We have extended the capabilities of the Alerts API by improving the methods of retrieving alerts, and adding functionality to manage the workflow by updating the alert status. This will allow you to more efficiently call an API by providing a wider range of filterable fields, including creation time, category, type, status, tag and more, as well as the ability to dismiss alerts.
Alert search request. Multiple pathways support similar request body schemas, including those listed below.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.alerts |
READ |
Requests
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/_search
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/cbanalytics/_search
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/vmware/_search
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/watchlist/_search
Below is an example request body for a request to /v6/orgs/{org_key}/alerts/_search. Additional criteria properties are available for the CbAnalytics, VMWare, and Watchlist pathways, listed below.
Request Body
{
"criteria": {
"category": ["<string>", "<string>"],
"create_time": {
"end": "<dateTime>",
"range": "<string>",
"start": "<dateTime>"
},
"device_id": ["<long>", "<long>"],
"device_name": ["<string>", "<string>"],
"device_os": ["<string>", "<string>"],
"device_os_version": ["<string>", "<string>"],
"device_username": ["<string>", "<string>"],
"first_event_time": {
"end": "<dateTime>",
"range": "<string>",
"start": "<dateTime>"
},
"group_results": "<boolean>",
"id": ["<string>", "<string>"],
"last_event_time": {
"end": "<dateTime>",
"range": "<string>",
"start": "<dateTime>"
},
"legacy_alert_id": ["<string>", "<string>"],
"minimum_severity": "<integer>",
"policy_id": ["<long>", "<long>"],
"policy_name": ["<string>", "<string>"],
"process_name": ["<string>", "<string>"],
"process_sha256": ["<string>", "<string>"],
"reputation": ["<string>", "<string>"],
"tag": ["<string>", "<string>"],
"target_value": ["<string>", "<string>"],
"threat_id": ["<string>", "<string>"],
"type": ["<string>", "<string>"],
"last_update_time": {
"end": "<dateTime>",
"range": "<string>",
"start": "<dateTime>"
},
"workflow": ["<string>", "<string>"],
},
"query": "<string>",
"rows": "<long>",
"sort": [
{
"field": "<string>",
"order": "<string>"
},
{
"field": "<string>",
"order": "<string>"
}
],
"start": "<long>"
}Body Schema
| Field | Description | Default | Required |
|---|---|---|---|
criteria |
Map of criteria to filter results on. Allowed values: target_value, not_blocked_threat_category, device_os_version, policy_id, minimum_severity, legacy_alert_id, tag, id, run_state, threat_cause_vector,device_username, threat_id, device_id, device_os, kill_chain_status, group_results, process_sha256, policy_name, reputation, type, category, workflow, reason_code, device_name, process_name, blocked_threat_category, device_location, sensor_action, policy_applied, create_time, last_update_time, first_event_time, last_event_time |
N/A | No |
query |
query to perform search | N/A | No |
rows |
For pagination, how many results to return | 20 | No |
sort.field |
Field to sort the results by. Allowed values: first_event_time, last_event_time, severity, target_value |
N/A | No |
sort.order |
How to order the results. Allowed values: ASC, DESC |
N/A | No |
start |
For pagination, where to start retrieving results from | 0 | No |
Time Criteria
Alert APIs support filtering via the create_time, last_update_time, first_event_time, and last_event_time criteria fields.
These time criteria filters can use either the range field or the start and end fields.
range can be either all (to indicate all time), or a specific duration specified as -[quantity][unit], where unit is one of:
s for secondsm for minutesh for hoursd for daysw for weeksy for yearsstart and end are specified as ISO-8601 strings. start must be less than end.Additional Supported criteria Parameter Values
| Pathway | Additional Allowed Values |
|---|---|
/v6/orgs/{org_key}/alerts/cbanalytics/_search |
blocked_threat_category, policy_applied, sensor_action, device_location, reason_code, kill_chain_status, not_blocked_threat_category, run_state, threat_cause_vector |
v6/orgs/{org_key}/alerts/vmware/_search |
group_id |
/v6/orgs/{org_key}/alerts/watchlist/_search |
report_id, watchlist_name, report_name, watchlist_id |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense-dev01.cbdtest.io/appservices/v6/orgs/ASDF1234/alerts/_search
Request Body
{
"criteria": {
"device_id": [388948],
"device_os": ["MAC"],
"device_os_version": ["10.14.6"],
"device_username": ["support@carbonblack.com"],
"group_results": true,
"id": ["038894832709076d63111e99466f73575fcf3ca"],
"minimum_severity": 3,
"policy_name": ["default"],
"process_name": ["IPv6-Off"]
},
"rows": 1,
"start": 0
}Response
{
"results": [
{
"id": "038894832709076d63111e99466f73575fcf3ca",
"legacy_alert_id": "1DDU8H9N",
"org_key": "ASDF1234",
"create_time": "2019-09-13T14:17:21.668Z",
"last_update_time": "2019-09-13T14:17:21.668Z",
"first_event_time": "2019-09-13T14:16:55.878Z",
"last_event_time": "2019-09-13T14:16:55.878Z",
"threat_id": "b7ce4f79e8903c09d2cd6b615c965c9f",
"severity": 3,
"category": "MONITORED",
"device_id": 123,
"device_os": "MAC",
"device_os_version": "<OS Version>",
"device_name": "<System-Name>",
"device_username": "support@carbonblack.com",
"policy_id": 1,
"policy_name": "default",
"target_value": "MISSION_CRITICAL"
}
]
}Get a single alert using an ID.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.alerts |
READ |
Request
GET <psc-hostname>/appservices/v6/org/{org_key}/alerts/{id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense.conferdeploy.net/appservices/v6/orgs/ASDF1234/alerts/225219783948647d55b11e9962bf3b07592c207
Response
{
"type": "CB_ANALYTICS",
"id": "225219783948647d55b11e9962bf3b07592c207",
"legacy_alert_id": "L1QDMJUO",
"org_key": "ASDF1234",
"create_time": "2019-09-12T12:47:45.595Z",
"last_update_time": "2019-09-12T12:47:45.595Z",
"first_event_time": "2019-09-12T12:47:36.703Z",
"last_event_time": "2019-09-12T12:47:36.703Z",
"threat_id": "e7ba0f751456211fea35b9d955dc5098",
"severity": 7,
"category": "THREAT",
"device_id": "<device-id>",
"device_os": "<device-os>",
"device_os_version": "<device-os>",
"device_name": "<device-name>",
"device_username": "<device-username>",
"policy_id": 1,
"policy_name": "default",
"target_value": "MISSION_CRITICAL"
}Alert facets search request. Multiple pathways support similar request body schemas, including those listed below.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.alerts |
READ |
Requests
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/_facet
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/cbanalytics/_facet
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/vmware/_facet
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/watchlist/_facet
Below is an example request body for a request to /v6/orgs/{org_key}/alerts/_facet. Additional criteria properties are available for the CbAnalytics, VMWare, and Watchlist pathways, listed below.
Request Body
{
"criteria": {
"category": ["<string>", "<string>"],
"create_time": {
"end": "<dateTime>",
"range": "<string>",
"start": "<dateTime>"
},
"device_id": ["<long>", "<long>"],
"device_name": ["<string>", "<string>"],
"device_os": ["<string>", "<string>"],
"device_os_version": ["<string>", "<string>"],
"device_username": ["<string>", "<string>"],
"first_event_time": {
"end": "<dateTime>",
"range": "<string>",
"start": "<dateTime>"
},
"group_results": "<boolean>",
"id": ["<string>", "<string>"],
"last_event_time": {
"end": "<dateTime>",
"range": "<string>",
"start": "<dateTime>"
},
"legacy_alert_id": ["<string>", "<string>"],
"minimum_severity": "<integer>",
"policy_id": ["<long>", "<long>"],
"policy_name": ["<string>", "<string>"],
"process_name": ["<string>", "<string>"],
"process_sha256": ["<string>", "<string>"],
"reputation": ["<string>", "<string>"],
"tag": ["<string>", "<string>"],
"target_value": ["<string>", "<string>"],
"threat_id": ["<string>", "<string>"],
"type": ["<string>", "<string>"],
"last_update_time": {
"end": "<dateTime>",
"range": "<string>",
"start": "<dateTime>"
},
"workflow": ["<string>", "<string>"],
},
"query": "<string>",
"terms": {
"fields": ["<string>", "<string>"],
"rows": "<integer>"
}
}Body Schema
| Field | Description | Default | Required |
|---|---|---|---|
criteria |
Map of criteria to filter results on. Allowed values: threat_id, target_value, device_id, device_os_versions, policy_id, device_os, minimum_severity,create_time, last_update_time, first_event_time, last_event_time, legacy_alert_id,group_results,process_sha256,policy_name,reputation,type,id,category,device_username, device_name,tag,workflow,process_name |
N/A | No |
query |
query to perform facet search | N/A | No |
terms.fields |
Alert facet type. Allowed values: policy_applied_state, device_id, policy_id, policy_applied, status, device_name, policy_name, reputation, tag, sensor_action, run_state, category, workflow, application_name, application_hash, alert_type |
N/A | Yes |
terms.rows |
For pagination, how many results to return | 20 | No |
Time Criteria
Alert APIs support filtering via the create_time, last_update_time, first_event_time, and last_event_time criteria fields.
These time criteria filters can use either the range field or the start and end fields.
range can be either all (to indicate all time), or a specific duration specified as -[quantity][unit], where unit is one of:
s for secondsm for minutesh for hoursd for daysw for weeksy for yearsstart and end are specified as ISO-8601 strings. start must be less than end.Additional Supported criteria Parameter Values
| Pathway | Additional Allowed Values |
|---|---|
/v6/orgs/{org_key}/alerts/cbanalytics/_facet |
blocked_threat_category, policy_applied, sensor_action, device_location, reason_code, kill_chain_status, not_blocked_threat_category, run_state, threat_cause_vector |
v6/orgs/{org_key}/alerts/vmware/_facet |
group_id |
/v6/orgs/{org_key}/alerts/watchlist/_facet |
report_id, watchlist_name, report_name, watchlist_id |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense.conferdeploy.net/appservices/v6/orgs/ASDF1234/alerts/_facet
Request Body
{
"criteria": {
"category": ["THREAT", "INFO"],
},
"terms": {
"fields": ["ALERT_TYPE"],
"rows": 50
}
}Response
{
"results": [
{
"field": "alert_type",
"values": [
{
"total": 587,
"id": "CB_ANALYTICS",
"name": "CB_ANALYTICS"
},
{
"total": 0,
"id": "VMWARE",
"name": "VMWARE"
},
{
"total": 0,
"id": "WATCHLIST",
"name": "WATCHLIST"
}
]
}
]
}Get the current status of a workflow update request.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.alerts.dismiss |
EXECUTE |
Request
GET <psc-hostname>/appservices/v6/orgs/{org_key}/workflow/status/{requestId}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense.conferdeploy.net/appservices/v6/orgs/ASDF1234/workflow/status/{requestId}
Response
{
"errors": ["string"],
"failed_ids": ["string"],
"id": "string",
"num_hits": 0,
"num_success": 0,
"status": "QUEUED",
"workflow": {
"changed_by": "string",
"comment": "string",
"last_update_time": "2019-09-17T00:39:23.823Z",
"remediation": "string",
"state": "OPEN"
}
}Update the workflow of a single event.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.alerts.dismiss |
EXECUTE |
Request
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/{id}/workflow
Request Body
{
"state": "<string>",
"comment": "<string>",
"remediation_state": "<string>"
}Body Schema
| Field | Description | Default | Required |
|---|---|---|---|
state |
Workflow state to filter on. Allowed values: dismissed, open |
N/A | No |
comment |
Comment to include with operation | N/A | No |
remediation state |
Description or justification for the change. Accepts any string. | N/A | No |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense.conferdeploy.net/appservices/v6/orgs/ASDF1234/alerts/{id}/workflow
Request Body
{
"criteria": {
"category": ["THREAT", "INFO"]
},
"terms": {
"fields": ["ALERT_TYPE"],
"rows": 50
}
}Response
{
"results": [
{
"field": "alert_type",
"values": [
{
"total": 868,
"id": "CB_ANALYTICS",
"name": "CB_ANALYTICS"
},
{
"total": 0,
"id": "VMWARE",
"name": "VMWARE"
},
{
"total": 0,
"id": "WATCHLIST",
"name": "WATCHLIST"
}
]
}
]
}Bulk update alerts’ workflow by search definition. Multiple pathways support similar request body schemas, including those listed below.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.alerts.dismiss |
EXECUTE |
Requests
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/workflow/_criteria
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/cbanalytics/workflow/_criteria
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/vmware/workflow/_criteria
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/watchlist/workflow/_criteria
Below is an example request body for a request to v6/orgs/{org_key}/alerts/workflow/_criteria. Additional criteria properties are available for the CbAnalytics, VMWare, and Watchlist pathways, listed below.
Request Body
{
"state": "<string>",
"comment": "<string>",
"criteria": {
"category": ["<string>", "<string>"],
"create_time": {
"end": "<dateTime>",
"range": "<string>",
"start": "<dateTime>"
},
"device_id": ["<long>", "<long>"],
"device_name": ["<string>", "<string>"],
"device_os": ["<string>", "<string>"],
"device_os_version": ["<string>", "<string>"],
"device_username": ["<string>", "<string>"],
"group_results": "<boolean>",
"id": ["<string>", "<string>"],
"legacy_alert_id": ["<string>", "<string>"],
"minimum_severity": "<integer>",
"policy_id": ["<long>", "<long>"],
"policy_name": ["<string>", "<string>"],
"process_name": ["<string>", "<string>"],
"process_sha256": ["<string>", "<string>"],
"report_id": ["<string>", "<string>"],
"report_name": ["<string>", "<string>"],
"reputation": ["<string>", "<string>"],
"tag": ["<string>", "<string>"],
"target_value": ["<string>", "<string>"],
"threat_id": ["<string>", "<string>"],
"type": ["<string>", "<string>"],
"watchlist_id": ["<string>", "<string>"],
"watchlist_name": ["<string>", "<string>"],
"workflow": ["<string>", "<string>"],
},
"query": "<string>",
"remediation_state": "<string>"
}Body Schema
| Field | Description | Default | Required |
|---|---|---|---|
criteria |
Map of criteria to filter results on. Allowed values: threat_id, target_value, device_id, device_os_versions, policy_id, device_os, minimum_severity, legacy_alert_id,group_results,process_sha256,policy_name,reputation,type,id,category,device_username, device_name,tag,workflow,process_name, create_time, last_update_time, first_event_time, last_event_time |
N/A | No |
query |
query to perform | N/A | No |
state |
Workflow state to filter on. Allowed values: dismissed, open |
N/A | No |
comment |
Comment to include with operation | N/A | No |
remediation state |
Description or justification for the change. Accepts any string. | N/A | No |
Additional Supported criteria Parameter Values
| Pathway | Additional Allowed Values |
|---|---|
/v6/orgs/{org_key}/alerts/cbanalytics/workflow/_criteria |
blocked_threat_category, policy_applied, sensor_action, device_location, reason_code, kill_chain_status, not_blocked_threat_category, run_state, threat_cause_vector |
v6/orgs/{org_key}/alerts/vmware/workflow/_criteria |
group_id |
/v6/orgs/{org_key}/alerts/watchlist/workflow/_criteria |
report_id, watchlist_name, report_name, watchlist_id |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense.conferdeploy.net/appservices/v6/orgs/ASDF1234/alerts/watchlist/workflow/_criteria
Request Body
{
"comment": "string",
"criteria": {
"category": ["THREAT"],
"create_time": {
"end": "2019-09-17T00:03:47.277Z",
"start": "2019-09-17T00:03:47.277Z"
},
"device_id": [324552, 12344, 997745],
"device_name": ["hostmachine", "device.local", "DOMAIN\\DEVICE"],
"device_os": ["WINDOWS"],
"device_os_version": ["string"],
"device_username": ["string"],
"group_results": true,
"id": ["string"],
"legacy_alert_id": ["CTAS5XKG", "TJFY5ZBW"],
"minimum_severity": 5,
"policy_id": [1, 525, 644],
"policy_name": ["Default", "Advanced", "Monitored"],
"process_name": ["explorer.exe", "chrome.app", "setup.py"],
"process_sha256": ["131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267"],
"report_id": ["string"],
"report_name": ["string"],
"reputation": ["KNOWN_MALWARE"],
"tag": ["string"],
"target_value": ["LOW"],
"threat_id": ["03ea43268c536a0bde8b765bca1696e9", "41edc35062138af3f1fea4b3bf7046a5"],
"type": ["CB_ANALYTICS"],
"watchlist_id": ["string"],
"watchlist_name": ["string"],
"workflow": ["OPEN"],
},
"query": "string",
"remediation_state": "string",
"state": "OPEN"
}Response
{
"request_id": "14617a6cd8df11e9974f1d8882e43ec1"
}Get suggestions on keys and field values.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.alerts |
READ |
Parameters
| Name | Description | Default | Required |
|---|---|---|---|
suggest.q |
The query string for which you want completion suggestions. Leave this value blank, suggest.q=, to return all key suggestions. |
N/A | Yes |
Request
GET <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/search_suggestions
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense.conferdeploy.net/appservices/v6/orgs/ASDF1234/alerts/search_suggestions?suggest.q=
Response
{
"suggestions": [
{
"term": "threat_category",
"weight": 525
},
{
"term": "watchlist_name",
"weight": 512
},
{
"term": "ttp",
"weight": 486
},
{
"term": "run_state",
"weight": 481
},
{
"term": "device_name",
"weight": 477
},
{
"term": "alert_id",
"weight": 472
},
{
"term": "event_id",
"weight": 472
},
{
"term": "threat_vector",
"weight": 468
},
{
"term": "device_username",
"weight": 461
},
{
"term": "report_id",
"weight": 458
},
{
"term": "process_guid",
"weight": 431
},
{
"term": "process_name",
"weight": 431
},
{
"term": "sensor_action",
"weight": 424
},
{
"term": "alert_severity",
"weight": 419
},
{
"term": "device_id",
"weight": 412
},
{
"term": "device_os",
"weight": 412
},
{
"term": "device_policy",
"weight": 401
},
{
"term": "process_pid",
"weight": 311
},
{
"term": "process_hash",
"weight": 306
},
{
"term": "process_reputation",
"weight": 287
}
]
}| Field | Definition | Data Type | Values |
|---|---|---|---|
category |
The category of the alert | String | THREAT, MONITORED, INFO, MINOR, SERIOUS, CRITICAL |
create_time |
The time the alert was created | String | ISO 8601 timestamp |
device_id |
The identifier assigned by Carbon Black Cloud to the device associated with the alert. | Integer | N/A |
device_name |
The hostname of the device associated with the alert. | String | N/A |
device_os |
The operating system of the device associated with the alert | String | WINDOWS, MAC, LINUX, OTHER |
device_os_version |
The operating system and version on the device | String | N/A |
device_username |
The username of the logged on user during the alert. If the user is not available then it may be populated with the device owner | String | N/A |
first_event_time |
The time of the first event associated with the alert | String | ISO 8601 timestamp |
group_details |
Details about a group of alerts when “Group Alerts” is enabled in the search request | Object | |
id |
The identifier for the alert | String | N/A |
last_event_time |
The time of the latest event associated with the alert | String | ISO 8601 timestamp |
last_update_time |
The last time the alert was updated | String | ISO 8601 timestamp |
legacy_alert_id |
Unique short id for the alerts to support easier consumption in the UI console. Use the id for API requests |
String | N/A |
notes_present |
Indicates if notes are associated with the threat_id | Boolean | N/A |
org_key |
The unique identifier for the organization associated with the alert | String | N/A |
policy_id |
The identifier for the policy associated with the device at the time of the alert | String | N/A |
policy_name |
The name of the policy associated with the device at the time of the alert | String | N/A |
severity |
The threat ranking of the alert | Integer | 1-10 |
tags |
Tags associated with the alert | Array | |
target_value |
The priority of the device assigned by the policy | String | LOW, MEDIUM, HIGH, MISSION_CRITICAL |
threat_id |
The identifier of a threat which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. | String | N/A |
type |
Type of alert | String | CB_ANALYTICS, VMWARE, WATCHLIST |
workflow |
Tracking system for alerts as they are triaged and resolved | Object | remediation supports ACTION_TAKEN, NO_ACTION_NEEDED, FALSE_POSITIVE_KNOWN_GOOD_SOFTWARE, FALSE_POSITIVE_KNOWN_GOOD_BEHAVIOR or a custom string
state supports OPEN or DISMISSED |
CB Analytic alerts are created from the Endpoint Standard NGAV offering
Note: This alert will also include all of the fields from Base Alert
| Field | Definition | Data Type | Values |
|---|---|---|---|
blocked_threat_category |
The category of threat which we were able to take action on | String | UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM |
created_by_event_id |
Event identifier that initiated the alert | String | N/A |
device_location |
Whether the device was on or off premise when the alert started | String | ONSITE, OFFSITE, UNKNOWN |
kill_chain_status |
The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert | Array | RECONNAISSANCE, WEAPONIZE, DELIVER_EXPLOIT, INSTALL_RUN, COMMAND_AND_CONTROL, EXECUTE_GOAL, BREACH |
not_blocked_threat_category |
Other potentially malicious activity involved in the threat that we weren’t able to take action on (either due to policy config, or not having a relevant rule) | String | UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM |
policy_applied |
Whether a policy was applied | String | APPLIED, NOT_APPLIED |
process_name |
The process that triggered the alert | String | N/A |
reason |
Description of the alert | String | N/A |
reason_code |
String | N/A | |
run_state |
Whether the threat in the alert ran | String | DID_NOT_RUN, RAN, UNKNOWN |
sensor_action |
The action taken by the sensor, according to the rule of the policy | String | POLICY_NOT_APPLIED, ALLOW, ALLOW_AND_LOG, TERMINATE, DENY |
threat_activity_c2 |
Whether the alert involved a command and control (c2) server | String | NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED |
threat_activity_dlp |
Whether the alert involved data loss prevention (DLP) | String | NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED |
threat_activity_phish |
Whether the alert involved phishing | String | NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED |
threat_cause_actor_name |
Process name or IP address of the threat actor | String | N/A |
threat_cause_actor_process_pid |
Process identifier (PID) of the actor process | String | N/A |
threat_cause_actor_sha256 |
SHA256 of the threat cause actor | String | N/A |
threat_cause_event_id |
ID of the Event that triggered the threat | String | N/A |
threat_cause_reputation |
Reputation of the threat cause | String | KNOWN_MALWARE, SUSPECT_MALWARE, PUP, NOT_LISTED, ADAPTIVE_WHITE_LIST, COMMON_WHITE_LIST, TRUSTED_WHITE_LIST, COMPANY_BLACK_LIST |
threat_cause_category |
Category of the threat cause | String | UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM |
threat_cause_vector |
The source of the threat cause | String | EMAIL, WEB, GENERIC_SERVER, GENERIC_CLIENT, REMOTE_DRIVE, REMOVABLE_MEDIA, UNKNOWN, APP_STORE, THIRD_PARTY |
threat_indicators |
List of the threat indicators that make up the threat | Array | |
Watchlist alerts are created from alert enabled watchlists in Enterprise EDR
Note: This alert will also include all of the fields from Base Alert
| Field | Definition | Data Type | Values |
|---|---|---|---|
ioc_field |
The field the indicator of comprise (IOC) hit contains | String | N/A |
ioc_hit |
IOC field value or IOC query that matches | String | N/A |
ioc_id |
The identifier of the IOC that cause the hit | String | N/A |
process_guid |
The global unique identifier of the process that triggered the hit | String | N/A |
process_name |
The name of the process that triggered the hit | String | N/A |
reason |
Description of the alert | String | N/A |
report_id |
The identifier of the report that contains the IOC | String | N/A |
report_name |
The name of the report that contains the IOC | String | N/A |
run_state |
Run state is always RAN for watchlist alerts | String | RAN |
threat_cause_actor_md5 |
MD5 of the threat cause actor | String | N/A |
threat_cause_actor_name |
Process name or IP address of the threat actor | String | N/A |
threat_cause_actor_sha256 |
SHA256 of the threat cause actor | String | N/A |
threat_cause_reputation |
Reputation of the threat cause | String | KNOWN_MALWARE, SUSPECT_MALWARE, PUP, NOT_LISTED, ADAPTIVE_WHITE_LIST, COMMON_WHITE_LIST, TRUSTED_WHITE_LIST, COMPANY_BLACK_LIST |
threat_cause_category |
Category of the threat cause | String | UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM |
threat_cause_vector |
The source of the threat cause | String | EMAIL, WEB, GENERIC_SERVER, GENERIC_CLIENT, REMOTE_DRIVE, REMOVABLE_MEDIA, UNKNOWN, APP_STORE, THIRD_PARTY |
threat_indicators |
List of the threat indicators that make up the threat | Array | |
watchlists |
List of watchlists associated with an alert | Array | |