Search Fields - Investigate

Version: v2

The following table lists the fields that can be returned in the response or used for searching with the Carbon Black Cloud using any of

Note: For Auth Events, certain fields have recently been removed from the offical list of fields that would be returned, because they would never have been populated with data.

Using the Schema

View the definition of each field, default values, whether it is required, searchable and/or tokenized. You can also see accepted values and routes supported per each field.

Possible routes

Clicking these icons will take you to the relevant API.

PROCESS - Returns data about instances where a program was executed on an endpoint
PROCESS DETAILS - Returns the full set of data for Processes
EVENT - Returns data about an observable occurrence on an endpoint
OBSERVATION - Returns data about Observations, which are the noteworthy, searchable findings across your whole fleet.
OBSERVATION DETAILS - Returns the full set of data for Observations.
AUTH_EVENT - Returns data about authentication events that occur on Windows endpoints.
AUTH_EVENT DETAILS - Returns the full set of data for Auth Events.
FACET - These fields can be used for sorting and filtering search queries or returning most prevalent values.
SUMMARY / TREE - Returns fields from a process summary search

Note: For fields where the Routes Supported column contains no entries, this means this field is not returned by any API route - it is only usable in the search request.

Additional indicators

TOKENIZED - Can be searched by a partial phrase
Searchable - Indicates that the field can be used in the criteria, exclusion or query elements of search requests e.g. process_name:chrome.exe
Value-Searchable - Indicates that the field’s value is searchable though a value based query e.g. chrome.exe
Rather than having to explicitly search process_name:chrome.exe OR childproc_name:chrome.exe OR filemod_name:chrome.exe, a search for chrome.exe will find that String in any of those three fields for you as well as in other value search enabled fields
Aggregation Only - Indicates that the field is only returned for the Aggregation endpoint for Enriched Events
Processes Only - Indicates that the field is only searchable for Processes
*** - Indicates that the field needs to be requested in the fields property of a search job

Searching across both Endpoint Standard and Enterprise EDR data? See below for limitations.

Schema

Note: Additional details and examples can be found in the Carbon Black Cloud console search guide.

Field Name	Definition	Datatype	Routes Supported



`alert_category`	Searchable. A Carbon Black Cloud classification for events tagged to an alert indicating whether the event is a “threat” or “observed” Requires Endpoint Standard	String[] `THREAT`, `OBSERVED`	PROCESS PROCESS DETAILS EVENT OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS FACET
`alert_id`	Searchable. ID of the alert(s) associated with the process or event. Note: 'id' or 'legacy_alert_id' will work for searching events or processes associated with a CB_ANALYTIC alert.	TOKENIZED String[]	PROCESS PROCESS DETAILS EVENT OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS FACET
`asset_group_id`	Searchable. The ID of the asset group the device is part of.	TOKENIZED String
`asset_group_name`	Searchable. The name of the asset group the device is part of.	TOKENIZED String	FACET
`asset_id`	Searchable. Asset id that is guaranteed to be unique within each PSC environment, which is a set of organizations.	String	AUTH_EVENT AUTH_EVENT DETAILS
`attack_tactic`	Searchable. A tactic from the MITRE ATT&CK framework; defines a reason for an adversary’s action, such as achieving credential access	String	OBSERVATION OBSERVATION DETAILS FACET
`attack_technique`	Searchable. A technique from the MITRE ATT&CK framework; defines an action an adversary takes to accomplish a goal, such as dumping credentials to achieve credential access	String	OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS FACET
`attack_tid`	Searchable. Allows searching for a specific combination of MITRE ATT&CK tactic and technique; use the format `tactic:technique.subtechnique`	TOKENIZED String	FACET
`auth_cleartext_credentials_logon`	Searchable. True if the logon attempt occurred using cleartext credentials; false if the logon attempt occurred using encrypted credentials	Boolean	AUTH_EVENT DETAILS FACET
`auth_credential_provider`	The logon process that validated the credentials in Event ID 4611. Common processes include Winlogon, Schannell, KSecDD, Secondary Logon Service (runas), IKE, HTTP.SYS, SspTest, dsRole, DS Replication CredProvConsent (user account control)	String	AUTH_EVENT DETAILS
`auth_daemon_logon`	Searchable. Identifies if the logon attempt is attributed to a service (Windows) or daemon (macOS/Linux)	Boolean	AUTH_EVENT DETAILS FACET
`auth_domain_name`	Searchable. Domain name of the user the authentication event is attributed to	String	AUTH_EVENT AUTH_EVENT DETAILS FACET
`auth_elevated_token_logon`	Searchable. True if the logon attempt occurred using an elevated token; false if the logon attempt occurred without the use of an elevated token	Boolean	AUTH_EVENT DETAILS FACET
`auth_event_action`	Searchable. Action that results from an authentication attempt	String Values: `INVALID`, `LOGON_SUCCESS`, `LOGON_FAILED`, `LOGOFF_SUCCESS`, `PRIVILEGES_GRANTED`, `ACCOUNT_LOCKED`, `LOGON_DISCOVERED`	AUTH_EVENT AUTH_EVENT DETAILS
`auth_failed_logon_count`	Searchable. Number of failed logon attempts since last successful logon	Integer	AUTH_EVENT AUTH_EVENT DETAILS
`auth_failure_reason`	Only used with ACTION_LOGON_FAILED event. The fields are documented at https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625	String	AUTH_EVENT DETAILS
`auth_failure_status`	Searchable. Only used with ACTION_LOGON_FAILED event. The fields are documented at https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625	String	AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`auth_failure_sub_status`	Searchable. Hexadecimal code that identifies the logon failure reason	String	AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`auth_impersonation_level`	Values are: `IMPERSONATION_INVALID` `IMPERSONATION_NONE` - Default, No impersonation `IMPERSONATION_ANONYMOUS` - Security Anonymous: The server cannot impersonate or identify the client. `IMPERSONATION_CLIENT` - Security Identification: The server can get the identity and privileges of the client, but cannot impersonate the client. `IMPERSONATION_LOCAL_ONLY` - Security Impersonation: The server can impersonate the client’s security context on the local system. `IMPERSONATION_LOCAL_OR_REMOTE` - Security Delegation: The server can impersonate the client’s security context on remote systems	String	AUTH_EVENT DETAILS
`auth_interactive_logon`	Searchable. True if the logon attempt was interactive; false if the logon attempt was non-interactive	Boolean	AUTH_EVENT DETAILS FACET
`auth_key_length`	For non-kerberos authentication this is the length of the key used to secure the authentication channel	Integer	AUTH_EVENT DETAILS
`auth_last_failed_logon_time`	Time of last failed logon	date	AUTH_EVENT DETAILS
`auth_linked_logon_id`	When UAC (User Account Control) is enabled and an administrator logs on there are 2 logon sessions created, one with admin privileges and a split token without. This is the linked LUID in 00000000-00000000 format	String	AUTH_EVENT DETAILS
`auth_logon_id`	Searchable. Locally unique identifier of the user the authentication event is attributed to. Unique per logon session per machine	String	AUTH_EVENT* AUTH_EVENT* AUTH_EVENT DETAILS FACET
`auth_logon_type`	Searchable. Identifies the logon type initiated by the authentication connection	Integer	AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`auth_package`	Populated for Event id 4610 Events and identifies the authorization package that was loaded	String	AUTH_EVENT DETAILS
`auth_package_version`	The version of the authorization package identified in `auth_package` that was used	String	AUTH_EVENT DETAILS
`auth_privileges`	Searchable. Privilege(s) assigned to the logon session	String[]	AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`auth_remote_device`	Searchable. Name of the remote device the remote authentication attempt is made from	TOKENIZED String	AUTH_EVENT AUTH_EVENT DETAILS FACET
`auth_remote_ipv4`	Searchable. IP address of the remote device the remote authentication attempt is made from	String	AUTH_EVENT AUTH_EVENT DETAILS FACET
`auth_remote_ipv6`	Where the user was when they logged on - remote ip v6 address	String	AUTH_EVENT AUTH_EVENT DETAILS FACET
`auth_remote_location`	Searchable. Where the user was when they logged on in this format; `city, region, country`	TOKENIZED String	AUTH_EVENT AUTH_EVENT DETAILS FACET
`auth_remote_logon`	Searchable. True if the logon attempt was remote; false if the logon attempt was local	Boolean	AUTH_EVENT DETAILS FACET
`auth_remote_port`	Searchable. Port number the remote authentication attempt is made from	Integer	AUTH_EVENT AUTH_EVENT DETAILS FACET
`auth_restricted_admin_logon`	Searchable. True if the logon attempt occurred using Restricted Admin mode for Remote Desktop Connection; false if the logon attempt occurred without the use of Restricted Admin Mode	Boolean	AUTH_EVENT DETAILS FACET
`auth_server`	The server name that authenticated the logon	String	AUTH_EVENT DETAILS
`auth_user_id`	Searchable. Security ID (SID) of the user on a Windows machine. SID is a unique value of variable length used to identify a trustee (security principal)	String	AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`auth_user_principal_name`	Searchable. User Principal Name (UPN) of the user associated with the authentication event	TOKENIZED String	AUTH_EVENT AUTH_EVENT DETAILS
`auth_username`	Searchable. Name of the user the authentication event is attributed to	TOKENIZED String	AUTH_EVENT AUTH_EVENT DETAILS FACET
`auth_virtual_account_logon`	Searchable. True if the logon attempt occurred using a virtual account; false if the logon attempt occurred without the use of a virtual account	Boolean	AUTH_EVENT DETAILS FACET
`backend_timestamp`	Searchable. Timestamp when the Carbon Black Cloud processed and enabled the data for searching; occurs after ingress_time; may differ from `device_timestamp` by a few minutes due to asynchronous processing	ISO 8601 UTC timestamp	PROCESS PROCESS DETAILS AUTH_EVENT AUTH_EVENT DETAILS OBSERVATION OBSERVATION DETAILS FACET SUMMARY / TREE
`blocked_effective_reputation`	Searchable. Value-Searchable. Effective reputation of the blocked file; applied by the sensor when the event occurs	String `ADAPTIVE_WHITE_LIST`, `ADWARE`, `COMMON_WHITE_LIST`, `COMPANY_BLACK_LIST`, `COMPANY_WHITE_LIST`, `HEURISTIC`, `IGNORE`, `KNOWN_MALWARE`, `LOCAL_WHITE`, `NOT_LISTED`, `PUP`, `RESOLVING`, `SUSPECT_MALWARE`, `TRUSTED_WHITE_LIST`	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS
`blocked_hash`	Searchable. MD5 and SHA-256 hash(es) of the child process(es) binary; for any process(es) terminated by the sensor	String[]	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS
`blocked_name`	Searchable. Value-Searchable. Tokenized file path of the files blocked by sensor action	TOKENIZED String	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS
`childproc_childproc_count`	Searchable. Number of childprocs made by the child process	Integer	EVENT FACET
`childproc_cmdline`	Searchable. Value-Searchable. Command line of the child process	TOKENIZED String	EVENT OBSERVATION DETAILS
`childproc_cmdline_length`	Searchable. Character count of the child process' command line Requires Endpoint Standard	Integer	OBSERVATION DETAILS
`childproc_cmdline_raw`	Searchable. Command lines related to child processes Note: This field's value is untokenized	String[]	PROCESS OBSERVATION AUTH_EVENT
`childproc_count`	Searchable. Count of childproc events reported by the sensor since last initialization Requires Enterprise EDR	Integer	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS FACET SUMMARY / TREE
`childproc_crossproc_actor_count`	Searchable. The number of cross-procedure actors made by the child process.	Integer	EVENT FACET
`childproc_crossproc_target_count`	Searchable. The number of cross-procedure targets made by the child process.	Integer	EVENT FACET
`childproc_effective_reputation`	Searchable. Value-Searchable. Effective reputation of the child process; applied by the sensor when the event occurs	String `ADAPTIVE_WHITE_LIST`, `ADWARE`, `COMMON_WHITE_LIST`, `COMPANY_BLACK_LIST`, `COMPANY_WHITE_LIST`, `HEURISTIC`, `IGNORE`, `KNOWN_MALWARE`, `LOCAL_WHITE`, `NOT_LISTED`, `PUP`, `RESOLVING`, `SUSPECT_MALWARE`, `TRUSTED_WHITE_LIST`	EVENT OBSERVATION DETAILS
`childproc_effective_reputation_source`	Source of the effective reputation for the child process	String `IGNORE`, `CLOUD`, `PRE_EXISTING`, `AV`, `IT_TOOLS`, `CERT`, `HASH_REP`, `APPROVED_DATABASE`	OBSERVATION DETAILS
`childproc_excluded_count`	Childproc excluded event counts	Integer	AUTH_EVENT DETAILS OBSERVATION DETAILS PROCESS DETAILS
`childproc_filemod_count`	Searchable. Number of filemods made by the child process	Integer	EVENT FACET
`childproc_guid`	Searchable. Unique identifier for the child process; same as childproc_process_guid	String	OBSERVATION* OBSERVATION DETAILS AUTH_EVENT* FACET
`childproc_hash`	Searchable. Hash(es) of the child process(es)' binary (MD5 or SHA-256 for Enterprise EDR, SHA-256 for Endpoint Standard)	String[]	OBSERVATION DETAILS
`childproc_issuer`	Childproc certificate issuer names	String[]	OBSERVATION DETAILS
`childproc_md5`	Searchable. MD5 hash of the binary executed by the child process	String	EVENT FACET
`childproc_modload_count`	Searchable. The number of module loads made by the child process.	Integer	EVENT FACET
`childproc_name`	Searchable. Value-Searchable. Filesystem path of the child process' binary	TOKENIZED String	EVENT OBSERVATION DETAILS
`childproc_netconn_count`	Searchable. Number of netconns made by the child process	Integer	EVENT FACET
`childproc_pid`	Process identifier assigned by the operating system to the child process	Integer	OBSERVATION DETAILS
`childproc_process_guid`	Searchable. Unique identifier for the child process; same as childproc_guid	String	EVENT FACET
`childproc_product_name`	Product name associated with the child executable (from the binary resource)	String	OBSERVATION DETAILS
`childproc_publisher`	Publisher name on the certificate used to sign the Windows or macOS binary of child process(es) Requires Enterprise EDR	String[]	OBSERVATION DETAILS
`childproc_publisher_state`	Searchable. Value-Searchable. State of the digital signature(s) of the child processes' binaries Requires Enterprise EDR	String[] Combine any: `FILE_SIGNATURE_STATE_INVALID`, `FILE_SIGNATURE_STATE_SIGNED`, `FILE_SIGNATURE_STATE_VERIFIED`, `FILE_SIGNATURE_STATE_CHAINED`, `FILE_SIGNATURE_STATE_TRUSTED`, `FILE_SIGNATURE_STATE_OS`, `FILE_SIGNATURE_STATE_CATALOG_SIGNED` Use One: `FILE_SIGNATURE_STATE_NOT_SIGNED`, `FILE_SIGNATURE_STATE_UNKNOWN`	OBSERVATION DETAILS
`childproc_regmod_count`	Searchable. Number of registry modifications made by the child process.	Integer	EVENT FACET
`childproc_reputation`	Searchable. Value-Searchable. Reputation of the child process; applied by the Carbon Black Cloud when the event was processed	String `ADAPTIVE_WHITE_LIST`, `ADWARE`, `COMMON_WHITE_LIST`, `COMPANY_BLACK_LIST`, `COMPANY_WHITE_LIST`, `HEURISTIC`, `IGNORE`, `KNOWN_MALWARE`, `LOCAL_WHITE`, `NOT_LISTED`, `PUP`, `RESOLVING`, `SUSPECT_MALWARE`, `TRUSTED_WHITE_LIST`	OBSERVATION DETAILS
`childproc_sha256`	Searchable. SHA-256 hash of the binary executed by the child process in the event	String	EVENT FACET
`childproc_suppressed`	True if the Carbon Black Cloud suppressed one or more childproc process records; not present if false (suppressed if the child process shows no interesting activity after the process is created); Linux sensors only	Boolean	EVENT FACET
`childproc_username`	Searchable. The user context in which the child process was executed	TOKENIZED String	EVENT
`chrome_device_id`	Searchable. An ID which points to the Chrome datastore within a device.	String	AUTH_EVENT AUTH_EVENT DETAILS
`cloud_provider_account_id`	Searchable. The account ID with the cloud provider.	String	AUTH_EVENT*** AUTH_EVENT DETAILS
`cloud_provider_resource_id`	Searchable. The resource ID with the cloud provider.	String	AUTH_EVENT*** AUTH_EVENT DETAILS
`cloud_provider_scale_group`	Searchable. The automatic scaling group name within the cloud provider.	String	AUTH_EVENT*** AUTH_EVENT DETAILS
`cloud_provider_tags`	Searchable. Tags used for the cloud provider.	TOKENIZED String	AUTH_EVENT*** AUTH_EVENT DETAILS
`container_cgroup`	Searchable. A control group on linux that manages resources and which the container must interact with.	String	PROCESS DETAILS AUTH_EVENT DETAILS
`container_id`	Searchable. ID of the container	String	PROCESS PROCESS DETAILS AUTH_EVENT AUTH_EVENT DETAILS
`container_image_hash`	Searchable. SHA-256 hash of the container image	String	PROCESS* PROCESS DETAILS AUTH_EVENT* AUTH_EVENT DETAILS FACET
`container_image_name`	Searchable. Name of the container image; images are static files with executable code than can create containers	TOKENIZED String	PROCESS* PROCESS DETAILS AUTH_EVENT* AUTH_EVENT DETAILS FACET
`container_name`	Searchable. Name of the container; names are typically generated by runtime engines or by platforms, e.g. K8s	TOKENIZED String	PROCESS* PROCESS DETAILS AUTH_EVENT* AUTH_EVENT DETAILS FACET
`created_timestamp`	Searchable. Timestamp of when the event document was created.	Date	EVENT FACET
`crossproc_action`	Searchable. Value-Searchable. The cross-process action initiated by the actor process	String `ACTION_API_CALL`, `ACTION_DUP_PROCESS_HANDLE`, `ACTION_OPEN_THREAD_HANDLE`, `ACTION_DUP_THREAD_HANDLE`, `ACTION_CREATE_REMOTE_THREAD`	EVENT OBSERVATION DETAILS
`crossproc_api`	Searchable. Name of the operating system API called by the actor process. In cases where that call targets another process, that process is reported as crossproc_name. In cases where there is no target process, this field represents a system API call. Available with: all sensors with Endpoint Standard Windows 3.8 or later sensor with Enterprise EDR macOS sensors with Enterprise EDR (only reporting the PEP_CREATE_PHANDLE_API call made in task_for_pid() requests)	String	EVENT OBSERVATION DETAILS
`crossproc_cmdline`	Command line of the cross-process command	TOKENIZED String	OBSERVATION DETAILS
`crossproc_cmdline_length`	Character count of the cross-process command line executed	String	OBSERVATION DETAILS
`crossproc_count`	Searchable. Count of crossproc events reported by the sensor since last initialization Requires Enterprise EDR	Integer	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS FACET SUMMARY / TREE
`crossproc_effective_reputation`	Effective reputation of the binary on one side of the cross-process action; if crossproc_target=true, it is the effective reputation of the process targeted in the cross-process action; if crossproc_target=false, it is of the actor process (applied by the sensor when the event occurred)	String `ADAPTIVE_WHITE_LIST`, `ADWARE`, `COMMON_WHITE_LIST`, `COMPANY_BLACK_LIST`, `COMPANY_WHITE_LIST`, `HEURISTIC`, `IGNORE`, `KNOWN_MALWARE`, `LOCAL_WHITE`, `NOT_LISTED`, `PUP`, `RESOLVING`, `SUSPECT_MALWARE`, `TRUSTED_WHITE_LIST`	EVENT OBSERVATION DETAILS
`crossproc_effective_reputation_source`	Source of the effective reputation for the cross-process	String `IGNORE`, `CLOUD`, `PRE_EXISTING`, `AV`, `IT_TOOLS`, `CERT`, `HASH_REP`, `APPROVED_DATABASE`	OBSERVATION DETAILS
`crossproc_excluded_count`	Crossproc excluded event counts	Integer	AUTH_EVENT DETAILS OBSERVATION DETAILS PROCESS DETAILS
`crossproc_guid`	Unique process identifier of one of the cross-process members; if crossproc_target=true, it is the GUID of the process targeted in the cross-process action; if crossproc_target=false, it is the GUID of the actor process (same as crossproc_process_guid)	String	OBSERVATION DETAILS
`crossproc_hash`	Searchable. MD5 and/or SHA-256 hash(es) of the binaries whose processes are running on one side of the cross-process action; if crossproc_target=true, the hash(es) are of the process targeted in the cross-process action; if crossproc_target=false, the hash(es) are of the actor process	String[]	OBSERVATION DETAILS
`crossproc_issuer`	Crossproc certificate issuer names	String[]	OBSERVATION DETAILS
`crossproc_md5`	Searchable. MD5 hash of the binary on one side of the cross-process action; if crossproc_target=true, it is the MD5 of the process targeted in the cross-process action; if crossproc_target=false, it is the MD5 of the actor process	String	EVENT FACET
`crossproc_name`	Searchable. Value-Searchable. Filesystem path of the binary of one side of the cross-process action (can be missing for certain crossproc actions); if crossproc_target=true, it is the path of the process targeted in the cross-process action; if crossproc_target=false, it is the path of the actor process	TOKENIZED String	EVENT OBSERVATION DETAILS
`crossproc_pid`	Process identifier assigned by the operating system to one of the cross-process members; if crossproc_target=true, it is the PID of the process targeted in the cross-process action; if crossproc_target=false, it is the PID of the actor process	Integer	OBSERVATION DETAILS
`crossproc_process_guid`	Searchable. Unique identifer of the process on one side of the cross-process action; if crossproc_target=true, it is the GUID of the process targeted in the cross-process action; if crossproc_target=false, it is the GUID of the actor process (same as crossproc_guid)	String	EVENT FACET
`crossproc_product_name`	Product name associated with the crossproc executable (from the binary resource)	String	OBSERVATION DETAILS
`crossproc_publisher`	Crossproc certificate signer names	String[]	OBSERVATION DETAILS
`crossproc_publisher_state`	Certificate signature state of the crossproc as string. Can be combination of `FILE_SIGNATURE_STATE_INVALID`, `FILE_SIGNATURE_STATE_SIGNED`, `FILE_SIGNATURE_STATE_VERIFIED`, `FILE_SIGNATURE_STATE_NOT_SIGNED`, `FILE_SIGNATURE_STATE_UNKNOWN`, `FILE_SIGNATURE_STATE_CHAINED`, `FILE_SIGNATURE_STATE_TRUSTED`, `FILE_SIGNATURE_STATE_OS`, `FILE_SIGNATURE_STATE_CATALOG_SIGNED` or `FILE_SIGNATURE_STATE_NOT_SIGNED` if not signed	String[]	OBSERVATION DETAILS
`crossproc_reputation`	Reputation of crossproc as provided by the CDC	String	OBSERVATION DETAILS
`crossproc_sha256`	Searchable. SHA-256 hash of the binary on one side of the cross-process action; if crossproc_target=true, it is the SHA-256 of the process targeted in the cross-process action; if crossproc_target=false, it is the SHA-256 of the actor process	String	EVENT FACET
`crossproc_target`	Searchable. True if the process was the target of the cross-process event; false if the process was the actor	Boolean	EVENT OBSERVATION DETAILS FACET
`crossproc_username`	Username associated with the crossproc process	String	OBSERVATION DETAILS
`device_external_ip`	Searchable. Value-Searchable. IP address of the endpoint according to the Carbon Black Cloud; can differ from device_internal_ip due to network proxy or NAT; either IPv4 (dotted decimal notation) or IPv6 (proprietary format documented below)	String	PROCESS* PROCESS DETAILS OBSERVATION* OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET SUMMARY / TREE
`device_group`	Searchable. Value-Searchable. Sensor group to which the endpoint was assigned when the sensor recorded the event data	String	PROCESS* PROCESS DETAILS OBSERVATION* OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`device_group_id`	Searchable. ID assigned to the device_group by Carbon Black Cloud; will match on the ad_group_id on the Devices API	Integer	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS SUMMARY / TREE
`device_id`	Searchable. ID assigned to the endpoint by Carbon Black Cloud; unique across all Carbon Black Cloud environments	Integer	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS FACET SUMMARY / TREE
`device_installed_by`	Searchable. The Carbon Black Cloud user who was logged in to the endpoint when the sensor was installed (e.g. pat.malarkey@email.com, DOMAIN\pmalarkey or pmalarkey)	TOKENIZED String	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`device_internal_ip`	Searchable. Value-Searchable. IP address of the endpoint reported by the sensor; either IPv4 (dotted decimal notation) or IPv6 (proprietary format, documented below)	String	PROCESS* PROCESS DETAILS OBSERVATION* OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`device_location`	The endpoint’s current location relative to the organization’s network, based on the current IP address and the device’s registered DNS domain suffix	String `ONSITE`, `OFFSITE`, `UNKNOWN`	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`device_name`	Searchable. Value-Searchable. Hostname of the endpoint recorded by the sensor when last initialized	TOKENIZED String	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS AUTH_EVENT DETAILS FACET
`device_os`	Searchable. Value-Searchable. The operating system of the endpoint	String `WINDOWS`, `MAC`, `LINUX`	PROCESS* PROCESS DETAILS OBSERVATION* OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`device_os_version`	Searchable. Value-Searchable. The operating system and version of the endpoint Requires Windows CBC sensor version 3.5 or later	TOKENIZED String	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS
`device_policy`	Searchable. Value-Searchable. Policy applied to the endpoint in the Carbon Black Cloud	String	PROCESS* PROCESS DETAILS OBSERVATION* OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`device_policy_id`	Searchable. ID assigned to the device_policy by the Carbon Black Cloud	Integer	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS
`device_sensor_version`	Searchable. Version of the sensor installed on the device	String	PROCESS* OBSERVATION* OBSERVATION DETAILS AUTH_EVENT* AUTH_EVENT* AUTH_EVENT DETAILS FACET
`device_target_priority`	The “Target value” configured in the policy assigned to the sensor Requires Endpoint Standard	String `MISSION_CRITICAL`, `HIGH`, `MEDIUM`, `LOW`	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`device_timestamp`	Searchable. Sensor-reported timestamp of the batch of events in which this record was submitted to Carbon Black Cloud	ISO 8601 UTC timestamp	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS FACET SUMMARY / TREE
`document_guid`	Searchable. Unique id of solr document. Built as process_guid+server-side timestamp in epoch milliseconds (1/1/1970 based).	String	AUTH_EVENT*** AUTH_EVENT DETAILS
`enriched`	Searchable. True if the result includes data from the Endpoint Standard product. Not present if false. Requires Endpoint Standard	Boolean	PROCESS PROCESS DETAILS EVENT OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS FACET
`enriched_event_type`	Searchable. Event type(s) as determined by the Carbon Black Cloud Requires Endpoint Standard	String `CREATE_PROCESS`, `DATA_ACCESS`, `FILE_CREATE`, `INJECT_CODE`, `NETWORK`, `OTHER_BEHAVIOR`, `POLICY_ACTION`, `REGISTRY_ACCESS`, `STATIC_SCAN`, `SYSTEM_API_CALL` Note: enriched_event_type will be a String[] on Process Search.	PROCESS PROCESS DETAILS EVENT OBSERVATION OBSERVATION DETAILS FACET
`event_attack_stage`	Searchable. Stage(s) of the cyber kill chain when an attack was terminated by sensor Requires Endpoint Standard	String `BREACH`, `COMMAND_AND_CONTROL`, `DELIVER_EXPLOIT`, `EXECUTE_GOAL`, `INSTALL_RUN`, `RECONNAISSANCE`, `WEAPONIZE` Note: Event_attack_stage will be a String[] on Process Search.	PROCESS* PROCESS DETAILS OBSERVATION* FACET
`event_description`	Searchable. Value-Searchable. Event description calculated by the Carbon Black Cloud Requires Endpoint Standard	TOKENIZED String	EVENT OBSERVATION OBSERVATION DETAILS
`event_guid`	Searchable. A globally unique identifier for this event document	String	EVENT FACET
`event_hash`	Hash of the event to allow for deduplication of events	String	EVENT FACET
`event_id`	Searchable. Unique event identifier assigned by the Carbon Black Cloud	String Formats: `b74addedf22511eaa5b90997e383f3bf`, `21EF16B0-AB2E-413A-ABD0-9697C9FD0211`	OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS FACET
`event_threat_score`	Searchable. Score(s) assigned by Carbon Black Cloud for the detected threat (Returns values 0-8) Requires Endpoint Standard	Integer[]	PROCESS DETAILS OBSERVATION DETAILS
`event_timestamp`	Searchable. Timestamp reported by the sensor when the event occurred	ISO 8601 UTC timestamp	EVENT FACET
`event_type`	Searchable. Type of event observed	String `filemod`, `netconn`, `regmod`, `modload`, `crossproc`, `childproc`, `scriptload`, `fileless_scriptload` Note: event_type will be a String[] on Process Search.	PROCESS PROCESS DETAILS EVENT OBSERVATION OBSERVATION DETAILS FACET
`file_scan_result`	Searchable. Classification of malware detected during a background scan performed by the Endpoint Standard sensor i.e. enriched_event_type=STATIC_SCAN; returned value is the /-separated combination of malware family and malware name (e.g. TROJAN/TR/PowerShell.Gen, where malware family = TROJAN) Requires Endpoint Standard	TOKENIZED String	PROCESS DETAILS OBSERVATION DETAILS
`fileless_scriptload_cmdline`	Searchable. Deobfuscated script content run in a fileless context by the process Requires Windows CBC sensor 3.5 or later, Windows 10/Server version 1703 or later and Enterprise EDR For more information see here	TOKENIZED String[]	EVENT
`fileless_scriptload_cmdline_length`	Searchable. Character count of the deobfuscated script content run in a fileless context. Requires Windows CBC sensor 3.5 or later, Windows 10/Server version 1703 or later and Enterprise EDR For more information see here	Integer[]	EVENT
`fileless_scriptload_cmdline_raw`	Searchable. Deobfuscated command lines of fileless scripts Note: This field's value is untokenized.	String[]	PROCESS OBSERVATION AUTH_EVENT
`fileless_scriptload_hash`	Searchable. SHA-256 hash(es) of the deobfuscated script content run by the process in a fileless context. Requires Windows CBC sensor 3.5 or later, Windows 10/Server version 1703 or later and Enterprise EDR For more information see here	String[]	OBSERVATION DETAILS
`fileless_scriptload_sha256`	Searchable. Deprecated. Use fileless_scriptload_hash SHA-256 hash of the deobfuscated script content run by the process in a fileless context Requires Windows CBC sensor 3.5 or later, Windows 10/Server version 1703 or later and Enterprise EDR For more information see here	String	EVENT FACET
`filemod_action`	Action(s) associated with the filemod operation	String `ACTION_INVALID`, `ACTION_FILE_CREATE`, `ACTION_FILE_WRITE`, `ACTION_FILE_DELETE`, `ACTION_FILE_LAST_WRITE`, `ACTION_FILE_MOD_OPEN`, `ACTION_FILE_RENAME`, `ACTION_FILE_UNDELETE`, `ACTION_FILE_TRUNCATE`, `ACTION_FILE_OPEN_READ`, `ACTION_FILE_OPEN_WRITE`, `ACTION_FILE_OPEN_DELETE`, `ACTION_FILE_OPEN_EXECUTE`, `ACTION_FILE_READ`	EVENT OBSERVATION DETAILS
`filemod_count`	Searchable. Count of filemod events reported by the sensor since last initialization Requires Enterprise EDR	Integer	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS FACET SUMMARY / TREE
`filemod_effective_reputation`	Reputation of the actor that modified the file	String	EVENT FACET
`filemod_excluded_count`	Count of excluded filemod events reported by the server	Integer	AUTH_EVENT DETAILS
`filemod_file_type`	Searchable. The type of file e.g. `EXECUTABLE_IMAGE`, `EXECUTABLE_LIBRARY` or `SCRIPT`	String	EVENT FACET
`filemod_hash`	Searchable. MD5 and/or SHA-256 hash(es) of the file(s) modified by the actor process	String[]	OBSERVATION DETAILS
`filemod_issuer`	Filemod certificate issuer names	String[]	OBSERVATION DETAILS
`filemod_md5`	Searchable. MD5 hash of the file modified by the actor process	String	EVENT FACET
`filemod_name`	Searchable. Value-Searchable. Filesystem path of the file modified by the process	TOKENIZED String	EVENT OBSERVATION DETAILS AUTH_EVENT DETAILS
`filemod_new_name`	Searchable. Filesystem path of the new file modified by the process during `ACTION_FILE_RENAME`	String	EVENT
`filemod_old_name`	Searchable. Filesystem path of the old file modified by the process during `ACTION_FILE_RENAME`	String	EVENT
`filemod_publisher`	Searchable. Publisher name on the certificate(s) used to sign the target file of the filemod	String[]	OBSERVATION DETAILS
`filemod_publisher_state`	Searchable. Value-Searchable. State of the digital signature(s) of the target file of the filemod; checks signatures on Powershell scripts and .MSI/.MSP files	String[] Combine any: `FILE_SIGNATURE_STATE_INVALID`, `FILE_SIGNATURE_STATE_SIGNED`, `FILE_SIGNATURE_STATE_VERIFIED`, `FILE_SIGNATURE_STATE_CHAINED`, `FILE_SIGNATURE_STATE_TRUSTED`, `FILE_SIGNATURE_STATE_OS`, `FILE_SIGNATURE_STATE_CATALOG_SIGNED` Use One: `FILE_SIGNATURE_STATE_NOT_SIGNED`, `FILE_SIGNATURE_STATE_UNKNOWN`	OBSERVATION DETAILS
`filemod_reputation`	Reputation of the target file	String `ADAPTIVE_WHITE_LIST`, `ADWARE`, `COMMON_WHITE_LIST`, `COMPANY_BLACK_LIST`, `COMPANY_WHITE_LIST`, `HEURISTIC`, `IGNORE`, `KNOWN_MALWARE`, `LOCAL_WHITE`, `NOT_LISTED`, `PUP`, `RESOLVING`, `SUSPECT_MALWARE`, `TRUSTED_WHITE_LIST`	OBSERVATION DETAILS
`filemod_sha256`	Searchable. SHA-256 hash of the file modified by the actor process	String	EVENT FACET
`filemod_tlsh`	tlsh hashes of the files modified by the process	String	OBSERVATION*** OBSERVATION DETAILS EVENT FACET
`filemod_type`	Type of file involved in the filemod operation Requires Enterprise EDR	String `FILE_TYPE_EXECUTABLE_IMAGE`, `FILE_TYPE_EXECUTABLE_DLL`, `FILE_TYPE_NOT_SET`, `FILE_TYPE_UNIDENTIFIED`	OBSERVATION DETAILS
`hash`	Searchable. Value-Searchable. Aggregate set of MD5 and SHA-256 hashes associated with the process (including childproc_hash, crossproc_hash, filemod_hash, modload_hash, process_hash); enables one-step search for any matches on the specified hashes	String[]
`ingress_time`	Searchable. Timestamp of when the Carbon Black Cloud receives data for initial processing (Unix format)	Integer	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS SUMMARY / TREE
`k8s_cluster`	Searchable. Name of the K8s cluster	TOKENIZED String	PROCESS* PROCESS DETAILS AUTH_EVENT* AUTH_EVENT DETAILS FACET
`k8s_kind`	Searchable. Type of K8s workload; DaemonSet, Deployment, Job, etc.	String	PROCESS* PROCESS DETAILS AUTH_EVENT* AUTH_EVENT DETAILS FACET
`k8s_namespace`	Searchable. Namespace within the K8s cluster	TOKENIZED String	PROCESS* PROCESS DETAILS AUTH_EVENT* AUTH_EVENT DETAILS FACET
`k8s_pod_name`	Searchable. Name of the K8s pod within a workload	TOKENIZED String	PROCESS* PROCESS DETAILS AUTH_EVENT* AUTH_EVENT DETAILS FACET
`k8s_workload_name`	Searchable. Name of the K8s workload; names are typically generated by a Deployment, DaemonSet, Job, etc.	TOKENIZED String	PROCESS* PROCESS DETAILS AUTH_EVENT* AUTH_EVENT DETAILS FACET
`legacy`	Searchable. Deprecated; see enriched field (true if the record includes data from the Endpoint Standard; not present if false)	boolean	PROCESS PROCESS DETAILS EVENT OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS FACET
`legacy_description`	Searchable. Deprecated; see the `event_description` field	TOKENIZED String
`modload_action`	Searchable. Action associated with the modload operation Requires Enterprise EDR	String `ACTION_LOAD_MODULE`	EVENT FACET
`modload_count`	Searchable. Count of modload events reported by the sensor since last initialization Requires Enterprise EDR	Integer	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS FACET SUMMARY / TREE
`modload_effective_reputation`	Searchable. Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred Requires Enterprise EDR	String `ADAPTIVE_WHITE_LIST`, `ADWARE`, `COMMON_WHITE_LIST`, `COMPANY_BLACK_LIST`, `COMPANY_WHITE_LIST`, `HEURISTIC`, `IGNORE`, `KNOWN_MALWARE`, `LOCAL_WHITE`, `NOT_LISTED`, `PUP`, `RESOLVING`, `SUSPECT_MALWARE`, `TRUSTED_WHITE_LIST`	EVENT FACET
`modload_excluded_count`	Count of excluded modload events reported by the sensor since last initialization	Integer	AUTH_EVENT DETAILS
`modload_file_type`	Searchable. The type of file	String `EXECUTABLE_IMAGE`, `EXECUTABLE_LIBRARY`, `SCRIPT`	EVENT FACET
`modload_hash`	Searchable. MD5 or SHA-256 hash(es) of the module(s) loaded by the process Requires Enterprise EDR	String[]	OBSERVATION DETAILS
`modload_issuer`	Modload certificate issuer names	String[]	OBSERVATION DETAILS
`modload_md5`	Searchable. MD5 hash of the module loaded by the process Requires Enterprise EDR	String	EVENT FACET
`modload_name`	Searchable. Value-Searchable. Filesystem path(s) of the module(s) loaded by the process Requires Enterprise EDR	TOKENIZED String[]	EVENT
`modload_publisher`	Searchable. Publisher name on the certificate(s) used to sign the Windows or macOS module binary Requires Enterprise EDR	String	EVENT
`modload_publisher_state`	Searchable. Value-Searchable. Digital signature state(s) of the loaded modules' binaries Requires Enterprise EDR	String[] Combine any: `FILE_SIGNATURE_STATE_INVALID`, `FILE_SIGNATURE_STATE_SIGNED`, `FILE_SIGNATURE_STATE_VERIFIED`, `FILE_SIGNATURE_STATE_CHAINED`, `FILE_SIGNATURE_STATE_TRUSTED`, `FILE_SIGNATURE_STATE_OS`, `FILE_SIGNATURE_STATE_CATALOG_SIGNED` Use One: `FILE_SIGNATURE_STATE_NOT_SIGNED`, `FILE_SIGNATURE_STATE_UNKNOWN`	EVENT
`modload_sha256`	Searchable. SHA-256 hash of the module loaded by the process Requires Enterprise EDR	String	EVENT FACET
`netconn_action`	Searchable. Deprecated; use netconn_actions instead. Action(s) associated with the netconn operation	String `ACTION_CONNECTION_CREATE`, `ACTION_CONNECTION_CLOSE`, `ACTION_CONNECTION_ESTABLISHED`, `ACTION_CONNECTION_CREATE_FAILED`, `ACTION_CONNECTION_LISTEN`	EVENT OBSERVATION DETAILS AUTH_EVENT DETAILS FACET
`netconn_actions`	Searchable. Netconn operation actions such as `ACTION_CONNECTION_CREATE`, plus XDR actions like `ACTION_HTTP`	String[] `ACTION_CONNECTION_CREATE`, `ACTION_CONNECTION_CLOSE`, `ACTION_CONNECTION_ESTABLISHED`, `ACTION_CONNECTION_CREATE_FAILED`, `ACTION_CONNECTION_LISTEN` XDR: `ACTION_HTTP`, `ACTION_TLS_HANDSHAKE`, `ACTION_IDS_ALERT`, `ACTION_INBOUND_PACKET_INSPECTED`, `ACTION_OUTBOUND_PACKET_INSPECTED`	OBSERVATION DETAILS AUTH_EVENT DETAILS FACET
`netconn_application_protocol`	Searchable. Protocol detected in the application layer of the network session; does not necessarily correspond to the port listed in IANA service registry. Requires XDR	String	EVENT OBSERVATION OBSERVATION DETAILS FACET
`netconn_bytes_received`	Searchable. Final byte count for all traffic received by the sensor’s endpoint during the netconn session. Requires XDR	Integer	EVENT OBSERVATION DETAILS
`netconn_bytes_sent`	Searchable. Final byte count for all traffic sent by the sensor’s endpoint during the netconn session. Requires XDR	Integer	EVENT OBSERVATION DETAILS
`netconn_community_id`	Searchable. Community ID of the network session, calculated according to the convention documented in https://github.com/corelight/community-id-spec. Requires Enterprise EDR	String	EVENT OBSERVATION DETAILS
`netconn_count`	Searchable. Count of netconn events reported by the sensor since last initialization Requires Enterprise EDR	Integer	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS FACET SUMMARY / TREE
`netconn_dns_answer_class`	Searchable. The set of resource class in the query answer (aka answer_class). Requires XDR	String[]	EVENT PROCESS OBSERVATION OBSERVATION DETAILS
`netconn_dns_answer_count`	Searchable. The total number of resource records in a reply message’s answer section. Requires XDR	Integer	EVENT PROCESS OBSERVATION OBSERVATION DETAILS
`netconn_dns_answer_data`	Searchable. The set of data in the query answer. Requires XDR	String[]	EVENT PROCESS OBSERVATION OBSERVATION DETAILS
`netconn_dns_answer_data_length`	Searchable. The length of the data in a reply message’s answer section. Requires XDR	Integer[]	EVENT PROCESS OBSERVATION OBSERVATION DETAILS
`netconn_dns_answer_name`	Searchable. The set of resource descriptions in the query answer (aka answer_name). Requires XDR	TOKENIZED String[]	EVENT PROCESS OBSERVATION OBSERVATION DETAILS
`netconn_dns_answer_ttl`	Searchable. The set of resource ttl in the query answer. Requires XDR	Long[]	EVENT PROCESS OBSERVATION OBSERVATION DETAILS
`netconn_dns_answer_type`	Searchable. The set of resource type in the query answer (aka answer_type). Requires XDR	String[]	EVENT PROCESS OBSERVATION OBSERVATION DETAILS
`netconn_dns_flags`	Searchable. A set of DNS flags. Requires XDR	String[]	EVENT PROCESS OBSERVATION OBSERVATION DETAILS
`netconn_dns_query_class`	Searchable. A descriptive name for the class of the query. Requires XDR	String	EVENT PROCESS OBSERVATION OBSERVATION DETAILS
`netconn_dns_query_name`	Searchable. The domain name that is the subject of the DNS query. Requires XDR	TOKENIZED String	EVENT PROCESS OBSERVATION OBSERVATION DETAILS
`netconn_dns_query_type`	Searchable. A descriptive name for the type of the query. Requires XDR	String	EVENT PROCESS OBSERVATION OBSERVATION DETAILS
`netconn_dns_response_code`	Searchable. DNS response code. Requires XDR	Integer	EVENT FACET
`netconn_domain`	Searchable. Value-Searchable. Domain name (FQDN) associated with the remote end of the network connection, if available Note: 'netconn_domain' is searchable for PROCESSES but not returnable.	TOKENIZED String	EVENT OBSERVATION DETAILS
`netconn_excluded_count`	Count of excluded netconn events reported by the sensor since last initialization	Integer	AUTH_EVENT DETAILS
`netconn_failed`	Searchable. True if the outbound network connection attempt failed; if successful, the field is not set	Boolean	OBSERVATION DETAILS FACET
`netconn_first_packet_timestamp`	Searchable. Timestamp when the sensor detected the first packet in the network session (ISO 8601 format, in UTC). Requires XDR	ISO 8601 UTC timestamp	EVENT OBSERVATION DETAILS
`netconn_inbound`	Searchable. True if the network connection was inbound; false if outbound	Boolean	EVENT OBSERVATION OBSERVATION DETAILS FACET
`netconn_ipv4`	Searchable. Value-Searchable. IPv4 address of the remote side of the network connection; stored as integer (not dotted decimal); searchable using either format	String	OBSERVATION OBSERVATION DETAILS FACET
`netconn_ipv6`	Searchable. Value-Searchable. IPv6 address of the remote side of the network connection; stored as a String without octet-separating colon characters	String	OBSERVATION OBSERVATION DETAILS FACET
`netconn_ja3_local_fingerprint`	Searchable. JA3 hash of the client side of the TLS session; can be JA3 or JA3S depending on which side initiated the TLS session. Requires XDR	String	EVENT OBSERVATION DETAILS
`netconn_ja3_local_fingerprint_fields`	Searchable. Decimal values of the bytes used to calculate the JA3 hash for the local side of the TLS session. Requires XDR	TOKENIZED String	EVENT OBSERVATION DETAILS
`netconn_ja3_remote_fingerprint`	Searchable. JA3 hash of the remote side of the TLS session; can be JA3 or JA3S depending on which side initiated the TLS session. Requires XDR	String	EVENT OBSERVATION DETAILS
`netconn_ja3_remote_fingerprint_fields`	Searchable. Decimal values of the bytes used to calculate the JA3 hash for the remote side of the TLS session. Requires XDR	TOKENIZED String	EVENT OBSERVATION DETAILS
`netconn_last_packet_timestamp`	Searchable. Timestamp when the sensor detected the last packet in the network session. Requires XDR	ISO 8601 UTC timestamp	EVENT OBSERVATION DETAILS
`netconn_listen`	True if the process opened a socket to listen for incoming connections (i.e. where netconn_action = ACTION_CONNECTION_LISTEN); not present if false	Boolean	OBSERVATION DETAILS FACET
`netconn_local_ipv4`	Searchable. Value-Searchable. IPv4 address of the local side of the network connection; stored as an integer (not dotted decimal); searchable by either format	String	EVENT OBSERVATION OBSERVATION DETAILS
`netconn_local_ipv6`	Searchable. Value-Searchable. IPv6 address of the local side of the network connection; stored as a String without octet-separating colon characters	String	EVENT OBSERVATION OBSERVATION DETAILS
`netconn_local_location`	Geolocation of the local side of the network connection	TOKENIZED String Format: `City,Region/State,Country` Note: One or more of the three sections will be included in a comma separated list.	OBSERVATION OBSERVATION DETAILS
`netconn_local_port`	TCP or UDP port used by the local side of the network connection	Integer	EVENT OBSERVATION DETAILS
`netconn_location`	Searchable. Value-Searchable. Geolocation of the remote side of the network connection; same as netconn_remote_location	TOKENIZED String Format: `City,Region/State,Country` If the geolocation of the remote IP address is unknown, the value is `,,Unknown`. If the remote IP address is in a special-purpose, reserved range, the value is `,,Reserved`. Note: One or more of the three sections will be included in a comma separated list.	EVENT OBSERVATION OBSERVATION DETAILS PROCESS FACET
`netconn_port`	Searchable. TCP or UDP port used by the interesting side of the network connection (when netconn_inbound = “true”, this represents the local port; otherwise, this represents the port on the remote side of the network connection); compare with netconn_remote_port, event_network_remote_port and event_network_local_port	Integer	OBSERVATION OBSERVATION DETAILS FACET
`netconn_protocol`	Searchable. Value-Searchable. Network protocol of the network connection	String `PROTO_TCP`, `PROTO_UDP`,`PROTO_ICMP`, `PROTO_ICMPV6`	EVENT OBSERVATION OBSERVATION DETAILS
`netconn_proxy_domain`	Searchable. Domain name (FQDN) associated with the remote side of the connection with an intermediary HTTP network device, usually a proxy server Requires Windows CBC sensor version 3.6 or later and Enterprise EDR Unencrypted intermediary network devices only	TOKENIZED String	EVENT
`netconn_proxy_ipv4`	Searchable. IPv4 address of the remote side of the connection with an intermediary HTTP network device, usually a proxy server. Stored as integer not dotted decimal, but searchable using either format Requires Windows CBC sensor version 3.6 or later and Enterprise EDR Unencrypted intermediary network devices only	String	EVENT
`netconn_proxy_ipv6`	Searchable. IPv6 address of the remote side of the connection with an intermediary HTTP network device, usually a proxy server; stored as String without octet-separating colon characters Requires Windows CBC sensor version 3.6 or later and Enterprise EDR Unencrypted intermediary network devices only	String	EVENT
`netconn_proxy_port`	Searchable. TCP or UDP port used by the remote side of the connection with an intermediary HTTP network device, usually a proxy server Requires Windows CBC sensor version 3.6 or later and Enterprise EDR Unencrypted intermediary network devices only	Integer	EVENT
`netconn_remote_device_id`	Searchable. The device_id of the remote side of the network session, if a Carbon Black Cloud sensor is installed on the remote asset. Requires XDR	Integer	EVENT OBSERVATION DETAILS
`netconn_remote_device_name`	Searchable. The device_name of the remote side of the network session, if a Carbon Black Cloud sensor is installed on the remote asset. Requires XDR	String	EVENT OBSERVATION DETAILS
`netconn_remote_ipv4`	Searchable. IPv4 address of the remote side of the network connection; stored as integer, not dotted decimal, but searchable as either	String	EVENT FACET
`netconn_remote_ipv6`	Searchable. IPv6 address of the remote side of the network connection; stored as String without octet-separating colon characters	String	EVENT FACET
`netconn_remote_location`	Geolocation of the remote side of the network connection	TOKENIZED String Format: `City,Region/State,Country` If the geolocation of the remote IP address is unknown, the value is `,,Unknown`. If the remote IP address is in a special-purpose, reserved range, the value is `,,Reserved`. Note: One or more of the three sections will be included in a comma separated list.
`netconn_remote_port`	Searchable. TCP or UDP port used by the remote side of the network connection; same as netconn_port and event_network_remote_port	Integer	EVENT
`netconn_request_headers`	Searchable. List of HTTP request headers captured from the start of the HTTP session. Represented as key:value pairs for each header. Requires XDR	String	EVENT OBSERVATION DETAILS
`netconn_request_method`	Searchable. HTTP request method submitted as part of the HTTP session request. Requires XDR	String	EVENT OBSERVATION DETAILS
`netconn_request_url`	Searchable. The URL path and HTTP version requested in the HTTP session. Requires XDR	TOKENIZED String	PROCESS OBSERVATION OBSERVATION DETAILS
`netconn_response_headers`	Searchable. List of HTTP response headers captured from the start of the HTTP session. Represented as key:value pairs for each header. Requires XDR	String	EVENT OBSERVATION DETAILS
`netconn_response_status_code`	Searchable. The numeric code included in the HTTP response, signifying status of the requested operation. Requires XDR	Integer	EVENT OBSERVATION DETAILS FACET
`netconn_server_name_indication`	Searchable. Hostname requested by the TLS client, used to help server distinguish between multiple TLS-protected services listening on the same IP:port binding. Requires XDR	String	EVENT OBSERVATION DETAILS
`netconn_tls_certificate_issuer_name`	Searchable. Name reported in the TLS certificate for the entity which issued the TLS certificate. Requires XDR	String	EVENT OBSERVATION DETAILS
`netconn_tls_certificate_subject_name`	Searchable. Name reported in the TLS certificate for the entity to which the TLS certificate was issued. Requires XDR	String	EVENT OBSERVATION DETAILS FACET
`netconn_tls_certificate_subject_not_valid_after`	Searchable. Timestamp after which the TLS certificate asserts it is no longer valid. Requires XDR	ISO 8601 UTC timestamp	EVENT OBSERVATION DETAILS
`netconn_tls_certificate_subject_not_valid_before`	Searchable. Timestamp before which the TLS certificate asserts it is not yet valid. Requires XDR	ISO 8601 UTC timestamp	EVENT OBSERVATION DETAILS
`netconn_tls_cipher`	Searchable. Netconn TLS cipher suite (see the IANA TLS cipher suites registry for the full list of possible values TLS Cipher Suites)	String `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` and more	PROCESS OBSERVATION OBSERVATION DETAILS
`netconn_tls_version`	Searchable. TLS protocol version used in this session Requires XDR	TOKENIZED String	EVENT OBSERVATION DETAILS
`network_traffic_analysis_action`	Type of the anomaly detection. Requires XDR	String `CLASSIFICATION`, `CLUSTERING`, `OUTLIER`	OBSERVATION DETAILS
`network_traffic_analysis_behavior`	Specific values which caused the anomaly detection. The content of this field is a serialized json. The structure is specific to each detector identifier (`network_traffic_analysis_identifier`). E.g. “{"DetectorStateType":"OUTLIER"}” Requires XDR	String	OBSERVATION DETAILS
`network_traffic_analysis_identifier`	Identifier contains a string friendly name that uniquely identifies the detector. The identifier is used by alert aggregation to fetch additional metadata about the detector from the threat metadata service. It then enriches the `threat_name` and `tms_rule_id` to the proto. E.g. `anomaly:portscan` Requires XDR	String	OBSERVATION DETAILS
`network_traffic_analysis_is_client_relevant`	If true, the client is relevant to the attack. It might be part of the attack. Requires XDR	Boolean	OBSERVATION DETAILS FACET
`network_traffic_analysis_is_client_target`	If true, the client is the target of the attack, otherwise it’s the server. Requires XDR	Boolean	OBSERVATION DETAILS FACET
`network_traffic_analysis_primary_alert`	If true, then this is the primary alert of all alerts, otherwise is not. Requires XDR	Boolean	OBSERVATION DETAILS FACET
`num_devices`	Count of devices where application is reported for the requested search population Requires Endpoint Standard	Integer	Aggregation Only
`num_events`	Count of events attributed to the device or application running on the requested search population Requires Endpoint Standard	Integer	Aggregation Only
`observation_description`	Searchable. Description of the activity that generated the observation	tokenized	OBSERVATION OBSERVATION DETAILS
`observation_id`	Searchable. Unique ID of the observation	String	OBSERVATION OBSERVATION DETAILS
`observation_type`	Searchable. Type of observation generated	String `OBSERVATION_TYPE_UNKNOWN` `CB_ANALYTICS` `INDICATOR_OF_ATTACK` `TAMPER` `TAU_INTELLIGENCE` `USB_DEVICE_CONTROL` `BLOCKED_HASH` `INTRUSION_DETECTION_SYSTEM` `CONTAINER_RUNTIME` `HOST_BASED_FIREWALL` `NETWORK_TRAFFIC_ANALYSIS` `CONTEXTUAL_ACTIVITY`	OBSERVATION OBSERVATION DETAILS FACET
`org_id`	Searchable. Organization identifer; unique across all environments and equivalent to org_key in other Carbon Black Cloud APIs	String	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS FACET SUMMARY / TREE
`parent_cmdline`	Searchable. Value-Searchable. Command line of the parent process	TOKENIZED String	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`parent_cmdline_length`	Searchable. Character count of the parent process' command line	Integer	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`parent_cmdline_raw`	Searchable. Command line related to parent process Note: This field's value is untokenized.	String	PROCESS OBSERVATION AUTH_EVENT
`parent_effective_reputation`	Searchable. Value-Searchable. Effective reputation of the parent process; applied by the sensor when the event occurred	String `ADAPTIVE_WHITE_LIST`, `ADWARE`, `COMMON_WHITE_LIST`, `COMPANY_BLACK_LIST`, `COMPANY_WHITE_LIST`, `HEURISTIC`, `IGNORE`, `KNOWN_MALWARE`, `LOCAL_WHITE`, `NOT_LISTED`, `PUP`, `RESOLVING`, `SUSPECT_MALWARE`, `TRUSTED_WHITE_LIST`	PROCESS* PROCESS DETAILS OBSERVATION* OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET SUMMARY / TREE
`parent_effective_reputation_source`	Searchable Source of the effective reputation for the parent process	String `IGNORE`, `CLOUD`, `PRE_EXISTING`, `AV`, `IT_TOOLS`, `CERT`, `HASH_REP`, `APPROVED_DATABASE`	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`parent_guid`	Searchable. Value-Searchable. Unique process identifier assigned to the parent process	String	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS FACET SUMMARY / TREE
`parent_hash`	Searchable. MD5 and/or SHA-256 hash of the parent process binary	String[]	PROCESS* PROCESS DETAILS OBSERVATION* OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`parent_issuer`	Searchable. Parent certificate issuer names	String[]	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`parent_name`	Searchable. Value-Searchable. Filesystem path of the parent process binary	TOKENIZED String	PROCESS* PROCESS DETAILS OBSERVATION* OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`parent_pid`	Searchable. Identifier assigned by the operating system to the parent process	Integer	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS
`parent_product_name`	Product name associated with the parent executable (from the binary resource)	String	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`parent_publisher`	Publisher name(s) on the certificate(s) used to sign the Windows or macOS binary of the parent process Requires Enterprise EDR	String[]	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`parent_publisher_state`	Searchable. Value-Searchable. State of the digital signature(s) of the parent process' binary Requires Enterprise EDR	String[] Combine any: `FILE_SIGNATURE_STATE_INVALID`, `FILE_SIGNATURE_STATE_SIGNED`, `FILE_SIGNATURE_STATE_VERIFIED`, `FILE_SIGNATURE_STATE_CHAINED`, `FILE_SIGNATURE_STATE_TRUSTED`, `FILE_SIGNATURE_STATE_OS`, `FILE_SIGNATURE_STATE_CATALOG_SIGNED` Use One: `FILE_SIGNATURE_STATE_NOT_SIGNED`, `FILE_SIGNATURE_STATE_UNKNOWN`	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`parent_reputation`	Searchable. Value-Searchable. Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud	String `ADAPTIVE_WHITE_LIST`, `ADWARE`, `COMMON_WHITE_LIST`, `COMPANY_BLACK_LIST`, `COMPANY_WHITE_LIST`, `HEURISTIC`, `IGNORE`, `KNOWN_MALWARE`, `LOCAL_WHITE`, `NOT_LISTED`, `PUP`, `RESOLVING`, `SUSPECT_MALWARE`, `TRUSTED_WHITE_LIST`	PROCESS* PROCESS DETAILS OBSERVATION* OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`parent_user_id`	Searchable. The user ID of the parent process.	String	AUTH_EVENT*** AUTH_EVENT DETAILS
`parent_username`	Username of the parent process	String	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`process_cmdline`	Searchable. Value-Searchable. Command line executed by the actor process	TOKENIZED String[]	PROCESS* PROCESS DETAILS OBSERVATION* OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`process_cmdline_length`	Searchable. Character count of the actor process command line	Integer[]	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`process_cmdline_raw`	Searchable. Command lines related to process Note: This field's value is untokenized.	String[]	PROCESS OBSERVATION AUTH_EVENT
`process_company_name`	Searchable. Company name embedded in the portable executable header of the Windows process binary Requires Windows CBC sensor and Enterprise EDR	TOKENIZED String	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`process_container_pid`	Searchable. Container process identifier assigned by the operating system; can be multi-valued in case of fork() or exec() process operations on Linux	String	PROCESS PROCESS DETAILS AUTH_EVENT AUTH_EVENT DETAILS
`process_copyright`	Copyright notice embedded in the process binary.	String	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`process_duration`	Searchable. Duration of the process (in milliseconds); available after sensor reports the process has terminated; equal to (process_end_time - process_start_time)	Integer	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`process_effective_reputation`	Searchable. Value-Searchable. Effective reputation of the actor process; applied by the sensor when the event occurred	String `ADAPTIVE_WHITE_LIST`, `ADWARE`, `COMMON_WHITE_LIST`, `COMPANY_BLACK_LIST`, `COMPANY_WHITE_LIST`, `HEURISTIC`, `IGNORE`, `KNOWN_MALWARE`, `LOCAL_WHITE`, `NOT_LISTED`, `PUP`, `RESOLVING`, `SUSPECT_MALWARE`, `TRUSTED_WHITE_LIST`	PROCESS* PROCESS DETAILS OBSERVATION* OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`process_effective_reputation_source`	Searchable Source of the effective reputation for the actor process	String `IGNORE`, `CLOUD`, `PRE_EXISTING`, `AV`, `IT_TOOLS`, `CERT`, `HASH_REP`, `APPROVED_DATABASE`	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`process_elevated`	Searchable. “True” if the process was running with elevated privileges; not present if “False” Requires Windows CBC sensor version 3.5 or later and Enterprise EDR	Boolean	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS FACET
`process_end_time`	Sensor timestamp when the process terminated; available after sensor reports the process has terminated (only for processes whose start times the sensor captured)	ISO 8601 UTC timestamp	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`process_file_description`	Searchable. File description embedded in the portable executable header of the Windows process binary Requires Windows CBC sensor and Enterprise EDR	TOKENIZED String	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`process_file_size`	Size of the binary executed by the process, in bytes.	Integer	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`process_guid`	Searchable. Value-Searchable. Unique process identifier for the actor process	String	PROCESS PROCESS DETAILS EVENT OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS FACET
`process_hash`	Searchable. MD5 and/or SHA-256 hash of the actor process binary; order may vary when two hashes are reported	String[]	PROCESS PROCESS DETAILS SUMMARY / TREE OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS FACET
`process_integrity_level`	Searchable. Windows Mandatory Integrity Control (MIC) level of the process Requires Windows CBC sensor version 3.5 or later and Enterprise EDR	String `LOW`, `MEDIUM`, `HIGH`, `SYSTEM`, `PROTECTED`	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`process_internal_name`	Searchable. Internal name embedded in the portable executable header of the Windows process binary Requires Windows CBC sensor and Enterprise EDR	TOKENIZED String	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`process_issuer`	Searchable. The process certificate issuer names	String[]	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS
`process_loaded_script_hash`	Searchable. Deprecated. Use scriptload_hash SHA-256 hash(es) of any script loaded from the filesystem through the duration of the process. Requires Endpoint Standard	String[]	OBSERVATION DETAILS AUTH_EVENT DETAILS
`process_loaded_script_name`	Searchable. Value-Searchable. Deprecated. Use scriptload_name Filesystem path(s) of any script content loaded from the filesystem through the duration of the process. Requires Endpoint Standard	TOKENIZED String[]	OBSERVATION DETAILS AUTH_EVENT DETAILS
`process_name`	Searchable. Value-Searchable. Filesystem path of the actor process binary!	TOKENIZED String	PROCESS PROCESS DETAILS SUMMARY / TREE OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS FACET
`process_original_filename`	Searchable. Original filename embedded in the portable executable header of the Windows process binary Requires Windows CBC sensor and Enterprise EDR	TOKENIZED String	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`process_pid`	Searchable. Process identifier assigned by the operating system; can be multi-valued in case of fork() or exec() process operations on Linux and macOS	Integer[]	PROCESS PROCESS DETAILS EVENT OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS FACET SUMMARY / TREE
`process_private_build`	Text that describes a private version of a process binary; typically specified if the file was not built using standard release procedures.	String	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`process_privileges`	Searchable. Windows privileges associated wth the process (see Microsoft documentation for complete list privilege-constants) Requires Windows CBC sensor version 3.5 or later and Enterprise EDR	String[]	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`process_product_name`	Searchable. Product name embedded in the portable executable header of the Windows process binary Requires Windows CBC sensor and Enterprise EDR	TOKENIZED String	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`process_product_version`	Searchable. Product version embedded in the portable executable header of the Windows process binary Requires Windows CBC sensor and Enterprise EDR	TOKENIZED String	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`process_publisher`	Searchable. Publisher name on the certificate used to sign the Windows or macOS process binary Requires Enterprise EDR	TOKENIZED String[]	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`process_publisher_state`	Searchable. Value-Searchable. State of the digital signature(s) of a Windows or macOS process binary Requires Enterprise EDR	String[] Combine any: `FILE_SIGNATURE_STATE_INVALID`, `FILE_SIGNATURE_STATE_SIGNED`, `FILE_SIGNATURE_STATE_VERIFIED`, `FILE_SIGNATURE_STATE_CHAINED`, `FILE_SIGNATURE_STATE_TRUSTED`, `FILE_SIGNATURE_STATE_OS`, `FILE_SIGNATURE_STATE_CATALOG_SIGNED` Use One: `FILE_SIGNATURE_STATE_NOT_SIGNED`, `FILE_SIGNATURE_STATE_UNKNOWN`	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`process_reputation`	Searchable. Value-Searchable. Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud	String `ADAPTIVE_WHITE_LIST`, `ADWARE`, `COMMON_WHITE_LIST`, `COMPANY_BLACK_LIST`, `COMPANY_WHITE_LIST`, `HEURISTIC`, `IGNORE`, `KNOWN_MALWARE`, `LOCAL_WHITE`, `NOT_LISTED`, `PUP`, `RESOLVING`, `SUSPECT_MALWARE`, `TRUSTED_WHITE_LIST`	PROCESS* PROCESS DETAILS OBSERVATION* OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET SUMMARY / TREE
`process_service_name`	Searchable. Windows service name(s) assigned to the process Requires Windows CBC sensor version 3.5 or later and Enterprise EDR	String[]	PROCESS* PROCESS DETAILS OBSERVATION* OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`process_sha256`	SHA-256 hash of the actor process binary	String	PROCESS* PROCESS DETAILS OBSERVATION* OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET
`process_special_build`	Text that describes how this version of the process binary differs from the standard version; typically specified for private builds.	String	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`process_start_time`	Searchable. Sensor reported timestamp of when the process started; not available for processes running before the sensor starts	ISO 8601 UTC timestamp	PROCESS* PROCESS DETAILS OBSERVATION* OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET SUMMARY / TREE
`process_terminated`	Searchable. “True” indicates the process has terminated; always “false” for enriched events (process termination not recorded) Requires Enterprise EDR	Boolean	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS FACET
`process_trademark`	Trademark text embedded in the process binary.	String	PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
`process_tlsh`	Searchable. tlsh hash of process' main module	String	AUTH_EVENT* AUTH_EVENT DETAILS OBSERVATION* OBSERVATION DETAILS PROCESS*** PROCESS DETAILS FACET
`process_trademark`	Trademark information from process binary	String	AUTH_EVENT DETAILS
`process_user_id`	Searchable. The user ID under which the actor process was executed. Equals SID for Windows endpoints.	String	AUTH_EVENT* AUTH_EVENT DETAILS OBSERVATION* OBSERVATION DETAILS PROCESS*** PROCESS DETAILS FACET
`process_username`	Searchable. Value-Searchable. User context in which the actor process was executed. MacOS - all users for the PID for fork() and exec() transitions, Linux - process user for exec() events, but in a future sensor release can be multi-valued due to setuid()"	TOKENIZED String[]	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS FACET
`regmod_action`	Action associated with the regmod operation	String `ACTION_INVALID`, `ACTION_CREATE_KEY`, `ACTION_WRITE_VALUE`, `ACTION_DELETE_KEY`, `ACTION_DELETE_VALUE`, `ACTION_RENAME_KEY`, `ACTION_RESTORE_KEY`, `ACTION_REPLACE_KEY`, `ACTION_SET_SECURITY`	EVENT OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS
`regmod_count`	Searchable. Count of regmod events reported by the sensor since last initialization Requires Enterprise EDR	Integer	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS FACET SUMMARY / TREE
`regmod_excluded_count`	Count of excluded regmod events reported by the sensor since last initialization	Integer	AUTH_EVENT DETAILS
`regmod_name`	Searchable. Value-Searchable. Full path of the registry key(s) modified by the process	TOKENIZED String	EVENT OBSERVATION DETAILS
`regmod_new_name`	Searchable. New registry key name; renamed keys only (regmod_action=“ACTION_RENAME_KEY”)	String	EVENT
`regmod_old_name`	Searchable. Old registry key name; renamed keys only (regmod_action=“ACTION_RENAME_KEY”)	String	EVENT
`report_id`	Searchable. ID of the watchlist report(s) that detected a hit on the process Requires Enterprise EDR	String	Processes Only
`report_severity`	Searchable. Severity rating of the watchlist report; ranges 1-10, where 10 is “severe” Requires Enterprise EDR	Integer
`report_watchlist_id`	Searchable. Deprecated; use watchlist_id instead	String
`rule_config_id`	Searchable. The GUID of the policy rule config associated with the Observation or Alert	String	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS
`rule_config_name`	Searchable. The name of the policy rule config associated with the Observation or Alert, such as Defense Evasion or Advanced Scripting Prevention	String	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS
`rule_id`	Searchable. ID of the rule that triggered an alert or observation; applies to INDICATOR_OF_ATTACK, INTRUSION_DETECTION_SYSTEM, HOST_BASED_FIREWALL, TAU_INTELLIGENCE, USB_DEVICE_CONTROL alerts and observations	String	OBSERVATION OBSERVATION DETAILS
`scriptload_content`	Searchable. Deobfuscated script content of script(s) loaded from the filesystem. Requires Windows CBC sensor 3.6 or later, AMSI support via Windows 10/Server version 1703 or later For more information see here	TOKENIZED String[]	EVENT OBSERVATION DETAILS
`scriptload_content_length`	Searchable. Character count of the deobfuscated script content of script(s) loaded from the filesystem. Requires Windows CBC sensor 3.6 or later, AMSI support via Windows 10/Server version 1703 or later For more information see here	Integer[]	EVENT OBSERVATION DETAILS
`scriptload_content_raw`	Searchable. Raw script content of the script loaded from the filesystem without tokenization of special characters. Requires Windows CBC sensor 3.6 or later, AMSI support via Windows 10/Server version 1703 or later For more information see here	TOKENIZED String
`scriptload_count`	Searchable. Count of scriptload events reported by the sensor since last initialization. Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR	Integer	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS FACET SUMMARY / TREE
`scriptload_effective_reputation`	Searchable. Effective reputation of the script file loaded by the process; applied by the sensor when the event occurred. Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR	String `ADAPTIVE_WHITE_LIST`, `ADWARE`, `COMMON_WHITE_LIST`, `COMPANY_BLACK_LIST`, `COMPANY_WHITE_LIST`, `HEURISTIC`, `IGNORE`, `KNOWN_MALWARE`, `LOCAL_WHITE`, `NOT_LISTED`, `PUP`, `RESOLVING`, `SUSPECT_MALWARE`, `TRUSTED_WHITE_LIST`	EVENT FACET
`scriptload_file_type`	Searchable. The type of file.	String[] `EXECUTABLE_IMAGE`, `EXECUTABLE_LIBRARY`, `SCRIPT`	EVENT FACET
`scriptload_hash`	Searchable. MD5 and/or SHA-256 hash(es) of the script file loaded by the process. Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later	String[]	OBSERVATION DETAILS
`scriptload_issuer`	Scriptload certificate issuer names	String[]	OBSERVATION DETAILS
`scriptload_md5`	Searchable. Deprecated. Use scriptload_hash MD5 hash of the filesystem script file loaded at process launch Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR	String	EVENT FACET
`scriptload_name`	Searchable. Value-Searchable. Filesystem path of the script file loaded by the process. Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later, Linux CBC sensor version 2.9 or later	TOKENIZED String	EVENT OBSERVATION DETAILS
`scriptload_publisher`	Searchable. Publisher name on the certificate used to sign the script file; reports signatures on Powershell scripts and .MSI/.MSP files. Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR	String	EVENT
`scriptload_publisher_state`	Searchable. Value-Searchable. State of the loaded script(s)' digital signature(s); checks signatures on Powershell scripts and .MSI/.MSP files Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR	String[] Combine any: `FILE_SIGNATURE_STATE_INVALID`, `FILE_SIGNATURE_STATE_SIGNED`, `FILE_SIGNATURE_STATE_VERIFIED`, `FILE_SIGNATURE_STATE_CHAINED`, `FILE_SIGNATURE_STATE_TRUSTED`, `FILE_SIGNATURE_STATE_OS`, `FILE_SIGNATURE_STATE_CATALOG_SIGNED` Use One: `FILE_SIGNATURE_STATE_NOT_SIGNED`, `FILE_SIGNATURE_STATE_UNKNOWN`	EVENT OBSERVATION DETAILS
`scriptload_sha256`	Searchable. Deprecated. Use scriptload_hash SHA-256 hash of the filesystem script file loaded by the process. Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR	String	EVENT FACET
`scriptload_type`	The type of the scriptload operation	String
`sensor_action`	Searchable. Value-Searchable. An action performed by the sensor on the process	String[] `TERMINATE`, `DENY`, `SUSPEND`	PROCESS PROCESS DETAILS EVENT OBSERVATION OBSERVATION DETAILS AUTH_EVENT AUTH_EVENT DETAILS FACET
`threat_hunt_id`	ID of the MDR threat hunt	String
`threat_hunt_name`	Name of the MDR threat hunt	String
`threat_name`	Name of the threat related to the observation	String	OBSERVATION DETAILS
`tms_rule_id`	ID of the rule that triggered an Intrusion Detection System or Network Traffic Analysis alert Requires XDR	String	OBSERVATION DETAILS
`triggered_alert_id`	Triggered alert IDs associated with the process (including silent alerts)	TOKENIZED String	AUTH_EVENT
`ttp`	Searchable. Value-Searchable. Patterns of behavior (i.e. tactics, techniques, procedures) associated with specific threat actor(s) attributed to events of the process	String[]	PROCESS* EVENT OBSERVATION* OBSERVATION DETAILS AUTH_EVENT*** AUTH_EVENT DETAILS FACET PROCESS DETAILS
`virtual_private_cloud_id`	Searchable. ID of the virtual private cloud.	String	AUTH_EVENT*** AUTH_EVENT DETAILS
`watchlist_hit`	Identifier for specific hit record(s) generated by a watchlist, from report metadata; format “<watchlist_id>:<report_id>:<report_severity>” Requires Enterprise EDR	String[]	PROCESS PROCESS DETAILS OBSERVATION OBSERVATION DETAILS FACET
`watchlist_id`	Searchable. ID of the watchlist that generated a hit on the process Requires Enterprise EDR	String	Processes Only
`watchlist_name`	Searchable. Name of the watchlist that generated a hit on the process Requires Enterprise EDR	TOKENIZED String	Processes Only
`windows_event_id`	Searchable. Identifier of the Windows event type, specified by Windows OS	int	AUTH_EVENT AUTH_EVENT DETAILS FACET

Limitations

As with standard AND queries when searching for field_1 = X and field_2 = Y, an event with only one field populated will not be returned.

A special case of this is when searching across both Endpoint Standard and Enterprise EDR data; if you combine any fields that are each available in only one product, you will receive zero results. For example:

If you search event_attack_stage:BREACH you will get results on both the “Enriched Events” and “Processes” search endpoints (requires Endpoint Standard)
If you search netconn_count:[1 TO *], you will only get results on “Processes” search endpoint (requires Enterprise EDR)
If you perform the search event_attack_stage:BREACH AND netconn_count:[1 TO *], you will get no results because NO events have both Endpoint Standard-only event_attack_stage and Enterprise EDR-only netconn_count fields
Any field can be searched on individually

Data Conversions

IPv6 data format to standard IPv6 notation

Use this if you are migrating from Endpoint Standard fields (used in integrationServices API routes) to Platform Search fields (including Process, Process Events and Enriched Event searches). The IPv6 netconn fields in Platform Search do not return in API responses using a standard IPv6 notation (it does not include colons) in order to make it easier to sort, use the big integer library, and perform subnet searches.

Example return value for fields like netconn_ipv6, netconn_remote_ipv6, netconn_local_ipv6: FF0200000000000000000000000000FB
To convert the notation to standard IPv6, you must insert a colon character between every four alphanumeric characters, or run the following function:

const StringIP = d.replace(/(.{4})/g, '$1:').slice(0, -1);

Result: FF02:0000:0000:0000:0000:0000:0000:00FB

However, when searching on these IPv6 fields, you must use escaped colon-separated notation e.g. netconn_ipv6:"2607:F8B0:4006:081B:0000:0000:0000:200E"

IPv4 integer format to dotted decimal notation

IPv4 netconn fields return their value in “integer” format rather than the more common “dotted decimal” notation.
The conversion from IPv4 integers to dotted decimal is common and can be validated with tools like this converter
Example: If you received netconn_remote_ipv4 = 911598478, the dotted decimal equivalent would be 54.85.227.142

Special Tokenizations

Some fields are tokenized to allow more efficient searches

File Path Tokenization

Fields: process_name, parent_name, filemod_name, childproc_name, crossproc_name, modload_name, scriptload_name, regmod_name

Search for path hierarchies. Use slash (/) character or escaped backslash (\\) characters and enclose in double quotes if path contains colon or space characters. Exclude any leading path separator. File extension searching also supported.

Search examples: process_name:"c:/windows/system32/cmd.exe" filemod_name:.wcry regmod_name:myregkey/myregvalue modload_name:downloads\\myfile.exe parent_name:"c:/program files"

Domain name Tokenization

Fields: netconn_domain

Search for any part of the domain. Start or end with ‘.’ to only look for a prefix or suffix.

Search examples: netconn_domain:.google.com netconn_domain:.ru netconn_domain:www.google.com

IPv4 Address Tokenization

Fields: netconn_ipv4

Search examples: netconn_ipv4:192.168.0.10 netconn_ipv4:192.168.0.0/24

IPv6 Address Tokenization

Fields: netconn_ipv6

Search examples: netconn_ipv6:"2001:0db8:85a3:0000:0000:8a2e:0370:7334" netconn_ipv6:"2001:db8::/127"

Command Line Tokenization

Fields: process_cmdline

Words in the command line can be searched, along with switches (-x /x) and file extensions.

Search examples: process_cmdline:"d:/path/myprogram.vbs /v" process_cmdline:"d:" process_cmdline:.vbs process_cmdline:"/v"

Last modified on April 18, 2025

Carbon Black Cloud

Page Contents