Event Forwarder Data Guide

Environment

  • Carbon Black Cloud Console: December 2019 Release (0.51.0 backend) and Higher
  • CB Cloud Event Forwarder: All Versions
  • Amazon Simple Storage Service (Amazon S3)

Objective

This document describes how the Carbon Black Cloud Forwarders map field types into the output JSON format.

Data Types

Basic data types such as “int” and “string” map directly to the corresponding JSON data types. Additional data types are described below:

  • Base64 - JSON string containing base64 encoded binary data.
  • Ipaddr - JSON string containing canonically formatted IPv4 or IPv6 address.
  • Datetime - JSON string containing ISO-8601 date/time format. If no time zone is included, UTC is assumed. All timestamps emitted by the Event Forwarder are sent in ISO-8601 format.
  • String enum - JSON string containing the stringified version of the enum from the relevant protobuf field, with the common prefix stripped off. For example, “BLOCK”.
  • String enum bitmask - Same as above, but for bitmask input fields, OR markers (" | ") are added between each set bit. For example, a CbFileAction of 0x300 would be “OPEN_READ | OPEN_WRITE”.
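
The conversions above, as an added Python example (not code from this guide or from the Event Forwarder): a decoder for the four non-basic data types. The bit-to-name assignment for CbFileAction is an assumption made for the example; the guide only gives the combined rendering of 0x300.

```python
import base64
import ipaddress
from datetime import datetime, timezone

# ASSUMPTION: which of the two bits in 0x300 is OPEN_READ and which is
# OPEN_WRITE is not stated in the guide; this mapping is illustrative only.
ASSUMED_FILE_ACTION_BITS = {
    0x100: "OPEN_READ",
    0x200: "OPEN_WRITE",
}


def decode_base64(value: str) -> bytes:
    """Base64 field -> raw bytes; validate=True rejects stray characters."""
    return base64.b64decode(value, validate=True)


def decode_ipaddr(value: str) -> str:
    """Ipaddr field -> canonical text form (IPv6 leading zeros dropped,
    zero runs compressed), so two spellings of one address compare equal."""
    return str(ipaddress.ip_address(value))


def decode_datetime(value: str) -> datetime:
    """Datetime field -> timezone-aware datetime in UTC.

    The guide says a timestamp without a zone is UTC, so attach UTC in that
    case instead of leaving a naive datetime around. A trailing "Z" is
    rewritten to "+00:00" for fromisoformat on older Python versions.
    """
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def render_bitmask(mask: int, names: dict) -> str:
    """String enum bitmask: the name of every set bit, joined with " | ".

    Bits with no known name are reported rather than silently dropped, so a
    sensor newer than this decoder does not hide an action.
    """
    parts = [name for bit, name in sorted(names.items()) if mask & bit]
    unknown = mask & ~sum(names)
    if unknown:
        parts.append(f"UNKNOWN_0x{unknown:x}")
    return " | ".join(parts)
```

Feed a field value through the decoder that matches its declared type and compare the result, not the raw string; for example, `decode_ipaddr` makes the expanded IPv6 form shown in the alert tables below equal to its compressed form.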

Event Fields

“Common fields” are present in all event types, while other fields are only present for a specific event type.

Common Fields

The Carbon Black Cloud Event Forwarder emits a set of common fields for every endpoint event. These fields represent common metadata for the customer, device, and process to which this event belongs.

Note: A new copy of the alert will be sent if something changes on the backend.

Field Definition
type The event type. Use this field to determine which fields should be expected per the specs below.
schema The schema version. The current schema version is “1”. This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way. New fields in an event type or new event types will not result in a new schema version.
org_key The organization key associated with the console instance. Can be used to disambiguate events from different customers/organizations.
backend_timestamp Time when the backend received the batch of events, based on Carbon Black Cloud backend’s clock as an ISO-8601 formatted time string based on UTC.
process_guid Unique ID of process. Please see this document for more information on how a process GUID is used and each of its components.
parent_guid Unique ID of parent process. Please see this document for more information on how a process GUID is used and each of its components.
device_id Integer ID of the device that created this event
device_name Hostname of the device that created this event
device_os OS Type of device (Windows/OSX/Linux)
device_group Policy group where device belongs
action String enum containing the type represented by this event
device_timestamp Time seen on sensor, based on sensor’s clock. ISO-8601 formatted time string based on UTC.
process_reputation Carbon Black Cloud Reputation string for the current process.
parent_reputation Carbon Black Cloud Reputation string for the parent process
process_pid OS-reported Process ID of the current process
parent_pid OS-reported Process ID of the parent process
process_path Full path to the executable file backing this process on the device’s file system
parent_path Full path to the executable file backing the parent process on the device’s file system
process_hash Cryptographic hashes of the executable file backing this process, represented as an array of two elements - MD5 and SHA-256 hash
parent_hash Cryptographic hashes of the executable file backing the parent process, represented as an array of two elements - MD5 and SHA-256 hash
process_cmdline Process command line
process_username The username associated with the user context that this process was started under
sensor_action (optional) Included if the sensor blocked the event or terminated the application due to security policy

POLICY_NOT_APPLIED, ALLOW, ALLOW_AND_LOG, TERMINATE, DENY
target_cmdline Process command line associated with the target process
process_fork_pid The PID of a process forked from the actor on *nix systems. If process_pid != process_fork_pid, the current process was forked from the original process_pid.
event_origin Indicates which product the event came from.
“EDR” indicates the event originated from Enterprise EDR.
“NGAV” indicates the event originated from Endpoint Standard.

Endpoint Standard Fields

Endpoint Standard events have the event_origin field set to NGAV. If you are an Endpoint Standard customer, you will see the below fields populated in the Event Forwarder output. Enterprise EDR fields will also be present, but not populated. Endpoint Standard records only “security-relevant” events, so you will see roughly 10-20x fewer Endpoint Standard events than Enterprise EDR events.

Field Definition
device_external_ip IP address of the host as seen by the backend (the public IPv4 or IPv6 address used to contact the Carbon Black Cloud)
process_terminated Always FALSE for Endpoint Standard events
event_description Long textual description of the event as seen in the Carbon Black Cloud web console
event_id Internal Endpoint Standard event ID associated with this specific event; this event ID can be used to find the specific event in the Carbon Black Cloud web console
alert_id The ID of the Alert this event is associated with

Enterprise EDR Fields

Enterprise EDR events have the event_origin field set to EDR. Endpoint Standard fields will be present, but not populated.

Field Definition
process_terminated True if process was terminated
process_publisher[] Array of objects with two keys, “name” and “state”. Each array entry is a signature entry for the process as reported by the endpoint
parent_cmdline Process command line associated with the parent process
process_duration The time difference in seconds between the process start and process terminate event

Volume Event - endpoint.event.volume

Events generated for volume operations, including mounting and un-mounting of external devices. A “volume” event includes the fields named in the “Common Fields” section above.

Process Launch Event - endpoint.event.procstart

Each process launch event is reported as the type “endpoint.event.procstart”. A procstart event describes either a child process or a newly discovered process: a child process event has the action ACTION_CREATE_PROCESS, whereas a newly discovered process has ACTION_PROCESS_DISCOVERED. In the case of a new process only the process and childproc properties are present; there are no parent properties. The childproc properties represent the process being created, and the process properties represent the process as reported by the operating system.

The target_cmdline property is the command line that was executed to create the process represented in the childproc properties.

In addition to the common fields documented in “Common Fields”, the following fields represent metadata associated with the process start event.

Field Definition
childproc_guid Unique ID of the child process. See this document for more information on how a process GUID is used and each of its components.
childproc_hash Cryptographic hashes of the executable file backing the child process, represented as an array of two elements - MD5 and SHA-256 hash
childproc_name Full path to the target application for the child process on the device’s local file system
childproc_pid OS-reported Process ID of the child process
childproc_publisher[] Array of objects with two keys, “name” and “state”. Each array entry is a signature entry for the childproc as reported by the endpoint
childproc_reputation Carbon Black Cloud Reputation string for the childproc.
childproc_username The username associated with the user context that the child process was started under

Process Terminate Event - endpoint.event.procend

Each process-terminate event is reported as the type “endpoint.event.procend”. A “procend” event includes the fields named in the “Common Fields” section above.

API Call - endpoint.event.apicall

Each API-call event is reported as the type “endpoint.event.apicall”. An API-call event includes the fields named in the “Common Fields” section above.

Field Definition
crossproc_api Name of the operating system API called by the actor process; some API calls have a target

Network Connection - endpoint.event.netconn

Each network-connection event is reported as the type “endpoint.event.netconn”. In addition to the common fields documented in “Common Fields”, the following fields represent metadata associated with the network-connection event.

Field Definition
remote_port UDP/TCP port number associated with the “remote” end of this network connection
remote_ip IPv4 or IPv6 address in string format associated with the “remote” end of this network connection
local_port UDP/TCP port number associated with the “local” end of this network connection
local_ip IPv4 or IPv6 address in string format associated with the “local” end of this network connection
netconn_domain DNS name associated with the “remote” end of this network connection; may be empty if the name cannot be inferred or the connection is made directly to/from a remote IP address
netconn_inbound Set to true if the netconn is inbound
netconn_protocol String UDP or TCP protocol identifier

Network Proxy Connection - endpoint.event.netconn_proxy

Note: This event is preview only and will be released on March 22nd. See here for more details.

A “network proxy connection” event is any network connection event in which the process communicates with an intermediary remote device but has a different intended destination - usually an HTTP proxy intermediary. Each network proxy connection event is reported as the type “endpoint.event.netconn_proxy”. In addition to the common fields documented in “Common Fields” as well as the fields documented in “Network Connection - endpoint.event.netconn”, the following fields represent metadata associated with the network proxy connection event.

Field Definition
netconn_proxy_ip IPv4 or IPv6 address in string format associated with the “proxy” end of this network connection
netconn_proxy_port UDP/TCP port number associated with the “proxy” end of this network connection
netconn_proxy_domain DNS name associated with the “proxy” end of this network connection; may be empty if the name cannot be inferred or the connection is made directly to/from a proxy IP address

File Modification - endpoint.event.filemod

Each file-modification event is reported as the type “endpoint.event.filemod”. The following fields represent metadata associated with the file-modification event.

Field Definition
filemod_hash Cryptographic hashes of the file modified, represented as an array of two elements - MD5 and SHA-256 hash
filemod_name Full path to the file being modified on the device’s file system

Registry Modification - endpoint.event.regmod

Each registry-modification event is reported as the type “endpoint.event.regmod”. The following fields represent metadata associated with the registry-modification event.

Field Definition
regmod_name Full path to the registry key, including the hive, being modified on the Windows device’s registry

Module Load - endpoint.event.moduleload

Note: This event type will be updated with additional properties on March 22nd. See here for more details.

A “module load” is generated when a process loads a shared library (DLL in Windows, .so in Linux, .dylib in macOS) into its process memory space. Each module load event is reported as the type “endpoint.event.moduleload”. The following fields represent metadata associated with the module load event.

Field Definition
modload_name Full path to the module being loaded on the device’s file system
modload_action Action associated with the modload operation
modload_count Count of modload events reported by the sensor since last initialization
modload_effective_reputation Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred
modload_hash MD5 or SHA-256 hash(es) of the module(s) loaded by the process
modload_publisher[] Array of objects with two keys, “name” and “state”. Each array entry is a signature entry for the moduleload as reported by the endpoint

Script Load - endpoint.event.scriptload

Note: This event is preview only and will be released on March 22nd. See here for more details.

A “script load” is generated when a process loads a script (.ps1, .vb, .bin, etc.) that can be executed by a script interpreter. Each script load event is reported as the type “endpoint.event.scriptload”. The following fields represent metadata associated with the script load event.

EDR Scriptload Event

Field Definition
scriptload_hash MD5 and/or SHA-256 hash(es) of the filesystem script file loaded at process launch
scriptload_name Filesystem path of script file(s) loaded at process launch
scriptload_publisher[] Array of objects with two keys, “name” and “state”. Each array entry is a signature entry for the scriptload as reported by the endpoint

NGAV Scriptload Event

Field Definition
scriptload_hash MD5 and/or SHA-256 hash(es) of the filesystem script file loaded at process launch
scriptload_name Filesystem path of script file(s) loaded at process launch
scriptload_count Count of scriptload events across all processes reported by the sensor since last initialization

Fileless Script Load - endpoint.event.fileless_scriptload

Note: This event is preview only and will be released on March 22nd. See here for more details.

A “fileless script load” is generated when a process loads a set of script instructions into memory. Each fileless script load event is reported as the type “endpoint.event.fileless_scriptload”. The following fields represent metadata associated with the fileless script load event.

Field Definition
fileless_scriptload_cmdline Deobfuscated script content run in a fileless context by the process
fileless_scriptload_cmdline_length Character count of the deobfuscated script content run in a fileless context
fileless_scriptload_hash SHA-256 hash(es) of the deobfuscated script content run by the process in a fileless context

Cross-Process Event - endpoint.event.crossproc

Any time a process interacts with another process on the system, that is considered a “cross-process” event. Each cross-process event is reported as the type “endpoint.event.crossproc”. The following fields represent metadata associated with the cross-process event.

Field Definition
crossproc_name Full path to the target of the crossproc event on the device’s local file system
crossproc_hash Cryptographic hashes of the target of the crossproc event, represented as an array of two elements - MD5 and SHA-256 hash
crossproc_reputation Carbon Black Cloud Reputation string for the crossproc.
crossproc_publisher[] Array of objects with two keys, “name” and “state”. Each array entry is a signature entry for the crossproc as reported by the endpoint
crossproc_guid Unique ID of the cross process
crossproc_api Name of the operating system API called by the actor process; some API calls have a target
crossproc_target True if the process was the target of the cross-process event; false if the process was the actor
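
A consumer for the endpoint event types above, written as an added Python example (not code from this guide or from the Event Forwarder). It routes newline-delimited records by `type`, splits the two-element hash arrays, flags *nix forks through `process_fork_pid`, and reads `sensor_action` as a block indicator. The records are constructed for the example, with the empty-string MD5/SHA-256 as placeholder hashes. The `process_guid` cross-check relies on a layout inferred from Sample 1 below (org_key, then device_id and process_pid in hexadecimal); the guide itself defers the GUID layout to the “Deconstructing the Process GUID” document, so treat that check as an assumption.

```python
import json

# Placeholder hashes (MD5 and SHA-256 of the empty string), not real binaries.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed forwarder-shaped records; values are invented for this example.
SAMPLE_LINES = [
    json.dumps({
        "type": "endpoint.event.procstart", "event_origin": "EDR",
        "org_key": "ABCD1234", "device_id": "7245126", "process_pid": 4880,
        "process_guid": "ABCD1234-006e8d46-00001310-00000000-1d5fd46cc37d700",
        "process_path": "c:\\windows\\system32\\cmd.exe",
        "process_hash": [EMPTY_MD5, EMPTY_SHA256],
        "action": "ACTION_CREATE_PROCESS", "sensor_action": "ALLOW",
        "childproc_name": "c:\\windows\\system32\\whoami.exe", "childproc_pid": 5120,
    }),
    json.dumps({
        "type": "endpoint.event.netconn", "event_origin": "NGAV",
        "org_key": "ABCD1234", "device_id": 7245126, "process_pid": 4880,
        "process_guid": "ABCD1234-006e8d46-00001310-00000000-1d5fd46cc37d700",
        "process_path": "c:\\windows\\system32\\cmd.exe",
        "process_hash": [EMPTY_MD5, EMPTY_SHA256],
        "remote_ip": "203.0.113.7", "remote_port": 443, "local_ip": "10.0.103.101",
        "local_port": 51022, "netconn_domain": "", "netconn_inbound": False,
        "netconn_protocol": "TCP",
    }),
    json.dumps({
        "type": "endpoint.event.procstart", "event_origin": "EDR",
        "org_key": "ABCD1234", "device_id": 99, "process_pid": 300,
        "process_fork_pid": 301,
        "process_guid": "ABCD1234-00000063-0000012c-00000000-1d5fd46cc37d700",
        "process_path": "/usr/bin/bash", "process_hash": [EMPTY_MD5, EMPTY_SHA256],
        "action": "ACTION_CREATE_PROCESS", "sensor_action": "TERMINATE",
        "childproc_name": "/usr/bin/curl", "childproc_pid": 301,
    }),
]


def guid_consistent(event: dict) -> bool:
    """ASSUMPTION (inferred from Sample 1): segments 1 and 2 of process_guid
    are device_id and process_pid in hex. Reject records where they disagree
    with the top-level fields."""
    parts = event["process_guid"].split("-")
    if len(parts) < 3 or parts[0] != event["org_key"]:
        return False
    return (int(parts[1], 16) == int(event["device_id"])
            and int(parts[2], 16) == int(event["process_pid"]))


def normalize(event: dict) -> dict:
    """Pull the fields a detection pipeline keys on, by event type."""
    hashes = event.get("process_hash") or []
    pid = event["process_pid"]
    out = {
        "type": event["type"],
        "origin": event.get("event_origin"),      # "EDR" or "NGAV"
        "device_id": int(event["device_id"]),     # Sample 1 shows this as a string
        "pid": pid,
        "path": event.get("process_path"),
        "sha256": hashes[1] if len(hashes) == 2 else None,
        # sensor_action is only present when the sensor blocked or terminated
        "blocked": event.get("sensor_action") in ("TERMINATE", "DENY"),
        "guid_ok": guid_consistent(event),
        "forked": event.get("process_fork_pid", pid) != pid,
    }
    if event["type"] == "endpoint.event.procstart":
        out["child"] = {
            "path": event.get("childproc_name"),
            "pid": event.get("childproc_pid"),
            "discovered": event.get("action") == "ACTION_PROCESS_DISCOVERED",
        }
    elif event["type"] == "endpoint.event.netconn":
        out["conn"] = {
            "remote": (event.get("remote_ip"), event.get("remote_port")),
            "domain": event.get("netconn_domain") or None,  # may be empty
            "inbound": bool(event.get("netconn_inbound")),
            "proto": event.get("netconn_protocol"),
        }
    return out


def process_lines(lines) -> list:
    """Parse newline-delimited forwarder output, skipping blank lines."""
    return [normalize(json.loads(line)) for line in lines if line.strip()]
```

Unknown event types still pass through `normalize` with the common fields only, which matches the schema rule above: new event types do not change the schema version, so a consumer should not reject them.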

Alert Fields

“Common fields” are present in all alert types, while other fields are only present for a specific alert type.

Common Fields

The Event Forwarder emits a set of common fields for every alert. These fields represent common metadata for the customer, device, and alert.

Field Definition
type The alert type. Use this field to determine which fields should be expected per the specs below.

CB_ANALYTICS, DEVICE_CONTROL, WATCHLIST
id The unique long id of the alert
legacy_alert_id The unique short id of the alert
org_key The organization key associated with the console instance. Can be used to disambiguate alerts from different customers/organizations.
create_time The time the alert was created
last_update_time The time the alert was last updated
first_event_time The time the first event associated with the alert was seen
last_event_time The time the most recent event associated with the alert was seen
threat_id ID of the threat to which this alert belongs
severity The severity of the alert
category Type of alert

WARNING, NOTICE

Note: The values differ from the Alerts API where WARNING is THREAT and NOTICE is MONITORED
device_id Integer ID of the device that created this alert
device_os OS Type of device (Windows/OSX/Linux)
device_os_version Version of OS on device (Windows 10 x64)
device_name Hostname of the device that created this alert
device_username Name of the user that installed the device. To get the actual user involved in the device alert, get the underlying event or process data.
device_internal_ip IP address of the endpoint as reported by the sensor. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”)
device_external_ip IP address of the endpoint from the perspective of the Carbon Black Cloud. Can differ from device_internal_ip due to network proxy or NAT. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”)
device_uem_id “Unified Endpoint Management” identifier assigned by VMware Workspace ONE Intelligence, only populated if the Workspace ONE integration is configured. Unique across Carbon Black Cloud in GUID format (e.g. “FC3992EE-A8CD-5AD5-AC6D-A477490456E4”)
policy_id ID associated with the policy that triggered the alert
policy_name Name of the policy that triggered the alert
target_value Device priority as assigned via the policy

LOW, MEDIUM, HIGH, CRITICAL
workflow Tracking system for alerts as they are triaged and resolved
notes_present True if notes are associated with the alert
tags A list of tags associated with the alert
alert_url A redirect link to refer back to the Carbon Black Cloud console. CB_ANALYTICS alerts will redirect to the Alert Triage page for the specific alert. WATCHLIST alerts will redirect to the Investigate page for the specific alert. DEVICE_CONTROL alerts will redirect to the Alerts page.

CB_ANALYTICS

Field Definition
reason Description of the alert
reason_code Shorthand enum for the full-text reason
process_name Name of the executable file backing this process on the device’s file system
device_location The location of the device

ONSITE, OFFSITE, UNKNOWN
created_by_event_id The ID of the event that created the alert
threat_indicators List of the threat indicators that make up the threat
threat_activity_dlp Whether the alert involved DLP

NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED
threat_activity_phish Whether the alert involved phishing

NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED
threat_activity_c2 Whether the alert involved a c2 server

NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED
threat_cause_actor_sha256 SHA256 of the threat cause actor
threat_cause_actor_name Process name or IP address of the threat actor
threat_cause_actor_process_pid PID of the actor process
threat_cause_reputation Reputation of the threat cause
threat_cause_threat_category Threat category

UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM
threat_cause_vector Source of the threat cause
threat_cause_cause_event_id Event ID that triggered the event
blocked_threat_category The category of threat on which the sensor was able to take action

UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM
not_blocked_threat_category Other potentially malicious activity involved in the threat on which the sensor was not able to take action, either due to policy configuration or because no relevant rule existed

UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM
kill_chain_status Phase of the Cyber Kill Chain the alert represents
sensor_action The action taken by the sensor, according to the rules of the policy

POLICY_NOT_APPLIED, ALLOW, ALLOW_AND_LOG, TERMINATE, DENY
run_state Whether the threat in the alert actually ran

DID_NOT_RUN, RAN, UNKNOWN
policy_applied Whether a policy was applied

Device Control

Field Definition
reason Description of the alert
reason_code Shorthand enum for the full-text reason
device_location The location of the device

ONSITE, OFFSITE, UNKNOWN
threat_cause_threat_category Threat category

UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM
threat_cause_vector Source of the threat cause
threat_cause_cause_event_id Event ID that triggered the event
run_state Whether the threat in the alert actually ran

DID_NOT_RUN, RAN, UNKNOWN
policy_applied Whether a policy was applied
vendor_name The name of the USB device’s vendor
vendor_id The hexadecimal id of the USB device’s vendor
product_name The name of the USB device’s product
product_id The hexadecimal id of the USB device’s product
external_device_friendly_name The human readable USB device name
serial_number The serial number of the USB device

WATCHLIST

Field Definition
ioc_id ID of the IOC that caused the hit
ioc_field Field the IOC hit contains
ioc_hit IOC field value, or IOC query that matches
watchlists List of watchlists associated with an alert
process_guid Unique ID of process
report_id Id of the report that generated a hit on the process
report_name Name of the report that generated a hit on the process
process_path Tokenized path of the process’ binary
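
An alert consumer for the three alert types above, added here as a Python example (not code from this guide or from the Event Forwarder). It folds re-sent copies of an alert down to the newest `last_update_time`, maps the forwarder's `category` onto the Alerts API values from the note above, and pulls the type-specific fields a triage queue keys on. The records are abridged from Samples 2 to 4 below and cut to the fields used; the second WATCHLIST copy, its DISMISSED state and the `needs_analyst` routing rule are this example's own constructions.

```python
# Forwarder category -> Alerts API category, per the note on the category field.
CATEGORY_TO_ALERTS_API = {"WARNING": "THREAT", "NOTICE": "MONITORED"}

# Constructed alerts abridged from the guide's samples. The second WATCHLIST
# record is an invented re-send with a newer last_update_time and new state.
SAMPLE_ALERTS = [
    {"type": "WATCHLIST", "id": "951d536a-2817-4790-8c97-c2d31624de7c",
     "category": "WARNING", "severity": 7, "device_id": 3775337,
     "device_name": "CBcloud-win10", "last_update_time": "2021-01-04T23:33:32Z",
     "workflow": {"state": "OPEN"}, "run_state": "RAN",
     "report_name": "Execution - PowerShell Downloading Behaviors Detected",
     "ioc_hit": "(process_cmdline:powershell* AND process_cmdline:.downloadstring)",
     "watchlists": [{"name": "Carbon Black Advanced Threats"}]},
    {"type": "WATCHLIST", "id": "951d536a-2817-4790-8c97-c2d31624de7c",
     "category": "WARNING", "severity": 7, "device_id": 3775337,
     "device_name": "CBcloud-win10", "last_update_time": "2021-01-05T09:00:00Z",
     "workflow": {"state": "DISMISSED"}, "run_state": "RAN",
     "report_name": "Execution - PowerShell Downloading Behaviors Detected",
     "ioc_hit": "(process_cmdline:powershell* AND process_cmdline:.downloadstring)",
     "watchlists": [{"name": "Carbon Black Advanced Threats"}]},
    {"type": "CB_ANALYTICS", "id": "36259335daf0f2c4edb11ebb2828b41ebaf3867",
     "category": "NOTICE", "severity": 4, "device_id": 3625933,
     "device_name": "win10-ps-moid", "last_update_time": "2021-01-04T22:23:05Z",
     "workflow": {"state": "OPEN"}, "run_state": "RAN", "policy_applied": "NOT_APPLIED",
     "reason": "The application powershell.exe is executing a fileless script or command.",
     "reason_code": "R_FILELESS", "kill_chain_status": ["DELIVER_EXPLOIT"],
     "threat_indicators": [
         {"process_name": "powershell.exe", "ttps": ["MODIFY_MEMORY_PROTECTION"]},
         {"process_name": "powershell.exe", "ttps": ["FILELESS"]},
         {"process_name": "powershell.exe", "ttps": ["MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"]}]},
    {"type": "DEVICE_CONTROL", "id": "uds_c8eb7306af264a9ab677814b3af69720",
     "category": "WARNING", "severity": 3, "device_id": 7604419,
     "device_name": "DESKTOP-4O07JV2", "last_update_time": "2020-11-17T22:05:13Z",
     "workflow": {"state": "OPEN"}, "run_state": "DID_NOT_RUN", "policy_applied": "APPLIED",
     "sensor_action": "DENY", "vendor_name": "SanDisk", "vendor_id": "0x0781",
     "product_name": "U3 Cruzer Micro", "product_id": "0x5406",
     "serial_number": "0875920EF7C2A304"},
]


def latest_by_id(alerts: list) -> list:
    """One copy per alert id: a new copy is sent whenever the backend changes
    something, so the newest last_update_time wins. The timestamps are
    ISO-8601 in UTC, so plain string comparison orders them correctly."""
    newest = {}
    for alert in alerts:
        current = newest.get(alert["id"])
        if current is None or alert["last_update_time"] > current["last_update_time"]:
            newest[alert["id"]] = alert
    return list(newest.values())


def summarize(alert: dict) -> dict:
    """Reduce an alert to the common fields plus its type-specific ones."""
    summary = {
        "id": alert["id"], "type": alert["type"],
        "api_category": CATEGORY_TO_ALERTS_API.get(alert.get("category"), alert.get("category")),
        "severity": int(alert.get("severity", 0)),
        "device": (alert.get("device_id"), alert.get("device_name")),
        "state": alert.get("workflow", {}).get("state"),
        "ran": alert.get("run_state") == "RAN",
        "blocked": alert.get("sensor_action") in ("TERMINATE", "DENY"),
    }
    kind = alert["type"]
    if kind == "CB_ANALYTICS":
        summary["ttps"] = sorted({t for ind in alert.get("threat_indicators", [])
                                  for t in ind.get("ttps", [])})
        summary["reason"] = alert.get("reason")
        summary["kill_chain"] = list(alert.get("kill_chain_status", []))
    elif kind == "WATCHLIST":
        summary["report"] = alert.get("report_name")
        summary["query"] = alert.get("ioc_hit")
        summary["watchlists"] = [w.get("name") for w in alert.get("watchlists", [])]
    elif kind == "DEVICE_CONTROL":
        summary["usb"] = {"vendor_id": alert.get("vendor_id"),
                          "product_id": alert.get("product_id"),
                          "serial": alert.get("serial_number")}
    else:
        summary["unknown_type"] = True   # keep the common fields, do not drop it
    return summary


def needs_analyst(summary: dict) -> bool:
    """Illustrative routing rule (this example's own, not the product's): an
    open THREAT that ran and was not blocked by the sensor goes to a person."""
    return (summary["api_category"] == "THREAT" and summary["state"] == "OPEN"
            and summary["ran"] and not summary["blocked"])


def triage(alerts: list) -> tuple:
    """Deduplicate, summarize, and return (summaries, ids needing an analyst)."""
    summaries = [summarize(a) for a in latest_by_id(alerts)]
    return summaries, [s["id"] for s in summaries if needs_analyst(s)]
```

Deduplicating before routing matters: the first copy of the WATCHLIST alert would be queued on its own, but the later copy records that it was dismissed in the console, so the queue ends up empty.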

Data Samples

The following are samples of data: endpoint.event, Watchlist Alert, CB ANALYTICS Alert.

Sample 1 - endpoint.event

{
  "type": "endpoint.event.procstart",
  "process_guid": "ABCD1234-006e8d46-00001310-00000000-1d5fd46cc37d700",
  "parent_guid": "ABCD1234-006e8d46-00000290-00000000-1d5fa5dbbaa12ce",
  "backend_timestamp": "2020-03-25 22:38:54 +0000 UTC",
  "org_key": "ABCD1234",
  "device_id": "7245126",
  "device_name": "cbc-win10",
  "device_external_ip": "72.152.92.146",
  "device_os": "WINDOWS",
  "device_group": "Windows Group",
  "action": "ACTION_CREATE_PROCESS",
  "schema": 1,
  "event_description": "The application \"<share><link hash=\"0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043\">C:\\program files (x86)\\google\\chrome\\application\\chrome.exe</link></share>\" invoked the application \"<share><link hash=\"0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043\">C:\\program files (x86)\\google\\chrome\\application\\chrome.exe</link></share>\". ",
  "alert_id": "WXYZ0987",
  "event_id": "54885ebc6ee911eabc70416f8358e4f2",
  "device_timestamp": "2020-03-25 22:38:03.353 +0000 UTC",
  "process_terminated": false,
  "process_reputation": "REP_RESOLVING",
  "parent_reputation": "",
  "process_pid": 4880,
  "parent_pid": 656,
  "process_publisher": null,
  "process_path": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
  "parent_path": "c:\\windows\\system32\\services.exe",
  "process_hash": [
    "3623a0e7cdcf3310ffb4c87c5b43ae02",
    "0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043"
  ],
  "parent_hash": [
    "db896369fb58241adf28515e3765c514",
    "a2e369df26c88015fe1f97c7542d6023b5b1e4830c25f94819507ee5bcb1dfcc"
  ],
  "process_cmdline": "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox",
  "parent_cmdline": "",
  "process_username": "CBC-WIN10\\user",
  "sensor_action": "ALLOW",
  "childproc_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
  "childproc_hash": [
    "3623a0e7cdcf3310ffb4c87c5b43ae02",
    "0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043"
  ],
  "target_cmdline": "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --field-trial-handle=1656,13710686576560040528,13403776044656688818,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=5236 --ignored=\" --type=renderer \" /prefetch:8"
}

Sample 2 - Watchlist Alert

{
  "type": "WATCHLIST",
  "id": "951d536a-2817-4790-8c97-c2d31624de7c",
  "legacy_alert_id": "ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613-BC154984541016AFD2467DF221AA20FD",
  "org_key": "ABCD1234",
  "create_time": "2021-01-04T23:33:32Z",
  "last_update_time": "2021-01-04T23:33:32Z",
  "first_event_time": "2021-01-04T23:25:58Z",
  "last_event_time": "2021-01-04T23:25:58Z",
  "threat_id": "A22D9AFD42B85FF4FE6C8AE1DB6FBD6C",
  "severity": 7,
  "category": "WARNING",
  "device_id": 3775337,
  "device_os": "WINDOWS",
  "device_name": "CBcloud-win10",
  "device_username": "admin",
  "policy_id": 6525,
  "policy_name": "default",
  "target_value": "MEDIUM",
  "workflow": {
    "state": "OPEN",
    "remediation": "",
    "last_update_time": "2021-01-04T23:32:19Z",
    "comment": "",
    "changed_by": "Carbon Black"
  },
  "device_internal_ip": "123.45.67.890",
  "device_external_ip": "23.45.67.89",
  "alert_url": "https://defense.conferdeploy.net/cb/investigate/processes?orgId=123\u0026query=alert_id%3A951d536a-2817-4790-8c97-c2d31624de7c+AND+device_id%3A3775337\u0026searchWindow=ALL",
  "reason_code": "Process powershell.exe was detected by the report \"Execution - PowerShell Downloading Behaviors Detected\" in watchlist \"Carbon Black Advanced Threats\"",
  "process_name": "powershell.exe",
  "threat_indicators": [{
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["e41b000e-eb5a-41f4-aa67-1902d186a457-0"]
  }],
  "threat_cause_actor_sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
  "threat_cause_actor_name": "powershell.exe",
  "threat_cause_reputation": "COMMON_WHITE_LIST",
  "threat_cause_threat_category": "RESPONSE_WATCHLIST",
  "threat_cause_vector": "UNKNOWN",
  "run_state": "RAN",
  "ioc_id": "e41b000e-eb5a-41f4-aa67-1902d186a457-0",
  "ioc_hit": "(process_cmdline:powershell* AND (process_cmdline:.downloaddata OR process_cmdline:.downloadstring OR process_cmdline:.downloadfile) -process_cmdline:chocolatey.org*) -enriched:true",
  "watchlists": [{
    "id": "mrTB06fAQbeNfvl47cQiGg",
    "name": "Carbon Black Advanced Threats"
  }],
  "process_guid": "ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613",
  "process_path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
  "report_name": "Execution - PowerShell Downloading Behaviors Detected",
  "report_id": "MLRtPcpQGKFh5OE4BT3tQ-e41b000e-eb5a-41f4-aa67-1902d186a457",
  "status": "UNRESOLVED"
}

Sample 3 - CB ANALYTICS Alert

{
  "type": "CB_ANALYTICS",
  "id": "36259335daf0f2c4edb11ebb2828b41ebaf3867",
  "legacy_alert_id": "ZHGKP3EM",
  "org_key": "ABCD1234",
  "create_time": "2021-01-04T22:22:52Z",
  "last_update_time": "2021-01-04T22:23:05Z",
  "first_event_time": "2021-01-04T22:22:42Z",
  "last_event_time": "2021-01-04T22:22:42Z",
  "threat_id": "f7959830dfea89252d459b056ab43222",
  "severity": 4,
  "category": "NOTICE",
  "device_id": 3625933,
  "device_os": "WINDOWS",
  "device_os_version": "Windows 10 x64",
  "device_name": "win10-ps-moid",
  "device_username": "jdoe@carbonblack.com",
  "policy_id": 6525,
  "policy_name": "default",
  "target_value": "MEDIUM",
  "workflow": {
    "state": "OPEN",
    "remediation": "",
    "last_update_time": "2021-01-04T22:22:52Z",
    "comment": "",
    "changed_by": "Carbon Black"
  },
  "device_internal_ip": "123.45.67.890",
  "device_external_ip": "23.45.67.89",
  "alert_url": "https://defense.conferdeploy.net/triage?incidentId=ZHGKP3EM\u0026orgId=123",
  "reason": "The application powershell.exe is executing a fileless script or command.",
  "reason_code": "R_FILELESS",
  "process_name": "powershell.exe",
  "device_location": "OFFSITE",
  "created_by_event_id": "5daf0f2c4edb11ebb2828b41ebaf3867",
  "threat_indicators": [{
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["MODIFY_MEMORY_PROTECTION"]
  }, {
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"]
  }, {
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["FILELESS"]
  }, {
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["MITRE_T1057_PROCESS_DISCOVERY"]
  }, {
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["CODE_DROP"]
  }, {
    "process_name": "powershell.exe",
    "sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "ttps": ["ENUMERATE_PROCESSES"]
  }],
  "threat_cause_actor_sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
  "threat_cause_actor_name": "powershell.exe",
  "threat_cause_actor_process_pid": "3292-132541831999374961-0",
  "threat_cause_reputation": "COMMON_WHITE_LIST",
  "threat_cause_threat_category": "NON_MALWARE",
  "threat_cause_vector": "UNKNOWN",
  "threat_cause_cause_event_id": "5daf0f344edb11ebb2828b41ebaf3867",
  "blocked_threat_category": "UNKNOWN",
  "not_blocked_threat_category": "NON_MALWARE",
  "kill_chain_status": ["DELIVER_EXPLOIT"],
  "run_state": "RAN",
  "policy_applied": "NOT_APPLIED"
}

Sample 4 - Device Control Alert

{
    "type": "DEVICE_CONTROL",
    "id": "uds_c8eb7306af264a9ab677814b3af69720",
    "legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720",
    "org_key": "6X3T6RYXJ",
    "create_time": "2020-11-17T22:05:13Z",
    "last_update_time": "2020-11-17T22:05:13Z",
    "first_event_time": "2020-11-17T22:02:16Z",
    "last_event_time": "2020-11-17T22:02:16Z",
    "threat_id": "60b43c178d148756368ddea72f731ce108ea54d2b29171bff509c619d2a7eb6c",
    "severity": 3,
    "category": "WARNING",
    "device_id": 7604419,
    "device_os": "WINDOWS",
    "device_os_version": "Windows 10 x64",
    "device_name": "DESKTOP-4O07JV2",
    "device_username": "jdoe",
    "policy_id": 6997287,
    "policy_name": "Standard",
    "target_value": "MEDIUM",
    "workflow": {
        "state": "OPEN",
        "remediation": "",
        "last_update_time": "2020-11-17T22:02:16Z",
        "comment": "",
        "changed_by": "Carbon Black"
    },
    "device_internal_ip": "172.17.2.130",
    "device_external_ip": "71.218.76.221",
    "alert_url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976",
    "reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.",
    "reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC",
    "device_location": "UNKNOWN",
    "threat_cause_threat_category": "NON_MALWARE",
    "threat_cause_vector": "REMOVABLE_MEDIA",
    "threat_cause_cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E",
    "sensor_action": "DENY",
    "run_state": "DID_NOT_RUN",
    "policy_applied": "APPLIED",
    "vendor_name": "SanDisk",
    "vendor_id": "0x0781",
    "product_name": "U3 Cruzer Micro",
    "product_id": "0x5406",
    "serial_number": "0875920EF7C2A304"
}

View the Full Documentation

  • Event Forwarder Configuration API Documentation
  • Quick Setup in Postman & S3 Bucket Configuration
  • Deconstructing the Process GUID

For event field mapping between EDR (CB Response) events and Carbon Black Cloud Event Forwarder events, see the Migration Guide.

Last modified on April 2, 2021