Process Search Fields API for Enterprise EDR
Carbon Black Cloud Enterprise EDR (Endpoint Detection and Response) is the new name for the product formerly called CB ThreatHunter.
Process search fields
This page describes the fields that can be used for searching, with the following additional information:
- Data type describes the type of data returned. The special type tokenized indicates a string that is tokenized and can be searched by a partial phrase. If the type is followed by [], the field contains an array of elements.
- Returned indicates that the given field is returned in the search results. If not, the field can only be used as a query term and is not returned as part of the result.
- DocValues indicates that the given field is stored as docvalues and can be sorted on. In addition, if a field is not marked as “returned” but has docvalues, it can be returned through the explicit fl=field_name Solr syntax.
- Searchable indicates that the field can be searched. Some fields can only be used as a query term, while others are only returned in search results.
- Supports Facets indicates that the field can be used in faceting expressions.
Field Name | Data Type | Returned | DocValues | Searchable | Supports Facets | Description |
---|---|---|---|---|---|---|
document_guid | string | Yes | No | Yes | Yes | Unique id of solr document. Built as process_guid+server-side timestamp in epoch ms (1/1/1970 based) |
process_guid | string | Yes | Yes | Yes | Yes | Unique id of process (same as document_guid above but without the timestamp suffix). |
parent_guid | string | Yes | No | Yes | No | process_guid of parent process |
backend_timestamp | date | No | Yes | Yes | No | Time when backend received the batch of events in this document, based on backend’s clock. ISO 8601 formatted time string based on UTC |
org_id | string | Yes | Yes | Yes | Yes | Globally unique organization key (will likely be Carbon Black Cloud organization id + environment id or some other unique token used across environments) |
legacy | boolean | Yes | No | Yes | No | True if process document came from the legacy data stream |
ttp | string[] | No | Yes | Yes | Yes | Patterns of behavior (i.e., tactics, techniques, procedures) associated with a specific threat actor or group of threat actors |
alert_id | string[] | Yes | No | Yes | No | Alert IDs associated with the process |
sensor_action | string[] | Yes | No | Yes | No | Sensor actions associated with the process. This field is set only if one of the following actions has been performed: BLOCK (child process execution was blocked by the CB Sensor), TERMINATE (process was terminated by the CB Sensor) |
blocked_hash | string[] | Yes | No | Yes | No | Hashes of child processes blocked by the CB Sensor |
device_id | long | Yes | Yes | Yes | Yes | Device id that is guaranteed to be unique within each Carbon Black Cloud environment, which is a set of organizations |
device_name | string | Yes | Yes | Yes | Yes | Name of device |
device_external_ip | string | No | Yes | Yes | No | IP address of the host (as reported by the backend - could be different than self_reported_device_ip due to proxying, NATing, etc.). Can be either IPv4 or IPv6 |
device_os | string | No | Yes | Yes | Yes | OS Type of device (Windows/OSX/Linux) |
device_group | string | No | Yes | Yes | Yes | Policy group where device belongs |
device_group_id | string | No | Yes | Yes | Yes | Id of policy group where device belongs |
device_timestamp | date | Yes | Yes | Yes | No | Time seen on sensor, based on sensor’s clock. ISO 8601 formatted time string based on UTC |
device_internal_ip | string | No | Yes | No | No | IP address of the host (as reported by the host). Can be either IPv4 or IPv6 |
process_terminated | boolean | Yes | No | Yes | No | True if process was terminated |
process_reputation | string | No | Yes | Yes | No | Reputation of given process as provided by the CDC |
process_effective_reputation | string | No | Yes | Yes | No | Reputation of given process as calculated by the sensor. |
parent_reputation | string | No | Yes | Yes | No | Reputation of parent process as provided by the CDC |
modload_count ¹ | int | Yes | Yes | Yes | No | Cumulative counts of module loads since process tracking started |
filemod_count ¹ | int | Yes | Yes | Yes | No | Cumulative counts of file modifications since process tracking started |
regmod_count ¹ | int | Yes | Yes | Yes | No | Cumulative counts of registry modifications since process tracking started |
netconn_count ¹ | int | Yes | Yes | Yes | No | Cumulative counts of network connections since process tracking started |
childproc_count ¹ | int | Yes | Yes | Yes | No | Cumulative counts of child process creations since process tracking started |
crossproc_count ¹ | int | Yes | Yes | Yes | No | Cumulative counts of cross-process events since process tracking started |
process_pid | int[] | Yes | No | Yes | No | PID of a process. Can be multi-valued in case of exec/fork on Linux/OSX |
parent_pid | int | Yes | No | Yes | No | PID of parent process |
process_publisher_state | string[] | No | No | Yes | No | Certificate signature state as string (from protobuf) |
process_publisher | tokenized[] | No | No | Yes | No | Certificate signer names |
process_product_version | tokenized[] | No | No | Yes | No | Product version associated with the process executable (from the binary resource) |
process_original_filename | tokenized[] | No | No | Yes | No | Original file name of the process executable (from the binary resource) |
process_file_description | tokenized[] | No | No | Yes | No | File description of the process executable (from the binary resource) |
process_product_name | tokenized[] | No | No | Yes | No | Product name associated with the process executable (from the binary resource) |
process_name | tokenized | Yes | Yes | Yes | Yes | Tokenized file path of the process' main module |
parent_name | tokenized | No | Yes | Yes | Yes | Tokenized file path of the parent process' main module |
process_hash | string[] | Yes | Yes | Yes | Yes | MD5 and SHA-256 hashes of process' main module |
parent_hash | string[] | No | Yes | Yes | No | MD5 and SHA-256 hashes of parent process' main module |
process_cmdline | tokenized[] | No | Yes | Yes | No | Command lines related to the process. Uses a special tokenization algorithm |
process_username | string[] | Yes | Yes | Yes | No | Usernames related to the process. Uses a special tokenization algorithm |
hash | string[] | No | No | Yes | No | Aggregate set of all MD5 and SHA-256 hashes associated with the process (process_hash, childproc_hash, crossproc_hash, filemod_hash and hash of the modload event) - useful for searching by hash |
childproc_name | tokenized[] | No | No | Yes | No | Tokenized file path of the child process' main module |
childproc_hash | string[] | No | No | Yes | No | MD5 and SHA-256 hashes of child process' main module |
crossproc_name | tokenized[] | No | No | Yes | No | Tokenized file paths of the main module of the other processes from the crossproc action |
crossproc_hash | string[] | No | No | Yes | No | MD5 and SHA-256 hashes of the main module of the other processes from the crossproc action |
crossproc_action | string | No | No | Yes | No | Type of crossproc actions, as defined in protobuf schema |
crossproc_target | boolean | No | No | Yes | No | True if the process was a target of the crossproc action. False if it was an actor. |
crossproc_api | string | No | No | Yes | No | Name of system API call made by the process. API calls will in some cases have a target |
filemod_hash | string[] | No | No | Yes | No | MD5 and SHA-256 hashes of the files modified by the process |
filemod_name | tokenized[] | No | No | Yes | No | Tokenized paths of the files modified by the process |
modload_name | tokenized[] | No | No | Yes | No | Tokenized paths of the modules loaded by the process |
scriptload_path | tokenized[] | No | No | Yes | No | Tokenized paths of the scripts loaded by the process |
regmod_name | tokenized[] | No | No | Yes | No | Tokenized paths of the registry keys modified by the process |
netconn_port | int | No | No | Yes | No | Port of the network connection attempted by the process (remote port for outgoing connection, local port for incoming connection) |
netconn_ipv4 | tokenized | No | No | Yes | Yes | IPv4 address related to the network connection of the process as integer, so that it can be easily filtered by range |
netconn_ipv6 | tokenized | No | No | Yes | Yes | IPv6 address related to the network connection of the process as strings |
netconn_domain | tokenized | No | No | Yes | No | Domain name (target FQDN) related to the outbound network connection of the process (if available) |
netconn_inbound | boolean | No | No | Yes | No | True if the network connection was inbound. False if the network connection was outbound. |
netconn_failed | boolean | No | No | Yes | No | True if the network connection attempt failed. If successful, this field is not set |
netconn_location | tokenized | No | No | No | No | Geo location of the remote network connection. Geo location is tokenized to contain City, Region/State and Country |
report_id | int | No | No | Yes | No | Id of the report that tagged the process |
report_watchlist_id | int[] | No | No | Yes | No | Id of the watchlists related to the report that tagged the process |
report_severity | int | No | No | Yes | No | Severity of the report that tagged the process [1..10] |
watchlist_hit | string[] | Yes | Yes | No | No | Aggregated values of the other report tag fields in the following format: “<report_watchlist_id>:<report_id>:<report_severity>”. There is one value for each watchlist hit. |
Notes:
- ¹ Counts are from either process start or discovery time. Also, the sensor doesn’t persist this information across restarts, so counts start again from zero if the sensor is restarted.
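The watchlist_hit values described in the table are the quickest way to triage a returned process document. The following helper is an added example (not part of the Carbon Black documentation); it parses the documented "<report_watchlist_id>:<report_id>:<report_severity>" format and summarises the hits of one result. The sample document and its ids are constructed.

```python
from typing import Dict, List, NamedTuple


class WatchlistHit(NamedTuple):
    watchlist_id: int
    report_id: int
    severity: int  # documented range is 1..10


def parse_watchlist_hit(value: str) -> WatchlistHit:
    """Split one watchlist_hit string into its three integer parts."""
    parts = value.split(":")
    if len(parts) != 3:
        raise ValueError(f"unexpected watchlist_hit format: {value!r}")
    hit = WatchlistHit(*(int(p) for p in parts))
    if not 1 <= hit.severity <= 10:
        raise ValueError(f"severity outside documented range 1..10: {value!r}")
    return hit


def summarize_hits(result: Dict) -> Dict:
    """Summarise one process search result's watchlist_hit array.

    Returns the highest report severity plus the distinct watchlist and
    report ids. A document with no hits yields severity 0.
    """
    hits: List[WatchlistHit] = [
        parse_watchlist_hit(v) for v in result.get("watchlist_hit", [])
    ]
    return {
        "max_severity": max((h.severity for h in hits), default=0),
        "watchlist_ids": sorted({h.watchlist_id for h in hits}),
        "report_ids": sorted({h.report_id for h in hits}),
    }


# Constructed sample document: guid, path and all ids are made up for illustration.
SAMPLE_RESULT = {
    "process_guid": "EXAMPLE-GUID-PLACEHOLDER",
    "process_name": "c:\\windows\\system32\\cmd.exe",
    "watchlist_hit": ["11:2001:7", "11:2002:9", "42:3001:3"],
}

if __name__ == "__main__":
    print(summarize_hits(SAMPLE_RESULT))
```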
Special String Field Values
Some search fields can only take specific values and should be treated as ‘enums’.
Reputation
Fields: process_reputation, parent_reputation
Reputation level from CDC. Possible values:
- UNKNOWN
- COMPROMISED
- DLP
- IGNORE
- TRUSTED_WHITE_LIST
- ADAPTIVE_WHITE_LIST
- PUP
- ADWARE
- HEURISTIC
- SUSPECT_MALWARE
- KNOWN_MALWARE
- ADMIN_RESTRICTED
- COMPANY_BLACK_LIST
- NOT_LISTED
- COMMON_WHITE_LIST
- COMPANY_GREY_LIST
- NOT_COMPANY_WHITE_LIST
- COMPANY_WHITE_LIST
Cross-process Action
Fields: crossproc_action
Cross-process action that was recorded for the process. Possible values:
- ACTION_DUP_PROCESS_HANDLE - Process has initiated cross-process process handle duplication in the target process
- ACTION_OPEN_THREAD_HANDLE - Process has initiated cross-process thread handle open in the target process
- ACTION_DUP_THREAD_HANDLE - Process has initiated cross-process thread handle duplication in the target process
- ACTION_CREATE_REMOTE_THREAD - Process has initiated remote thread creation in the target process
Publisher States
Fields: process_publisher_state
State of one or more of the publishers associated with the main module of the process.
The field is of type Integer and contains OR-ed flags that indicate the signature state. Possible values:
- 1 - FILE_SIGNATURE_STATE_SIGNED - File is signed but signature is not guaranteed to be valid
- 2 - FILE_SIGNATURE_STATE_VERIFIED - the signature is valid, signed will always be set
- 4 - FILE_SIGNATURE_STATE_NOT_SIGNED - File is not signed
- 8 - FILE_SIGNATURE_STATE_UNKNOWN - Initial state of all files, is also used when signature verification does not succeed
- 16 - FILE_SIGNATURE_STATE_CHAINED - The signature chains to a locally trusted root certificate
- 32 - FILE_SIGNATURE_STATE_TRUSTED - Signature state is Trusted
- 64 - FILE_SIGNATURE_STATE_OS - File is signed as a component of the OS
- 128 - FILE_SIGNATURE_STATE_CATALOG_SIGNED - File is signed through the catalog
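Because the value is a bitmask, a raw integer such as 67 tells an analyst little until it is decoded. The decoder below is an added example (not from the Carbon Black documentation) using the eight flag values listed above; it rejects undocumented bits and checks the stated rule that VERIFIED is always accompanied by SIGNED.

```python
from typing import List

# Flag values exactly as documented for process_publisher_state.
SIGNATURE_STATE_FLAGS = {
    1: "FILE_SIGNATURE_STATE_SIGNED",
    2: "FILE_SIGNATURE_STATE_VERIFIED",
    4: "FILE_SIGNATURE_STATE_NOT_SIGNED",
    8: "FILE_SIGNATURE_STATE_UNKNOWN",
    16: "FILE_SIGNATURE_STATE_CHAINED",
    32: "FILE_SIGNATURE_STATE_TRUSTED",
    64: "FILE_SIGNATURE_STATE_OS",
    128: "FILE_SIGNATURE_STATE_CATALOG_SIGNED",
}
_KNOWN_BITS = sum(SIGNATURE_STATE_FLAGS)  # 255


def decode_signature_state(state: int) -> List[str]:
    """Return the names of the flags set in `state`, lowest bit first.

    Bits outside the documented 1..128 range raise ValueError rather than
    being silently dropped, so an unexpected value is noticed.
    """
    if state < 0 or state & ~_KNOWN_BITS:
        raise ValueError(f"undocumented signature state bits in {state}")
    return [name for bit, name in SIGNATURE_STATE_FLAGS.items() if state & bit]


def is_verified_signature(state: int) -> bool:
    """True only when VERIFIED is set.

    The page states that SIGNED is always set alongside VERIFIED; a value
    that breaks that invariant is treated as malformed.
    """
    flags = decode_signature_state(state)
    verified = "FILE_SIGNATURE_STATE_VERIFIED" in flags
    if verified and "FILE_SIGNATURE_STATE_SIGNED" not in flags:
        raise ValueError(f"VERIFIED without SIGNED is inconsistent: {state}")
    return verified


if __name__ == "__main__":
    # 67 = SIGNED | VERIFIED | OS, a constructed value for illustration.
    print(decode_signature_state(67))
```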
Special Tokenizations
Some fields are tokenized to allow more efficient searches.
File Path Tokenization
Fields: process_name, parent_name, filemod_name, childproc_name, crossproc_name, modload_name, scriptload_name, regmod_name
Search for path hierarchies. Use the slash (/) character or escaped backslash (\\) characters, and enclose the value in double quotes if the path contains colon or space characters. Exclude any leading path separator. File extension searching is also supported.
Search examples:
- process_name:"c:/windows/system32/cmd.exe"
- filemod_name:.wcry
- regmod_name:myregkey/myregvalue
- modload_name:downloads\\myfile.exe
- parent_name:"c:/program files"
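Applying the path rules by hand is error-prone when a query is built from a Windows path copied out of another tool. The helper below is an added example (not from the Carbon Black documentation) that produces a term for the listed path fields: it picks the slash form, drops any leading separator and quotes values containing a colon or space, reproducing the examples above. The field-name set is taken from this page; the function itself is mine.

```python
PATH_FIELDS = {
    "process_name", "parent_name", "filemod_name", "childproc_name",
    "crossproc_name", "modload_name", "scriptload_name", "regmod_name",
}


def path_term(field: str, path: str) -> str:
    """Return `field:value` with the value normalised per the tokenization rules.

    - backslashes become forward slashes (the page also permits the escaped
      backslash form; this helper always uses slashes)
    - any leading path separator is removed
    - the value is double-quoted when it contains a colon or a space
    - a bare extension such as ".wcry" passes through unchanged
    """
    if field not in PATH_FIELDS:
        raise ValueError(f"{field} is not a tokenized file path field")
    value = path.replace("\\", "/").lstrip("/")
    if not value:
        raise ValueError("path is empty after removing leading separators")
    if '"' in value:
        raise ValueError("a double quote cannot appear inside a quoted term")
    if ":" in value or " " in value:
        value = f'"{value}"'
    return f"{field}:{value}"


if __name__ == "__main__":
    # Constructed inputs; the first two reproduce examples from this page.
    print(path_term("process_name", "c:\\windows\\system32\\cmd.exe"))
    print(path_term("modload_name", "\\downloads\\myfile.exe"))
```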
Domain Name Tokenization
Fields: netconn_domain
Search for any part of the domain. Start or end with ‘.’ to only look for a prefix or suffix.
Search examples:
- netconn_domain:.google.com
- netconn_domain:.ru
- netconn_domain:www.google.com
IPv4 Address Tokenization
Fields: netconn_ipv4
Search examples:
- netconn_ipv4:192.168.0.10
- netconn_ipv4:192.168.0.0/24
IPv6 Address Tokenization
Fields: netconn_ipv6
Search examples:
- netconn_ipv6:"2001:0db8:85a3:0000:0000:8a2e:0370:7334"
- netconn_ipv6:"2001:db8::/127"
Command Line Tokenization
Fields: process_cmdline
Words in the command line can be searched, along with switches (-x /x) and file extensions.
Search examples:
- process_cmdline:"d:/path/myprogram.vbs /v"
- process_cmdline:"d:"
- process_cmdline:.vbs
- process_cmdline:"/v"
Other Field Types
Boolean
Fields: process_terminated
Boolean value with possible values: true and false
Search Example: process_terminated:true
Date
Fields: device_timestamp, backend_timestamp
Date/time field formatted as ISO 8601 string based on UTC timezone
Search Examples: device_timestamp:2018-03-14T21:06:45.183Z
Last modified on January 18, 2022