Data Forwarder Alert Schema v1 Migration

The Data Forwarder Alert Schema v1 will be deactivated on July 31, 2024.


Carbon Black Cloud’s latest-generation Alerts data is now available to ingest directly into your Carbon Black Cloud Data Forwarder-enabled integrations. Making the full power of Carbon Black Cloud’s updated Alert data available to system integrators, the Alerts Forwarder v2 provides a continuous stream of rich Carbon Black Cloud Alerts to be integrated into your SIEM, security lake, and other custom applications.

New Features

  • The Alerts Forwarder v2 Schema has significant updates which mirror the Alerts v7 API Schema.
  • A version field (currently “2.0.0”) has been added to all alerts forwarded from the Alerts Forwarder v2. This field matches the value in the Schema dropdown on the Add Forwarder and Edit Forwarder pages of the Carbon Black Cloud console.

Guides and Resources

Schema Changes

The following table contains the fields to be substituted when migrating to the Alerts Forwarder v2 Schema as well as the new supported fields. The fields or sub-fields not captured here remain the same for their respective API endpoints.

Substituted Fields

Legacy Field Alerts Forwarder v2 Field
alert_classification.classification ml_classification_final_verdict
alert_classification.global_prevalence ml_classification_global_prevalence
alert_classification.org_prevalence ml_classification_org_prevalence
cluster_name k8s_cluster
create_time backend_timestamp
create_time detection_timestamp
first_event_time first_event_timestamp
last_event_time last_event_timestamp
last_update_time backend_update_timestamp
last_update_time* user_update_timestamp
legacy_alert_id id
namespace k8s_namespace
notes_present alert_notes_present
policy_id device_policy_id
policy_name device_policy
port netconn_local_port
port netconn_remote_port
protocol netconn_protocol
remote_domain netconn_remote_domain
remote_ip netconn_remote_ip
remote_namespace remote_k8s_namespace
remote_replica_id remote_k8s_pod_name
remote_workload_kind remote_k8s_kind
remote_workload_name remote_k8s_workload_name
replica_id k8s_pod_name
target_value device_target_value
threat_cause_actor_certificate_authority process_issuer
threat_cause_actor_name process_name
threat_cause_actor_publisher pprocess_publisher
threat_cause_actor_sha256 process_sha256
threat_cause_cause_event_id primary_event_id
threat_cause_md5 process_md5
threat_cause_parent_guid parent_guid
threat_cause_reputation process_reputation
threat_indicators ttps
workflow_changed_by workflow.changed_by
workflow_remediation DEPRECATED
workflow_closure_reason should be used instead. Valid values are:
workflow_state workflow_status
state DISMISSED = status CLOSED
state OPEN = status OPEN
new status `IN_PROGRESS
workload_kind k8s_kind
workload_name k8s_workload_name

New Fields

  • attack_tactic
  • attack_technique
  • blocked_effective_reputation
  • blocked_md5
  • blocked_name
  • blocked_sha256
  • childproc_cmdline
  • childproc_effective_reputation
  • childproc_guid
  • childproc_md5
  • childproc_name
  • childproc_sha256
  • childproc_username
  • determination.change_timestamp
  • determination.changed_by
  • determination.changed_by_type
  • determination.value
  • is_updated
  • k8s_policy
  • k8s_policy_id
  • k8s_rule
  • k8s_rule_id
  • mdr_alert
  • mdr_alert_notes_present
  • mdr_classification.change_timestamp
  • mdr_classification.determination
  • mdr_workflow.change_timestamp
  • mdr_workflow.is_assigned
  • mdr_workflow.status
  • netconn_local_ip
  • netconn_local_ipv4
  • netconn_local_ipv6
  • netconn_remote_ipv4
  • netconn_remote_ipv6
  • org_feature_entitlement
  • parent_cmdline
  • parent_effective_reputation
  • parent_md5
  • parent_name
  • parent_pid
  • parent_reputation
  • parent_sha256
  • parent_username
  • process_cmdline
  • process_effective_reputation
  • process_guid
  • process_pid
  • process_username
  • report_description
  • report_link
  • report_tags
  • rule_category_id
  • rule_config_id
  • rule_config_name
  • rule_config_type
  • threat_name
  • tms_rule_id
  • workflow.change_timestamp
  • workflow.changed_by_type

Give Feedback

New survey coming soon!

Last modified on September 12, 2023