Data Forwarder Alert Schema v1 Migration

The Data Forwarder Alert Schema v1 will be deactivated on September 5, 2024.

Overview

Carbon Black Cloud’s latest-generation Alerts data is now available to ingest directly into your Carbon Black Cloud Data Forwarder-enabled integrations. Making the full power of Carbon Black Cloud’s updated Alert data available to system integrators, the Alerts Forwarder v2 provides a continuous stream of rich Carbon Black Cloud Alerts to be integrated into your SIEM, security lake, and other custom applications.

How to Migrate

Typically, the steps to upgrade a production system will be:

  1. Create and enable a new Alert Forwarder that uses the v2 Schema
  2. Update the application that ingests the data from the AWS S3 Bucket or Azure Blob Storage
  3. Verify data is being ingested correctly
  4. Disable and delete the Alert Forwarder using the v1 schema
  5. There may be some duplicate data ingested for the period when both the Alert Schema v1 data was being ingested and the Alert Schema v2 Forwarder was enabled.

If you did not update prior to July 31st 2024

  1. Active Alert Forwarders using v1 schema will have been automatically updated to Alert Forwarder Schema v2
  2. This is to prevent data loss; all available alerts will be published to your S3 bucket however the consuming system may not be able to ingest the new format
  3. Update the application that ingests the data to accept the Alert Forwarder Schema v2
  4. Process the data out of your AWS S3 bucket or Azure Blob Storage

New Features

  • The Alert Forwarder v2 Schema has significant updates which mirror the Alerts v7 API Schema.
  • A version field (currently “2.0.0”) has been added to all alerts forwarded from the Alerts Forwarder v2. This field matches the value in the Schema dropdown on the Add Forwarder and Edit Forwarder pages of the Carbon Black Cloud console.
  • Observed Alerts are not included in the Alert Forwarder output and exist solely within the Investigate page as Observations. The change described in Announcing the Alerts V7 API and Observed Alerts Become Observations also applies to the Data Forwarder Alert Schema v2.

Guides and Resources

Schema Changes

The following table contains the fields to be substituted when migrating to the Alerts Forwarder v2 Schema as well as the new supported fields. The fields or sub-fields not captured here remain the same for their respective API endpoints.

Substituted Fields

Legacy Field Alerts Forwarder v2 Field
alert_classification.classification ml_classification_final_verdict
alert_classification.global_prevalence ml_classification_global_prevalence
alert_classification.org_prevalence ml_classification_org_prevalence
blocked_threat_category
not_blocked_threat_category
threat_cause_threat_category		 threat_category
cluster_name k8s_cluster
create_time backend_timestamp
create_time detection_timestamp
first_event_time first_event_timestamp
last_event_time last_event_timestamp
last_update_time backend_update_timestamp
last_update_time* user_update_timestamp
legacy_alert_id id
namespace k8s_namespace
notes_present alert_notes_present
policy_id device_policy_id
policy_name device_policy
port netconn_local_port
port netconn_remote_port
protocol netconn_protocol
remote_domain netconn_remote_domain
remote_ip netconn_remote_ip
remote_namespace remote_k8s_namespace
remote_replica_id remote_k8s_pod_name
remote_workload_kind remote_k8s_kind
remote_workload_name remote_k8s_workload_name
replica_id k8s_pod_name
target_value device_target_value
threat_cause_actor_certificate_authority process_issuer
threat_cause_actor_name process_name
threat_cause_actor_publisher pprocess_publisher
threat_cause_actor_sha256 process_sha256
threat_cause_cause_event_id primary_event_id
threat_cause_md5 process_md5
threat_cause_parent_guid parent_guid
threat_cause_reputation process_reputation
threat_indicators ttps
watchlists watchlists.id
watchlists watchlists.name
workflow_changed_by workflow.changed_by
workflow_remediation DEPRECATED
workflow_closure_reason should be used instead. Valid values are:
NO_REASON
RESOLVED
RESOLVED_BENIGN_KNOWN_GOOD
DUPLICATE_CLEANUP
OTHER
workflow_state workflow_status
state DISMISSED = status CLOSED
state OPEN = status OPEN
new status `IN_PROGRESS
workload_kind k8s_kind
workload_name k8s_workload_name

New Fields

  • attack_tactic
  • attack_technique
  • blocked_effective_reputation
  • blocked_md5
  • blocked_name
  • blocked_sha256
  • childproc_cmdline
  • childproc_effective_reputation
  • childproc_guid
  • childproc_md5
  • childproc_name
  • childproc_sha256
  • childproc_username
  • determination.change_timestamp
  • determination.changed_by
  • determination.changed_by_type
  • determination.value
  • is_updated
  • k8s_policy
  • k8s_policy_id
  • k8s_rule
  • k8s_rule_id
  • mdr_alert
  • mdr_alert_notes_present
  • mdr_classification.change_timestamp
  • mdr_classification.determination
  • mdr_workflow.change_timestamp
  • mdr_workflow.is_assigned
  • mdr_workflow.status
  • netconn_local_ip
  • netconn_local_ipv4
  • netconn_local_ipv6
  • netconn_remote_ipv4
  • netconn_remote_ipv6
  • org_feature_entitlement
  • parent_cmdline
  • parent_effective_reputation
  • parent_md5
  • parent_name
  • parent_pid
  • parent_reputation
  • parent_sha256
  • parent_username
  • process_cmdline
  • process_effective_reputation
  • process_guid
  • process_pid
  • process_username
  • report_description
  • report_link
  • report_tags
  • rule_category_id
  • rule_config_id
  • rule_config_name
  • rule_config_type
  • threat_name
  • tms_rule_id
  • workflow.change_timestamp
  • workflow.changed_by_type

Last modified on June 3, 2024