| Key | Description | Example |
|---|---|---|
| `process_id` | Solr document identifier of the process. | `00000064-0000-07f0-01d2-8e03fc88f25e` |
| `segment_id` | Solr document segment identifier of the process. | `1488563344023` |
| `report_id` | ID of the report that was matched. | `report_01` |
| `ioc_type` | Type of the IOC that was matched. | `dns` |
| `ioc_value` | IOC value that was matched. | `www.google.com` |
| `ioc_attr` | Additional attributes on the IOC value that were matched. | `{port:80, protocol:tcp, direction:'Outbound'}` |
| `hostname` | Hostname of the computer on which the feed hit was detected. | `PANTHER` |
| `comms_ip` | IP address from which Carbon Black EDR received the event. This can be a NAT or proxy address if one is configured for the computer on which the process executed; otherwise it is the same as `interface_ip`. | `10.101.301.4` |
| `interface_ip` | IP address of the computer on which the process executed. | `10.101.301.4` |
| `sensor_id` | Sensor ID of the endpoint. | `1` |
| `cb_version` | Carbon Black EDR server version. | `5.0.0.140204.501` |
| `server_name` | Name of the Carbon Black EDR server. | `edrserver` |
| `feed_id` | ID of the feed that was matched. | `15` |
| `feed_name` | Name of the feed that was matched. | `mdl` |
| `event_timestamp` | Time of the event, as Unix epoch seconds (may be fractional). | `1400695113.17` |
| `childproc_count` | Total count of child processes created by this process. | `0` |
| `cmdline` | Process command line. | `"c:\net.exe" /user` |
| `filemod_count` | Total count of files modified by this process. | `0` |
| `group` | Sensor group to which this sensor was assigned at the time of process execution. | `Default Group` |
| `host_type` | Type of the computer: `workstation`, `server`, or `domain controller`. | `server` |
| `last_update` | Last activity in this process, in the computer's local time. Note that the example carries a UTC (`Z`) designator; confirm which zone your server emits before correlating timestamps across sources. | `2014-02-04T16:23:22.547Z` |
| `modload_count` | Total count of modules loaded by this process. | `45` |
| `netconn_count` | Total count of network connections made by this process. | `0` |
| `os_type` | Operating system type of the host. | `Windows` |
| `parent_name` | Name of the parent process. | `svchost.exe` |
| `parent_md5` | MD5 hash of the parent process executable. | `506708142bc63daba64f2d3ad1dcd5bf` |
| `parent_sha256` | SHA-256 hash of the parent process executable. | `1123a659bc80def22859f36719ed30618589c4b50abc17def38ff7eed913721` |
| `parent_pid` | Parent process PID. | `2532` |
| `parent_unique_id` | Parent process unique ID. | `00000c42-0000-172c-01d0-5d6cca2adbb2-000000000001` |
| `path` | Full path to the executable backing this process. | `c:\program files(x86)\google\update\googleupdate.exe` |
| `process_md5` | MD5 hash of the executable backing this process. | `506708142bc63daba64f2d3ad1dcd5bf` |
| `process_sha256` | SHA-256 hash of the executable backing this process. | `1123a659bc80def22859f36719ed30618589c4b50abc17def38ff7eed913721` |
| `process_name` | Filename of the executable backing this process. | `googleupdate.exe` |
| `process_pid` | Process PID. | `44988` |
| `regmod_count` | Total count of registry modifications made by this process. | `0` |
| `start` | Start time of this process, in the computer's local time (same timestamp format and zone caveat as `last_update`). | `2014-02-04T16:23:22.516Z` |
| `unique_id` | Process unique ID. | `00000c42-0000-172c-01d0-5d6cca2adbb2-015A954A1297` |
| `username` | User context in which the process was executed. | `SYSTEM` |
| `watchlist_id` | ID of the watchlist that matched (`-1` is the internal syslog test). | `-1` |
| `watchlist_name` | Name of the watchlist that matched. | `SyslogTest` |