Data Forwarder Fields
Environment
- Carbon Black Cloud Console: December 2019 Release (0.51.0 backend) and Higher
- CB Cloud Data Forwarder: All Versions
- Amazon Simple Storage Service (Amazon S3)
Objective
This document describes how the Carbon Black Cloud Forwarders map field types into the output JSON format.
Data Types
Basic data types such as “int” and “string” map directly to the corresponding JSON data types. Additional data types are described below:
- Base64 - JSON string containing base64 encoded binary data.
- Ipaddr - JSON string containing canonically formatted IPv4 or IPv6 address.
- Datetime - JSON string containing ISO 8601 date/time format. If no time zone is included, UTC is assumed. All timestamps emitted by the Data Forwarder are sent in ISO 8601 format.
- String enum - JSON string containing the stringified version of the enum from the relevant protobuf field, with the common prefix stripped off. For example, “BLOCK”.
- String enum bitmask - Same as above, but for bitmask input fields an OR marker " | " is placed between each set bit. For example, a CbFileAction value of 0x300 is rendered as “OPEN_READ | OPEN_WRITE”.
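The following helpers show how a consumer of the forwarder output would decode each of the data types above: Base64 to bytes, Ipaddr to a canonical string, Datetime with the "no zone means UTC" rule (plus the `+0000 UTC` form shown for backend_timestamp further down), and the bitmask rendering in both directions. This is an added example, not code from the Data Forwarder or Carbon Black; the FILE_ACTION_BITS table is an assumption, since the page only states that 0x300 renders as "OPEN_READ | OPEN_WRITE".

```python
"""Decoding helpers for the value encodings used in Data Forwarder JSON.

Added example, not code from the Data Forwarder or Carbon Black. The
bit-to-name table below is an assumption: the page only states that a
CbFileAction of 0x300 renders as "OPEN_READ | OPEN_WRITE", so 0x100 and
0x200 are assigned to those two names here for illustration.
"""
import base64
import ipaddress
from datetime import datetime, timezone

# Assumed bit assignments (see module docstring); rendered lowest bit first.
FILE_ACTION_BITS = {
    0x100: "OPEN_READ",
    0x200: "OPEN_WRITE",
}


def decode_base64(value: str) -> bytes:
    """Base64 fields carry raw binary; validate=True rejects stray characters."""
    return base64.b64decode(value, validate=True)


def canonical_ip(value: str) -> str:
    """Normalise an Ipaddr field so equal addresses compare equal as strings.

    Event fields are already canonical, but alert fields may carry the
    zero-padded IPv6 form shown on this page; ipaddress compresses both.
    """
    return str(ipaddress.ip_address(value))


def parse_timestamp(value: str) -> datetime:
    """Parse a Datetime field; a missing zone means UTC per the spec.

    Accepts ISO 8601 with a 'Z' suffix or numeric offset, and the
    'YYYY-MM-DD HH:MM:SS +0000 UTC' form shown for backend_timestamp.
    """
    text = value.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    try:
        parsed = datetime.fromisoformat(text)
    except ValueError:
        parsed = datetime.strptime(text, "%Y-%m-%d %H:%M:%S %z UTC")
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def format_bitmask(value: int, bits: dict) -> str:
    """Render a bitmask the way the forwarder does: names joined by ' | '."""
    names = [name for bit, name in sorted(bits.items()) if value & bit]
    unknown = value & ~sum(bits)
    if unknown:
        # Surface bits we have no name for instead of silently dropping them.
        names.append(f"UNKNOWN_{unknown:#x}")
    return " | ".join(names)


def parse_bitmask(text: str, bits: dict) -> int:
    """Inverse of format_bitmask: turn 'A | B' back into an integer."""
    by_name = {name: bit for bit, name in bits.items()}
    value = 0
    for token in (t.strip() for t in text.split("|") if t.strip()):
        if token not in by_name:
            raise ValueError(f"unknown bitmask name: {token}")
        value |= by_name[token]
    return value
```

Comparing timestamps only after `parse_timestamp` avoids the classic mistake of string-comparing `device_timestamp` against `create_time`, which use different layouts on this page.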
Event Fields
“Common fields” are present in all event types, while other fields are only present for a specific event type.
Legend:
- FILTERABLE - Indicates whether the field is supported in the query for a filter
- TOKENIZED - The field supports partial phrase matching through Tokenization
- WILDCARD - The field supports wildcard characters
Common Fields
The Carbon Black Cloud Data Forwarder emits a set of common fields for every endpoint event. These fields represent common metadata for the organization, device, and process to which this event belongs.
Note: A new copy of the alert will be sent if something changes on the backend.

| Field | Definition | Capabilities |
|---|---|---|
| action | Specific endpoint action observed by the sensor during this event. Enum values vary by event type. | FILTERABLE |
| backend_timestamp | Time when the backend received the batch of events, based on the Carbon Black Cloud backend's clock, as an RFC 3339 formatted UTC time string to the second; may differ from device_timestamp by a few minutes due to asynchronous processing. Example: 2021-07-28 18:43:51 +0000 UTC | |
| device_group | Sensor group to which the endpoint was assigned when the sensor recorded the event data | FILTERABLE, WILDCARD |
| device_id | Integer ID of the device that created this event | FILTERABLE |
| device_name | Hostname of the device that created this event | FILTERABLE, WILDCARD |
| device_os | OS type of the device (Windows/OSX/Linux) | FILTERABLE |
| device_timestamp | Time seen on the sensor, based on the sensor's clock, in RFC 3339 UTC format to the second. Example: 2021-07-28 18:43:51 +0000 UTC | |
| event_origin | Indicates which product the event came from: “EDR” indicates the event originated from Enterprise EDR, “NGAV” indicates the event originated from Endpoint Standard. | FILTERABLE |
| org_key | The organization key associated with the console instance. Can be used to disambiguate events from different Carbon Black Cloud tenant organizations. | FILTERABLE, WILDCARD |
| parent_guid | Unique ID of the parent process. Please see this document for more information on how a process GUID is used and each of its components. | |
| parent_hash | Cryptographic hashes of the executable file backing the parent process, represented as an array of two elements: MD5 and SHA-256 hash | FILTERABLE |
| parent_path | Full path to the executable file backing the parent process on the device's file system | FILTERABLE, WILDCARD |
| parent_pid | OS-reported Process ID of the parent process | FILTERABLE |
| parent_reputation | Reputation of the parent process; applied when the event is processed by the Carbon Black Cloud, i.e. after the sensor delivers the event to the cloud | FILTERABLE |
| process_cmdline | Command line executed by the actor process | FILTERABLE, TOKENIZED, WILDCARD |
| process_fork_pid | The PID of a process forked from the actor on *nix systems. If process_pid != process_fork_pid, the current process was forked from the original process_pid. | FILTERABLE |
| process_guid | Unique ID of the process. Please see this document for more information on how a process GUID is used and each of its components. | |
| process_hash | Cryptographic hashes of the executable file backing this process, represented as an array of two elements: MD5 and SHA-256 hash | FILTERABLE |
| process_path | Full path to the executable file backing this process on the device's file system | FILTERABLE, WILDCARD |
| process_pid | OS-reported Process ID of the current process | FILTERABLE |
| process_reputation | Reputation of the actor process; applied when the event is processed by the Carbon Black Cloud, i.e. after the sensor delivers the event to the cloud | FILTERABLE |
| process_username | The username associated with the user context that this process was started under | FILTERABLE, WILDCARD |
| schema | The schema version. The current schema version is “1”. The schema version is only incremented if the field definitions change in a backwards-incompatible way; new fields in an event type or new event types do not result in a new schema version. | FILTERABLE |
| sensor_action | (optional) Included if the sensor blocked the event or terminated the application due to security policy. Values: POLICY_NOT_APPLIED, ALLOW, ALLOW_AND_LOG, TERMINATE, DENY | FILTERABLE |
| target_cmdline | Process command line associated with the target process | FILTERABLE, TOKENIZED, WILDCARD |
| type | The event type. Use this field to determine which fields to expect per the specs below. | FILTERABLE |
Endpoint Standard Fields
Endpoint Standard events have the event_origin field set to NGAV. If you are an Endpoint Standard customer, you will see the fields below populated in the Data Forwarder output. Enterprise EDR fields will also be present, but not populated. Endpoint Standard records only “security-relevant” events, so you will see roughly 10-20x fewer Endpoint Standard events than Enterprise EDR events.

| Field | Definition | Capabilities |
|---|---|---|
| alert_id | The ID of the Alert this event is associated with | FILTERABLE |
| device_external_ip | IP address of the host as seen by the backend (the public IPv4 or IPv6 address used to contact the Carbon Black Cloud) | FILTERABLE |
| event_description | Long textual description of the event as seen in the Carbon Black Cloud web console | FILTERABLE, WILDCARD |
| event_id | Internal Endpoint Standard event ID associated with this specific event; this event ID can be used to find the specific event in the Carbon Black Cloud web console | |
| process_terminated | Always FALSE for Endpoint Standard events | |
Enterprise EDR Fields
Enterprise EDR events have the event_origin field set to EDR. Endpoint Standard fields will be present, but not populated.

| Field | Definition | Capabilities |
|---|---|---|
| parent_cmdline | Process command line associated with the parent process | FILTERABLE, TOKENIZED, WILDCARD |
| process_duration | The time difference in seconds between the process start and process terminate event | |
| process_publisher[].name | Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the process as reported by the endpoint | FILTERABLE, WILDCARD (filterable field: process_publisher) |
| process_publisher[].state | See above | FILTERABLE (filterable field: process_publisher_state) |
| process_terminated | True if the process was terminated | |
API Call
endpoint.event.apicall
Each API-call event is reported as the type “endpoint.event.apicall”. An API-call event includes the fields named in the “Common Fields” section above.

| Field | Definition | Capabilities |
|---|---|---|
| crossproc_api | Name of the operating system API called by the actor process. In cases where that call targets another process, that process is reported as crossproc_name. In cases where there is no target process, this field represents a system API call. Available with: | FILTERABLE, WILDCARD |
| crossproc_action | The cross-process action initiated by the actor process. Values: ACTION_API_CALL, ACTION_DUP_PROCESS_HANDLE, ACTION_OPEN_THREAD_HANDLE, ACTION_DUP_THREAD_HANDLE, ACTION_CREATE_REMOTE_THREAD | FILTERABLE |
Cross-Process Event
endpoint.event.crossproc
Any time a process interacts with another process on the system, that is considered a “cross-process” event. Each cross-process event is reported as the type “endpoint.event.crossproc”. The following fields represent metadata associated with the cross-process event.

| Field | Definition | Capabilities |
|---|---|---|
| crossproc_api | Name of the operating system API called by the actor process. In cases where that call targets another process, that process is reported as crossproc_name. In cases where there is no target process, this field represents a system API call. Available with: | FILTERABLE, WILDCARD |
| crossproc_action | The cross-process action initiated by the actor process. Values: ACTION_API_CALL, ACTION_DUP_PROCESS_HANDLE, ACTION_OPEN_THREAD_HANDLE, ACTION_DUP_THREAD_HANDLE, ACTION_CREATE_REMOTE_THREAD | FILTERABLE |
| crossproc_guid | Unique ID of the cross process | |
| crossproc_hash | Cryptographic hashes of the target of the crossproc event, represented as an array of two elements: MD5 and SHA-256 hash | FILTERABLE |
| crossproc_name | Full path to the target of the crossproc event on the device's local file system | FILTERABLE, WILDCARD |
| crossproc_publisher[].name | Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the crossproc as reported by the endpoint | FILTERABLE, WILDCARD (filterable field: crossproc_publisher) |
| crossproc_publisher[].state | See above | FILTERABLE (filterable field: crossproc_publisher_state) |
| crossproc_reputation | Carbon Black Cloud Reputation string for the crossproc | FILTERABLE |
| crossproc_target | True if the process was the target of the cross-process event; false if the process was the actor | FILTERABLE |
File Modification
endpoint.event.filemod
Each file-modification event is reported as the type “endpoint.event.filemod”. The following fields represent metadata associated with the file-modification event.

| Field | Definition | Capabilities |
|---|---|---|
| filemod_hash | Cryptographic hashes of the file modified, represented as an array of two elements: MD5 and SHA-256 hash | FILTERABLE |
| filemod_name | Full path to the file being modified on the device's file system | FILTERABLE, WILDCARD |
Fileless Script Load
endpoint.event.fileless_scriptload
A “fileless script load” is generated when a process loads a set of script instructions into memory. Each fileless script load event is reported as the type “endpoint.event.fileless_scriptload”. The following fields represent metadata associated with the fileless script load event.

| Field | Definition | Capabilities |
|---|---|---|
| fileless_scriptload_cmdline | Deobfuscated script content run in a fileless context by the process | FILTERABLE, TOKENIZED, WILDCARD |
| fileless_scriptload_cmdline_length | Character count of the deobfuscated script content run in a fileless context | FILTERABLE |
| fileless_scriptload_hash | SHA-256 hash(es) of the deobfuscated script content run by the process in a fileless context | FILTERABLE |
Module Load
endpoint.event.moduleload
A “module load” is generated when a process loads a shared library (DLL on Windows, .so on Linux, .dylib on macOS) into its process memory space. Each module load event is reported as the type “endpoint.event.moduleload”. The following fields represent metadata associated with the module load event.

| Field | Definition | Capabilities |
|---|---|---|
| modload_count | Count of modload events reported by the sensor since last initialization | FILTERABLE |
| modload_effective_reputation | Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred | FILTERABLE |
| modload_hash | MD5 or SHA-256 hash(es) of the module(s) loaded by the process | FILTERABLE |
| modload_md5 | MD5 hash of the module loaded by the process | FILTERABLE |
| modload_name | Full path to the module being loaded on the device's file system | FILTERABLE, WILDCARD |
| modload_publisher[].name | Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the moduleload as reported by the endpoint | FILTERABLE, WILDCARD (filterable field: modload_publisher) |
| modload_publisher[].state | See above | FILTERABLE (filterable field: modload_publisher_state) |
| modload_sha256 | SHA-256 hash of the module loaded by the process | FILTERABLE |
Network Connection
endpoint.event.netconn
Each network-connection event is reported as the type “endpoint.event.netconn”. In addition to the common fields documented in “Common Fields”, the following fields represent metadata associated with the network-connection event.

| Field | Definition | Capabilities |
|---|---|---|
| local_ip | IPv4 or IPv6 address in string format associated with the “local” end of this network connection | FILTERABLE |
| local_port | UDP/TCP port number associated with the “local” end of this network connection | FILTERABLE |
| netconn_domain | DNS name associated with the “remote” end of this network connection; may be empty if the name cannot be inferred or the connection is made directly to/from a remote IP address | FILTERABLE, WILDCARD |
| netconn_inbound | Set to true if the netconn is inbound | FILTERABLE |
| netconn_protocol | String UDP or TCP protocol identifier | FILTERABLE |
| remote_ip | IPv4 or IPv6 address in string format associated with the “remote” end of this network connection | FILTERABLE |
| remote_port | UDP/TCP port number associated with the “remote” end of this network connection | FILTERABLE |
Network Proxy Connection
endpoint.event.netconn_proxy
A “network proxy connection” event is any network connection event in which the process communicates with an intermediary remote device but has a different intended destination, usually an HTTP proxy intermediary. Each network proxy connection event is reported as the type “endpoint.event.netconn_proxy”. In addition to the common fields documented in “Common Fields” and the fields documented in “Network Connection - endpoint.event.netconn”, the following fields represent metadata associated with the network proxy connection event.

| Field | Definition | Capabilities |
|---|---|---|
| netconn_proxy_domain | DNS name associated with the “proxy” end of this network connection; may be empty if the name cannot be inferred or the connection is made directly to/from a proxy IP address | FILTERABLE, WILDCARD |
| netconn_proxy_ip | IPv4 or IPv6 address in string format associated with the “proxy” end of this network connection | FILTERABLE |
| netconn_proxy_port | UDP/TCP port number associated with the “proxy” end of this network connection | FILTERABLE |
Process Launch Event
endpoint.event.procstart
Each process launch event is reported as the type “endpoint.event.procstart”. A procstart event can describe either a child process or a new process. A child process event has the action ACTION_CREATE_PROCESS, whereas a new process has ACTION_PROCESS_DISCOVERED. In the case of a new process, only process and childproc properties are present; there are no parent properties. The childproc properties represent the process being created, and the process properties represent the OS system.

The target_cmdline property is the command line that was executed to create the process represented in the childproc properties.

In addition to the common fields documented in “Common Fields”, the following fields represent metadata associated with the process start event.

| Field | Definition | Capabilities |
|---|---|---|
| childproc_guid | Unique ID of the child process. See this document for more information on how a process GUID is used and each of its components. | |
| childproc_hash | Cryptographic hashes of the executable file backing the child process, represented as an array of two elements: MD5 and SHA-256 hash | FILTERABLE |
| childproc_name | Full path to the target application for the child process on the device's local file system | FILTERABLE, WILDCARD |
| childproc_pid | OS-reported Process ID of the child process | FILTERABLE |
| childproc_publisher[].name | Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the childproc as reported by the endpoint | FILTERABLE, WILDCARD (filterable field: childproc_publisher) |
| childproc_publisher[].state | See above | FILTERABLE (filterable field: childproc_publisher_state) |
| childproc_reputation | Carbon Black Cloud Reputation string for the childproc | FILTERABLE |
| childproc_username | The username associated with the user context that the child process was started under | FILTERABLE, WILDCARD |
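Rebuilding process ancestry from procstart events is where the ACTION_CREATE_PROCESS versus ACTION_PROCESS_DISCOVERED distinction matters: a discovered process arrives with no parent_* fields, and its process_* fields describe the OS rather than a real parent. The tree builder below is an added example, not code from the Data Forwarder or Carbon Black; the sample events, paths and GUIDs are constructed, and only the field names and the two action values come from the page.

```python
"""Rebuild process ancestry from endpoint.event.procstart records.

Added example, not code from the Data Forwarder or Carbon Black. The sample
events, their paths and GUIDs are constructed; only the field names and the
two action values (ACTION_CREATE_PROCESS, ACTION_PROCESS_DISCOVERED) come
from this page.
"""

# Constructed sample. The first event is a discovered process: it has no
# parent_* fields, its process_* fields describe the OS, and childproc_*
# describes the process that was found already running.
SAMPLE_EVENTS = [
    {"type": "endpoint.event.procstart", "action": "ACTION_PROCESS_DISCOVERED",
     "process_guid": "guid-system", "process_path": "System", "process_pid": 4,
     "childproc_guid": "guid-explorer", "childproc_pid": 1234,
     "childproc_name": "C:\\Windows\\explorer.exe",
     "target_cmdline": "explorer.exe"},
    {"type": "endpoint.event.procstart", "action": "ACTION_CREATE_PROCESS",
     "process_guid": "guid-explorer", "process_path": "C:\\Windows\\explorer.exe",
     "process_pid": 1234, "parent_guid": "guid-system",
     "childproc_guid": "guid-cmd", "childproc_pid": 2345,
     "childproc_name": "C:\\Windows\\System32\\cmd.exe",
     "target_cmdline": "cmd.exe /c dir"},
    {"type": "endpoint.event.procstart", "action": "ACTION_CREATE_PROCESS",
     "process_guid": "guid-cmd", "process_path": "C:\\Windows\\System32\\cmd.exe",
     "process_pid": 2345, "parent_guid": "guid-explorer",
     "childproc_guid": "guid-ps", "childproc_pid": 3456,
     "childproc_name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target_cmdline": "powershell.exe -NoProfile -File C:\\scripts\\report.ps1"},
    # Events of other types are ignored by the tree builder.
    {"type": "endpoint.event.netconn", "process_guid": "guid-ps"},
]


def _new_node():
    return {"path": None, "pid": None, "cmdline": None,
            "parent_guid": None, "discovered": False, "children": []}


def build_process_tree(events):
    """Index processes by GUID; each node links to its parent and children."""
    nodes = {}
    for ev in events:
        if ev.get("type") != "endpoint.event.procstart":
            continue
        actor = nodes.setdefault(ev["process_guid"], _new_node())
        actor["path"] = actor["path"] or ev.get("process_path")
        actor["pid"] = actor["pid"] or ev.get("process_pid")
        # parent_guid is absent on ACTION_PROCESS_DISCOVERED events.
        actor["parent_guid"] = actor["parent_guid"] or ev.get("parent_guid")

        child = nodes.setdefault(ev["childproc_guid"], _new_node())
        child["path"] = ev.get("childproc_name")
        child["pid"] = ev.get("childproc_pid")
        child["cmdline"] = ev.get("target_cmdline")  # line that created the child
        child["parent_guid"] = ev["process_guid"]
        child["discovered"] = ev.get("action") == "ACTION_PROCESS_DISCOVERED"
        if ev["childproc_guid"] not in actor["children"]:
            actor["children"].append(ev["childproc_guid"])
    return nodes


def ancestry(nodes, guid):
    """GUIDs from the process up to the root; stops at unknown GUIDs or loops."""
    chain, seen = [], set()
    while guid in nodes and guid not in seen:
        seen.add(guid)
        chain.append(guid)
        guid = nodes[guid]["parent_guid"]
    return chain


def lineage(nodes, guid):
    """Readable 'root > ... > process' string for triage notes."""
    return " > ".join(nodes[g]["path"] or g for g in reversed(ancestry(nodes, guid)))
```

The `discovered` flag is worth keeping on each node: a chain that passes through a discovered process tells the analyst that the ancestry above that point is unknown to the sensor, not that the OS itself launched it.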
Process Terminate Event
endpoint.event.procend
Each process-terminate event is reported as the type “endpoint.event.procend”. A “procend” event includes the fields named in the “Common Fields” section above.
Registry Modification
endpoint.event.regmod
Each registry-modification event is reported as the type “endpoint.event.regmod”. The following fields represent metadata associated with the registry-modification event.

| Field | Definition | Capabilities |
|---|---|---|
| regmod_name | Full path to the registry key being modified in the Windows device's registry, including the hive | FILTERABLE, WILDCARD |
Script Load
endpoint.event.scriptload
A “script load” is generated when a process loads a script (.ps1, .vb, .bin, etc.) that can be executed by a script interpreter. Each script load event is reported as the type “endpoint.event.scriptload”. The following fields represent metadata associated with the script load event.
EDR Scriptload Event

| Field | Definition | Capabilities |
|---|---|---|
| scriptload_effective_reputation | Effective reputation(s) of the loaded script(s); applied by the sensor when the event occurred. Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later, and Enterprise EDR. Values: ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST | FILTERABLE |
| scriptload_hash | MD5 and/or SHA-256 hash(es) of the filesystem script file loaded at process launch | FILTERABLE |
| scriptload_name | Filesystem path of script file(s) loaded at process launch | FILTERABLE, WILDCARD |
| scriptload_publisher[].name | Array with objects of two keys: “name” and “state”. Each array entry is a signature entry for the scriptload as reported by the endpoint | FILTERABLE, WILDCARD (filterable field: scriptload_publisher) |
| scriptload_publisher[].state | See above | FILTERABLE (filterable field: scriptload_publisher_state) |
| scriptload_reputation | Reputation(s) of the loaded script(s); applied when the event is processed by the Carbon Black Cloud, i.e. after the sensor delivers the event to the cloud. Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later, and Enterprise EDR. Values: ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST | FILTERABLE |

NGAV Scriptload Event

| Field | Definition | Capabilities |
|---|---|---|
| process_loaded_script_hash | SHA-256 hash(es) of any script loaded from the filesystem through the duration of the process; compare with fileless_scriptload_hash | FILTERABLE |
| process_loaded_script_name | Filesystem path(s) of any script content loaded from the filesystem through the duration of the process; compare with fileless_scriptload_cmdline, scriptload_content | FILTERABLE, WILDCARD |
| scriptload_content | Deobfuscated script content (string, binary, or raw executable image) loaded from the filesystem at process launch; compare with fileless_scriptload_cmdline, process_loaded_script_name. Requires Windows CBC sensor 3.6 or later, AMSI support via Windows 10/Server version 1703 or later, and the Endpoint Standard product. For more information see here. | FILTERABLE |
| scriptload_count | Count of scriptload events across all processes reported by the sensor since last initialization | FILTERABLE |
| scriptload_hash | MD5 and/or SHA-256 hash(es) of the filesystem script file loaded at process launch | FILTERABLE |
| scriptload_name | Filesystem path of script file(s) loaded at process launch | FILTERABLE, WILDCARD |
| scriptload_content_length | Character count of the deobfuscated filesystem script; compare with fileless_scriptload_cmdline_length. Requires Windows CBC sensor 3.6 or later, AMSI support via Windows 10/Server version 1703 or later, and the Endpoint Standard product. For more information see here. | FILTERABLE |
Volume Event
endpoint.event.volume
Events generated for volume operations, including mounting and un-mounting of external devices. A “volume” event includes the fields named in the “Common Fields” section above.
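The `type` field in the common fields is what a consumer keys on to decide which of the per-type fields above must be present, and `schema` is what it checks before trusting those definitions. The following consumer, an added example that is not code from the Data Forwarder or Carbon Black, reads newline-delimited event JSON, rejects records missing the fields the tables above list for their type, and runs three defender-side triage rules that use only fields defined on this page (sensor_action, crossproc_action with crossproc_target, and netconn_inbound with netconn_domain). The required-field lists are taken from the tables; the triage rules, sample events and GUIDs are constructed here.

```python
"""Validate Data Forwarder endpoint events by type and apply triage rules.

Added example, not code from the Data Forwarder or Carbon Black. The
required-field lists come from the field tables on this page; the triage
rules, the sample events and their GUIDs are constructed for illustration.
"""
import ipaddress
import json

SUPPORTED_SCHEMA = "1"
COMMON_REQUIRED = ("type", "schema", "org_key", "device_id", "process_guid")
NETCONN_REQUIRED = ("local_ip", "local_port", "remote_ip", "remote_port",
                    "netconn_protocol", "netconn_inbound")
REQUIRED_BY_TYPE = {
    "endpoint.event.netconn": NETCONN_REQUIRED,
    # A proxy connection carries the netconn fields plus the proxy end.
    "endpoint.event.netconn_proxy": NETCONN_REQUIRED
    + ("netconn_proxy_ip", "netconn_proxy_port"),
    "endpoint.event.crossproc": ("crossproc_action", "crossproc_name",
                                 "crossproc_target"),
    "endpoint.event.filemod": ("filemod_name", "filemod_hash"),
    "endpoint.event.procstart": ("childproc_guid", "childproc_name",
                                 "childproc_pid"),
}

# Constructed newline-delimited JSON, one event per line (not real data).
SAMPLE_LINES = r"""
{"type": "endpoint.event.netconn", "schema": 1, "org_key": "ORGKEY", "device_id": 101, "process_guid": "g-1", "local_ip": "10.0.0.7", "local_port": 51234, "remote_ip": "93.184.216.34", "remote_port": 443, "netconn_protocol": "TCP", "netconn_inbound": false, "netconn_domain": ""}
{"type": "endpoint.event.netconn", "schema": "1", "org_key": "ORGKEY", "device_id": 101, "process_guid": "g-2", "local_ip": "10.0.0.7", "local_port": 51235, "remote_ip": "10.0.0.5", "remote_port": 445, "netconn_protocol": "TCP", "netconn_inbound": false, "netconn_domain": ""}
{"type": "endpoint.event.crossproc", "schema": "1", "org_key": "ORGKEY", "device_id": 101, "process_guid": "g-3", "crossproc_action": "ACTION_CREATE_REMOTE_THREAD", "crossproc_name": "C:\\Windows\\explorer.exe", "crossproc_target": false}
{"type": "endpoint.event.filemod", "schema": "1", "org_key": "ORGKEY", "device_id": 101, "process_guid": "g-4", "filemod_name": "C:\\Users\\alice\\notes.txt"}
{"type": "endpoint.event.procstart", "schema": "1", "org_key": "ORGKEY", "device_id": 101, "process_guid": "g-5", "childproc_guid": "g-5c", "childproc_name": "C:\\Temp\\setup.exe", "childproc_pid": 4242, "sensor_action": "TERMINATE"}
{"type": "endpoint.event.crossproc", "schema": "1", "org_key": "ORGKEY", "device_id": 101, "process_guid": "g-6", "crossproc_action": "ACTION_CREATE_REMOTE_THREAD", "crossproc_name": "C:\\Windows\\explorer.exe", "crossproc_target": true}
"""


def missing_fields(event):
    """Names of fields the spec says must be present for this event's type."""
    required = COMMON_REQUIRED + REQUIRED_BY_TYPE.get(event.get("type"), ())
    return [f for f in required if f not in event]


def split_hashes(hashes):
    """Sort a hash array into (md5, sha256) by digest length, not position."""
    md5 = sha256 = None
    for h in hashes or []:
        if len(h) == 32:
            md5 = h.lower()
        elif len(h) == 64:
            sha256 = h.lower()
    return md5, sha256


def triage(event):
    """Reason strings for an event; an empty list means nothing notable."""
    reasons = []
    if str(event.get("schema")) != SUPPORTED_SCHEMA:
        reasons.append(f"unsupported schema {event.get('schema')!r}")
    # sensor_action is optional and only present when policy was enforced.
    if event.get("sensor_action") in ("TERMINATE", "DENY"):
        reasons.append(f"sensor enforced policy: {event['sensor_action']}")
    kind = event.get("type")
    if (kind == "endpoint.event.crossproc"
            and event.get("crossproc_action") == "ACTION_CREATE_REMOTE_THREAD"
            and not event.get("crossproc_target")):
        # crossproc_target False means this process was the actor, not the target.
        reasons.append(f"actor created a remote thread in {event.get('crossproc_name')}")
    if (kind in ("endpoint.event.netconn", "endpoint.event.netconn_proxy")
            and not event.get("netconn_inbound")):
        remote = ipaddress.ip_address(event["remote_ip"])
        # netconn_domain is empty when the connection went straight to an IP.
        if remote.is_global and not event.get("netconn_domain"):
            reasons.append(f"outbound to public {remote} with no DNS name")
    return reasons


def process_lines(lines):
    """Consume newline-delimited JSON; returns (findings, rejected)."""
    findings, rejected = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        missing = missing_fields(event)
        if missing:
            rejected.append((event.get("process_guid"), missing))
            continue
        for reason in triage(event):
            findings.append((event["process_guid"], reason))
    return findings, rejected
```

Rejecting on missing required fields rather than defaulting them keeps a schema change from silently turning into a detection gap; the `schema` check does the same for a backwards-incompatible bump.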
Alert Fields
“Common fields” are present in all alert types, while other fields are only present for a specific alert type.
Common Fields
The Data Forwarder emits a set of common fields for every alert. These fields represent common metadata for the customer, device, and alert.
| Field | Definition |
|---|---|
| alert_url | A redirect link to refer back to the Carbon Black Cloud console. CB_ANALYTICS alerts redirect to the Alert Triage page for the specific alert; WATCHLIST alerts redirect to the Investigate page for the specific alert; DEVICE_CONTROL and CONTAINER_RUNTIME alerts redirect to the Alerts page. |
| category | Type of alert. Values: WARNING, NOTICE. Note: the values differ from the Alerts API, where 'WARNING' is 'THREAT' and 'NOTICE' is 'MONITORED'. |
| create_time | The time the alert was created, in ISO 8601 UTC timestamp format to milliseconds. Example: 2021-07-28T18:38:41.000Z |
| device_external_ip | IP address of the endpoint from the perspective of the Carbon Black Cloud. Can differ from device_internal_ip due to a network proxy or NAT. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”) |
| device_id | Integer ID of the device that created this alert (always empty for Container Runtime alerts) |
| device_internal_ip | IP address of the endpoint as reported by the sensor. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”) (always empty for Container Runtime alerts) |
| device_name | Hostname of the device that created this alert (always empty for Container Runtime alerts) |
| device_os | OS type of the device (Windows/OSX/Linux) (always empty for Container Runtime alerts) |
| device_os_version | Version of the OS on the device (e.g. Windows 10 x64) (always empty for Container Runtime alerts) |
| device_uem_id | “Unified Endpoint Management” identifier assigned by VMware Workspace ONE Intelligence; only populated if the Workspace ONE integration is configured. Unique across Carbon Black Cloud, in GUID format (e.g. “FC3992EE-A8CD-5AD5-AC6D-A477490456E4”) (always empty for Container Runtime alerts) |
| device_username | Name of the user that installed the device. To get the actual user involved in the device alert, get the underlying event or process data. (always empty for Container Runtime alerts) |
| first_event_time | The time the first event associated with the alert was seen, in ISO 8601 UTC format to seconds. Example: 2021-07-28T17:38:47Z |
| id | The unique long id of the alert |
| last_event_time | The time the most recent event associated with the alert was seen, in ISO 8601 UTC format to seconds. Example: 2021-07-28T17:38:47Z |
| last_update_time | The time the alert was last updated, in ISO 8601 UTC format to seconds. Example: 2021-07-28T17:38:47Z |
| legacy_alert_id | The unique short id of the alert |
| notes_present | True if notes are associated with the alert |
| org_key | The organization key associated with the console instance. Can be used to disambiguate alerts from different customers/organizations. |
| policy_id | ID associated with the policy that triggered the alert |
| policy_name | Name of the policy that triggered the alert |
| severity | The severity of the alert |
| tags | A list of tags associated with the alert |
| target_value | Device priority as assigned via the policy. Values: LOW, MEDIUM, HIGH, CRITICAL |
| threat_id | ID of the threat to which this alert belongs |
| type | The alert type. Use this field to determine which fields to expect per the specs below. Values: CB_ANALYTICS, DEVICE_CONTROL, WATCHLIST, CONTAINER_RUNTIME |
| workflow | Tracking system for alerts as they are triaged and resolved |
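Three facts in the common alert fields shape how a downstream store should treat alerts: a new copy of an alert is sent whenever something changes on the backend, so `id` plus `last_update_time` decide which copy is current; the `category` vocabulary differs from the Alerts API; and CONTAINER_RUNTIME alerts carry empty device_* fields. The store below is an added example, not code from the Data Forwarder or Carbon Black; the sample alerts are constructed, and the out-of-order delivery it handles is an assumption about how files land in S3 rather than something the page states.

```python
"""Keep a current view of Data Forwarder alerts as re-sent copies arrive.

Added example, not code from the Data Forwarder or Carbon Black. The sample
alerts are constructed; the field names, the WARNING/NOTICE to THREAT/
MONITORED mapping and the empty device fields on CONTAINER_RUNTIME alerts
come from the table above. Out-of-order arrival is an assumption.
"""
from datetime import datetime, timezone

# Forwarder category -> Alerts API category, per the category row above.
API_CATEGORY = {"WARNING": "THREAT", "NOTICE": "MONITORED"}


def parse_time(value):
    """ISO 8601 UTC with a 'Z' suffix, with or without milliseconds."""
    text = value[:-1] + "+00:00" if value.endswith("Z") else value
    parsed = datetime.fromisoformat(text)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def api_category(alert):
    """Translate the forwarder's category into the Alerts API vocabulary."""
    return API_CATEGORY.get(alert.get("category"), alert.get("category"))


def device_label(alert):
    """Human-readable origin; CONTAINER_RUNTIME alerts carry no device_* values."""
    if alert.get("type") == "CONTAINER_RUNTIME":
        parts = (alert.get("cluster_name"), alert.get("namespace"),
                 alert.get("workload_name"))
        return "/".join(p for p in parts if p)
    return alert.get("device_name") or f"device-{alert.get('device_id')}"


class AlertStore:
    """Newest copy per alert id; the forwarder re-sends an alert when it changes."""

    def __init__(self):
        self._alerts = {}  # id -> (last_update_time, alert)

    def upsert(self, alert):
        """Returns 'new', 'updated', or 'stale' for a copy that arrived late."""
        key = alert["id"]
        stamp = parse_time(alert["last_update_time"])
        current = self._alerts.get(key)
        if current is None:
            self._alerts[key] = (stamp, alert)
            return "new"
        if stamp <= current[0]:
            return "stale"
        self._alerts[key] = (stamp, alert)
        return "updated"

    def get(self, alert_id):
        entry = self._alerts.get(alert_id)
        return entry[1] if entry else None

    def threats(self):
        """Ids of alerts the Alerts API would call THREAT, newest update first."""
        rows = [(stamp, key) for key, (stamp, alert) in self._alerts.items()
                if api_category(alert) == "THREAT"]
        return [key for stamp, key in sorted(rows, reverse=True)]


# Constructed sample: the same alert twice (newer copy arrives first) plus a
# container alert with its device fields empty.
SAMPLE_ALERTS = [
    {"id": "a-1", "type": "CB_ANALYTICS", "category": "WARNING",
     "device_id": 101, "device_name": "host-1", "tags": ["escalated"],
     "last_update_time": "2021-07-28T18:38:47Z"},
    {"id": "a-1", "type": "CB_ANALYTICS", "category": "WARNING",
     "device_id": 101, "device_name": "host-1", "tags": [],
     "last_update_time": "2021-07-28T17:38:47Z"},
    {"id": "c-9", "type": "CONTAINER_RUNTIME", "category": "NOTICE",
     "device_id": "", "device_name": "", "cluster_name": "prod-east",
     "namespace": "payments", "workload_name": "api",
     "last_update_time": "2021-07-28T18:40:00.000Z"},
]


def load_samples():
    """Feed the constructed alerts through a store; returns (store, outcomes)."""
    store = AlertStore()
    outcomes = [store.upsert(a) for a in SAMPLE_ALERTS]
    return store, outcomes
```

Keying on `id` rather than `legacy_alert_id` and comparing parsed `last_update_time` values is what prevents a late-arriving older copy from overwriting analyst-visible state such as `tags`.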
CB Analytics
| Field | Definition |
|---|---|
| blocked_threat_category | The category of threat on which no action could be taken. Values: UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM |
| created_by_event_id | The ID of the event that created the alert |
| device_location | The location of the device. Values: ONSITE, OFFSITE, UNKNOWN |
| kill_chain_status | Phase of the Cyber Kill Chain the alert represents |
| not_blocked_threat_category | Other potentially malicious activity involved in the threat on which action could be taken, either due to policy configuration or because there was no relevant rule. Values: UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM |
| policy_applied | Whether a policy was applied |
| process_name | Name of the executable file backing this process on the device's file system |
| reason | Description of the alert |
| reason_code | Shorthand enum for the full-text reason |
| run_state | Whether the threat in the alert actually ran. Values: DID_NOT_RUN, RAN, UNKNOWN |
| sensor_action | The action taken by the sensor, according to the rules of the policy. Values: POLICY_NOT_APPLIED, ALLOW, ALLOW_AND_LOG, TERMINATE, DENY |
| threat_activity_c2 | Whether the alert involved a C2 server. Values: NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED |
| threat_activity_dlp | Whether the alert involved DLP. Values: NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED |
| threat_activity_phish | Whether the alert involved phishing. Values: NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED |
| threat_cause_actor_name | The name can be one of the following: process command line, process path, process name, or analytic matched threat. Analytic matched threats are Exploit, Malware, PUP, or Trojan |
| threat_cause_actor_process_pid | PID of the actor process |
| threat_cause_actor_sha256 | SHA256 or remote IP of the threat cause actor. The actor will be a remote IP when the alert is created from a netconn event |
| threat_cause_cause_event_id | Event ID that triggered the event |
| threat_cause_reputation | Reputation of the threat cause |
| threat_cause_threat_category | Threat category. Values: UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM |
| threat_cause_vector | Source of the threat cause |
| threat_indicators | List of the threat indicators that make up the threat |
Container Runtime
| Field | Definition |
|---|---|
| cluster_name | Name of the K8s cluster associated with the alert |
| connection_type | Type of connection. Values: INGRESS, EGRESS, INTERNAL_INBOUND, INTERNAL_OUTBOUND |
| egress_group_id | ID of the egress group |
| egress_group_name | Name of the egress group |
| ip_reputation | Reputation assigned by Carbon Black Cloud; ranges 1-100, where 100 is “trustworthy” |
| namespace | Namespace within the K8s cluster associated with the alert |
| port | Listening port; remote or local |
| protocol | Name of the protocol. Example values: HTTP, TLS, TCP, TELNET, SSH |
| remote_domain | Name of the remote domain |
| remote_ip | IP address of the remote side |
| remote_is_private | Type of remote IP: public or private (“private” means within the cluster or the org's network; “public” means outside of the cluster and the org's network). Values: TRUE, FALSE |
| remote_namespace | Namespace within the remote workload's cluster; set if the remote side is another workload in the same cluster |
| remote_replica_id | Remote workload replica ID; set if the remote side is another workload in the same cluster |
| remote_workload_id | ID of the remote workload; set if the remote side is another workload in the same cluster |
| remote_workload_kind | Kind of remote workload; set if the remote side is another workload in the same cluster |
| remote_workload_name | Name of the remote workload; set if the remote side is another workload in the same cluster |
| replica_id | Name of the pod within a workload |
| rule_id | Unique identifier for the K8s policy rule |
| rule_name | Name of the K8s policy rule |
| workload_id | ID of the workload within a specific cluster_name/namespace pair |
| workload_kind | Type of workload: Pod, Deployment, Job, etc. |
| workload_name | Name of the workload within a cluster_name/namespace pair |
Device Control
| Field | Definition |
|---|---|
| device_location | The location of the device. Values: ONSITE, OFFSITE, UNKNOWN |
| external_device_friendly_name | The human-readable USB device name |
| policy_applied | Whether a policy was applied |
| product_id | The hexadecimal id of the USB device's product |
| product_name | The name of the USB device's product |
| reason | Description of the alert |
| reason_code | Shorthand enum for the full-text reason |
| run_state | Whether the threat in the alert actually ran. Values: DID_NOT_RUN, RAN, UNKNOWN |
| serial_number | The serial number of the USB device |
| threat_cause_cause_event_id | Event ID that triggered the event |
| threat_cause_threat_category | Threat category. Values: UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM |
| threat_cause_vector | Source of the threat cause |
| vendor_name | The name of the USB device's vendor |
| vendor_id | The hexadecimal id of the USB device's vendor |
Watchlist
| Field | Definition |
|---|---|
| ioc_id | ID of the IOC that caused the hit |
| ioc_field | Field name corresponding to the value returned by ioc_hit (only returned for equality IOCs) |
| ioc_hit | IOC field value, or IOC query that matches |
| process_guid | Unique ID of the process |
| process_path | Tokenized path of the process' binary |
| report_id | Id of the report that generated a hit on the process |
| report_name | Name of the report that generated a hit on the process |
| reason_code | GUID string |
| run_state | Run state is always RAN for watchlist alerts |
| threat_cause_actor_name | The process path of the threat actor |
| threat_cause_actor_process_pid | PID of the actor process |
| threat_cause_actor_sha256 | SHA256 or remote IP of the threat cause actor. The actor will be a remote IP when the alert is created from a netconn event |
| threat_cause_cause_event_id | Event ID that triggered the event |
| threat_cause_reputation | Reputation of the threat cause |
| threat_cause_threat_category | Category of the threat cause |
| threat_cause_vector | The source of the threat cause |
| threat_indicators | List of the threat indicators that make up the threat |
| watchlists | List of watchlists associated with an alert |
Watchlist Hit Fields
The Carbon Black Cloud Data Forwarder emits a set of fields for every watchlist hit. These fields represent metadata for the organization, device, process, ioc, report and watchlist to which the hit belongs.
Field | Definition |
---|---|
alert_id | The ID of the Alert this watchlist hit is associated with |
create_time | The time the watchlist hit was created, in ISO 8601 UTC timestamp format to milliseconds. Example: 2021-07-28T18:38:41.000Z |
device_external_ip | IP address of the endpoint from the perspective of the Carbon Black Cloud. Can differ from device_internal_ip due to network proxy or NAT. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”) |
device_id | Integer ID of the device that created this watchlist hit |
device_internal_ip | IP address of the endpoint as reported by the sensor. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”) |
device_name | Hostname of the device that created this watchlist hit |
device_os | OS type of the device (Windows/OSX/Linux) |
device_uem_id | “Unified Endpoint Management” identifier assigned by VMware Workspace ONE Intelligence; only populated if the Workspace ONE integration is configured. Unique across Carbon Black Cloud, in GUID format (e.g. “FC3992EE-A8CD-5AD5-AC6D-A477490456E4”) |
ioc_field | Field the IOC hit contains |
ioc_hit | IOC field value, or IOC query that matches |
ioc_id | ID of the IOC that caused the hit |
org_key | The organization key associated with the console instance. Can be used to disambiguate alerts from different customers/organizations |
parent_cmdline | Command line executed by the parent process |
parent_guid | Unique ID of the parent process. See the Deconstructing the Process GUID document (under Related Resources) for how a process GUID is used and what each of its components means |
parent_hash | Cryptographic hashes of the executable file backing the parent process, represented as an array of two elements: the MD5 hash and the SHA-256 hash |
parent_path | Full path to the executable file backing the parent process on the device’s file system |
parent_pid | OS-reported Process ID of the parent process |
parent_publisher[].name | Array of objects with two keys, “name” and “state”. Each array entry is a signature entry for the parent process as reported by the endpoint |
parent_publisher[].state | See above |
parent_reputation | Reputation of the parent process; applied when the event is processed by the Carbon Black Cloud, i.e. after the sensor delivers the event to the cloud |
parent_username | The username associated with the user context that the parent process was started under |
process_cmdline | Command line executed by the actor process |
process_guid | Unique ID of the process. See the Deconstructing the Process GUID document (under Related Resources) for how a process GUID is used and what each of its components means |
process_hash | Cryptographic hashes of the executable file backing this process, represented as an array of two elements: the MD5 hash and the SHA-256 hash |
process_path | Full path to the executable file backing this process on the device’s file system |
process_pid | OS-reported Process ID of the current process |
process_publisher[].name | Array of objects with two keys, “name” and “state”. Each array entry is a signature entry for the process as reported by the endpoint |
process_publisher[].state | See above |
process_reputation | Reputation of the actor process; applied when the event is processed by the Carbon Black Cloud, i.e. after the sensor delivers the event to the cloud |
process_username | The username associated with the user context that this process was started under |
report_id | ID of the watchlist report(s) that detected a hit on the process |
report_name | Name of the watchlist report(s) that detected a hit on the process |
report_tags | List of tags associated with the report(s) that detected a hit on the process |
severity | The severity of the watchlist hit |
type | The watchlist hit type; always watchlist.hit |
watchlists | List of watchlists that contain the report of the IOC hit |
Data Samples
The following are samples of each record type: an endpoint.event, alerts of type WATCHLIST, CB_ANALYTICS, CONTAINER_RUNTIME and DEVICE_CONTROL, and a watchlist.hit.
endpoint.event
```json
{
  "type": "endpoint.event.procstart",
  "process_guid": "ABCD1234-006e8d46-00001310-00000000-1d5fd46cc37d700",
  "parent_guid": "ABCD1234-006e8d46-00000290-00000000-1d5fa5dbbaa12ce",
  "backend_timestamp": "2020-03-25 22:38:54 +0000 UTC",
  "org_key": "ABCD1234",
  "device_id": "7245126",
  "device_name": "cbc-win10",
  "device_external_ip": "72.152.92.146",
  "device_os": "WINDOWS",
  "device_group": "Windows Group",
  "action": "ACTION_CREATE_PROCESS",
  "schema": 1,
  "event_description": "The application \"<share><link hash=\"0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043\">C:\\program files (x86)\\google\\chrome\\application\\chrome.exe</link></share>\" invoked the application \"<share><link hash=\"0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043\">C:\\program files (x86)\\google\\chrome\\application\\chrome.exe</link></share>\". ",
  "alert_id": "WXYZ0987",
  "event_id": "54885ebc6ee911eabc70416f8358e4f2",
  "device_timestamp": "2020-03-25 22:38:03.353 +0000 UTC",
  "process_terminated": false,
  "process_reputation": "REP_RESOLVING",
  "parent_reputation": "",
  "process_pid": 4880,
  "parent_pid": 656,
  "process_publisher": [
    {
      "name": "Google Inc",
      "state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED"
    }
  ],
  "process_path": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
  "parent_path": "c:\\windows\\system32\\services.exe",
  "process_hash": [
    "3623a0e7cdcf3310ffb4c87c5b43ae02",
    "0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043"
  ],
  "parent_hash": [
    "db896369fb58241adf28515e3765c514",
    "a2e369df26c88015fe1f97c7542d6023b5b1e4830c25f94819507ee5bcb1dfcc"
  ],
  "process_cmdline": "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox",
  "parent_cmdline": "",
  "process_username": "CBC-WIN10\\user",
  "sensor_action": "ALLOW",
  "childproc_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
  "childproc_hash": [
    "3623a0e7cdcf3310ffb4c87c5b43ae02",
    "0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043"
  ],
  "target_cmdline": "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --field-trial-handle=1656,13710686576560040528,13403776044656688818,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=5236 --ignored=\" --type=renderer \" /prefetch:8"
}
```
Alerts
WATCHLIST
```json
{
  "type": "WATCHLIST",
  "id": "951d536a-2817-4790-8c97-c2d31624de7c",
  "legacy_alert_id": "ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613-BC154984541016AFD2467DF221AA20FD",
  "org_key": "ABCD1234",
  "create_time": "2021-01-04T23:33:32Z",
  "last_update_time": "2021-01-04T23:33:32Z",
  "first_event_time": "2021-01-04T23:25:58Z",
  "last_event_time": "2021-01-04T23:25:58Z",
  "threat_id": "A22D9AFD42B85FF4FE6C8AE1DB6FBD6C",
  "severity": 7,
  "category": "WARNING",
  "device_id": 3775337,
  "device_os": "WINDOWS",
  "device_name": "CBcloud-win10",
  "device_username": "admin",
  "policy_id": 6525,
  "policy_name": "default",
  "target_value": "MEDIUM",
  "workflow": {
    "state": "OPEN",
    "remediation": "",
    "last_update_time": "2021-01-04T23:32:19Z",
    "comment": "",
    "changed_by": "Carbon Black"
  },
  "device_internal_ip": "123.45.67.890",
  "device_external_ip": "23.45.67.89",
  "alert_url": "https://defense.conferdeploy.net/cb/investigate/processes?orgId=123\u0026query=alert_id%3A951d536a-2817-4790-8c97-c2d31624de7c+AND+device_id%3A3775337\u0026searchWindow=ALL",
  "reason_code": "Process powershell.exe was detected by the report \"Execution - PowerShell Downloading Behaviors Detected\" in watchlist \"Carbon Black Advanced Threats\"",
  "process_name": "powershell.exe",
  "threat_indicators": [{
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["e41b000e-eb5a-41f4-aa67-1902d186a457-0"]
  }],
  "threat_cause_actor_sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
  "threat_cause_actor_name": "powershell.exe",
  "threat_cause_reputation": "COMMON_WHITE_LIST",
  "threat_cause_threat_category": "RESPONSE_WATCHLIST",
  "threat_cause_vector": "UNKNOWN",
  "run_state": "RAN",
  "ioc_id": "e41b000e-eb5a-41f4-aa67-1902d186a457-0",
  "ioc_hit": "(process_cmdline:powershell* AND (process_cmdline:.downloaddata OR process_cmdline:.downloadstring OR process_cmdline:.downloadfile) -process_cmdline:chocolatey.org*) -enriched:true",
  "watchlists": [{
    "id": "mrTB06fAQbeNfvl47cQiGg",
    "name": "Carbon Black Advanced Threats"
  }],
  "process_guid": "ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613",
  "process_path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
  "report_name": "Execution - PowerShell Downloading Behaviors Detected",
  "report_id": "MLRtPcpQGKFh5OE4BT3tQ-e41b000e-eb5a-41f4-aa67-1902d186a457",
  "status": "UNRESOLVED"
}
```
CB_ANALYTICS
```json
{
  "type": "CB_ANALYTICS",
  "id": "36259335daf0f2c4edb11ebb2828b41ebaf3867",
  "legacy_alert_id": "ZHGKP3EM",
  "org_key": "ABCD1234",
  "create_time": "2021-01-04T22:22:52Z",
  "last_update_time": "2021-01-04T22:23:05Z",
  "first_event_time": "2021-01-04T22:22:42Z",
  "last_event_time": "2021-01-04T22:22:42Z",
  "threat_id": "f7959830dfea89252d459b056ab43222",
  "severity": 4,
  "category": "NOTICE",
  "device_id": 3625933,
  "device_os": "WINDOWS",
  "device_os_version": "Windows 10 x64",
  "device_name": "win10-ps-moid",
  "device_username": "jdoe@carbonblack.com",
  "policy_id": 6525,
  "policy_name": "default",
  "target_value": "MEDIUM",
  "workflow": {
    "state": "OPEN",
    "remediation": "",
    "last_update_time": "2021-01-04T22:22:52Z",
    "comment": "",
    "changed_by": "Carbon Black"
  },
  "device_internal_ip": "123.45.67.890",
  "device_external_ip": "23.45.67.89",
  "alert_url": "https://defense.conferdeploy.net/triage?incidentId=ZHGKP3EM\u0026orgId=123",
  "reason": "The application powershell.exe is executing a fileless script or command.",
  "reason_code": "R_FILELESS",
  "process_name": "powershell.exe",
  "device_location": "OFFSITE",
  "created_by_event_id": "5daf0f2c4edb11ebb2828b41ebaf3867",
  "threat_indicators": [{
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["MODIFY_MEMORY_PROTECTION"]
  }, {
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"]
  }, {
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["FILELESS"]
  }, {
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["MITRE_T1057_PROCESS_DISCOVERY"]
  }, {
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["CODE_DROP"]
  }, {
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["ENUMERATE_PROCESSES"]
  }],
  "threat_cause_actor_sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
  "threat_cause_actor_name": "powershell.exe",
  "threat_cause_actor_process_pid": "3292-132541831999374961-0",
  "threat_cause_reputation": "COMMON_WHITE_LIST",
  "threat_cause_threat_category": "NON_MALWARE",
  "threat_cause_vector": "UNKNOWN",
  "threat_cause_cause_event_id": "5daf0f344edb11ebb2828b41ebaf3867",
  "blocked_threat_category": "UNKNOWN",
  "not_blocked_threat_category": "NON_MALWARE",
  "kill_chain_status": ["DELIVER_EXPLOIT"],
  "run_state": "RAN",
  "policy_applied": "NOT_APPLIED"
}
```
CONTAINER_RUNTIME
```json
{
  "type": "CONTAINER_RUNTIME",
  "id": "aff50e67-d2cd-54a0-c3e3-1c6958d0005e",
  "legacy_alert_id": "aff50e67-d2cd-54a0-c3e3-1c6958d0005e",
  "org_key": "ABCD1234",
  "create_time": "2022-01-31T15:02:10Z",
  "last_update_time": "2022-01-31T15:02:10Z",
  "first_event_time": "2022-01-31T14:59:12Z",
  "last_event_time": "2022-01-31T14:59:12Z",
  "threat_id": "20ade0039400d2baf87c6a868df74ff31c8613b0b5823bd85ce8350e8c18e3cb",
  "severity": 5,
  "category": "WARNING",
  "policy_id": "7cce137c-b9c5-4cf0-96c7-2be6514f7a40",
  "policy_name": "demo001",
  "target_value": "MEDIUM",
  "workflow": {
    "state": "OPEN",
    "remediation": "",
    "last_update_time": "2022-01-31T15:00:14Z",
    "comment": "",
    "changed_by": "Carbon Black"
  },
  "alert_url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1234567",
  "reason": "Detected a connection to a public destination that isn't allowed for this scope",
  "run_state": "RAN",
  "cluster_name": "e2e:containers-e2e-85wt",
  "namespace": "cbcontainers-dataplane",
  "workload_kind": "Deployment",
  "workload_id": "cbcontainers-hardening-enforcer",
  "workload_name": "cbcontainers-hardening-enforcer",
  "replica_id": "cbcontainers-hardening-enforcer-557d87866-4j4j5",
  "connection_type": "EGRESS",
  "remote_is_private": false,
  "remote_ip": "52.23.6.129",
  "protocol": "PROTO_TCP",
  "port": 443,
  "ip_reputation": 48,
  "rule_id": "f8b1637a-dc0c-49bb-bc28-5b48f97e6d58",
  "rule_name": "Allowed public destinations"
}
```
DEVICE_CONTROL
```json
{
  "type": "DEVICE_CONTROL",
  "id": "uds_c8eb7306af264a9ab677814b3af69720",
  "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720",
  "org_key": "6X3T6RYXJ",
  "create_time": "2020-11-17T22:05:13Z",
  "last_update_time": "2020-11-17T22:05:13Z",
  "first_event_time": "2020-11-17T22:02:16Z",
  "last_event_time": "2020-11-17T22:02:16Z",
  "threat_id": "60b43c178d148756368ddea72f731ce108ea54d2b29171bff509c619d2a7eb6c",
  "severity": 3,
  "category": "WARNING",
  "device_id": 7604419,
  "device_os": "WINDOWS",
  "device_os_version": "Windows 10 x64",
  "device_name": "DESKTOP-4O07JV2",
  "device_username": "jdoe",
  "policy_id": 6997287,
  "policy_name": "Standard",
  "target_value": "MEDIUM",
  "workflow": {
    "state": "OPEN",
    "remediation": "",
    "last_update_time": "2020-11-17T22:02:16Z",
    "comment": "",
    "changed_by": "Carbon Black"
  },
  "device_internal_ip": "172.17.2.130",
  "device_external_ip": "71.218.76.221",
  "alert_url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976",
  "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.",
  "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC",
  "device_location": "UNKNOWN",
  "threat_cause_threat_category": "NON_MALWARE",
  "threat_cause_vector": "REMOVABLE_MEDIA",
  "threat_cause_cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E",
  "sensor_action": "DENY",
  "run_state": "DID_NOT_RUN",
  "policy_applied": "APPLIED",
  "vendor_name": "SanDisk",
  "vendor_id": "0x0781",
  "product_name": "U3 Cruzer Micro",
  "product_id": "0x5406",
  "serial_number": "0875920EF7C2A304"
}
```
watchlist.hit
```json
{
  "schema": 1,
  "create_time": "2021-12-10T19:28:27.384Z",
  "device_external_ip": "200.201.30.123",
  "device_id": 4467271,
  "device_internal_ip": "10.33.4.214",
  "device_name": "Carbonblack-win1",
  "device_os": "WINDOWS",
  "ioc_hit": "(((process_name:cmd.exe AND process_cmdline:\\/c) AND -childproc_name:facefoduninstaller.exe)) -enriched:true",
  "ioc_id": "565642-0",
  "org_key": "6X3T6RYXJ",
  "parent_cmdline": "\"C:\\Program Files\\Aella\\aella_conf_win_srv\\aella_conf_win_srv.exe\"",
  "parent_guid": "6X3T6RYXJ-00442a47-00001520-00000000-1d7d5d3419e653f",
  "parent_hash": ["6174da1a2dd7594456bbb3ae50ac5587", "2ad7d1a17ee2dd897a5a45515e5ae46f8b6b61d3f67c90c1fa0c7910f06d0515"],
  "parent_path": "c:\\program files\\aella\\aella_conf_win_srv\\aella_conf_win_srv.exe",
  "parent_pid": 5408,
  "parent_publisher": [{
    "name": "Stellar Cyber Inc",
    "state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED"
  }],
  "parent_reputation": "REP_ADAPTIVE",
  "parent_username": "NT AUTHORITY\\SYSTEM",
  "process_cmdline": "C:\\WINDOWS\\system32\\cmd.exe /c \"sc queryex aella_conf\"",
  "process_guid": "6X3T6RYXJ-00442a47-00001574-00000000-1d7edfbdd2d4880",
  "process_hash": ["d0fce3afa6aa1d58ce9fa336cc2b675b", "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22"],
  "process_path": "c:\\windows\\syswow64\\cmd.exe",
  "process_pid": 5492,
  "process_publisher": [{
    "name": "Microsoft Windows",
    "state": "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS | FILE_SIGNATURE_STATE_CATALOG_SIGNED"
  }],
  "process_reputation": "REP_WHITE",
  "process_username": "NT AUTHORITY\\SYSTEM",
  "report_id": "CFnKBKLTv6hUkBGFobRdg-565642",
  "report_name": "Execution - Command-Line Interface (cmd.exe /c)",
  "report_tags": ["attack", "attackframework", "threathunting", "hunting", "windows", "execution", "t1059"],
  "severity": 1,
  "type": "watchlist.hit",
  "watchlists": [{
    "id": "P5f9AW29TGmTOvBW156Cig",
    "name": "ATT\u0026CK Framework"
  }]
}
```
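To show how a downstream consumer handles the field conventions the tables above describe (the “A | B” string-enum bitmask in a publisher’s state, the two-element [MD5, SHA-256] hash arrays, and threat_cause_actor_sha256 carrying a remote IP rather than a hash for netconn-derived alerts), here is an added Python example; it is not Carbon Black’s code, and its function names and the trimmed sample record are this example’s own constructions.

```python
"""Ingest helpers for Carbon Black Cloud Data Forwarder records (added example,
not Carbon Black code). Handles quirks the field tables call out: the "A | B"
string-enum bitmask in publisher state, [MD5, SHA-256] hash arrays, and
threat_cause_actor_sha256 holding a remote IP for netconn-derived alerts."""
import ipaddress
import json
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
TRUSTED = {"FILE_SIGNATURE_STATE_SIGNED", "FILE_SIGNATURE_STATE_VERIFIED",
           "FILE_SIGNATURE_STATE_TRUSTED"}

def split_bitmask(value: str) -> set:
    """Split "FLAG_A | FLAG_B" (the forwarder's bitmask encoding) into a set of flags."""
    return {f.strip() for f in value.split("|") if f.strip()}

def parse_hashes(hashes: list) -> dict:
    """process_hash / parent_hash are [MD5, SHA-256]; reject anything else."""
    if len(hashes) != 2 or not MD5_RE.match(hashes[0]) or not SHA256_RE.match(hashes[1]):
        raise ValueError("expected [md5, sha256], got %r" % (hashes,))
    return {"md5": hashes[0].lower(), "sha256": hashes[1].lower()}

def classify_actor(value: str) -> tuple:
    """threat_cause_actor_sha256 is a SHA-256, or a remote IP when the alert came from a netconn."""
    if SHA256_RE.match(value):
        return ("sha256", value.lower())
    try:
        return ("ip", str(ipaddress.ip_address(value)))
    except ValueError:
        return ("unknown", value)

def normalise_hit(line: str) -> dict:
    """Flatten one watchlist.hit JSON line into the fields a SIEM rule keys on."""
    rec = json.loads(line)
    if rec.get("type") != "watchlist.hit":
        raise ValueError("not a watchlist.hit record")
    states = set()
    for pub in rec.get("process_publisher", []):
        states |= split_bitmask(pub.get("state", ""))
    return {"device_id": int(rec["device_id"]),  # int here, a string in endpoint.event
            "hashes": parse_hashes(rec["process_hash"]),
            "signed_trusted": TRUSTED <= states,  # signed, verified and trusted publisher
            "report_id": rec["report_id"],
            "watchlists": [w["name"] for w in rec.get("watchlists", [])]}

# Constructed input: a trimmed copy of the watchlist.hit sample on this page.
SAMPLE_HIT = json.dumps({
    "type": "watchlist.hit", "device_id": 4467271,
    "process_hash": ["d0fce3afa6aa1d58ce9fa336cc2b675b",
                     "4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22"],
    "process_publisher": [{"name": "Microsoft Windows", "state":
        "FILE_SIGNATURE_STATE_SIGNED | FILE_SIGNATURE_STATE_VERIFIED | "
        "FILE_SIGNATURE_STATE_TRUSTED | FILE_SIGNATURE_STATE_OS"}],
    "report_id": "CFnKBKLTv6hUkBGFobRdg-565642",
    "watchlists": [{"id": "P5f9AW29TGmTOvBW156Cig", "name": "ATT&CK Framework"}]})
```

`normalise_hit(SAMPLE_HIT)` returns the flattened record; malformed hash arrays raise rather than silently producing an empty indicator.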
Related Resources
- Deconstructing the Process GUID
- For event field mapping between EDR (CB Response) events and Carbon Black Cloud Data Forwarder events, see the Migration Guide.