Carbon Black Logs
Connecting Carbon Black logs in your Panther Console
Overview
Panther supports the following methods of ingesting logs from Carbon Black:
Carbon Black Audit Logs API: Panther can fetch Carbon Black audit logs by directly querying the the Carbon Black API.
Carbon Black Data Streaming: Panther can ingest Carbon Black data regarding alerts, endpoint events, and watchlist hits using Carbon Black's data streaming feature via AWS S3.
How to onboard Carbon Black Audit logs to Panther
To set up Carbon Black as a log source in Panther, you will create a new log source in Panther using a Carbon Black API key.
This Carbon Black Audit Logs integration only supports CarbonBlack.Audit logs. To ingest other log types, see How to onboard Carbon Black Data Streaming logs to Panther.
Step 1: Generate a Carbon Black API key
Do not use the Carbon Black API key attached to your Panther integration with any other application, as doing so may result in log loss.
In your Carbon Black instance, click Settings > API Access.
Click the Access Levels tab.
Click Add Access Level.
Enter values for the required fields.
Choose the
org.audits READpermission, within Audit Logs > View and Export Audits.Click Save.
Click the API Keys tab.
Click Add API Key.
In the Name field, enter a descriptive name, like
Panther.In the Access Level Type field, select
Custom.In the Custom Access Level field, select the access level you created earlier in this process.
(Optional) In the Authorized IP Addresses field, enter Panther's IP address to restrict access to only Panther.
Find Panther's IP address in your Console, on the Settings > General page.
Click Save.
Copy the API ID and API Secret Key and store them in a secure location, as you will need these values in the next step.
Step 2: Create a new Carbon Black Audit Logs source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Carbon Black Audit Logs," then click its tile.
In the slide-out panel, click Start Setup.
On the next screen, enter a descriptive name for the source, such as
My Carbon Black Audit logs.Click Setup.
On the Set Credentials page, fill in the form:
Carbon Black Domain: Enter the URL of your Carbon Black domain.
API ID: Enter the Carbon Black API ID generated in Step 1.
API Secret Key: Enter the API Secret Key generated in Step 1.
Click Setup. You will be directed to a success screen:
You can optionally enable one or more Detection Packs.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
How to onboard Carbon Black Data Streaming logs to Panther
To configure Carbon Black log streaming for ingestion in Panther, you will first set up Data Forwarders in Carbon Black, then create a Carbon Black Data Streaming source in Panther.
This Carbon Black Data Streaming integration supports CarbonBlack.AlertV2, CarbonBlack.EndpointEvent, and CarbonBlack.WatchlistHit log types. To ingest CarbonBlack.Audit logs, see How to onboard Carbon Black Audit logs to Panther.
Step 1: Set up Carbon Black Data Forwarders to an S3 bucket
For each of the Data Streaming log types you would like to ingest, follow the Carbon Black instructions to set up a Data Forwarder to an AWS S3 bucket.
It's recommended to configure each Data Forwarder to send logs to a different folder in your S3 bucket. This will ensure all data is parsed correctly in Panther.
When creating the Alert Data Forwarder, for Schema, select 2.0.0.
After completing this process, your Data Forwarders will look similar to the below:
Step 2: Create a new Carbon Black Data Streaming source in Panther
In the left-hand navigation bar of the Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Carbon Black," then click the Carbon Black Data Streaming tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the AWS S3 Bucket option.
Click Start Setup.
Follow Panther's instructions for configuring an S3 Source, with the below modifications:
On the Basic Info page, click Configure Prefixes & Schemas (Optional).
For each Data Forwarder you created in Step 1 of this process, create an S3 Prefix and schema pair. If you are using all three log types, this will look like:
Click Apply Changes.
Audit Log source log types
These are audit logs of events in a Carbon Black tenant. For more information, see the Carbon Black Audit Log Events documentation.
CarbonBlack.Audit
schema: CarbonBlack.Audit
description: Audit logs from CarbonBlack
referenceURL: https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/
fields:
- name: verbose
description: Whether the event is verbose or not
type: boolean
- name: eventId
description: The ID of the event
required: true
type: string
- name: eventTime
description: The time the event occurred
type: timestamp
timeFormats:
- unix_ms
isEventTime: true
- name: description
description: A description of the event
type: string
- name: orgName
description: The name of the organization
type: string
- name: clientIp
description: The IP address of the client
type: string
indicators:
- ip
- name: requestUrl
description: The URL of the request
type: string
indicators:
- hostname
- name: loginName
description: The name of the user who logged in
type: string
indicators:
- username
- name: flagged
description: Whether the event is flagged or not
type: booleanData Streaming source log types
For more information, see the Carbon Black Data Forwarder schema documentation.
CarbonBlack.AlertV2
schema: CarbonBlack.AlertV2
description: Alert logs generated by the Carbon Black Cloud
referenceURL: https://developer.carbonblack.com/reference/carbon-black-cloud/data-forwarder/schema/latest/alert-2.0.0/
fields:
- name: additional_events_present
description: Indicator to let API and forwarder users know that they should look up other associated events related to this alert
type: boolean
- name: alert_notes_present
description: True if notes are present on the alert ID. False if notes are not present.
type: boolean
- name: alert_url
description: Link to the alerts page for this alert. Does not vary by alert type
type: string
required: true
indicators:
- url
- name: backend_timestamp
description: Timestamp when the Carbon Black Cloud processed and enabled the alert for searching. Corresponds to the Created column on the Alerts page.
type: timestamp
timeFormat: rfc3339
- name: backend_update_timestamp
description: Timestamp when the Carbon Black Cloud initiated and processed an update to an alert. Corresponds to the Updated column on the Alerts page.
type: timestamp
timeFormat: rfc3339
- name: blocked_effective_reputation
description: Effective reputation of the blocked file or process; applied by the sensor at the time the block occurred
type: string
- name: blocked_md5
description: MD5 hash of the child process binary; for any process terminated by the sensor
type: string
indicators:
- md5
- name: blocked_name
description: Tokenized file path of the files blocked by sensor action
type: string
- name: blocked_sha256
description: SHA-256 hash of the child process binary; for any process terminated by the sensor
type: string
indicators:
- sha256
- name: childproc_cmdline
description: Command line for the child process
type: string
- name: childproc_effective_reputation
description: Effective reputation of the child process; applied by the sensor at the time the event occurred
type: string
- name: childproc_guid
description: Unique process identifier assigned to the child process
type: string
- name: childproc_md5
description: Hash of the child process' binary (Enterprise EDR)
type: string
indicators:
- md5
- name: childproc_name
description: Filesystem path of the child process' binary
type: string
- name: childproc_sha256
description: Hash of the child process' binary (Endpoint Standard)
type: string
indicators:
- sha256
- name: childproc_username
description: User context in which the child process was executed
type: string
indicators:
- username
- name: detection_timestamp
description: Timestamp when the alert was first detected. For sensor-sent alerts, this is the time of the event on the sensor. For alerts generated on the backend, this is the time the backend system triggered the alert.
type: timestamp
timeFormat: rfc3339
required: true
isEventTime: true
- name: determination
description: User-updatable determination of the alert
type: object
fields:
- name: change_timestamp
description: Timestamp when the determination was updated
type: timestamp
timeFormat: rfc3339
- name: changed_by
description: User the determination was changed by
type: string
indicators:
- username
- name: changed_by_type
description: Type of user who changed the determination
type: string
- name: value
description: Determination value of the alert set by a user
type: string
- name: device_external_ip
description: IP address of the endpoint according to the Carbon Black Cloud; can differ from device_internal_ip due to network proxy or NAT; either IPv4 (dotted decimal notation) or IPv6 (proprietary format)
type: string
indicators:
- ip
- name: device_id
description: ID of devices
type: string
- name: device_internal_ip
description: IP address of the endpoint reported by the sensor; either IPv4 (dotted decimal notation) or IPv6 (proprietary format)
type: string
indicators:
- ip
- name: device_location
description: Whether the device was on or off premises when the alert started, based on the current IP address and the device’s registered DNS domain suffix
type: string
- name: device_name
description: Device name
type: string
- name: device_os
description: Device Operating Systems
type: string
- name: device_os_version
description: The operating system and version of the endpoint. Requires Windows CBC sensor version 3.5 or later.
type: string
- name: device_policy
description: Device policy
type: string
- name: device_policy_id
description: Device policy id
type: string
- name: device_target_value
description: Target value assigned to the device, set from the policy
type: string
- name: device_uem_id
description: Device correlation with WS1/EUC, required for our Workspace ONE Intelligence integration to function
type: string
- name: device_username
description: Users or device owners of alerts
type: string
indicators:
- username
- name: first_event_timestamp
description: Timestamp when the first event in the alert occurred
type: timestamp
timeFormat: rfc3339
- name: id
description: Unique ID of alert
type: string
required: true
- name: is_updated
description: Set to true if this is an updated copy of the alert initiated by the Carbon Black Cloud backend. User workflow updates, such as adding a note, will generate a new copy of the alert, but is_updated will be set to false.
type: boolean
- name: last_event_timestamp
description: Timestamp when the last event in the alert occurred
type: timestamp
timeFormat: rfc3339
- name: netconn_local_ip
description: IP address of the remote side of the network connection; stored as dotted decimal
type: string
indicators:
- ip
- name: netconn_local_ipv4
description: IPv4 address of the local side of the network connection; stored as a dotted decimal. Only one of ipv4 and ipv6 fields will be populated.
type: string
indicators:
- ip
- name: netconn_local_ipv6
description: IPv6 address of the local side of the network connection; stored as a string without octet-separating colon characters. Only one of ipv4 and ipv6 fields will be populated.
type: string
indicators:
- ip
- name: netconn_local_port
description: TCP or UDP port used by the local side of the network connection
type: int
- name: netconn_protocol
description: Network protocol of the network connection
type: string
- name: netconn_remote_domain
description: Domain name (FQDN) associated with the remote end of the network connection, if available
type: string
indicators:
- domain
- name: netconn_remote_ip
description: IP address of the local side of the network connection; stored as dotted decimal
type: string
indicators:
- ip
- name: netconn_remote_ipv4
description: IPv4 address of the remote side of the network connection; stored as dotted decimal. Only one of ipv4 and ipv6 fields will be populated.
type: string
indicators:
- ip
- name: netconn_remote_ipv6
description: IPv6 address of the remote side of the network connection; stored as a string without octet-separating colon characters. Only one of ipv4 and ipv6 fields will be populated.
type: string
indicators:
- ip
- name: netconn_remote_port
description: TCP or UDP port used by the remote side of the network connection; same as netconn_port and event_network_remote_port
type: int
- name: org_key
description: Unique alphanumeric string that identifies your organization in the Carbon Black Cloud
type: string
- name: parent_cmdline
description: Command line of the parent process
type: string
- name: parent_effective_reputation
description: Effective reputation of the parent process; applied by the sensor when the event occurred
type: string
- name: parent_guid
description: Unique process identifier assigned to the parent process
type: string
- name: parent_md5
description: MD5 hash of the parent process binary
type: string
indicators:
- md5
- name: parent_name
description: Filesystem path of the parent process binary
type: string
- name: parent_pid
description: Identifier assigned by the operating system to the parent process
type: string
- name: parent_reputation
description: Reputation of the parent process; applied by the Carbon Black Cloud when the event is initially processed
type: string
- name: parent_sha256
description: SHA-256 hash of the parent process binary
type: string
indicators:
- sha256
- name: parent_username
description: User context in which the parent process was executed
type: string
indicators:
- username
- name: policy_applied
description: Indicates whether or not a policy has been applied to any event associated with this alert
type: string
- name: primary_event_id
description: ID of the primary event in the alert
type: string
- name: process_cmdline
description: Command line executed by the actor process
type: string
- name: process_effective_reputation
description: Effective reputation of the actor hash
type: string
- name: process_guid
description: Guid of the process that has fired the alert (optional)
type: string
- name: process_issuer
description: The certificate authority associated with the process’s certificate
type: array
element:
type: string
- name: process_md5
description: MD5 hash of the actor process binary
type: string
indicators:
- md5
- name: process_name
description: Process names of an alert
type: string
- name: process_pid
description: PID of the process that has fired the alert (optional)
type: string
- name: process_publisher
description: Publisher name on the certificate used to sign the Windows or macOS process binary
type: array
element:
type: string
- name: process_reputation
description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud
type: string
- name: process_sha256
description: SHA-256 hash of the actor process binary
type: string
indicators:
- sha256
- name: process_username
description: User context in which the actor process was executed. MacOS - all users for the PID for fork() and exec() transitions. Linux - process user for exec() events, but in a future sensor release can be multi-valued due to setuid()
type: string
indicators:
- username
- name: reason
description: A spoken language written explanation of the what and why the alert occurred and any action taken, usually consisting of 1 to 3 sentences.
type: string
- name: reason_code
description: A unique short-hand code or GUID identifying the particular alert reason
type: string
- name: run_state
description: Whether the threat in the alert actually ran
type: string
- name: sensor_action
description: Actions taken by the sensor, according to the rules of a policy
type: string
- name: severity
description: Integer representation of the impact of alert if true positive
type: int
- name: threat_id
description: ID assigned to a group of alerts with common criteria, based on alert type
type: string
- name: type
description: Type of alert generated
type: string
required: true
- name: user_update_timestamp
description: Timestamp of the last property of an alert changed by a user, such as the alert workflow or determination
type: timestamp
timeFormat: rfc3339
- name: version
description: The version of the schema being emitted. e.g. 2.0.0
type: string
- name: workflow
description: Current workflow state of an alert. The workflow represents the flow from OPEN to IN_PROGRESS to CLOSED and captures who moved the alert into the current state. The history of these state transitions is available via the alert history route.
type: object
fields:
- name: change_timestamp
description: When the last status change occurred
type: timestamp
timeFormat: rfc3339
- name: changed_by
description: Who (or what) made the last status change
type: string
- name: changed_by_type
description: Type of user or system that made the last status change
type: string
- name: changed_by_autoclose_rule_id
description: The ID of the autoclose rule that closed the alert
type: string
- name: closure_reason
description: A more detailed description of why the alert was resolved
type: string
- name: status
type: string
- name: attack_tactic
description: A tactic from the MITRE ATT&CK framework; defines a reason for an adversary’s action, such as achieving credential access
type: string
- name: attack_technique
description: A technique from the MITRE ATT&CK framework; defines an action an adversary takes to accomplish a goal, such as dumping credentials to achieve credential access
type: string
- name: rule_category_id
description: ID representing the category of the rule_id for certain alert types
type: string
- name: rule_id
description: ID of the rule that triggered an alert; applies to Intrusion Detection System, Host-Based Firewall, TAU Intelligence, and USB Device Control alerts
type: string
- name: threat_category
description: Categories of threats which we were able to take action on
type: string
- name: ttps
description: Other potential malicious activities involved in a threat
type: array
element:
type: string
- name: connection_type
description: Connection Type
type: string
- name: egress_group_id
description: Unique identifier for the egress group
type: string
- name: egress_group_name
description: Name of the egress group
type: string
- name: ip_reputation
description: Range of reputations to accept for the remote IP
type: int
- name: k8s_cluster
description: K8s Cluster name
type: string
- name: k8s_kind
description: K8s Workload kind
type: string
- name: k8s_namespace
description: K8s namespace
type: string
- name: k8s_pod_name
description: Name of the pod within a workload
type: string
- name: k8s_policy
description: Name of the K8s policy
type: string
- name: k8s_policy_id
description: Unique identifier for the K8s policy
type: string
- name: k8s_rule
description: Name of the K8s policy rule
type: string
- name: k8s_rule_id
description: Unique identifier for the K8s policy rule
type: string
- name: k8s_workload_name
description: K8s Workload Name
type: string
- name: remote_is_private
description: Is the remote information private true or false
type: boolean
- name: remote_k8s_kind
description: Kind of remote workload; set if the remote side is another workload in the same cluster
type: string
- name: remote_k8s_namespace
description: Namespace within the remote workload’s cluster; set if the remote side is another workload in the same cluster
type: string
- name: remote_k8s_pod_name
description: Remote workload pod name; set if the remote side is another workload in the same cluster
type: string
- name: remote_k8s_workload_name
description: Name of the remote workload; set if the remote side is another workload in the same cluster
type: string
- name: external_device_friendly_name
description: Human-readable external device names
type: string
- name: product_id
description: IDs of the product that identifies USB devices
type: string
- name: product_name
description: Names of the product that identifies USB devices
type: string
- name: serial_number
description: Serial numbers of USB devices
type: string
- name: vendor_id
description: IDs of the vendor that identifies USB devices
type: string
- name: vendor_name
description: Names of the vendors who produced the devices
type: string
- name: threat_name
description: Name of the threat
type: string
- name: tms_rule_id
description: Detection id
type: string
- name: ioc_field
description: The field the indicator of comprise (IOC) hit contains
type: string
- name: ioc_hit
description: IOC field value or IOC query that matches
type: string
- name: ioc_id
description: Unique identifier of the IOC that generated the watchlist hit
type: string
- name: ml_classification_final_verdict
description: Final verdict of the alert, based on the ML models that were used to make the prediction.
type: string
- name: ml_classification_global_prevalence
description: Categories (low/medium/high) used to describe the prevalence of alerts across all regional organizations.
type: string
- name: ml_classification_org_prevalence
description: Categories (low/medium/high) used to describe the prevalence of alerts within an organization.
type: string
- name: report_description
description: Description of the report
type: string
- name: report_id
description: Report IDs that contained the IOC that caused a hit
type: string
- name: report_link
description: Link of reports that contained the IOC that caused a hit
type: string
indicators:
- url
- name: report_name
description: Name of the watchlist report
type: string
- name: report_tags
description: Tags associated with the watchlist report
type: array
element:
type: string
- name: watchlists
description: List of watchlists associated with an alert. Alerts are batched hourly
type: array
element:
type: object
fields:
- name: id
description: Unique identifier of the watchlist
type: string
- name: name
description: Name of the watchlist
type: string
- name: mdr_alert
description: Is the alert eligible for review by Carbon Black MDR Analysts?
type: boolean
- name: mdr_alert_notes_present
description: Customer visible notes at the alert level that were added by an MDR analyst
type: boolean
- name: mdr_determination
description: MDR updatable classification of the alert
type: object
fields:
- name: change_timestamp
description: When the MDR determination was last changed
type: timestamp
timeFormat: rfc3339
- name: value
description: A record that identifies the whether the alert was determined to represent a likely or unlikely threat.
type: string
- name: mdr_workflow
description: MDR-updatable workflow of the alert
type: object
fields:
- name: change_timestamp
description: When the MDR workflow was last changed
type: timestamp
timeFormat: rfc3339
- name: status
type: string
description: Primary value used to capture status change during MD Analyst’s alert triage
- name: is_assigned
type: boolean
description: Indicates whether the alert is assigned or notCarbonBlack.EndpointEvent
schema: CarbonBlack.EndpointEvent
description: Endpoint events from CarbonBlack
referenceURL: https://developer.carbonblack.com/reference/carbon-black-cloud/data-forwarder/schema/latest/endpoint.event-1.0.0/
fields:
- name: action
description: Specific endpoint action observed by sensor during this event.
type: string
required: true
- name: backend_timestamp
description: Time when the backend received the batch of events, based on Carbon Black Cloud backend’s clock as an RFC 3339 formatted time string based on UTC to the seconds; may differ from device_timestamp by a few minutes due to asynchronous processing
type: timestamp
timeFormats:
- '%Y-%m-%d %H:%M:%S %z %Z'
- name: device_group
description: Sensor group to which the endpoint was assigned when the sensor recorded the event data
type: string
- name: device_id
description: ID of the device that created this event
type: string
- name: device_name
description: Hostname of the device that created this event
type: string
- name: device_os
description: OS Type of device (Windows/OSX/Linux)
type: string
- name: device_timestamp
description: Time seen on sensor, based on sensor’s clock in RFC 3339 UTC format to seconds
type: timestamp
timeFormats:
- '%Y-%m-%d %H:%M:%S.%N %z %Z'
- '%Y-%m-%d %H:%M:%S %z %Z'
required: true
isEventTime: true
- name: event_origin
description: Indicates which product the event came from.
type: string
- name: org_key
description: The organization key associated with the console instance. Can be used to disambiguate events from different Carbon Black Cloud tenant organizations.
type: string
- name: parent_guid
description: Unique ID of parent process.
type: string
- name: parent_hash
description: Cryptographic hashes of the executable file backing the parent process, represented as an array of two elements - MD5 and SHA-256 hash
type: array
element:
type: string
indicators:
- md5
- sha256
- name: parent_path
description: Full path to the executable file backing the parent process on the device’s file system
type: string
- name: parent_pid
description: OS-reported Process ID of the parent process
type: string
- name: parent_reputation
description: Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud
type: string
- name: process_cmdline
description: Command line executed by the actor process
type: string
- name: process_fork_pid
description: The PID of a process forked from the actor on *nix systems. If process_pid != process_fork_pid, the current process was forked from original process_pid.
type: string
- name: process_guid
description: Unique ID of process.
type: string
- name: process_hash
description: Cryptographic hashes of the executable file backing this process, represented as an array of two elements - MD5 and SHA-256 hash
type: array
element:
type: string
indicators:
- md5
- sha256
- name: process_path
description: Full path to the executable file backing this process on the device’s file system
type: string
- name: process_pid
description: OS-reported Process ID of the current process
type: string
- name: process_reputation
description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud
type: string
- name: process_username
description: The username associated with the user context that this process was started under
type: string
indicators:
- username
- name: schema
description: The schema version. The current schema version is 1.
type: string
- name: sensor_action
description: Included if the sensor blocked the event or terminated the application due to security policy
type: string
- name: target_cmdline
description: Process command line associated with the target process
type: string
- name: type
description: The event type. Use this field to determine which fields should be expected per the specs below.
type: string
required: true
- name: alert_id
description: The ID of the Alert this event is associated with
type: string
- name: device_external_ip
description: IP address of the host as seen by the backend (the public IPv4 or IPv6 address used to contact the Carbon Black Cloud)
type: string
indicators:
- ip
- name: event_description
description: Long textual description of the event as seen in the Carbon Black Cloud web console
type: string
- name: event_id
description: Internal Endpoint Standard event ID associated with this specific event — this event ID can be used to find the specific event in the Carbon Black Cloud web console
type: string
- name: process_terminated
description: True if process was terminated. Always FALSE for Endpoint Standard events
type: boolean
- name: parent_cmdline
description: Process command line associated with the parent process
type: string
- name: process_duration
description: The time difference in seconds between the process start and process terminate event
type: float
- name: process_publisher
description: Array with objects of two keys, “name” and “state”. Each array entry is a signature entry for the process as reported by the endpoint
type: array
element:
type: object
fields:
- name: name
description: Name of the publisher
type: string
- name: state
description: State of the publisher
type: string
- name: crossproc_api
description: Name of the operating system API called by the actor process. In cases where that call targets another process, that process is reported as crossproc_name. In cases where there is no target process, this field represents a system API call.
type: string
- name: crossproc_action
description: The action taken by the operating system API called by the actor process
type: string
- name: crossproc_guid
description: Unique ID of the cross process
type: string
- name: crossproc_hash
description: Cryptographic hashes of the target of the crossproc event — this is represented as an array of two elements, MD5 and SHA-256 hash
type: array
element:
type: string
indicators:
- md5
- sha256
- name: crossproc_name
description: Full path to the target of the crossproc event on the device’s local file system
type: string
- name: crossproc_publisher
description: Each array entry is a signature entry for the crossproc as reported by the endpoint
type: array
element:
type: object
fields:
- name: name
description: Name of the publisher
type: string
- name: state
description: State of the publisher
type: string
- name: crossproc_reputation
description: Carbon Black Cloud Reputation string for the crossproc.
type: string
- name: crossproc_target
description: True if the process was the target of the cross-process event; false if the process was the actor
type: boolean
- name: filemod_hash
description: Cryptographic hashes of the file modified — this is represented as an array of two elements, MD5 and SHA-256 hash
type: array
element:
type: string
indicators:
- md5
- sha256
- name: filemod_name
description: Full path to the file being modified on the device’s file system
type: string
- name: fileless_scriptload_cmdline
description: Command line executed by the actor process
type: string
- name: fileless_scriptload_cmdline_length
description: Character count of the deobfuscated script content run in a fileless context
type: bigint
- name: fileless_scriptload_hash
description: SHA-256 hash(es) of the deobfuscated script content run by the process in a fileless context
type: json
- name: modload_count
description: Count of modload events reported by the sensor since last initialization
type: bigint
- name: modload_effective_reputation
description: Effective reputation(s) of the loaded module(s); applied by the sensor when the event occurred
type: json
- name: modload_hash
description: MD5 or SHA-256 hash(es) of the module(s) loaded by the process
type: json
- name: modload_md5
description: MD5 hash of the module loaded by the process
type: string
indicators:
- md5
- name: modload_name
description: Full path to the module being loaded on the device’s file system
type: string
- name: modload_publisher
description: Each array entry is a signature entry for the moduleload as reported by the endpoint
type: array
element:
type: object
fields:
- name: name
description: Name of the publisher
type: string
- name: state
description: State of the publisher
type: string
- name: modload_sha256
description: SHA-256 hash of the module loaded by the process
type: string
indicators:
- sha256
- name: local_ip
description: Pv4 or IPv6 address in string format associated with the “local” end of this network connection
type: string
indicators:
- ip
- name: local_port
description: UDP/TCP port number associated with the “local” end of this network connection
type: int
- name: netconn_domain
description: DNS name associated with the “remote” end of this network connection
type: string
indicators:
- hostname
- name: netconn_inbound
description: Set to true if the netconn is inbound
type: boolean
- name: netconn_protocol
description: String UDP or TCP protocol identifier
type: string
- name: remote_ip
description: IPv4 or IPv6 address in string format associated with the “remote” end of this network connection
type: string
indicators:
- ip
- name: remote_port
description: UDP/TCP port number associated with the “remote” end of this network connection
type: int
- name: netconn_proxy_domain
description: DNS name associated with the “proxy” end of this network connection
type: string
indicators:
- hostname
- name: netconn_proxy_ip
description: Pv4 or IPv6 address in string format associated with the “proxy” end of this network connection
type: string
indicators:
- ip
- name: netconn_proxy_port
description: UDP/TCP port number associated with the “proxy” end of this network connection
type: int
- name: childproc_guid
description: Unique ID of the child process.
type: string
- name: childproc_hash
description: Cryptographic hashes of the executable file backing the child process, represented as an array of two elements - MD5 and SHA-256 hash
type: array
element:
type: string
indicators:
- md5
- sha256
- name: childproc_name
description: Full path to the target application for the child process on the device’s local file system
type: string
- name: childproc_pid
description: OS-reported Process ID of the child process
type: string
- name: childproc_publisher
description: Each array entry is a signature entry for the childproc as reported by the endpoint
type: array
element:
type: object
fields:
- name: name
description: Name of the childproc publisher
type: string
- name: state
description: State of the childproc publisher
type: string
- name: childproc_reputation
description: Carbon Black Cloud Reputation string for the childproc
type: string
- name: childproc_username
description: The username associated with the user context that the child process was started under
type: string
indicators:
- username
- name: regmod_name
description: Full path to the registry key, including the hive, being modified on the Windows device’s registry
type: string
- name: scriptload_effective_reputation
description: Effective reputation(s) of the loaded script(s); applied by the sensor when the event occurred
type: json
- name: scriptload_hash
description: MD5 and/or SHA-256 hash(es) of the filesystem script file loaded at process launch
type: json
- name: scriptload_name
description: Filesystem path of script file(s) loaded at process launch
type: string
- name: scriptload_publisher
description: Each array entry is a signature entry for the scriptload as reported by the endpoint
type: array
element:
type: object
fields:
- name: name
description: Name of the scriptload publisher
type: string
- name: state
description: State of the scriptload publisher
type: string
- name: scriptload_reputation
description: Reputation(s) of the loaded script(s); applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud
type: json
- name: process_loaded_script_hash
description: SHA-256 hash(es) of any script loaded from the filesystem through the duration of the process; compare with fileless_scriptload_hash
type: json
- name: process_loaded_script_name
description: Filesystem path(s) of any script content loaded from the filesystem through the duration of the process; compare with fileless_scriptload_cmdline, scriptload_content
type: string
- name: scriptload_content
description: Deobfuscated script content (string, binary, or raw executable image) loaded from the filesystem at process launch; compare with fileless_scriptload_cmdline, process_loaded_script_name
type: string
- name: scriptload_count
description: Count of scriptload events across all processes reported by the sensor since the last initialization
type: bigint
- name: scriptload_content_length
description: Character count of the deobfuscated filesystem script; compare with fileless_scriptload_cmdline_length
type: bigintCarbonBlack.WatchlistHit
schema: CarbonBlack.WatchlistHit
description: Watchlist hits from CarbonBlack
referenceURL: https://developer.carbonblack.com/reference/carbon-black-cloud/data-forwarder/schema/latest/watchlist.hit-1.0.0/
fields:
- name: alert_id
description: The ID of the Alert this watchlist hit is associated with
type: string
- name: create_time
description: The time the watchlist hit was created in ISO 8601 UTC timestamp format to milliseconds
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
required: true
- name: device_external_ip
description: IP address of the endpoint from the perspective of the Carbon Black Cloud. Can differ from device_internal_ip due to network proxy or NAT. Can be either IPv4 or IPv6.
type: string
indicators:
- ip
- name: device_id
description: Integer ID of the device that created this watchlist hit
type: string
required: true
- name: device_internal_ip
description: IP address of the endpoint as reported by the sensor. Can be either IPv4 or IPv6.
type: string
indicators:
- ip
- name: device_name
description: Hostname of the device that created this watchlist hit
type: string
- name: device_os
description: OS Type of device (Windows/OSX/Linux)
type: string
- name: device_uem_id
description: Unified Endpoint Management identifier assigned by VMware Workspace ONE Intelligence, only populated if the Workspace ONE integration is configured.
type: string
- name: ioc_field
description: Field the IOC hit contains
type: string
- name: ioc_hit
description: IOC field value, or IOC query that matches
type: string
- name: ioc_id
description: ID of the IOC that caused the hit
type: string
required: true
- name: schema
description: The schema version. The current schema version is 1.
type: string
- name: org_key
description: The organization key associated with the console instance. Can be used to disambiguate alerts from different customers/organizations.
type: string
- name: parent_cmdline
description: Command line executed by the parent process
type: string
- name: parent_guid
description: Unique ID of parent process.
type: string
- name: parent_hash
description: Cryptographic hashes of the executable file backing the parent process, represented as an array of two elements - MD5 and SHA-256 hash
type: array
element:
type: string
indicators:
- md5
- sha256
- name: parent_path
description: Full path to the executable file backing the parent process on the device’s file system
type: string
- name: parent_pid
description: OS-reported Process ID of the parent process
type: string
- name: parent_publisher
description: Each array entry is a signature entry for the parent process as reported by the endpoint
type: array
element:
type: object
fields:
- name: name
description: Name of the publisher
type: string
- name: state
description: State of the publisher
type: string
- name: parent_reputation
description: Reputation of the parent process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud
type: string
- name: parent_username
description: The username associated with the user context that the parent process was started under
type: string
indicators:
- username
- name: process_cmdline
description: Command line executed by the actor process
type: string
- name: process_guid
description: Unique ID of process.
type: string
- name: process_hash
description: Cryptographic hashes of the executable file backing this process, represented as an array of two elements - MD5 and SHA-256 hash
type: array
element:
type: string
indicators:
- md5
- sha256
- name: process_path
description: Full path to the executable file backing this process on the device’s file system
type: string
- name: process_pid
description: OS-reported Process ID of the current process
type: string
- name: process_publisher
description: Each array entry is a signature entry for the actor process as reported by the endpoint
type: array
element:
type: object
fields:
- name: name
description: Name of the publisher
type: string
- name: state
description: State of the publisher
type: string
- name: process_reputation
description: Reputation of the actor process; applied when event is processed by the Carbon Black Cloud i.e. after sensor delivers event to the cloud
type: string
- name: process_username
description: The username associated with the user context that this process was started under
type: string
indicators:
- username
- name: report_id
description: ID of the watchlist report(s) that detected a hit on the process
type: string
- name: report_name
description: Name of the watchlist report(s) that detected a hit on the process
type: string
- name: report_tags
description: List of tags associated with the report(s) that detected a hit on the process
type: array
element:
type: string
- name: severity
description: The severity of the watchlist hit
type: int
- name: type
description: The watchlist hit type
type: string
- name: watchlists
description: List of watchlists that contain the report of the ioc hit
type: array
element:
type: object
fields:
- name: id
description: ID of the watchlist
type: string
- name: name
description: Name of the watchlist
type: stringLast updated
