EDR Event Forwarder Data Formats

Carbon Black EDR (Endpoint Detection and Response) is the new name for the product formerly called CB Response.

This document catalogs the different event types emitted by the cb-event-forwarder and the common key/value pairs that will be seen in the JSON or LEEF output from the tool.

Carbon Black events can be generalized into two categories: events generated by the server and raw endpoint events. Server-generated events include watchlist and feed hits, notifications of new binary uploads, and alert notifications. Server-generated events are relatively low volume and are minimally processed by the cb-event-forwarder as the data is already sent to the event-forwarder in JSON format.

Raw endpoint events, on the other hand, can be extremely high volume, especially file modification, module load and registry modification messages. These messages are encoded in a compact binary format; the cb-event-forwarder pulls specific fields from each message to populate the output JSON or LEEF format.

Server generated events

Event ID Description
alert.watchlist.hit.ingress.host This event happens when an alert is triggered as a result of a watchlist indicator matching a host
alert.watchlist.hit.ingress.binary This event happens when an alert is triggered as a result of a watchlist indicator matching a binary
alert.watchlist.hit.ingress.process This event happens when an alert is triggered as a result of a watchlist indicator matching a process
alert.watchlist.hit.query.binary This event happens when an alert is triggered as a result of a watchlist query matching a binary
alert.watchlist.hit.query.process This event happens when an alert is triggered as a result of a watchlist query matching a process
binaryinfo.host.observed This event happens when a new binary is observed for the first time on a specific host
binaryinfo.group.observed This event happens when a new binary is observed for the first time in a sensor group
binaryinfo.observed This event happens when a new binary is observed for the first time anywhere in the environment
binarystore.file.added This event happens when a copy of a new binary has arrived at the Carbon Black server. It can be used to trigger external services, such as binary analysis or signature matching
feed.ingress.hit.host This event happens when an intelligence feed indicator matches a host. This triggers on the three IOC types described in the feed documentation: IPv4 addresses, domain names, and md5s
feed.ingress.hit.binary This event happens when an intelligence feed indicator matches a new binary upon ingest. Note that the binary may not be visible in the Carbon Black UI or searches until it’s been committed in SOLR (may take ~15 minutes). As above, this triggers on the three IOC types: IPv4 addresses, domain names, and md5s
feed.ingress.hit.process This event occurs when an intelligence feed indicator matches a new process upon ingest. Note that the process may not be visible in the Carbon Black UI or searches until it’s been committed in SOLR (may take ~15 minutes)
feed.query.hit.binary This event happens when an intelligence feed query matches a binary. The matching document is visible in the Carbon Black UI immediately. This covers only the query IOC type described in the feed documentation
feed.query.hit.process This event happens when an intelligence feed query matches a process. This is the same as above in terms of triggers and IOCs
feed.storage.hit.binary Same as feed.ingress.hit.binary, but now the data has been committed to disk by Cb and the data is available via the Cb UI or API
feed.storage.hit.process Same as feed.ingress.hit.process, but now the data has been committed to disk by Cb and the data is available via the Cb UI or API
task.error.logged This event occurs when a background task reports an error.
watchlist.hit.process This event occurs when the watchlist first matches the document. Note that the process may not be visible in the Carbon Black UI or searches until it’s been committed in SOLR (may take ~15 minutes)
watchlist.hit.binary This event happens when the watchlist first matches the document. Note that the binary may not be visible in the Carbon Black UI or searches until it’s been committed in SOLR (may take ~15 minutes)
watchlist.storage.hit.binary This event occurs when the match that was found in watchlist.hit.binary is committed in SOLR. The data has been committed to disk by Cb and the data is available via the Cb UI or API
watchlist.storage.hit.process This event occurs when the match that was found in watchlist.hit.process is committed in SOLR. The data has been committed to disk by Cb and the data is available via the Cb UI or API

Watchlist Hit

There are two types of watchlists:

  • Process Watchlists
  • Binary Watchlists

On watchlist “hit” (match), an event is published. The bulk of the contents of the event is pulled from the underlying process or binary document. As such, the event fields are different between the two event types.

Process Watchlist Hit

Name: watchlist.hit.process

watchlist.hit.process is a JSON structure with the following entries:

name type description
cb_version string Carbon Black server version
event_timestamp string Timestamp when event was published
watchlist_id int32 Identifier of the watchlist that matched
watchlist_name string Name of watchlist that matched
server_name string Name of the Carbon Black Server
docs list List of one or more matching process documents; see next table

Each matching process document is a JSON structure with the following entries:

name type description
childproc_count int32 Total count of child processes created by this process
cmdline string Process command line
filemod_count int32 Total count of file modifications made by this process
group string Sensor group this sensor was assigned to at time of process execution
host_type string Type of the computer: server, workstation, domain controller
hostname string Hostname of the computer on which the process executed (at time of execution)
last_update string Last activity in this process, in endpoint local time. Example: 2014-02-04T16:23:22.547Z
modload_count int32 Total count of module loads in this process.
netconn_count int32 Total count of network connections made and received by this process.
os_type string Operating system type of the endpoint, e.g. Windows, Linux, Osx.
parent_name string Name of the parent process.
parent_md5 string MD5 of the parent process.
parent_pid int32 PID of parent process.
parent_unique_id string Parent process unique identifier.
path string Full path to the executable file backing this process.
process_md5 string MD5 of the executable file backing this process.
process_name string Filename of the executable backing this process.
process_pid int32 PID of this process.
regmod_count int32 Total count of registry modifications made by this process.
segment_id int32 For internal use
sensor_id int32 Endpoint identifier.
start string Start time of this process in endpoint local time. Example: 2014-02-04T16:23:22.516Z
unique_id string Process unique Id
username string User context in which the process executed.

Example:

  {
    "server_name": "cb-enterprise-testing.local",
    "docs": [
        {"process_md5": "a3ccfd0aa0b17fd23aa9fd0d84b86c05",
         "sensor_id": 1,
         "modload_count": 49,
         "parent_unique_id": "00000001-0000-09e4-01cf-a5dee70168f2-00000001",
         "cmdline": "\"c:\\users\\admin\\desktop\\putty.exe\" ",
         "filemod_count": 0,
         "id": "00000001-0000-afbc-01cf-b31b9e83777f",
         "parent_name": "explorer.exe",
         "parent_md5": "332feab1435662fc6c672e25beb37be3",
         "group": "Default Group",
         "hostname": "WIN8-TEST",
         "last_update": "2014-08-08T15:15:47.544Z",
         "start": "2014-08-08T15:15:42.193Z",
         "regmod_count": 6,
         "process_pid": 44988,
         "username": "win8-test\\admin",
         "process_name": "putty.exe",
         "path": "c:\\users\\admin\\desktop\\putty.exe",
         "netconn_count": 1,
         "parent_pid": 2532,
         "segment_id": 1,
         "host_type": "workstation",
         "os_type": "windows",
         "childproc_count": 0,
         "unique_id": "00000001-0000-afbc-01cf-b31b9e83777f-00000001"}
     ],
     "event_timestamp": 1407362104.19,
     "watchlist_id": 10,
     "cb_version": "4.2.1.140808.1059",
     "watchlist_name": "Tor Feed"
  }

Binary Watchlist Hit

Name: watchlist.hit.binary

watchlist.hit.binary is a JSON structure with the following entries:

name type description
cb_version string Carbon Black server version
event_timestamp string Timestamp when event was published
watchlist_id int32 Identifier of the watchlist that matched
watchlist_name string Name of watchlist that matched
server_name string Name of the Carbon Black Server
docs list List of one or more matching binary documents; see next table

Each matching binary document is a JSON structure with the following entries:

name type description
copied_mod_len int32 Number of bytes copied to server
endpoint string Hostname and sensor ID of the first endpoint on which this binary was observed.
group string First sensor group on which this binary was observed
digsig_issuer string If digitally signed, the issuer.
digsig_publisher string If digitally signed, the publisher.
digsig_result string If digitally signed, the human-readable status. See notes.
digsig_result_code int32 For internal use.
digsig_sign_time string If digitally signed, the sign time.
digsig_subject string If digitally signed, the subject.
is_executable_image bool True if the binary is a standalone executable (as compared to a library).
is_64bit bool True if architecture is x64 (versus x86)
md5 string MD5 of the binary
observed_filename string Full path to the executable backing the process
orig_mod_len int32 Size in bytes of the binary at the time of observation on the endpoint.
os_type string Operating system type, e.g. Windows, Linux, Osx.
server_added_timestamp string The time this binary was first seen by the server.
timestamp string Time binary was first observed (in endpoint time)
watchlists list List of matching watchlists.
file_version string File Version (Windows Only)
product_name string Product Name (Windows Only)
company_name string Company Name (Windows Only)
internal_name string Internal Name (Windows Only)
original_filename string Internal Original Filename (Windows Only)
file_desc string File Description (Windows only)
product_version string Product Description (Windows only)
comments string Comment String (Windows only)
legal_copyright string Legal copyright string (Windows only)
legal_trademark string Legal trademark string (Windows only)
private_build string Private build string (Windows only)

Example:

  {
    "server_name": "cb-enterprise-testing.local",
    "docs": [
        {"digsig_result": "Signed",
         "observed_filename": ["c:\\windows\\system32\\prncache.dll"],
         "product_version": "6.1.7601.17514",
         "signed": "Signed",
         "digsig_sign_time": "2010-11-21T00:37:00Z",
         "is_executable_image": false,
         "orig_mod_len": 183808,
         "is_64bit": true,
         "digsig_publisher": "Microsoft Corporation",
         "group": ["Default Group"],
         "file_version": "6.1.7601.17514 (win7sp1_rtm.101119-1850)",
         "company_name": "Microsoft Corporation",
         "internal_name": "PrintCache",
         "product_name": "Microsoft\u00ae Windows\u00ae Operating System",
         "digsig_result_code": "0",
         "timestamp": "2014-08-09T11:19:04.009Z",
         "copied_mod_len": 183808,
         "server_added_timestamp": "2014-08-09T11:19:04.009Z",
         "md5": "A1CDE92DDC170D307DB3C5BAA348811B",
         "endpoint": ["WIN8-TEST|1"],
         "legal_copyright": "\u00a9 Microsoft Corporation. All rights reserved.",
         "original_filename": "PrnCache.dll",
         "os_type": "Windows",
         "file_desc": "Print UI Cache"}
     ],
     "event_timestamp": 1407583203.5,
     "watchlist_id": 10,
     "cb_version": "4.2.1.140811.29",
     "watchlist_name": "SRS Trust"
  }

Notes:

The digsig_result field can be one of eight values:

  • Signed
  • Unsigned
  • Bad Signature
  • Invalid Signature
  • Expired
  • Invalid Chain
  • Untrusted Root
  • Explicit Distrust
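A consumer-side normalizer and triage routine for watchlist.hit.binary events, added here as an example; it is not code from cb-event-forwarder. It coerces the loosely typed fields seen across this page's examples (strings standing in for int32 and bool values; endpoint, group and observed_filename arriving as either a list or a bare string), checks digsig_result against the eight documented values, and flags documents that need review. The sample event is the prncache.dll example above, trimmed, plus one constructed document.

```python
# The eight digsig_result values listed in the Notes above.
DIGSIG_RESULTS = {
    "Signed", "Unsigned", "Bad Signature", "Invalid Signature",
    "Expired", "Invalid Chain", "Untrusted Root", "Explicit Distrust",
}
# Documented as int32 / bool, but the page's examples show them arriving either as
# native JSON types or as strings ("273920", "false"), so both forms are coerced.
INT_FIELDS = ("copied_mod_len", "orig_mod_len", "digsig_result_code")
BOOL_FIELDS = ("is_executable_image", "is_64bit")
# A one-element list in some examples and a bare string in others.
LIST_OR_SCALAR = ("endpoint", "group", "observed_filename")


def _as_int(value):
    return value if isinstance(value, int) else int(str(value).strip())


def _as_bool(value):
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text not in ("true", "false", "1", "0"):
        raise ValueError("not a boolean: %r" % (value,))
    return text in ("true", "1")


def _as_list(value):
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def parse_endpoint(entry):
    """Split the documented "hostname|sensor_id" form into (hostname, sensor_id)."""
    host, _, sensor = entry.partition("|")
    return host, int(sensor)


def normalize_binary_doc(doc):
    out = dict(doc)
    for k in INT_FIELDS:
        if k in out:
            out[k] = _as_int(out[k])
    for k in BOOL_FIELDS:
        if k in out:
            out[k] = _as_bool(out[k])
    for k in LIST_OR_SCALAR:
        out[k] = _as_list(out.get(k))
    out["md5"] = out["md5"].lower()  # md5 case varies between the page's examples
    out["endpoints"] = [parse_endpoint(e) for e in out["endpoint"]]
    return out


def triage_binary_hit(event):
    """One record per matching document. A document is flagged when digsig_result
    is not "Signed" (or lies outside the documented eight values), or when
    copied_mod_len shows the server holds less than the full binary."""
    records = []
    for raw in event["docs"]:
        doc = normalize_binary_doc(raw)
        status = doc.get("digsig_result", "Unsigned")
        reasons = []
        if status not in DIGSIG_RESULTS:
            reasons.append("undocumented digsig_result %r" % status)
        elif status != "Signed":
            reasons.append("signature status: " + status)
        if ("copied_mod_len" in doc and "orig_mod_len" in doc
                and doc["copied_mod_len"] != doc["orig_mod_len"]):
            reasons.append("server copy is not the full binary")
        records.append({
            "watchlist": event["watchlist_name"],
            "md5": doc["md5"],
            "hosts": [host for host, _ in doc["endpoints"]],
            "paths": doc["observed_filename"],
            "executable": doc.get("is_executable_image", False),
            "digsig_result": status,
            "reasons": reasons,
            "needs_review": bool(reasons),
        })
    return records


# Sample event: the page's prncache.dll document (trimmed) plus one constructed
# document that carries string-typed values and a non-Signed status.
SAMPLE_EVENT = {
    "watchlist_id": 10, "watchlist_name": "SRS Trust",
    "docs": [
        {"digsig_result": "Signed", "digsig_publisher": "Microsoft Corporation",
         "observed_filename": ["c:\\windows\\system32\\prncache.dll"],
         "is_executable_image": False, "is_64bit": True,
         "orig_mod_len": 183808, "copied_mod_len": 183808, "digsig_result_code": "0",
         "md5": "A1CDE92DDC170D307DB3C5BAA348811B",
         "endpoint": ["WIN8-TEST|1"], "group": ["Default Group"]},
        {"digsig_result": "Untrusted Root",  # constructed document
         "observed_filename": "c:\\users\\admin\\desktop\\tool.exe",
         "is_executable_image": "true", "is_64bit": "false",
         "orig_mod_len": "273920", "copied_mod_len": "0",
         "md5": "00000000000000000000000000000000",
         "endpoint": "WIN8-TEST|1", "group": "Default Group"},
    ],
}
```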

Feed Hit

There are three types of feed events:

  • Ingress
  • Storage
  • Query

Ingress feed events are published as the matching endpoint data arrives from the sensor, so they provide the earliest available notification of the endpoint activity. Ingress events are published before the data is written to the backend data store (SOLR), and therefore it may be up to fifteen minutes before the data is discoverable via search. The latency depends partly on the configured SOLR soft-commit (auto-commit) interval.

Storage feed events are published as the data is committed to the backend data store (SOLR). Compared to ingress feed events, storage feed events happen later in time, but only once all data is fully indexed and searchable via SOLR and therefore via the CB client API.

Query feed events are published when a query string provided by a query feed matches committed data.
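A small correlator that follows one feed match through the ingress, storage and query stages just described; this is an added example, not part of cb-event-forwarder. It assumes the consumer knows each event's routing name (feed.<stage>.hit.<process|binary>) and passes it alongside the decoded JSON. It pairs an ingress hit with its later storage hit by feed, report and process key (or md5), measures the ingress-to-storage delay, reports ingress hits with no storage hit after fifteen minutes as stale, and recovers the cb.q.* search terms from a query hit's ioc_value. The sample events are the page's own TOR and notepad examples, trimmed.

```python
from urllib.parse import parse_qs

# Ingress hits with no storage hit after this long are reported as stale; the text
# above cites roughly fifteen minutes for ingress data to become searchable.
STALE_AFTER_SECONDS = 15 * 60


def hit_key(event):
    """Identity of one feed match across its lifecycle: feed, matching report,
    and the process key (or binary md5) the match applies to."""
    subject = event.get("process_id") or event["md5"].lower()
    return (event["feed_id"], event["report_id"], subject)


def query_terms(ioc_value):
    """For ioc_type "query" hits, recover the cb.q.<field>=<value> search terms
    from the query string carried in ioc_value."""
    params = parse_qs(ioc_value, keep_blank_values=True)
    return {k[5:]: v[0] for k, v in params.items() if k.startswith("cb.q.")}


class FeedHitCorrelator:
    def __init__(self):
        self.pending = {}   # hit_key -> ingress event awaiting its storage hit
        self.resolved = []  # storage and query records, in arrival order
        self.orphans = []   # storage hits with no preceding ingress hit

    def handle(self, event_type, event):
        """event_type is the routing name, e.g. "feed.storage.hit.process"."""
        parts = event_type.split(".")
        if len(parts) != 4 or parts[0] != "feed" or parts[2] != "hit":
            raise ValueError("not a feed hit event: %s" % event_type)
        stage, subject = parts[1], parts[3]
        key = hit_key(event)
        if stage == "ingress":
            self.pending[key] = event      # earliest notice: no segment_id, no docs
            return None
        record = {"stage": stage, "subject": subject, "key": key,
                  "ioc_type": event["ioc_type"], "ioc_value": event["ioc_value"],
                  "hostname": event["hostname"], "feed_name": event["feed_name"],
                  "segment_id": event.get("segment_id"),
                  "doc_count": len(event.get("docs", []))}
        if stage == "storage":
            ingress = self.pending.pop(key, None)
            record["ingress_to_storage_seconds"] = (
                None if ingress is None
                else event["event_timestamp"] - ingress["event_timestamp"])
            if ingress is None:
                self.orphans.append(record)
        elif stage == "query":
            # The tables call this field ioc_attr; the query example shows ioc_attrs.
            attrs = event.get("ioc_attr") or event.get("ioc_attrs") or {}
            record["query_terms"] = query_terms(event["ioc_value"])
            record["highlights"] = list(attrs.get("highlights", []))
        else:
            raise ValueError("unknown feed hit stage: %s" % stage)
        self.resolved.append(record)
        return record

    def stale(self, now):
        """Ingress hits whose storage hit has not arrived within STALE_AFTER_SECONDS."""
        return [e for e in self.pending.values()
                if now - e["event_timestamp"] > STALE_AFTER_SECONDS]


# Sample events built from the page's TOR ingress/storage pair and notepad query hit (trimmed).
INGRESS_TOR = {
    "process_id": "00000001-0000-afbc-01cf-b31b9e83777f", "report_id": "TOR-Node-38.229.70.52",
    "ioc_type": "ipv4", "ioc_value": "38.229.70.52",
    "ioc_attr": {"port": 22, "protocol": "TCP", "direction": "Outbound"},
    "hostname": "FS-NYC-1", "sensor_id": 1, "feed_id": 14, "feed_name": "tor",
    "event_timestamp": 1407362000}
STORAGE_TOR = {
    "process_id": "00000001-0000-afbc-01cf-b31b9e83777f", "report_id": "TOR-Node-38.229.70.52",
    "segment_id": 1, "docs": [{"process_name": "putty.exe", "netconn_count": "1"}],
    "ioc_type": "ipv4", "ioc_value": "38.229.70.52",
    "hostname": "WIN8-TEST", "sensor_id": 1, "feed_id": 14, "feed_name": "tor",
    "event_timestamp": 1407362099.567}
QUERY_NOTEPAD = {
    "process_id": "00000001-0000-1098-01cf-cc5fea563f8f", "report_id": "notepad_proc",
    "segment_id": 1, "docs": [{"process_name": "notepad.exe"}], "ioc_type": "query",
    "ioc_value": "cb.urlver=1&cb.q.process_name=notepad.exe&sort=start%20desc&rows=10&start=0",
    "ioc_attrs": {"highlights": ["PREPREPREnotepad.exePOSTPOSTPOST"]},
    "hostname": "DXM021-VM1", "sensor_id": 1, "feed_id": 12, "feed_name": "dxmtest2",
    "event_timestamp": 1410289221.38}


def demo():
    c = FeedHitCorrelator()
    c.handle("feed.ingress.hit.process", INGRESS_TOR)
    storage = c.handle("feed.storage.hit.process", STORAGE_TOR)
    query = c.handle("feed.query.hit.process", QUERY_NOTEPAD)
    return c, storage, query
```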

Ingress Feed Hit

Process Ingress Feed Hit

Name: feed.ingress.hit.process

feed.ingress.hit.process is a JSON structure with the following entries:

name type description
process_id string CB process key. See Notes.
report_id string Identifier of the report which included the matching IOC. See notes.
ioc_type string One of “md5”, “dns”, “ipv4”
ioc_value string The matching IOC.
ioc_attr JSON Key value pairs of additional attributes related to the hit (if present).
sensor_id int32 Sensor Id of the endpoint on which the event matching the feed occurred.
hostname string Hostname of the endpoint on which the event matching the feed occurred
cb_version string Carbon Black server version.
server_name string Name of Carbon Black server.
feed_id int32 Identifier of the feed that included the matching report. See notes.
feed_name string The name of the feed that included the matching report.
event_timestamp float Timestamp of the feed match, measured in number of seconds since the epoch

Example Event:

  {
    "process_id":"00000001-0000-afbc-01cf-b31b9e83777f",
    "report_id":"TOR-Node-38.229.70.52",
    "ioc_type":"ipv4",
    "ioc_value":"38.229.70.52",
    "ioc_attr":{"port":22,"protocol":"TCP","direction":"Outbound"},
    "hostname":"FS-NYC-1",
    "sensor_id":1,
    "cb_version":"4.2.1.140808.1059",
    "server_name":"localhost.localdomain",
    "feed_id":14,
    "feed_name":"tor",
    "event_timestamp":1407362000
  }

Notes:

  • The process_id field is the process key used to uniquely identify a process on the Carbon Black server. For ingress feed hits, the process segment is not known. The key can be used with the Carbon Black client API to query for the entire process document.

Binary Ingress Feed Hit

Name: feed.ingress.hit.binary

feed.ingress.hit.binary is a JSON structure with the following entries:

name type description
md5 string MD5 of the binary.
report_id string Identifier of the report which included the matching IOC.
ioc_type string One of “md5”, “dns”, “ipv4”
ioc_value string The matching IOC.
ioc_attr JSON Key value pairs of additional attributes related to the hit (if present).
sensor_id int32 Sensor Id of the endpoint on which the event matching the feed occurred
hostname string Hostname of the endpoint on which the event matching the feed occurred
cb_version string Carbon Black server version.
server_name string Name of Carbon Black server.
feed_id int32 Identifier of the feed that included the matching report.
feed_name string The name of the feed that included the matching report.
event_timestamp float Timestamp of the feed match, measured in number of seconds since the epoch

Example Event:

    {
      "md5": "506708142BC63DABA64F2D3AD1DCD5BF",
      "report_id": "dxmtest1_04",
      "ioc_type": "md5",
      "ioc_value":"506708142bc63daba64f2d3ad1dcd5bf",
      "ioc_attr": {},
      "feed_id":7,
      "hostname": "FS-SEA-529",
      "sensor_id": 3321,
      "cb_version":"4.2.1.140808.1059",
      "server_name":"localhost.localdomain",
      "feed_name": "dxmtest1",
      "event_timestamp": 1397244093.682
    }

Notes:

  • It may be as much as 60 seconds from the time of the event generation until the full binary document is queryable via the CBAPI or raw SOLR.

Storage Feed Hit

Process Storage Feed Hit

Name: feed.storage.hit.process

feed.storage.hit.process is a JSON structure with the following entries:

name type description
process_id string CB process key. See Notes.
segment_id int32 Process segment identifier. See Notes.
report_id string Identifier of the report which included the matching IOC. See notes.
ioc_type string One of “md5”, “dns”, “ipv4”
ioc_value string The matching IOC.
ioc_attr JSON Key value pairs of additional attributes related to the hit (if present).
sensor_id int32 Sensor Id of the endpoint on which the event matching the feed occurred
hostname string Hostname of the endpoint on which the event matching the feed occurred
cb_version string Carbon Black server version.
server_name string Name of Carbon Black server.
feed_id int32 Identifier of the feed that included the matching report. See notes.
feed_name string The name of the feed that included the matching report.
event_timestamp float Timestamp of the feed match, measured in number of seconds since the epoch
docs list List of one or more matching process documents; see next table

Each matching process document is a JSON structure with the following entries:

name type description
childproc_count int32 Total count of child processes created by this process
cmdline string Process command line
filemod_count int32 Total count of file modifications made by this process
group string Sensor group this sensor was assigned to at time of process execution
host_type string Type of the computer: server, workstation, domain controller
last_update string Last activity in this process, in endpoint local time. Example: 2014-02-04T16:23:22.547Z
modload_count int32 Total count of module loads in this process.
netconn_count int32 Total count of network connections made and received by this process.
os_type string Operating system type, e.g. Windows, Linux, Osx.
parent_name string Name of the parent process.
parent_md5 string MD5 of the parent process.
parent_pid int32 PID of parent process.
parent_unique_id string Parent process unique identifier.
path string Full path to the executable file backing this process.
process_md5 string MD5 of the executable file backing this process.
process_name string Filename of the executable backing this process.
process_pid int32 PID of this process.
regmod_count int32 Total count of registry modifications made by this process.
segment_id int32 For internal use
start string Start time of this process in endpoint local time. Example: 2014-02-04T16:23:22.516Z
unique_id string Process unique Id
username string User context in which the process executed.

Example Event:

  {
    "process_id":"00000001-0000-afbc-01cf-b31b9e83777f",
    "segment_id":1,
    "docs":[
        {"modload_count":0,
         "host_type":"workstation",
         "netconn_count":"1",
         "os_type":"windows",
         "unique_id":"00000001-0000-afbc-01cf-b31b9e83777f-00000001",
         "username":"win8-test\\admin",
         "last_update":"2014-08-08T15:15:47.544Z",
         "parent_md5":"332feab1435662fc6c672e25beb37be3",
         "path":"c:\\users\\admin\\desktop\\putty.exe",
         "filemod_count":0,
         "regmod_count":6,
         "process_name":"putty.exe",
         "cmdline":"\"c:\\users\\admin\\desktop\\putty.exe\" ",
         "parent_unique_id":"00000001-0000-09e4-01cf-a5dee70168f2-00000001",
         "childproc_count":0,
         "process_pid":"44988",
         "start":"2014-08-08T15:15:42.193Z",
         "process_md5":"a3ccfd0aa0b17fd23aa9fd0d84b86c05",
         "parent_name":"explorer.exe",
         "parent_pid":"2532",
         "group":"Default Group"}
     ],
     "report_id":"TOR-Node-38.229.70.52",
     "ioc_type":"ipv4",
     "ioc_value":"38.229.70.52",
     "ioc_attr":{"port":"22","protocol":"TCP","direction":"Outbound"},
     "hostname":"WIN8-TEST",
     "sensor_id":1,
     "cb_version":"4.2.1.140808.1059",
     "server_name":"localhost",
     "feed_id":14,
     "feed_name":"tor",
     "event_timestamp":1407362099.567
  }

Notes:

  • The process_id and segment_id fields can be used to construct a request for complete process segment information, including events such as netconns, modloads, and similar, using the Carbon Black Client API.

Binary Storage Feed Hit

Name: feed.storage.hit.binary

feed.storage.hit.binary is a JSON structure with the following entries:

name type description
md5 string MD5 of the binary.
report_id string Identifier of the report which included the matching IOC.
ioc_type string One of “md5”, “dns”, “ipv4”
ioc_value string The matching IOC.
ioc_attr JSON Key value pairs of additional attributes related to the hit (if present).
sensor_id int32 Sensor Id of the endpoint on which the event matching the feed occurred
hostname string Hostname of the endpoint on which the event matching the feed occurred
cb_version string Carbon Black server version.
server_name string Name of Carbon Black server.
feed_id int32 Identifier of the feed that included the matching report.
feed_name string The name of the feed that included the matching report.
event_timestamp float Timestamp of the feed match, measured in number of seconds since the epoch
docs list List of one or more matching binary documents; see next table

Each matching binary document is a JSON structure with the following entries:

name type description
copied_mod_len int32 Number of bytes copied to server
endpoint string Hostname and sensor ID of the endpoint on which this binary was observed.
group string First sensor group on which this binary was observed
digsig_issuer string If digitally signed, the issuer.
digsig_publisher string If digitally signed, the publisher.
digsig_result string If digitally signed, the human-readable status. See notes.
digsig_result_code int32 For internal use.
digsig_sign_time string If digitally signed, the sign time.
digsig_subject string If digitally signed, the subject.
is_executable_image bool True if the binary is a standalone executable (as compared to a library).
is_64bit bool True if architecture is x64 (versus x86)
md5 string MD5 of the binary
observed_filename string Full path to the executable backing the process
orig_mod_len int32 Size in bytes of the binary at the time of observation on the endpoint.
os_type string Operating system type of the endpoint, e.g. Windows, Linux, Osx.
server_added_timestamp string The time this binary was first seen by the server.
file_version string File Version (Windows Only)
product_name string Product Name (Windows Only)
company_name string Company Name (Windows Only)
internal_name string Internal Name (Windows Only)
original_filename string Internal Original Filename (Windows Only)
file_desc string File Description (Windows only)
product_version string Product Description (Windows only)
comments string Comment String (Windows only)
legal_copyright string Legal copyright string (Windows only)
legal_trademark string Legal trademark string (Windows only)
private_build string Private build string (Windows only)

Example Event:

  {
    "md5":"C3489639EC8E181044F6C6BFD3D01AC9",
    "docs":[
        {"file_version":"6.1.7601.17514 (win7sp1_rtm.101119-1850)",
        "product_name":"Microsoft Windows Operating System",
        "is_executable_image":"false",
        "digsig_result":"Signed",
        "observed_filename":["c:\\windows\\system32\\sndvol.exe","C:\\Windows\\system32\\sndvol.exe"],
        "os_type":"Windows",
        "orig_mod_len":"273920",
        "company_name":"Microsoft Corporation",
        "server_added_timestamp":"Aug 9, 2014 5:27:56 PM",
        "internal_name":"Volume Control Applet",
        "copied_mod_len":"0",
        "product_version":"6.1.7601.17514",
        "digsig_sign_time":"2010-11-21T00:37:00.000Z",
        "alliance_score_srstrust":"-100",
        "digsig_result_code":"0",
        "file_desc":"Volume Mixer",
        "endpoint":"WIN8-TEST|1",
        "legal_copyright":"Microsoft Corporation. All rights reserved.",
        "original_filename":"SndVol.exe",
        "is_64bit":"true",
        "md5":"C3489639EC8E181044F6C6BFD3D01AC9",
        "digsig_publisher":"Microsoft Corporation",
        "group":"Default Group"}
    ],
    "report_id":"c3489639ec8e181044f6c6bfd3d01ac9",
    "ioc_type":"md5",
    "ioc_value":"c3489639ec8e181044f6c6bfd3d01ac9",
    "ioc_attr":{},
    "hostname":"WIN8-TEST",
    "sensor_id":1,
    "cb_version":"4.2.1.140811.1054",
    "server_name":"localhost",
    "feed_id":2,
    "feed_name":"srstrust",
    "event_timestamp":1407621575.945
  }

Notes:

  • It can be up to 15 seconds from the time of the event generation until the document is visible via CBAPI or raw SOLR query.

Query Feed Hit

Process Query Feed Hit

Name: feed.query.hit.process

feed.query.hit.process is a JSON structure with the following entries:

name type description
process_id string CB process key. See Notes.
sensor_id string Always 0 for event. See process document for matching values.
segment_id int32 Process segment identifier. See Notes.
report_id string Identifier of the report which included the matching IOC. See notes.
ioc_type string Always the value “query”
ioc_value string The query string used to look for matches
ioc_attr JSON Key value pairs of additional attributes related to the hit (if present).
sensor_id int32 Sensor Id of the endpoint on which the event matching the feed occurred
hostname string Hostname of the endpoint on which the event matching the feed occurred
cb_version string Carbon Black server version.
server_name string Name of Carbon Black server.
feed_id int32 Identifier of the feed that included the matching report. See notes.
feed_name string The name of the feed that included the matching report.
event_timestamp float Timestamp of the feed match, measured in number of seconds since the epoch
docs list List of one or more matching process documents; see next table

Each matching process document is a JSON structure with the following entries:

name type description
childproc_count int32 Total count of child processes created by this process
cmdline string Process command line
filemod_count int32 Total count of file modifications made by this process
group string Sensor group this sensor was assigned to at time of process execution
host_type string Type of the computer: server, workstation, domain controller
hostname string Hostname of the endpoint on which the event matching the feed occurred
last_update string Last activity in this process, in endpoint local time. Example: 2014-02-04T16:23:22.547Z
modload_count int32 Total count of module loads in this process.
netconn_count int32 Total count of network connections made and received by this process.
os_type string Operating system type, e.g. Windows, Linux, Osx.
parent_name string Name of the parent process.
parent_md5 string MD5 of the parent process.
parent_pid int32 PID of parent process.
parent_unique_id string Parent process unique identifier.
path string Full path to the executable file backing this process.
process_md5 string MD5 of the executable file backing this process.
process_name string Filename of the executable backing this process.
process_pid int32 PID of this process.
regmod_count int32 Total count of registry modifications made by this process.
segment_id int32 For internal use
sensor_id int32 Endpoint identifier.
start string Start time of this process in endpoint local time. Example: 2014-02-04T16:23:22.516Z
unique_id string Process unique Id
username string User context in which the process executed.

Example Event:

{
  "process_id": "00000001-0000-1098-01cf-cc5fea563f8f",
  "sensor_id": 1,
  "segment_id": 1,
  "docs": [
    {
      "username": "WIN7X64-BUILDER\\User",
      "process_md5": "f2c7bb8acc97f92e987a2d4087d021b1",
      "modload_count": 20,
      "parent_unique_id": "00000001-0000-0a84-01cf-c240c9d1f378-00000001",
      "process_name": "notepad.exe",
      "cmdline": "\"c:\\windows\\system32\\notepad.exe\" ",
      "os_type": "windows",
      "path": "c:\\windows\\system32\\notepad.exe",
      "last_update": "2014-09-09T18:57:34.267Z",
      "parent_pid": 2692,
      "crossproc_count": 0,
      "parent_name": "explorer.exe",
      "parent_md5": "000000000000000000000000000000",
      "group": "Default Group",
      "netconn_count": 0,
      "hostname": "WIN7X64-BUILDER",
      "host_type": "workstation",
      "filemod_count": 0,
      "start": "2014-09-09T18:57:34.251Z",
      "unique_id": "00000001-0000-1098-01cf-cc5fea563f8f-00000001",
      "regmod_count": 0,
      "childproc_count": 0,
      "process_pid": 4248
    }
  ],
  "hostname": "DXM021-VM1",
  "event_timestamp": 1410289221.38,
  "feed_name": "dxmtest2",
  "feed_id": 12,
  "ioc_value": "cb.urlver=1&cb.q.process_name=notepad.exe&sort=start%20desc&rows=10&start=0",
  "ioc_type": "query",
  "ioc_attrs": {
    "highlights": [
      "PREPREPREnotepad.exePOSTPOSTPOST",
      "c:\\windows\\system32\\PREPREPREnotepad.exePOSTPOSTPOST"
    ]
  },
  "report_id": "notepad_proc"
}

Notes:

  • The process_id and segment_id fields can be used to construct a request for complete process segment information, including events such as netconns, modloads, and similar, using the Carbon Black Client API.

Binary Query Feed Hit

Name: feed.query.hit.binary

feed.query.hit.binary is a JSON structure with the following entries:

name type description
md5 string MD5 of the binary.
report_id string Identifier of the report which included the matching IOC.
ioc_type string Always the value “query”
ioc_value string The query string used to look for matches
ioc_attr JSON Key value pairs of additional attributes related to the hit (if present).
sensor_id int32 Sensor Id of the endpoint on which the event matching the feed occurred
hostname string Hostname of the endpoint on which the event matching the feed occurred
cb_version string Carbon Black server version.
server_name string Name of Carbon Black server.
feed_id int32 Identifier of the feed that included the matching report.
feed_name string The name of the feed that included the matching report.
event_timestamp float Timestamp of the feed match, measured in number of seconds since the epoch
docs list List of one or more matching binary documents; see next table

Each matching binary document is a JSON structure with the following entries:

name type description
comments string Comment String (Windows only)
company_name string Company Name (Windows Only)
copied_mod_len int32 Number of bytes copied to server
endpoint string Hostname and sensor ID of the endpoint on which this binary was observed.
file_desc string File Description (Windows only)
file_version string File Version (Windows Only)
group string First sensor group on which this binary was observed
host_count int32 Number of hosts containing this file
digsig_issuer string If digitally signed, the issuer.
digsig_publisher string If digitally signed, the publisher.
digsig_result string If digitally signed, the human-readable status. See notes.
digsig_result_code int32 For internal use.
digsig_sign_time string If digitally signed, the sign time.
digsig_subject string If digitally signed, the subject.
internal_name string Internal Name (Windows Only)
is_executable_image bool True if the binary is a standalone executable (as compared to a library).
is_64bit bool True if architecture is x64 (versus x86)
last_seen string Time last seen
legal_copyright string Legal copyright string (Windows only)
legal_trademark string Legal trademark string (Windows only)
md5 string MD5 of the binary
observed_filename string Full path to the executable backing the process
orig_mod_len int32 Size in bytes of the binary at the time of observation on the endpoint.
original_filename string Internal Original Filename (Windows Only)
os_type string Operating system type of the endpoint, e.g. Windows, Linux, Osx.
private_build string Private build string (Windows only)
product_name string Product Name (Windows Only)
product_version string Product Version (Windows only)
server_added_timestamp string The time this binary was first seen by the server.
signed string If digitally signed
timestamp string The time this binary was first seen by the server.

Example Event:

{
  "sensor_id": 1,
  "docs": [
    {
      "host_count": 1,
      "digsig_result": "Unsigned",
      "observed_filename": [
        "c:\\program files (x86)\\programmer's notepad\\pn.exe"
      ],
      "product_version": "2.3.4.0-charles",
      "signed": "Unsigned",
      "is_executable_image": false,
      "orig_mod_len": 3092992,
      "is_64bit": false,
      "group": [
        "Default Group"
      ],
      "file_version": "2.3.4.0",
      "company_name": "Simon Steele (Echo Software)",
      "internal_name": "PNWTL",
      "product_name": "Programmer's Notepad",
      "digsig_result_code": "2148204800",
      "timestamp": "2014-09-09T21:00:29.875Z",
      "copied_mod_len": 3092992,
      "server_added_timestamp": "2014-09-09T21:00:29.875Z",
      "md5": "EFA7ECAF4468E0106E8B1041C5CE450E",
      "endpoint": [
        "WIN7X64-BUILDER|1"
      ],
      "legal_copyright": "Copyright \u00a9 2002-2010 Simon Steele (Echo Software)",
      "original_filename": "pn.exe",
      "os_type": "Windows",
      "file_desc": "Programmer's Notepad 2",
      "last_seen": "2014-09-09T21:00:29.875Z"
    }
  ],
  "hostname": "DXM021-VM1",
  "event_timestamp": 1410296635.26,
  "feed_name": "dxmtest2",
  "feed_id": 12,
  "ioc_value": "cb.urlver=1&cb.q.process_name=notepad.exe&sort=start%20desc&rows=10&start=0",
  "ioc_type": "query",
  "md5": "EFA7ECAF4468E0106E8B1041C5CE450E",
  "report_id": "Newly Loaded Modules"
}

Notes: It can be up to 15 seconds from the time of the event generation until the document is visible via CBAPI or raw SOLR query.

New Binary Instance

The Carbon Black server publishes events the first time an executable file (binary) is observed in each of three scenarios:

  1. First time it is observed on any endpoint in the environment
  2. First time it is observed on an individual endpoint
  3. First time it is observed within a sensor group

Scenario 1: Observed for the first time on any endpoint

Name: binaryinfo.observed

binaryinfo.observed is a JSON structure with the following entries:

name type description
md5 string MD5 of the binary
event_timestamp float Timestamp of the observation, measured in number of seconds since the epoch
scores dict Dictionary of Alliance feed scores

Example Event:

{
    "md5": "9E4B0E7472B4CEBA9E17F440B8CB0AB8",
    "event_timestamp": 1397248033.914,
    "scores":
      {
        "alliance_score_virustotal": 16
      }
}

Scenario 2: Observed on an individual endpoint for the first time

Name: binaryinfo.host.observed

binaryinfo.host.observed is a JSON structure with the following entries:

name type description
md5 string MD5 of the binary.
hostname string Hostname of endpoint on which binary was observed
sensor_id int32 Sensor Id of endpoint on which binary was observed
event_timestamp float Timestamp of the observation, measured in number of seconds since the epoch
scores dict Dictionary of Alliance feed scores
watchlists dict Dictionary of already-matched watchlists

Example Event:

{
    "md5": "9E4B0E7472B4CEBA9E17F440B8CB0AB8",
    "hostname": "FS-HQ",
    "sensor_id": 1021,
    "event_timestamp": 1397248033.914,
    "scores":
      {
        "alliance_score_virustotal": 16
      },
    "watchlists":
      {
        "watchlist_7": "2014-02-13T00:30:11.247Z",
        "watchlist_9": "2014-02-13T00:21:13.009Z"
      }
}

Scenario 3: Observed within a sensor group for the first time

Name: binaryinfo.group.observed

binaryinfo.group.observed is a JSON structure with the following entries:

name type description
md5 string MD5 of the binary
group string Sensor group name on which the binary was observed
event_timestamp float Timestamp of the observation, measured in number of seconds since the epoch
scores dict Dictionary of Alliance feed scores
watchlists dict Dictionary of already-matched watchlists

Example Event:

{
    "md5": "9E4B0E7472B4CEBA9E17F440B8CB0AB8",
    "group": "Default Group",
    "event_timestamp": 1397248033.914,
    "scores":
      {
        "alliance_score_virustotal": 16
      },
    "watchlists":
      {
        "watchlist_7": "2014-02-13T00:30:11.247Z",
        "watchlist_9": "2014-02-13T00:21:13.009Z"
      }
}

New Binary File Arrival

The Carbon Black server can be configured to store a copy of all unique binary (executable) files observed on endpoints. This includes Windows PE files such as EXEs and DLLs, Linux ELF files, and similar. Upon the arrival of a new binary file, a binarystore event is published.

This event provides an easy way to trigger custom analysis of a binary, including static or dynamic analysis, integration with a third-party analysis system, or custom archiving.

Name: binarystore.file.added

binarystore.file.added is a JSON structure with the following entries:

name type description
md5 string MD5 sum of the binary file.
size int32 Size of the original binary, in bytes.
compressed_size int32 Size of the zip archive containing the binary file on the Carbon Black server
event_timestamp float Timestamp of the binary file addition, measured in number of seconds since the epoch
file_path string Path, on the server disk, of the copied binary file (zipped).

Example Event:

{
    "md5": "9E4B0E7472B4CEBA9E17F440B8CB0AB8",
    "file_path": "/var/cb/data/modulestore/FE2/AFA/FE2AFACC396DC37F51421DE4A08DA8A7.zip",
    "size": 320000,
    "compressed_size": 126857,
    "event_timestamp": 1397248033.914
}

Notes:

  • The Carbon Black Server can be configured to delete binary store files from the Carbon Black server after uploading to the Alliance Server. These files are still retrievable via the Carbon Black API, although there may be bandwidth or transfer time concerns. See the AllianceClientNoDeleteOnUpload configuration option in cb.conf.
  • The Carbon Black Server can be configured to automatically delete binary store files from the Carbon Black server due to disk space constraints. See the KeepAllModuleFiles configuration option in cb.conf.
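The handler below is an added example (not code from the cb-event-forwarder project) of the custom-analysis trigger described above. On a binarystore.file.added event it opens the zipped copy at file_path, re-hashes the stored binary in chunks, and only hands the file to an analysis hook when the hash and size agree with the event; a missing archive is treated as normal, since the server may have deleted it under the cb.conf options noted above. The function names and the zip archive/event it builds are constructed for this example.

```python
import hashlib
import os
import tempfile
import zipfile


def md5_of_stored_binary(zip_path):
    """Return (MD5 hex, size) of the single member of a module-store archive.

    Hash in 1 MiB chunks so a very large executable is never held in memory."""
    with zipfile.ZipFile(zip_path) as zf:
        names = zf.namelist()
        if len(names) != 1:
            raise ValueError("expected one member in %s, got %r" % (zip_path, names))
        h = hashlib.md5()
        size = 0
        with zf.open(names[0]) as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
                size += len(chunk)
    return h.hexdigest().upper(), size


def handle_binarystore_event(event, analyze):
    """Verify a binarystore.file.added event, then call analyze(path, md5).

    Returns True when the stored file matched the event and analysis was
    triggered; False when the archive is gone (deleted after Alliance upload
    or for disk space) or when its hash/size disagree with the event."""
    path = event["file_path"]
    if not os.path.isfile(path):
        return False
    actual_md5, actual_size = md5_of_stored_binary(path)
    if actual_md5 != event["md5"].upper() or actual_size != event["size"]:
        # Never archive or analyze a file under an MD5 it does not hash to;
        # surface the mismatch instead of trusting the event's metadata.
        return False
    analyze(path, actual_md5)
    return True


def build_sample_event(tmpdir, payload):
    """Construct a zipped 'binary' plus a matching event (layout mimics the server)."""
    md5 = hashlib.md5(payload).hexdigest().upper()
    zip_path = os.path.join(tmpdir, md5 + ".zip")
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(md5, payload)
    return {
        "md5": md5,
        "file_path": zip_path,
        "size": len(payload),
        "compressed_size": os.path.getsize(zip_path),
        "event_timestamp": 1397248033.914,
    }


def demo():
    """Run the handler on a consistent event and on one whose md5 was altered.

    Returns (result_for_good_event, result_for_tampered_event, analyzed_md5s)."""
    analyzed = []
    hook = lambda path, md5: analyzed.append(md5)
    with tempfile.TemporaryDirectory() as tmpdir:
        event = build_sample_event(tmpdir, b"MZ" + b"\x90" * 4096)  # constructed, not a real PE
        good = handle_binarystore_event(event, hook)
        # Same archive, but the event claims the MD5 from the document's example.
        tampered = dict(event, md5="9E4B0E7472B4CEBA9E17F440B8CB0AB8")
        bad = handle_binarystore_event(tampered, hook)
    return good, bad, analyzed


if __name__ == "__main__":
    print(demo())
```

Wire this to the forwarder's output by parsing each JSON line and dispatching on `type == "binarystore.file.added"`; the verification step matters because the event's md5 and the archive name are independent pieces of metadata, and an archive that has been rotated or replaced should not be submitted under the wrong hash.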

Raw endpoint events

Event ID Description
ingress.event.regmod A registry key has been created, deleted, or modified on an endpoint monitored by Carbon Black
ingress.event.filemod A file on the filesystem has been created, deleted, or modified on an endpoint monitored by Carbon Black
ingress.event.netconn A network connection has been received or initiated by an endpoint monitored by Carbon Black
ingress.event.module This event contains the digital signature information for a new binary executed on an endpoint monitored by Carbon Black
ingress.event.childproc A process has spawned another process on an endpoint monitored by Carbon Black
ingress.event.process A new process has started (or exited) on an endpoint monitored by Carbon Black
ingress.event.crossprocopen A process has attempted to open a handle into another process
ingress.event.remotethread A process has attempted to inject a thread into another process
ingress.event.emetmitigation Microsoft EMET has killed a process on an endpoint monitored by Carbon Black
ingress.event.processblock A process was blocked from executing on an endpoint monitored by Carbon Black because the process MD5 has been banned
ingress.event.tamper A process tampered with a critical Carbon Black userspace process or kernel driver

ingress.event.regmod (Registry Modification)

Below is an example of an ingress.event.regmod JSON event.

{
    "action": "writeval",
    "actiontype": 2,
    "cb_server": "cbserver",
    "computer_name": "JASON-WIN81-VM",
    "event_type": "regmod",
    "link_process": "https://cbtests/#analyze/00000001-0000-0484-01d1-1e951b7c000b/1",
    "link_sensor": "https://cbtests/#/host/1",
    "md5": "0E7196981EDE614F1F54FFF2C3843ADF",
    "path": "\\registry\\user\\s-1-5-21-2709706146-4189370754-997381202-1001\\software\\microsoft\\vscommon\\12.0\\sqm\\pids\\1156\\stillalive",
    "pid": 1156,
    "process_guid": "00000001-0000-0484-01d1-1e951b7c000b",
    "sensor_id": 1,
    "timestamp": 1447696798,
    "type": "ingress.event.regmod"
}
Key Value Description
action writeval Type of registry modification. This can be one of: createkey, writeval, delkey, or delval
actiontype 2 Enum value of the registry modification: 1=createkey, 2=writeval, 4=delkey, 8=delval
cb_server cbserver Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
computer_name JASON-WIN81-VM hostname of the sensor
event_type regmod The type of event
link_process https://cbtests/#analyze… Deep link to EDR UI for process
link_sensor https://cbtests/#/host/1 Deep link to EDR UI for sensor
md5 0E7196981EDE614F1F54FFF2C3843ADF md5 of process executable
path \registry\user\s-1-5-21… Full registry path
pid 1156 Endpoint OS Process id of process
process_guid 00000001-0000-0484-01d1-1e951b7c000b Cb Process GUID of process
sensor_id 1 Sensor ID of associated sensor
timestamp 1447696798 Endpoint timestamp of this event since epoch
type ingress.event.regmod The full type of event

ingress.event.filemod (File Modification)

Below is an example of an ingress.event.filemod JSON event.

{
    "action": "create",
    "actiontype": 1,
    "cb_server": "cbserver",
    "computer_name": "JASON-WIN81-VM",
    "event_type": "filemod",
    "filetype": 0,
    "filetype_name": "Unknown",
    "link_process": "https://cbtests/#analyze/00000001-0000-0c70-01d1-1e951aae7e2f/1",
    "link_sensor": "https://cbtests/#/host/1",
    "md5": "7A2870C2A8283B3630BF7670D0362B94",
    "path": "c:\\users\\admin\\appdata\\local\\google\\chrome\\user data\\b5e2.tmp",
    "pid": 3184,
    "process_guid": "00000001-0000-0c70-01d1-1e951aae7e2f",
    "sensor_id": 1,
    "timestamp": 1447696804,
    "type": "ingress.event.filemod"
}
Key Value Description
action create Type of file modification: create, write, delete, lastwrite
actiontype 1 Enum value of the file modification: 1=create, 2=write, 4=delete, 8=lastwrite
cb_server cbserver Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
computer_name JASON-WIN81-VM hostname of the sensor
event_type filemod The type of event
filetype 0 Enum value of the detected file type of this file. Only valid for “lastwrite” actions. See the CbFileType protobuf definition for the available values.
filetype_name Unknown The detected file type of this file. Only valid for “lastwrite” actions. Currently supported file types: PE, ELF, UniversalBin, Eicar, OfficeLegacy, OfficeOpenXml, PDF, PKZIP, LZH, LZW, RAR, TAR, and 7zip.
link_process https://cbtests/#analyze… Deep link to EDR UI for process
link_sensor https://cbtests/#/host/1 Deep link to EDR UI for sensor
md5 7A2870C2A8283B3630BF7670D0362B94 md5 of process executable
path c:\users\admin\appdata\… Full file path
pid 3184 Endpoint OS Process id of process
process_guid 00000001-0000-0c70-01d1-1e951aae7e2f Cb Process GUID of process
sensor_id 1 sensor ID of associated sensor
timestamp 1447696804 Endpoint timestamp of this event since epoch
type ingress.event.filemod The full type of event

ingress.event.netconn (Network Connection)

Below is an example of an ingress.event.netconn JSON event.

{
    "cb_server": "cbserver",
    "computer_name": "WIN-OTEMNUTBS23",
    "direction": "outbound",
    "domain": "",
    "event_type": "netconn",
    "ipv4": "23.4.187.27",
    "link_process": "https://cbtests/#analyze/00000007-0000-090c-01d1-2099b8f18a82/1",
    "link_sensor": "https://cbtests/#/host/7",
    "local_ip": "172.31.30.0",
    "local_port": 49352,
    "md5": "C10A66189DC8C090E7C84873EDCEBC88",
    "pid": 2316,
    "port": 80,
    "process_guid": "00000007-0000-090c-01d1-2099b8f18a82",
    "protocol": 6,
    "remote_ip": "23.4.187.27",
    "remote_port": 80,
    "sensor_id": 7,
    "timestamp": 1447697666,
    "type": "ingress.event.netconn"
}
Key Value Description
cb_server cbserver Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
computer_name WIN-OTEMNUTBS23 hostname of the sensor
direction outbound Direction of the netconn event: inbound or outbound
domain "" The DNS name of the network peer, if available (empty in this example).
event_type netconn The type of event
ipv4 23.4.187.27 remote ipv4 address of network connection. Maintained for backward compatibility for earlier versions of the event forwarder. See local_ip and remote_ip.
link_process https://cbtests/#analyze… Deep link to EDR UI for process
link_sensor https://cbtests/#/host/7 Deep link to EDR UI for sensor
local_ip 172.31.30.0 Local IP address of network connection (network interface on the endpoint)
local_port 49352 Local port of the network connection
md5 C10A66189DC8C090E7C84873EDCEBC88 md5 of process executable
pid 2316 Endpoint OS Process id of process
port 80 remote port of the network connection. Maintained for backward compatibility for earlier versions of the event forwarder. See local_port and remote_port.
process_guid 00000007-0000-090c-01d1-2099b8f18a82 Cb Process GUID of process
protocol 6 6=TCP, 17=UDP
remote_ip 23.4.187.27 IP address of the remote system (peer)
remote_port 80 Remote port of the network connection
sensor_id 7 sensor ID of associated sensor
timestamp 1447697666 Endpoint timestamp of this event since epoch
type ingress.event.netconn The full type of event

Web Proxy Note: If the connection goes out through a web proxy, the domain, remote_ip and remote_port fields will be empty. Name resolution happens at the proxy rather than on the endpoint, so the sensor only observes the connection to the proxy itself. When this happens, the output is augmented with the additional fields listed below.

Key Value Description
proxy true A boolean field for proxy status
proxy_ip 129.22.253.78 IP address of the web proxy connection
proxy_port 443 Port of the web proxy connection
proxy_domain carbonblack.com Domain of the web proxy connection, if available
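An added example (not code from the cb-event-forwarder project) that normalizes the peer of an ingress.event.netconn record across the three shapes described above: current forwarders (remote_ip/remote_port), older forwarders that only emit the legacy ipv4/port pair, and proxied connections where proxy is true and the remote fields are empty. It also flags outbound connections for which no DNS name was observed. The function names and the sample events are constructed for this example.

```python
PROTO_NAMES = {6: "tcp", 17: "udp"}


def _proto(evt):
    return PROTO_NAMES.get(evt.get("protocol"), str(evt.get("protocol")))


def netconn_peer(evt):
    """Return a dict with the far end of the connection and how it was reached.

    For proxied traffic the endpoint only ever connected to the proxy, so
    peer_host is the proxy and the intended destination survives only as
    proxy_domain; remote_ip/remote_port/domain are empty in that case."""
    if evt.get("proxy"):
        return {
            "via_proxy": True,
            "peer_host": evt.get("proxy_ip", ""),
            "peer_port": evt.get("proxy_port"),
            "destination": evt.get("proxy_domain", ""),
            "proto": _proto(evt),
            "direction": evt.get("direction", "outbound"),
            "direct_to_ip": False,
        }
    # Newer forwarders emit remote_ip/remote_port; older ones only ipv4/port.
    host = evt.get("remote_ip") or evt.get("ipv4", "")
    port = evt.get("remote_port")
    if port is None:
        port = evt.get("port")
    domain = evt.get("domain", "")
    return {
        "via_proxy": False,
        "peer_host": host,
        "peer_port": port,
        "destination": domain or host,
        "proto": _proto(evt),
        "direction": evt.get("direction", "outbound"),
        # Outbound with no DNS name seen: the process talked to a raw IP,
        # which is worth a second look when hunting for beaconing.
        "direct_to_ip": evt.get("direction") == "outbound" and not domain,
    }


# Constructed sample events, abridged to the fields the function reads.
SAMPLES = {
    "direct": {"remote_ip": "23.4.187.27", "remote_port": 80, "ipv4": "23.4.187.27",
               "port": 80, "protocol": 6, "direction": "outbound", "domain": ""},
    "named": {"remote_ip": "93.184.216.34", "remote_port": 443, "protocol": 6,
              "direction": "outbound", "domain": "update.example.com"},
    "legacy": {"ipv4": "10.0.0.5", "port": 445, "protocol": 6, "direction": "outbound"},
    "proxied": {"remote_ip": "", "domain": "", "protocol": 6, "direction": "outbound",
                "proxy": True, "proxy_ip": "129.22.253.78", "proxy_port": 443,
                "proxy_domain": "carbonblack.com"},
}


def summarize(samples):
    """Normalize every sample event; returns {name: normalized dict}."""
    return {name: netconn_peer(evt) for name, evt in samples.items()}


if __name__ == "__main__":
    for name, peer in summarize(SAMPLES).items():
        print(name, peer)
```

Key the rest of your pipeline on `destination` and `via_proxy` rather than on remote_ip alone; otherwise every proxied connection collapses into an empty peer and the proxy_domain, which is the only record of where the process actually wanted to go, is lost.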

ingress.event.moduleload (Module Load)

Below is an example of an ingress.event.moduleload JSON event.

{
    "cb_server": "cbserver",
    "computer_name": "JASON-WIN81-VM",
    "event_type": "modload",
    "link_process": "https://cbtests/#analyze/00000001-0000-07b4-01d1-209a100bc217/1",
    "link_sensor": "https://cbtests/#/host/1",
    "md5": "3D136E8D4C0407D9C40FD8BDD649B587",
    "path": "c:\\windows\\system32\\ntdll.dll",
    "pid": 1972,
    "process_guid": "00000001-0000-07b4-01d1-209a100bc217",
    "sensor_id": 1,
    "timestamp": 1447697423,
    "type": "ingress.event.moduleload"
}
Key Value Description
cb_server cbserver Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
computer_name JASON-WIN81-VM hostname of the sensor
event_type modload The type of event
link_process https://cbtests/#analyze… Deep link to EDR UI for process
link_sensor https://cbtests/#/host/1 Deep link to EDR UI for sensor
md5 3D136E8D4C0407D9C40FD8BDD649B587 md5 of the module
path c:\windows\system32\ntdll.dll Path of the module loaded into the current process
pid 1972 Endpoint OS Process id of process
process_guid 00000001-0000-07b4-01d1-209a100bc217 Cb Process GUID of process
sensor_id 1 sensor ID of associated sensor
timestamp 1447697423 Endpoint timestamp of this event since epoch
type ingress.event.moduleload The full type of event

ingress.event.childproc (Child Process)

Below is an example of an ingress.event.childproc JSON event.

{
    "cb_server": "cbserver",
    "child_process_guid": "00000001-0000-07b4-01d1-209a100bc217",
    "computer_name": "JASON-WIN81-VM",
    "created": true,
    "event_type": "childproc",
    "link_child": "https://cbtests/#analyze/00000001-0000-07b4-01d1-209a100bc217/1",
    "link_process": "https://cbtests/#analyze/00000001-0000-0af4-01d1-1e444bf4c3dd/1",
    "link_sensor": "https://cbtests/#/host/1",
    "md5": "D6021013D7C4E248AEB8BED12D3DCC88",
    "pid": 2804,
    "process_guid": "00000001-0000-0af4-01d1-1e444bf4c3dd",
    "sensor_id": 1,
    "timestamp": 1447697423,
    "type": "ingress.event.childproc"
}
Key Value Description
cb_server cbserver Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
child_process_guid 00000001-0000-07b4-01d1-209a100bc217 process guid of the child process
computer_name JASON-WIN81-VM hostname of the sensor
created true true if this event records the child process being created, false if it records the child process exiting
event_type childproc The type of event
link_child https://cbtests/#analyze… Deep link to EDR UI for child process
link_process https://cbtests/#analyze… Deep link to EDR UI for parent process
link_sensor https://cbtests/#/host/1 Deep link to EDR UI for sensor
md5 D6021013D7C4E248AEB8BED12D3DCC88 md5 of the child process executable image
pid 2804 Endpoint OS Process id of process
process_guid 00000001-0000-0af4-01d1-1e444bf4c3dd Cb Process GUID of parent process
sensor_id 1 sensor ID of associated sensor
timestamp 1447697423 Endpoint timestamp of this event since epoch
type ingress.event.childproc The full type of event

ingress.event.procstart (Process Start)

Below is an example of an ingress.event.procstart JSON event.

{
    "cb_server": "cbserver",
    "command_line": "\"C:\\Windows\\system32\\SearchProtocolHost.exe\" Global\\UsGthrFltPipeMssGthrPipe253_ Global\\UsGthrCtrlFltPipeMssGthrPipe253 1 -2147483646 \"Software\\Microsoft\\Windows Search\" \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)\" \"C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\usgthrsvc\" \"DownLevelDaemon\" ",
    "computer_name": "JASON-WIN81-VM",
    "event_type": "proc",
    "expect_followon_w_md5": false,
    "link_parent": "https://cbtests/#analyze/00000001-0000-0af4-01d1-1e444bf4c3dd/1",
    "link_process": "https://cbtests/#analyze/00000001-0000-07b4-01d1-209a100bc217/1",
    "link_sensor": "https://cbtests/#/host/1",
    "md5": "D6021013D7C4E248AEB8BED12D3DCC88",
    "parent_create_time": 1447440685,
    "parent_md5": "79227C1E2225DE455F365B607A6D46FB",
    "parent_path": "c:\\windows\\system32\\searchindexer.exe",
    "parent_process_guid": "00000001-0000-0af4-01d1-1e444bf4c3dd",
    "path": "c:\\windows\\system32\\searchprotocolhost.exe",
    "pid": 1972,
    "process_guid": "00000001-0000-07b4-01d1-209a100bc217",
    "sensor_id": 1,
    "timestamp": 1447697423,
    "type": "ingress.event.procstart",
    "username": "SYSTEM"
}
Key Value Description
cb_server cbserver Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
command_line "C:\Windows\system32\SearchProtocolHost.exe"… Command Line of the new process
computer_name JASON-WIN81-VM hostname of the sensor
event_type proc type of event
expect_followon_w_md5 false true if the md5 could not be calculated in time; EDR will then send a second procstart for the same process_guid carrying the process md5, so consumers should de-duplicate on process_guid
link_parent https://cbtests/#analyze… Deep link to EDR UI for parent process
link_process https://cbtests/#analyze… Deep link to EDR UI for this process
link_sensor https://cbtests/#/host/1 Deep link to EDR UI for sensor
md5 D6021013D7C4E248AEB8BED12D3DCC88 MD5 of the executable binary associated with this process
parent_create_time 1447440685 seconds since epoch of parent process create time
parent_md5 79227C1E2225DE455F365B607A6D46FB MD5 of parent’s executable image
parent_path c:\windows\system32\searchindexer.exe file path of parent’s executable image
parent_process_guid 00000001-0000-0af4-01d1-1e444bf4c3dd Cb Process GUID of parent process
path c:\windows\system32\searchprotocolhost.exe file path of the child processes' executable image
pid 1972 OS Process id of child process
process_guid 00000001-0000-07b4-01d1-209a100bc217 Cb Process GUID of child process
sensor_id 1 sensor ID of associated sensor
timestamp 1447697423 Endpoint timestamp of this event since epoch
type ingress.event.procstart The full type of event
username SYSTEM Username used to create child process
logon_type 4 Describes the logon type of the logon session associated with a process (not present in the example above). Here the value 4 corresponds to Batch, which indicates that the process is executed on behalf of a user without their direct intervention (possibly a scheduled task). Possible valid values are 0 and 2 to 13 as per https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-logonsession.

ingress.event.crossprocopen (Cross Process Open)

Below is an example of an ingress.event.crossprocopen JSON event.

{
    "cb_server": "cbserver",
    "computer_name": "WIN-OTEMNUTBS23",
    "cross_process_type": "open_process",
    "event_type": "cross_process",
    "is_target": false,
    "link_process": "https://cbtests/#analyze/00000007-0000-0ccc-01d1-209ab5339f45/1",
    "link_sensor": "https://cbtests/#/host/7",
    "link_target": "https://cbtests/#analyze/00000007-0000-02c4-01d1-20982cef85d3/1",
    "md5": "053EEEE1ABAE53F044F1E386E22AE525",
    "pid": 3276,
    "process_guid": "00000007-0000-0ccc-01d1-209ab5339f45",
    "requested_access": 5136,
    "sensor_id": 7,
    "target_create_time": 130921702131467731,
    "target_md5": "382100E75B6F4668AEAEF228C6CEFFAD",
    "target_path": "c:\\windows\\system32\\lsass.exe",
    "target_pid": 708,
    "target_process_guid": "00000007-0000-02c4-01d1-20982cef85d3",
    "timestamp": 1447697702,
    "type": "ingress.event.crossprocopen"
}
Key Value Description
cb_server cbserver Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
computer_name WIN-OTEMNUTBS23 hostname of the sensor
cross_process_type open_process The type of cross process event: either open_process (opening a handle to another process) or open_thread (opening a handle to a thread in another process)
event_type cross_process type of event
is_target false specifies whether process_guid is the target of the cross process event
link_target https://cbtests/#analyze… Deep link to EDR UI for target process
link_process https://cbtests/#analyze… Deep link to EDR UI for this process
link_sensor https://cbtests/#/host/7 Deep link to EDR UI for sensor
md5 053EEEE1ABAE53F044F1E386E22AE525 md5 of process_guid executable image
pid 3276 Endpoint OS Process id of process that generated the crossprocopen event
process_guid 00000007-0000-0ccc-01d1-209ab5339f45 Cb Process GUID of the process that opened the handle (the source process; see is_target)
requested_access 5136 Windows access mask requested for the process or thread handle, as a decimal bitfield of PROCESS_* rights for open_process or THREAD_* rights for open_thread
sensor_id 7 sensor ID of associated sensor
target_create_time 130921702131467731 Target Process create time represented as a 64-bit Windows FILETIME
target_md5 382100E75B6F4668AEAEF228C6CEFFAD md5 of target process executable image
target_path c:\windows\system32\lsass.exe Path of the target process' executable image
target_pid 708 Process ID of the target process
target_process_guid 00000007-0000-02c4-01d1-20982cef85d3 process_guid of the target process
timestamp 1447697702 Endpoint timestamp of this event since epoch
type ingress.event.crossprocopen The full type of event
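The requested_access and target_create_time fields are only useful once decoded, so the following added example (not code from the cb-event-forwarder project) expands the decimal access mask into named rights, converts the 64-bit FILETIME to UTC, and flags handle opens to lsass.exe that request memory-read rights, which is the access pattern credential dumpers need. The PROCESS_*/THREAD_* values are the Windows constants from winnt.h; the function names, the list of sensitive targets and the sample event (taken from the example above) are this example's own.

```python
import datetime

PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x000F0000: "STANDARD_RIGHTS_REQUIRED", 0x00100000: "SYNCHRONIZE",
}
THREAD_RIGHTS = {
    0x0001: "THREAD_TERMINATE", 0x0002: "THREAD_SUSPEND_RESUME",
    0x0008: "THREAD_GET_CONTEXT", 0x0010: "THREAD_SET_CONTEXT",
    0x0020: "THREAD_SET_INFORMATION", 0x0040: "THREAD_QUERY_INFORMATION",
    0x0080: "THREAD_SET_THREAD_TOKEN", 0x0100: "THREAD_IMPERSONATE",
    0x0200: "THREAD_DIRECT_IMPERSONATION", 0x0400: "THREAD_SET_LIMITED_INFORMATION",
    0x0800: "THREAD_QUERY_LIMITED_INFORMATION", 0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x001FFFFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF (Vista+)
PROCESS_VM_READ = 0x0010
SENSITIVE_TARGETS = {"lsass.exe", "csrss.exe", "winlogon.exe"}  # example list


def decode_access(mask, cross_process_type="open_process"):
    """Expand a decimal requested_access value into the named rights it contains."""
    table = THREAD_RIGHTS if cross_process_type == "open_thread" else PROCESS_RIGHTS
    if table is PROCESS_RIGHTS and (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    names = [name for bit, name in sorted(table.items()) if (mask & bit) == bit]
    known = 0
    for bit in table:
        known |= bit
    if mask & ~known:  # bits outside the table (generic rights, reserved bits)
        names.append("0x%X" % (mask & ~known))
    return names


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware UTC datetime."""
    ticks = ft - 116444736000000000  # ticks between 1601-01-01 and 1970-01-01
    secs, rem = divmod(ticks, 10000000)
    return (datetime.datetime.fromtimestamp(secs, datetime.timezone.utc)
            + datetime.timedelta(microseconds=rem // 10))


def assess_crossproc(evt):
    """Enrich a crossprocopen event and flag memory-read opens of sensitive processes.

    Returns None for records where is_target is true: there process_guid, md5
    and pid describe the target, so scoring them would blame the wrong process."""
    if evt.get("is_target"):
        return None
    kind = evt.get("cross_process_type", "open_process")
    access = evt["requested_access"]
    target_name = evt["target_path"].rsplit("\\", 1)[-1].lower()
    return {
        "process_guid": evt["process_guid"],
        "target": target_name,
        "rights": decode_access(access, kind),
        "target_created": filetime_to_datetime(evt["target_create_time"]).isoformat(),
        "suspicious": (kind == "open_process"
                       and target_name in SENSITIVE_TARGETS
                       and bool(access & PROCESS_VM_READ)),
    }


# Fields of the ingress.event.crossprocopen example above that the function reads.
SAMPLE_EVENT = {
    "cross_process_type": "open_process", "is_target": False,
    "process_guid": "00000007-0000-0ccc-01d1-209ab5339f45",
    "requested_access": 5136, "target_create_time": 130921702131467731,
    "target_path": "c:\\windows\\system32\\lsass.exe", "target_pid": 708,
}

if __name__ == "__main__":
    print(assess_crossproc(SAMPLE_EVENT))
```

For the example event, 5136 (0x1410) decodes to PROCESS_VM_READ, PROCESS_QUERY_INFORMATION and PROCESS_QUERY_LIMITED_INFORMATION against lsass.exe, which is exactly what a process reading LSASS memory asks for; a query-only mask (0x1000) against the same target is routine and is not flagged.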

ingress.event.emetmitigation (EMET Mitigation)

Below is an example of an ingress.event.emetmitigation JSON event.

{
    "blocked": true,
    "cb_server": "cbserver",
    "computer_name": "JASON-WIN81-VM",
    "emet_timestamp": 130949318600000000,
    "event_type": "emet_mitigation",
    "link_process": "https://cbtests/#analyze/00000001-0000-0d10-01d1-39b621f894f9/1",
    "link_sensor": "https://cbtests/#/host/1",
    "log_id": 1032,
    "log_message": "EMET detected EAF mitigation and will close the application: EMET_Test64.exe\r\n\r\nEAF check failed:\n  Application \t: C:\\Users\\dan\\Desktop\\EMET_TEST\\EMET_Test64.exe\n  User Name \t: DANWIN764\\dan\n  Session ID \t: 1\n  PID \t\t: 0xD10 (3344)\n  TID \t\t: 0xDB4 (3508)\n  Module \t: N/A\n  Mod Base \t: 0x0000000000000000\n  Mod Address \t: 0x000000000297000D\n  Mem Address \t: 0x0000000000000000\n\r\n",
    "md5": "053EEEE1ABAE53F044F1E386E22AE525",
    "mitigation": "Eaf",
    "pid": 3344,
    "process_guid": "00000001-0000-0d10-01d1-39b621f894f9",
    "sensor_id": 1,
    "timestamp": 1450458260,
    "type": "ingress.event.emetmitigation"
}
Key Value Description
blocked true boolean value describing if the action was successfully blocked by EMET
cb_server cbserver Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
computer_name JASON-WIN81-VM hostname of the sensor
emet_timestamp 130949318600000000 timestamp of EMET event represented by a 64-bit Windows FILETIME
event_type emet_mitigation type of event
link_process https://cbtests/#analyze… Deep link to EDR UI for process
link_sensor https://cbtests/#/host/1 Deep link to EDR UI for sensor
log_id 1032 EMET log ID associated with this emetmitigation event
log_message EMET detected EAF mitigation… The full log message generated by EMET
md5 053EEEE1ABAE53F044F1E386E22AE525 md5 of process_guid executable image
mitigation Eaf The type of EMET mitigation performed to block the operation. Possible values are Dep, Sehop, Asr, Aslr, NullPage, HeapSpray, MandatoryAslr, Eaf, EafPlus, BottomUpAslr, LoadLibrary, MemoryProtection, SimulateExecFlow, StackPivot, CallerChecks, BannedFunctions, DeepHooks, AntiDetours.
pid 3344 Endpoint OS Process id of process that generated the emetmitigation event
process_guid 00000001-0000-0d10-01d1-39b621f894f9 Process GUID of offending process
sensor_id 1 sensor ID of associated sensor
timestamp 1450458260 Endpoint timestamp of this event since epoch
type ingress.event.emetmitigation The full type of event

ingress.event.processblock (Process Block)

Below is an example of an ingress.event.processblock JSON event.

{
    "blocked_event": "ProcessCreate",
    "blocked_reason": "Md5Hash",
    "blocked_result": "ProcessTerminated",
    "cb_server": "cbserver",
    "command_line": "\"C:\\Program Files\\Microsoft Games\\hearts\\hearts.exe\" ",
    "computer_name": "JASON-WIN81-VM",
    "event_type": "blocked_process",
    "md5": "A8524F6C3AFF774911BCA26AB8322602",
    "path": "c:\\program files\\microsoft games\\hearts\\hearts.exe",
    "sensor_id": 1,
    "timestamp": 1450470603,
    "type": "ingress.event.processblock",
    "uid": "S-1-5-21-3382350439-2970772701-2583938045-1000",
    "username": "DANWIN764\\dan"
}
Key Value Description
blocked_event ProcessCreate The type of event that was blocked: either ProcessCreate (the process was terminated immediately upon execution) or RunningProcess (the process was already running on the endpoint when the block was applied).
blocked_reason Md5Hash The reason for block action (Md5Hash is the only possible value)
blocked_result ProcessTerminated The result of the blocked action: ProcessTerminated, NotTerminatedCBProcess, NotTerminatedSystemProcess, NotTerminatedCriticalSystemProcess, NotTerminatedWhitelistPath, NotTerminatedOpenProcessError, or NotTerminatedTerminateError.
cb_server cbserver Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
command_line "C:\Program Files\Microsoft Games\hearts\hearts.exe" Command line associated with the blocked process
computer_name JASON-WIN81-VM hostname of the sensor
event_type blocked_process type of event
md5 A8524F6C3AFF774911BCA26AB8322602 md5 of the blocked executable
path c:\program files\microsoft games\hearts\hearts.exe Path of the blocked executable on disk
sensor_id 1 sensor ID of associated sensor
timestamp 1450470603 Endpoint timestamp of this event since epoch
type ingress.event.processblock The full type of event
uid S-1-5-21-3382350439-2970772701-2583938045-1000 Security Identifier of the username name used for process creation
username DANWIN764\dan Username that initiated the process creation

ingress.event.tamper (EDR Tamper)

Below is an example of an ingress.event.tamper JSON event.

{
    "cb_server": "cbserver",
    "computer_name": "JASON-WIN81-VM",
    "event_type": "tamper",
    "sensor_id": 1,
    "tamper_type": "CbProcessTerminated",
    "timestamp": 1450470455,
    "type": "ingress.event.tamper"
}
Key Value Description
cb_server cbserver Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
computer_name JASON-WIN81-VM hostname of the sensor
event_type tamper type of event
sensor_id 1 sensor ID of associated sensor
tamper_type CbProcessTerminated The activity which triggered this tamper event: CoreDriverUnloaded, NetworkDriverUnloaded, CbServiceStopped, CbProcessTerminated, or CbCodeInjection
timestamp 1450470455 Endpoint timestamp of this event since epoch
type ingress.event.tamper The full type of event

task.error.logged

Below is an example of a task.error.logged JSON event.

{
    "error_text": "Error during synchronization of feed somename(23): bad query field: '#47'",
    "task_name": "FeedSynchronizer",
    "task_type": "Task",
    "timestamp": "2020-12-08 15:28:15.999581-05:00"
}
Key Value Description
error_text Error during synchronization of feed somename(23): bad query field: ‘#47’ The text describing the error.
task_name FeedSynchronizer The name of the task that generated the error.
task_type Task The type of task: "Task" refers to a background task in cb-enterprised; "Job" refers to a cron job.
timestamp 2020-12-08 15:28:15.999581-05:00 The timestamp of the occurrence of the error.

LEEF Event format

Below is an example of a watchlist.hit.process event. The following table breaks up the key value pairs and gives a description.

Note that the LEEF output generated by the Carbon Black event forwarder is encoded in UTF-8. Tabs and newlines included as part of a field value are escaped as "\t" and "\n" respectively, and a single backslash in any field's value is transmitted as "\\" (two backslash characters). Older sample output may not include this escape mechanism; it was added to the current code base to avoid parsing ambiguity when newlines and tabs are encountered in the input data. The example data below has been adjusted to reflect the backslash escaping.

LEEF:1.0|CB|CB|5.1.0.150625.500|watchlist.hit.process|cb_server=None    childproc_count=0
cmdline="C:\\Program Files\\Bit9\\Parity Agent\\Parity.exe" /service /server bit9server.bit9se.com /port 41002
comms_ip=-1062672891    crossproc_count=0   filemod_count=5 group=Default Group host_type=workstation
hostname=W7-LOW id=00000016-0000-0608-01d1-171453a78ab2 interface_ip=192.168.230.5
last_update=2015-11-04T15:20:56.939Z    modload_count=371   netconn_count=1 os_type=windows
parent_guid=00000016-0000-0210-01d1-1714513a9f24    parent_md5=000000000000000000000000000000
parent_name=services.exe    parent_pid=528  parent_unique_id=00000016-0000-0210-01d1-1714513a9f24-00000001
path=c:\\program files\\bit9\\parity agent\\parity.exe  process_guid=00000016-0000-0608-01d1-171453a78ab2
process_md5=15785fcb9495aa518c8c751e80ab9bf7    process_name=parity.exe process_pid=1544    regmod_count=8
segment_id=1    sensor_id=22    server_name=cbserver    start=2015-11-04T15:20:24.072Z  timestamp=1446092826.89
type=watchlist.hit.process  unique_id=00000016-0000-0608-01d1-171453a78ab2-00000001 username=SYSTEM
watchlist_id=7  watchlist_name=Non-System Filemods to system32
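An added example (not code from the cb-event-forwarder project) of a parser for the LEEF line above: it splits the pipe-delimited header, splits the attributes on the real tab separators, reverses the escaping just described (doubled backslash, "\t", "\n"), and renders a signed 32-bit comms_ip as a dotted quad. The sample line is rebuilt here from the event above with tab separators; the function names are this example's own.

```python
import socket
import struct

# Constructed from the watchlist.hit.process example above; the wire format
# carries real tabs between attributes and doubled backslashes inside values.
SAMPLE = "\t".join([
    "LEEF:1.0|CB|CB|5.1.0.150625.500|watchlist.hit.process|cb_server=None",
    "childproc_count=0",
    'cmdline="C:\\\\Program Files\\\\Bit9\\\\Parity Agent\\\\Parity.exe" /service /server bit9server.bit9se.com /port 41002',
    "comms_ip=-1062672891",
    "hostname=W7-LOW",
    "path=c:\\\\program files\\\\bit9\\\\parity agent\\\\parity.exe",
    "process_md5=15785fcb9495aa518c8c751e80ab9bf7",
    "type=watchlist.hit.process",
    "watchlist_name=Non-System Filemods to system32",
])


def unescape_leef(value):
    # Reverse the forwarder's escaping: backslash-backslash -> backslash,
    # backslash-t -> tab, backslash-n -> newline. Walk left to right so an
    # escaped backslash followed by a literal 't' is not mistaken for a tab.
    out = []
    i = 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in "\\tn":
                out.append({"\\": "\\", "t": "\t", "n": "\n"}[nxt])
                i += 2
                continue
        out.append(c)
        i += 1
    return "".join(out)


def int32_to_ip(value):
    """Accept comms_ip as a signed 32-bit int (older forwarders) or a dotted quad."""
    try:
        n = int(value)
    except ValueError:
        return value  # already formatted by a newer forwarder
    return socket.inet_ntoa(struct.pack("!I", n & 0xFFFFFFFF))


def parse_leef(line):
    """Split a LEEF 1.0 line into (header dict, attribute dict)."""
    parts = line.split("|", 5)  # maxsplit keeps pipes inside attribute values intact
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 line")
    header = {"version": parts[0][5:], "vendor": parts[1], "product": parts[2],
              "product_version": parts[3], "event_id": parts[4]}
    attrs = {}
    for field in parts[5].split("\t"):
        key, sep, value = field.partition("=")
        if not sep:
            continue  # tabs inside values are escaped, so a bare token is noise
        attrs[key] = unescape_leef(value)
    if "comms_ip" in attrs:
        attrs["comms_ip"] = int32_to_ip(attrs["comms_ip"])
    return header, attrs


if __name__ == "__main__":
    hdr, attrs = parse_leef(SAMPLE)
    print(hdr["event_id"], attrs["comms_ip"], attrs["cmdline"])
```

Splitting on the raw tab before unescaping is what makes the format unambiguous: a tab or newline that was part of a command line arrives as the two-character escape and only becomes a control character once the field boundaries are known.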
Key Value Description
cb_server None Used to distinguish between multiple Carbon Black servers when their event source is merged into a single event source. This is reflected from the cb-event-forwarder configuration file
childproc_count 0 Total count of child processes created by this process
cmdline "C:\\Program Files\\Bit9\\Parity Agent\\Parity.exe" /service /server bit9server.bit9se.com /port 41002 Process command line. After unescaping, this command line is “"C:\Program Files\Bit9\Parity Agent\Parity.exe" /service /server bit9server.bit9se.com /port 41002”
comms_ip -1062672891 (192.168.230.5) IP address that the Cb server received the events on. If the endpoint is behind a NAT, for example, this will be the external IP of the network the endpoint lives on. NOTE: your output has this field as an integer. The final cb-event-forwarder code will reformat this as the IP address (seen here in parentheses)
crossproc_count 0 Number of cross process events (process injection or opening a handle to another process).
filemod_count 5 Total count of file modifications made by this process
group Default Group Sensor group this sensor was assigned to at time of process execution
host_type workstation Type of the computer: server, workstation, domain controller
hostname W7-LOW Hostname of the computer on which the process executed (at time of execution)
id 00000016-0000-0608-01d1-171453a78ab2 Process unique identifier. Note: within the CB Web UI you can view the process by going to https://<cbserverurl>/#analyze/<guid>/1.
interface_ip 192.168.230.5 The IP address of the network interface(s) on the endpoint that generated this message
last_update 2015-11-04T15:20:56.939Z Last activity in this process in endpoint local time. Example: 2014-02-04T16:23:22.547Z
modload_count 371 Total count of module loads in this process.
netconn_count 1 Total count of network connections made and received by this process.
os_type windows Operating system type of the endpoint, e.g. Windows, Linux, Osx.
parent_guid 00000016-0000-0210-01d1-1714513a9f24 Parent process unique identifier. Note: within the CB Web UI you can view the process by going to https://<cbserverurl>/#analyze/<guid>/1.
parent_md5 000000000000000000000000000000 MD5 of the parent process.
parent_name services.exe Name of the parent process.
parent_pid 528 Process ID of parent process.
parent_unique_id 00000016-0000-0210-01d1-1714513a9f24-00000001 Parent process unique identifier.
path c:\\program files\\bit9\\parity agent\\parity.exe Full path to the executable file backing this process.
process_guid 00000016-0000-0608-01d1-171453a78ab2 Process unique identifier. Note: within the CB Web UI you can view the process by going to https://<cbserverurl>/#analyze/<guid>/1.
process_md5 15785fcb9495aa518c8c751e80ab9bf7 MD5 of process
process_name parity.exe Name of the process
process_pid 1544 Process ID of the process
regmod_count 8 Total count of registry modifications made by this process.
sensor_id 22 Endpoint identifier. Within the Cb Web UI you can view this sensor by going to https://<cbserver>/#/host/<sensor_id>
server_name cbserver Name of the Carbon Black server
start 2015-11-04T15:20:24.072Z Start time of this process in endpoint local time. Example: 2014-02-04T16:23:22.516Z
timestamp 1446092826.89 Date/time of when the event occurred, as a Unix epoch timestamp
type watchlist.hit.process The Event type
unique_id 00000016-0000-0608-01d1-171453a78ab2-00000001 Process unique identifier.
username SYSTEM User context in which the process executed.
watchlist_id 7 Watchlist Unique Identifier
watchlist_name Non-System Filemods to system32 Watchlist Name
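As an added example that is not part of the original page or of the cb-event-forwarder code, the following Python parses the LEEF record above, applies the unescaping rules described earlier ("\t", "\n" and "\\" back to tab, newline and backslash) and converts the legacy integer form of comms_ip to the dotted-quad form shown in parentheses in the table. The sample record is the page's own record reassembled with literal tab separators; the function and constant names are my own.

```python
import ipaddress
import re

# The page's watchlist.hit.process record, reassembled here with literal tab
# separators between attributes (the page shows it wrapped for display).
SAMPLE_LEEF = (
    "LEEF:1.0|CB|CB|5.1.0.150625.500|watchlist.hit.process|"
    "cb_server=None\tchildproc_count=0\t"
    'cmdline="C:\\\\Program Files\\\\Bit9\\\\Parity Agent\\\\Parity.exe"'
    " /service /server bit9server.bit9se.com /port 41002\t"
    "comms_ip=-1062672891\tcrossproc_count=0\tfilemod_count=5\t"
    "group=Default Group\thost_type=workstation\thostname=W7-LOW\t"
    "id=00000016-0000-0608-01d1-171453a78ab2\tinterface_ip=192.168.230.5\t"
    "last_update=2015-11-04T15:20:56.939Z\tmodload_count=371\tnetconn_count=1\t"
    "os_type=windows\tparent_name=services.exe\tparent_pid=528\t"
    "path=c:\\\\program files\\\\bit9\\\\parity agent\\\\parity.exe\t"
    "process_md5=15785fcb9495aa518c8c751e80ab9bf7\tprocess_name=parity.exe\t"
    "process_pid=1544\tregmod_count=8\tsensor_id=22\tserver_name=cbserver\t"
    "start=2015-11-04T15:20:24.072Z\ttimestamp=1446092826.89\t"
    "type=watchlist.hit.process\tusername=SYSTEM\twatchlist_id=7\t"
    "watchlist_name=Non-System Filemods to system32"
)

# Escape sequences the forwarder emits inside attribute values.
_ESCAPES = {"t": "\t", "n": "\n", "\\": "\\"}


def unescape_value(value: str) -> str:
    """Reverse the forwarder's escaping in a single left-to-right pass, so that
    an escaped backslash followed by a literal 't' is not misread as a tab."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), value)


def int_to_ipv4(value: int) -> str:
    """Render comms_ip as a dotted quad. Older forwarder builds emit it as a
    signed 32-bit integer, so mask to 32 bits before converting."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def parse_leef(record: str) -> dict:
    """Split a LEEF 1.0 record into its five header fields and an attribute dict.
    Only the first five '|' are header delimiters; a '|' inside cmdline is data."""
    parts = record.split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 record")
    version, vendor, product, product_version, event_id, attrs = parts
    fields = {}
    for pair in attrs.split("\t"):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {pair!r}")
        fields[key] = unescape_value(value)
    return {
        "leef_version": version, "vendor": vendor, "product": product,
        "product_version": product_version, "event_id": event_id, "fields": fields,
    }


_INT_KEYS = ("childproc_count", "crossproc_count", "filemod_count", "modload_count",
             "netconn_count", "regmod_count", "parent_pid", "process_pid",
             "segment_id", "sensor_id", "watchlist_id")


def normalize_process_event(fields: dict) -> dict:
    """Type the counters and PIDs as integers and turn an integer comms_ip into a
    dotted quad; a comms_ip that is already dotted is left untouched."""
    out = dict(fields)
    for key in _INT_KEYS:
        if key in out:
            out[key] = int(out[key])
    if re.fullmatch(r"-?\d+", out.get("comms_ip", "")):
        out["comms_ip"] = int_to_ipv4(int(out["comms_ip"]))
    if "timestamp" in out:
        out["timestamp"] = float(out["timestamp"])
    return out


if __name__ == "__main__":
    event = normalize_process_event(parse_leef(SAMPLE_LEEF)["fields"])
    print(event["cmdline"])   # "C:\Program Files\Bit9\Parity Agent\Parity.exe" /service ...
    print(event["comms_ip"])  # 192.168.230.5
```

The single-pass unescape matters: splitting on the literal tab first and only then decoding "\t" inside each value is what keeps a tab embedded in a command line from being mistaken for an attribute delimiter, which is the ambiguity the escaping was introduced to remove.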

LEEF and netconn (Network Connection) Events

The LEEF encoder in the EDR Event Forwarder normalizes the data in the ingress.event.netconn event type to match the expected schema in the LEEF format. When the associated network connection is outbound, then the local_ip and local_port keys are mapped to the src and srcPort fields respectively, and the remote_ip and remote_port keys are mapped to the dst and dstPort fields in the LEEF output. The reverse is done when the associated network connection is inbound. This should cause the netconns to map correctly in IBM QRadar or other tools that can read LEEF formatted event logs.
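The direction-dependent mapping described above, as an added Python example that is not part of the forwarder's own code. It assumes the netconn event carries a direction key with the values "outbound" or "inbound" (my assumption; the page describes the two cases without naming the key), uses constructed sample events with documentation-range addresses, and borrows the vendor, product and version strings from the page's sample header; the function names are mine.

```python
# Constructed sample netconn events (not captured data). The direction key
# and its two values are an assumption made for this example.
OUTBOUND = {
    "type": "ingress.event.netconn", "direction": "outbound", "protocol": 6,
    "local_ip": "192.168.230.5", "local_port": 49152,
    "remote_ip": "203.0.113.10", "remote_port": 443,
    "process_guid": "00000016-0000-0608-01d1-171453a78ab2", "sensor_id": 22,
}
INBOUND = {
    "type": "ingress.event.netconn", "direction": "inbound", "protocol": 6,
    "local_ip": "192.168.230.5", "local_port": 3389,
    "remote_ip": "198.51.100.7", "remote_port": 51234,
    "process_guid": "00000016-0000-0608-01d1-171453a78ab2", "sensor_id": 22,
}

# How the endpoint-relative keys become LEEF's source/destination keys.
_OUTBOUND_MAP = {"local_ip": "src", "local_port": "srcPort",
                 "remote_ip": "dst", "remote_port": "dstPort"}
_INBOUND_MAP = {"local_ip": "dst", "local_port": "dstPort",
                "remote_ip": "src", "remote_port": "srcPort"}


def leef_escape(value) -> str:
    """Escape a value for a LEEF attribute: backslashes first, then tab and
    newline, so that a decoder can undo it in a single pass."""
    return str(value).replace("\\", "\\\\").replace("\t", "\\t").replace("\n", "\\n")


def netconn_to_leef_fields(event: dict) -> dict:
    """Rename the four address/port keys according to connection direction;
    every other key passes through unchanged."""
    direction = event.get("direction")
    if direction == "outbound":
        mapping = _OUTBOUND_MAP
    elif direction == "inbound":
        mapping = _INBOUND_MAP
    else:
        raise ValueError(f"cannot map netconn with direction {direction!r}")
    return {mapping.get(key, key): value for key, value in event.items()}


def encode_leef(event: dict, product_version: str = "5.1.0.150625.500") -> str:
    """Emit a LEEF 1.0 record: pipe-delimited header, tab-delimited attributes.
    Only ingress.event.netconn gets the src/dst renaming."""
    event_id = event["type"]
    fields = netconn_to_leef_fields(event) if event_id == "ingress.event.netconn" else event
    attrs = "\t".join(f"{key}={leef_escape(value)}" for key, value in fields.items())
    return f"LEEF:1.0|CB|CB|{product_version}|{event_id}|{attrs}"


if __name__ == "__main__":
    print(encode_leef(OUTBOUND))
    print(encode_leef(INBOUND))
```

Refusing to guess on an unknown direction is deliberate: silently defaulting to one mapping would put the endpoint's address in the wrong column for half of the connections, and a SIEM rule keyed on dst would then miss exactly the inbound cases it was written for.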



Last modified on February 15, 2023