Data Forwarder Alert Schema v1 Migration
The Data Forwarder Alert Schema v1 will be deactivated on July 31, 2024.
Overview
Carbon Black Cloud’s latest-generation Alerts data is now available to ingest directly into your Carbon Black Cloud Data Forwarder-enabled integrations. Making the full power of Carbon Black Cloud’s updated Alert data available to system integrators, the Alerts Forwarder v2 provides a continuous stream of rich Carbon Black Cloud Alerts to be integrated into your SIEM, security lake, and other custom applications.
New Features
- The Alerts Forwarder v2 Schema has significant updates which mirror the Alerts v7 API Schema.
- A version field (currently “2.0.0”) has been added to all alerts forwarded from the Alerts Forwarder v2. This field matches the value in the Schema dropdown on the Add Forwarder and Edit Forwarder pages of the Carbon Black Cloud console.
Guides and Resources
- Data Forwarder Schema
- Alerts Forwarder v2 Schema
- Announcing the Alerts v7 API and “Observed Alerts” Become “Observations
Schema Changes
The following table contains the fields to be substituted when migrating to the Alerts Forwarder v2 Schema as well as the new supported fields. The fields or sub-fields not captured here remain the same for their respective API endpoints.
Substituted Fields
| Legacy Field | Alerts Forwarder v2 Field |
|---|---|
| alert_classification.classification | ml_classification_final_verdict |
| alert_classification.global_prevalence | ml_classification_global_prevalence |
| alert_classification.org_prevalence | ml_classification_org_prevalence |
| blocked_threat_category
not_blocked_threat_category threat_cause_threat_category |
threat_category |
| cluster_name | k8s_cluster |
| create_time | backend_timestamp |
| create_time | detection_timestamp |
| first_event_time | first_event_timestamp |
| last_event_time | last_event_timestamp |
| last_update_time | backend_update_timestamp |
| last_update_time* | user_update_timestamp |
| legacy_alert_id | id |
| namespace | k8s_namespace |
| notes_present | alert_notes_present |
| policy_id | device_policy_id |
| policy_name | device_policy |
| port | netconn_local_port |
| port | netconn_remote_port |
| protocol | netconn_protocol |
| remote_domain | netconn_remote_domain |
| remote_ip | netconn_remote_ip |
| remote_namespace | remote_k8s_namespace |
| remote_replica_id | remote_k8s_pod_name |
| remote_workload_kind | remote_k8s_kind |
| remote_workload_name | remote_k8s_workload_name |
| replica_id | k8s_pod_name |
| target_value | device_target_value |
| threat_cause_actor_certificate_authority | process_issuer |
| threat_cause_actor_name | process_name |
| threat_cause_actor_publisher | pprocess_publisher |
| threat_cause_actor_sha256 | process_sha256 |
| threat_cause_cause_event_id | primary_event_id |
| threat_cause_md5 | process_md5 |
| threat_cause_parent_guid | parent_guid |
| threat_cause_reputation | process_reputation |
| threat_indicators | ttps |
| watchlists | watchlists.id |
| watchlists | watchlists.name |
| workflow_changed_by | workflow.changed_by |
| workflow_remediation | DEPRECATED
workflow_closure_reason should be used instead. Valid values are:
NO_REASON
RESOLVED
RESOLVED_BENIGN_KNOWN_GOOD
DUPLICATE_CLEANUP
OTHER |
| workflow_state | workflow_status
state DISMISSED = status CLOSED
state OPEN = status OPEN
new status `IN_PROGRESS |
| workload_kind | k8s_kind |
| workload_name | k8s_workload_name |
New Fields
attack_tacticattack_techniqueblocked_effective_reputationblocked_md5blocked_nameblocked_sha256childproc_cmdlinechildproc_effective_reputationchildproc_guidchildproc_md5childproc_namechildproc_sha256childproc_usernamedetermination.change_timestampdetermination.changed_bydetermination.changed_by_typedetermination.valueis_updatedk8s_policyk8s_policy_idk8s_rulek8s_rule_idmdr_alertmdr_alert_notes_presentmdr_classification.change_timestampmdr_classification.determinationmdr_workflow.change_timestampmdr_workflow.is_assignedmdr_workflow.statusnetconn_local_ipnetconn_local_ipv4netconn_local_ipv6netconn_remote_ipv4netconn_remote_ipv6org_feature_entitlementparent_cmdlineparent_effective_reputationparent_md5parent_nameparent_pidparent_reputationparent_sha256parent_usernameprocess_cmdlineprocess_effective_reputationprocess_guidprocess_pidprocess_usernamereport_descriptionreport_linkreport_tagsrule_category_idrule_config_idrule_config_namerule_config_typethreat_nametms_rule_idworkflow.change_timestampworkflow.changed_by_type
Give Feedback
New survey coming soon!
Last modified on September 12, 2023