Search Fields - Processes and Enriched Events
Version: v2
The following table lists the fields that can be returned in the response or used for searching with the Carbon Black Cloud Platform Search API for Processes or Platform Search API for Enriched Events.
Using the Schema
View the definition of each field, default values, whether it is required, searchable and/or tokenized. You can also see accepted values and routes supported per each field.
Possible routes
- EVENT - Returns data about an observable occurrence on an endpoint
- ENRICHED_EVENT - Returns endpoint data that has been analyzed against typical attacker behavior and flagged as potentially malicious
- PROCESS - Returns data about instances where a program was executed on an endpoint
- FACET - These fields can be used for sorting and filtering search queries or returning most prevalent values.
- DETAILS - Returns the full set of data for Processes or Enriched Events
- ENRICHED_EVENT DETAILS - Returns the full set of data only for Enriched Events
- SUMMARY / TREE - Returns fields from a process summary search
Note: For fields where the Routes Supported column contains no entries, this means this field is not returned by any API route - it is only useable in the search request.
Additional indicators
- TOKENIZED - Can be searched by a partial phrase
- Searchable - Indicates that the field can be used in the criteria, exclusion or query elements of search requests e.g.
process_name:chrome.exe - Value-Searchable - Indicates that the field’s value is searchable though a value based query e.g.
chrome.exe- Rather than having to explicitly search
process_name:chrome.exe OR childproc_name:chrome.exe OR filemod_name:chrome.exe, a search forchrome.exewill find that string in any of those three fields for you as well as in other value search enabled fields
- Rather than having to explicitly search
- Aggregation Only - Indicates that the field is only returned for the Aggregation endpoint for Enriched Events
- Processes Only - Indicates that the field is only searchable for Processes
- *** - Indicates that the field needs to be requested in the
fieldsproperty of a search job
Searching across both Endpoint Standard and Enterprise EDR data? See below for limitations.
Schema
Note: Additional details and examples can be found in the Carbon Black Cloud console search guide.
| Field Name | Definition | Values | Routes Supported |
|---|---|---|---|
alert_category |
Searchable.
A Carbon Black Cloud classification for events tagged to an alert indicating whether the event is a “threat” or “observed” Requires Endpoint Standard |
String[]
THREAT, OBSERVED |
ENRICHED_EVENT PROCESS EVENT FACET DETAILS |
alert_id |
Searchable.
ID of the alert(s) associated with the process or event. Note id or legacy_alert_id will work for searching events or processes associated with a CB_ANALYTIC alert |
TOKENIZED
String[] |
ENRICHED_EVENT PROCESS EVENT FACET DETAILS |
backend_timestamp |
Searchable.
Timestamp when the Carbon Black Cloud processed and enabled the data for searching; occurs after ingress_time; may differ from device_timestamp by a few minutes due to asynchronous processing |
ISO 8601 UTC timestamp | ENRICHED_EVENT PROCESS FACET DETAILS SUMMARY / TREE |
blocked_effective_reputation |
Searchable.
Value-Searchable. Effective reputation of the blocked file; applied by the sensor when the event occurs |
String
ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST |
ENRICHED_EVENT PROCESS DETAILS |
blocked_hash |
Searchable.
MD5 and SHA-256 hash(es) of the child process(es) binary; for any process(es) terminated by the sensor |
String[] | ENRICHED_EVENT PROCESS DETAILS |
blocked_name |
Searchable.
Value-Searchable. Tokenized file path of the files blocked by sensor action |
TOKENIZED
String |
ENRICHED_EVENT PROCESS DETAILS |
childproc_cmdline |
Searchable.
Value-Searchable. Command line of the child process. |
TOKENIZED
String |
ENRICHED_EVENT DETAILS EVENT |
childproc_cmdline_length |
Searchable.
Character count of the child process' command line Requires Endpoint Standard |
Integer | ENRICHED_EVENT DETAILS |
childproc_count |
Searchable.
Count of childproc events reported by the sensor since last initialization Requires Enterprise EDR |
Integer | ENRICHED_EVENT PROCESS FACET DETAILS SUMMARY / TREE |
childproc_effective_reputation |
Searchable.
Value-Searchable. Effective reputation of the child process; applied by the sensor when the event occurs |
String
ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST |
ENRICHED_EVENT DETAILS EVENT |
childproc_effective_reputation_source |
Source of the effective reputation for the child process | String
IGNORE, CLOUD, PRE_EXISTING, AV, IT_TOOLS, CERT, HASH_REP, APPROVED_DATABASE |
ENRICHED_EVENT DETAILS |
childproc_guid |
Searchable.
Unique identifier for the child process; same as childproc_process_guid |
String | ENRICHED_EVENT*** FACET ENRICHED_EVENT DETAILS |
childproc_hash |
Searchable.
Hash(es) of the child process(es)' binary (MD5 or SHA-256 for Enterprise EDR, SHA-256 for Endpoint Standard) |
String[] | ENRICHED_EVENT DETAILS |
childproc_md5 |
Searchable.
MD5 hash of the binary executed by the child process |
String | EVENT |
childproc_name |
Searchable.
Value-Searchable. Filesystem path of the child process' binary |
TOKENIZED
String |
ENRICHED_EVENT DETAILS EVENT |
childproc_pid |
Process identifier assigned by the operating system to the child process | Integer | ENRICHED_EVENT DETAILS |
childproc_process_guid |
Searchable.
Unique identifier for the child process; same as childproc_guid |
String | EVENT |
childproc_publisher |
Publisher name on the certificate used to sign the Windows or macOS binary of child process(es)
Requires Enterprise EDR |
String[] | ENRICHED_EVENT DETAILS |
childproc_publisher_state |
Searchable.
Value-Searchable. State of the digital signature(s) of the child processes' binaries Requires Enterprise EDR |
String[]
Combine any: FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED
Use One: FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN |
ENRICHED_EVENT DETAILS |
childproc_reputation |
Searchable.
Value-Searchable. Reputation of the child process; applied by the Carbon Black Cloud when the event was processed |
String
ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST |
ENRICHED_EVENT DETAILS |
childproc_sha256 |
Searchable.
SHA-256 hash of the binary executed by the child process in the event |
String | EVENT |
childproc_suppressed |
True if the Carbon Black Cloud suppressed one or more childproc process records; not present if false (suppressed if the child process shows no interesting activity after the process is created); Linux sensors only | Boolean | EVENT |
childproc_username |
Searchable.
The user context in which the child process was executed |
TOKENIZED
String |
EVENT |
crossproc_action |
Searchable.
Value-Searchable. The cross-process action initiated by the actor process |
String
ACTION_API_CALL, ACTION_DUP_PROCESS_HANDLE, ACTION_OPEN_THREAD_HANDLE, ACTION_DUP_THREAD_HANDLE, ACTION_CREATE_REMOTE_THREAD |
ENRICHED_EVENT DETAILS EVENT |
crossproc_api |
Searchable.
Name of the operating system API called by the actor process. In cases where that call targets another process, that process is reported as crossproc_name. In cases where there is no target process, this field represents a system API call. Available with:
|
String | ENRICHED_EVENT DETAILS EVENT |
crossproc_cmdline |
Command line of the cross-process command | TOKENIZED
String |
ENRICHED_EVENT DETAILS |
crossproc_cmdline_length |
Character count of the cross-process command line executed | String | ENRICHED_EVENT DETAILS |
crossproc_count |
Searchable.
Count of crossproc events reported by the sensor since last initialization Requires Enterprise EDR |
Integer | ENRICHED_EVENT PROCESS FACET DETAILS SUMMARY / TREE |
crossproc_effective_reputation |
Effective reputation of the binary on one side of the cross-process action; if crossproc_target=true, it is the effective reputation of the process targeted in the cross-process action; if crossproc_target=false, it is of the actor process (applied by the sensor when the event occurred) | String
ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST |
ENRICHED_EVENT DETAILS EVENT |
crossproc_effective_reputation_source |
Source of the effective reputation for the cross-process | String
IGNORE, CLOUD, PRE_EXISTING, AV, IT_TOOLS, CERT, HASH_REP, APPROVED_DATABASE |
ENRICHED_EVENT DETAILS |
crossproc_guid |
Unique process identifier of one of the cross-process members; if crossproc_target=true, it is the GUID of the process targeted in the cross-process action; if crossproc_target=false, it is the GUID of the actor process (same as crossproc_process_guid) | String | ENRICHED_EVENT DETAILS |
crossproc_hash |
Searchable.
MD5 and/or SHA-256 hash(es) of the binaries whose processes are running on one side of the cross-process action; if crossproc_target=true, the hash(es) are of the process targeted in the cross-process action; if crossproc_target=false, the hash(es) are of the actor process |
String[] | ENRICHED_EVENT DETAILS |
crossproc_md5 |
Searchable.
MD5 hash of the binary on one side of the cross-process action; if crossproc_target=true, it is the MD5 of the process targeted in the cross-process action; if crossproc_target=false, it is the MD5 of the actor process |
String | EVENT |
crossproc_name |
Searchable.
Value-Searchable. Filesystem path of the binary of one side of the cross-process action (can be missing for certain crossproc actions); if crossproc_target=true, it is the path of the process targeted in the cross-process action; if crossproc_target=false, it is the path of the actor process |
TOKENIZED
String |
ENRICHED_EVENT DETAILS EVENT |
crossproc_pid |
Process identifier assigned by the operating system to one of the cross-process members; if crossproc_target=true, it is the PID of the process targeted in the cross-process action; if crossproc_target=false, it is the PID of the actor process | Integer | ENRICHED_EVENT DETAILS |
crossproc_process_guid |
Searchable.
Unique identifer of the process on one side of the cross-process action; if crossproc_target=true, it is the GUID of the process targeted in the cross-process action; if crossproc_target=false, it is the GUID of the actor process (same as crossproc_guid) |
String | EVENT |
crossproc_sha256 |
Searchable.
SHA-256 hash of the binary on one side of the cross-process action; if crossproc_target=true, it is the SHA-256 of the process targeted in the cross-process action; if crossproc_target=false, it is the SHA-256 of the actor process |
String | EVENT |
crossproc_target |
Searchable.
True if the process was the target of the cross-process event; false if the process was the actor |
Boolean | ENRICHED_EVENT DETAILS EVENT |
device_external_ip |
Searchable.
Value-Searchable. IP address of the endpoint according to the Carbon Black Cloud; can differ from device_internal_ip due to network proxy or NAT; either IPv4 (dotted decimal notation) or IPv6 (proprietary format documented below) |
String | ENRICHED_EVENT*** PROCESS*** FACET DETAILS SUMMARY / TREE |
device_group |
Searchable.
Value-Searchable. Sensor group to which the endpoint was assigned when the sensor recorded the event data |
String | ENRICHED_EVENT*** PROCESS*** FACET DETAILS |
device_group_id |
Searchable.
ID assigned to the device_group by Carbon Black Cloud |
Integer | ENRICHED_EVENT PROCESS DETAILS SUMMARY / TREE |
device_id |
Searchable.
ID assigned to the endpoint by Carbon Black Cloud; unique across all Carbon Black Cloud environments |
Integer | ENRICHED_EVENT PROCESS FACET DETAILS SUMMARY / TREE |
device_installed_by |
Searchable.
The Carbon Black Cloud user who was logged in to the endpoint when the sensor was installed (e.g. pat.malarkey@email.com, DOMAIN\pmalarkey or pmalarkey) |
TOKENIZED
String |
DETAILS |
device_internal_ip |
Searchable.
Value-Searchable. IP address of the endpoint reported by the sensor; either IPv4 (dotted decimal notation) or IPv6 (proprietary format, documented below) |
String | ENRICHED_EVENT*** PROCESS*** FACET DETAILS |
device_location |
The endpoint’s current location relative to the organization’s network, based on the current IP address and the device’s registered DNS domain suffix | String
ONSITE, OFFSITE, UNKNOWN |
DETAILS |
device_name |
Searchable.
Value-Searchable. Hostname of the endpoint recorded by the sensor when last initialized |
TOKENIZED
String |
ENRICHED_EVENT PROCESS FACET DETAILS |
device_os |
Searchable.
Value-Searchable. The operating system of the endpoint |
String
WINDOWS, MAC, LINUX |
ENRICHED_EVENT*** PROCESS*** FACET DETAILS |
device_os_version |
Searchable.
Value-Searchable. The operating system and version of the endpoint Requires Windows CBC sensor version 3.5 or later |
TOKENIZED
String |
DETAILS |
device_policy |
Searchable.
Value-Searchable. Policy applied to the endpoint in the Carbon Black Cloud |
String | ENRICHED_EVENT*** PROCESS*** FACET DETAILS |
device_policy_id |
Searchable.
ID assigned to the device_policy by the Carbon Black Cloud |
Integer | ENRICHED_EVENT PROCESS DETAILS |
device_target_priority |
The “Target value” configured in the policy assigned to the sensor
Requires Endpoint Standard |
String
MISSION_CRITICAL, HIGH, MEDIUM, LOW |
DETAILS |
device_timestamp |
Searchable.
Sensor-reported timestamp of the batch of events in which this record was submitted to Carbon Black Cloud |
ISO 8601 UTC timestamp | ENRICHED_EVENT PROCESS FACET DETAILS SUMMARY / TREE |
enriched |
Searchable.
True if the result includes data from the Endpoint Standard product. Not present if false. Requires Endpoint Standard |
Boolean | ENRICHED_EVENT PROCESS EVENT FACET DETAILS |
enriched_event_type |
Searchable.
Event type(s) as determined by the Carbon Black Cloud Requires Endpoint Standard |
String
CREATE_PROCESS, DATA_ACCESS, FILE_CREATE, INJECT_CODE, NETWORK, OTHER_BEHAVIOR, POLICY_ACTION, REGISTRY_ACCESS, STATIC_SCAN, SYSTEM_API_CALL
Note: enriched_event_type will be a String[] on Process Search |
ENRICHED_EVENT PROCESS EVENT FACET DETAILS |
event_attack_stage |
Searchable.
Stage(s) of the cyber kill chain when an attack was terminated by sensor Requires Endpoint Standard |
String
BREACH, COMMAND_AND_CONTROL, DELIVER_EXPLOIT, EXECUTE_GOAL, INSTALL_RUN, RECONNAISSANCE, WEAPONIZE
Note: event_attack_stage will be a String[] on Process Search |
ENRICHED_EVENT*** PROCESS*** FACET DETAILS |
event_description |
Searchable.
Value-Searchable. Event description calculated by the Carbon Black Cloud Requires Endpoint Standard |
TOKENIZED
String |
ENRICHED_EVENT EVENT ENRICHED_EVENT DETAILS |
event_hash |
Hash of the event to allow for deduplication of events. | String | EVENT |
event_id |
Searchable.
Unique event identifier assigned by the Carbon Black Cloud |
String
Formats: b74addedf22511eaa5b90997e383f3bf, 21EF16B0-AB2E-413A-ABD0-9697C9FD0211 |
ENRICHED_EVENT FACET ENRICHED_EVENT DETAILS |
event_network_local_ipv4 |
IPv4 address of the local side of the network connection (stored as dotted decimal); similar to netconn_local_ipv4
Requires Endpoint Standard |
String | ENRICHED_EVENT ENRICHED_EVENT DETAILS |
event_network_location |
Geolocation of the remote side of the network connection; same as netconn_location and netconn_remote_location
Requires Endpoint Standard |
TOKENIZED
String Format: City,Region/State,Country
Note: One or more of the three sections will be included in a comma separated list |
ENRICHED_EVENT ENRICHED_EVENT DETAILS |
event_network_protocol |
Network protocol of the network connection; similar to netconn_protocol
Requires Endpoint Standard |
String
TCP, UDP |
ENRICHED_EVENT ENRICHED_EVENT DETAILS |
event_network_remote_ipv4 |
IPv4 address of the remote side of the network connection (stored as dotted decimal); similar to netconn_ipv4 and netconn_remote_ipv4
Requires Endpoint Standard |
String | ENRICHED_EVENT ENRICHED_EVENT DETAILS |
event_network_remote_port |
TCP or UDP port used by the remote side of the network connection; same as netconn_port and netconn_remote_port
Requires Endpoint Standard |
Integer | ENRICHED_EVENT ENRICHED_EVENT DETAILS |
event_threat_score |
Searchable.
Score(s) assigned by Carbon Black Cloud for the detected threat (Returns values 0-8) Requires Endpoint Standard |
Integer[] | DETAILS |
event_timestamp |
Searchable.
Timestamp reported by the sensor when the event occured |
ISO 8601 UTC timestamp | EVENT |
event_type |
Searchable.
Type of event observed |
String
filemod,
netconn,
regmod,
modload,
crossproc,
childproc,
scriptload,
fileless_scriptload
Note: event_type will be a String[] on Process Search |
ENRICHED_EVENT PROCESS EVENT FACET DETAILS |
file_scan_result |
Searchable.
Classification of malware detected during a background scan performed by the Endpoint Standard sensor i.e. enriched_event_type=STATIC_SCAN; returned value is the /-separated combination of malware family and malware name (e.g. TROJAN/TR/PowerShell.Gen, where malware family = TROJAN) Requires Endpoint Standard |
TOKENIZED
String |
DETAILS |
fileless_scriptload_cmdline |
Searchable.
Deobfuscated script content run in a fileless context by the process; compare with process_loaded_script_name, scriptload_content Requires Windows CBC sensor 3.5 or later, Windows 10/Server version 1703 or later and Enterprise EDR For more information see here |
TOKENIZED
String[] |
EVENT |
fileless_scriptload_cmdline_length |
Searchable.
Character count of the deobfuscated script content run in a fileless context; compare with scriptload_content_length Requires Windows CBC sensor 3.5 or later, Windows 10/Server version 1703 or later and Enterprise EDR For more information see here |
Integer[] | EVENT |
fileless_scriptload_hash |
Searchable.
SHA-256 hash(es) of the deobfuscated script content run by the process in a fileless context; compare with fileless_scriptload_sha256, process_loaded_script_hash, scriptload_hash, scriptload_md5, scriptload_sha256 Requires Windows CBC sensor 3.5 or later, Windows 10/Server version 1703 or later and Enterprise EDR For more information see here |
String[] | |
fileless_scriptload_sha256 |
Searchable.
SHA-256 hash of the deobfuscated script content run by the process in a fileless context Requires Windows CBC sensor 3.5 or later, Windows 10/Server version 1703 or later and Enterprise EDR For more information see here |
String | EVENT |
filemod_action |
Action(s) associated with the filemod operation | String
ACTION_INVALID, ACTION_FILE_CREATE, ACTION_FILE_WRITE, ACTION_FILE_DELETE, ACTION_FILE_LAST_WRITE, ACTION_FILE_MOD_OPEN, ACTION_FILE_RENAME, ACTION_FILE_UNDELETE, ACTION_FILE_TRUNCATE, ACTION_FILE_OPEN_READ, ACTION_FILE_OPEN_WRITE, ACTION_FILE_OPEN_DELETE, ACTION_FILE_OPEN_EXECUTE, ACTION_FILE_READ |
ENRICHED_EVENT DETAILS EVENT |
filemod_count |
Searchable.
Count of filemod events reported by the sensor since last initialization Requires Enterprise EDR |
Integer | ENRICHED_EVENT PROCESS FACET DETAILS SUMMARY / TREE |
filemod_hash |
Searchable.
MD5 and/or SHA-256 hash(es) of the file(s) modified by the actor process |
String[] | ENRICHED_EVENT DETAILS |
filemod_md5 |
Searchable.
MD5 hash of the file modified by the actor process |
String | EVENT |
filemod_name |
Searchable.
Value-Searchable. Filesystem path of the file modified by the process |
TOKENIZED
String |
ENRICHED_EVENT DETAILS EVENT |
filemod_new_name |
Searchable.
Filesystem path of the new file modified by the process during ACTION_FILE_RENAME |
String | EVENT |
filemod_old_name |
Searchable.
Filesystem path of the old file modified by the process during ACTION_FILE_RENAME |
String | EVENT |
filemod_publisher |
Searchable.
Publisher name on the certificate(s) used to sign the target file of the filemod |
String[] | ENRICHED_EVENT DETAILS |
filemod_publisher_state |
Searchable.
Value-Searchable. State of the digital signature(s) of the target file of the filemod; checks signatures on Powershell scripts and .MSI/.MSP files |
String[]
Combine any: FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED
Use One: FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN |
ENRICHED_EVENT DETAILS |
filemod_reputation |
Reputation of the target file. | String
ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST |
ENRICHED_EVENT DETAILS |
filemod_sha256 |
Searchable.
SHA-256 hash of the file modified by the actor process |
String | EVENT |
filemod_type |
Type of file involved in the filemod operation
Requires Enterprise EDR |
String
FILE_TYPE_EXECUTABLE_IMAGE, FILE_TYPE_EXECUTABLE_DLL, FILE_TYPE_NOT_SET, FILE_TYPE_UNIDENTIFIED |
ENRICHED_EVENT DETAILS |
hash |
Searchable.
Value-Searchable. Aggregate set of MD5 and SHA-256 hashes associated with the process (including childproc_hash, crossproc_hash, filemod_hash, modload_hash, process_hash); enables one-step search for any matches on the specified hashes |
String[] | |
ingress_time |
Searchable.
Timestamp of when the Carbon Black Cloud receives data for initial processing (Unix format) |
Integer | ENRICHED_EVENT PROCESS DETAILS SUMMARY / TREE |
legacy |
Searchable.
Deprecated; see enriched field (true if the record includes data from the Endpoint Standard; not present if false) |
boolean | ENRICHED_EVENT PROCESS EVENT FACET DETAILS |
modload_action |
Searchable.
Action associated with the modload operation Requires Enterprise EDR |
String
ACTION_LOAD_MODULE |
EVENT |
modload_count |
Searchable.
Count of modload events reported by the sensor since last initialization Requires Enterprise EDR |
Integer | ENRICHED_EVENT PROCESS FACET DETAILS SUMMARY / TREE |
modload_effective_reputation |
Searchable.
Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred Requires Enterprise EDR |
String
ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST |
EVENT |
modload_hash |
Searchable.
MD5 or SHA-256 hash(es) of the module(s) loaded by the process Requires Enterprise EDR |
String[] | |
modload_md5 |
Searchable.
MD5 hash of the module loaded by the process Requires Enterprise EDR |
String | EVENT |
modload_name |
Searchable.
Value-Searchable. Filesystem path(s) of the module(s) loaded by the process Requires Enterprise EDR |
TOKENIZED
String[] |
EVENT |
modload_publisher |
Searchable.
Publisher name on the certificate(s) used to sign the Windows or macOS module binary Requires Enterprise EDR |
String | EVENT |
modload_publisher_state |
Searchable.
Value-Searchable. Digital signature state(s) of the loaded modules' binaries Requires Enterprise EDR |
String[]
Combine any: FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED
Use One: FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN |
EVENT |
modload_sha256 |
Searchable.
SHA-256 hash of the module loaded by the process Requires Enterprise EDR |
String | EVENT |
netconn_action |
Searchable.
Action(s) associated with the netconn operation |
String
ACTION_CONNECTION_CREATE, ACTION_CONNECTION_CLOSE, ACTION_CONNECTION_ESTABLISHED, ACTION_CONNECTION_CREATE_FAILED, ACTION_CONNECTION_LISTEN |
EVENT |
netconn_count |
Searchable.
Count of netconn events reported by the sensor since last initialization Requires Enterprise EDR |
Integer | ENRICHED_EVENT PROCESS FACET DETAILS SUMMARY / TREE |
netconn_domain |
Searchable.
Value-Searchable. Domain name (FQDN) associated with the remote end of the network connection, if available Note: netconn_domain is searchable for PROCESSES but not returnable |
TOKENIZED
String |
ENRICHED_EVENT DETAILS EVENT |
netconn_failed |
Searchable.
True if the outbound network connection attempt failed; if successful, the field is not set |
Boolean | ENRICHED_EVENT DETAILS |
netconn_inbound |
Searchable.
True if the network connection was inbound; false if outbound |
Boolean | ENRICHED_EVENT DETAILS EVENT |
netconn_ipv4 |
Searchable.
Value-Searchable. IPv4 address of the remote side of the network connection; stored as integer (not dotted decimal); searchable using either format |
String | FACET ENRICHED_EVENT DETAILS |
netconn_ipv6 |
Searchable.
Value-Searchable. IPv6 address of the remote side of the network connection; stored as a string without octet-separating colon characters |
String | FACET ENRICHED_EVENT DETAILS |
netconn_listen |
True if the process opened a socket to listen for incoming connections (i.e. where netconn_action = ACTION_CONNECTION_LISTEN); not present if false | Boolean | ENRICHED_EVENT DETAILS |
netconn_local_ipv4 |
Searchable.
Value-Searchable. IPv4 address of the local side of the network connection; stored as an integer (not dotted decimal); searchable by either format |
String | ENRICHED_EVENT DETAILS EVENT |
netconn_local_ipv6 |
Searchable.
Value-Searchable. IPv6 address of the local side of the network connection; stored as a string without octet-separating colon characters |
String | ENRICHED_EVENT DETAILS EVENT |
netconn_local_location |
Geolocation of the local side of the network connection | TOKENIZED
String Format: City,Region/State,Country
Note: One or more of the three sections will be included in a comma separated list |
ENRICHED_EVENT DETAILS |
netconn_local_port |
TCP or UDP port used by the local side of the network connection | Integer | ENRICHED_EVENT DETAILS EVENT |
netconn_location |
Searchable.
Value-Searchable. Geolocation of the remote side of the network connection; same as netconn_remote_location and event_network_location |
TOKENIZED
String Format: City,Region/State,Country
Note: One or more of the three sections will be included in a comma separated list |
EVENT FACET ENRICHED_EVENT DETAILS |
netconn_port |
Searchable.
TCP or UDP port used by the interesting side of the network connection (when netconn_inbound = “true”, this represents the local port; otherwise, this represents the port on the remote side of the network connection); compare with netconn_remote_port, event_network_remote_port and event_network_local_port |
Integer | FACET ENRICHED_EVENT DETAILS |
netconn_protocol |
Searchable.
Value-Searchable. Network protocol of the network connection |
String
PROTO_TCP, PROTO_UDP |
EVENT ENRICHED_EVENT DETAILS |
netconn_proxy_domain |
Searchable.
Domain name (FQDN) associated with the remote side of the connection with an intermediary HTTP network device, usually a proxy server Requires Windows CBC sensor version 3.6 or later and Enterprise EDR Unencrypted intermediary network devices only |
TOKENIZED
String |
EVENT |
netconn_proxy_ipv4 |
Searchable.
IPv4 address of the remote side of the connection with an intermediary HTTP network device, usually a proxy server. Stored as integer not dotted decimal, but searchable using either format Requires Windows CBC sensor version 3.6 or later and Enterprise EDR Unencrypted intermediary network devices only |
String | EVENT |
netconn_proxy_ipv6 |
Searchable.
IPv6 address of the remote side of the connection with an intermediary HTTP network device, usually a proxy server; stored as string without octet-separating colon characters Requires Windows CBC sensor version 3.6 or later and Enterprise EDR Unencrypted intermediary network devices only |
String | EVENT |
netconn_proxy_port |
Searchable.
TCP or UDP port used by the remote side of the connection with an intermediary HTTP network device, usually a proxy server Requires Windows CBC sensor version 3.6 or later and Enterprise EDR Unencrypted intermediary network devices only |
Integer | EVENT |
netconn_remote_ipv4 |
Searchable.
IPv4 address of the remote side of the network connection; stored as integer, not dotted decimal, but searchable as either |
String | EVENT |
netconn_remote_ipv6 |
Searchable.
IPv6 address of the remote side of the network connection; stored as string without octet-separating colon characters |
String | EVENT |
netconn_remote_port |
Searchable.
TCP or UDP port used by the remote side of the network connection; same as netconn_port and event_network_remote_port |
Integer | EVENT |
num_devices |
Count of devices where application is reported for the requested search population
Requires Endpoint Standard |
Integer | Aggregation Only |
num_events |
Count of events attributed to the device or application running on the requested search population
Requires Endpoint Standard |
Integer | Aggregation Only |
org_id |
Searchable.
Organization identifer; unique across all environments and equivalent to org_key in other Carbon Black Cloud APIs |
String | ENRICHED_EVENT PROCESS FACET DETAILS SUMMARY / TREE |
parent_cmdline |
Searchable.
Value-Searchable. Command line of the parent process |
TOKENIZED
String |
DETAILS |
parent_cmdline_length |
Searchable.
Character count of the parent process' command line |
Integer | DETAILS |
parent_effective_reputation |
Searchable.
Value-Searchable. Effective reputation of the parent process; applied by the sensor when the event occurred |
String
ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST |
ENRICHED_EVENT*** PROCESS*** FACET DETAILS SUMMARY / TREE |
parent_effective_reputation_source |
Searchable
Source of the effective reputation for the parent process |
String
IGNORE, CLOUD, PRE_EXISTING, AV, IT_TOOLS, CERT, HASH_REP, APPROVED_DATABASE |
DETAILS |
parent_guid |
Searchable.
Value-Searchable. Unique process identifier assigned to the parent process |
String | ENRICHED_EVENT PROCESS FACET DETAILS SUMMARY / TREE |
parent_hash |
Searchable.
MD5 and/or SHA-256 hash of the parent process binary |
String[] | ENRICHED_EVENT*** PROCESS*** FACET DETAILS |
parent_name |
Searchable.
Value-Searchable. Filesystem path of the parent process binary |
TOKENIZED
String |
ENRICHED_EVENT*** PROCESS*** FACET DETAILS |
parent_pid |
Searchable.
Identifier assigned by the operating system to the parent process |
Integer | ENRICHED_EVENT PROCESS DETAILS |
parent_publisher |
Publisher name(s) on the certificate(s) used to sign the Windows or macOS binary of the parent process
Requires Enterprise EDR |
String[] | DETAILS |
parent_publisher_state |
Searchable.
Value-Searchable. State of the digital signature(s) of the parent process' binary Requires Enterprise EDR |
String[]
Combine any: FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED
Use One: FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN |
DETAILS |
parent_reputation |
Searchable.
Value-Searchable. Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud |
String
ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST |
ENRICHED_EVENT*** PROCESS*** FACET DETAILS |
process_cmdline |
Searchable.
Value-Searchable. Command line executed by the actor process |
TOKENIZED
String[] |
ENRICHED_EVENT*** PROCESS*** FACET DETAILS |
process_cmdline_length |
Searchable.
Character count of the actor process command line |
Integer[] | DETAILS |
process_company_name |
Searchable.
Company name embedded in the portable executable header of the Windows process binary Requires Windows CBC sensor and Enterprise EDR |
TOKENIZED
String |
DETAILS |
process_duration |
Searchable.
Duration of the process (in milliseconds); available after sensor reports the process has terminated; equal to (process_end_time - process_start_time) |
Integer | DETAILS |
process_effective_reputation |
Searchable.
Value-Searchable. Effective reputation of the actor process; applied by the sensor when the event occurred |
String
ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST |
ENRICHED_EVENT*** PROCESS*** FACET DETAILS |
process_effective_reputation_source |
Searchable
Source of the effective reputation for the actor process |
String
IGNORE, CLOUD, PRE_EXISTING, AV, IT_TOOLS, CERT, HASH_REP, APPROVED_DATABASE |
DETAILS |
process_elevated |
Searchable.
“True” if the process was running with elevated privileges; not present if “False” Requires Windows CBC sensor version 3.5 or later and Enterprise EDR |
Boolean | DETAILS |
process_end_time |
Sensor timestamp when the process terminated; available after sensor reports the process has terminated (only for processes whose start times the sensor captured) | ISO 8601 UTC timestamp | DETAILS |
process_file_description |
Searchable.
File description embedded in the portable executable header of the Windows process binary Requires Windows CBC sensor and Enterprise EDR |
TOKENIZED
String |
DETAILS |
process_guid |
Searchable.
Value-Searchable. Unique process identifier for the actor process |
String | ENRICHED_EVENT PROCESS EVENT FACET DETAILS |
process_hash |
Searchable.
MD5 and/or SHA-256 hash of the actor process binary; order may vary when two hashes are reported |
String[] | ENRICHED_EVENT PROCESS FACET DETAILS SUMMARY / TREE |
process_integrity_level |
Searchable.
Windows Mandatory Integrity Control (MIC) level of the process Requires Windows CBC sensor version 3.5 or later and Enterprise EDR |
String
LOW, MEDIUM, HIGH, SYSTEM, PROTECTED |
DETAILS |
process_internal_name |
Searchable.
Internal name embedded in the portable executable header of the Windows process binary Requires Windows CBC sensor and Enterprise EDR |
TOKENIZED
String |
DETAILS |
process_loaded_script_hash |
Searchable.
SHA-256 hash(es) of any script loaded from the filesystem through the duration of the process; compare with fileless_scriptload_hash Requires Endpoint Standard |
String[] | ENRICHED_EVENT DETAILS |
process_loaded_script_name |
Searchable.
Value-Searchable. Filesystem path(s) of any script content loaded from the filesystem through the duration of the process; compare with fileless_scriptload_cmdline, scriptload_content Requires Endpoint Standard |
TOKENIZED
String[] |
ENRICHED_EVENT DETAILS |
process_name |
Searchable.
Value-Searchable. Filesystem path of the actor process binary |
TOKENIZED
String |
ENRICHED_EVENT PROCESS FACET DETAILS SUMMARY / TREE |
process_original_filename |
Searchable.
Original filename embedded in the portable executable header of the Windows process binary Requires Windows CBC sensor and Enterprise EDR |
TOKENIZED
String |
DETAILS |
process_pid |
Searchable.
Process identifier assigned by the operating system; can be multi-valued in case of fork() or exec() process operations on Linux and macOS |
Integer[] | ENRICHED_EVENT PROCESS EVENT FACET DETAILS SUMMARY / TREE |
process_privileges |
Searchable.
Windows privileges associated wth the process (see Microsoft documentation for complete list privilege-constants) Requires Windows CBC sensor version 3.5 or later and Enterprise EDR |
String[] | DETAILS |
process_product_name |
Searchable.
Product name embedded in the portable executable header of the Windows process binary Requires Windows CBC sensor and Enterprise EDR |
TOKENIZED
String |
DETAILS |
process_product_version |
Searchable.
Product version embedded in the portable executable header of the Windows process binary Requires Windows CBC sensor and Enterprise EDR |
TOKENIZED
String |
DETAILS |
process_publisher |
Searchable.
Publisher name on the certificate used to sign the Windows or macOS process binary Requires Enterprise EDR |
TOKENIZED
String[] |
DETAILS |
process_publisher_state |
Searchable.
Value-Searchable. State of the digital signature(s) of a Windows or macOS process binary Requires Enterprise EDR |
String[]
Combine any: FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED
Use One: FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN |
DETAILS |
process_reputation |
Searchable.
Value-Searchable. Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud |
String
ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST |
ENRICHED_EVENT*** PROCESS*** FACET DETAILS SUMMARY / TREE |
process_service_name |
Searchable.
Windows service name(s) assigned to the process Requires Windows CBC sensor version 3.5 or later and Enterprise EDR |
String[] | ENRICHED_EVENT*** PROCESS*** FACET DETAILS |
process_sha256 |
SHA-256 hash of the actor process binary | String | ENRICHED_EVENT*** PROCESS*** FACET DETAILS |
process_start_time |
Searchable.
Sensor reported timestamp of when the process started; not available for processes running before the sensor starts |
ISO 8601 UTC timestamp | ENRICHED_EVENT*** PROCESS*** FACET DETAILS SUMMARY / TREE |
process_terminated |
Searchable.
“True” indicates the process has terminated; always “false” for enriched events (process termination not recorded) Requires Enterprise EDR |
Boolean | ENRICHED_EVENT PROCESS DETAILS |
process_username |
Searchable.
Value-Searchable. User context in which the actor process was executed. MacOS - all users for the PID for fork() and exec() transitions, Linux - process user for exec() events, but in a future sensor release can be multi-valued due to setuid()" |
TOKENIZED
String[] |
ENRICHED_EVENT PROCESS FACET DETAILS |
regmod_action |
Action associated with the regmod operation | String
ACTION_INVALID, ACTION_CREATE_KEY, ACTION_WRITE_VALUE, ACTION_DELETE_KEY, ACTION_DELETE_VALUE, ACTION_RENAME_KEY, ACTION_RESTORE_KEY, ACTION_REPLACE_KEY, ACTION_SET_SECURITY |
EVENT ENRICHED_EVENT DETAILS |
regmod_count |
Searchable.
Count of regmod events reported by the sensor since last initialization Requires Enterprise EDR |
Integer | ENRICHED_EVENT PROCESS FACET DETAILS SUMMARY / TREE |
regmod_name |
Searchable.
Value-Searchable. Full path of the registry key(s) modified by the process |
TOKENIZED
String |
EVENT ENRICHED_EVENT DETAILS |
regmod_new_name |
Searchable.
New registry key name; renamed keys only (regmod_action=“ACTION_RENAME_KEY”). |
String | EVENT |
regmod_old_name |
Searchable.
Old registry key name; renamed keys only (regmod_action=“ACTION_RENAME_KEY”). |
String | EVENT |
report_id |
Searchable.
ID of the watchlist report(s) that detected a hit on the process Requires Enterprise EDR |
String | Processes Only |
report_severity |
Searchable.
Severity rating of the watchlist report; ranges 1-10, where 10 is “severe” Requires Enterprise EDR |
Integer | |
report_watchlist_id |
Searchable.
Deprecated; use watchlist_id instead |
String | |
scriptload_content |
Searchable.
Deobfuscated script content (string, binary, or raw executable image) loaded from the filesystem at process launch; compare with fileless_scriptload_cmdline, process_loaded_script_name Requires Windows CBC sensor 3.6 or later, AMSI support via Windows 10/Server version 1703 or later and Endpoint Standard product For more information see here |
TOKENIZED
String[] |
EVENT |
scriptload_content_length |
Searchable.
Character count of the deobfuscated filesystem script; compare with fileless_scriptload_cmdline_length Requires Windows CBC sensor 3.6 or later, AMSI support via Windows 10/Server version 1703 or later and Endpoint Standard product For more information see here |
Integer[] | |
scriptload_count |
Searchable.
Count of scriptload events across all processes reported by the sensor since last initialization Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR |
Integer | ENRICHED_EVENT PROCESS FACET DETAILS SUMMARY / TREE |
scriptload_effective_reputation |
Searchable.
Effective reputation(s) of the loaded script(s); applied by the sensor when the event occurred Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR |
String
ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST |
EVENT |
scriptload_hash |
Searchable.
MD5 and/or SHA-256 hash(es) of the filesystem script file loaded at process launch; compare with fileless_scriptload_hash, fileless_scriptload_sha256 Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later |
String[] | ENRICHED_EVENT DETAILS |
scriptload_md5 |
Searchable.
MD5 hash of the filesystem script file loaded at process launch Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR |
String | EVENT |
scriptload_name |
Searchable.
Value-Searchable. Filesystem path of script file(s) loaded at process launch (compare with process_loaded_script_name) Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later, Linux CBC sensor version 2.9 or later |
TOKENIZED
String |
EVENT ENRICHED_EVENT DETAILS |
scriptload_publisher |
Searchable.
Publisher name on the certificate used to sign the script file from the filesystem (checks signatures on Powershell scripts and .MSI/.MSP files) Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR |
String | EVENT |
scriptload_publisher_state |
Searchable.
Value-Searchable. State of the loaded script(s)' digital signature(s); checks signatures on Powershell scripts and .MSI/.MSP files Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR |
String[]
Combine any: FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED
Use One: FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN |
EVENT ENRICHED_EVENT DETAILS |
scriptload_sha256 |
Searchable.
SHA-256 hash of the filesystem script file loaded at process launch; compare with fileless_scriptload_hash, fileless_scriptload_sha256 Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR |
String | EVENT |
sensor_action |
Searchable.
Value-Searchable. An action performed by the sensor on the process |
String[]
TERMINATE, DENY, SUSPEND |
ENRICHED_EVENT PROCESS EVENT FACET DETAILS |
sensor_action_reason |
Searchable.
Reason(s) why the sensor performed a specific action on the process Requires Windows CBC sensor version 3.5 or later |
String[]
Examples are POLICY_ENFORCEMENT, POLICY_DENY, etc. |
ENRICHED_EVENT PROCESS EVENT DETAILS |
ttp |
Searchable.
Value-Searchable. Patterns of behavior (i.e. tactics, techniques, procedures) associated with specific threat actor(s) attributed to events of the process |
String[] | ENRICHED_EVENT*** PROCESS*** EVENT FACET DETAILS |
watchlist_hit |
Identifier for specific hit record(s) generated by a watchlist, from report metadata; format “<watchlist_id>:<report_id>:<report_severity>”
Requires Enterprise EDR |
String[] | ENRICHED_EVENT PROCESS FACET DETAILS |
watchlist_id |
Searchable.
ID of the watchlist that generated a hit on the process Requires Enterprise EDR |
String | Processes Only |
watchlist_name |
Searchable.
Name of the watchlist that generated a hit on the process Requires Enterprise EDR |
TOKENIZED
String |
Processes Only |
Limitations
As with standard AND queries when searching for field_1 = X and field_2 = Y, an event with only one field populated
will not be returned.
A special case of this is when searching across both Endpoint Standard and Enterprise EDR data; if you combine any fields that are each available in only one product, you will receive zero results. For example:
- If you search
event_attack_stage:BREACHyou will get results on both the “Enriched Events” and “Processes” search endpoints (requires Endpoint Standard) - If you search
netconn_count:[1 TO *], you will only get results on “Processes” search endpoint (requires Enterprise EDR) - If you perform the search
event_attack_stage:BREACH AND netconn_count:[1 TO *], you will get no results because NO events have both Endpoint Standard-onlyevent_attack_stageand Enterprise EDR-onlynetconn_countfields - Any field can be searched on individually
Data Conversions
IPv6 data format to standard IPv6 notation
Use this if you are migrating from Endpoint Standard fields (used in integrationServices API routes) to Platform Search fields (including Process, Process Events and Enriched Event searches). The IPv6 netconn fields in Platform Search do not return in API responses using a standard IPv6 notation (it does not include colons) in order to make it easier to sort, use the big integer library, and perform subnet searches.
-
Example return value for fields like netconn_ipv6, netconn_remote_ipv6, netconn_local_ipv6:
FF0200000000000000000000000000FB -
To convert the notation to standard IPv6, you must insert a colon character between every four alphanumeric characters, or run the following function:
const stringIP = d.replace(/(.{4})/g, '$1:').slice(0, -1); -
Result:
FF02:0000:0000:0000:0000:0000:0000:00FB
However, when searching on these IPv6 fields, you must use escaped colon-separated notation e.g. netconn_ipv6:"2607:F8B0:4006:081B:0000:0000:0000:200E"
IPv4 integer format to dotted decimal notation
- IPv4 netconn fields return their value in “integer” format rather than the more common “dotted decimal” notation.
- The conversion from IPv4 integers to dotted decimal is common and can be validated with tools like this converter
- Example: If you received netconn_remote_ipv4 = 911598478, the dotted decimal equivalent would be 54.85.227.142
Special Tokenizations
Some fields are tokenized to allow more efficient searches
File Path Tokenization
Fields: process_name, parent_name, filemod_name, childproc_name, crossproc_name, modload_name, scriptload_name, regmod_name
Search for path hierarchies. Use slash (/) character or escaped backslash (\\) characters and enclose in double quotes if path contains colon or space characters. Exclude any leading path separator. File extension searching also supported.
Search examples: process_name:"c:/windows/system32/cmd.exe" filemod_name:.wcry regmod_name:myregkey/myregvalue modload_name:downloads\\myfile.exe parent_name:"c:/program files"
Domain name Tokenization
Fields: netconn_domain
Search for any part of the domain. Start or end with ‘.’ to only look for a prefix or suffix.
Search examples: netconn_domain:.google.com netconn_domain:.ru netconn_domain:www.google.com
IPv4 Address Tokenization
Fields: netconn_ipv4
Search examples: netconn_ipv4:192.168.0.10 netconn_ipv4:192.168.0.0/24
IPv6 Address Tokenization
Fields: netconn_ipv6
Search examples: netconn_ipv6:"2001:0db8:85a3:0000:0000:8a2e:0370:7334" netconn_ipv6:"2001:db8::/127"
Command Line Tokenization
Fields: process_cmdline
Words in the command line can be searched, along with switches (-x /x) and file extensions.
Search examples: process_cmdline:"d:/path/myprogram.vbs /v" process_cmdline:"d:" process_cmdline:.vbs process_cmdline:"/v"