Carbon Black EDR (Endpoint Detection and Response) is the new name for the product formerly called CB Response.

This document catalogs the different event types emitted by the cb-event-forwarder and the common key/value pairs that will be seen in the JSON or LEEF output from the tool.

Carbon Black events can be generalized into two categories: events generated by the server and raw endpoint events. Server-generated events include watchlist and feed hits, notifications of new binary uploads, and alert notifications. Server-generated events are relatively low volume and are minimally processed by the cb-event-forwarder as the data is already sent to the event-forwarder in JSON format.

Raw endpoint events, on the other hand, can be extremely high volume - especially file modification, module load and registry modification messages. These messages are encoded in a compact binary format and specific fields from each message are pulled by the cb-event-forwarder to populate the output JSON or LEEF format.

Server generated events

Event ID	Description
alert.watchlist.hit.ingress.host	This event happens when an alert is triggered as a result of a watchlist indicator matching a host
alert.watchlist.hit.ingress.binary	This event happens when an alert is triggered as a result of a watchlist indicator matching a binary
alert.watchlist.hit.ingress.process	This event happens when an alert is triggered as a result of a watchlist indicator matching a process
alert.watchlist.hit.query.binary	This event happens when an alert is triggered as a result of a watchlist query matching a binary
alert.watchlist.hit.query.process	This event happens when an alert is triggered as a result of a watchlist query matching a process
binaryinfo.host.observed	This event happens when a new binary is observed for the first time on a specific host
binaryinfo.group.observed	This event happens when a new binary is observed for the first time in a sensor group
binaryinfo.observed	This event happens when a new binary is observed for the first time anywhere in the environment
binarystore.file.added	This event happens when a copy of a new binary has arrived at the Carbon Black server. It can be used to trigger external services, such as binary analysis or signature matching
feed.ingress.hit.host	This event happens when an intelligence feed indicator matches a host. This triggers on 3 IOCs IPv4 addresses, domain names, and md5s described in the feed documentation
feed.ingress.hit.binary	This event happens when an intelligence feed indicator matches a new binary upon ingest. Note that the binary may not be visible in the Carbon Black UI or searches until it’s been committed in SOLR (may take ~15 minutes). As above, this triggers 3 IOCs IPv4 addresses, domain names, and md5s
feed.ingress.hit.process	This event occurs when an intelligence feed indicator matches a new process upon ingest. Note that the process may not be visible in the Carbon Black UI or searches until it’s been committed in SOLR (may take ~15 minutes)
feed.query.hit.binary	This event happens when an intelligence feed query matches a binary. The process is visible in Carbon Black UI immediately. This covers the query IOC only described in the feed documentation
feed.query.hit.process	This event happens when an intelligence feed query matches a process. This is the same as above in terms of triggers and IOCs
feed.storage.hit.binary	Same as feed.ingress.hit.binary, but now the data has been committed to disk by Cb and the data is available via the Cb UI or API
feed.storage.hit.process	Same as feed.ingress.hit.process, but now the data has been committed to disk by Cb and the data is available via the Cb UI or API
task.error.logged	This event occurs when a background task reports an error.
watchlist.hit.process	This event occurs when the watchlist first matches the document. Note that the process may not be visible in the Carbon Black UI or searches until it’s been committed in SOLR (may take ~15 minutes)
watchlist.hit.binary	This event happens when the watchlist first matches the document. Note that the binary may not be visible in the Carbon Black UI or searches until it’s been committed in SOLR (may take ~15 minutes)
watchlist.storage.hit.binary	This event occurs when the match that was found in watchlist.hit.binary is committed in SOLR. The data has been committed to disk by Cb and the data is available via the Cb UI or API
watchlist.storage.hit.process	This event occurs when the match that was found in watchlist.hit.process is committed in SOLR. The data has been committed to disk by Cb and the data is available via the Cb UI or API

Watchlist Hit

There are two types of watchlists:

• Process Watchlists
• Binary Watchlists

On watchlist “hit” (match), an event is published. The bulk of the contents of the event is pulled from the underlying process or binary document. As such, the event fields are different between the two event types.

Process Watchlist Hit

Name: watchlist.hit.process

watchlist.hit.process is a JSON structure with the following entries:

name	type	description
cb_version	string	Carbon Black server version
event_timestamp	string	Timestamp when event was published
watchlist_id	int32	Identifier of the watchlist that matched
watchlist_name	string	Name of watchlist that matched
server_name	string	Name of the Carbon Black Server
docs	list	List of one or more matching process documents; see next table

Each matching process document is a JSON structure with the following entries:

name	type	description
childproc_count	int32	Total count of child processes created by this process
cmdline	string	Process command line
filemod_count	int32	Total count of file modifications made by this process
group	string	Sensor group this sensor was assigned to at time of process execution
host_type	string	Type of the computer: server, workstation, domain controller
hostname	string	Hostname of the computer on which the process executed (at time of execution)
last_update	string	Last activity in this process is endpoint local time. Example: 2014-02-04T16:23:22.547Z
modload_count	int32	Total count of module loads in this process.
netconn_count	int32	Total count of network connections made and received by this process.
os_type	string	Operating system type of the endpoint, e.g. Windows, Linux, Osx.
parent_name	string	Name of the parent process.
parent_md5	string	MD5 of the parent process.
parent_pid	int32	PID of parent process.
parent_unique_id	string	Parent process unique identifer.
path	string	Full path to the executable file backing this process.
process_md5	string	MD5 of the executable file backing this process.
process_name	string	Filename of the executable backing this process.
process_pid	int32	PID of this process.
regmod_count	int32	total count of registry modifications made by this process.
segment_id	int32	For internal use
sensor_id	int32	Endpoint identifier.
start	string	Start time of this process in endpoint local time. Example: 2014-02-04T16:23:22.516Z
unique_id	string	Process unique Id
username	string	User context in which the process executed.

Example:

  {
    "server_name": "cb-enterprise-testing.local",
    "docs": [
        {"process_md5": "a3ccfd0aa0b17fd23aa9fd0d84b86c05",
         "sensor_id": 1,
         "modload_count": 49,
         "parent_unique_id": "00000001-0000-09e4-01cf-a5dee70168f2-00000001",
         "cmdline": "\"c:\\users\\admin\\desktop\\putty.exe\" ",
         "filemod_count": 0,
         "id": "00000001-0000-afbc-01cf-b31b9e83777f",
         "parent_name": "explorer.exe",
         "parent_md5": "332feab1435662fc6c672e25beb37be3",
         "group": "Default Group",
         "hostname": "WIN8-TEST",
         "last_update": "2014-08-08T15:15:47.544Z",
         "start": "2014-08-08T15:15:42.193Z",
         "regmod_count": 6,
         "process_pid": 44988,
         "username": "win8-test\\admin",
         "process_name": "putty.exe",
         "path": "c:\\users\\admin\\desktop\\putty.exe",
         "netconn_count": 1,
         "parent_pid": 2532,
         "segment_id": 1,
         "host_type": "workstation",
         "os_type": "windows",
         "childproc_count": 0,
         "unique_id": "00000001-0000-afbc-01cf-b31b9e83777f-00000001"}
     ],
     "event_timestamp": 1407362104.19,
     "watchlist_id": 10,
     "cb_version": "4.2.1.140808.1059",
     "watchlist_name": "Tor Feed"
  }

Binary Watchlist Hit

Name: watchlist.hit.binary

watchlist.hit.binary is a JSON structure with the following entries:

name	type	description
cb_version	string	Carbon Black server version
event_timestamp	string	Timestamp when event was published
watchlist_id	int32	Identifier of the watchlist that matched
watchlist_name	string	Name of watchlist that matched
server_name	string	Name of the Carbon Black Server
docs	list	List of one or more matching process documents; see next table

Each matching binary document is a JSON structure with the following entries:

name	type	description
copied_mod_len	int32	Number of bytes copied to server
endpoint	string	Hostname and sensor ID of the first endpoint on which this binary was observed.
group	string	First sensor group on which this binary was observed
digsig_issuer	string	If digitally signed, the issuer.
digsig_publisher	string	If digitally signed, the publisher.
digsig_result	string	If digitally signed, the human-readable status. See notes.
digsig_result_code	in32	For internal use.
digsig_sign_time	string	If digitally signed, the sign time.
digsig_subject	string	If digitally signed, the subject.
is_executable_image	bool	True if the binary is a standalone executable (as compared to a library).
is_64bit	bool	True if architecture is x64 (versus x86)
md5	string	MD5 of the binary
observed_filename	string	Full path to the executable backing the process
orig_mod_len	int32	Size in bytes of the binary at the time of observation on the endpoint.
os_type	string	Operating system type, e.g. Windows, Linux, Osx.
server_added_timestamp	string	The time this binary was first seen by the server.
timestamp	string	Time binary was first observed (in endpoint time)
watchlists	list	List of matching watchlists.
file_version	string	File Version (Windows Only)
product_name	string	Product Name (Windows Only)
company_name	string	Company Name (Windows Only)
internal_name	string	Internal Name (Windows Only)
original_filename	string	Internal Original Filename (Windows Only)
file_desc	string	File Description (Windows only)
product_version	string	Product Description (Windows only)
comments	string	Comment String (Windows only)
legal_copyright	string	Legal copyright string (Windows only)
legal_trademark	string	Legal trademark string (Windows only)
private_build	string	Private build string (Windows only)

Example:

  {
    "server_name": "cb-enterprise-testing.local",
    "docs": [
        {"digsig_result": "Signed",
         "observed_filename": ["c:\\windows\\system32\\prncache.dll"],
         "product_version": "6.1.7601.17514",
         "signed": "Signed",
         "digsig_sign_time": "2010-11-21T00:37:00Z",
         "is_executable_image": false,
         "orig_mod_len": 183808,
         "is_64bit": true,
         "digsig_publisher": "Microsoft Corporation",
         "group": ["Default Group"],
         "file_version": "6.1.7601.17514 (win7sp1_rtm.101119-1850)",
         "company_name": "Microsoft Corporation",
         "internal_name": "PrintCache",
         "product_name": "Microsoft\u00ae Windows\u00ae Operating System",
         "digsig_result_code": "0",
         "timestamp": "2014-08-09T11:19:04.009Z",
         "copied_mod_len": 183808,
         "server_added_timestamp": "2014-08-09T11:19:04.009Z",
         "md5": "A1CDE92DDC170D307DB3C5BAA348811B",
         "endpoint": ["WIN8-TEST|1"],
         "legal_copyright": "\u00a9 Microsoft Corporation. All rights reserved.",
         "original_filename": "PrnCache.dll",
         "os_type": "Windows",
         "file_desc": "Print UI Cache"}
     ],
     "event_timestamp": 1407583203.5,
     "watchlist_id": 10,
     "cb_version": "4.2.1.140811.29",
     "watchlist_name": "SRS Trust"
  }

Notes:

The digsig_status field can be one of eight values:

• Signed
• Unsigned
• Bad Signature
• Invalid Signature
• Expired
• Invalid Chain
• Untrusted Root
• Explicit Distrust

Feed Hit

There are three types of feed events:

• Ingress
• Storage
• Query

Ingress feed events are published as the matching endpoint data arrives from the sensor. These ingress feed events therefore provide the earliest available notification of the endpoint activity. Ingress events are published prior to updating the data to the backend data store (SOLR), and therefore it may be up to fifteen minutes before the data is discoverable via search. The latency is partially dependent on the configured SOLR soft-commit (auto-commit) interval.

Storage feed events are published as the data is committed to the backend data store (SOLR). As compared to ingress feed events, storage feed events happen later in time, but when all data is fully indexed and searchable via SOLR and therefore the CB client API.

Query feed events are published when a query string provided by a query feed matches committed data.

Ingress Feed Hit

Process Ingress Feed Hit

Name: feed.ingress.hit.process

feed.ingress.hit.process is a JSON structure with the following entries:

name	type	description
process_id	string	CB process key. See Notes.
report_id	string	Identifier of the report which included the matching IOC. See notes.
ioc_type	string	One of “md5”, “dns”, “ipv4”
ioc_value	string	The matching IOC.
ioc_attr	JSON	Key value pairs of additional attributes related to the hit (if present).
sensor_id	int32	Sensor Id of the endpoint on which the event matching the feed occurred.
hostname	string	Hostname of the endpoint on which the event matching the feed occurred
cb_version	string	Carbon Black server version.
server_name	string	Name of Carbon Black server.
feed_id	int32	Identifier of the feed that included the matching report. See notes.
feed_name	string	The name of the feed that included the matching report.
event_timestamp	float	Timestamp of the feed match, measured in number of seconds since the epoch

Example Event:

  {
    "process_id":"00000001-0000-afbc-01cf-b31b9e83777f",
    "report_id":"TOR-Node-38.229.70.52",
    "ioc_type":"ipv4",
    "ioc_value":"38.229.70.52",
    "ioc_attr":{"port":22,"protocol":"TCP","direction":"Outbound"},
    "hostname":"FS-NYC-1",
    "sensor_id":1,
    "cb_version":"4.2.1.140808.1059",
    "server_name":"localhost.localdomain",
    "feed_id":14,
    "feed_name":"tor",
    "event_timestamp":1407362000
  }

Notes:

• The process_id field is the process key used to uniquely identify a process on the Carbon Black server. For ingress feed hits, the process segment is not known. The key can be used with the Carbon Black client API to query for the entire process document.

Binary Ingress Feed Hit

Name: feed.ingress.hit.binary

feed.ingress.hit.binary is a JSON structure with the following entries:

name	type	description
md5	string	MD5 of the binary.
report_id	string	Identifier of the report which included the matching IOC.
ioc_type	string	One of “md5”, “dns”, “ipv4”
ioc_value	string	The matching IOC.
ioc_attr	JSON	Key value pairs of additional attributes related to the hit (if present).
sensor_id	int32	Sensor Id of the endpoint on which the event matching the feed occurred
hostname	string	Hostname of the endpoint on which the event matching the feed occurred
cb_version	string	Carbon Black server version.
server_name	string	Name of Carbon Black server.
feed_id	int32	Identifier of the feed that included the matching report.
feed_name	string	The name of the feed that included the matching report.
event_timestamp	float	Timestamp of the feed match, measured in number of seconds since the epoch

Example Event:

    {
      "md5": "506708142BC63DABA64F2D3AD1DCD5BF",
      "report_id": "dxmtest1_04",
      "ioc_type": "md5",
      "ioc_value":"506708142bc63daba64f2d3ad1dcd5bf",
      "ioc_attr": {},
      "feed_id":7,
      "hostname": "FS-SEA-529",
      "sensor_id": 3321,
      "cb_version":"4.2.1.140808.1059",
      "server_name":"localhost.localdomain",
      "feed_name": "dxmtest1",
      "event_timestamp": 1397244093.682
    }

Notes:

• It may be as much as 60 seconds from the time of the event generation until the full binary document is queryable via the CBAPI or raw SOLR.

Storage Feed Hit

Process Storage Feed Hit

Name: feed.storage.hit.process

feed.storage.hit.process is a JSON structure with the following entries:

name	type	description
process_id	string	CB process key. See Notes.
segment_id	int32	Process segment identifier. See Notes.
report_id	string	Identifier of the report which included the matching IOC. See notes.
ioc_type	string	One of “md5”, “dns”, “ipv4”
ioc_value	string	The matching IOC.
ioc_attr	JSON	Key value pairs of additional attributes related to the hit (if present).
sensor_id	int32	Sensor Id of the endpoint on which the event matching the feed occurred
hostname	string	Hostname of the endpoint on which the event matching the feed occurred
cb_version	string	Carbon Black server version.
server_name	string	Name of Carbon Black server.
feed_id	int32	Identifier of the feed that included the matching report. See notes.
feed_name	string	The name of the feed that included the matching report.
event_timestamp	float	Timestamp of the feed match, measured in number of seconds since the epoch
docs	list	List of one or more matching process documents; see next table

Each matching process document is a JSON structure with the following entries:

name	type	description
childproc_count	int32	Total count of child processes created by this process
cmdline	string	Process command line
filemod_count	int32	Total count of file modifications made by this process
group	string	Sensor group this sensor was assigned to at time of process execution
host_type	string	Type of the computer: server, workstation, domain controller
last_update	string	Last activity in this process is endpoint local time. Example: 2014-02-04T16:23:22.547Z
modload_count	int32	Total count of module loads in this process.
netconn_count	int32	Total count of network connections made and received by this process.
os_type	string	Operating system type, e.g. Windows, Linux, Osx.
parent_name	string	Name of the parent process.
parent_md5	string	MD5 of the parent process.
parent_pid	int32	PID of parent process.
parent_unique_id	string	Parent process unique identifer.
path	string	Full path to the executable file backing this process.
process_md5	string	MD5 of the executable file backing this process.
process_name	string	Filename of the executable backing this process.
process_pid	int32	PID of this process.
regmod_count	int32	total count of registry modifications made by this process.
segment_id	int32	For internal use
start	string	Start time of this process in endpoint local time. Example: 2014-02-04T16:23:22.516Z
unique_id	string	Process unique Id
username	string	User context in which the process executed.

Example Event:

  {
    "process_id":"00000001-0000-afbc-01cf-b31b9e83777f",
    "segment_id":1,
    "docs":[
        {"modload_count":0,
         "host_type":"workstation",
         "netconn_count":"1",
         "os_type":"windows",
         "unique_id":"00000001-0000-afbc-01cf-b31b9e83777f-00000001",
         "username":"win8-test\\admin",
         "last_update":"2014-08-08T15:15:47.544Z",
         "parent_md5":"332feab1435662fc6c672e25beb37be3",
         "path":"c:\\users\\admin\\desktop\\putty.exe",
         "filemod_count":0,
         "regmod_count":6,
         "process_name":"putty.exe",
         "cmdline":"\"c:\\users\\admin\\desktop\\putty.exe\" ",
         "parent_unique_id":"00000001-0000-09e4-01cf-a5dee70168f2-00000001",
         "childproc_count":0,
         "process_pid":"44988",
         "start":"2014-08-08T15:15:42.193Z",
         "process_md5":"a3ccfd0aa0b17fd23aa9fd0d84b86c05",
         "parent_name":"explorer.exe",
         "parent_pid":"2532",
         "group":"Default Group"}
     ],
     "report_id":"TOR-Node-38.229.70.52",
     "ioc_type":"ipv4",
     "ioc_value":"38.229.70.52",
     "ioc_attr":{"port":"22","protocol":"TCP","direction":"Outbound"},
     "hostname":"WIN8-TEST",
     "sensor_id":1,
     "cb_version":"4.2.1.140808.1059",
     "server_name":"localhost",
     "feed_id":14,
     "feed_name":"tor",
     "event_timestamp":1407362099.567
  }

Notes:

• The process_id and segment_id fields can be used to construct a request for complete process segment information, including events such as netconns, modloads, and similar, using the Carbon Black Client API.

Binary Storage Feed Hit

Name: feed.storage.hit.binary

feed.storage.hit.binary is a JSON structure with the following entries:

name	type	description
md5	string	MD5 of the binary.
report_id	string	Identifier of the report which included the matching IOC.
ioc_type	string	One of “md5”, “dns”, “ipv4”
ioc_value	string	The matching IOC.
ioc_attr	JSON	Key value pairs of additional attributes related to the hit (if present).
sensor_id	int32	Sensor Id of the endpoint on which the event matching the feed occurred
hostname	string	Hostname of the endpoint on which the event matching the feed occurred
cb_version	string	Carbon Black server version.
server_name	string	Name of Carbon Black server.
feed_id	int32	Identifier of the feed that included the matching report.
feed_name	string	The name of the feed that included the matching report.
event_timestamp	float	Timestamp of the feed match, measured in number of seconds since the epoch
docs	list	List of one or more matching process documents; see next table

Each matching process document is a JSON structure with the following entries:

name	type	description
copied_mod_len	int32	Number of bytes copied to server
endpoint	string	Hostname and sensor ID of the endpoint on which this binary was observed.
group	string	First sensor group on which this binary was observed
digsig_issuer	string	If digitally signed, the issuer.
digsig_publisher	string	If digitally signed, the publisher.
digsig_result	string	If digitally signed, the human-readable status. See notes.
digsig_result_code	in32	For internal use.
digsig_sign_time	string	If digitally signed, the sign time.
digsig_subject	string	If digitally signed, the subject.
is_executable_image	bool	True if the binary is a standalone executable (as compared to a library).
is_64bit	bool	True if architecture is x64 (versus x86)
md5	string	MD5 of the binary
observed_filename	string	Full path to the executable backing the process
orig_mod_len	int32	Size in bytes of the binary at the time of observation on the endpoint.
os_type	string	Operating system type of the endpoint, e.g. Windows, Linux, Osx.
server_added_timestamp	string	The time this binary was first seen by the server.
file_version	string	File Version (Windows Only)
product_name	string	Product Name (Windows Only)
company_name	string	Company Name (Windows Only)
internal_name	string	Internal Name (Windows Only)
original_filename	string	Internal Original Filename (Windows Only)
file_desc	string	File Description (Windows only)
product_version	string	Product Description (Windows only)
comments	string	Comment String (Windows only)
legal_copyright	string	Legal copyright string (Windows only)
legal_trademarkt	string	Legal trademark string (Windows only)
private_build	string	Private build string (Windows only)

Example Event:

  {
    "md5":"C3489639EC8E181044F6C6BFD3D01AC9",
    "docs":[
        {"file_version":"6.1.7601.17514 (win7sp1_rtm.101119-1850)",
        "product_name":"Microsoft Windows Operating System",
        "is_executable_image":"false",
        "digsig_result":"Signed",
        "observed_filename":["c:\\windows\\system32\\sndvol.exe","C:\\Windows\\system32\\sndvol.exe"],
        "os_type":"Windows",
        "orig_mod_len":"273920",
        "company_name":"Microsoft Corporation",
        "server_added_timestamp":"Aug 9, 2014 5:27:56 PM",
        "internal_name":"Volume Control Applet",
        "copied_mod_len":"0",
        "product_version":"6.1.7601.17514",
        "digsig_sign_time":"2010-11-21T00:37:00.000Z",
        "alliance_score_srstrust":"-100",
        "digsig_result_code":"0",
        "file_desc":"Volume Mixer",
        "endpoint":"WIN8-TEST|1",
        "legal_copyright":"Microsoft Corporation. All rights reserved.",
        "original_filename":"SndVol.exe",
        "is_64bit":"true",
        "md5":"C3489639EC8E181044F6C6BFD3D01AC9",
        "digsig_publisher":"Microsoft Corporation",
        "group":"Default Group"}
    ],
    "report_id":"c3489639ec8e181044f6c6bfd3d01ac9",
    "ioc_type":"md5",
    "ioc_value":"c3489639ec8e181044f6c6bfd3d01ac9",
    "ioc_attr":{},
    "hostname":"WIN8-TEST",
    "sensor_id":1,
    "cb_version":"4.2.1.140811.1054",
    "server_name":"localhost",
    "feed_id":2,
    "feed_name":"srstrust",
    "event_timestamp":1407621575.945
  }

Notes: It can be up to 15 seconds from the time of the event generation until the document is visible via CBAPI or raw SOLR query.

Query Feed Hit

Process Query Feed Hit

Name: feed.query.hit.process

feed.query.hit.process is a JSON structure with the following entries:

name	type	description
process_id	string	CB process key. See Notes.
sensor_id	string	Always 0 for event. See process document for matching values.
segment_id	int32	Process segment identifier. See Notes.
report_id	string	Identifier of the report which included the matching IOC. See notes.
ioc_type	string	Always the value “query”
ioc_value	string	The query string used to look for matches
ioc_attr	JSON	Key value pairs of additional attributes related to the hit (if present).
sensor_id	int32	Sensor Id of the endpoint on which the event matching the feed occurred
hostname	string	Hostname of the endpoint on which the event matching the feed occurred
cb_version	string	Carbon Black server version.
server_name	string	Name of Carbon Black server.
feed_id	int32	Identifier of the feed that included the matching report. See notes.
feed_name	string	The name of the feed that included the matching report.
event_timestamp	float	Timestamp of the feed match, measured in number of seconds since the epoch
docs	list	List of one or more matching process documents; see next table

Each matching process document is a JSON structure with the following entries:

name	type	description
childproc_count	int32	Total count of child processes created by this process
cmdline	string	Process command line
filemod_count	int32	Total count of file modifications made by this process
group	string	Sensor group this sensor was assigned to at time of process execution
host_type	string	Type of the computer: server, workstation, domain controller
hostname	string	Hostname of the endpoint on which the event matching the feed occurred
last_update	string	Last activity in this process is endpoint local time. Example: 2014-02-04T16:23:22.547Z
modload_count	int32	Total count of module loads in this process.
netconn_count	int32	Total count of network connections made and received by this process.
os_type	string	Operating system type, e.g. Windows, Linux, Osx.
parent_name	string	Name of the parent process.
parent_md5	string	MD5 of the parent process.
parent_pid	int32	PID of parent process.
parent_unique_id	string	Parent process unique identifer.
path	string	Full path to the executable file backing this process.
process_md5	string	MD5 of the executable file backing this process.
process_name	string	Filename of the executable backing this process.
process_pid	int32	PID of this process.
regmod_count	int32	total count of registry modifications made by this process.
segment_id	int32	For internal use
sensor_id	int32	Endpoint identifier.
start	string	Start time of this process in endpoint local time. Example: 2014-02-04T16:23:22.516Z
unique_id	string	Process unique Id
username	string	User context in which the process executed.

Example Event:

{
  "process_id": "00000001-0000-1098-01cf-cc5fea563f8f",
  "sensor_id": 1,
  "segment_id": 1,
  "docs": [
    {
      "username": "WIN7X64-BUILDER\\User",
      "process_md5": "f2c7bb8acc97f92e987a2d4087d021b1",
      "modload_count": 20,
      "parent_unique_id": "00000001-0000-0a84-01cf-c240c9d1f378-00000001",
      "process_name": "notepad.exe",
      "cmdline": "\"c:\\windows\\system32\\notepad.exe\" ",
      "os_type": "windows",
      "path": "c:\\windows\\system32\\notepad.exe",
      "last_update": "2014-09-09T18:57:34.267Z",
      "parent_pid": 2692,
      "crossproc_count": 0,
      "parent_name": "explorer.exe",
      "parent_md5": "000000000000000000000000000000",
      "group": "Default Group",
      "netconn_count": 0,
      "hostname": "WIN7X64-BUILDER",
      "host_type": "workstation",
      "filemod_count": 0,
      "start": "2014-09-09T18:57:34.251Z",
      "unique_id": "00000001-0000-1098-01cf-cc5fea563f8f-00000001",
      "regmod_count": 0,
      "childproc_count": 0,
      "process_pid": 4248
    }
  ],
  "hostname": "DXM021-VM1",
  "event_timestamp": 1410289221.38,
  "feed_name": "dxmtest2",
  "feed_id": 12,
  "ioc_value": "cb.urlver=1&cb.q.process_name=notepad.exe&sort=start%20desc&rows=10&start=0",
  "ioc_type": "query",
  "ioc_attrs": {
    "highlights": [
      "PREPREPREnotepad.exePOSTPOSTPOST",
      "c:\\windows\\system32\\PREPREPREnotepad.exePOSTPOSTPOST"
    ]
  },
  "report_id": "notepad_proc"
}

Notes:

• The process_id and segment_id fields can be used to construct a request for complete process segment information, including events such as netconns, modloads, and similar, using the Carbon Black Client API.

Binary Query Feed Hit

Name: feed.query.hit.binary

feed.query.hit.binary is a JSON structure with the following entries:

name	type	description
md5	string	MD5 of the binary.
report_id	string	Identifier of the report which included the matching IOC.
ioc_type	string	Always the value “query”
ioc_value	string	The query string used to look for matches
ioc_attr	JSON	Key value pairs of additional attributes related to the hit (if present).
sensor_id	int32	Sensor Id of the endpoint on which the event matching the feed occurred
hostname	string	Hostname of the endpoint on which the event matching the feed occurred
cb_version	string	Carbon Black server version.
server_name	string	Name of Carbon Black server.
feed_id	int32	Identifier of the feed that included the matching report.
feed_name	string	The name of the feed that included the matching report.
event_timestamp	float	Timestamp of the feed match, measured in number of seconds since the epoch
docs	list	List of one or more matching process documents; see next table

Each matching process document is a JSON structure with the following entries:

name	type	description
comments	string	Comment String (Windows only)
company_name	string	Company Name (Windows Only)
copied_mod_len	int32	Number of bytes copied to server
endpoint	string	Hostname and sensor ID of the endpoint on which this binary was observed.
file_desc	string	File Description (Windows only)
file_version	string	File Version (Windows Only)
group	string	First sensor group on which this binary was observed
host_count	int32	Number of hosts containing this file
digsig_issuer	string	If digitally signed, the issuer.
digsig_publisher	string	If digitally signed, the publisher.
digsig_result	string	If digitally signed, the human-readable status. See notes.
digsig_result_code	in32	For internal use.
digsig_sign_time	string	If digitally signed, the sign time.
digsig_subject	string	If digitally signed, the subject.
internal_name	string	Internal Name (Windows Only)
is_executable_image	bool	True if the binary is a standalone executable (as compared to a library).
is_64bit	bool	True if architecture is x64 (versus x86)
last_seen	string	Time last seen
legal_copyright	string	Legal copyright string (Windows only)
legal_trademark	string	Legal trademark string (Windows only)
md5	string	MD5 of the binary
observed_filename	string	Full path to the executable backing the process
orig_mod_len	int32	Size in bytes of the binary at the time of observation on the endpoint.
original_filename	string	Internal Original Filename (Windows Only)
os_type	string	Operating system type of the endpoint, e.g. Windows, Linux, Osx.
private_build	string	Private build string (Windows only)
product_name	string	Product Name (Windows Only)
product_version	string	Product Description (Windows only)
server_added_timestamp	string	The time this binary was first seen by the server.
signed	string	If digitally signed
timestamp	string	The time this binary was first seen by the server.

Example Event:

{
  "sensor_id": 1,
  "docs": [
    {
      "host_count": 1,
      "digsig_result": "Unsigned",
      "observed_filename": [
        "c:\\program files (x86)\\programmer's notepad\\pn.exe"
      ],
      "product_version": "2.3.4.0-charles",
      "signed": "Unsigned",
      "is_executable_image": false,
      "orig_mod_len": 3092992,
      "is_64bit": false,
      "group": [
        "Default Group"
      ],
      "file_version": "2.3.4.0",
      "company_name": "Simon Steele (Echo Software)",
      "internal_name": "PNWTL",
      "product_name": "Programmer's Notepad",
      "digsig_result_code": "2148204800",
      "timestamp": "2014-09-09T21:00:29.875Z",
      "copied_mod_len": 3092992,
      "server_added_timestamp": "2014-09-09T21:00:29.875Z",
      "md5": "EFA7ECAF4468E0106E8B1041C5CE450E",
      "endpoint": [
        "WIN7X64-BUILDER|1"
      ],
      "legal_copyright": "Copyright \u00a9 2002-2010 Simon Steele (Echo Software)",
      "original_filename": "pn.exe",
      "os_type": "Windows",
      "file_desc": "Programmer's Notepad 2",
      "last_seen": "2014-09-09T21:00:29.875Z"
    }
  ],
  "hostname": "DXM021-VM1",
  "event_timestamp": 1410296635.26,
  "feed_name": "dxmtest2",
  "feed_id": 12,
  "ioc_value": "cb.urlver=1&cb.q.process_name=notepad.exe&sort=start%20desc&rows=10&start=0",
  "ioc_type": "query",
  "md5": "EFA7ECAF4468E0106E8B1041C5CE450E",
  "report_id": "Newly Loaded Modules"
}

Notes: It can be up to 15 seconds from the time of the event generation until the document is visible via CBAPI or raw SOLR query.

New Binary Instance

The Carbon Black server publishes events the first time an executable file (binary) is observed in each of three scenarios:

1. First time it is observed on any endpoint
2. First time it is observed on an individual endpoint for the first time
3. First time it is observed on a sensor group for the first time

Scenario 1: Observed for the first time on any endpoint

Name: binaryinfo.observed

binaryinfo.observed is a JSON structure with the following entries:

name	type	description
md5	string	MD5 of the binary
event_timestamp	float	Timestamp of the feed match, measured in number of seconds since the epoch
scores	dict	Dictionary of Alliance feed scores

Example Event:

{
    "md5": "9E4B0E7472B4CEBA9E17F440B8CB0AB8",
    "event_timestamp": 1397248033.914,
    "scores":
      {
        "alliance_score_virustotal": 16
      }
}

Scenario 2: Observed on an individual endpoint for the first time

Name: binaryinfo.host.observed

binaryinfo.host.observed is a JSON structure with the following entries:

name	type	description
md5	string	MD5 of the binary.
hostname	string	Hostname of endpoint on which binary was observed
sensor_id	int32	Sensor Id of endpoint on which binary was observed
event_timestamp	float	Timestamp of the feed match, measured in number of seconds since the epoch
scores	dict	Dictionary of Alliance feed scores
watchlists	dict	Dictionary of already-matched watchlists

Example Event:

{
    "md5": "9E4B0E7472B4CEBA9E17F440B8CB0AB8",
    "hostname": "FS-HQ",
    "sensor_id": 1021,
    "event_timestamp": 1397248033.914,
    "scores":
      {
        "alliance_score_virustotal": 16
      },
    "watchlists":
      {
        "watchlist_7": "2014-02-13T00:30:11.247Z"
        "watchlist_9": "2014-02-13T00:21:13.009Z"
      }
}

Scenario 3: Observed within a sensor group for the first time

Name: binaryinfo.group.observed

binaryinfo.group.observed is a JSON structure with the following entries:

name	type	description
md5	string	MD5 of the binary
group	string	Sensor group name on which the binary was observed
event_timestamp	float	Timestamp of the feed match, measured in number of seconds since the epoch
scores	dict	Dictionary of Alliance feed scores
watchlists	dict	Dictionary of already-matched watchlists

Example Event:

{
    "md5": "9E4B0E7472B4CEBA9E17F440B8CB0AB8",
    "group": "Default Group",
    "event_timestamp": 1397248033.914
    "scores":
      {
        "alliance_score_virustotal": 16
      },
    "watchlists":
      {
        "watchlist_7": "2014-02-13T00:30:11.247Z"
        "watchlist_9": "2014-02-13T00:21:13.009Z"
      }
}

New Binary File Arrival

The Carbon Black server can be configured to store a copy of all unique binary (executable) files observed on endpoints. This includes Windows PE files such as EXEs and DLLs, Linux ELF files, and similar. Upon the arrival of a new binary file, a binarystore event is published.

This event provides an easy way to trigger custom analysis of a binary, including static or dynamic anaysis, integration with a third-party analysis system, or custom archiving.

Name: binarystore.file.added

binarystore.file.added is a JSON structure with the following entries:

name	type	description
md5	string	MD5 sum of the binary file.
size	int32	Size of the original binary, in bytes.
compressed_size	int32	Size of the zip archive containing the binary file on the Carbon Black server
event_timestamp	float	Timestamp of the binary file addtion, measured in number of seconds since the epoch
file_path	string	Path, on the server disk, of the copied binary file (zipped).

Example Event:

{
    "md5": "9E4B0E7472B4CEBA9E17F440B8CB0AB8",
    "file_path": "/var/cb/data/modulestore/FE2/AFA/FE2AFACC396DC37F51421DE4A08DA8A7.zip"
    "size": 320000,
    "compressed_size": 126857,
    "event_timestamp": 1397248033.914
}

Notes:

• The Carbon Black Server can be configured to delete binary store files from the Carbon Black server after uploading to the Alliance Server. These files are still retrievable via the Carbon Black API, although there may be bandwidth or transfer time concerns. See the AllianceClientNoDeleteOnUpload configuration option in cb.conf.
• The Carbon Black Server can be configured to automatically delete binary store files from the Carbon Black server due to disk space constraints. See the KeepAllModuleFiles configuration option in cb.conf.

Raw endpoint events

Event ID	Description
ingress.event.regmod	A registry key has been created, deleted, or modified on an endpoint monitored by Carbon Black
ingress.event.filemod	A file on the filesystem has been created, deleted, or modified on an endpoint monitored by Carbon Black
ingress.event.netconn	A network connection has been received or initiated by an endpoint monitored by Carbon Black
ingress.event.module	This event contains the digital signature information for a new binary executed on an endpoint monitored by Carbon Black
ingress.event.childproc	A process has spawned another process on an endpoint monitored by Carbon Black
ingress.event.process	A new process has started (or exited) on an endpoint monitored by Carbon Black
ingress.event.crossprocopen	A process has attempted to open a handle into another process
ingress.event.remotethread	A process has attempted to inject a thread into another process
ingress.event.emetmitigation	Microsoft EMET has killed a process on an endpoint monitored by Carbon Black
ingress.event.processblock	A process was blocked from executing on an endpoint monitored by Carbon Black because the process MD5 has been banned
ingress.event.tamper	A process tampered with a critical Carbon Black userspace process or kernel driver

ingress.event.regmod (Registry Modification)

Below is an example of an ingress.event.regmod JSON event.

{
    "action": "writeval",
    "actiontype": 2,
    "cb_server": "cbserver",
    "computer_name": "JASON-WIN81-VM",
    "event_type": "regmod",
    "link_process": "https://cbtests/#analyze/00000001-0000-0484-01d1-1e951b7c000b/1",
    "link_sensor": "https://cbtests/#/host/1",
    "md5": "0E7196981EDE614F1F54FFF2C3843ADF",
    "path": "\\registry\\user\\s-1-5-21-2709706146-4189370754-997381202-1001\\software\\microsoft\\vscommon\\12.0\\sqm\\pids\\1156\\stillalive",
    "pid": 1156,
    "process_guid": "00000001-0000-0484-01d1-1e951b7c000b",
    "sensor_id": 1,
    "timestamp": 1447696798,
    "type": "ingress.event.regmod"
}

Key	Value	Description
action	writeval	Type of registry modification. This can be one of: createkey, writeval, delkey, or delval
actiontype	2	Enum value of the registry modification: 1=createkey, 2=writeval, 4=delkey, 8=delval
cb_server	cbserver	Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
computer_name	JASON-WIN81-VM	hostname of the sensor
event_type	regmod	The type of event
link_process	https://cbtests/#analyze…	Deep link to EDR UI for process
link_sensor	https://cbtests/#/host/1	Deep link to EDR UI for sensor
md5	0E7196981EDE614F1F54FFF2C3843ADF	md5 of process executable
path	\registry\user\s-1-5-21…	Full registry path
pid	1156	Endpoint OS Process id of process
process_guid	00000001-0000-0484-01d1-1e951b7c000b	Cb Process GUID of process
sensor_id	1	Sensor ID of associated sensor
timestamp	1447696798	Endpoint timestamp of this event since epoch
type	ingress.event.regmod	The full type of event

ingress.event.filemod (File Modification)

Below is an example of an ingress.event.filemod JSON event.

{
    "action": "create",
    "actiontype": 1,
    "cb_server": "cbserver",
    "computer_name": "JASON-WIN81-VM",
    "event_type": "filemod",
    "filetype": 0,
    "filetype_name": "Unknown",
    "link_process": "https://cbtests/#analyze/00000001-0000-0c70-01d1-1e951aae7e2f/1",
    "link_sensor": "https://cbtests/#/host/1",
    "md5": "7A2870C2A8283B3630BF7670D0362B94",
    "path": "c:\\users\\admin\\appdata\\local\\google\\chrome\\user data\\b5e2.tmp",
    "pid": 3184,
    "process_guid": "00000001-0000-0c70-01d1-1e951aae7e2f",
    "sensor_id": 1,
    "timestamp": 1447696804,
    "type": "ingress.event.filemod"
}

Key	Value	Description
action	writeval	Type of file modification: create, write, delete, lastwrite
actiontype	2	Enum value of the file modification: 1=create, 2=write, 4=delete, 8=lastwrite
cb_server	cbserver	Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
computer_name	JASON-WIN81-VM	hostname of the sensor
event_type	filemod	The type of event
filetype	0	Enum value of the detected file type of this file. Only valid for “lastwrite” actions. See the CbFileType protobuf definition for the available values.
filetype_name	Unknown	The detected file type of this file. Only valid for “lastwrite” actions. Currently supported file types: PE, ELF, UniversalBin, Eicar, OfficeLegacy, OfficeOpenXml, PDF, PKZIP, LZH, LZW, RAR, TAR, and 7zip.
link_process	https://cbtests/#analyze…	Deep link to EDR UI for process
link_sensor	https://cbtests/#/host/1	Deep link to EDR UI for sensor
md5	7A2870C2A8283B3630BF7670D0362B94	md5 of process executable
path	c:\users\admin\appdata\…	Full file path
pid	3184	Endpoint OS Process id of process
process_guid	00000001-0000-0c70-01d1-1e951aae7e2f	Cb Process GUID of process
sensor_id	1	sensor ID of associated sensor
timestamp	1447696804	Endpoint timestamp of this event since epoch
type	ingress.event.filemod	The full type of event

ingress.event.netconn (Network Connection)

Below is an example of an ingress.event.netconn JSON event.

{
    "cb_server": "cbserver",
    "computer_name": "WIN-OTEMNUTBS23",
    "direction": "outbound",
    "domain": "",
    "event_type": "netconn",
    "ipv4": "23.4.187.27",
    "link_process": "https://cbtests/#analyze/00000007-0000-090c-01d1-2099b8f18a82/1",
    "link_sensor": "https://cbtests/#/host/7",
    "local_ip": "172.31.30.0",
    "local_port": 49352,
    "md5": "C10A66189DC8C090E7C84873EDCEBC88",
    "pid": 2316,
    "port": 80,
    "process_guid": "00000007-0000-090c-01d1-2099b8f18a82",
    "protocol": 6,
    "remote_ip": "23.4.187.27",
    "remote_port": 80,
    "sensor_id": 7,
    "timestamp": 1447697666,
    "type": "ingress.event.netconn"
}

Key	Value	Description
cb_server	cbserver	Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
computer_name	WIN-OTEMNUTBS23	hostname of the sensor
direction	outbound	Direction of the netconn event: inbound or outbound
domain	carbonblack.com	The DNS name of the network peer, if available.
event_type	netconn	The type of event
ipv4	23.4.187.27	remote ipv4 address of network connection. Maintained for backward compatibility for earlier versions of the event forwarder. See local_ip and remote_ip.
link_process	https://cbtests/#analyze…	Deep link to EDR UI for process
link_sensor	https://cbtests/#/host/1	Deep link to EDR UI for sensor
local_ip	172.31.30.0	Local IP address of network connection (network interface on the endpoint)
local_port	49352	Local port of the network connection
md5	C10A66189DC8C090E7C84873EDCEBC88	md5 of process executable
pid	2316	Endpoint OS Process id of process
port	80	remote port of the network connection. Maintained for backward compatibility for earlier versions of the event forwarder. See local_port and remote_port.
process_guid	00000007-0000-090c-01d1-2099b8f18a82	Cb Process GUID of process
protocol	6	6=TCP, 17=UDP
remote_ip	23.4.187.27	IP address of the remote system (peer)
remote_port	80	Remote port of the network connection
sensor_id	7	sensor ID of associated sensor
timestamp	1447697666	Endpoint timestamp of this event since epoch
type	ingress.event.netconn	The full type of event

Web Proxy Note: If a web proxy is being used, the field domain or remote_ip and remote_port will be empty. When the traffic flows out of the endpoint via a web proxy, the name resolution to IP happens at the proxy, and not on the endpoint. When this happens, the output will be augmented with a different set of fields listed below.

Key	Value	Description
proxy	true	A boolean field for proxy status
proxy_ip	129.22.253.78	IP address of the web proxy connection
proxy_port	443	Port of the web proxy connection
proxy_domain	carbonblack.com	Domain of the web proxy connection, if available

ingress.event.moduleload (Module Load)

Below is an example of an ingress.event.moduleload JSON event.

{
    "cb_server": "cbserver",
    "computer_name": "JASON-WIN81-VM",
    "event_type": "modload",
    "link_process": "https://cbtests/#analyze/00000001-0000-07b4-01d1-209a100bc217/1",
    "link_sensor": "https://cbtests/#/host/1",
    "md5": "3D136E8D4C0407D9C40FD8BDD649B587",
    "path": "c:\\windows\\system32\\ntdll.dll",
    "pid": 1972,
    "process_guid": "00000001-0000-07b4-01d1-209a100bc217",
    "sensor_id": 1,
    "timestamp": 1447697423,
    "type": "ingress.event.moduleload"
}

Key	Value	Description
cb_server	cbserver	Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
computer_name	JASON-WIN81-VM	hostname of the sensor
event_type	modload	The type of event
link_process	https://cbtests/#analyze…	Deep link to EDR UI for process
link_sensor	https://cbtests/#/host/1	Deep link to EDR UI for sensor
md5	D6021013D7C4E248AEB8BED12D3DCC88	md5 of the module
path	c:\windows\system32\ntdll.dll	Path of the module loaded into the current process
pid	1972	Endpoint OS Process id of process
process_guid	00000001-0000-07b4-01d1-209a100bc217	Cb Process GUID of process
sensor_id	1	sensor ID of associated sensor
timestamp	1447697423	Endpoint timestamp of this event since epoch
type	ingress.event.moduleload	The full type of event

ingress.event.childproc (Child Process)

Below is an example of an ingress.event.childproc JSON event.

{
    "cb_server": "cbserver",
    "child_process_guid": "00000001-0000-07b4-01d1-209a100bc217",
    "computer_name": "JASON-WIN81-VM",
    "created": true,
    "event_type": "childproc",
    "link_child": "https://cbtests/#analyze/00000001-0000-07b4-01d1-209a100bc217/1",
    "link_process": "https://cbtests/#analyze/00000001-0000-0af4-01d1-1e444bf4c3dd/1",
    "link_sensor": "https://cbtests/#/host/1",
    "md5": "D6021013D7C4E248AEB8BED12D3DCC88",
    "pid": 2804,
    "process_guid": "00000001-0000-0af4-01d1-1e444bf4c3dd",
    "sensor_id": 1,
    "timestamp": 1447697423,
    "type": "ingress.event.childproc"
}

Key	Value	Description
cb_server	cbserver	Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
child_process_guid	00000001-0000-07b4-01d1-209a100bc217	process guid of the child process
computer_name	JASON-WIN81-VM	hostname of the sensor
created	true	Specifies whether this process_guid is the child or the parent
event_type	childproc	The type of event
link_child	https://cbtests/#analyze…	Deep link to EDR UI for child process
link_process	https://cbtests/#analyze…	Deep link to EDR UI for parent process
link_sensor	https://cbtests/#/host/1	Deep link to EDR UI for sensor
md5	D6021013D7C4E248AEB8BED12D3DCC88	md5 of the module
pid	2804	Endpoint OS Process id of process
process_guid	00000001-0000-0af4-01d1-1e444bf4c3dd	Cb Process GUID of parent process
sensor_id	1	sensor ID of associated sensor
timestamp	1447697423	Endpoint timestamp of this event since epoch
type	ingress.event.childproc	The full type of event

ingress.event.procstart (Process Start)

Below is an example of an ingress.event.procstart JSON event.

{
    "cb_server": "cbserver",
    "command_line": "\"C:\\Windows\\system32\\SearchProtocolHost.exe\" Global\\UsGthrFltPipeMssGthrPipe253_ Global\\UsGthrCtrlFltPipeMssGthrPipe253 1 -2147483646 \"Software\\Microsoft\\Windows Search\" \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)\" \"C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\usgthrsvc\" \"DownLevelDaemon\" ",
    "computer_name": "JASON-WIN81-VM",
    "event_type": "proc",
    "expect_followon_w_md5": false,
    "link_parent": "https://cbtests/#analyze/00000001-0000-0af4-01d1-1e444bf4c3dd/1",
    "link_process": "https://cbtests/#analyze/00000001-0000-07b4-01d1-209a100bc217/1",
    "link_sensor": "https://cbtests/#/host/1",
    "md5": "D6021013D7C4E248AEB8BED12D3DCC88",
    "parent_create_time": 1447440685,
    "parent_md5": "79227C1E2225DE455F365B607A6D46FB",
    "parent_path": "c:\\windows\\system32\\searchindexer.exe",
    "parent_process_guid": "00000001-0000-0af4-01d1-1e444bf4c3dd",
    "path": "c:\\windows\\system32\\searchprotocolhost.exe",
    "pid": 1972,
    "process_guid": "00000001-0000-07b4-01d1-209a100bc217",
    "sensor_id": 1,
    "timestamp": 1447697423,
    "type": "ingress.event.procstart",
    "username": "SYSTEM"
}

Key	Value	Description
cb_server	cbserver	Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
command_line	"C:\Windows\system32\SearchProtocolHost.exe"…	Command Line of the new process
computer_name	JASON-WIN81-VM	hostname of the sensor
event_type	proc	type of event
expect_followon_w_md5	false	If the md5 could not be calculated in time then EDR will send another procstart with the process md5
link_parent	https://cbtests/#analyze…	Deep link to EDR UI for parent process
link_process	https://cbtests/#analyze…	Deep link to EDR UI for this process
link_sensor	https://cbtests/#/host/1	Deep link to EDR UI for sensor
md5	D6021013D7C4E248AEB8BED12D3DCC88	MD5 of the executable binary associated with this process
parent_create_time	1447440685	seconds since epoch of parent process create time
parent_md5	79227C1E2225DE455F365B607A6D46FB	MD5 of parent’s executable image
parent_path	c:\windows\system32\searchindexer.exe	file path of parent’s executable image
parent_process_guid	00000001-0000-0af4-01d1-1e444bf4c3dd	Cb Process GUID of parent process
path	c:\windows\system32\searchprotocolhost.exe	file path of the child processes' executable image
pid	1972	OS Process id of child process
process_guid	00000001-0000-07b4-01d1-209a100bc217	Cb Process GUID of child process
sensor_id	1	sensor ID of associated sensor
timestamp	1447697423	Endpoint timestamp of this event since epoch
type	ingress.event.procstart	The full type of event
username	SYSTEM	Username used to create child process
logon_type	4	Describes the logon type of the logon session associated with a process. Here value ‘4’ corresponds to ‘Batch’ which indicates that the process is executed on behalf of a user without their direct intervention (possibly a scheduled task). Possible valid values are 0 and 2 to 13 as per https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-logonsession.

ingress.event.crossprocopen (Cross Process Open)

Below is an example of an ingress.event.crossprocopen JSON event.

{
    "cb_server": "cbserver",
    "computer_name": "WIN-OTEMNUTBS23",
    "cross_process_type": "open_process",
    "event_type": "cross_process",
    "is_target": false,
    "link_process": "https://cbtests/#analyze/00000007-0000-0ccc-01d1-209ab5339f45/1",
    "link_sensor": "https://cbtests/#/host/7",
    "link_target": "https://cbtests/#analyze/00000007-0000-02c4-01d1-20982cef85d3/1",
    "md5": "053EEEE1ABAE53F044F1E386E22AE525",
    "pid": 3276,
    "process_guid": "00000007-0000-0ccc-01d1-209ab5339f45",
    "requested_access": 5136,
    "sensor_id": 7,
    "target_create_time": 130921702131467731,
    "target_md5": "382100E75B6F4668AEAEF228C6CEFFAD",
    "target_path": "c:\\windows\\system32\\lsass.exe",
    "target_pid": 708,
    "target_process_guid": "00000007-0000-02c4-01d1-20982cef85d3",
    "timestamp": 1447697702,
    "type": "ingress.event.crossprocopen"
}

Key	Value	Description
cb_server	cbserver	Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
computer_name	WIN-OTEMNUTBS23	hostname of the sensor
cross_process_type	open_process	The type of cross process event: either open_process (opening a handle to another process) or open_thread
event_type	cross_process	type of event
is_target	false	specifies whether process_guid is the target of the cross process event
link_target	https://cbtests/#analyze…	Deep link to EDR UI for target process
link_process	https://cbtests/#analyze…	Deep link to EDR UI for this process
link_sensor	https://cbtests/#/host/1	Deep link to EDR UI for sensor
md5	053EEEE1ABAE53F044F1E386E22AE525	md5 of process_guid executable image
pid	3276	Endpoint OS Process id of process that generated the crossprocopen event
process_guid	00000007-0000-0ccc-01d1-209ab5339f45	Process guid of child process
requested_access	5136	Windows bitfield representing the requested access for this process or thread handle (decimal)
sensor_id	7	sensor ID of associated sensor
target_create_time	130921702131467731	Target Process create time represented as a 64-bit Windows FILETIME
target_md5	382100E75B6F4668AEAEF228C6CEFFAD	md5 of target process executable image
target_path	c:\windows\system32\lsass.exe	Path of the target process' executable image
target_pid	708	Process ID of the target process
target_process_guid	00000007-0000-02c4-01d1-20982cef85d3	process_guid of the target process
timestamp	1447697702	Endpoint timestamp of this event since epoch
type	ingress.event.crossprocopen	The full type of event

ingress.event.emetmitigation (EMET Mitigation)

Below is an example of an ingress.event.emetmitigation JSON event.

{
    "blocked": true,
    "cb_server": "cbserver",
    "computer_name": "JASON-WIN81-VM",
    "emet_timestamp": 130949318600000000,
    "event_type": "emet_mitigation",
    "link_process": "https://cbtests/#analyze/00000001-0000-0d10-01d1-39b621f894f9/1",
    "link_sensor": "https://cbtests/#/host/1",
    "log_id": 1032,
    "log_message": "EMET detected EAF mitigation and will close the application: EMET_Test64.exe\r\n\r\nEAF check failed:\n  Application \t: C:\\Users\\dan\\Desktop\\EMET_TEST\\EMET_Test64.exe\n  User Name \t: DANWIN764\\dan\n  Session ID \t: 1\n  PID \t\t: 0xD10 (3344)\n  TID \t\t: 0xDB4 (3508)\n  Module \t: N/A\n  Mod Base \t: 0x0000000000000000\n  Mod Address \t: 0x000000000297000D\n  Mem Address \t: 0x0000000000000000\n\r\n",
    "md5": "053EEEE1ABAE53F044F1E386E22AE525",
    "mitigation": "Eaf",
    "pid": 3344,
    "process_guid": "00000001-0000-0d10-01d1-39b621f894f9",
    "sensor_id": 1,
    "timestamp": 1450458260,
    "type": "ingress.event.emetmitigation"
}

Key	Value	Description
blocked	true	boolean value describing if the action was successfully blocked by EMET
cb_server	cbserver	Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
computer_name	JASON-WIN81-VM	hostname of the sensor
emet_timestamp	130949318600000000	timestamp of EMET event represented by a 64-bit Windows FILETIME
event_type	emet_mitigation	type of event
link_process	https://cbtests/#analyze…	Deep link to EDR UI for process
link_sensor	https://cbtests/#/host/1	Deep link to EDR UI for sensor
log_id	1032	EMET log ID associated with this emetmitigation event
log_message	EMET detected EAF mitigation…	The full log message generated by EMET
md5	053EEEE1ABAE53F044F1E386E22AE525	md5 of process_guid executable image
mitigation	Eaf	The type of EMET mitigation performed to block the operation. Possible values are Dep, Sehop, Asr, Aslr, NullPage, HeapSpray, MandatoryAslr, Eaf, EafPlus, BottomUpAslr, LoadLibrary, MemoryProtection, SimulateExecFlow, StackPivot, CallerChecks, BannedFunctions, DeepHooks, AntiDetours.
pid	3344	Endpoint OS Process id of process that generated the emetmitigation event
process_guid	00000001-0000-0d10-01d1-39b621f894f9	Process GUID of offending process
sensor_id	1	sensor ID of associated sensor
timestamp	1450458260	Endpoint timestamp of this event since epoch
type	ingress.event.emetmitigation	The full type of event

ingress.event.processblock (Process Block)

Below is an example of an ingress.event.processblock JSON event.

{
    "blocked_event": "ProcessCreate",
    "blocked_reason": "Md5Hash",
    "blocked_result": "ProcessTerminated",
    "cb_server": "cbserver",
    "command_line": "\"C:\\Program Files\\Microsoft Games\\hearts\\hearts.exe\" ",
    "computer_name": "JASON-WIN81-VM",
    "event_type": "blocked_process",
    "md5": "A8524F6C3AFF774911BCA26AB8322602",
    "path": "c:\\program files\\microsoft games\\hearts\\hearts.exe",
    "sensor_id": 1,
    "timestamp": 1450470603,
    "type": "ingress.event.processblock",
    "uid": "S-1-5-21-3382350439-2970772701-2583938045-1000",
    "username": "DANWIN764\\dan"
}

Key	Value	Description
blocked_event	ProcessCreate	The type of event that was blocked: either ProcessCreate (the process was terminated immediately upon execution) or RunningProcess (the process was already running on the endpoint when the block was applied).
blocked_reason	Md5Hash	The reason for block action (Md5Hash is the only possible value)
blocked_result	ProcessTerminated	The result of the blocked action: ProcessTerminated, NotTerminatedCBProcess, NotTerminatedSystemProcess, NotTerminatedCriticalSystemProcess, NotTerminatedWhitelistPath, NotTerminatedOpenProcessError, or NotTerminatedTerminateError.
cb_server	cbserver	Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
command_line	"C:\Program Files\Microsoft Games\hearts\hearts.exe"	Command line associated with the blocked process
computer_name	JASON-WIN81-VM	hostname of the sensor
event_type	blocked_process	type of event
md5	A8524F6C3AFF774911BCA26AB8322602	md5 of the blocked executable
path	c:\program files\microsoft games\hearts\hearts.exe	Path of the blocked executable on disk
sensor_id	1	sensor ID of associated sensor
timestamp	1450458260	Endpoint timestamp of this event since epoch
type	ingress.event.processblock	The full type of event
uid	S-1-5-21-3382350439-2970772701-2583938045-1000	Security Identifier of the username name used for process creation
username	DANWIN764\dan	Username that initiated the process creation

ingress.event.tamper (EDR Tamper)

Below is an example of an ingress.event.tamper JSON event.

{
    "cb_server": "cbserver",
    "computer_name": "JASON-WIN81-VM",
    "event_type": "tamper",
    "sensor_id": 1,
    "tamper_type": "CbProcessTerminated",
    "timestamp": 1450470455,
    "type": "ingress.event.tamper"
}

Key	Value	Description
cb_server	cbserver	Used to distinguish between multiple EDR servers. Set this in the “server_name” option of cb-event-forwarder.ini.
computer_name	JASON-WIN81-VM	hostname of the sensor
event_type	tamper	type of event
sensor_id	1	sensor ID of associated sensor
tamper_type	CbProcessTerminated	The activity which triggered this tamper event: CoreDriverUnloaded, NetworkDriverUnloaded, CbServiceStopped, CbProcessTerminated, or CbCodeInjection
timestamp	1450458260	Endpoint timestamp of this event since epoch
type	ingress.event.tamper	The full type of event

task.error.logged

Below is an example of a task.error.logged JSON event.

{
    "error_text": "Error during synchronization of feed somename(23): bad query field: '#47'",
    "task_name": "FeedSynchronizer",
    "task_type": "Task",
    "timestamp": "2020-12-08 15:28:15.999581-05:00"
}

Key	Value	Description
error_text	Error during synchronization of feed somename(23): bad query field: ‘#47’	The text describing the error.
task_name	FeedSynchonizer	The name of the task that generated the error.
task_type	Task	The type of task: “Task” refers to a background task in cb-enterprised; “Job” refers to a cron job.
timestamp	2020-12-08 15:28:15.999581-05:00	The timestamp of the occurence of the error.

LEEF Event format

Below is an example of a watchlist.hit.process event. The following table breaks up the key value pairs and gives a description.

Note that the LEEF output generated by the Carbon Black event forwarder is encoded in UTF-8. Tabs and newlines included as part of a field value are escaped as “\t” and “\n” respectively. Single backslashes in any field’s value are transmitted as “\”. Note that the sample output you have may not include this escape mechanism; we have added this in the latest code base to avoid parsing ambiguity when newlines and tabs are encountered in the input data. I have adjusted the example data below to reflect the backslash

LEEF:1.0|CB|CB|5.1.0.150625.500|watchlist.hit.process|cb_server=None    childproc_count=0
cmdline="C:\\Program Files\\Bit9\\Parity Agent\\Parity.exe" /service /server bit9server.bit9se.com /port 41002
comms_ip=-1062672891    crossproc_count=0   filemod_count=5 group=Default Group host_type=workstation
hostname=W7-LOW id=00000016-0000-0608-01d1-171453a78ab2 interface_ip=192.168.230.5
last_update=2015-11-04T15:20:56.939Z    modload_count=371   netconn_count=1 os_type=windows
parent_guid=00000016-0000-0210-01d1-1714513a9f24    parent_md5=000000000000000000000000000000
parent_name=services.exe    parent_pid=528  parent_unique_id=00000016-0000-0210-01d1-1714513a9f24-00000001
path=c:\\program files\\bit9\\parity agent\\parity.exe  process_guid=00000016-0000-0608-01d1-171453a78ab2
process_md5=15785fcb9495aa518c8c751e80ab9bf7    process_name=parity.exe process_pid=1544    regmod_count=8
segment_id=1    sensor_id=22    server_name=cbserver    start=2015-11-04T15:20:24.072Z  timestamp=1446092826.89
type=watchlist.hit.process  unique_id=00000016-0000-0608-01d1-171453a78ab2-00000001 username=SYSTEM
watchlist_id=7  watchlist_name=Non-System Filemods to system32

Key	Value	Description
cb_server	None	Used to distinguish between multiple Carbon Black servers when their event source is merged into a single event source. This is reflected from the cb-event-forwarder configuration file
childproc_count	0	Total count of child processes created by this process
cmdline	"C:\\Program Files\\Bit9\\Parity Agent\\Parity.exe" /service /server bit9server.bit9se.com /port 41002	Process command line. After unescaping, this command line is “C:\Program Files\Bit9\Parity Agent\Parity.exe" /service /server bit9server.bit9se.com /port 41002”
comms_ip	-1062672891 (192.168.230.5)	IP address that the Cb server received the events on. If the endpoint is behind a NAT, for example, this will be the external IP of the network the endpoint lives on NOTE: your output has this field as an integer. The final cb-event-forwarder code will reformat this as the IP address (seen here in parentheses)
crossproc_count	0	Number of cross process events (process injection or opening a handle to another process).
filemod_count	5	Total count of file modifications made by this process
group	Default Group	Sensor group this sensor was assigned to at time of process execution
host_type	workstation	Type of the computer: server, workstation, domain controller
hostname	W7-LOW	Hostname of the computer on which the process executed (at time of execution)
id	00000016-0000-0608-01d1-171453a78ab2	Process unique identifier. Note: within the CB Web UI you can view the process by going to https://<cbserverurl>/#analyze/<guid>/1.
interface_ip	192.168.230.5	The IP address of the network interface(s) on the endpoint that generated this message
last_update	2015-11-04T15:20:56.939Z	Last activity in this process in endpoint local time. Example: 2014-02-04T16:23:22.547Z
modload_count	371	Total count of module loads in this process.
netconn_count	1	Total count of network connections made and received by this process.
os_type	windows	Operating system type of the endpoint, e.g. Windows, Linux, Osx.
parent_guid	00000016-0000-0210-01d1-1714513a9f24	Parent process unique identifier. Note: within the CB Web UI you can view the process by going to https://<cbserverurl>/#analyze/<guid>/1.
parent_md5	000000000000000000000000000000	MD5 of the parent process.
parent_name	services.exe	Name of the parent process.
parent_pid	528	Process ID of parent process.
parent_unique_id	00000016-0000-0210-01d1-1714513a9f24-00000001	Parent process unique identifier.
path	c:\\program files\\bit9\\parity agent\\parity.exe	Full path to the executable file backing this process.
process_guid	00000016-0000-0608-01d1-171453a78ab2	Process unique identifier. Note: within the CB Web UI you can view the process by going to https://<cbserverurl>/#analyze/<guid>/1.
process_md5	15785fcb9495aa518c8c751e80ab9bf7	MD5 of process
process_name	parity.exe	Name of the process
process_pid	1544	Process ID of the process
regmod_count	8	Total count of registry modifications made by this process.
sensor_id	22	Endpoint identifier. Within the Cb Web UI you can view this sensor by going to https://<cbserver>/#/host/<sensor_id>
server_name	cbserver	Name of the Carbon Black server
start	2015-11-04T15:20:24.072Z	Start time of this process in endpoint local time. Example: 2014-02-04T16:23:22.516Z
timestamp	1446092826.89	Date/Time of when the event occurred since epoch
type	watchlist.hit.process	The Event type
unique_id	00000016-0000-0608-01d1-171453a78ab2-00000001	Process unique identifier.
username	SYSTEM	User context in which the process executed.
watchlist_id	7	Watchlist Unique Identifier
watchlist_name	Non-System Filemods to system32	Watchlist Name

LEEF and netconn (Network Connection) Events

The LEEF encoder in the EDR Event Forwarder normalizes the data in the ingress.event.netconn event type to match the expected schema in the LEEF format. When the associated network connection is outbound, then the local_ip and local_port keys are mapped to the src and srcPort fields respectively, and the remote_ip and remote_port keys are mapped to the dst and dstPort fields in the LEEF output. The reverse is done when the associated network connection is inbound. This should cause the netconns to map correctly in IBM QRadar or other tools that can read LEEF formatted event logs.