The Carbon Black Cloud Log Source Type normalizes Carbon Black Cloud data into a format that QRadar can index. The following table provides the full QRadar to Carbon Black Cloud field mapping.
QRadar to Carbon Black Cloud Field Mapping
| QRadar Field | Carbon Black Cloud Field |
|---|---|
| Action | action |
| Additional Events Present | additional_events_present |
| Alert Blocked Threat Category | blocked_threat_category |
| Alert C2 Involved | threat_activity_c2 |
| Alert Category | category |
| Alert DLP Involved | threat_activity_dlp |
| Alert First Event Time | first_event_time |
| Alert ID | id, alert_id |
| Alert Last Event Time | last_event_time |
| Alert Last Update Time | last_update_time |
| Alert Not Blocked Threat Category | not_blocked_threat_category |
| Alert Notes Present | notes_present |
| Alert Phishing Involved | threat_activity_phish |
| Alert Policy Applied | policy_applied |
| Alert Reason Code | reason_code |
| Alert Status | status |
| Alert Tags | tags |
| Alert Threat Cause Actor Name | threat_cause_actor_name |
| Alert Threat Cause Category | threat_cause_threat_category |
| Alert Threat Caused By Event ID | threat_cause_cause_event_id |
| Alert Threat Cause Reputation | threat_cause_reputation |
| Alert Threat Cause Vector | threat_cause_vector |
| Alert Threat Notes Present | threat_notes_present |
| Alert URL | alert_url |
| API Call | crossproc_api |
| Attack Tactic | attack_tactic |
| Attack Technique | attack_technique |
| Audit Log Event Timestamp | eventTime |
| Audit Log Flagged | flagged |
| Backend Timestamp | backend_timestamp |
| Backend Update Timestamp | backend_update_timestamp |
| Blocked Effective Reputation | blocked_effective_reputation |
| Blocked MD5 | blocked_md5 |
| Blocked Name | blocked_name |
| Blocked SHA256 | blocked_sha256 |
| CBC Event Count | scriptload_count, modload_count |
| Child Process Command Line | childproc_cmdline |
| Cluster Name | cluster_name, k8s_cluster |
| Cluster Policy ID | k8s_policy_id |
| Command Line | process_cmdline |
| Connection Type | connection_type |
| Cross-process Event Target | crossproc_target |
| Date Time | backend_timestamp, create_time, syslog_create_time |
| Destination FQDN | netconn_domain |
| Destination IP | remote_ip, netconn_remote_ip |
| Destination MAC | [no field specified] |
| Destination Port | remote_port, netconn_remote_port |
| Determination Changed By | determination_changed_by |
| Determination Changed By Type | determinated_changed_by_type |
| Determination Change Timestamp | determination_change_timestamp |
| Determination Value | determination_value |
| Device Group | device_group |
| Device ID | device_id |
| Device Name | device_name |
| Device Priority | target_value |
| Device Timestamp | device_timestamp |
| Device UEM ID | device_uem_id |
| Duration Seconds | process_duration |
| Egress Group ID | egress_group_id |
| Egress Group Name | egress_group_name |
| Event Category | severity, type, cat |
| Event ID | type, cat |
| Event ID (custom) | created_by_event_id, eventId, event_id |
| Event Origin | event_origin |
| Event Summary | event_description, description, reason |
| File Hash | filemod_hash[1], modload_hash[1], scriptload_hash[1], fileless_scriptload_hash[1], modload_sha256 |
| Fileless Script Load Command Line | fileless_scriptload_cmdline |
| File Path | filemod_name, regmod_name, modload_name, scriptload_name |
| First Event Timestamp | first_event_timestamp |
| Identity Extended Field | [no field specified] |
| Identity Group Name | device_group |
| Identity Host Name | device_name |
| Identity IP | device_internal_ip |
| Identity IPv6 | [no field specified] |
| Identity MAC | [no field specified] |
| Identity Net BIOS Name | [no field specified] |
| IOC Field | ioc_field |
| IOC ID | ioc_id |
| IOC Value | ioc_hit |
| IP Reputation | ip_reputation |
| IPv6 Destination | netconn_remote_ipv6 |
| IPv6 Source | netconn_local_ipv6 |
| Is Updated | is_updated |
| Legacy Alert ID | legacy_alert_id |
| Location | device_location |
| Log Source Time | create_time - yyyy-MM-dd'T'HH:mm:ss'Z', eventTime - yyyy-MM-dd'T'HH:mm:ss'Z', syslog_create_time - yyyy-MM-dd'T'HH:mm:ss.SSS'Z', device_timestamp - yyyy-MM-dd HH:mm:ss.SSS +0000 'UTC' |
| MDR Determination Change Timestamp | mdr_determination_change_timestamp |
| MDR Determination Value | mdr_determination_value |
| MDR Workflow Change Timestamp | mdr_workflow_change_timestamp |
| MDR Workflow is Assigned | mdr_workflow_is_assigned |
| MDR Workflow Status | mdr_workflow_status |
| Minimum Severity | minimum_severity |
| ML Classification Final Verdict | ml_classification_final_verdict |
| ML Classification Global Prevalence | ml_classification_global_prevalence |
| ML Classification Org Prevalence | ml_classification_org_prevalence |
| Namespace | namespace |
| Network Connection Inbound | netconn_inbound |
| Network Protocol | netconn_protocol, protocol |
| Organization Name | orgName |
| OS Name | device_os |
| OS Version | device_os_version |
| Parent Command | parent_cmdline |
| Parent Effective Reputation | parent_effective_reputation |
| Parent GUID | parent_guid, threat_cause_parent_guid |
| Parent Hash | parent_hash[1] |
| Parent Process ID | parent_pid |
| Parent Process Reputation | parent_reputation |
| Parent Username | parent_username |
| Pod Name | k8s_pod_name |
| Policy ID | policy_id |
| Policy Name | poliy_name |
| Post NAT Destination IP | [no field specified] |
| Post NAT Destination Port | [no field specified] |
| Post NAT Source IP | device_external_ip |
| Post NAT Source Port | [no field specified] |
| Pre NAT Destination IP | [no field specified] |
| Pre NAT Destination Port | [no field specified] |
| Pre NAT Source IP | device_internal_ip |
| Pre NAT Source Port | [no field specified] |
| Primary Event ID | primary_event_id |
| Process Effective Reputation | process_effective_reputation |
| Process Fork PID | process_fork_pid |
| Process GUID | process_guid, threat_cause_process_guid |
| Process Hash | threat_cause_actor_sha256, process_hash[1] |
| Process ID | threat_cause_actor_process_pid, process_pid |
| Process Issuer | process_issuer |
| Process Name | process_name |
| Process Path | process_path |
| Process Publisher Content | process_publisher[] |
| Process Reputation | process_reputation |
| Process Terminated | process_terminated |
| Protocol | netconn_protocol |
| Proxy Hostname | netconn_proxy_domain |
| Proxy IP | netconn_proxy_ip |
| Proxy Port | netconn_proxy_port |
| Remote Domain | remote_domain |
| Remote Is Private | remote_is_private |
| Remote Namespace | remote_namespace, remote_k8s_namespace |
| Remote Pod Name | remote_k8s_pod_name |
| Remote Replicate ID | remote_replica_id |
| Remote Workload ID | remote_workload_id |
| Remote Workload Kind | remote_workload_kind |
| Remote Workload Name | remote_workload_name |
| Replica ID | replica_id |
| Report ID | report_id |
| Report Link | report_link |
| Report Name | report_name |
| Report Tags | report_tags[] |
| Rule Category ID | rule_category_id |
| Rule Config Category | rule_config_category |
| Rule ID | rule_id |
| Rule Name | rule_name |
| Run State | run_state |
| Sensor Action | sensor_action |
| Source IP | local_ip, clientIp |
| Source MAC | [no field specified] |
| Source Port | local_port |
| Target Command Line | target_cmdline |
| Target GUID | childproc_guid, crossproc_guid |
| Target Hash | childproc_hash[1], crossproc_hash[1], fileless_scriptload_hash[1], scriptload_hash[1] |
| Target Name | crossproc_name, childproc_name |
| Target Process ID | childproc_pid |
| Target Reputation | crossproc_reputation, childproc_reputation, modload_effective_reputation |
| Target Username | childproc_username, crossproc_username |
| Threat ID | threat_id |
| Threat Indicators | threat_indicators |
| Threat Name | threat_name |
| Threat Severity | threat_severity |
| TMS Rule ID | tms_rule_id |
| TTPs | ttps |
| USB Device Friendly Name | external_device_friendly_name |
| USB Product ID | product_id |
| USB Product Name | product_name |
| USB Serial Number | serial_number |
| Username | process_username, device_username, loginName |
| User Update Timestamp | user_update_timestamp |
| Vendor ID | vendor_id |
| Vendor Name | vendor_name |
| Watchlists Content | watchlists[] |
| Workflow Changed By | workflow_changed_by |
| Workflow Changed By Type | workflow_changed_by_type |
| Workflow Change Timestamp | workflow_change_timestamp |
| Workflow Closure Reason | workflow_closure_reason |
| Workflow Status | workflow_status |
| Workload ID | workload_id |
| Workload Kind | workload_kind |
| Workload Name | workload_name |
