Search Fields - Investigate

Version: v2

The following table lists the fields that can be returned in the response or used for searching with the Carbon Black Cloud using any of

Note: For Auth Events, certain fields have recently been removed from the offical list of fields that would be returned, because they would never have been populated with data.

Using the Schema

View the definition of each field, default values, whether it is required, searchable and/or tokenized. You can also see accepted values and routes supported per each field.

Possible routes

Clicking these icons will take you to the relevant API.

  • ENRICHED_EVENT - Returns endpoint data that has been analyzed against typical attacker behavior and flagged as potentially malicious
  • ENRICHED_EVENT DETAILS - Returns the full set of data for Enriched Events
  • PROCESS - Returns data about instances where a program was executed on an endpoint
  • PROCESS DETAILS - Returns the full set of data for Processes
  • EVENT - Returns data about an observable occurrence on an endpoint
  • OBSERVATION - Returns data about Observations, which are the noteworthy, searchable findings across your whole fleet.
  • OBSERVATION DETAILS - Returns the full set of data for Observations.
  • AUTH_EVENT - Returns data about authentication events that occur on Windows endpoints.
  • AUTH_EVENT DETAILS - Returns the full set of data for Auth Events.
  • FACET - These fields can be used for sorting and filtering search queries or returning most prevalent values.
  • SUMMARY / TREE - Returns fields from a process summary search
Note: For fields where the Routes Supported column contains no entries, this means this field is not returned by any API route - it is only usable in the search request.

Additional indicators

  • TOKENIZED - Can be searched by a partial phrase
  • Searchable - Indicates that the field can be used in the criteria, exclusion or query elements of search requests e.g. process_name:chrome.exe
  • Value-Searchable - Indicates that the field’s value is searchable though a value based query e.g. chrome.exe
  • Rather than having to explicitly search process_name:chrome.exe OR childproc_name:chrome.exe OR filemod_name:chrome.exe, a search for chrome.exe will find that String in any of those three fields for you as well as in other value search enabled fields
  • Aggregation Only - Indicates that the field is only returned for the Aggregation endpoint for Enriched Events
  • Processes Only - Indicates that the field is only searchable for Processes
  • *** - Indicates that the field needs to be requested in the fields property of a search job

Searching across both Endpoint Standard and Enterprise EDR data? See below for limitations.

Schema

Note: Additional details and examples can be found in the Carbon Black Cloud console search guide.
Field Name Definition Datatype Routes Supported
alert_category Searchable.
A Carbon Black Cloud classification for events tagged to an alert indicating whether the event is a “threat” or “observed”

Requires Endpoint Standard
String[]

THREAT, OBSERVED
ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS EVENT OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS FACET
alert_id Searchable.
ID of the alert(s) associated with the process or event.

Note: 'id' or 'legacy_alert_id' will work for searching events or processes associated with a CB_ANALYTIC alert.
TOKENIZED
String[]
ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS EVENT OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS FACET
asset_group_id Searchable.
The ID of the asset group the device is part of.
TOKENIZED
String
asset_group_name Searchable.
The name of the asset group the device is part of.
TOKENIZED
String
asset_id Searchable.
Asset id that is guaranteed to be unique within each PSC environment, which is a set of organizations.
String AUTH_EVENT
AUTH_EVENT DETAILS
attack_tactic Searchable.
A tactic from the MITRE ATT&CK framework; defines a reason for an adversary’s action, such as achieving credential access
String OBSERVATION
OBSERVATION DETAILS FACET
attack_technique Searchable.
A technique from the MITRE ATT&CK framework; defines an action an adversary takes to accomplish a goal, such as dumping credentials to achieve credential access
String OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS FACET
attack_tid Searchable.

Allows searching for a specific combination of MITRE ATT&CK tactic and technique; use the format tactic:technique.subtechnique
TOKENIZED
String
FACET
auth_cleartext_credentials_logon Searchable.
True if the logon attempt occurred using cleartext credentials; false if the logon attempt occurred using encrypted credentials
Boolean AUTH_EVENT DETAILS FACET
auth_credential_provider The logon process that validated the credentials in Event ID 4611. Common processes include Winlogon, Schannell, KSecDD, Secondary Logon Service (runas), IKE, HTTP.SYS, SspTest, dsRole, DS Replication CredProvConsent (user account control) String AUTH_EVENT DETAILS
auth_daemon_logon Searchable.
Identifies if the logon attempt is attributed to a service (Windows) or daemon (macOS/Linux)
Boolean AUTH_EVENT DETAILS FACET
auth_domain_name Searchable.
Domain name of the user the authentication event is attributed to
String AUTH_EVENT
AUTH_EVENT DETAILS FACET
auth_elevated_token_logon Searchable.
True if the logon attempt occurred using an elevated token; false if the logon attempt occurred without the use of an elevated token
Boolean AUTH_EVENT DETAILS FACET
auth_event_action Searchable.
Action that results from an authentication attempt
String

Values: INVALID, LOGON_SUCCESS, LOGON_FAILED, LOGOFF_SUCCESS, PRIVILEGES_GRANTED, ACCOUNT_LOCKED, LOGON_DISCOVERED
AUTH_EVENT
AUTH_EVENT DETAILS
auth_failed_logon_count Searchable.
Number of failed logon attempts since last successful logon
Integer AUTH_EVENT
AUTH_EVENT DETAILS
auth_failure_reason Only used with ACTION_LOGON_FAILED event. The fields are documented at https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 String AUTH_EVENT DETAILS
auth_failure_status Searchable.
Only used with ACTION_LOGON_FAILED event. The fields are documented at https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
String AUTH_EVENT***
AUTH_EVENT DETAILS FACET
auth_failure_sub_status Searchable.
Hexadecimal code that identifies the logon failure reason
String AUTH_EVENT***
AUTH_EVENT DETAILS FACET
auth_impersonation_level Values are:
IMPERSONATION_INVALID
IMPERSONATION_NONE - Default, No impersonation
IMPERSONATION_ANONYMOUS - Security Anonymous: The server cannot impersonate or identify the client.
IMPERSONATION_CLIENT - Security Identification: The server can get the identity and privileges of the client, but cannot impersonate the client.
IMPERSONATION_LOCAL_ONLY - Security Impersonation: The server can impersonate the client’s security context on the local system.
IMPERSONATION_LOCAL_OR_REMOTE - Security Delegation: The server can impersonate the client’s security context on remote systems
String AUTH_EVENT DETAILS
auth_interactive_logon Searchable.
True if the logon attempt was interactive; false if the logon attempt was non-interactive
Boolean AUTH_EVENT DETAILS FACET
auth_key_length For non-kerberos authentication this is the length of the key used to secure the authentication channel Integer AUTH_EVENT DETAILS
auth_last_failed_logon_time Time of last failed logon date AUTH_EVENT DETAILS
auth_linked_logon_id When UAC (User Account Control) is enabled and an administrator logs on there are 2 logon sessions created, one with admin privileges and a split token without. This is the linked LUID in 00000000-00000000 format String AUTH_EVENT DETAILS
auth_logon_id Searchable.
Locally unique identifier of the user the authentication event is attributed to. Unique per logon session per machine
String AUTH_EVENT***
AUTH_EVENT***
AUTH_EVENT DETAILS FACET
auth_logon_type Searchable.
Identifies the logon type initiated by the authentication connection
Integer AUTH_EVENT***
AUTH_EVENT DETAILS FACET
auth_package Populated for Event id 4610 Events and identifies the authorization package that was loaded String AUTH_EVENT DETAILS
auth_package_version The version of the authorization package identified in auth_package that was used String AUTH_EVENT DETAILS
auth_privileges Searchable.
Privilege(s) assigned to the logon session
String[] AUTH_EVENT***
AUTH_EVENT DETAILS FACET
auth_remote_device Searchable.
Name of the remote device the remote authentication attempt is made from
TOKENIZED
String
AUTH_EVENT
AUTH_EVENT DETAILS FACET
auth_remote_ipv4 Searchable.
IP address of the remote device the remote authentication attempt is made from
String AUTH_EVENT
AUTH_EVENT DETAILS FACET
auth_remote_ipv6 Where the user was when they logged on - remote ip v6 address String AUTH_EVENT
AUTH_EVENT DETAILS FACET
auth_remote_location Searchable.
Where the user was when they logged on in this format; city, region, country
TOKENIZED
String
AUTH_EVENT
AUTH_EVENT DETAILS FACET
auth_remote_logon Searchable.
True if the logon attempt was remote; false if the logon attempt was local
Boolean AUTH_EVENT DETAILS FACET
auth_remote_port Searchable.
Port number the remote authentication attempt is made from
Integer AUTH_EVENT
AUTH_EVENT DETAILS FACET
auth_restricted_admin_logon Searchable.
True if the logon attempt occurred using Restricted Admin mode for Remote Desktop Connection; false if the logon attempt occurred without the use of Restricted Admin Mode
Boolean AUTH_EVENT DETAILS FACET
auth_server The server name that authenticated the logon String AUTH_EVENT DETAILS
auth_user_id Searchable.
Security ID (SID) of the user on a Windows machine. SID is a unique value of variable length used to identify a trustee (security principal)
String AUTH_EVENT***
AUTH_EVENT DETAILS FACET
auth_user_principal_name Searchable.
User Principal Name (UPN) of the user associated with the authentication event
TOKENIZED
String
AUTH_EVENT
AUTH_EVENT DETAILS
auth_username Searchable.
Name of the user the authentication event is attributed to
TOKENIZED
String
AUTH_EVENT
AUTH_EVENT DETAILS FACET
auth_virtual_account_logon Searchable.
True if the logon attempt occurred using a virtual account; false if the logon attempt occurred without the use of a virtual account
Boolean AUTH_EVENT DETAILS FACET
backend_timestamp Searchable.
Timestamp when the Carbon Black Cloud processed and enabled the data for searching; occurs after ingress_time; may differ from device_timestamp by a few minutes due to asynchronous processing
ISO 8601 UTC timestamp ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS AUTH_EVENT
AUTH_EVENT DETAILS OBSERVATION
OBSERVATION DETAILS FACET SUMMARY / TREE
blocked_effective_reputation Searchable.
Value-Searchable.
Effective reputation of the blocked file; applied by the sensor when the event occurs
String

ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST
ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS
blocked_hash Searchable.
MD5 and SHA-256 hash(es) of the child process(es) binary; for any process(es) terminated by the sensor
String[] ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS
blocked_name Searchable.
Value-Searchable.
Tokenized file path of the files blocked by sensor action
TOKENIZED
String
ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS
childproc_cmdline Searchable.
Value-Searchable.
Command line of the child process
TOKENIZED
String
ENRICHED_EVENT DETAILS EVENT OBSERVATION DETAILS
childproc_cmdline_length Searchable.
Character count of the child process' command line

Requires Endpoint Standard
Integer ENRICHED_EVENT DETAILS OBSERVATION DETAILS
childproc_cmdline_raw Raw command line of the child process without tokenization of special characters. String PROCESS
ENRICHED_EVENT
OBSERVATION
EVENT
childproc_count Searchable.
Count of childproc events reported by the sensor since last initialization

Requires Enterprise EDR
Integer ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS FACET SUMMARY / TREE
childproc_crossproc_actor_count The number of cross-procedure actors made by the child process. Integer
childproc_crossproc_target_count The number of cross-procedure targets made by the child process. Integer
childproc_effective_reputation Searchable.
Value-Searchable.
Effective reputation of the child process; applied by the sensor when the event occurs
String

ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST
ENRICHED_EVENT DETAILS EVENT OBSERVATION DETAILS
childproc_effective_reputation_source Source of the effective reputation for the child process String

IGNORE, CLOUD, PRE_EXISTING, AV, IT_TOOLS, CERT, HASH_REP, APPROVED_DATABASE
ENRICHED_EVENT DETAILS OBSERVATION DETAILS
childproc_guid Searchable.
Unique identifier for the child process; same as childproc_process_guid
String ENRICHED_EVENT***
ENRICHED_EVENT DETAILS OBSERVATION***
OBSERVATION DETAILS AUTH_EVENT*** FACET
childproc_hash Searchable.
Hash(es) of the child process(es)' binary (MD5 or SHA-256 for Enterprise EDR, SHA-256 for Endpoint Standard)
String[] ENRICHED_EVENT DETAILS OBSERVATION DETAILS
childproc_issuer Certificate authority, signing authority or company that issued the certificate for the binary that is executed by the childproc String[] OBSERVATION DETAILS
childproc_md5 Searchable.
MD5 hash of the binary executed by the child process
String EVENT FACET
childproc_modload_count The number of module loads made by the child process. Integer
childproc_name Searchable.
Value-Searchable.
Filesystem path of the child process' binary
TOKENIZED
String
ENRICHED_EVENT DETAILS EVENT OBSERVATION DETAILS
childproc_pid Process identifier assigned by the operating system to the child process Integer ENRICHED_EVENT DETAILS OBSERVATION DETAILS
childproc_process_guid Searchable.
Unique identifier for the child process; same as childproc_guid
String EVENT FACET
childproc_product_name Product name embedded in the portable executable header of the binary for the child process. Windows only. String OBSERVATION DETAILS
childproc_publisher Publisher name on the certificate used to sign the Windows or macOS binary of child process(es)

Requires Enterprise EDR
String[] ENRICHED_EVENT DETAILS OBSERVATION DETAILS
childproc_publisher_state Searchable.
Value-Searchable.
State of the digital signature(s) of the child processes' binaries

Requires Enterprise EDR
String[]

Combine any: FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED

Use One: FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN
OBSERVATION DETAILS
childproc_regmod_count Number of registry modifications made by the child process. Integer
childproc_reputation Searchable.
Value-Searchable.
Reputation of the child process; applied by the Carbon Black Cloud when the event was processed
String

ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST
ENRICHED_EVENT DETAILS OBSERVATION DETAILS
childproc_sha256 Searchable.
SHA-256 hash of the binary executed by the child process in the event
String EVENT FACET
childproc_suppressed True if the Carbon Black Cloud suppressed one or more childproc process records; not present if false (suppressed if the child process shows no interesting activity after the process is created); Linux sensors only Boolean EVENT FACET
childproc_username Searchable.
The user context in which the child process was executed
TOKENIZED
String
EVENT
chrome_device_id Searchable.
An ID which points to the Chrome datastore within a device.
String AUTH_EVENT
AUTH_EVENT DETAILS
cloud_provider_account_id Searchable.
The account ID with the cloud provider.
String AUTH_EVENT***
AUTH_EVENT DETAILS
cloud_provider_resource_id Searchable.
The resource ID with the cloud provider.
String AUTH_EVENT***
AUTH_EVENT DETAILS
cloud_provider_scale_group Searchable.
The automatic scaling group name within the cloud provider.
String AUTH_EVENT***
AUTH_EVENT DETAILS
cloud_provider_tags Searchable.
Tags used for the cloud provider.
TOKENIZED
String
AUTH_EVENT***
AUTH_EVENT DETAILS
container_cgroup Searchable.
A control group on linux that manages resources and which the container must interact with.
String PROCESS DETAILS AUTH_EVENT DETAILS
container_id Searchable.
ID of the container
String PROCESS PROCESS DETAILS AUTH_EVENT
AUTH_EVENT DETAILS
container_image_hash Searchable.
SHA-256 hash of the container image
String PROCESS***
PROCESS DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
container_image_name Searchable.
Name of the container image; images are static files with executable code than can create containers
TOKENIZED
String
PROCESS***
PROCESS DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
container_name Searchable.
Name of the container; names are typically generated by runtime engines or by platforms, e.g. K8s
TOKENIZED
String
PROCESS***
PROCESS DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
created_timestamp Timestamp of when the event document was created. Date
crossproc_action Searchable.
Value-Searchable.
The cross-process action initiated by the actor process
String

ACTION_API_CALL, ACTION_DUP_PROCESS_HANDLE, ACTION_OPEN_THREAD_HANDLE, ACTION_DUP_THREAD_HANDLE, ACTION_CREATE_REMOTE_THREAD
ENRICHED_EVENT DETAILS EVENT
OBSERVATION DETAILS
crossproc_api Searchable.
Name of the operating system API called by the actor process. In cases where that call targets another process, that process is reported as crossproc_name. In cases where there is no target process, this field represents a system API call.

Available with:
  • all sensors with Endpoint Standard
  • Windows 3.8 or later sensor with Enterprise EDR
  • macOS sensors with Enterprise EDR (only reporting the PEP_CREATE_PHANDLE_API call made in task_for_pid() requests)
String ENRICHED_EVENT DETAILS EVENT
OBSERVATION DETAILS
crossproc_cmdline Command line of the cross-process command TOKENIZED
String
ENRICHED_EVENT DETAILS OBSERVATION DETAILS
crossproc_cmdline_length Character count of the cross-process command line executed String ENRICHED_EVENT DETAILS OBSERVATION DETAILS
crossproc_count Searchable.
Count of crossproc events reported by the sensor since last initialization

Requires Enterprise EDR
Integer ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS FACET SUMMARY / TREE
crossproc_effective_reputation Effective reputation of the binary on one side of the cross-process action; if crossproc_target=true, it is the effective reputation of the process targeted in the cross-process action; if crossproc_target=false, it is of the actor process (applied by the sensor when the event occurred) String

ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST
ENRICHED_EVENT DETAILS EVENT OBSERVATION DETAILS
crossproc_effective_reputation_source Source of the effective reputation for the cross-process String

IGNORE, CLOUD, PRE_EXISTING, AV, IT_TOOLS, CERT, HASH_REP, APPROVED_DATABASE
ENRICHED_EVENT DETAILS OBSERVATION DETAILS
crossproc_guid Unique process identifier of one of the cross-process members; if crossproc_target=true, it is the GUID of the process targeted in the cross-process action; if crossproc_target=false, it is the GUID of the actor process (same as crossproc_process_guid) String ENRICHED_EVENT DETAILS OBSERVATION DETAILS
crossproc_hash Searchable.
MD5 and/or SHA-256 hash(es) of the binaries whose processes are running on one side of the cross-process action; if crossproc_target=true, the hash(es) are of the process targeted in the cross-process action; if crossproc_target=false, the hash(es) are of the actor process
String[] ENRICHED_EVENT DETAILS OBSERVATION DETAILS
crossproc_md5 Searchable.
MD5 hash of the binary on one side of the cross-process action; if crossproc_target=true, it is the MD5 of the process targeted in the cross-process action; if crossproc_target=false, it is the MD5 of the actor process
String EVENT FACET
crossproc_name Searchable.
Value-Searchable.
Filesystem path of the binary of one side of the cross-process action (can be missing for certain crossproc actions); if crossproc_target=true, it is the path of the process targeted in the cross-process action; if crossproc_target=false, it is the path of the actor process
TOKENIZED
String
ENRICHED_EVENT DETAILS EVENT
OBSERVATION DETAILS
crossproc_pid Process identifier assigned by the operating system to one of the cross-process members; if crossproc_target=true, it is the PID of the process targeted in the cross-process action; if crossproc_target=false, it is the PID of the actor process Integer ENRICHED_EVENT DETAILS OBSERVATION DETAILS
crossproc_process_guid Searchable.
Unique identifer of the process on one side of the cross-process action; if crossproc_target=true, it is the GUID of the process targeted in the cross-process action; if crossproc_target=false, it is the GUID of the actor process (same as crossproc_guid)
String EVENT FACET
crossproc_product_name Product name associated with the cross-process executable (from the binary resource). String
crossproc_publisher Cross-process certificate signer names. TOKENIZED
String
crossproc_publisher_state Certificate signature state of the cross-process executable as a string. Can be a combination of FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED or FILE_SIGNATURE_STATE_NOT_SIGNED if not signed. TOKENIZED
String
crossproc_reputation Reputation of cross-process executable as provided by the CDC. String
crossproc_sha256 Searchable.
SHA-256 hash of the binary on one side of the cross-process action; if crossproc_target=true, it is the SHA-256 of the process targeted in the cross-process action; if crossproc_target=false, it is the SHA-256 of the actor process
String EVENT FACET
crossproc_target Searchable.
True if the process was the target of the cross-process event; false if the process was the actor
Boolean ENRICHED_EVENT DETAILS EVENT
OBSERVATION DETAILS FACET
crossproc_username User name associated with the cross-process process. String
device_external_ip Searchable.
Value-Searchable.
IP address of the endpoint according to the Carbon Black Cloud; can differ from device_internal_ip due to network proxy or NAT; either IPv4 (dotted decimal notation) or IPv6 (proprietary format documented below)
String ENRICHED_EVENT***
ENRICHED_EVENT DETAILS PROCESS***
PROCESS DETAILS
OBSERVATION***
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET SUMMARY / TREE
device_group Searchable.
Value-Searchable.
Sensor group to which the endpoint was assigned when the sensor recorded the event data
String ENRICHED_EVENT***
ENRICHED_EVENT DETAILS PROCESS***
PROCESS DETAILS OBSERVATION***
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
device_group_id Searchable.
ID assigned to the device_group by Carbon Black Cloud; will match on the ad_group_id on the Devices API
Integer ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS SUMMARY / TREE
device_id Searchable.
ID assigned to the endpoint by Carbon Black Cloud; unique across all Carbon Black Cloud environments
Integer ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS FACET SUMMARY / TREE
device_installed_by Searchable.
The Carbon Black Cloud user who was logged in to the endpoint when the sensor was installed (e.g. pat.malarkey@email.com, DOMAIN\pmalarkey or pmalarkey)
TOKENIZED
String
ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS
device_internal_ip Searchable.
Value-Searchable.
IP address of the endpoint reported by the sensor; either IPv4 (dotted decimal notation) or IPv6 (proprietary format, documented below)
String ENRICHED_EVENT***
ENRICHED_EVENT DETAILS PROCESS***
PROCESS DETAILS OBSERVATION***
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
device_location The endpoint’s current location relative to the organization’s network, based on the current IP address and the device’s registered DNS domain suffix String

ONSITE, OFFSITE, UNKNOWN
ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS
device_name Searchable.
Value-Searchable.
Hostname of the endpoint recorded by the sensor when last initialized
TOKENIZED
String
ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS
AUTH_EVENT DETAILS FACET
device_os Searchable.
Value-Searchable.
The operating system of the endpoint
String

WINDOWS, MAC, LINUX
ENRICHED_EVENT***
ENRICHED_EVENT DETAILS PROCESS***
PROCESS DETAILS OBSERVATION***
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
device_os_version Searchable.
Value-Searchable.
The operating system and version of the endpoint

Requires Windows CBC sensor version 3.5 or later
TOKENIZED
String
ENRICHED_EVENT DETAILS PROCESS DETAILS
OBSERVATION DETAILS
AUTH_EVENT AUTH_EVENT DETAILS
device_policy Searchable.
Value-Searchable.
Policy applied to the endpoint in the Carbon Black Cloud
String ENRICHED_EVENT***
ENRICHED_EVENT DETAILS PROCESS***
PROCESS DETAILS OBSERVATION***
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
device_policy_id Searchable.
ID assigned to the device_policy by the Carbon Black Cloud
Integer ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS
device_sensor_version Searchable.
Version of the sensor installed on the device
String ENRICHED_EVENT*** PROCESS*** OBSERVATION***
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT***
AUTH_EVENT DETAILS FACET
device_target_priority The “Target value” configured in the policy assigned to the sensor

Requires Endpoint Standard
String

MISSION_CRITICAL, HIGH, MEDIUM, LOW
ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS
device_timestamp Searchable.
Sensor-reported timestamp of the batch of events in which this record was submitted to Carbon Black Cloud
ISO 8601 UTC timestamp ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS FACET SUMMARY / TREE
document_guid Searchable.
Unique id of solr document. Built as process_guid+server-side timestamp in epoch milliseconds (1/1/1970 based).
String AUTH_EVENT***
AUTH_EVENT DETAILS
enriched Searchable.
True if the result includes data from the Endpoint Standard product. Not present if false.

Requires Endpoint Standard
Boolean ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS EVENT OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS FACET
enriched_event_type Searchable.
Event type(s) as determined by the Carbon Black Cloud

Requires Endpoint Standard
String

CREATE_PROCESS, DATA_ACCESS, FILE_CREATE, INJECT_CODE, NETWORK, OTHER_BEHAVIOR, POLICY_ACTION, REGISTRY_ACCESS, STATIC_SCAN, SYSTEM_API_CALL

Note: enriched_event_type will be a String[] on Process Search.
ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS EVENT OBSERVATION
OBSERVATION DETAILS FACET
event_attack_stage Searchable.
Stage(s) of the cyber kill chain when an attack was terminated by sensor

Requires Endpoint Standard
String

BREACH, COMMAND_AND_CONTROL, DELIVER_EXPLOIT, EXECUTE_GOAL, INSTALL_RUN, RECONNAISSANCE, WEAPONIZE

Note: Event_attack_stage will be a String[] on Process Search.
ENRICHED_EVENT***
ENRICHED_EVENT DETAILS PROCESS***
PROCESS DETAILS OBSERVATION*** FACET
event_description Searchable.
Value-Searchable.
Event description calculated by the Carbon Black Cloud

Requires Endpoint Standard
TOKENIZED
String
ENRICHED_EVENT
ENRICHED_EVENT DETAILS EVENT OBSERVATION
OBSERVATION DETAILS
event_guid A globally unique identifier for this event document String
event_hash Hash of the event to allow for deduplication of events String EVENT FACET
event_id Searchable.
Unique event identifier assigned by the Carbon Black Cloud
String

Formats: b74addedf22511eaa5b90997e383f3bf, 21EF16B0-AB2E-413A-ABD0-9697C9FD0211
ENRICHED_EVENT
ENRICHED_EVENT DETAILS OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS FACET
event_network_inbound True if the network connection was inbound. False if the network connection was outbound. Boolean
event_network_local_ipv4 IPv4 address of the local side of the network connection (stored as dotted decimal); similar to netconn_local_ipv4

Requires Endpoint Standard
String ENRICHED_EVENT
ENRICHED_EVENT DETAILS

Requires Endpoint Standard
event_network_local_ipv6 IPv6 address of the local side of the network connection

Requires Endpoint Standard
String ENRICHED_EVENT
ENRICHED_EVENT DETAILS

Requires Endpoint Standard
event_network_location Geolocation of the remote side of the network connection; same as netconn_location and netconn_remote_location

Requires Endpoint Standard
TOKENIZED
String

Format: City,Region/State,Country

Note: One or more of the three sections will be included in a comma separated list.
ENRICHED_EVENT
ENRICHED_EVENT DETAILS
event_network_protocol Network protocol of the network connection; similar to netconn_protocol

Requires Endpoint Standard
String

TCP, UDP
ENRICHED_EVENT
ENRICHED_EVENT DETAILS
event_network_remote_ipv4 IPv4 address of the remote side of the network connection (stored as dotted decimal); similar to netconn_ipv4 and netconn_remote_ipv4

Requires Endpoint Standard
String ENRICHED_EVENT
ENRICHED_EVENT DETAILS
event_network_remote_ipv6 IPv6 address of the remote side of the network connection

Requires Endpoint Standard
String ENRICHED_EVENT
ENRICHED_EVENT DETAILS
event_network_remote_port TCP or UDP port used by the remote side of the network connection; same as netconn_port and netconn_remote_port

Requires Endpoint Standard
Integer ENRICHED_EVENT
ENRICHED_EVENT DETAILS
event_threat_score Searchable.
Score(s) assigned by Carbon Black Cloud for the detected threat (Returns values 0-8)

Requires Endpoint Standard
Integer[] ENRICHED_EVENT DETAILS PROCESS DETAILS
OBSERVATION DETAILS
event_timestamp Searchable.
Timestamp reported by the sensor when the event occurred
ISO 8601 UTC timestamp EVENT FACET
event_type Searchable.
Type of event observed
String

filemod,
netconn,
regmod,
modload,
crossproc,
childproc,
scriptload,
fileless_scriptload

Note: event_type will be a String[] on Process Search.
ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS EVENT OBSERVATION
OBSERVATION DETAILS FACET
file_scan_result Searchable.
Classification of malware detected during a background scan performed by the Endpoint Standard sensor i.e. enriched_event_type=STATIC_SCAN; returned value is the /-separated combination of malware family and malware name (e.g. TROJAN/TR/PowerShell.Gen, where malware family = TROJAN)

Requires Endpoint Standard
TOKENIZED
String
ENRICHED_EVENT DETAILS PROCESS DETAILS
OBSERVATION DETAILS
fileless_scriptload_cmdline Searchable.
Deobfuscated script content run in a fileless context by the process

Requires Windows CBC sensor 3.5 or later, Windows 10/Server version 1703 or later and Enterprise EDR

For more information see here
TOKENIZED
String[]
EVENT
fileless_scriptload_cmdline_length Searchable.
Character count of the deobfuscated script content run in a fileless context.

Requires Windows CBC sensor 3.5 or later, Windows 10/Server version 1703 or later and Enterprise EDR

For more information see here
Integer[] EVENT
fileless_scriptload_cmdline_raw Raw script content run in a fileless context by the process without tokenization of special characters. String PROCESS
ENRICHED_EVENT
OBSERVATION
EVENT
fileless_scriptload_hash Searchable.
SHA-256 hash(es) of the deobfuscated script content run by the process in a fileless context.

Requires Windows CBC sensor 3.5 or later, Windows 10/Server version 1703 or later and Enterprise EDR

For more information see here
String[]
fileless_scriptload_sha256 Searchable.
Deprecated. Use fileless_scriptload_hash

SHA-256 hash of the deobfuscated script content run by the process in a fileless context

Requires Windows CBC sensor 3.5 or later, Windows 10/Server version 1703 or later and Enterprise EDR

For more information see here
String EVENT FACET
filemod_action Action(s) associated with the filemod operation String

ACTION_INVALID, ACTION_FILE_CREATE, ACTION_FILE_WRITE, ACTION_FILE_DELETE, ACTION_FILE_LAST_WRITE, ACTION_FILE_MOD_OPEN, ACTION_FILE_RENAME, ACTION_FILE_UNDELETE, ACTION_FILE_TRUNCATE, ACTION_FILE_OPEN_READ, ACTION_FILE_OPEN_WRITE, ACTION_FILE_OPEN_DELETE, ACTION_FILE_OPEN_EXECUTE, ACTION_FILE_READ
ENRICHED_EVENT DETAILS EVENT
OBSERVATION DETAILS
filemod_count Searchable.
Count of filemod events reported by the sensor since last initialization

Requires Enterprise EDR
Integer ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS FACET SUMMARY / TREE
filemod_effective_reputation Reputation of the actor that modified the file String
filemod_excluded_count Count of excluded filemod events reported by the server Integer AUTH_EVENT DETAILS
filemod_file_type The type of file e.g. EXECUTABLE_IMAGE, EXECUTABLE_LIBRARY or SCRIPT String
filemod_hash Searchable.
MD5 and/or SHA-256 hash(es) of the file(s) modified by the actor process
String[] ENRICHED_EVENT DETAILS OBSERVATION DETAILS
filemod_issuer Certificate authority, signing authority or company that issued the certificate of the file modified by the process String[] OBSERVATION DETAILS
filemod_md5 Searchable.
MD5 hash of the file modified by the actor process
String EVENT FACET
filemod_name Searchable.
Value-Searchable.
Filesystem path of the file modified by the process
TOKENIZED
String
ENRICHED_EVENT DETAILS EVENT
OBSERVATION DETAILS
AUTH_EVENT DETAILS
filemod_new_name Searchable.
Filesystem path of the new file modified by the process during ACTION_FILE_RENAME
String EVENT
filemod_old_name Searchable.
Filesystem path of the old file modified by the process during ACTION_FILE_RENAME
String EVENT
filemod_publisher Searchable.
Publisher name on the certificate(s) used to sign the target file of the filemod
String[] ENRICHED_EVENT DETAILS OBSERVATION DETAILS
filemod_publisher_state Searchable.
Value-Searchable.
State of the digital signature(s) of the target file of the filemod; checks signatures on Powershell scripts and .MSI/.MSP files
String[]

Combine any: FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED

Use One: FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN
ENRICHED_EVENT DETAILS OBSERVATION DETAILS
filemod_reputation Reputation of the target file String

ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST
ENRICHED_EVENT DETAILS OBSERVATION DETAILS
filemod_sha256 Searchable.
SHA-256 hash of the file modified by the actor process
String EVENT FACET
filemod_tlsh tlsh hashes of the files modified by the process String
filemod_type Type of file involved in the filemod operation

Requires Enterprise EDR
String

FILE_TYPE_EXECUTABLE_IMAGE, FILE_TYPE_EXECUTABLE_DLL, FILE_TYPE_NOT_SET, FILE_TYPE_UNIDENTIFIED
ENRICHED_EVENT DETAILS OBSERVATION DETAILS
hash Searchable.
Value-Searchable.
Aggregate set of MD5 and SHA-256 hashes associated with the process (including childproc_hash, crossproc_hash, filemod_hash, modload_hash, process_hash); enables one-step search for any matches on the specified hashes
String[]
ingress_time Searchable.
Timestamp of when the Carbon Black Cloud receives data for initial processing (Unix format)
Integer ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS
SUMMARY / TREE
k8s_cluster Searchable.
Name of the K8s cluster
TOKENIZED
String
PROCESS***
PROCESS DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
k8s_kind Searchable.
Type of K8s workload; DaemonSet, Deployment, Job, etc.
String PROCESS***
PROCESS DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
k8s_namespace Searchable.
Namespace within the K8s cluster
TOKENIZED
String
PROCESS***
PROCESS DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
k8s_pod_name Searchable.
Name of the K8s pod within a workload
TOKENIZED
String
PROCESS***
PROCESS DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
k8s_workload_name Searchable.
Name of the K8s workload; names are typically generated by a Deployment, DaemonSet, Job, etc.
TOKENIZED
String
PROCESS***
PROCESS DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
legacy Searchable.
Deprecated; see enriched field (true if the record includes data from the Endpoint Standard; not present if false)
boolean ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS EVENT OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS FACET
legacy_description Searchable.
Deprecated; see the event_description field
TOKENIZED
String
modload_action Searchable.
Action associated with the modload operation

Requires Enterprise EDR
String

ACTION_LOAD_MODULE
EVENT FACET
modload_count Searchable.
Count of modload events reported by the sensor since last initialization

Requires Enterprise EDR
Integer ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS FACET SUMMARY / TREE
modload_effective_reputation Searchable.
Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred

Requires Enterprise EDR
String

ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST
EVENT FACET
modload_excluded_count Count of excluded modload events reported by the sensor since last initialization Integer AUTH_EVENT DETAILS
modload_hash Searchable.
MD5 or SHA-256 hash(es) of the module(s) loaded by the process

Requires Enterprise EDR
String[]
modload_issuer Certificate authority, signing authority or company that issued the certificate used to sign the Windows or macOS module binary String[] OBSERVATION DETAILS
modload_md5 Searchable.
MD5 hash of the module loaded by the process

Requires Enterprise EDR
String EVENT FACET
modload_name Searchable.
Value-Searchable.
Filesystem path(s) of the module(s) loaded by the process

Requires Enterprise EDR
TOKENIZED
String[]
EVENT
modload_publisher Searchable.
Publisher name on the certificate(s) used to sign the Windows or macOS module binary

Requires Enterprise EDR
String EVENT
modload_publisher_state Searchable.
Value-Searchable.
Digital signature state(s) of the loaded modules' binaries

Requires Enterprise EDR
String[]

Combine any: FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED

Use One: FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN
EVENT
modload_sha256 Searchable.
SHA-256 hash of the module loaded by the process

Requires Enterprise EDR
String EVENT FACET
netconn_action Searchable.
Deprecated; use netconn_actions instead. Action(s) associated with the netconn operation
String

ACTION_CONNECTION_CREATE, ACTION_CONNECTION_CLOSE, ACTION_CONNECTION_ESTABLISHED, ACTION_CONNECTION_CREATE_FAILED, ACTION_CONNECTION_LISTEN
EVENT
OBSERVATION DETAILS
AUTH_EVENT DETAILS FACET
netconn_actions Searchable.
Netconn operation action(s) such as ACTION_CONNECTION_CREATE, plus XDR actions such as ACTION_HTTP
String[]

ACTION_CONNECTION_CREATE, ACTION_CONNECTION_CLOSE, ACTION_CONNECTION_ESTABLISHED, ACTION_CONNECTION_CREATE_FAILED, ACTION_CONNECTION_LISTEN

XDR:
ACTION_HTTP, ACTION_TLS_HANDSHAKE, ACTION_IDS_ALERT, ACTION_INBOUND_PACKET_INSPECTED, ACTION_OUTBOUND_PACKET_INSPECTED
ENRICHED_EVENT DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS FACET
netconn_application_protocol Searchable.
Protocol detected in the application layer of the network session; does not necessarily correspond to the port listed in IANA service registry.

Requires XDR
String EVENT OBSERVATION
OBSERVATION DETAILS FACET
netconn_bytes_received Searchable.
Final byte count for all traffic received by the sensor’s endpoint during the netconn session.

Requires XDR
Integer EVENT
OBSERVATION DETAILS
netconn_bytes_sent Searchable.
Final byte count for all traffic sent by the sensor’s endpoint during the netconn session.

Requires XDR
Integer EVENT
OBSERVATION DETAILS
netconn_community_id Searchable.
Community ID of the network session, calculated according to the convention documented in https://github.com/corelight/community-id-spec.

Requires Enterprise EDR
String EVENT
OBSERVATION DETAILS
netconn_count Searchable.
Count of netconn events reported by the sensor since last initialization

Requires Enterprise EDR
Integer ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS FACET SUMMARY / TREE
netconn_dns_answer_class Searchable.
The set of resource class in the query answer (aka answer_class).

Requires XDR
String[] EVENT PROCESS OBSERVATION
OBSERVATION DETAILS
netconn_dns_answer_count Searchable.
The total number of resource records in a reply message’s answer section.

Requires XDR
Integer EVENT PROCESS OBSERVATION
OBSERVATION DETAILS
netconn_dns_answer_data Searchable.
The set of data in the query answer.

Requires XDR
String[] EVENT PROCESS OBSERVATION
OBSERVATION DETAILS
netconn_dns_answer_data_length Searchable.
The length of the data in a reply message’s answer section.

Requires XDR
Integer[] EVENT PROCESS OBSERVATION
OBSERVATION DETAILS
netconn_dns_answer_name Searchable.
The set of resource descriptions in the query answer (aka answer_name).

Requires XDR
TOKENIZED
String[]
EVENT PROCESS OBSERVATION
OBSERVATION DETAILS
netconn_dns_answer_ttl Searchable.
The set of resource ttl in the query answer.

Requires XDR
Long[] EVENT PROCESS OBSERVATION
OBSERVATION DETAILS
netconn_dns_answer_type Searchable.
The set of resource type in the query answer (aka answer_type).

Requires XDR
String[] EVENT PROCESS OBSERVATION
OBSERVATION DETAILS
netconn_dns_flags Searchable.
A set of DNS flags.

Requires XDR
String[] EVENT PROCESS OBSERVATION
OBSERVATION DETAILS
netconn_dns_query_class Searchable.
A descriptive name for the class of the query.

Requires XDR
String EVENT PROCESS OBSERVATION
OBSERVATION DETAILS
netconn_dns_query_name Searchable.
The domain name that is the subject of the DNS query.

Requires XDR
TOKENIZED
String
EVENT PROCESS OBSERVATION
OBSERVATION DETAILS
netconn_dns_query_type Searchable.
A descriptive name for the type of the query.

Requires XDR
String EVENT PROCESS OBSERVATION
OBSERVATION DETAILS
netconn_dns_response_code Searchable.
DNS response code.

Requires XDR
Integer EVENT FACET
netconn_domain Searchable.
Value-Searchable.
Domain name (FQDN) associated with the remote end of the network connection, if available

Note: 'netconn_domain' is searchable for PROCESSES but not returnable.
TOKENIZED
String
ENRICHED_EVENT DETAILS EVENT
OBSERVATION DETAILS
netconn_excluded_count Count of excluded netconn events reported by the sensor since last initialization Integer AUTH_EVENT DETAILS
netconn_failed Searchable.
True if the outbound network connection attempt failed; if successful, the field is not set
Boolean ENRICHED_EVENT DETAILS OBSERVATION DETAILS FACET
netconn_first_packet_timestamp Searchable.
Timestamp when the sensor detected the first packet in the network session (ISO 8601 format, in UTC).

Requires XDR
ISO 8601 UTC timestamp EVENT
OBSERVATION DETAILS
netconn_inbound Searchable.
True if the network connection was inbound; false if outbound
Boolean ENRICHED_EVENT
ENRICHED_EVENT DETAILS EVENT OBSERVATION
OBSERVATION DETAILS FACET
netconn_ipv4 Searchable.
Value-Searchable.
IPv4 address of the remote side of the network connection; stored as integer (not dotted decimal); searchable using either format
String ENRICHED_EVENT
ENRICHED_EVENT DETAILS OBSERVATION
OBSERVATION DETAILS FACET
netconn_ipv6 Searchable.
Value-Searchable.
IPv6 address of the remote side of the network connection; stored as a String without octet-separating colon characters
String ENRICHED_EVENT
ENRICHED_EVENT DETAILS OBSERVATION
OBSERVATION DETAILS FACET
netconn_ja3_local_fingerprint Searchable.
JA3 hash of the client side of the TLS session; can be JA3 or JA3S depending on which side initiated the TLS session.

Requires XDR
String EVENT
OBSERVATION DETAILS
netconn_ja3_local_fingerprint_fields Searchable.
Decimal values of the bytes used to calculate the JA3 hash for the local side of the TLS session.

Requires XDR
EVENT
OBSERVATION DETAILS
netconn_ja3_remote_fingerprint Searchable.
JA3 hash of the remote side of the TLS session; can be JA3 or JA3S depending on which side initiated the TLS session.

Requires XDR
String EVENT
OBSERVATION DETAILS
netconn_ja3_remote_fingerprint_fields Searchable.
Decimal values of the bytes used to calculate the JA3 hash for the remote side of the TLS session.

Requires XDR
EVENT
OBSERVATION DETAILS
netconn_last_packet_timestamp Searchable.
Timestamp when the sensor detected the last packet in the network session.

Requires XDR
ISO 8601 UTC timestamp EVENT
OBSERVATION DETAILS
netconn_listen True if the process opened a socket to listen for incoming connections (i.e. where netconn_action = ACTION_CONNECTION_LISTEN); not present if false Boolean ENRICHED_EVENT DETAILS OBSERVATION DETAILS FACET
netconn_local_ipv4 Searchable.
Value-Searchable.
IPv4 address of the local side of the network connection; stored as an integer (not dotted decimal); searchable by either format
String ENRICHED_EVENT
ENRICHED_EVENT DETAILS EVENT OBSERVATION
OBSERVATION DETAILS
netconn_local_ipv6 Searchable.
Value-Searchable.
IPv6 address of the local side of the network connection; stored as a String without octet-separating colon characters
String ENRICHED_EVENT
ENRICHED_EVENT DETAILS EVENT OBSERVATION
OBSERVATION DETAILS
netconn_local_location Geolocation of the local side of the network connection TOKENIZED
String

Format: City,Region/State,Country

Note: One or more of the three sections will be included in a comma separated list.
ENRICHED_EVENT DETAILS OBSERVATION
OBSERVATION DETAILS
netconn_local_port TCP or UDP port used by the local side of the network connection Integer ENRICHED_EVENT DETAILS EVENT OBSERVATION DETAILS
netconn_location Searchable.
Value-Searchable.
Geolocation of the remote side of the network connection; same as netconn_remote_location
TOKENIZED
String

Format: City,Region/State,Country

If the geolocation of the remote IP address is unknown, the value is ,,Unknown. If the remote IP address is in a special-purpose, reserved range, the value is ,,Reserved.

Note: One or more of the three sections will be included in a comma separated list.
EVENT ENRICHED_EVENT
ENRICHED_EVENT DETAILS OBSERVATION
OBSERVATION DETAILS
PROCESS FACET
netconn_port Searchable.
TCP or UDP port used by the interesting side of the network connection (when netconn_inbound = “true”, this represents the local port; otherwise, this represents the port on the remote side of the network connection); compare with netconn_remote_port, event_network_remote_port and event_network_local_port
Integer ENRICHED_EVENT
ENRICHED_EVENT DETAILS OBSERVATION
OBSERVATION DETAILS FACET
netconn_protocol Searchable.
Value-Searchable.
Network protocol of the network connection
String

PROTO_TCP, PROTO_UDP,PROTO_ICMP, PROTO_ICMPV6
EVENT ENRICHED_EVENT
ENRICHED_EVENT DETAILS OBSERVATION
OBSERVATION DETAILS
netconn_proxy_domain Searchable.
Domain name (FQDN) associated with the remote side of the connection with an intermediary HTTP network device, usually a proxy server

Requires Windows CBC sensor version 3.6 or later and Enterprise EDR

Unencrypted intermediary network devices only
TOKENIZED
String
EVENT
netconn_proxy_ipv4 Searchable.
IPv4 address of the remote side of the connection with an intermediary HTTP network device, usually a proxy server. Stored as integer not dotted decimal, but searchable using either format

Requires Windows CBC sensor version 3.6 or later and Enterprise EDR

Unencrypted intermediary network devices only
String EVENT
netconn_proxy_ipv6 Searchable.
IPv6 address of the remote side of the connection with an intermediary HTTP network device, usually a proxy server; stored as String without octet-separating colon characters

Requires Windows CBC sensor version 3.6 or later and Enterprise EDR

Unencrypted intermediary network devices only
String EVENT
netconn_proxy_port Searchable.
TCP or UDP port used by the remote side of the connection with an intermediary HTTP network device, usually a proxy server

Requires Windows CBC sensor version 3.6 or later and Enterprise EDR

Unencrypted intermediary network devices only
Integer EVENT
netconn_remote_device_id Searchable.
The device_id of the remote side of the network session, if a Carbon Black Cloud sensor is installed on the remote asset.

Requires XDR
Integer EVENT
OBSERVATION DETAILS
netconn_remote_device_name Searchable.
The device_name of the remote side of the network session, if a Carbon Black Cloud sensor is installed on the remote asset.

Requires XDR
String EVENT
OBSERVATION DETAILS
netconn_remote_ipv4 Searchable.
IPv4 address of the remote side of the network connection; stored as integer, not dotted decimal, but searchable as either
String EVENT FACET
netconn_remote_ipv6 Searchable.
IPv6 address of the remote side of the network connection; stored as String without octet-separating colon characters
String EVENT FACET
netconn_remote_location Geolocation of the remote side of the network connection TOKENIZED
String

Format: City,Region/State,Country

If the geolocation of the remote IP address is unknown, the value is ,,Unknown. If the remote IP address is in a special-purpose, reserved range, the value is ,,Reserved.

Note: One or more of the three sections will be included in a comma separated list.
netconn_remote_port Searchable.
TCP or UDP port used by the remote side of the network connection; same as netconn_port and event_network_remote_port
Integer EVENT
netconn_request_headers Searchable.
List of HTTP request headers captured from the start of the HTTP session. Represented as key:value pairs for each header.

Requires XDR
String EVENT
OBSERVATION DETAILS
netconn_request_method Searchable.
HTTP request method submitted as part of the HTTP session request.

Requires XDR
String EVENT
OBSERVATION DETAILS
netconn_request_url Searchable.
The URL path and HTTP version requested in the HTTP session.

Requires XDR
TOKENIZED
String
PROCESS OBSERVATION OBSERVATION DETAILS
netconn_response_headers Searchable.
List of HTTP response headers captured from the start of the HTTP session. Represented as key:value pairs for each header.

Requires XDR
String EVENT
OBSERVATION DETAILS
netconn_response_status_code Searchable.
The numeric code included in the HTTP response, signifying status of the requested operation.

Requires XDR
Integer EVENT
OBSERVATION DETAILS FACET
netconn_server_name_indication Searchable.
Hostname requested by the TLS client, used to help server distinguish between multiple TLS-protected services listening on the same IP:port binding.

Requires XDR
String EVENT
OBSERVATION DETAILS
netconn_tls_certificate_issuer_name Searchable.
Name reported in the TLS certificate for the entity which issued the TLS certificate.

Requires XDR
String EVENT
OBSERVATION DETAILS
netconn_tls_certificate_subject_name Searchable.
Name reported in the TLS certificate for the entity to which the TLS certificate was issued.

Requires XDR
String EVENT
OBSERVATION DETAILS FACET
netconn_tls_certificate_subject_not_valid_after Searchable.
Timestamp after which the TLS certificate asserts it is no longer valid.

Requires XDR
ISO 8601 UTC timestamp EVENT
OBSERVATION DETAILS
netconn_tls_certificate_subject_not_valid_before Searchable.
Timestamp before which the TLS certificate asserts it is not yet valid.

Requires XDR
ISO 8601 UTC timestamp EVENT
OBSERVATION DETAILS
netconn_tls_cipher Searchable.
Netconn TLS cipher suite (see the IANA TLS cipher suites registry for the full list of possible values TLS Cipher Suites)
String

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and more
PROCESS OBSERVATION OBSERVATION DETAILS
netconn_tls_version Searchable.
TLS protocol version used in this session

Requires XDR
TOKENIZED
String
EVENT
OBSERVATION DETAILS
network_traffic_analysis_action Type of the anomaly detection.

Requires XDR
String

CLASSIFICATION, CLUSTERING, OUTLIER
OBSERVATION DETAILS
network_traffic_analysis_behavior Specific values which caused the anomaly detection. The content of this field is a serialized json. The structure is specific to each detector identifier (network_traffic_analysis_identifier).

E.g. “{"DetectorStateType":"OUTLIER"}”

Requires XDR
String OBSERVATION DETAILS
network_traffic_analysis_identifier Identifier contains a string friendly name that uniquely identifies the detector. The identifier is used by alert aggregation to fetch additional metadata about the detector from the threat metadata service. It then enriches the threat_name and tms_rule_id to the proto.

E.g. anomaly:portscan

Requires XDR
String OBSERVATION DETAILS
network_traffic_analysis_is_client_relevant If true, the client is relevant to the attack. It might be part of the attack.

Requires XDR
Boolean OBSERVATION DETAILS FACET
network_traffic_analysis_is_client_target If true, the client is the target of the attack, otherwise it’s the server.

Requires XDR
Boolean OBSERVATION DETAILS FACET
network_traffic_analysis_primary_alert If true, then this is the primary alert of all alerts, otherwise is not.

Requires XDR
Boolean OBSERVATION DETAILS FACET
num_devices Count of devices where application is reported for the requested search population

Requires Endpoint Standard
Integer Aggregation Only
num_events Count of events attributed to the device or application running on the requested search population

Requires Endpoint Standard
Integer Aggregation Only
observation_description Searchable.
Description of the activity that generated the observation
tokenized OBSERVATION
OBSERVATION DETAILS
observation_id Searchable.
Unique ID of the observation
String OBSERVATION
OBSERVATION DETAILS
observation_type Searchable.
Type of observation generated
String

OBSERVATION_TYPE_UNKNOWN
CB_ANALYTICS
INDICATOR_OF_ATTACK
TAMPER
TAU_INTELLIGENCE
USB_DEVICE_CONTROL
WATCHLIST
BLOCKED_HASH
INTRUSION_DETECTION_SYSTEM
CONTAINER_RUNTIME
HOST_BASED_FIREWALL
NETWORK_TRAFFIC_ANALYSIS
CONTEXTUAL_ACTIVITY
OBSERVATION
OBSERVATION DETAILS FACET
org_id Searchable.
Organization identifer; unique across all environments and equivalent to org_key in other Carbon Black Cloud APIs
String ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS FACET SUMMARY / TREE
parent_cmdline Searchable.
Value-Searchable.
Command line of the parent process
TOKENIZED
String
ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS
parent_cmdline_length Searchable.
Character count of the parent process' command line
Integer ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS
parent_cmdline_raw Raw command line of the parent process without tokenization of special characters. String PROCESS
ENRICHED_EVENT
OBSERVATION
parent_effective_reputation Searchable.
Value-Searchable.
Effective reputation of the parent process; applied by the sensor when the event occurred
String

ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST
ENRICHED_EVENT***
ENRICHED_EVENT DETAILS PROCESS***
PROCESS DETAILS OBSERVATION***
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET SUMMARY / TREE
parent_effective_reputation_source Searchable
Source of the effective reputation for the parent process
String

IGNORE, CLOUD, PRE_EXISTING, AV, IT_TOOLS, CERT, HASH_REP, APPROVED_DATABASE
ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS
parent_guid Searchable.
Value-Searchable.
Unique process identifier assigned to the parent process
String ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS FACET SUMMARY / TREE
parent_hash Searchable.
MD5 and/or SHA-256 hash of the parent process binary
String[] ENRICHED_EVENT***
ENRICHED_EVENT DETAILS PROCESS***
PROCESS DETAILS OBSERVATION***
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
parent_issuer Certificate authority, signing authority or company that issued the certificate for the binary that is executed by the parent process String[] ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS
parent_name Searchable.
Value-Searchable.
Filesystem path of the parent process binary
TOKENIZED
String
ENRICHED_EVENT***
ENRICHED_EVENT DETAILS PROCESS***
PROCESS DETAILS OBSERVATION***
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
parent_pid Searchable.
Identifier assigned by the operating system to the parent process
Integer ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS
parent_product_name Product name embedded in the portable executable header of the binary for the parent process. Windows only. String ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS
parent_publisher Publisher name(s) on the certificate(s) used to sign the Windows or macOS binary of the parent process

Requires Enterprise EDR
String[] ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS
parent_publisher_state Searchable.
Value-Searchable.
State of the digital signature(s) of the parent process' binary

Requires Enterprise EDR
String[]

Combine any: FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED

Use One: FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN
ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT DETAILS
parent_reputation Searchable.
Value-Searchable.
Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud
String

ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST
ENRICHED_EVENT***
ENRICHED_EVENT DETAILS PROCESS***
PROCESS DETAILS OBSERVATION***
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
parent_user_id Searchable.
The user ID of the parent process.
String AUTH_EVENT***
AUTH_EVENT DETAILS
parent_username The user context in which the parent process was executed String ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS
process_cmdline Searchable.
Value-Searchable.
Command line executed by the actor process
TOKENIZED
String[]
ENRICHED_EVENT***
ENRICHED_EVENT DETAILS PROCESS***
PROCESS DETAILS OBSERVATION***
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
process_cmdline_length Searchable.
Character count of the actor process command line
Integer[] ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS
process_cmdline_raw Raw command line of the actor process without tokenization of special characters. String[] PROCESS
ENRICHED_EVENT
OBSERVATION
process_company_name Searchable.
Company name embedded in the portable executable header of the Windows process binary

Requires Windows CBC sensor and Enterprise EDR
TOKENIZED
String
ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
process_container_pid Searchable.
Container process identifier assigned by the operating system; can be multi-valued in case of fork() or exec() process operations on Linux
String PROCESS PROCESS DETAILS AUTH_EVENT
AUTH_EVENT DETAILS
process_duration Searchable.
Duration of the process (in milliseconds); available after sensor reports the process has terminated; equal to (process_end_time - process_start_time)
Integer ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS
process_effective_reputation Searchable.
Value-Searchable.
Effective reputation of the actor process; applied by the sensor when the event occurred
String

ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST
ENRICHED_EVENT***
ENRICHED_EVENT DETAILS PROCESS***
PROCESS DETAILS OBSERVATION***
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
process_effective_reputation_source Searchable
Source of the effective reputation for the actor process
String

IGNORE, CLOUD, PRE_EXISTING, AV, IT_TOOLS, CERT, HASH_REP, APPROVED_DATABASE
ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS
process_elevated Searchable.
“True” if the process was running with elevated privileges; not present if “False”

Requires Windows CBC sensor version 3.5 or later and Enterprise EDR
Boolean ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS FACET
process_end_time Sensor timestamp when the process terminated; available after sensor reports the process has terminated (only for processes whose start times the sensor captured) ISO 8601 UTC timestamp ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS
process_file_description Searchable.
File description embedded in the portable executable header of the Windows process binary

Requires Windows CBC sensor and Enterprise EDR
TOKENIZED
String
ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS
process_file_size Size of the process' binary file. Long AUTH_EVENT DETAILS
process_guid Searchable.
Value-Searchable.
Unique process identifier for the actor process
String ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS EVENT OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS FACET
process_hash Searchable.
MD5 and/or SHA-256 hash of the actor process binary; order may vary when two hashes are reported
String[] ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS SUMMARY / TREE OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS FACET
process_integrity_level Searchable.
Windows Mandatory Integrity Control (MIC) level of the process

Requires Windows CBC sensor version 3.5 or later and Enterprise EDR
String

LOW, MEDIUM, HIGH, SYSTEM, PROTECTED
ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS
process_internal_name Searchable.
Internal name embedded in the portable executable header of the Windows process binary

Requires Windows CBC sensor and Enterprise EDR
TOKENIZED
String
ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
process_issuer Searchable.
Certificate authority, signing authority or company that issued the certificate for the binary that is executed by the process
String[] ENRICHED_EVENT
ENRICHED_EVENT DETAILS
PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
process_loaded_script_hash Searchable.
Deprecated. Use scriptload_hash

SHA-256 hash(es) of any script loaded from the filesystem through the duration of the process.

Requires Endpoint Standard
String[] ENRICHED_EVENT DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS
process_loaded_script_name Searchable.
Value-Searchable.
Deprecated. Use scriptload_name

Filesystem path(s) of any script content loaded from the filesystem through the duration of the process.

Requires Endpoint Standard
TOKENIZED
String[]
ENRICHED_EVENT DETAILS OBSERVATION DETAILS
AUTH_EVENT DETAILS
process_name Searchable.
Value-Searchable.
Filesystem path of the actor process binary!
TOKENIZED
String
ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS SUMMARY / TREE OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS FACET
process_original_filename Searchable.
Original filename embedded in the portable executable header of the Windows process binary

Requires Windows CBC sensor and Enterprise EDR
TOKENIZED
String
ENRICHED_EVENT DETAILS PROCESS DETAILS OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
process_pid Searchable.
Process identifier assigned by the operating system; can be multi-valued in case of fork() or exec() process operations on Linux and macOS
Integer[] ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS EVENT OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS FACET SUMMARY / TREE
process_privileges Searchable.
Windows privileges associated wth the process (see Microsoft documentation for complete list privilege-constants)

Requires Windows CBC sensor version 3.5 or later and Enterprise EDR
String[] ENRICHED_EVENT DETAILS PROCESS DETAILS
OBSERVATION DETAILS AUTH_EVENT DETAILS
process_product_name Searchable.
Product name embedded in the portable executable header of the Windows process binary

Requires Windows CBC sensor and Enterprise EDR
TOKENIZED
String
ENRICHED_EVENT DETAILS PROCESS DETAILS
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
process_product_version Searchable.
Product version embedded in the portable executable header of the Windows process binary

Requires Windows CBC sensor and Enterprise EDR
TOKENIZED
String
ENRICHED_EVENT DETAILS PROCESS DETAILS
OBSERVATION DETAILS AUTH_EVENT DETAILS
process_publisher Searchable.
Publisher name on the certificate used to sign the Windows or macOS process binary

Requires Enterprise EDR
TOKENIZED
String[]
ENRICHED_EVENT DETAILS PROCESS DETAILS
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
process_publisher_state Searchable.
Value-Searchable.
State of the digital signature(s) of a Windows or macOS process binary

Requires Enterprise EDR
String[]

Combine any: FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED

Use One: FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN
ENRICHED_EVENT DETAILS PROCESS DETAILS
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
process_reputation Searchable.
Value-Searchable.
Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud
String

ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST
ENRICHED_EVENT***
ENRICHED_EVENT DETAILS PROCESS***
PROCESS DETAILS OBSERVATION***
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET SUMMARY / TREE
process_service_name Searchable.
Windows service name(s) assigned to the process

Requires Windows CBC sensor version 3.5 or later and Enterprise EDR
String[] ENRICHED_EVENT***
ENRICHED_EVENT DETAILS PROCESS***
PROCESS DETAILS OBSERVATION***
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
process_sha256 SHA-256 hash of the actor process binary String ENRICHED_EVENT***
ENRICHED_EVENT DETAILS PROCESS***
PROCESS DETAILS OBSERVATION***
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET
process_special_build Special build indicator from the process binary. String AUTH_EVENT DETAILS
process_start_time Searchable.
Sensor reported timestamp of when the process started; not available for processes running before the sensor starts
ISO 8601 UTC timestamp ENRICHED_EVENT***
ENRICHED_EVENT DETAILS PROCESS***
PROCESS DETAILS OBSERVATION***
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET SUMMARY / TREE
process_terminated Searchable.
“True” indicates the process has terminated; always “false” for enriched events (process termination not recorded)

Requires Enterprise EDR
Boolean ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS FACET
process_tlsh Searchable.
tlsh hash of process' main module
String AUTH_EVENT***
AUTH_EVENT DETAILS
process_trademark Trademark information from process binary String AUTH_EVENT DETAILS
process_user_id Searchable.
The user ID under which the actor process was executed.
String AUTH_EVENT***
AUTH_EVENT DETAILS
process_username Searchable.
Value-Searchable.
User context in which the actor process was executed.
MacOS - all users for the PID for fork() and exec() transitions,
Linux - process user for exec() events, but in a future sensor release can be multi-valued due to setuid()"
TOKENIZED
String[]
ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS FACET
regmod_action Action associated with the regmod operation String

ACTION_INVALID, ACTION_CREATE_KEY, ACTION_WRITE_VALUE, ACTION_DELETE_KEY, ACTION_DELETE_VALUE, ACTION_RENAME_KEY, ACTION_RESTORE_KEY, ACTION_REPLACE_KEY, ACTION_SET_SECURITY
ENRICHED_EVENT DETAILS EVENT
OBSERVATION DETAILS
AUTH_EVENT
AUTH_EVENT DETAILS
regmod_count Searchable.
Count of regmod events reported by the sensor since last initialization

Requires Enterprise EDR
Integer ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS FACET SUMMARY / TREE
regmod_excluded_count Count of excluded regmod events reported by the sensor since last initialization Integer AUTH_EVENT DETAILS
regmod_name Searchable.
Value-Searchable.
Full path of the registry key(s) modified by the process
TOKENIZED
String
ENRICHED_EVENT DETAILS EVENT
OBSERVATION DETAILS
regmod_new_name Searchable.
New registry key name; renamed keys only (regmod_action=“ACTION_RENAME_KEY”)
String EVENT
regmod_old_name Searchable.
Old registry key name; renamed keys only (regmod_action=“ACTION_RENAME_KEY”)
String EVENT
report_id Searchable.
ID of the watchlist report(s) that detected a hit on the process

Requires Enterprise EDR
String Processes Only
report_severity Searchable.
Severity rating of the watchlist report; ranges 1-10, where 10 is “severe”

Requires Enterprise EDR
Integer
report_watchlist_id Searchable.
Deprecated; use watchlist_id instead
String
rule_config_id Searchable.
The ID of the rule configuration in effect for this device.
String AUTH_EVENT DETAILS
rule_config_name Searchable.
The ID of the rule configuration in effect for this device.
String AUTH_EVENT DETAILS
rule_id Searchable.
ID of the rule that triggered an alert or observation; applies to INDICATOR_OF_ATTACK, INTRUSION_DETECTION_SYSTEM, HOST_BASED_FIREWALL, TAU_INTELLIGENCE, USB_DEVICE_CONTROL alerts and observations
String OBSERVATION
OBSERVATION DETAILS
scriptload_content Searchable.
Deobfuscated script content of script(s) loaded from the filesystem.

Requires Windows CBC sensor 3.6 or later, AMSI support via Windows 10/Server version 1703 or later

For more information see here
TOKENIZED
String[]
EVENT
OBSERVATION DETAILS
scriptload_content_length Searchable.
Character count of the deobfuscated script content of script(s) loaded from the filesystem.

Requires Windows CBC sensor 3.6 or later, AMSI support via Windows 10/Server version 1703 or later

For more information see here
Integer[] EVENT
OBSERVATION DETAILS
scriptload_content_raw Searchable.
Raw script content of the script loaded from the filesystem without tokenization of special characters.

Requires Windows CBC sensor 3.6 or later, AMSI support via Windows 10/Server version 1703 or later

For more information see here
TOKENIZED
String
scriptload_count Searchable.
Count of scriptload events reported by the sensor since last initialization.

Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR
Integer ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS FACET SUMMARY / TREE
scriptload_effective_reputation Searchable.
Effective reputation of the script file loaded by the process; applied by the sensor when the event occurred.

Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR
String

ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST
EVENT FACET
scriptload_excluded_count Count of excluded scriptload events reported by the sensor since last initialization. Integer
scriptload_file_type The type of file. String[]

EXECUTABLE_IMAGE, EXECUTABLE_LIBRARY, SCRIPT
EVENT
scriptload_hash Searchable.
MD5 and/or SHA-256 hash(es) of the script file loaded by the process.

Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later
String[] ENRICHED_EVENT DETAILS OBSERVATION DETAILS
scriptload_issuer Certificate authority, signing authority or company that issued the certificate for the file executed by the scriptload String[] OBSERVATION DETAILS
scriptload_md5 Searchable.
Deprecated. Use scriptload_hash

MD5 hash of the filesystem script file loaded at process launch

Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR
String EVENT FACET
scriptload_name Searchable.
Value-Searchable.
Filesystem path of the script file loaded by the process.

Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later, Linux CBC sensor version 2.9 or later
TOKENIZED
String
ENRICHED_EVENT DETAILS EVENT
OBSERVATION DETAILS
scriptload_publisher Searchable.
Publisher name on the certificate used to sign the script file; reports signatures on Powershell scripts and .MSI/.MSP files.

Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR
String EVENT
scriptload_publisher_state Searchable.
Value-Searchable.
State of the loaded script(s)' digital signature(s); checks signatures on Powershell scripts and .MSI/.MSP files

Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR
String[]

Combine any: FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, FILE_SIGNATURE_STATE_CATALOG_SIGNED

Use One: FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN
ENRICHED_EVENT DETAILS EVENT
OBSERVATION DETAILS
scriptload_sha256 Searchable.
Deprecated. Use scriptload_hash

SHA-256 hash of the filesystem script file loaded by the process.

Requires Windows CBC sensor version 3.5 or later, macOS CBC sensor version 3.4 or later and Enterprise EDR
String EVENT FACET
scriptload_type The type of the scriptload operation String
sensor_action Searchable.
Value-Searchable.
An action performed by the sensor on the process
String[]

TERMINATE, DENY, SUSPEND
ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS EVENT OBSERVATION
OBSERVATION DETAILS AUTH_EVENT
AUTH_EVENT DETAILS FACET
threat_hunt_id ID of the MDR threat hunt String
threat_hunt_name Name of the MDR threat hunt String
threat_name Name of the threat related to the observation String OBSERVATION DETAILS
tms_rule_id ID of the rule that triggered an Intrusion Detection System or Network Traffic Analysis alert

Requires XDR
String OBSERVATION DETAILS
triggered_alert_id Triggered alert IDs associated with the process (including silent alerts) TOKENIZED
String
AUTH_EVENT
ttp Searchable.
Value-Searchable.
Patterns of behavior (i.e. tactics, techniques, procedures) associated with specific threat actor(s) attributed to events of the process
String[] ENRICHED_EVENT***
ENRICHED_EVENT DETAILS PROCESS*** EVENT OBSERVATION***
OBSERVATION DETAILS AUTH_EVENT***
AUTH_EVENT DETAILS FACET PROCESS DETAILS
virtual_private_cloud_id Searchable.
ID of the virtual private cloud.
String AUTH_EVENT***
AUTH_EVENT DETAILS
watchlist_hit Identifier for specific hit record(s) generated by a watchlist, from report metadata; format “<watchlist_id>:<report_id>:<report_severity>”

Requires Enterprise EDR
String[] ENRICHED_EVENT
ENRICHED_EVENT DETAILS PROCESS PROCESS DETAILS OBSERVATION
OBSERVATION DETAILS FACET
watchlist_id Searchable.
ID of the watchlist that generated a hit on the process

Requires Enterprise EDR
String Processes Only
watchlist_name Searchable.
Name of the watchlist that generated a hit on the process

Requires Enterprise EDR
TOKENIZED
String
Processes Only
windows_event_id Searchable.
Identifier of the Windows event type, specified by Windows OS
int AUTH_EVENT
AUTH_EVENT DETAILS FACET

Limitations

As with standard AND queries when searching for field_1 = X and field_2 = Y, an event with only one field populated will not be returned.

A special case of this is when searching across both Endpoint Standard and Enterprise EDR data; if you combine any fields that are each available in only one product, you will receive zero results. For example:

  • If you search event_attack_stage:BREACH you will get results on both the “Enriched Events” and “Processes” search endpoints (requires Endpoint Standard)
  • If you search netconn_count:[1 TO *], you will only get results on “Processes” search endpoint (requires Enterprise EDR)
  • If you perform the search event_attack_stage:BREACH AND netconn_count:[1 TO *], you will get no results because NO events have both Endpoint Standard-only event_attack_stage and Enterprise EDR-only netconn_count fields
  • Any field can be searched on individually

Data Conversions

IPv6 data format to standard IPv6 notation

Use this if you are migrating from Endpoint Standard fields (used in integrationServices API routes) to Platform Search fields (including Process, Process Events and Enriched Event searches). The IPv6 netconn fields in Platform Search do not return in API responses using a standard IPv6 notation (it does not include colons) in order to make it easier to sort, use the big integer library, and perform subnet searches.

  • Example return value for fields like netconn_ipv6, netconn_remote_ipv6, netconn_local_ipv6: FF0200000000000000000000000000FB

  • To convert the notation to standard IPv6, you must insert a colon character between every four alphanumeric characters, or run the following function:

const StringIP = d.replace(/(.{4})/g, '$1:').slice(0, -1);

  • Result: FF02:0000:0000:0000:0000:0000:0000:00FB

However, when searching on these IPv6 fields, you must use escaped colon-separated notation e.g. netconn_ipv6:"2607:F8B0:4006:081B:0000:0000:0000:200E"

IPv4 integer format to dotted decimal notation

  • IPv4 netconn fields return their value in “integer” format rather than the more common “dotted decimal” notation.
  • The conversion from IPv4 integers to dotted decimal is common and can be validated with tools like this converter
  • Example: If you received netconn_remote_ipv4 = 911598478, the dotted decimal equivalent would be 54.85.227.142

Special Tokenizations

Some fields are tokenized to allow more efficient searches

File Path Tokenization

Fields: process_name, parent_name, filemod_name, childproc_name, crossproc_name, modload_name, scriptload_name, regmod_name

Search for path hierarchies. Use slash (/) character or escaped backslash (\\) characters and enclose in double quotes if path contains colon or space characters. Exclude any leading path separator. File extension searching also supported.

Search examples: process_name:"c:/windows/system32/cmd.exe" filemod_name:.wcry regmod_name:myregkey/myregvalue modload_name:downloads\\myfile.exe parent_name:"c:/program files"

Domain name Tokenization

Fields: netconn_domain

Search for any part of the domain. Start or end with ‘.’ to only look for a prefix or suffix.

Search examples: netconn_domain:.google.com netconn_domain:.ru netconn_domain:www.google.com

IPv4 Address Tokenization

Fields: netconn_ipv4

Search examples: netconn_ipv4:192.168.0.10 netconn_ipv4:192.168.0.0/24

IPv6 Address Tokenization

Fields: netconn_ipv6

Search examples: netconn_ipv6:"2001:0db8:85a3:0000:0000:8a2e:0370:7334" netconn_ipv6:"2001:db8::/127"

Command Line Tokenization

Fields: process_cmdline

Words in the command line can be searched, along with switches (-x /x) and file extensions.

Search examples: process_cmdline:"d:/path/myprogram.vbs /v" process_cmdline:"d:" process_cmdline:.vbs process_cmdline:"/v"


Last modified on July 17, 2024