This table lists all Discovery events and their unique subtypes specific to this release of App Control.
Subtype | ID No. | Severity | Example Descriptions/Comments | |
---|---|---|---|---|
Banned file written to computer | 1004 | Warning | Computer $computer$ discovered new banned file '$filePathAndName$' [$hash$]. | |
Certificate added | 1013 | Info | Certificate '$param1$' was added by user '$username$'. | |
Certificate checked | 1014 | Info | Computer $computer$ reported that certificate used to sign file ‘$filePathAndName$’ is invalid. Error: 0x$param1$<br>Computer $computer$ reported that certificate used to counter-sign file ‘$filePathAndName$’ is invalid. Error: 0x$param1$<br>Server detected that certificate ‘$param2$’ is invalid. Error: 0x$param1$<br>Agent detected that certificate ‘$param2$’ is valid.<br>Agent detected that certificate ‘$param2$’ is invalid. Error: 0x$param1$<br>Server checked certificate ‘$param2$’ for errors. Error flags: 0x$param1$<br>Agent has not been able to verify if certificate ‘$param2$’ is valid.<br>Note: “Invalid” for this event means that it has an error according to the Microsoft CryptoAPI. | |
Certificate revocation | 1011 | Warning | Computer $computer$ detected revocation of certificate ‘$param2$’ on file ‘$filePathAndName$’ Error: $param1$<br>Note: This event is for file-signing certificates. | |
Device attached | 1009 | Info | Device '$param1$' was attached as drive '$param2$'. Interactive user at the time: '$username$'. | |
Device detached | 1010 | Info | Device '$param1$' was detached as drive '$param2$'. Interactive user at the time: '$username$'. | |
External notification | 1099 | Info | $Provider$ reported $notificationType$ with name $malwareName$ for file $filename$ from $sourceName$[$source_ipaddress$] to $destName$[$dest_ipaddress$]. Found on $num_endpoints$ endpoints.<br>$Provider$ reported no threat for file ‘$filename$’. Found on $num_endpoints$ endpoints. | |
File discovered (browser download) | 1020 | Info | The file '$filePathAndName$' [$hash$] was downloaded by the browser $process$. $param1$ | |
File discovered (email attachment) | 1021 | Info | The file '$filePathAndName$' [$hash$] was created by the email client $process$. $param1$ | |
File group created | 1001 | Info | Installation group was created for the file '$filePathAndName$' [$hash$]. | |
First execution on network | 1007 | Info | File '$filePathAndName$' with hash [$hash$] was executed for the first time. | |
Malicious file detected | 1201 | Critical | Unknown file '$fileName$' [$hash$] was identified by $provider$ as malicious.<br>File '$fileName$' [$hash$] was identified by $provider$ as malicious.<br>File '$fileName$' [$hash$] was identified by Carbon Black File Reputation as a malicious file.<br>Note: Standard external providers are Check Point, Palo Alto Networks, or Microsoft. Other providers might be added through the App Control API. | |
New certificate on network | 1012 | Info | Server discovered new certificate $SubjectName$.<br>Note: This event is for file-signing certificates. | |
New device found | 1008 | Notice | A new device '$deviceName$' was mounted as drive '$drive$'. Interactive user at the time: '$username$'. | |
New file on network | 1005 | Info | Server discovered new file '$filePathAndName$' with hash [$hash$]. | |
New publisher found | 1000 | Notice | New publisher ‘$publisherName$’ was added. | |
New unapproved file to computer | 1003 | Notice | Computer $computer$ discovered new file '$filePathAndName$' [$hash$]. | |
Potential risk file detected | 1200 | Warning | Unknown file '$filename$' [$hash$] was identified by $provider$ as a potential risk.<br>File '$filename$' [$hash$] was identified by $provider$ as a potential risk.<br>File '$filename$' [$hash$] was identified by Cb Reputation as a potential risk.<br>Note: Standard external providers are Check Point, FireEye, Palo Alto Networks or Microsoft. Other providers might be added through the Carbon Black App Control API. | |
Service created | 1015 | Info | '$computer$' detected the creation of a new service: $servicename$. | |
Service deleted | 1016 | Info | '$computer$' detected the deletion of a service: $servicename$. | |
Suspicious file found | 1022 | Info | Computer $computer$ detected a suspicious file '$filePathAndName$' [$hash$]: $param1$<br>Note: This event subtype appears when App Control detects an MSI file that has data appended after the signature. | |