Alerts API

Introduction

We have extended the capabilities of the Alerts API by improving the methods for retrieving alerts and by adding functionality to manage the triage workflow through alert status updates. This lets you call the API more efficiently, with a wider range of filterable fields (creation time, category, type, status, tag and more) and the ability to dismiss alerts.

Search Request

Alert search request. Multiple pathways support similar request body schemas, including those listed below.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.alerts READ

Requests

POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/_search
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/cbanalytics/_search
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/vmware/_search
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/watchlist/_search

Below is an example request body for a request to /v6/orgs/{org_key}/alerts/_search. Additional criteria properties are available for the CbAnalytics, VMWare, and Watchlist pathways, listed below.

Request Body

{
    "criteria": {
        "category": ["<string>", "<string>"],
        "create_time": {
            "end": "<dateTime>",
            "range": "<string>",
            "start": "<dateTime>"
        },
        "device_id": ["<long>", "<long>"],
        "device_name": ["<string>", "<string>"],
        "device_os": ["<string>", "<string>"],
        "device_os_version": ["<string>", "<string>"],
        "device_username": ["<string>", "<string>"],
        "first_event_time": {
            "end": "<dateTime>",
            "range": "<string>",
            "start": "<dateTime>"
        },
        "group_results": "<boolean>",
        "id": ["<string>", "<string>"],
        "last_event_time": {
            "end": "<dateTime>",
            "range": "<string>",
            "start": "<dateTime>"
        },
        "legacy_alert_id": ["<string>", "<string>"],
        "minimum_severity": "<integer>",
        "policy_id": ["<long>", "<long>"],
        "policy_name": ["<string>", "<string>"],
        "process_name": ["<string>", "<string>"],
        "process_sha256": ["<string>", "<string>"],
        "reputation": ["<string>", "<string>"],
        "tag": ["<string>", "<string>"],
        "target_value": ["<string>", "<string>"],
        "threat_id": ["<string>", "<string>"],
        "type": ["<string>", "<string>"],
        "last_update_time": {
            "end": "<dateTime>",
            "range": "<string>",
            "start": "<dateTime>"
        },
        "workflow": ["<string>", "<string>"]
    },
    "query": "<string>",
    "rows": "<long>",
    "sort": [
        {
            "field": "<string>",
            "order": "<string>"
        },
        {
            "field": "<string>",
            "order": "<string>"
        }
    ],
    "start": "<long>"
}

Body Schema

Field Description Default Required
criteria Map of criteria to filter results on. Allowed values: target_value, not_blocked_threat_category, device_os_version, policy_id, minimum_severity, legacy_alert_id, tag, id, run_state, threat_cause_vector, device_username, threat_id, device_id, device_os, kill_chain_status, group_results, process_sha256, policy_name, reputation, type, category, workflow, reason_code, device_name, process_name, blocked_threat_category, device_location, sensor_action, policy_applied, create_time, last_update_time, first_event_time, last_event_time N/A No
query query to perform search N/A No
rows For pagination, how many results to return 20 No
sort.field Field to sort the results by. Allowed values: first_event_time, last_event_time, severity, target_value N/A No
sort.order How to order the results. Allowed values: ASC, DESC N/A No
start For pagination, where to start retrieving results from 0 No

Time Criteria

Alert APIs support filtering via the create_time, last_update_time, first_event_time, and last_event_time criteria fields. These time criteria filters can use either the range field or the start and end fields.

  • range can be either all (to indicate all time), or a specific duration specified as -[quantity][unit], where unit is one of:
    • s for seconds
    • m for minutes
    • h for hours
    • d for days
    • w for weeks
    • y for years
  • start and end are specified as ISO-8601 strings. start must be less than end.

Additional Supported criteria Parameter Values

Pathway Additional Allowed Values
/v6/orgs/{org_key}/alerts/cbanalytics/_search blocked_threat_category, policy_applied, sensor_action, device_location, reason_code, kill_chain_status, not_blocked_threat_category, run_state, threat_cause_vector
/v6/orgs/{org_key}/alerts/vmware/_search group_id
/v6/orgs/{org_key}/alerts/watchlist/_search report_id, watchlist_name, report_name, watchlist_id

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
401 Unauthorized N/A N/A
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

POST https://defense-dev01.cbdtest.io/appservices/v6/orgs/ASDF1234/alerts/_search

Request Body

{
    "criteria": {
        "device_id": [388948],
        "device_os": ["MAC"],
        "device_os_version": ["10.14.6"],
        "device_username": ["support@carbonblack.com"],
        "group_results": true,
        "id": ["038894832709076d63111e99466f73575fcf3ca"],
        "minimum_severity": 3,
        "policy_name": ["default"],
        "process_name": ["IPv6-Off"]
    },
    "rows": 1,
    "start": 0
}

Response

{
    "results": [
        {
            "id": "038894832709076d63111e99466f73575fcf3ca",
            "legacy_alert_id": "1DDU8H9N",
            "org_key": "ASDF1234",
            "create_time": "2019-09-13T14:17:21.668Z",
            "last_update_time": "2019-09-13T14:17:21.668Z",
            "first_event_time": "2019-09-13T14:16:55.878Z",
            "last_event_time": "2019-09-13T14:16:55.878Z",
            "threat_id": "b7ce4f79e8903c09d2cd6b615c965c9f",
            "severity": 3,
            "category": "MONITORED",
            "device_id": 123,
            "device_os": "MAC",
            "device_os_version": "<OS Version>",
            "device_name": "<System-Name>",
            "device_username": "support@carbonblack.com",
            "policy_id": 1,
            "policy_name": "default",
            "target_value": "MISSION_CRITICAL"
        }
    ]
}
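As an added illustration (not code from the Carbon Black Cloud documentation), the following Python builds a search body that obeys the time-criteria rules above and pages through results by advancing start in steps of rows. The send callable and the in-memory responder are assumptions standing in for an authenticated HTTP client and the real endpoint.

```python
import re
from datetime import datetime

# -[quantity][unit] as documented; "all" is handled separately.
RANGE_RE = re.compile(r"^-(\d+)([smhdwy])$")


def time_criterion(range_=None, start=None, end=None):
    """Build a create_time / last_update_time / first_event_time /
    last_event_time filter, enforcing the documented rules: either `range`
    ("all" or -[quantity][unit]) or both `start` and `end` (ISO-8601,
    start < end), never a mix of the two."""
    if range_ is not None:
        if start is not None or end is not None:
            raise ValueError("use either range or start/end, not both")
        if range_ != "all" and not RANGE_RE.match(range_):
            raise ValueError(f"bad range {range_!r}: expected 'all' or -[quantity][unit]")
        return {"range": range_}
    if start is None or end is None:
        raise ValueError("start and end are both required when range is omitted")
    # datetime.fromisoformat does not accept a trailing Z before Python 3.11.
    s = datetime.fromisoformat(start.replace("Z", "+00:00"))
    e = datetime.fromisoformat(end.replace("Z", "+00:00"))
    if s >= e:
        raise ValueError("start must be less than end")
    return {"start": start, "end": end}


def valid_time_criterion(**kwargs):
    """True when time_criterion accepts the arguments (convenient for checks)."""
    try:
        time_criterion(**kwargs)
        return True
    except ValueError:
        return False


def search_body(criteria, rows=20, start=0, sort_field="last_event_time",
                order="DESC", query=None):
    """Request body for POST /appservices/v6/orgs/{org_key}/alerts/_search."""
    body = {"criteria": criteria, "rows": rows, "start": start,
            "sort": [{"field": sort_field, "order": order}]}
    if query:
        body["query"] = query
    return body


def iter_alerts(send, org_key, criteria, page_size=20):
    """Yield every alert matching `criteria`, advancing `start` by `rows`
    until a page comes back short. `send(path, body)` is the assumed
    transport: an authenticated POST that returns the decoded JSON."""
    path = f"/appservices/v6/orgs/{org_key}/alerts/_search"
    start = 0
    while True:
        page = send(path, search_body(criteria, rows=page_size, start=start))
        results = page.get("results", [])
        yield from results
        if len(results) < page_size:
            return
        start += page_size


# Constructed sample data standing in for the service: 45 alerts whose
# severities cycle 1..10, so a minimum_severity of 5 matches 25 of them.
_FAKE_ALERTS = [{"id": f"alert{i:03d}", "severity": 1 + i % 10, "type": "CB_ANALYTICS"}
                for i in range(45)]


def fake_send(path, body):
    """Offline stand-in for the endpoint: honours minimum_severity, rows and start."""
    assert path.endswith("/alerts/_search")
    floor = body["criteria"].get("minimum_severity", 1)
    hits = [a for a in _FAKE_ALERTS if a["severity"] >= floor]
    s, n = body["start"], body["rows"]
    return {"results": hits[s:s + n]}


def demo():
    """Open alerts created in the last 7 days with severity >= 5, across all pages."""
    criteria = {"create_time": time_criterion(range_="-7d"),
                "minimum_severity": 5, "workflow": ["OPEN"]}
    return [a["id"] for a in iter_alerts(fake_send, "ASDF1234", criteria)]
```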

Get Single Alert by ID

Get a single alert using an ID.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.alerts READ

Request

GET <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/{id}

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
401 Unauthorized N/A N/A
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

GET https://defense.conferdeploy.net/appservices/v6/orgs/ASDF1234/alerts/225219783948647d55b11e9962bf3b07592c207

Response

{
 "type": "CB_ANALYTICS",
 "id": "225219783948647d55b11e9962bf3b07592c207",
 "legacy_alert_id": "L1QDMJUO",
 "org_key": "ASDF1234",
 "create_time": "2019-09-12T12:47:45.595Z",
 "last_update_time": "2019-09-12T12:47:45.595Z",
 "first_event_time": "2019-09-12T12:47:36.703Z",
 "last_event_time": "2019-09-12T12:47:36.703Z",
 "threat_id": "e7ba0f751456211fea35b9d955dc5098",
 "severity": 7,
 "category": "THREAT",
 "device_id": "<device-id>",
 "device_os": "<device-os>",
 "device_os_version": "<device-os>",
 "device_name": "<device-name>",
 "device_username": "<device-username>",
 "policy_id": 1,
 "policy_name": "default",
 "target_value": "MISSION_CRITICAL"
}

Facet Request

Alert facets search request. Multiple pathways support similar request body schemas, including those listed below.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.alerts READ

Requests

POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/_facet
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/cbanalytics/_facet
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/vmware/_facet
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/watchlist/_facet

Below is an example request body for a request to /v6/orgs/{org_key}/alerts/_facet. Additional criteria properties are available for the CbAnalytics, VMWare, and Watchlist pathways, listed below.

Request Body

{
    "criteria": {
        "category": ["<string>", "<string>"],
        "create_time": {
            "end": "<dateTime>",
            "range": "<string>",
            "start": "<dateTime>"
        },
        "device_id": ["<long>", "<long>"],
        "device_name": ["<string>", "<string>"],
        "device_os": ["<string>", "<string>"],
        "device_os_version": ["<string>", "<string>"],
        "device_username": ["<string>", "<string>"],
        "first_event_time": {
            "end": "<dateTime>",
            "range": "<string>",
            "start": "<dateTime>"
        },
        "group_results": "<boolean>",
        "id": ["<string>", "<string>"],
        "last_event_time": {
            "end": "<dateTime>",
            "range": "<string>",
            "start": "<dateTime>"
        },
        "legacy_alert_id": ["<string>", "<string>"],
        "minimum_severity": "<integer>",
        "policy_id": ["<long>", "<long>"],
        "policy_name": ["<string>", "<string>"],
        "process_name": ["<string>", "<string>"],
        "process_sha256": ["<string>", "<string>"],
        "reputation": ["<string>", "<string>"],
        "tag": ["<string>", "<string>"],
        "target_value": ["<string>", "<string>"],
        "threat_id": ["<string>", "<string>"],
        "type": ["<string>", "<string>"],
        "last_update_time": {
            "end": "<dateTime>",
            "range": "<string>",
            "start": "<dateTime>"
        },
        "workflow": ["<string>", "<string>"]
    },
    "query": "<string>",
    "terms": {
        "fields": ["<string>", "<string>"],
        "rows": "<integer>"
    }
}

Body Schema

Field Description Default Required
criteria Map of criteria to filter results on. Allowed values: threat_id, target_value, device_id, device_os_version, policy_id, device_os, minimum_severity, create_time, last_update_time, first_event_time, last_event_time, legacy_alert_id, group_results, process_sha256, policy_name, reputation, type, id, category, device_username, device_name, tag, workflow, process_name N/A No
query query to perform facet search N/A No
terms.fields Alert facet type. Allowed values: policy_applied_state, device_id, policy_id, policy_applied, status, device_name, policy_name, reputation, tag, sensor_action, run_state, category, workflow, application_name, application_hash, alert_type N/A Yes
terms.rows For pagination, how many results to return 20 No

Time Criteria

Alert APIs support filtering via the create_time, last_update_time, first_event_time, and last_event_time criteria fields. These time criteria filters can use either the range field or the start and end fields.

  • range can be either all (to indicate all time), or a specific duration specified as -[quantity][unit], where unit is one of:
    • s for seconds
    • m for minutes
    • h for hours
    • d for days
    • w for weeks
    • y for years
  • start and end are specified as ISO-8601 strings. start must be less than end.

Additional Supported criteria Parameter Values

Pathway Additional Allowed Values
/v6/orgs/{org_key}/alerts/cbanalytics/_facet blocked_threat_category, policy_applied, sensor_action, device_location, reason_code, kill_chain_status, not_blocked_threat_category, run_state, threat_cause_vector
/v6/orgs/{org_key}/alerts/vmware/_facet group_id
/v6/orgs/{org_key}/alerts/watchlist/_facet report_id, watchlist_name, report_name, watchlist_id

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
401 Unauthorized N/A N/A
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

POST https://defense.conferdeploy.net/appservices/v6/orgs/ASDF1234/alerts/_facet

Request Body

{
    "criteria": {
        "category": ["THREAT", "INFO"]
    },
    "terms": {
        "fields": ["ALERT_TYPE"],
        "rows": 50
    }
}

Response

{
   "results": [
       {
           "field": "alert_type",
           "values": [
               {
                   "total": 587,
                   "id": "CB_ANALYTICS",
                   "name": "CB_ANALYTICS"
               },
               {
                   "total": 0,
                   "id": "VMWARE",
                   "name": "VMWARE"
               },
               {
                   "total": 0,
                   "id": "WATCHLIST",
                   "name": "WATCHLIST"
               }
           ]
       }
   ]
}

Get Status of Workflow Update

Get the current status of a workflow update request.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.alerts.dismiss EXECUTE

Request

GET <psc-hostname>/appservices/v6/orgs/{org_key}/workflow/status/{requestId}

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
401 Unauthorized N/A N/A
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

GET https://defense.conferdeploy.net/appservices/v6/orgs/ASDF1234/workflow/status/{requestId}

Response

{
  "errors": ["string"],
  "failed_ids": ["string"],
  "id": "string",
  "num_hits": 0,
  "num_success": 0,
  "status": "QUEUED",
  "workflow": {
    "changed_by": "string",
    "comment": "string",
    "last_update_time": "2019-09-17T00:39:23.823Z",
    "remediation": "string",
    "state": "OPEN"
  }
}

Update Single Event Workflow

Update the workflow of a single event.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.alerts.dismiss EXECUTE

Request

POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/{id}/workflow

Request Body

{
    "state": "<string>",
    "comment": "<string>",
    "remediation_state": "<string>"
}

Body Schema

Field Description Default Required
state Workflow state to apply to the alert. Allowed values: dismissed, open N/A No
comment Comment to include with operation N/A No
remediation_state Description or justification for the change. Accepts any string. N/A No

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
401 Unauthorized N/A N/A
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

POST https://defense.conferdeploy.net/appservices/v6/orgs/ASDF1234/alerts/{id}/workflow

Request Body

{
    "state": "DISMISSED",
    "comment": "string",
    "remediation_state": "NO_ACTION_NEEDED"
}

Response

{
   "results": [
       {
           "field": "alert_type",
           "values": [
               {
                   "total": 868,
                   "id": "CB_ANALYTICS",
                   "name": "CB_ANALYTICS"
               },
               {
                   "total": 0,
                   "id": "VMWARE",
                   "name": "VMWARE"
               },
               {
                   "total": 0,
                   "id": "WATCHLIST",
                   "name": "WATCHLIST"
               }
           ]
       }
   ]
}

Update Bulk Event Workflows

Bulk update alerts’ workflow by search definition. Multiple pathways support similar request body schemas, including those listed below.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.alerts.dismiss EXECUTE

Requests

POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/workflow/_criteria
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/cbanalytics/workflow/_criteria
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/vmware/workflow/_criteria
POST <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/watchlist/workflow/_criteria

Below is an example request body for a request to /v6/orgs/{org_key}/alerts/workflow/_criteria. Additional criteria properties are available for the CbAnalytics, VMWare, and Watchlist pathways, listed below.

Request Body

{
    "state": "<string>",
    "comment": "<string>",
    "criteria": {
        "category": ["<string>", "<string>"],
        "create_time": {
            "end": "<dateTime>",
            "range": "<string>",
            "start": "<dateTime>"
        },
        "device_id": ["<long>", "<long>"],
        "device_name": ["<string>", "<string>"],
        "device_os": ["<string>", "<string>"],
        "device_os_version": ["<string>", "<string>"],
        "device_username": ["<string>", "<string>"],
        "group_results": "<boolean>",
        "id": ["<string>", "<string>"],
        "legacy_alert_id": ["<string>", "<string>"],
        "minimum_severity": "<integer>",
        "policy_id": ["<long>", "<long>"],
        "policy_name": ["<string>", "<string>"],
        "process_name": ["<string>", "<string>"],
        "process_sha256": ["<string>", "<string>"],
        "report_id": ["<string>", "<string>"],
        "report_name": ["<string>", "<string>"],
        "reputation": ["<string>", "<string>"],
        "tag": ["<string>", "<string>"],
        "target_value": ["<string>", "<string>"],
        "threat_id": ["<string>", "<string>"],
        "type": ["<string>", "<string>"],
        "watchlist_id": ["<string>", "<string>"],
        "watchlist_name": ["<string>", "<string>"],
        "workflow": ["<string>", "<string>"]
    },
    "query": "<string>",
    "remediation_state": "<string>"
}

Body Schema

Field Description Default Required
criteria Map of criteria to filter results on. Allowed values: threat_id, target_value, device_id, device_os_version, policy_id, device_os, minimum_severity, legacy_alert_id, group_results, process_sha256, policy_name, reputation, type, id, category, device_username, device_name, tag, workflow, process_name, create_time, last_update_time, first_event_time, last_event_time N/A No
query query to perform N/A No
state Workflow state to apply to every matched alert. Allowed values: dismissed, open N/A No
comment Comment to include with operation N/A No
remediation_state Description or justification for the change. Accepts any string. N/A No

Additional Supported criteria Parameter Values

Pathway Additional Allowed Values
/v6/orgs/{org_key}/alerts/cbanalytics/workflow/_criteria blocked_threat_category, policy_applied, sensor_action, device_location, reason_code, kill_chain_status, not_blocked_threat_category, run_state, threat_cause_vector
/v6/orgs/{org_key}/alerts/vmware/workflow/_criteria group_id
/v6/orgs/{org_key}/alerts/watchlist/workflow/_criteria report_id, watchlist_name, report_name, watchlist_id

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
401 Unauthorized N/A N/A
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

POST https://defense.conferdeploy.net/appservices/v6/orgs/ASDF1234/alerts/watchlist/workflow/_criteria

Request Body

{
  "comment": "string",
  "criteria": {
    "category": ["THREAT"],
    "create_time": {
      "end": "2019-09-17T00:03:47.277Z",
      "start": "2019-09-17T00:03:47.277Z"
    },
    "device_id": [324552, 12344, 997745],
    "device_name": ["hostmachine", "device.local", "DOMAIN\\DEVICE"],
    "device_os": ["WINDOWS"],
    "device_os_version": ["string"],
    "device_username": ["string"],
    "group_results": true,
    "id": ["string"],
    "legacy_alert_id": ["CTAS5XKG", "TJFY5ZBW"],
    "minimum_severity": 5,
    "policy_id": [1, 525, 644],
    "policy_name": ["Default", "Advanced", "Monitored"],
    "process_name": ["explorer.exe", "chrome.app", "setup.py"],
    "process_sha256": ["131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267"],
    "report_id": ["string"],
    "report_name": ["string"],
    "reputation": ["KNOWN_MALWARE"],
    "tag": ["string"],
    "target_value": ["LOW"],
    "threat_id": ["03ea43268c536a0bde8b765bca1696e9", "41edc35062138af3f1fea4b3bf7046a5"],
    "type": ["CB_ANALYTICS"],
    "watchlist_id": ["string"],
    "watchlist_name": ["string"],
    "workflow": ["OPEN"]
  },
  "query": "string",
  "remediation_state": "string",
  "state": "OPEN"
}

Response

{
 "request_id": "14617a6cd8df11e9974f1d8882e43ec1"
}
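The bulk update above returns only a request_id; the outcome has to be read from the workflow status endpoint. As an added example (not code from the Carbon Black Cloud documentation), the Python below submits a dismissal by criteria, polls the status endpoint until the request is no longer QUEUED, and returns the final status for inspection. post and get are assumed transport callables; the FakeAlertService, its request ids and its COMPLETED status value are constructed stand-ins, since the page documents only the QUEUED value.

```python
import time


def bulk_workflow_body(state, criteria, comment=None, remediation_state=None, query=None):
    """Body for POST /appservices/v6/orgs/{org_key}/alerts/workflow/_criteria.
    state is OPEN or DISMISSED; remediation_state is one of the documented
    values (e.g. NO_ACTION_NEEDED) or a free-form justification."""
    if state not in ("OPEN", "DISMISSED"):
        raise ValueError("state must be OPEN or DISMISSED")
    body = {"state": state, "criteria": criteria}
    for key, value in (("comment", comment), ("remediation_state", remediation_state),
                       ("query", query)):
        if value is not None:
            body[key] = value
    return body


def dismiss_by_criteria(post, get, org_key, criteria, comment, remediation_state,
                        poll_interval=0.0, max_polls=10):
    """Submit the bulk dismissal and poll the status endpoint until the request
    is no longer QUEUED (the only status value the docs show; any other value
    is treated as finished). post(path, body) and get(path) are the assumed
    authenticated transport callables."""
    base = f"/appservices/v6/orgs/{org_key}"
    body = bulk_workflow_body("DISMISSED", criteria, comment, remediation_state)
    request_id = post(f"{base}/alerts/workflow/_criteria", body)["request_id"]
    for _ in range(max_polls):
        status = get(f"{base}/workflow/status/{request_id}")
        if status["status"] != "QUEUED":
            return status  # caller inspects num_hits, num_success, failed_ids, errors
        time.sleep(poll_interval)
    raise TimeoutError(f"workflow request {request_id} still QUEUED after {max_polls} polls")


def _matches(alert, criteria):
    """The subset of search criteria the offline stand-in understands."""
    if "category" in criteria and alert["category"] not in criteria["category"]:
        return False
    if alert["severity"] < criteria.get("minimum_severity", 1):
        return False
    if "workflow" in criteria and alert["workflow"]["state"] not in criteria["workflow"]:
        return False
    return True


class FakeAlertService:
    """Constructed stand-in for both endpoints. The first status poll answers
    QUEUED; the next applies the change and reports totals. COMPLETED is an
    invented finished value; the real one is not documented on this page."""

    def __init__(self, alerts):
        self.alerts = alerts
        self.jobs = {}

    def post(self, path, body):
        request_id = f"req{len(self.jobs) + 1:04d}"  # constructed request id
        self.jobs[request_id] = {"body": body, "polls": 0}
        return {"request_id": request_id}

    def get(self, path):
        request_id = path.rsplit("/", 1)[1]
        job = self.jobs[request_id]
        job["polls"] += 1
        reply = {"id": request_id, "num_hits": 0, "num_success": 0, "failed_ids": [], "errors": []}
        if job["polls"] == 1:
            return dict(reply, status="QUEUED")
        body = job["body"]
        hits = [a for a in self.alerts if _matches(a, body["criteria"])]
        for alert in hits:
            alert["workflow"] = {"state": body["state"], "comment": body.get("comment"),
                                 "remediation": body.get("remediation_state"),
                                 "changed_by": "api-user"}
        return dict(reply, status="COMPLETED", num_hits=len(hits), num_success=len(hits))


def sample_alerts():
    """Constructed alerts carrying only the fields the stand-in matches on."""
    def alert(i, category, severity, state):
        return {"id": f"a{i}", "category": category, "severity": severity,
                "workflow": {"state": state}}
    return [alert(1, "THREAT", 7, "OPEN"), alert(2, "THREAT", 3, "OPEN"),
            alert(3, "INFO", 9, "OPEN"), alert(4, "THREAT", 8, "DISMISSED"),
            alert(5, "THREAT", 5, "OPEN")]


def demo():
    """Dismiss open THREAT alerts of severity 5 or higher as reviewed known-good behaviour."""
    svc = FakeAlertService(sample_alerts())
    criteria = {"category": ["THREAT"], "minimum_severity": 5, "workflow": ["OPEN"]}
    status = dismiss_by_criteria(svc.post, svc.get, "ASDF1234", criteria,
                                 "Reviewed by SOC: approved admin tooling",
                                 "FALSE_POSITIVE_KNOWN_GOOD_BEHAVIOR")
    return status, [a["workflow"]["state"] for a in svc.alerts]
```

Against the real service, compare num_hits with num_success and act on failed_ids before treating the dismissal as complete.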

Get Suggestions

Get suggestions on keys and field values.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.alerts READ

Parameters

Name Description Default Required
suggest.q The query string for which you want completion suggestions. Leave this value blank, suggest.q=, to return all key suggestions. N/A Yes

Request

GET <psc-hostname>/appservices/v6/orgs/{org_key}/alerts/search_suggestions

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
401 Unauthorized N/A N/A
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

GET https://defense.conferdeploy.net/appservices/v6/orgs/ASDF1234/alerts/search_suggestions?suggest.q=

Response

{
   "suggestions": [
       {
           "term": "threat_category",
           "weight": 525
       },
       {
           "term": "watchlist_name",
           "weight": 512
       },
       {
           "term": "ttp",
           "weight": 486
       },
       {
           "term": "run_state",
           "weight": 481
       },
       {
           "term": "device_name",
           "weight": 477
       },
       {
           "term": "alert_id",
           "weight": 472
       },
       {
           "term": "event_id",
           "weight": 472
       },
       {
           "term": "threat_vector",
           "weight": 468
       },
       {
           "term": "device_username",
           "weight": 461
       },
       {
           "term": "report_id",
           "weight": 458
       },
       {
           "term": "process_guid",
           "weight": 431
       },
       {
           "term": "process_name",
           "weight": 431
       },
       {
           "term": "sensor_action",
           "weight": 424
       },
       {
           "term": "alert_severity",
           "weight": 419
       },
       {
           "term": "device_id",
           "weight": 412
       },
       {
           "term": "device_os",
           "weight": 412
       },
       {
           "term": "device_policy",
           "weight": 401
       },
       {
           "term": "process_pid",
           "weight": 311
       },
       {
           "term": "process_hash",
           "weight": 306
       },
       {
           "term": "process_reputation",
           "weight": 287
       }
   ]
}

Schemas

Base Alert

Field Definition Data Type Values
category The category of the alert String THREAT, MONITORED, INFO, MINOR, SERIOUS, CRITICAL
create_time The time the alert was created String ISO 8601 timestamp
device_id The identifier assigned by Carbon Black Cloud to the device associated with the alert. Integer N/A
device_name The hostname of the device associated with the alert. String N/A
device_os The operating system of the device associated with the alert String WINDOWS, MAC, LINUX, OTHER
device_os_version The operating system and version on the device String N/A
device_username The username of the logged-on user at the time of the alert. If the user is not available, it may be populated with the device owner String N/A
first_event_time The time of the first event associated with the alert String ISO 8601 timestamp
group_details Details about a group of alerts when “Group Alerts” is enabled in the search request Object
{
  "count": 5,
  "total_devices": 3
}
id The identifier for the alert String N/A
last_event_time The time of the latest event associated with the alert String ISO 8601 timestamp
last_update_time The last time the alert was updated String ISO 8601 timestamp
legacy_alert_id Unique short ID for the alert, to support easier consumption in the UI console. Use id for API requests String N/A
notes_present Indicates if notes are associated with the threat_id Boolean N/A
org_key The unique identifier for the organization associated with the alert String N/A
policy_id The identifier for the policy associated with the device at the time of the alert String N/A
policy_name The name of the policy associated with the device at the time of the alert String N/A
severity The threat ranking of the alert Integer 1-10
tags Tags associated with the alert Array
[ "tag1", "tag2" ]
target_value The priority of the device assigned by the policy String LOW, MEDIUM, HIGH, MISSION_CRITICAL
threat_id The identifier of the threat to which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. String N/A
type Type of alert String CB_ANALYTICS, VMWARE, WATCHLIST
workflow Tracking system for alerts as they are triaged and resolved Object
{
  "changed_by": "username",
  "comment": "Beginning to investigate",
  "last_update_time": "2019-09-13T14:17:21.668Z",
  "remediation": null,
  "state": "OPEN"
}
remediation supports ACTION_TAKEN, NO_ACTION_NEEDED, FALSE_POSITIVE_KNOWN_GOOD_SOFTWARE, FALSE_POSITIVE_KNOWN_GOOD_BEHAVIOR or a custom string

state supports OPEN or DISMISSED

CB Analytics Alert

CB Analytics alerts are created by the Endpoint Standard (NGAV) offering.

Note: This alert will also include all of the fields from Base Alert

Field Definition Data Type Values
blocked_threat_category The category of threat which we were able to take action on String UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM
created_by_event_id Event identifier that initiated the alert String N/A
device_location Whether the device was on or off premise when the alert started String ONSITE, OFFSITE, UNKNOWN
kill_chain_status The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert Array
[ "EXECUTE_GOAL", "BREACH" ]
supported values RECONNAISSANCE, WEAPONIZE, DELIVER_EXPLOIT, INSTALL_RUN, COMMAND_AND_CONTROL, EXECUTE_GOAL, BREACH
not_blocked_threat_category Other potentially malicious activity involved in the threat that we weren’t able to take action on (either due to policy config, or not having a relevant rule) String UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM
policy_applied Whether a policy was applied String APPLIED, NOT_APPLIED
process_name The process that triggered the alert String N/A
reason Description of the alert String N/A
reason_code String N/A
run_state Whether the threat in the alert ran String DID_NOT_RUN, RAN, UNKNOWN
sensor_action The action taken by the sensor, according to the rule of the policy String POLICY_NOT_APPLIED, ALLOW, ALLOW_AND_LOG, TERMINATE, DENY
threat_activity_c2 Whether the alert involved a command and control (c2) server String NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED
threat_activity_dlp Whether the alert involved data loss prevention (DLP) String NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED
threat_activity_phish Whether the alert involved phishing String NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED
threat_cause_actor_name Process name or IP address of the threat actor String N/A
threat_cause_actor_process_pid Process identifier (PID) of the actor process String N/A
threat_cause_actor_sha256 SHA256 of the threat cause actor String N/A
threat_cause_event_id ID of the Event that triggered the threat String N/A
threat_cause_reputation Reputation of the threat cause String KNOWN_MALWARE, SUSPECT_MALWARE, PUP, NOT_LISTED, ADAPTIVE_WHITE_LIST, COMMON_WHITE_LIST, TRUSTED_WHITE_LIST, COMPANY_BLACK_LIST
threat_cause_category Category of the threat cause String UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM
threat_cause_vector The source of the threat cause String EMAIL, WEB, GENERIC_SERVER, GENERIC_CLIENT, REMOTE_DRIVE, REMOVABLE_MEDIA, UNKNOWN, APP_STORE, THIRD_PARTY
threat_indicators List of the threat indicators that make up the threat Array
[
  {
    "process_name": "<string>",
    "sha256": "<string>",
    "ttps": ["<string>", "<string>"]
  }
]

Watchlist Alert

Watchlist alerts are created from alert-enabled watchlists in Enterprise EDR.

Note: This alert will also include all of the fields from Base Alert

Field Definition Data Type Values
ioc_field The field that the indicator of compromise (IOC) hit contains String N/A
ioc_hit IOC field value or IOC query that matches String N/A
ioc_id The identifier of the IOC that caused the hit String N/A
process_guid The global unique identifier of the process that triggered the hit String N/A
process_name The name of the process that triggered the hit String N/A
reason Description of the alert String N/A
report_id The identifier of the report that contains the IOC String N/A
report_name The name of the report that contains the IOC String N/A
run_state Run state is always RAN for watchlist alerts String RAN
threat_cause_actor_md5 MD5 of the threat cause actor String N/A
threat_cause_actor_name Process name or IP address of the threat actor String N/A
threat_cause_actor_sha256 SHA256 of the threat cause actor String N/A
threat_cause_reputation Reputation of the threat cause String KNOWN_MALWARE, SUSPECT_MALWARE, PUP, NOT_LISTED, ADAPTIVE_WHITE_LIST, COMMON_WHITE_LIST, TRUSTED_WHITE_LIST, COMPANY_BLACK_LIST
threat_cause_category Category of the threat cause String UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM
threat_cause_vector The source of the threat cause String EMAIL, WEB, GENERIC_SERVER, GENERIC_CLIENT, REMOTE_DRIVE, REMOVABLE_MEDIA, UNKNOWN, APP_STORE, THIRD_PARTY
threat_indicators List of the threat indicators that make up the threat Array
[
  {
    "process_name": "<string>",
    "sha256": "<string>",
    "ttps": ["<string>", "<string>"]
  }
]
watchlists List of watchlists associated with an alert Array
[
  {
    "id": "<string>",
    "name": "<string>"
  }
]
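Consumers that forward alerts into a SIEM or ticketing system benefit from checking payloads against the enumerations in the schemas above before relying on them. As an added example (not code from the Carbon Black Cloud documentation), the Python below validates an alert against the Base, CB Analytics and Watchlist schema rules on this page and gathers the TTPs recorded in threat_indicators. The two sample alerts, their hashes and TTP names are constructed placeholders.

```python
THREAT_CATEGORIES = {"UNKNOWN", "NON_MALWARE", "NEW_MALWARE", "KNOWN_MALWARE", "RISKY_PROGRAM"}
KILL_CHAIN_STAGES = {"RECONNAISSANCE", "WEAPONIZE", "DELIVER_EXPLOIT", "INSTALL_RUN",
                     "COMMAND_AND_CONTROL", "EXECUTE_GOAL", "BREACH"}
WORKFLOW_STATES = {"OPEN", "DISMISSED"}

# Enumerated fields of the Base Alert schema.
BASE_ENUMS = {
    "category": {"THREAT", "MONITORED", "INFO", "MINOR", "SERIOUS", "CRITICAL"},
    "device_os": {"WINDOWS", "MAC", "LINUX", "OTHER"},
    "target_value": {"LOW", "MEDIUM", "HIGH", "MISSION_CRITICAL"},
    "type": {"CB_ANALYTICS", "VMWARE", "WATCHLIST"},
}
# Enumerated fields that only CB Analytics alerts carry.
CB_ANALYTICS_ENUMS = {
    "blocked_threat_category": THREAT_CATEGORIES,
    "not_blocked_threat_category": THREAT_CATEGORIES,
    "threat_cause_category": THREAT_CATEGORIES,
    "device_location": {"ONSITE", "OFFSITE", "UNKNOWN"},
    "policy_applied": {"APPLIED", "NOT_APPLIED"},
    "run_state": {"DID_NOT_RUN", "RAN", "UNKNOWN"},
    "sensor_action": {"POLICY_NOT_APPLIED", "ALLOW", "ALLOW_AND_LOG", "TERMINATE", "DENY"},
}


def _check_enums(alert, enums, problems):
    for field, allowed in enums.items():
        if field in alert and alert[field] not in allowed:
            problems.append(f"{field}: unexpected value {alert[field]!r}")


def validate_alert(alert):
    """Return the list of schema violations found in one alert (empty if it conforms)."""
    problems = []
    _check_enums(alert, BASE_ENUMS, problems)
    severity = alert.get("severity")
    if not isinstance(severity, int) or not 1 <= severity <= 10:
        problems.append(f"severity: expected an integer 1-10, got {severity!r}")
    state = (alert.get("workflow") or {}).get("state")
    if state not in WORKFLOW_STATES:
        problems.append(f"workflow.state: expected OPEN or DISMISSED, got {state!r}")
    kind = alert.get("type")
    if kind == "CB_ANALYTICS":
        _check_enums(alert, CB_ANALYTICS_ENUMS, problems)
        for stage in alert.get("kill_chain_status", []):
            if stage not in KILL_CHAIN_STAGES:
                problems.append(f"kill_chain_status: unknown stage {stage!r}")
    elif kind == "WATCHLIST" and alert.get("run_state", "RAN") != "RAN":
        problems.append("run_state: watchlist alerts are always RAN")
    return problems


def indicator_ttps(alert):
    """Map each TTP named in threat_indicators to the set of SHA-256 hashes
    it was observed on, across all indicators of the alert."""
    ttps = {}
    for indicator in alert.get("threat_indicators", []):
        for ttp in indicator.get("ttps", []):
            ttps.setdefault(ttp, set()).add(indicator.get("sha256"))
    return ttps


# Constructed sample alerts (not real data): a conforming CB Analytics alert and
# a watchlist alert that breaks two rules. Hashes and TTP names are placeholders.
GOOD_ALERT = {
    "type": "CB_ANALYTICS", "id": "<alert-id-1>", "category": "THREAT", "severity": 7,
    "device_os": "WINDOWS", "target_value": "MISSION_CRITICAL",
    "workflow": {"state": "OPEN", "changed_by": "analyst", "comment": None, "remediation": None},
    "run_state": "RAN", "sensor_action": "TERMINATE", "policy_applied": "APPLIED",
    "kill_chain_status": ["INSTALL_RUN", "EXECUTE_GOAL"],
    "threat_indicators": [
        {"process_name": "sample.exe", "sha256": "<sha256-1>", "ttps": ["TTP_EXAMPLE_A", "TTP_EXAMPLE_B"]},
        {"process_name": "helper.exe", "sha256": "<sha256-2>", "ttps": ["TTP_EXAMPLE_A"]},
    ],
}
BAD_ALERT = {
    "type": "WATCHLIST", "id": "<alert-id-2>", "category": "THREAT", "severity": 11,
    "run_state": "DID_NOT_RUN", "workflow": {"state": "OPEN"},
}
```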
Last modified on September 23, 2020