This document describes how the Carbon Black Cloud Forwarders map field types into the output JSON format.
Basic data types such as “int” and “string” map directly to the corresponding JSON data types. Additional data types are described below:
“Common fields” are present in all event types, while other fields are only present for a specific event type.
The Carbon Black Cloud Event Forwarder emits a set of common fields for every endpoint event. These fields represent common metadata for the customer, device, and process to which this event belongs.
Field | Definition |
---|---|
type | The event type. Use this field to determine which fields should be expected per the specs below. |
schema | The schema version. The current schema version is “1”. This schema version will only be incremented if the field definitions are changed in a backwards-incompatible way. New fields in an event type or new event types will not result in a new schema version. |
org_key | The organization key associated with the console instance. Can be used to disambiguate events from different customers/organizations. |
backend_timestamp | Time when the backend received the batch of events, based on the Carbon Black Cloud backend’s clock, as an ISO-8601 formatted time string based on UTC. |
process_guid | Unique ID of the process. Please see this document for more information on how a process GUID is used and each of its components. |
parent_guid | Unique ID of the parent process. Please see this document for more information on how a process GUID is used and each of its components. |
device_id | Integer ID of the device that created this event |
device_name | Hostname of the device that created this event |
device_os | OS type of the device (Windows/OSX/Linux) |
device_group | Policy group to which the device belongs |
action | String enum containing the type represented by this event |
device_timestamp | Time seen on the sensor, based on the sensor’s clock, as an ISO-8601 formatted time string based on UTC. |
process_reputation | Carbon Black Cloud Reputation string for the current process |
parent_reputation | Carbon Black Cloud Reputation string for the parent process |
process_pid | OS-reported Process ID of the current process |
parent_pid | OS-reported Process ID of the parent process |
process_path | Full path to the executable file backing this process on the device’s file system |
parent_path | Full path to the executable file backing the parent process on the device’s file system |
process_hash | Cryptographic hashes of the executable file backing this process, represented as an array of two elements: MD5 and SHA-256 hash |
process_loaded_script_hash[] | SHA-256 hash(es) of any script loaded from the filesystem through the duration of the process |
process_loaded_script_name | Filesystem path(s) of any script content loaded from the filesystem during the process |
parent_hash | Cryptographic hashes of the executable file backing the parent process, represented as an array of two elements: MD5 and SHA-256 hash |
process_cmdline | Process command line |
process_username | The username associated with the user context that this process was started under |
sensor_action | (optional) Included if the sensor blocked the event or terminated the application due to security policy. One of POLICY_NOT_APPLIED, ALLOW, ALLOW_AND_LOG, TERMINATE, DENY |
childproc_name | Full path to the target of the event on the device’s local file system |
childproc_hash | Cryptographic hashes of the executable file backing the child process, represented as an array of two elements: MD5 and SHA-256 hash |
childproc_guid | Unique ID of the child process. See this document for more information on how a process GUID is used and each of its components. |
childproc_pid | OS-reported Process ID of the child process |
childproc_username | The username associated with the user context that the child process was started under |
childproc_reputation | Carbon Black Cloud Reputation string for the child process |
childproc_publisher | Array of objects with two keys, “name” and “state”. Each array entry is a signature entry for the child process as reported by the endpoint |
target_cmdline | Process command line associated with the target process |
process_fork_pid | The PID of a process forked from the actor on *nix systems. If process_pid != process_fork_pid, the current process was forked from the original process_pid. |
event_origin | Indicates which product the event came from. “EDR” indicates the event originated from Enterprise EDR. “NGAV” indicates the event originated from Endpoint Standard. |
Endpoint Standard events have the event_origin field set to NGAV. If you are an Endpoint Standard customer, you will see the below fields populated in the Event Forwarder output. Enterprise EDR fields will also be present, but not populated. Endpoint Standard records only “security-relevant” events, so you will see roughly 10-20x fewer Endpoint Standard events than Enterprise EDR events.
Field | Definition |
---|---|
device_external_ip | IP address of the host as seen by the backend (the public IPv4 or IPv6 address used to contact the Carbon Black Cloud) |
process_terminated | Always FALSE for Endpoint Standard events |
event_description | Long textual description of the event as seen in the Carbon Black Cloud web console |
event_id | Internal Endpoint Standard event ID associated with this specific event. This event ID can be used to find the specific event in the Carbon Black Cloud web console |
alert_id | The ID of the Alert this event is associated with |
Enterprise EDR events have the event_origin field set to EDR. Endpoint Standard fields will be present, but not populated.
Field | Definition |
---|---|
process_terminated | True if the process was terminated |
process_publisher[] (.name, .state) | Array of objects with two keys, “name” and “state”. Each array entry is a signature entry for the process as reported by the endpoint |
parent_cmdline | Process command line associated with the parent process |
process_duration | The time difference in seconds between the process start and process terminate event |
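The common fields above carry two conventions worth checking on ingest: the `*_hash` fields are an `[MD5, SHA-256]` pair, the timestamps use the `2020-03-25 22:38:03.353 +0000 UTC` form, and Endpoint Standard (`NGAV`) events never set `process_terminated`. The following is an added example, not code from the Carbon Black Cloud project; the sample line is constructed from the values shown on this page, and the invariants checked are only those the field table states.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample line (not captured from a live forwarder); the hash and
# GUID values are the ones shown in this page's endpoint.event sample.
SAMPLE_LINE = json.dumps({
    "type": "endpoint.event.procstart",
    "schema": 1,
    "org_key": "ABCD1234",
    "event_origin": "NGAV",
    "backend_timestamp": "2020-03-25 22:38:54 +0000 UTC",
    "device_timestamp": "2020-03-25 22:38:03.353 +0000 UTC",
    "process_guid": "ABCD1234-006e8d46-00001310-00000000-1d5fd46cc37d700",
    "process_hash": ["3623a0e7cdcf3310ffb4c87c5b43ae02",
                     "0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043"],
    "process_terminated": False,
})

# Event timestamps look like "2020-03-25 22:38:03.353 +0000 UTC"; fractional
# seconds are optional and the trailing zone name repeats the numeric offset.
_TS_FORMATS = ("%Y-%m-%d %H:%M:%S.%f %z", "%Y-%m-%d %H:%M:%S %z")
_HEX = re.compile(r"^[0-9a-f]+$")


def parse_event_time(value: str) -> datetime:
    """Return a timezone-aware UTC datetime for a forwarder event timestamp."""
    text = value.strip()
    if text.endswith(" UTC"):
        text = text[:-4]
    for fmt in _TS_FORMATS:
        try:
            return datetime.strptime(text, fmt).astimezone(timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised event timestamp: {value!r}")


def is_hash_pair(value) -> bool:
    """True if value is the [MD5, SHA-256] array that the *_hash fields carry."""
    if not isinstance(value, list) or len(value) != 2:
        return False
    md5, sha256 = value
    return (isinstance(md5, str) and len(md5) == 32 and bool(_HEX.match(md5))
            and isinstance(sha256, str) and len(sha256) == 64 and bool(_HEX.match(sha256)))


def summarize_common_fields(line: str) -> dict:
    """Parse one JSON line and check the common-field invariants this page states."""
    ev = json.loads(line)
    problems = []
    if ev.get("schema") != 1:
        problems.append(f"unexpected schema version {ev.get('schema')!r}")
    if not is_hash_pair(ev.get("process_hash")):
        problems.append("process_hash is not an [md5, sha256] pair")
    origin = ev.get("event_origin")
    # Endpoint Standard (NGAV) events always report process_terminated as false.
    if origin == "NGAV" and ev.get("process_terminated") is not False:
        problems.append("process_terminated must be FALSE for Endpoint Standard events")
    backend = parse_event_time(ev["backend_timestamp"])
    device = parse_event_time(ev["device_timestamp"])
    return {
        "type": ev["type"],
        "org_key": ev["org_key"],
        "origin": origin,
        "sha256": ev["process_hash"][1] if is_hash_pair(ev.get("process_hash")) else None,
        # Backend clock minus sensor clock: large or negative values point at
        # batching delay on the sensor or a skewed endpoint clock.
        "ingest_delay_s": (backend - device).total_seconds(),
        "problems": problems,
    }


if __name__ == "__main__":
    print(summarize_common_fields(SAMPLE_LINE))
```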
Events generated for volume operations, including mounting and un-mounting of external devices. A “volume” event includes the fields named in the “Common Fields” section above.
Each process launch event is reported as the type “endpoint.event.procstart”. A “procstart” event only includes the fields named in the “Common Fields” section above.
Each process-terminate event is reported as the type “endpoint.event.procend”. A “procend” event includes the fields named in the “Common Fields” section above.
Each API-call event is reported as the type “endpoint.event.apicall”. An API-call event includes the fields named in the “Common Fields” section above.
Each network-connection event is reported as the type “endpoint.event.netconn”. In addition to the common fields documented in “Common Fields”, the following fields represent metadata associated with the network-connection event.
Field | Definition |
---|---|
remote_port | UDP/TCP port number associated with the “remote” end of this network connection |
remote_ip | IPv4 or IPv6 address in string format associated with the “remote” end of this network connection |
local_port | UDP/TCP port number associated with the “local” end of this network connection |
local_ip | IPv4 or IPv6 address in string format associated with the “local” end of this network connection |
netconn_domain | DNS name associated with the “remote” end of this network connection. May be empty if the name cannot be inferred or the connection is made directly to/from a remote IP address |
netconn_inbound | Set to true if the network connection is inbound |
netconn_protocol | String UDP or TCP protocol identifier |
Each file-modification event is reported as the type “endpoint.event.filemod”. The following fields represent metadata associated with the file-modification event.
Field | Definition |
---|---|
filemod_hash | Cryptographic hashes of the file modified, represented as an array of two elements: MD5 and SHA-256 hash |
filemod_name | Full path to the file being modified on the device’s file system |
Each registry-modification event is reported as the type “endpoint.event.regmod”. The following fields represent metadata associated with the registry-modification event.
Field | Definition |
---|---|
regmod_name | Full path to the registry key, including the hive, being modified in the Windows device’s registry |
A “module load” event is generated every time a process loads a shared library (DLL on Windows, .so on Linux, .dylib on macOS) into its process memory space. Each module load event is reported as the type “endpoint.event.moduleload”. The following fields represent metadata associated with the module load event.
Field | Definition |
---|---|
modload_name | Full path to the module being loaded on the device’s file system |
Any time a process interacts with another process on the system, that is considered a “cross-process” event. Each cross-process event is reported as the type “endpoint.event.crossproc”. The following fields represent metadata associated with the cross-process event.
Field | Definition |
---|---|
crossproc_name | Full path to the target of the cross-process event on the device’s local file system |
crossproc_hash | Cryptographic hashes of the target of the cross-process event, represented as an array of two elements: MD5 and SHA-256 hash |
crossproc_reputation | Carbon Black Cloud Reputation string for the cross-process target |
crossproc_publisher | Array of objects with two keys, “name” and “state”. Each array entry is a signature entry for the cross-process target as reported by the endpoint |
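The `type` field decides which of the type-specific fields above should be present. The following added example (not the project's own code) encodes that per-type field list from this page, validates an event against it, and renders a one-line triage summary per type. The sample events and the `netconn_protocol` value `"TCP"` are constructed for the example; the set of common fields it treats as mandatory is this example's assumption.

```python
# Fields each endpoint.event type adds on top of the common fields, as listed
# on this page. Types with an empty tuple carry only the common fields.
TYPE_FIELDS = {
    "endpoint.event.procstart": (),
    "endpoint.event.procend": (),
    "endpoint.event.apicall": (),
    "endpoint.event.netconn": ("remote_port", "remote_ip", "local_port", "local_ip",
                               "netconn_domain", "netconn_inbound", "netconn_protocol"),
    "endpoint.event.filemod": ("filemod_hash", "filemod_name"),
    "endpoint.event.regmod": ("regmod_name",),
    "endpoint.event.moduleload": ("modload_name",),
    "endpoint.event.crossproc": ("crossproc_name", "crossproc_hash",
                                 "crossproc_reputation", "crossproc_publisher"),
}
# Subset of the common fields this check treats as mandatory (an assumption of
# this example; the page itself marks only sensor_action as optional).
COMMON_FIELDS = ("type", "schema", "org_key", "device_id", "device_name",
                 "device_timestamp", "backend_timestamp", "process_guid",
                 "process_path", "process_hash")


def validate_event(ev: dict) -> list:
    """Return the schema problems for one event (empty when it conforms)."""
    problems = [f"missing common field {f}" for f in COMMON_FIELDS if f not in ev]
    expected = TYPE_FIELDS.get(ev.get("type"))
    if expected is None:
        problems.append(f"unknown event type {ev.get('type')!r}")
        return problems
    problems += [f"missing {f} for {ev['type']}" for f in expected if f not in ev]
    return problems


def describe_event(ev: dict) -> str:
    """One-line, type-specific summary suitable for a triage log."""
    kind = ev["type"].rsplit(".", 1)[-1]
    proc = ev.get("process_path", "?")
    if kind == "netconn":
        # netconn_domain may be empty when the connection went straight to an IP.
        remote = ev["netconn_domain"] or ev["remote_ip"]
        arrow = "<-" if ev["netconn_inbound"] else "->"
        return (f"netconn {proc} {ev['local_ip']}:{ev['local_port']} {arrow} "
                f"{remote}:{ev['remote_port']} {ev['netconn_protocol']}")
    if kind == "filemod":
        return f"filemod {proc} modified {ev['filemod_name']} sha256={ev['filemod_hash'][1]}"
    if kind == "regmod":
        return f"regmod {proc} modified {ev['regmod_name']}"
    if kind == "moduleload":
        return f"moduleload {proc} loaded {ev['modload_name']}"
    if kind == "crossproc":
        return f"crossproc {proc} -> {ev['crossproc_name']} ({ev['crossproc_reputation']})"
    if kind in ("procstart", "procend", "apicall"):
        return f"{kind} {proc} action={ev.get('action', '?')}"
    raise ValueError(f"unsupported event type {ev['type']!r}")


def base_event(**extra) -> dict:
    """Constructed procstart event carrying the mandatory common fields."""
    ev = {"type": "endpoint.event.procstart", "schema": 1, "org_key": "ABCD1234",
          "device_id": 7245126, "device_name": "cbc-win10",
          "device_timestamp": "2020-03-25 22:38:03.353 +0000 UTC",
          "backend_timestamp": "2020-03-25 22:38:54 +0000 UTC",
          "process_guid": "ABCD1234-006e8d46-00001310-00000000-1d5fd46cc37d700",
          "process_path": "c:\\windows\\system32\\cmd.exe",
          "process_hash": ["0" * 32, "0" * 64], "action": "ACTION_CREATE_PROCESS"}
    ev.update(extra)
    return ev


# Constructed records: a well-formed netconn, a filemod missing its hash, an unknown type.
SAMPLE_EVENTS = [
    base_event(type="endpoint.event.netconn", remote_port=443, remote_ip="203.0.113.10",
               local_port=51515, local_ip="10.0.0.5", netconn_domain="",
               netconn_inbound=False, netconn_protocol="TCP"),
    base_event(type="endpoint.event.filemod", filemod_name="c:\\users\\public\\run.ps1"),
    base_event(type="endpoint.event.unknown"),
]
```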
“Common fields” are present in all alert types, while other fields are only present for a specific alert type.
The Event Forwarder emits a set of common fields for every alert. These fields represent common metadata for the customer, device, and alert.
Field | Definition |
---|---|
type | The alert type. Use this field to determine which fields should be expected per the specs below. One of CB_ANALYTICS, DEVICE_CONTROL, WATCHLIST |
id | The unique long id of the alert |
legacy_alert_id | The unique short id of the alert |
org_key | The organization key associated with the console instance. Can be used to disambiguate alerts from different customers/organizations. |
create_time | The time the alert was created |
last_update_time | The time the alert was last updated |
first_event_time | The time the first event associated with the alert was seen |
last_event_time | The time the most recent event associated with the alert was seen |
threat_id | ID of the threat to which this alert belongs |
severity | The severity of the alert |
category | Type of alert. One of WARNING, NOTICE. Note: the values differ from the Alerts API, where WARNING is THREAT and NOTICE is MONITORED |
device_id | Integer ID of the device that created this alert |
device_os | OS type of the device (Windows/OSX/Linux) |
device_os_version | Version of the OS on the device (e.g. Windows 10 x64) |
device_name | Hostname of the device that created this alert |
device_username | Logged-on user during the alert |
device_internal_ip | IP address of the endpoint as reported by the sensor. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”) |
device_external_ip | IP address of the endpoint from the perspective of the Carbon Black Cloud. Can differ from device_internal_ip due to a network proxy or NAT. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”) |
device_uem_id | “Unified Endpoint Management” identifier assigned by VMware Workspace ONE Intelligence; only populated if the Workspace ONE integration is configured. Unique across Carbon Black Cloud, in GUID format (e.g. “FC3992EE-A8CD-5AD5-AC6D-A477490456E4”) |
policy_id | ID associated with the policy that triggered the alert |
policy_name | Name of the policy that triggered the alert |
target_value | Device priority as assigned via the policy. One of LOW, MEDIUM, HIGH, CRITICAL |
workflow | Tracking system for alerts as they are triaged and resolved |
notes_present | True if notes are associated with the alert |
tags | A list of tags associated with the alert |
alert_url | A redirect link to refer back to the Carbon Black Cloud console. CB_ANALYTICS alerts will redirect to the Alert Triage page for the specific alert. WATCHLIST alerts will redirect to the Investigate page for the specific alert. DEVICE_CONTROL alerts will redirect to the Alerts page. |
CB_ANALYTICS alerts include the following fields in addition to the common alert fields.
Field | Definition |
---|---|
reason | Description of the alert |
reason_code | Shorthand enum for the full-text reason |
process_name | Name of the executable file backing this process on the device’s file system |
device_location | The location of the device. One of ONSITE, OFFSITE, UNKNOWN |
created_by_event_id | The ID of the event that created the alert |
threat_indicators | List of the threat indicators that make up the threat |
threat_activity_dlp | Whether the alert involved DLP. One of NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED |
threat_activity_phish | Whether the alert involved phishing. One of NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED |
threat_activity_c2 | Whether the alert involved a C2 server. One of NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED |
threat_cause_actor_sha256 | SHA-256 of the threat cause actor |
threat_cause_actor_name | Process name or IP address of the threat actor |
threat_cause_actor_process_pid | PID of the actor process |
threat_cause_reputation | Reputation of the threat cause |
threat_cause_threat_category | Threat category. One of UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM |
threat_cause_vector | Source of the threat cause |
threat_cause_cause_event_id | Event ID that triggered the alert |
blocked_threat_category | The category of threat on which the sensor was able to take action. One of UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM |
not_blocked_threat_category | Other potentially malicious activity involved in the threat on which the sensor was not able to take action, either due to policy configuration or because no relevant rule existed. One of UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM |
kill_chain_status | Phase of the Cyber Kill Chain the alert represents |
sensor_action | The action taken by the sensor, according to the rules of the policy. One of POLICY_NOT_APPLIED, ALLOW, ALLOW_AND_LOG, TERMINATE, DENY |
run_state | Whether the threat in the alert actually ran. One of DID_NOT_RUN, RAN, UNKNOWN |
policy_applied | Whether a policy was applied |
DEVICE_CONTROL alerts include the following fields in addition to the common alert fields.
Field | Definition |
---|---|
reason | Description of the alert |
reason_code | Shorthand enum for the full-text reason |
device_location | The location of the device. One of ONSITE, OFFSITE, UNKNOWN |
threat_cause_threat_category | Threat category. One of UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM |
threat_cause_vector | Source of the threat cause |
threat_cause_cause_event_id | Event ID that triggered the alert |
run_state | Whether the threat in the alert actually ran. One of DID_NOT_RUN, RAN, UNKNOWN |
policy_applied | Whether a policy was applied |
vendor_name | The name of the USB device’s vendor |
vendor_id | The hexadecimal id of the USB device’s vendor |
product_name | The name of the USB device’s product |
product_id | The hexadecimal id of the USB device’s product |
external_device_friendly_name | The human-readable USB device name |
serial_number | The serial number of the USB device |
WATCHLIST alerts include the following fields in addition to the common alert fields.
Field | Definition |
---|---|
ioc_id | ID of the IOC that caused the hit |
ioc_field | Field the IOC hit contains |
ioc_hit | IOC field value, or IOC query that matches |
watchlists | List of watchlists associated with the alert |
process_guid | Unique ID of the process |
report_id | ID of the report that generated a hit on the process |
report_name | Name of the report that generated a hit on the process |
process_path | Tokenized path of the process’ binary |
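Consumers typically flatten the three alert types into one queue, which means mapping the forwarder's `category` values onto the Alerts API names noted in the common fields table and pulling out the type-specific fields listed above. The following added example (not the project's own code) does that for CB_ANALYTICS, WATCHLIST and DEVICE_CONTROL alerts; the sample alerts are constructed, reduced to the fields the example reads, and reuse values from this page's samples.

```python
from datetime import datetime, timezone

# Forwarder category values versus the names the Alerts API uses for them.
CATEGORY_TO_ALERTS_API = {"WARNING": "THREAT", "NOTICE": "MONITORED"}


def parse_alert_time(value: str) -> datetime:
    """Alert timestamps are ISO-8601 UTC, e.g. '2021-01-04T23:33:32Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize_alert(alert: dict) -> dict:
    """Flatten one forwarder alert into the fields a triage queue needs."""
    kind = alert["type"]
    created = parse_alert_time(alert["create_time"])
    first = parse_alert_time(alert["first_event_time"])
    out = {
        "id": alert["id"], "type": kind, "severity": alert["severity"],
        "api_category": CATEGORY_TO_ALERTS_API[alert["category"]],
        "device": alert["device_name"], "ran": alert.get("run_state") == "RAN",
        # Seconds between the first contributing event and the alert being raised.
        "detect_latency_s": (created - first).total_seconds(),
    }
    if kind == "CB_ANALYTICS":
        # threat_indicators is a list of {process_name, sha256, ttps[]} objects.
        ttps = sorted({t for ind in alert.get("threat_indicators", [])
                       for t in ind.get("ttps", [])})
        out["detail"] = {"reason_code": alert["reason_code"], "ttps": ttps,
                         "kill_chain": alert.get("kill_chain_status", []),
                         "policy_applied": alert.get("policy_applied")}
    elif kind == "WATCHLIST":
        out["detail"] = {"watchlists": [w["name"] for w in alert["watchlists"]],
                         "report": alert["report_name"], "ioc_hit": alert["ioc_hit"]}
    elif kind == "DEVICE_CONTROL":
        out["detail"] = {"usb": f"{alert['vendor_name']} {alert['product_name']}",
                         "vid_pid": f"{alert['vendor_id']}:{alert['product_id']}",
                         "serial": alert["serial_number"],
                         "blocked": alert.get("sensor_action") == "DENY"}
    else:
        raise ValueError(f"unknown alert type {kind!r}")
    return out


def triage_order(alerts: list) -> list:
    """Summaries sorted so THREAT alerts come first, then by severity descending."""
    return sorted((summarize_alert(a) for a in alerts),
                  key=lambda s: (s["api_category"] != "THREAT", -s["severity"]))


def _alert(**fields) -> dict:
    """Constructed alert skeleton; callers override type-specific fields."""
    base = {"org_key": "ABCD1234", "create_time": "2021-01-04T22:22:52Z",
            "first_event_time": "2021-01-04T22:22:42Z", "device_name": "win10-lab",
            "severity": 4, "category": "NOTICE", "run_state": "RAN"}
    base.update(fields)
    return base


SAMPLE_ALERTS = [
    _alert(type="CB_ANALYTICS", id="cba-1", reason_code="R_FILELESS",
           threat_indicators=[{"process_name": "powershell.exe", "sha256": "0" * 64,
                               "ttps": ["FILELESS"]},
                              {"process_name": "powershell.exe", "sha256": "0" * 64,
                               "ttps": ["CODE_DROP"]}],
           kill_chain_status=["DELIVER_EXPLOIT"], policy_applied="NOT_APPLIED"),
    _alert(type="WATCHLIST", id="wl-1", severity=7, category="WARNING",
           watchlists=[{"id": "w1", "name": "Carbon Black Advanced Threats"}],
           report_name="Execution - PowerShell Downloading Behaviors Detected",
           ioc_hit="process_cmdline:powershell*"),
    _alert(type="DEVICE_CONTROL", id="uds-1", severity=3, category="WARNING",
           run_state="DID_NOT_RUN", sensor_action="DENY", vendor_name="SanDisk",
           vendor_id="0x0781", product_name="U3 Cruzer Micro", product_id="0x5406",
           serial_number="0875920EF7C2A304"),
]
```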
The following are samples of data: an endpoint.event, a Watchlist Alert, a CB Analytics Alert, and a Device Control Alert.
```json
{
"type": "endpoint.event.procstart",
"process_guid": "ABCD1234-006e8d46-00001310-00000000-1d5fd46cc37d700",
"parent_guid": "ABCD1234-006e8d46-00000290-00000000-1d5fa5dbbaa12ce",
"backend_timestamp": "2020-03-25 22:38:54 +0000 UTC",
"org_key": "ABCD1234",
"device_id": "7245126",
"device_name": "cbc-win10",
"device_external_ip": "72.152.92.146",
"device_os": "WINDOWS",
"device_group": "Windows Group",
"action": "ACTION_CREATE_PROCESS",
"schema": 1,
"event_description": "The application \"<share><link hash=\"0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043\">C:\\program files (x86)\\google\\chrome\\application\\chrome.exe</link></share>\" invoked the application \"<share><link hash=\"0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043\">C:\\program files (x86)\\google\\chrome\\application\\chrome.exe</link></share>\". ",
"alert_id": "WXYZ0987",
"event_id": "54885ebc6ee911eabc70416f8358e4f2",
"device_timestamp": "2020-03-25 22:38:03.353 +0000 UTC",
"process_terminated": false,
"process_reputation": "REP_RESOLVING",
"parent_reputation": "",
"process_pid": 4880,
"parent_pid": 656,
"process_publisher": null,
"process_path": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
"parent_path": "c:\\windows\\system32\\services.exe",
"process_hash": [
"3623a0e7cdcf3310ffb4c87c5b43ae02",
"0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043"
],
"parent_hash": [
"db896369fb58241adf28515e3765c514",
"a2e369df26c88015fe1f97c7542d6023b5b1e4830c25f94819507ee5bcb1dfcc"
],
"process_cmdline": "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox",
"parent_cmdline": "",
"process_username": "CBC-WIN10\\user",
"sensor_action": "ACTION_ALLOW",
"childproc_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
"childproc_hash": [
"3623a0e7cdcf3310ffb4c87c5b43ae02",
"0f407d7194e7955e312b177b16cc409ac89b4d0494c60ce75469fd4c474d4043"
],
"target_cmdline": "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --field-trial-handle=1656,13710686576560040528,13403776044656688818,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=5236 --ignored=\" --type=renderer \" /prefetch:8"
}
```
```json
{
"type": "WATCHLIST",
"id": "951d536a-2817-4790-8c97-c2d31624de7c",
"legacy_alert_id": "ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613-BC154984541016AFD2467DF221AA20FD",
"org_key": "ABCD1234",
"create_time": "2021-01-04T23:33:32Z",
"last_update_time": "2021-01-04T23:33:32Z",
"first_event_time": "2021-01-04T23:25:58Z",
"last_event_time": "2021-01-04T23:25:58Z",
"threat_id": "A22D9AFD42B85FF4FE6C8AE1DB6FBD6C",
"severity": 7,
"category": "WARNING",
"device_id": 3775337,
"device_os": "WINDOWS",
"device_name": "CBcloud-win10",
"device_username": "admin",
"policy_id": 6525,
"policy_name": "default",
"target_value": "MEDIUM",
"workflow": {
"state": "OPEN",
"remediation": "",
"last_update_time": "2021-01-04T23:32:19Z",
"comment": "",
"changed_by": "Carbon Black"
},
"device_internal_ip": "123.45.67.890",
"device_external_ip": "23.45.67.89",
"alert_url": "https://defense.conferdeploy.net/cb/investigate/processes?orgId=123\u0026query=alert_id%3A951d536a-2817-4790-8c97-c2d31624de7c+AND+device_id%3A3775337\u0026searchWindow=ALL",
"reason_code": "Process powershell.exe was detected by the report \"Execution - PowerShell Downloading Behaviors Detected\" in watchlist \"Carbon Black Advanced Threats\"",
"process_name": "powershell.exe",
"threat_indicators": [{
"process_name": "powershell.exe",
"sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"ttps": ["e41b000e-eb5a-41f4-aa67-1902d186a457-0"]
}],
"threat_cause_actor_sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"threat_cause_actor_name": "powershell.exe",
"threat_cause_reputation": "COMMON_WHITE_LIST",
"threat_cause_threat_category": "RESPONSE_WATCHLIST",
"threat_cause_vector": "UNKNOWN",
"run_state": "RAN",
"ioc_id": "e41b000e-eb5a-41f4-aa67-1902d186a457-0",
"ioc_hit": "(process_cmdline:powershell* AND (process_cmdline:.downloaddata OR process_cmdline:.downloadstring OR process_cmdline:.downloadfile) -process_cmdline:chocolatey.org*) -enriched:true",
"watchlists": [{
"id": "mrTB06fAQbeNfvl47cQiGg",
"name": "Carbon Black Advanced Threats"
}],
"process_guid": "ABCD1234-00399b69-000033f0-00000000-1d6e2f0ef087613",
"process_path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"report_name": "Execution - PowerShell Downloading Behaviors Detected",
"report_id": "MLRtPcpQGKFh5OE4BT3tQ-e41b000e-eb5a-41f4-aa67-1902d186a457",
"status": "UNRESOLVED"
}
```
```json
{
"type": "CB_ANALYTICS",
"id": "36259335daf0f2c4edb11ebb2828b41ebaf3867",
"legacy_alert_id": "ZHGKP3EM",
"org_key": "ABCD1234",
"create_time": "2021-01-04T22:22:52Z",
"last_update_time": "2021-01-04T22:23:05Z",
"first_event_time": "2021-01-04T22:22:42Z",
"last_event_time": "2021-01-04T22:22:42Z",
"threat_id": "f7959830dfea89252d459b056ab43222",
"severity": 4,
"category": "NOTICE",
"device_id": 3625933,
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64",
"device_name": "win10-ps-moid",
"device_username": "jdoe@carbonblack.com",
"policy_id": 6525,
"policy_name": "default",
"target_value": "MEDIUM",
"workflow": {
"state": "OPEN",
"remediation": "",
"last_update_time": "2021-01-04T22:22:52Z",
"comment": "",
"changed_by": "Carbon Black"
},
"device_internal_ip": "123.45.67.890",
"device_external_ip": "23.45.67.89",
"alert_url": "https://defense.conferdeploy.net/triage?incidentId=ZHGKP3EM\u0026orgId=123",
"reason": "The application powershell.exe is executing a fileless script or command.",
"reason_code": "R_FILELESS",
"process_name": "powershell.exe",
"device_location": "OFFSITE",
"created_by_event_id": "5daf0f2c4edb11ebb2828b41ebaf3867",
"threat_indicators": [{
"process_name": "powershell.exe",
"sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"ttps": ["MODIFY_MEMORY_PROTECTION"]
}, {
"process_name": "powershell.exe",
"sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"ttps": ["MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"]
}, {
"process_name": "powershell.exe",
"sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"ttps": ["FILELESS"]
}, {
"process_name": "powershell.exe",
"sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"ttps": ["MITRE_T1057_PROCESS_DISCOVERY"]
}, {
"process_name": "powershell.exe",
"sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"ttps": ["CODE_DROP"]
}, {
"process_name": "powershell.exe",
"sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"ttps": ["ENUMERATE_PROCESSES"]
}],
"threat_cause_actor_sha256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
"threat_cause_actor_name": "powershell.exe",
"threat_cause_actor_process_pid": "3292-132541831999374961-0",
"threat_cause_reputation": "COMMON_WHITE_LIST",
"threat_cause_threat_category": "NON_MALWARE",
"threat_cause_vector": "UNKNOWN",
"threat_cause_cause_event_id": "5daf0f344edb11ebb2828b41ebaf3867",
"blocked_threat_category": "UNKNOWN",
"not_blocked_threat_category": "NON_MALWARE",
"kill_chain_status": ["DELIVER_EXPLOIT"],
"run_state": "RAN",
"policy_applied": "NOT_APPLIED"
}
```
```json
{
"type": "DEVICE_CONTROL",
"id": "uds_c8eb7306af264a9ab677814b3af69720",
"legacy_alert_id": "C8EB7306-AF26-4A9A-B677-814B3AF69720",
"org_key": "6X3T6RYXJ",
"create_time": "2020-11-17T22:05:13Z",
"last_update_time": "2020-11-17T22:05:13Z",
"first_event_time": "2020-11-17T22:02:16Z",
"last_event_time": "2020-11-17T22:02:16Z",
"threat_id": "60b43c178d148756368ddea72f731ce108ea54d2b29171bff509c619d2a7eb6c",
"severity": 3,
"category": "WARNING",
"device_id": 7604419,
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64",
"device_name": "DESKTOP-4O07JV2",
"device_username": "jdoe",
"policy_id": 6997287,
"policy_name": "Standard",
"target_value": "MEDIUM",
"workflow": {
"state": "OPEN",
"remediation": "",
"last_update_time": "2020-11-17T22:02:16Z",
"comment": "",
"changed_by": "Carbon Black"
},
"device_internal_ip": "172.17.2.130",
"device_external_ip": "71.218.76.221",
"alert_url": "https://defense-eap01.conferdeploy.net/alerts?orgId=1889976",
"reason": "Access attempted on unapproved USB device SanDisk U3 Cruzer Micro (SN: 0875920EF7C2A304). A Deny Policy Action was applied.",
"reason_code": "6D578342-9DE5-4353-9C25-1D3D857BFC5B:DCAEB1FA-513C-4026-9AB6-37A935873FBC",
"device_location": "UNKNOWN",
"threat_cause_threat_category": "NON_MALWARE",
"threat_cause_vector": "REMOVABLE_MEDIA",
"threat_cause_cause_event_id": "FCEE2AF0-D832-4C9F-B988-F11B46028C9E",
"sensor_action": "DENY",
"run_state": "DID_NOT_RUN",
"policy_applied": "APPLIED",
"vendor_name": "SanDisk",
"vendor_id": "0x0781",
"product_name": "U3 Cruzer Micro",
"product_id": "0x5406",
"serial_number": "0875920EF7C2A304"
}
```
See also: Event Forwarder Configuration API Documentation; Quick Setup in Postman & S3 Bucket Configuration; Deconstructing the Process GUID. For event field mapping between EDR (CB Response) events and Carbon Black Cloud Event Forwarder events, see the Migration Guide.