edr.carbonblack

Introduction

The tags beginning with edr.carbonblack identify events generated by VMware Carbon Black.

Tag structure

The full tag must have 3 levels. The first two are fixed as edr.carbonblack. The third level identifies the type of events sent.

| Technology | Brand | Type |
| --- | --- | --- |
| edr | carbonblack | alert, binary, feed, ingress, watchlist |

Therefore, the valid tags and tables include:

  • edr.carbonblack.alert
  • edr.carbonblack.binary
  • edr.carbonblack.feed
  • edr.carbonblack.ingress
  • edr.carbonblack.watchlist

How is the data sent to Devo?

You can forward logs generated by VMware Carbon Black using any syslog drain (for example, syslog-ng) or through the Devo In-House Relay.

Log samples

The following are sample logs sent to each of the edr.carbonblack tags. Under each sample, you can see how the information is parsed into the corresponding data table.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

edr.carbonblack.alert

2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.alert: {"alert_severity":3.375,"alert_type":"watchlist.hit.ingress.process","cb_server":"cbserver","childproc_count":0,"comms_ip":"192.168.191.1","computer_name":"laptop-dkojg99e","created_time":"2019-07-31T17:20:49.407402Z","crossproc_count":3,"feed_id":14,"feed_name":"attackframework","feed_rating":3.0,"filemod_count":2,"group":"default group","hostname":"laptop-dkojg99e","interface_ip":"192.168.0.2","ioc_confidence":0.5,"ioc_query_index":"events","ioc_query_string":"(modload:crypt32.dll -process_name:mscorsvw.exe -process_name:logonui.exe -process_name:taskhost.exe -process_name:mobsync.exe -process_name:googleupdate.exe -process_name:upd.exe -process_name:audiodg.exe -process_name:wmiprvse.exe -process_name:chrome.exe -process_name:svchost.exe -process_name:backgroundtaskhost.exe -process_name:searchprotocolhost.exe)","ioc_type":"query","ioc_value":"{index_type: events}","link_md5":"https://192.168.191.131/#/binary/CC07C007FA4B9D3B4C69D98DD7CE1C58","link_process":"https://192.168.191.131/#analyze/00000002-0000-3d90-01d5-47c771de9d1c/1","link_sensor":"https://192.168.191.131/#/host/2","md5":"CC07C007FA4B9D3B4C69D98DD7CE1C58","modload_count":66,"netconn_count":0,"os_type":"windows","process_guid":"00000002-0000-3d90-01d5-47c771de9d1c","process_id":"00000002-0000-3d90-01d5-47c771de9d1c","process_name":"taskhostw.exe","process_path":"c:","process_unique_id":"00000002-0000-3d90-01d5-47c771de9d1c-016c490c76fc","regmod_count":1,"report_link":"https://attack.mitre.org/wiki/Technique/T1002","report_score":5,"report_title":"Data Compressed #4","segment_id":"1","sensor_criticality":3.0,"sensor_id":2,"sha256":"d5907d58a3e8a9f5610941d1e281f8dac6437de648ffca08974490fdf7f74acd","status":"Unresolved","timestamp":1564593649.330,"type":"alert.watchlist.hit.ingress.process","unique_id":"bc0309eb-302a-4567-bf36-9080811da106","username":"SYSTEM","watchlist_id":"565652","watchlist_name":"565652"}

And this is how the logs would be parsed:

| Field | Value | Type | Source field name | Extra fields |
| --- | --- | --- | --- | --- |
| eventdate | 2016-10-07 13:30:20.930 | timestamp | | |
| alert_severity | 3.375 | float8 | | |
| alert_type | watchlist.hit.ingress.process | str | | |
| cb_server | cbserver | str | | |
| childproc_count | 0 | int4 | | |
| comms_ip | 192.168.191.1 | ip4 | | |
| computer_name | laptop-dkojg99e | str | | |
| created_time | 2019-07-31T17:20:49.407402Z | str | | |
| crossproc_count | 3 | int4 | | |
| feed_id | 14 | int4 | | |
| feed_name | attackframework | str | | |
| feed_rating | 3.0 | float8 | | |
| filemod_count | 2 | int4 | | |
| group2 | default group | str | group | |
| hostname | laptop-dkojg99e | str | | |
| interface_ip | 192.168.0.2 | str | | |
| ioc_confidence | 0.5 | float8 | | |
| ioc_query_index | events | str | | |
| ioc_query_string | (modload:crypt32.dll -process_name:mscorsvw.exe -process_name:logonui.exe -process_name:taskhost.exe -process_name:mobsync.exe -process_name:googleupdate.exe -process_name:upd.exe -process_name:audiodg.exe -process_name:wmiprvse.exe -process_name:chrome.exe -process_name:svchost.exe -process_name:backgroundtaskhost.exe -process_name:searchprotocolhost.exe) | str | | |
| ioc_type | query | str | | |
| ioc_value | {index_type: events} | str | | |
| link_md5 | https://192.168.191.131/#/binary/CC07C007FA4B9D3B4C69D98DD7CE1C58 | str | | |
| link_process | https://192.168.191.131/#analyze/00000002-0000-3d90-01d5-47c771de9d1c/1 | str | | |
| link_sensor | https://192.168.191.131/#/host/2 | str | | |
| md5 | CC07C007FA4B9D3B4C69D98DD7CE1C58 | str | | |
| modload_count | 66 | int4 | | |
| netconn_count | 0 | int4 | | |
| os_type | windows | str | | |
| process_guid | 00000002-0000-3d90-01d5-47c771de9d1c | str | | |
| process_id | 00000002-0000-3d90-01d5-47c771de9d1c | str | | |
| process_name | taskhostw.exe | str | | |
| process_path | c: | str | | |
| process_unique_id | 00000002-0000-3d90-01d5-47c771de9d1c-016c490c76fc | str | | |
| regmod_count | 1 | int4 | | |
| report_link | https://attack.mitre.org/wiki/Technique/T1002 | str | | |
| report_score | 5 | int4 | | |
| report_title | Data Compressed #4 | str | | |
| segment_id | 1 | str | | |
| sensor_criticality | 3.0 | float8 | | |
| sensor_id | 2 | int4 | | |
| sha256 | d5907d58a3e8a9f5610941d1e281f8dac6437de648ffca08974490fdf7f74acd | str | | |
| status | Unresolved | str | | |
| timestamp | 1564593649.330 | float8 | | |
| type | alert.watchlist.hit.ingress.process | str | | |
| unique_id | bc0309eb-302a-4567-bf36-9080811da106 | str | | |
| username | SYSTEM | str | | |
| watchlist_id | 565652 | str | | |
| watchlist_name | 565652 | str | | |
| report_ignored | null | bool | | |
| version | null | int8 | _version_ | |
| description | null | str | | |
| link | null | str | | |
| total_hosts | null | str | | |
| message | {"alert_severity":3.375,"alert_type":"watchlist.hit.ingress.process","cb_server":"cbserver","childproc_count":0,"comms_ip":"192.168.191.1","computer_name":"laptop-dkojg99e","created_time":"2019-07-31T17:20:49.407402Z","crossproc_count":3,"feed_id":14,"feed_name":"attackframework","feed_rating":3.0,"filemod_count":2,"group":"default group","hostname":"laptop-dkojg99e","interface_ip":"192.168.0.2","ioc_confidence":0.5,"ioc_query_index":"events","ioc_query_string":"(modload:crypt32.dll -process_name:mscorsvw.exe -process_name:logonui.exe -process_name:taskhost.exe -process_name:mobsync.exe -process_name:googleupdate.exe -process_name:upd.exe -process_name:audiodg.exe -process_name:wmiprvse.exe -process_name:chrome.exe -process_name:svchost.exe -process_name:backgroundtaskhost.exe -process_name:searchprotocolhost.exe)","ioc_type":"query","ioc_value":"{index_type: events}","link_md5":"https://192.168.191.131/#/binary/CC07C007FA4B9D3B4C69D98DD7CE1C58","link_process":"https://192.168.191.131/#analyze/00000002-0000-3d90-01d5-47c771de9d1c/1","link_sensor":"https://192.168.191.131/#/host/2","md5":"CC07C007FA4B9D3B4C69D98DD7CE1C58","modload_count":66,"netconn_count":0,"os_type":"windows","process_guid":"00000002-0000-3d90-01d5-47c771de9d1c","process_id":"00000002-0000-3d90-01d5-47c771de9d1c","process_name":"taskhostw.exe","process_path":"c:","process_unique_id":"00000002-0000-3d90-01d5-47c771de9d1c-016c490c76fc","regmod_count":1,"report_link":"https://attack.mitre.org/wiki/Technique/T1002","report_score":5,"report_title":"Data Compressed #4","segment_id":"1","sensor_criticality":3.0,"sensor_id":2,"sha256":"d5907d58a3e8a9f5610941d1e281f8dac6437de648ffca08974490fdf7f74acd","status":"Unresolved","timestamp":1564593649.330,"type":"alert.watchlist.hit.ingress.process","unique_id":"bc0309eb-302a-4567-bf36-9080811da106","username":"SYSTEM","watchlist_id":"565652","watchlist_name":"565652"} | str | | |
| hostchain | localhost=192.168.1.1 | str | | |
| tag | edr.carbonblack.alert | str | | |
| raw | 2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.alert: {"alert_severity":3.375,"alert_type":"watchlist.hit.ingress.process","cb_server":"cbserver","childproc_count":0,"comms_ip":"192.168.191.1","computer_name":"laptop-dkojg99e","created_time":"2019-07-31T17:20:49.407402Z","crossproc_count":3,"feed_id":14,"feed_name":"attackframework","feed_rating":3.0,"filemod_count":2,"group":"default group","hostname":"laptop-dkojg99e","interface_ip":"192.168.0.2","ioc_confidence":0.5,"ioc_query_index":"events","ioc_query_string":"(modload:crypt32.dll -process_name:mscorsvw.exe -process_name:logonui.exe -process_name:taskhost.exe -process_name:mobsync.exe -process_name:googleupdate.exe -process_name:upd.exe -process_name:audiodg.exe -process_name:wmiprvse.exe -process_name:chrome.exe -process_name:svchost.exe -process_name:backgroundtaskhost.exe -process_name:searchprotocolhost.exe)","ioc_type":"query","ioc_value":"{index_type: events}","link_md5":"https://192.168.191.131/#/binary/CC07C007FA4B9D3B4C69D98DD7CE1C58","link_process":"https://192.168.191.131/#analyze/00000002-0000-3d90-01d5-47c771de9d1c/1","link_sensor":"https://192.168.191.131/#/host/2","md5":"CC07C007FA4B9D3B4C69D98DD7CE1C58","modload_count":66,"netconn_count":0,"os_type":"windows","process_guid":"00000002-0000-3d90-01d5-47c771de9d1c","process_id":"00000002-0000-3d90-01d5-47c771de9d1c","process_name":"taskhostw.exe","process_path":"c:","process_unique_id":"00000002-0000-3d90-01d5-47c771de9d1c-016c490c76fc","regmod_count":1,"report_link":"https://attack.mitre.org/wiki/Technique/T1002","report_score":5,"report_title":"Data Compressed #4","segment_id":"1","sensor_criticality":3.0,"sensor_id":2,"sha256":"d5907d58a3e8a9f5610941d1e281f8dac6437de648ffca08974490fdf7f74acd","status":"Unresolved","timestamp":1564593649.330,"type":"alert.watchlist.hit.ingress.process","unique_id":"bc0309eb-302a-4567-bf36-9080811da106","username":"SYSTEM","watchlist_id":"565652","watchlist_name":"565652"} | str | | |
| rawMessage | {"alert_severity":3.375,"alert_type":"watchlist.hit.ingress.process","cb_server":"cbserver","childproc_count":0,"comms_ip":"192.168.191.1","computer_name":"laptop-dkojg99e","created_time":"2019-07-31T17:20:49.407402Z","crossproc_count":3,"feed_id":14,"feed_name":"attackframework","feed_rating":3.0,"filemod_count":2,"group":"default group","hostname":"laptop-dkojg99e","interface_ip":"192.168.0.2","ioc_confidence":0.5,"ioc_query_index":"events","ioc_query_string":"(modload:crypt32.dll -process_name:mscorsvw.exe -process_name:logonui.exe -process_name:taskhost.exe -process_name:mobsync.exe -process_name:googleupdate.exe -process_name:upd.exe -process_name:audiodg.exe -process_name:wmiprvse.exe -process_name:chrome.exe -process_name:svchost.exe -process_name:backgroundtaskhost.exe -process_name:searchprotocolhost.exe)","ioc_type":"query","ioc_value":"{index_type: events}","link_md5":"https://192.168.191.131/#/binary/CC07C007FA4B9D3B4C69D98DD7CE1C58","link_process":"https://192.168.191.131/#analyze/00000002-0000-3d90-01d5-47c771de9d1c/1","link_sensor":"https://192.168.191.131/#/host/2","md5":"CC07C007FA4B9D3B4C69D98DD7CE1C58","modload_count":66,"netconn_count":0,"os_type":"windows","process_guid":"00000002-0000-3d90-01d5-47c771de9d1c","process_id":"00000002-0000-3d90-01d5-47c771de9d1c","process_name":"taskhostw.exe","process_path":"c:","process_unique_id":"00000002-0000-3d90-01d5-47c771de9d1c-016c490c76fc","regmod_count":1,"report_link":"https://attack.mitre.org/wiki/Technique/T1002","report_score":5,"report_title":"Data Compressed #4","segment_id":"1","sensor_criticality":3.0,"sensor_id":2,"sha256":"d5907d58a3e8a9f5610941d1e281f8dac6437de648ffca08974490fdf7f74acd","status":"Unresolved","timestamp":1564593649.330,"type":"alert.watchlist.hit.ingress.process","unique_id":"bc0309eb-302a-4567-bf36-9080811da106","username":"SYSTEM","watchlist_id":"565652","watchlist_name":"565652"} | str | | |

edr.carbonblack.binary

2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.binary: {"cb_server": "d6715ecd51", "compressed_size": 80587, "file_path": "02526d248a4d54e1c0d1bef878d442a2d62a8678ec6b37b1acd12c1002526d248a4d54e", "link_md5": "016010f7f7088970cd193454ac856e919061497f16ef59d5ae870d4e016010f7f70", "md5": "6baf467309308b1b9055180d034d3d2c16", "node_id": 83544, "size": 83544, "timestamp": 1564593805.021, "type": "907e77352001196818ffed3d", "event_timestamp": 1397248033.914, "scores": {"alliance_score_virustotal": 72557}, "hostname": "2280f79", "sensor_id": 64283, "watchlists": {"watchlist_7": "2014-02-13T00:30:11.247Z", "watchlist_9": "2014-02-13T00:21:13.009Z"}}

And this is how the logs would be parsed:

| Field | Value | Type | Extra fields |
| --- | --- | --- | --- |
| eventdate | 2016-10-07 13:30:20.930 | timestamp | |
| cb_server | d6715ecd51 | str | |
| md5 | 6baf467309308b1b9055180d034d3d2c16 | str | |
| node_id | 83544 | int4 | |
| file_path | 02526d248a4d54e1c0d1bef878d442a2d62a8678ec6b37b1acd12c1002526d248a4d54e | str | |
| size | 83544 | int4 | |
| compressed_size | 80587 | int4 | |
| link_md5 | 016010f7f7088970cd193454ac856e919061497f16ef59d5ae870d4e016010f7f70 | str | |
| event_timestamp | 1397248033.914 | float8 | |
| type | 907e77352001196818ffed3d | str | |
| timestamp | 1564593805.021 | float8 | |
| scores_alliance_score_virustotal | 72557 | int4 | |
| hostname | 2280f79 | str | |
| sensor_id | 64283 | int4 | |
| watchlists | {"watchlist_7": "2014-02-13T00:30:11.247Z", "watchlist_9": "2014-02-13T00:21:13.009Z"} | str | |
| message | {"cb_server": "d6715ecd51", "compressed_size": 80587, "file_path": "02526d248a4d54e1c0d1bef878d442a2d62a8678ec6b37b1acd12c1002526d248a4d54e", "link_md5": "016010f7f7088970cd193454ac856e919061497f16ef59d5ae870d4e016010f7f70", "md5": "6baf467309308b1b9055180d034d3d2c16", "node_id": 83544, "size": 83544, "timestamp": 1564593805.021, "type": "907e77352001196818ffed3d", "event_timestamp": 1397248033.914, "scores": {"alliance_score_virustotal": 72557}, "hostname": "2280f79", "sensor_id": 64283, "watchlists": {"watchlist_7": "2014-02-13T00:30:11.247Z", "watchlist_9": "2014-02-13T00:21:13.009Z"}} | str | |
| hostchain | localhost=192.168.1.1 | str | |
| tag | edr.carbonblack.binary | str | |
| raw | 2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.binary: {"cb_server": "d6715ecd51", "compressed_size": 80587, "file_path": "02526d248a4d54e1c0d1bef878d442a2d62a8678ec6b37b1acd12c1002526d248a4d54e", "link_md5": "016010f7f7088970cd193454ac856e919061497f16ef59d5ae870d4e016010f7f70", "md5": "6baf467309308b1b9055180d034d3d2c16", "node_id": 83544, "size": 83544, "timestamp": 1564593805.021, "type": "907e77352001196818ffed3d", "event_timestamp": 1397248033.914, "scores": {"alliance_score_virustotal": 72557}, "hostname": "2280f79", "sensor_id": 64283, "watchlists": {"watchlist_7": "2014-02-13T00:30:11.247Z", "watchlist_9": "2014-02-13T00:21:13.009Z"}} | str | |
| rawMessage | {"cb_server": "d6715ecd51", "compressed_size": 80587, "file_path": "02526d248a4d54e1c0d1bef878d442a2d62a8678ec6b37b1acd12c1002526d248a4d54e", "link_md5": "016010f7f7088970cd193454ac856e919061497f16ef59d5ae870d4e016010f7f70", "md5": "6baf467309308b1b9055180d034d3d2c16", "node_id": 83544, "size": 83544, "timestamp": 1564593805.021, "type": "907e77352001196818ffed3d", "event_timestamp": 1397248033.914, "scores": {"alliance_score_virustotal": 72557}, "hostname": "2280f79", "sensor_id": 64283, "watchlists": {"watchlist_7": "2014-02-13T00:30:11.247Z", "watchlist_9": "2014-02-13T00:21:13.009Z"}} | str | |

edr.carbonblack.feed

2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.feed: {"cb_server": "d6715ecd51", "cb_version": "990aae47e31162f848b", "comms_ip": "193.172.50.23", "computer_name": "6b2c4", "docs": [{"alliance_data_attackframework": "43120bf4", "alliance_link_attackframework": "dc19d45d3ec8f8349c5e7f0b6944478b4d7616973b59845", "alliance_score_attackframework": 88119, "alliance_updated_attackframework": "2019-03-15T15:39:53.000Z", "childproc_count": 52372, "cmdline": "ceb113d63f6883166e7f49df0281dc06c2756", "crossproc_count": 52372, "filemod_count": 52372, "host_type": "68a88a672e39e", "last_update": "2014-09-09T18:57:34.267Z", "link_parent": "8d5efd38c7390dc1b29e471be", "link_process": "8d5efd38c7390dc1b29e471be", "link_process_md5": "8d5efd38c7390dc1b29e471be", "modload_count": 21733, "netconn_count": 456, "os_type": "d44c1bfbf", "parent_guid": "c47dd17", "parent_name": "200464adb48058", "parent_pid": 53058, "parent_segment_id": "109", "parent_unique_id": "41284856f03115f04332d9ceb2dc6ffb7682f4995ddabac", "path": "f1866e88e700ddc1c5dfe19a9f80acb4659c", "process_guid": "8ed5", "process_md5": "084ca50629ba181d65fefd3dc627853b0e", "process_name": "b04a297ff40d3", "process_pid": 42343, "process_sha256": "9828845f21c2f09fa277c922c5af57769998ede25aa84892c538a6889828845f21", "regmod_count": 52372, "segment_id": "7846d465ea2a809", "start": "2014-09-09T18:57:34.251Z", "unique_id": "bc637d02641e4eb84ca6b12bc5cc64213a0af2d89a7b5fb", "username": "28fa8e5e7d5517a98b64c9b", "watchlist_659": "5136e26ad738763349d6ab1eb64b8", "parent_md5": "96503c92676ce1a5ef0c3b309c788631", "group": ["0a4b759852e84d6"], "file_version": "223.76.178.28", "product_name": "bff1c3861b87aa39dd0c7e", "is_executable_image": false, "digsig_result": "ee035799e1", "observed_filename": ["49f8f5af4977906fb206f7b32a12daf4dcb370a7f37b581b1ae53f6"], "orig_mod_len": 55888, "company_name": "92a2ffbe3f5bcb1deda7550ad1a5d3", "server_added_timestamp": "2014-09-09T21:00:29.875Z", "internal_name": "5083240", "copied_mod_len": 55888, "product_version": "c4c1d3803d7748b36", "digsig_sign_time": "2010-11-21T00:37:00.000Z", "alliance_score_srstrust": 123, "digsig_result_code": "feb5f41d7a58", "file_desc": "c1092282838ca155bb13d4ee", "endpoint": ["2337d717d1db6e09188"], "legal_copyright": "5115cd1b091e623833d9ebf8a7d971b1db05184a6a75c6218a9052865", "original_filename": "dd3c809c", "is_64bit": false, "md5": "fa30e769889b2b3a80de3b85dffd5386c2", "digsig_publisher": "17bdf0131f101db5683ad81", "hostname": "1e9df001ce69d14ae", "host_count": 24376, "signed": "ee035799e1", "timestamp": "2014-09-09T21:00:29.875Z", "last_seen": "2014-09-09T21:00:29.875Z"}], "feed_id": 79636, "feed_name": "fa7f62422c", "from_feed_search": false, "group": "a9dc77b1f077cf7", "hostname": "1b1290cbe898", "interface_ip": "235.139.28.149", "ioc_attr": {}, "ioc_query_index": "4c2bda17", "ioc_query_string": "34253c5", "ioc_type": "4304f", "ioc_value": "1ba6a105f8e78e1e8389d0ace2c531961e8609d23c78c7329fceff2e1ba6a105f8e78e1e8389d", "link_process": "8d5efd38c7390dc1b29e471be", "link_sensor": "8d5efd38c7390dc1b29e471be", "process_guid": "8ed5", "process_id": "c5dd35dd035adaddef416aa890687b52868e0b", "report_id": "e65d7fee42e817ceee24f3", "report_link": "c267278cd3fa99", "report_score": 88119, "report_title": "0c0fa930c18ec6d85", "segment_id": 24376, "sensor_id": 24376, "server_name": "88d8519671e", "timestamp": 1564594850.07, "type": "f6a703c4ed886f9585cf215e59", "event_timestamp": 1410296635.26, "md5": "d8bc26387899436e4e47d3b904290d48f5", "ioc_attrs": {"highlights": ["e8c9793e1fcc4c8e87be573c767ed9a61f", "fe45f3507e2b419d4f03657a4c96fda982e73dac8d6f16f34bd0575bf"]}}

And this is how the logs would be parsed:

| Field | Value | Type | Source field name | Extra fields |
| --- | --- | --- | --- | --- |
| eventdate | 2016-10-07 13:30:20.930 | timestamp | | |
| cb_server | d6715ecd51 | str | | |
| cb_version | 990aae47e31162f848b | str | | |
| comms_ip | 193.172.50.23 | ip4 | | |
| computer_name | 6b2c4 | str | | |
| docs_alliance_data_attackframework | 43120bf4 | str | | |
| docs_alliance_link_attackframework | dc19d45d3ec8f8349c5e7f0b6944478b4d7616973b59845 | str | | |
| docs_alliance_score_attackframework | 88119 | int4 | | |
| docs_alliance_updated_attackframework | 2019-03-15T15:39:53.000Z | str | | |
| docs_childproc_count | 52372 | int4 | | |
| docs_cmdline | ceb113d63f6883166e7f49df0281dc06c2756 | str | | |
| docs_crossproc_count | 52372 | int4 | | |
| docs_filemod_count | 52372 | int4 | | |
| docs_host_type | 68a88a672e39e | str | | |
| docs_last_update | 2014-09-09T18:57:34.267Z | str | | |
| docs_link_parent | 8d5efd38c7390dc1b29e471be | str | | |
| docs_link_process | 8d5efd38c7390dc1b29e471be | str | | |
| docs_link_process_md5 | 8d5efd38c7390dc1b29e471be | str | | |
| docs_modload_count | 21733 | int4 | | |
| docs_netconn_count | 456 | int4 | | |
| docs_os_type | d44c1bfbf | str | | |
| docs_parent_guid | c47dd17 | str | | |
| docs_parent_name | 200464adb48058 | str | | |
| docs_parent_pid | 53058 | int4 | | |
| docs_parent_segment_id | 109 | str | | |
| docs_parent_unique_id | 41284856f03115f04332d9ceb2dc6ffb7682f4995ddabac | str | | |
| docs_path | f1866e88e700ddc1c5dfe19a9f80acb4659c | str | | |
| docs_process_guid | 8ed5 | str | | |
| docs_process_md5 | 084ca50629ba181d65fefd3dc627853b0e | str | | |
| docs_process_name | b04a297ff40d3 | str | | |
| docs_process_pid | 42343 | int4 | | |
| docs_process_sha256 | 9828845f21c2f09fa277c922c5af57769998ede25aa84892c538a6889828845f21 | str | | |
| docs_regmod_count | 52372 | int4 | | |
| docs_segment_id | 7846d465ea2a809 | str | | |
| docs_start | 2014-09-09T18:57:34.251Z | str | | |
| docs_unique_id | bc637d02641e4eb84ca6b12bc5cc64213a0af2d89a7b5fb | str | | |
| docs_username | 28fa8e5e7d5517a98b64c9b | str | | |
| docs_watchlist_659 | 5136e26ad738763349d6ab1eb64b8 | str | | |
| docs_parent_md5 | 96503c92676ce1a5ef0c3b309c788631 | str | | |
| docs_group | ["0a4b759852e84d6"] | str | | |
| docs_file_version | 223.76.178.28 | ip4 | | |
| docs_product_name | bff1c3861b87aa39dd0c7e | str | | |
| docs_is_executable_image | false | bool | | |
| docs_digsig_result | ee035799e1 | str | | |
| docs_observed_filename | ["49f8f5af4977906fb206f7b32a12daf4dcb370a7f37b581b1ae53f6"] | str | | |
| docs_orig_mod_len | 55888 | int4 | | |
| docs_company_name | 92a2ffbe3f5bcb1deda7550ad1a5d3 | str | | |
| docs_server_added_timestamp | 2014-09-09T21:00:29.875Z | str | | |
| docs_internal_name | 5083240 | str | | |
| docs_copied_mod_len | 55888 | int4 | | |
| docs_product_version | c4c1d3803d7748b36 | str | | |
| docs_digsig_sign_time | 2010-11-21T00:37:00.000Z | str | | |
| docs_alliance_score_srstrust | 123 | int4 | | |
| docs_digsig_result_code | feb5f41d7a58 | str | | |
| docs_file_desc | c1092282838ca155bb13d4ee | str | | |
| docs_endpoint | ["2337d717d1db6e09188"] | str | | |
| docs_legal_copyright | 5115cd1b091e623833d9ebf8a7d971b1db05184a6a75c6218a9052865 | str | | |
| docs_original_filename | dd3c809c | str | | |
| docs_is_64bit | false | bool | | |
| docs_md5 | fa30e769889b2b3a80de3b85dffd5386c2 | str | | |
| docs_digsig_publisher | 17bdf0131f101db5683ad81 | str | | |
| docs_hostname | 1e9df001ce69d14ae | str | | |
| docs_host_count | 24376 | int4 | | |
| docs_signed | ee035799e1 | str | | |
| docs_timestamp | 2014-09-09T21:00:29.875Z | str | | |
| docs_last_seen | 2014-09-09T21:00:29.875Z | str | | |
| feed_id | 79636 | int4 | | |
| feed_name | fa7f62422c | str | | |
| from_feed_search | false | bool | | |
| group2 | a9dc77b1f077cf7 | str | group | |
| hostname | 1b1290cbe898 | str | | |
| interface_ip | 235.139.28.149 | ip4 | | |
| ioc_attr | {} | str | | |
| ioc_query_index | 4c2bda17 | str | | |
| ioc_query_string | 34253c5 | str | | |
| ioc_type | 4304f | str | | |
| ioc_value | 1ba6a105f8e78e1e8389d0ace2c531961e8609d23c78c7329fceff2e1ba6a105f8e78e1e8389d | str | | |
| link_process | 8d5efd38c7390dc1b29e471be | str | | |
| link_sensor | 8d5efd38c7390dc1b29e471be | str | | |
| process_guid | 8ed5 | str | | |
| process_id | c5dd35dd035adaddef416aa890687b52868e0b | str | | |
| report_id | e65d7fee42e817ceee24f3 | str | | |
| report_link | c267278cd3fa99 | str | | |
| report_score | 88119 | int4 | | |
| report_title | 0c0fa930c18ec6d85 | str | | |
| segment_id | 24376 | int4 | | |
| sensor_id | 24376 | int4 | | |
| server_name | 88d8519671e | str | | |
| timestamp | 2019-07-31 17:40:50 | timestamp | | |
| type | f6a703c4ed886f9585cf215e59 | str | | |
| event_timestamp | 2014-09-09 21:03:55 | timestamp | | |
| md5 | d8bc26387899436e4e47d3b904290d48f5 | str | | |
| ioc_attrs | {"highlights": ["e8c9793e1fcc4c8e87be573c767ed9a61f", "fe45f3507e2b419d4f03657a4c96fda982e73dac8d6f16f34bd0575bf"]} | str | | |
| message | {"cb_server": "d6715ecd51", "cb_version": "990aae47e31162f848b", "comms_ip": "193.172.50.23", "computer_name": "6b2c4", "docs": [{"alliance_data_attackframework": "43120bf4", "alliance_link_attackframework": "dc19d45d3ec8f8349c5e7f0b6944478b4d7616973b59845", "alliance_score_attackframework": 88119, "alliance_updated_attackframework": "2019-03-15T15:39:53.000Z", "childproc_count": 52372, "cmdline": "ceb113d63f6883166e7f49df0281dc06c2756", "crossproc_count": 52372, "filemod_count": 52372, "host_type": "68a88a672e39e", "last_update": "2014-09-09T18:57:34.267Z", "link_parent": "8d5efd38c7390dc1b29e471be", "link_process": "8d5efd38c7390dc1b29e471be", "link_process_md5": "8d5efd38c7390dc1b29e471be", "modload_count": 21733, "netconn_count": 456, "os_type": "d44c1bfbf", "parent_guid": "c47dd17", "parent_name": "200464adb48058", "parent_pid": 53058, "parent_segment_id": "109", "parent_unique_id": "41284856f03115f04332d9ceb2dc6ffb7682f4995ddabac", "path": "f1866e88e700ddc1c5dfe19a9f80acb4659c", "process_guid": "8ed5", "process_md5": "084ca50629ba181d65fefd3dc627853b0e", "process_name": "b04a297ff40d3", "process_pid": 42343, "process_sha256": "9828845f21c2f09fa277c922c5af57769998ede25aa84892c538a6889828845f21", "regmod_count": 52372, "segment_id": "7846d465ea2a809", "start": "2014-09-09T18:57:34.251Z", "unique_id": "bc637d02641e4eb84ca6b12bc5cc64213a0af2d89a7b5fb", "username": "28fa8e5e7d5517a98b64c9b", "watchlist_659": "5136e26ad738763349d6ab1eb64b8", "parent_md5": "96503c92676ce1a5ef0c3b309c788631", "group": ["0a4b759852e84d6"], "file_version": "223.76.178.28", "product_name": "bff1c3861b87aa39dd0c7e", "is_executable_image": false, "digsig_result": "ee035799e1", "observed_filename": ["49f8f5af4977906fb206f7b32a12daf4dcb370a7f37b581b1ae53f6"], "orig_mod_len": 55888, "company_name": "92a2ffbe3f5bcb1deda7550ad1a5d3", "server_added_timestamp": "2014-09-09T21:00:29.875Z", "internal_name": "5083240", "copied_mod_len": 55888, "product_version": "c4c1d3803d7748b36", "digsig_sign_time": "2010-11-21T00:37:00.000Z", "alliance_score_srstrust": 123, "digsig_result_code": "feb5f41d7a58", "file_desc": "c1092282838ca155bb13d4ee", "endpoint": ["2337d717d1db6e09188"], "legal_copyright": "5115cd1b091e623833d9ebf8a7d971b1db05184a6a75c6218a9052865", "original_filename": "dd3c809c", "is_64bit": false, "md5": "fa30e769889b2b3a80de3b85dffd5386c2", "digsig_publisher": "17bdf0131f101db5683ad81", "hostname": "1e9df001ce69d14ae", "host_count": 24376, "signed": "ee035799e1", "timestamp": "2014-09-09T21:00:29.875Z", "last_seen": "2014-09-09T21:00:29.875Z"}], "feed_id": 79636, "feed_name": "fa7f62422c", "from_feed_search": false, "group": "a9dc77b1f077cf7", "hostname": "1b1290cbe898", "interface_ip": "235.139.28.149", "ioc_attr": {}, "ioc_query_index": "4c2bda17", "ioc_query_string": "34253c5", "ioc_type": "4304f", "ioc_value": "1ba6a105f8e78e1e8389d0ace2c531961e8609d23c78c7329fceff2e1ba6a105f8e78e1e8389d", "link_process": "8d5efd38c7390dc1b29e471be", "link_sensor": "8d5efd38c7390dc1b29e471be", "process_guid": "8ed5", "process_id": "c5dd35dd035adaddef416aa890687b52868e0b", "report_id": "e65d7fee42e817ceee24f3", "report_link": "c267278cd3fa99", "report_score": 88119, "report_title": "0c0fa930c18ec6d85", "segment_id": 24376, "sensor_id": 24376, "server_name": "88d8519671e", "timestamp": 1564594850.07, "type": "f6a703c4ed886f9585cf215e59", "event_timestamp": 1410296635.26, "md5": "d8bc26387899436e4e47d3b904290d48f5", "ioc_attrs": {"highlights": ["e8c9793e1fcc4c8e87be573c767ed9a61f", "fe45f3507e2b419d4f03657a4c96fda982e73dac8d6f16f34bd0575bf"]}} | str | | |
| hostchain | localhost=192.168.1.1 | str | | |
| tag | edr.carbonblack.feed | str | | |
| raw | 2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.feed: {"cb_server": "d6715ecd51", "cb_version": "990aae47e31162f848b", "comms_ip": "193.172.50.23", "computer_name": "6b2c4", "docs": [{"alliance_data_attackframework": "43120bf4", "alliance_link_attackframework": "dc19d45d3ec8f8349c5e7f0b6944478b4d7616973b59845", "alliance_score_attackframework": 88119, "alliance_updated_attackframework": "2019-03-15T15:39:53.000Z", "childproc_count": 52372, "cmdline": "ceb113d63f6883166e7f49df0281dc06c2756", "crossproc_count": 52372, "filemod_count": 52372, "host_type": "68a88a672e39e", "last_update": "2014-09-09T18:57:34.267Z", "link_parent": "8d5efd38c7390dc1b29e471be", "link_process": "8d5efd38c7390dc1b29e471be", "link_process_md5": "8d5efd38c7390dc1b29e471be", "modload_count": 21733, "netconn_count": 456, "os_type": "d44c1bfbf", "parent_guid": "c47dd17", "parent_name": "200464adb48058", "parent_pid": 53058, "parent_segment_id": "109", "parent_unique_id": "41284856f03115f04332d9ceb2dc6ffb7682f4995ddabac", "path": "f1866e88e700ddc1c5dfe19a9f80acb4659c", "process_guid": "8ed5", "process_md5": "084ca50629ba181d65fefd3dc627853b0e", "process_name": "b04a297ff40d3", "process_pid": 42343, "process_sha256": "9828845f21c2f09fa277c922c5af57769998ede25aa84892c538a6889828845f21", "regmod_count": 52372, "segment_id": "7846d465ea2a809", "start": "2014-09-09T18:57:34.251Z", "unique_id": "bc637d02641e4eb84ca6b12bc5cc64213a0af2d89a7b5fb", "username": "28fa8e5e7d5517a98b64c9b", "watchlist_659": "5136e26ad738763349d6ab1eb64b8", "parent_md5": "96503c92676ce1a5ef0c3b309c788631", "group": ["0a4b759852e84d6"], "file_version": "223.76.178.28", "product_name": "bff1c3861b87aa39dd0c7e", "is_executable_image": false, "digsig_result": "ee035799e1", "observed_filename": ["49f8f5af4977906fb206f7b32a12daf4dcb370a7f37b581b1ae53f6"], "orig_mod_len": 55888, "company_name": "92a2ffbe3f5bcb1deda7550ad1a5d3", "server_added_timestamp": "2014-09-09T21:00:29.875Z", "internal_name": "5083240", "copied_mod_len": 55888, "product_version": "c4c1d3803d7748b36", "digsig_sign_time": "2010-11-21T00:37:00.000Z", "alliance_score_srstrust": 123, "digsig_result_code": "feb5f41d7a58", "file_desc": "c1092282838ca155bb13d4ee", "endpoint": ["2337d717d1db6e09188"], "legal_copyright": "5115cd1b091e623833d9ebf8a7d971b1db05184a6a75c6218a9052865", "original_filename": "dd3c809c", "is_64bit": false, "md5": "fa30e769889b2b3a80de3b85dffd5386c2", "digsig_publisher": "17bdf0131f101db5683ad81", "hostname": "1e9df001ce69d14ae", "host_count": 24376, "signed": "ee035799e1", "timestamp": "2014-09-09T21:00:29.875Z", "last_seen": "2014-09-09T21:00:29.875Z"}], "feed_id": 79636, "feed_name": "fa7f62422c", "from_feed_search": false, "group": "a9dc77b1f077cf7", "hostname": "1b1290cbe898", "interface_ip": "235.139.28.149", "ioc_attr": {}, "ioc_query_index": "4c2bda17", "ioc_query_string": "34253c5", "ioc_type": "4304f", "ioc_value": "1ba6a105f8e78e1e8389d0ace2c531961e8609d23c78c7329fceff2e1ba6a105f8e78e1e8389d", "link_process": "8d5efd38c7390dc1b29e471be", "link_sensor": "8d5efd38c7390dc1b29e471be", "process_guid": "8ed5", "process_id": "c5dd35dd035adaddef416aa890687b52868e0b", "report_id": "e65d7fee42e817ceee24f3", "report_link": "c267278cd3fa99", "report_score": 88119, "report_title": "0c0fa930c18ec6d85", "segment_id": 24376, "sensor_id": 24376, "server_name": "88d8519671e", "timestamp": 1564594850.07, "type": "f6a703c4ed886f9585cf215e59", "event_timestamp": 1410296635.26, "md5": "d8bc26387899436e4e47d3b904290d48f5", "ioc_attrs": {"highlights": ["e8c9793e1fcc4c8e87be573c767ed9a61f", "fe45f3507e2b419d4f03657a4c96fda982e73dac8d6f16f34bd0575bf"]}} | str | | |




edr.carbonblack.ingress

2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.ingress: {"action":"delete","actiontype":4,"cb_server":"cbserver","computer_name":"LAPTOP-DKOJG99E","event_type":"filemod","filetype":0,"filetype_name":"Unknown","link_process":"https://192.168.191.131/analyze/00000002-0000-3d50-01d5-47a7e06b40d2/0","link_sensor":"https://192.168.191.131/host/2","md5":"3B346AB31AC51B6A1643CBD5E697C747","path":"c","pid":15696,"process_guid":"00000002-0000-3d50-01d5-47a7e06b40d2","process_path":"c","sensor_id":2,"sha256":"33DAB30AAD320BE105F10DF7DD9FF62E6AD72671B64EA0C9FD8B4FA9091C348C","tamper":false,"tamper_sent":false,"timestamp":1564596522,"type":"ingress.event.filemod","parent_pid":15696}
2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.ingress: {"action": "writeval","actiontype": 2,"cb_server": "cbserver","computer_name": "JASON-WIN81-VM","event_type": "regmod","link_process": "https://cbtests/#analyze/00000001-0000-0484-01d1-1e951b7c000b/1","link_sensor": "https://cbtests/#/host/1","md5": "0E7196981EDE614F1F54FFF2C3843ADF","path": "stillalive","pid": 1156,"process_guid": "00000001-0000-0484-01d1-1e951b7c000b","sensor_id": 1,"timestamp": 1447696798,"type": "ingress.event.regmod"}
2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.ingress: {"action": "create","actiontype": 1,"cb_server": "cbserver","computer_name": "JASON-WIN81-VM","event_type": "filemod","filetype": 0,"filetype_name": "Unknown","link_process": "https://cbtests/#analyze/00000001-0000-0c70-01d1-1e951aae7e2f/1","link_sensor": "https://cbtests/#/host/1","md5": "7A2870C2A8283B3630BF7670D0362B94","path": "b5e2.tmp","pid": 3184,"process_guid": "00000001-0000-0c70-01d1-1e951aae7e2f","sensor_id": 1,"timestamp": 1447696804,"type": "ingress.event.filemod"}

And this is how the logs would be parsed:

Field | Value | Type | Extra fields
eventdate | 2016-10-07 13:30:20.930 | timestamp |
action | delete | str |
actiontype | 4 | int4 |
cb_server | cbserver | str |
computer_name | LAPTOP-DKOJG99E | str |
event_type | filemod | str |
filetype | 0 | int4 |
filetype_name | Unknown | str |
link_process | https://192.168.191.131/analyze/00000002-0000-3d50-01d5-47a7e06b40d2/0 | str |
link_sensor | https://192.168.191.131/host/2 | str |
md5 | 3B346AB31AC51B6A1643CBD5E697C747 | str |
path | c | str |
pid | 15696 | int4 |
process_guid | 00000002-0000-3d50-01d5-47a7e06b40d2 | str |
process_path | c | str |
sensor_id | 2 | int4 |
sha256 | 33DAB30AAD320BE105F10DF7DD9FF62E6AD72671B64EA0C9FD8B4FA9091C348C | str |
tamper | false | bool |
tamper_sent | false | bool |
timestamp | 2019-07-31 18:08:42.000 | timestamp |
type | ingress.event.filemod | str |
direction | null | str |
domain | null | str |
ipv4 | null | ip4 |
port | null | int4 |
local_ip | null | str |
local_port | null | int4 |
protocol | null | int4 |
remote_ip | null | str |
remote_port | null | int4 |
child_process_guid | null | str |
created | null | bool |
link_child | null | str |
command_line | null | str |
expect_followon_w_md5 | null | bool |
link_parent | null | str |
parent_create_time | null | timestamp |
parent_md5 | null | str |
parent_path | null | str |
parent_process_guid | null | str |
username | null | str |
cross_process_type | null | str |
is_target | null | bool |
link_target | null | str |
requested_access | null | int4 |
target_create_time | null | int8 |
target_md5 | null | str |
target_path | null | str |
target_pid | null | int4 |
target_process_guid | null | str |
blocked | null | bool |
emet_timestamp | null | int8 |
log_id | null | int4 |
log_message | null | str |
mitigation | null | str |
blocked_event | null | str |
blocked_reason | null | str |
blocked_result | null | str |
uid | null | str |
tamper_type | null | str |
parent_pid | 15696 | int4 |
message | {"action":"delete","actiontype":4,"cb_server":"cbserver","computer_name":"LAPTOP-DKOJG99E","event_type":"filemod","filetype":0,"filetype_name":"Unknown","link_process":"https://192.168.191.131/analyze/00000002-0000-3d50-01d5-47a7e06b40d2/0","link_sensor":"https://192.168.191.131/host/2","md5":"3B346AB31AC51B6A1643CBD5E697C747","path":"c","pid":15696,"process_guid":"00000002-0000-3d50-01d5-47a7e06b40d2","process_path":"c","sensor_id":2,"sha256":"33DAB30AAD320BE105F10DF7DD9FF62E6AD72671B64EA0C9FD8B4FA9091C348C","tamper":false,"tamper_sent":false,"timestamp":1564596522,"type":"ingress.event.filemod","parent_pid":15696} | str |
hostchain | localhost=192.168.1.1 | str |
tag | edr.carbonblack.ingress | str |
raw | 2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.ingress: {"action":"delete","actiontype":4,"cb_server":"cbserver","computer_name":"LAPTOP-DKOJG99E","event_type":"filemod","filetype":0,"filetype_name":"Unknown","link_process":"https://192.168.191.131/analyze/00000002-0000-3d50-01d5-47a7e06b40d2/0","link_sensor":"https://192.168.191.131/host/2","md5":"3B346AB31AC51B6A1643CBD5E697C747","path":"c","pid":15696,"process_guid":"00000002-0000-3d50-01d5-47a7e06b40d2","process_path":"c","sensor_id":2,"sha256":"33DAB30AAD320BE105F10DF7DD9FF62E6AD72671B64EA0C9FD8B4FA9091C348C","tamper":false,"tamper_sent":false,"timestamp":1564596522,"type":"ingress.event.filemod","parent_pid":15696} | str |
rawMessage | {"action":"delete","actiontype":4,"cb_server":"cbserver","computer_name":"LAPTOP-DKOJG99E","event_type":"filemod","filetype":0,"filetype_name":"Unknown","link_process":"https://192.168.191.131/analyze/00000002-0000-3d50-01d5-47a7e06b40d2/0","link_sensor":"https://192.168.191.131/host/2","md5":"3B346AB31AC51B6A1643CBD5E697C747","path":"c","pid":15696,"process_guid":"00000002-0000-3d50-01d5-47a7e06b40d2","process_path":"c","sensor_id":2,"sha256":"33DAB30AAD320BE105F10DF7DD9FF62E6AD72671B64EA0C9FD8B4FA9091C348C","tamper":false,"tamper_sent":false,"timestamp":1564596522,"type":"ingress.event.filemod","parent_pid":15696} | str |

edr.carbonblack.watchlist

2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.watchlist: {"cb_server": "d6715ecd51", "cb_version": "ad13bd5aecbc41d30", "docs": [{"cb_version": 90705, "comments": "e3440dff8ae8cf7", "company_name": "17bdf0131f101db5683ad81", "copied_mod_len": 26102, "digsig_result": "7275bbbc", "digsig_result_code": "6f7", "endpoint": ["e8e7a411ef180"], "event_partition_id": [1661220057], "facet_id": 42276, "file_desc": "4b6d8ee0bfeb379b", "file_version": "2a6a7fda09bbd6c2435f4bbf36825a6fbeb92cbc7c", "group": ["0a4b759852e84d6"], "host_count": 24376, "internal_name": "039ad0332017", "is_64bit": true, "is_executable_image": false, "last_seen": "2019-07-31T17:26:52.465Z", "legal_copyright": "4b53f173362315a9eaf0bdec373b84eb9b291421e0c92", "link_md5": "3f33acd74af24c70faf030bf40e667ba151042be5996274fa13b2f643f33acd74", "md5": "e78a432e60b5687b0b789c5016385aa6e1", "observed_filename": ["24e900b963ce7d5090b903b2102573fcd72f3"], "orig_mod_len": 26102, "original_filename": "303bce761820dd", "os_type": "44a48cd13", "private_build": "d89ae68062", "product_name": "5391496cdf88f98c830e4f601b7abb6ef4a0", "product_version": "5c20837a532a0793", "server_added_timestamp": "2014-08-09T11:19:04.009Z", "sha256": "887d7d0eedb051e315ed767437a87fa364cb89bb7af4efcffd7b13d0887d7d0eed", "signed": "7275bbbc", "timestamp": "2014-08-09T11:19:04.009Z", "process_md5": "c42c57209b7b57ad4f5b2d0ea81c2f7e74", "sensor_id": 24376, "modload_count": 34640, "parent_unique_id": "08438fcb29eebd4a0268a5d690211d9575b958437af0bfb", "cmdline": "2f579333d6af950e8c40645ef103feec407bc3", "filemod_count": 52372, "id": "829ce298d1afe50f74f3bb65e6abff07a3ce49", "parent_name": "200464adb48058", "parent_md5": "a0e099270ceb2b47271a3a7020c2d40492", "hostname": "2c2a5498095", "last_update": "2014-08-08T15:15:47.544Z", "start": "2014-08-08T15:15:42.193Z", "regmod_count": 71334, "process_pid": 12971, "username": "ea22c7e9e6458ab1e6", "process_name": "f9f145c3bc4", "path": "2f579333d6af950e8c40645ef103feec407bc3", "netconn_count": 24376, "parent_pid": 74806, "segment_id": 24376, "host_type": "68a88a672e39e", "childproc_count": 52372, "unique_id": "0005b8ade9ec26f64aa2743c0d6efcb60b4704543947b37", "digsig_sign_time": "2010-11-21T00:37:00Z", "digsig_publisher": "17bdf0131f101db5683ad81"}], "highlights_by_doc": {}, "server_name": "3975ee7013cf489787bbe56", "timestamp": 1564594807.517112, "type": "919b082ad54e66c904d1f2", "watchlist_id": 28972, "watchlist_name": "fc69fcc2394", "event_timestamp": 1407583203.5}

And this is how the logs would be parsed:

Field | Value | Type | Extra fields
eventdate | 2016-10-07 13:30:20.930 | timestamp |
cb_server | d6715ecd51 | str |
cb_version | ad13bd5aecbc41d30 | str |
docs_cb_version | 90705 | int4 |
docs_comments | e3440dff8ae8cf7 | str |
docs_company_name | 17bdf0131f101db5683ad81 | str |
docs_copied_mod_len | 26102 | int4 |
docs_digsig_result | 7275bbbc | str |
docs_digsig_result_code | 6f7 | str |
docs_endpoint | ["e8e7a411ef180"] | str |
docs_event_partition_id | [1661220057] | str |
docs_facet_id | 42276 | int4 |
docs_file_desc | 4b6d8ee0bfeb379b | str |
docs_file_version | 2a6a7fda09bbd6c2435f4bbf36825a6fbeb92cbc7c | str |
docs_group | ["0a4b759852e84d6"] | str |
docs_host_count | 24376 | int4 |
docs_internal_name | 039ad0332017 | str |
docs_is_64bit | true | bool |
docs_is_executable_image | false | bool |
docs_last_seen | 2019-07-31T17:26:52.465Z | str |
docs_legal_copyright | 4b53f173362315a9eaf0bdec373b84eb9b291421e0c92 | str |
docs_link_md5 | 3f33acd74af24c70faf030bf40e667ba151042be5996274fa13b2f643f33acd74 | str |
docs_md5 | e78a432e60b5687b0b789c5016385aa6e1 | str |
docs_observed_filename | ["24e900b963ce7d5090b903b2102573fcd72f3"] | str |
docs_orig_mod_len | 26102 | int4 |
docs_original_filename | 303bce761820dd | str |
docs_os_type | 44a48cd13 | str |
docs_private_build | d89ae68062 | str |
docs_product_name | 5391496cdf88f98c830e4f601b7abb6ef4a0 | str |
docs_product_version | 5c20837a532a0793 | str |
docs_server_added_timestamp | 2014-08-09T11:19:04.009Z | str |
docs_sha256 | 887d7d0eedb051e315ed767437a87fa364cb89bb7af4efcffd7b13d0887d7d0eed | str |
docs_signed | 7275bbbc | str |
docs_timestamp | 2014-08-09T11:19:04.009Z | str |
docs_process_md5 | c42c57209b7b57ad4f5b2d0ea81c2f7e74 | str |
docs_sensor_id | 24376 | int4 |
docs_modload_count | 34640 | int4 |
docs_parent_unique_id | 08438fcb29eebd4a0268a5d690211d9575b958437af0bfb | str |
docs_cmdline | 2f579333d6af950e8c40645ef103feec407bc3 | str |
docs_filemod_count | 52372 | int4 |
docs_id | 829ce298d1afe50f74f3bb65e6abff07a3ce49 | str |
docs_parent_name | 200464adb48058 | str |
docs_parent_md5 | a0e099270ceb2b47271a3a7020c2d40492 | str |
docs_hostname | 2c2a5498095 | str |
docs_last_update | 2014-08-08T15:15:47.544Z | str |
docs_start | 2014-08-08T15:15:42.193Z | str |
docs_regmod_count | 71334 | int4 |
docs_process_pid | 12971 | int4 |
docs_username | ea22c7e9e6458ab1e6 | str |
docs_process_name | f9f145c3bc4 | str |
docs_path | 2f579333d6af950e8c40645ef103feec407bc3 | str |
docs_netconn_count | 24376 | int4 |
docs_parent_pid | 74806 | int4 |
docs_segment_id | 24376 | int4 |
docs_host_type | 68a88a672e39e | str |
docs_childproc_count | 52372 | int4 |
docs_unique_id | 0005b8ade9ec26f64aa2743c0d6efcb60b4704543947b37 | str |
docs_digsig_sign_time | 2010-11-21T00:37:00Z | str |
docs_digsig_publisher | 17bdf0131f101db5683ad81 | str |
highlights_by_doc | {} | str |
server_name | 3975ee7013cf489787bbe56 | str |
timestamp | 2019-07-31 17:40:07.517 | timestamp |
type | 919b082ad54e66c904d1f2 | str |
watchlist_id | 28972 | int4 |
watchlist_name | fc69fcc2394 | str |
event_timestamp | 2014-08-09 11:20:03.000 | timestamp |
message | {"cb_server": "d6715ecd51", "cb_version": "ad13bd5aecbc41d30", "docs": [{"cb_version": 90705, "comments": "e3440dff8ae8cf7", "company_name": "17bdf0131f101db5683ad81", "copied_mod_len": 26102, "digsig_result": "7275bbbc", "digsig_result_code": "6f7", "endpoint": ["e8e7a411ef180"], "event_partition_id": [1661220057], "facet_id": 42276, "file_desc": "4b6d8ee0bfeb379b", "file_version": "2a6a7fda09bbd6c2435f4bbf36825a6fbeb92cbc7c", "group": ["0a4b759852e84d6"], "host_count": 24376, "internal_name": "039ad0332017", "is_64bit": true, "is_executable_image": false, "last_seen": "2019-07-31T17:26:52.465Z", "legal_copyright": "4b53f173362315a9eaf0bdec373b84eb9b291421e0c92", "link_md5": "3f33acd74af24c70faf030bf40e667ba151042be5996274fa13b2f643f33acd74", "md5": "e78a432e60b5687b0b789c5016385aa6e1", "observed_filename": ["24e900b963ce7d5090b903b2102573fcd72f3"], "orig_mod_len": 26102, "original_filename": "303bce761820dd", "os_type": "44a48cd13", "private_build": "d89ae68062", "product_name": "5391496cdf88f98c830e4f601b7abb6ef4a0", "product_version": "5c20837a532a0793", "server_added_timestamp": "2014-08-09T11:19:04.009Z", "sha256": "887d7d0eedb051e315ed767437a87fa364cb89bb7af4efcffd7b13d0887d7d0eed", "signed": "7275bbbc", "timestamp": "2014-08-09T11:19:04.009Z", "process_md5": "c42c57209b7b57ad4f5b2d0ea81c2f7e74", "sensor_id": 24376, "modload_count": 34640, "parent_unique_id": "08438fcb29eebd4a0268a5d690211d9575b958437af0bfb", "cmdline": "2f579333d6af950e8c40645ef103feec407bc3", "filemod_count": 52372, "id": "829ce298d1afe50f74f3bb65e6abff07a3ce49", "parent_name": "200464adb48058", "parent_md5": "a0e099270ceb2b47271a3a7020c2d40492", "hostname": "2c2a5498095", "last_update": "2014-08-08T15:15:47.544Z", "start": "2014-08-08T15:15:42.193Z", "regmod_count": 71334, "process_pid": 12971, "username": "ea22c7e9e6458ab1e6", "process_name": "f9f145c3bc4", "path": "2f579333d6af950e8c40645ef103feec407bc3", "netconn_count": 24376, "parent_pid": 74806, "segment_id": 24376, "host_type": "68a88a672e39e", "childproc_count": 52372, "unique_id": "0005b8ade9ec26f64aa2743c0d6efcb60b4704543947b37", "digsig_sign_time": "2010-11-21T00:37:00Z", "digsig_publisher": "17bdf0131f101db5683ad81"}], "highlights_by_doc": {}, "server_name": "3975ee7013cf489787bbe56", "timestamp": 1564594807.517112, "type": "919b082ad54e66c904d1f2", "watchlist_id": 28972, "watchlist_name": "fc69fcc2394", "event_timestamp": 1407583203.5} | str |
hostchain | localhost=192.168.1.1 | str |
tag | edr.carbonblack.watchlist | str |
raw | 2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.watchlist: {"cb_server": "d6715ecd51", "cb_version": "ad13bd5aecbc41d30", "docs": [{"cb_version": 90705, "comments": "e3440dff8ae8cf7", "company_name": "17bdf0131f101db5683ad81", "copied_mod_len": 26102, "digsig_result": "7275bbbc", "digsig_result_code": "6f7", "endpoint": ["e8e7a411ef180"], "event_partition_id": [1661220057], "facet_id": 42276, "file_desc": "4b6d8ee0bfeb379b", "file_version": "2a6a7fda09bbd6c2435f4bbf36825a6fbeb92cbc7c", "group": ["0a4b759852e84d6"], "host_count": 24376, "internal_name": "039ad0332017", "is_64bit": true, "is_executable_image": false, "last_seen": "2019-07-31T17:26:52.465Z", "legal_copyright": "4b53f173362315a9eaf0bdec373b84eb9b291421e0c92", "link_md5": "3f33acd74af24c70faf030bf40e667ba151042be5996274fa13b2f643f33acd74", "md5": "e78a432e60b5687b0b789c5016385aa6e1", "observed_filename": ["24e900b963ce7d5090b903b2102573fcd72f3"], "orig_mod_len": 26102, "original_filename": "303bce761820dd", "os_type": "44a48cd13", "private_build": "d89ae68062", "product_name": "5391496cdf88f98c830e4f601b7abb6ef4a0", "product_version": "5c20837a532a0793", "server_added_timestamp": "2014-08-09T11:19:04.009Z", "sha256": "887d7d0eedb051e315ed767437a87fa364cb89bb7af4efcffd7b13d0887d7d0eed", "signed": "7275bbbc", "timestamp": "2014-08-09T11:19:04.009Z", "process_md5": "c42c57209b7b57ad4f5b2d0ea81c2f7e74", "sensor_id": 24376, "modload_count": 34640, "parent_unique_id": "08438fcb29eebd4a0268a5d690211d9575b958437af0bfb", "cmdline": "2f579333d6af950e8c40645ef103feec407bc3", "filemod_count": 52372, "id": "829ce298d1afe50f74f3bb65e6abff07a3ce49", "parent_name": "200464adb48058", "parent_md5": "a0e099270ceb2b47271a3a7020c2d40492", "hostname": "2c2a5498095", "last_update": "2014-08-08T15:15:47.544Z", "start": "2014-08-08T15:15:42.193Z", "regmod_count": 71334, "process_pid": 12971, "username": "ea22c7e9e6458ab1e6", "process_name": "f9f145c3bc4", "path": "2f579333d6af950e8c40645ef103feec407bc3", "netconn_count": 24376, "parent_pid": 74806, "segment_id": 24376, "host_type": "68a88a672e39e", "childproc_count": 52372, "unique_id": "0005b8ade9ec26f64aa2743c0d6efcb60b4704543947b37", "digsig_sign_time": "2010-11-21T00:37:00Z", "digsig_publisher": "17bdf0131f101db5683ad81"}], "highlights_by_doc": {}, "server_name": "3975ee7013cf489787bbe56", "timestamp": 1564594807.517112, "type": "919b082ad54e66c904d1f2", "watchlist_id": 28972, "watchlist_name": "fc69fcc2394", "event_timestamp": 1407583203.5} | str |
rawMessage | {"cb_server": "d6715ecd51", "cb_version": "ad13bd5aecbc41d30", "docs": [{"cb_version": 90705, "comments": "e3440dff8ae8cf7", "company_name": "17bdf0131f101db5683ad81", "copied_mod_len": 26102, "digsig_result": "7275bbbc", "digsig_result_code": "6f7", "endpoint": ["e8e7a411ef180"], "event_partition_id": [1661220057], "facet_id": 42276, "file_desc": "4b6d8ee0bfeb379b", "file_version": "2a6a7fda09bbd6c2435f4bbf36825a6fbeb92cbc7c", "group": ["0a4b759852e84d6"], "host_count": 24376, "internal_name": "039ad0332017", "is_64bit": true, "is_executable_image": false, "last_seen": "2019-07-31T17:26:52.465Z", "legal_copyright": "4b53f173362315a9eaf0bdec373b84eb9b291421e0c92", "link_md5": "3f33acd74af24c70faf030bf40e667ba151042be5996274fa13b2f643f33acd74", "md5": "e78a432e60b5687b0b789c5016385aa6e1", "observed_filename": ["24e900b963ce7d5090b903b2102573fcd72f3"], "orig_mod_len": 26102, "original_filename": "303bce761820dd", "os_type": "44a48cd13", "private_build": "d89ae68062", "product_name": "5391496cdf88f98c830e4f601b7abb6ef4a0", "product_version": "5c20837a532a0793", "server_added_timestamp": "2014-08-09T11:19:04.009Z", "sha256": "887d7d0eedb051e315ed767437a87fa364cb89bb7af4efcffd7b13d0887d7d0eed", "signed": "7275bbbc", "timestamp": "2014-08-09T11:19:04.009Z", "process_md5": "c42c57209b7b57ad4f5b2d0ea81c2f7e74", "sensor_id": 24376, "modload_count": 34640, "parent_unique_id": "08438fcb29eebd4a0268a5d690211d9575b958437af0bfb", "cmdline": "2f579333d6af950e8c40645ef103feec407bc3", "filemod_count": 52372, "id": "829ce298d1afe50f74f3bb65e6abff07a3ce49", "parent_name": "200464adb48058", "parent_md5": "a0e099270ceb2b47271a3a7020c2d40492", "hostname": "2c2a5498095", "last_update": "2014-08-08T15:15:47.544Z", "start": "2014-08-08T15:15:42.193Z", "regmod_count": 71334, "process_pid": 12971, "username": "ea22c7e9e6458ab1e6", "process_name": "f9f145c3bc4", "path": "2f579333d6af950e8c40645ef103feec407bc3", "netconn_count": 24376, "parent_pid": 74806, "segment_id": 24376, "host_type": "68a88a672e39e", "childproc_count": 52372, "unique_id": "0005b8ade9ec26f64aa2743c0d6efcb60b4704543947b37", "digsig_sign_time": "2010-11-21T00:37:00Z", "digsig_publisher": "17bdf0131f101db5683ad81"}], "highlights_by_doc": {}, "server_name": "3975ee7013cf489787bbe56", "timestamp": 1564594807.517112, "type": "919b082ad54e66c904d1f2", "watchlist_id": 28972, "watchlist_name": "fc69fcc2394", "event_timestamp": 1407583203.5} | str |
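The ingress and watchlist tables above follow one parsing convention: the syslog envelope is split into eventdate, hostchain, tag and message; top-level JSON keys become columns of the same name; the first entry of the watchlist docs array is promoted to docs_-prefixed columns; numeric epoch fields (timestamp, event_timestamp) are rendered as Devo timestamps; and arrays or objects are kept as JSON text typed str. The following Python is an added example that reproduces that convention offline so a detection engineer can check what a column will contain before writing a query. It is not Devo's parser and not Carbon Black code. It assumes: the ingress input is the page's first edr.carbonblack.ingress sample, unchanged; the watchlist input is a constructed line trimmed from the page's sample (same shape, fewer docs fields); and devo_type is a simplified version of the page's Type column (the page also uses int8 and ip4 for fields these samples leave null).

```python
import json
import re
from datetime import datetime, timezone

# Syslog envelope as shown in the samples: "<eventdate> <hostchain> <tag>: <json>"
ENVELOPE = re.compile(
    r"^(?P<eventdate>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<hostchain>\S+) (?P<tag>edr\.carbonblack\.[a-z]+): (?P<message>\{.*\})$"
)

# Top-level numeric epoch fields that the tables render as Devo timestamps
EPOCH_FIELDS = {"timestamp", "event_timestamp"}

# The page's first edr.carbonblack.ingress sample, unchanged
INGRESS_SAMPLE = (
    '2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.ingress: '
    '{"action":"delete","actiontype":4,"cb_server":"cbserver","computer_name":"LAPTOP-DKOJG99E",'
    '"event_type":"filemod","filetype":0,"filetype_name":"Unknown",'
    '"link_process":"https://192.168.191.131/analyze/00000002-0000-3d50-01d5-47a7e06b40d2/0",'
    '"link_sensor":"https://192.168.191.131/host/2","md5":"3B346AB31AC51B6A1643CBD5E697C747",'
    '"path":"c","pid":15696,"process_guid":"00000002-0000-3d50-01d5-47a7e06b40d2","process_path":"c",'
    '"sensor_id":2,"sha256":"33DAB30AAD320BE105F10DF7DD9FF62E6AD72671B64EA0C9FD8B4FA9091C348C",'
    '"tamper":false,"tamper_sent":false,"timestamp":1564596522,"type":"ingress.event.filemod",'
    '"parent_pid":15696}'
)

# Constructed watchlist line: trimmed from the page's sample, same structure, fewer docs fields
WATCHLIST_SAMPLE = (
    '2016-10-07 13:30:20.930 localhost=192.168.1.1 edr.carbonblack.watchlist: '
    '{"cb_server": "d6715ecd51", "cb_version": "ad13bd5aecbc41d30", '
    '"docs": [{"cb_version": 90705, "endpoint": ["e8e7a411ef180"], "is_64bit": true, '
    '"sensor_id": 24376, "timestamp": "2014-08-09T11:19:04.009Z", "process_pid": 12971}], '
    '"highlights_by_doc": {}, "server_name": "3975ee7013cf489787bbe56", '
    '"timestamp": 1564594807.517112, "watchlist_id": 28972, "event_timestamp": 1407583203.5}'
)


def epoch_to_devo(value):
    """Render a Unix epoch (seconds, possibly fractional) as 'YYYY-MM-DD HH:MM:SS.mmm' in UTC."""
    dt = datetime.fromtimestamp(float(value), tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S") + f".{dt.microsecond // 1000:03d}"


def render(column, value):
    """Column value as the tables show it: epochs become timestamps, containers become JSON text."""
    if column in EPOCH_FIELDS and isinstance(value, (int, float)) and not isinstance(value, bool):
        return epoch_to_devo(value)
    if isinstance(value, (list, dict)):
        return json.dumps(value)
    return value


def flatten(payload):
    """Promote the first 'docs' hit to docs_<field> columns; every other key stays top level."""
    row = {}
    for key, value in payload.items():
        if key == "docs" and isinstance(value, list) and value:
            for dkey, dvalue in value[0].items():
                column = f"docs_{dkey}"
                row[column] = render(column, dvalue)
        else:
            row[key] = render(key, value)
    return row


def parse_line(line):
    """Split the envelope, parse the JSON payload and add the columns every table on the page has."""
    m = ENVELOPE.match(line)
    if m is None:
        raise ValueError("not an edr.carbonblack syslog line")
    message = m.group("message")
    row = {"eventdate": m.group("eventdate")}
    row.update(flatten(json.loads(message)))
    row["message"] = message
    row["hostchain"] = m.group("hostchain")
    row["tag"] = m.group("tag")
    row["raw"] = line
    row["rawMessage"] = message
    return row


def devo_type(column, value):
    """Simplified Type column (assumption: the page also uses int8 and ip4 for null-only fields)."""
    if column == "eventdate" or column in EPOCH_FIELDS:
        return "timestamp"
    if isinstance(value, bool):
        return "bool"
    if isinstance(value, int):
        return "int4"
    return "str"


def parse_ingress():
    return parse_line(INGRESS_SAMPLE)


def parse_watchlist():
    return parse_line(WATCHLIST_SAMPLE)


if __name__ == "__main__":
    for row in (parse_ingress(), parse_watchlist()):
        for column, value in row.items():
            if column not in ("message", "raw", "rawMessage"):
                print(f"{column} | {value} | {devo_type(column, value)}")
        print()
```

One caveat the watchlist table makes visible: the page renders event_timestamp 1407583203.5 as 2014-08-09 11:20:03.000, while this example keeps the fractional part (11:20:03.500). When correlating a watchlist hit against other sources, treat the sub-second part of event_timestamp as unreliable and join on process_guid or unique_id instead.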