchlist hit is associated with String
create_time The time the watchlist hit was created in ISO 8601 UTC timestamp format to milliseconds

Example: 2021-07-28T18:38:41.000Z
ISO 8601 UTC timestamp
device_external_ip IP address of the endpoint from the perspective of the Carbon Black Cloud. Can differ from device_internal_ip due to network proxy or NAT. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”) String
device_id Integer ID of the device that created this watchlist hit Integer
device_internal_ip IP address of the endpoint as reported by the sensor. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”) String
device_name Hostname of the device that created this watchlist hit String
device_os OS Type of device (Windows/OSX/Linux) String
ioc_field Field the IOC hit contains String
ioc_hit IOC field value, or IOC query that matches String
ioc_id ID of the IOC that caused the hit String
org_key The organization key associated with the console instance. Can be used to disambiguate alerts from different customers/organizations. String
parent_cmdline Command line executed by the parent process String
parent_guid Unique ID of parent process. Please see this document for more information on how a process GUID is used and each of its components. String
parent_hash Cryptographic hashes of the executable file backing the parent process, represented as an array of two elements - MD5 and SHA-256 hash String[]
parent_path Full path to the executable file backing the parent process on the device’s file system String
parent_pid OS-reported Process ID of the parent process Integer
parent_publisher[]
.name
Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the process as reported by the endpoint Object
parent_publisher[]
.state
See above Object
parent_reputation Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud String
parent_username The username associated with the user context that the parent process was started under String
process_cmdline Command line executed by the actor process String
process_guid Unique ID of process. Please see this document for more information on how a process GUID is used and each of its components. String
process_hash Cryptographic hashes of the executable file backing this process, represented as an array of two elements - MD5 and SHA-256 hash String[]
process_path Full path to the executable file backing this process on the device’s file system String
process_pid OS-reported Process ID of the current process Integer
process_publisher[]
.name
Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the process as reported by the endpoint Object
process_publisher[]
.state
See above Object
process_reputation Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud String
process_username The username associated with the user context that this process was started under String
report_id ID of the watchlist report(s) that detected a hit on the process String
report_name Name of the watchlist report(s) that detected a hit on the process String
report_tags List of tags associated with the report(s) that detected a hit on the process String[]
schema Not implemented String
severity The severity of the watchlist hit Integer
type The watchlist hit type

watchlist.hit
String
watchlists List of watchlists that contain the report of the ioc hit. List of id, name tuples.
e.g.
"watchlists": [{
  "id": "P5f9AW29TGmTOvBW156Cig",
  "name": "ATT\u0026CK Framework"
}]
Object[]

Data Samples

The following are samples of data: watchlist.hit

watchlist.hit

{
  "schema": 1,
  "create_time": "2021-12-10T19:28:27.384Z",
  "device_external_ip": "200.201.30.123",
  "device_id": 4467271,
  "device_internal_ip": "10.33.4.214",
  "device_name": "Carbonblack-win1",
  "device_os": "WINDOWS",
  "ioc_hit": "(((process_name:cmd.exe AND process_cmdline:\\/c) AND -childproc_name:facefoduninstaller.exe)) -enriched:true",
  "ioc_id": "565642-0",
  "org_key": "ABCDE12345",
  "parent_cmdline": "\"C:\\Program Files\\Aella\\aella_conf_win_srv\\aella_conf_win_srv.exe\"",
  "parent_guid": "ABCDE12345-00442a47-00001520-00000000-1d7d5d3419e653f",
  "parent_hash": ["6174da1a2dd7594456bbb3ae50ac5587", "2ad7d1a17ee2dd897a5a45515e5ae46f8b6b61d3f67c90c1fa0c7910f06d0515"],
  "parent_path": "c:\\program files\\aella\\aella_conf_win_srv\\aella_conf_win_srv.exe",
  "parent_pid": 5408,
  "parent_publisher": [{
    "name": "Stellar Cyber Inc",
    "state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED"
  }],
  "parent_reputation": "REP_ADAPTIVE",
  "parent_username": "NT AUTHORITY\\SYSTEM",
  "process_cmdline": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc queryex aella_conf\"",
  "process_guid": "ABCDE12345-00442a47-00001574-00000000-1d7edfbdd2d4880",
  "process_hash": ["d0fce3afa6aa1d58ce9fa336cc2b675b", "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22"],
  "process_path": "c:\\windows\\syswow64\\cmd.exe",
  "process_pid": 5492,
  "process_publisher": [{
    "name": "Microsoft Windows",
    "state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED"
  }],
  "process_reputation": "REP_WHITE",
  "process_username": "NT AUTHORITY\\SYSTEM",
  "report_id": "CFnKBKLTv6hUkBGFobRdg-565642",
  "report_name": "Execution - Command-Line Interface (cmd.exe /c)",
  "report_tags": ["attack", "attackframework", "threathunting", "hunting", "windows", "execution", "t1059"],
  "severity": 1,
  "type": "watchlist.hit",
  "watchlists": [{
    "id": "P5f9AW29TGmTOvBW156Cig",
    "name": "ATT\u0026CK Framework"
  }]
}

Last modified on July 23, 2024