The following sets of fields are searchable on the Triage Alerts and Threat Report Search pages.
As with process and binary searches, if no field is specified for a term, the search is executed on all default fields. In the following table, default fields are indicated by (def).
Field | Field Type | Description
---|---|---
alert_severity | float | Overall score of the alert (combines report score, feed rating, sensor criticality). For more information, see Threat Intelligence Feeds.
alert_type | keyword | Type of the alert: one of "watchlist.hit.ingress.binary", "watchlist.hit.ingress.process", "watchlist.hit.query.process", "watchlist.hit.query.binary", "watchlist.hit.ingress.host".
assigned_to | keyword (def) | Name of the Carbon Black EDR administrator who changed the alert status.
create_time | datetime | Date and time this feed report was created.
created_time | datetime | Creation time of the alert.
description | text (def) | Description of the feed report, whitespace tokenized so each term is individually searchable.
domain | domain (def) | A domain IOC value in the feed report.
feed_category | text (def) | Category of this report/feed, whitespace tokenized.
feed_id | int | Numeric value of the feed id (-1 for watchlists).
feed_name | keyword (def) | Name of the feed that triggered the alert. All user-created watchlists have the feed name "My Watchlists" as a special case.
group | keyword | Sensor group name of the endpoint on which the process/binary that triggered the alert was observed.
hostname | keyword (def) | Hostname of the endpoint on which the process/binary that triggered the alert was observed.
ioc_value | keyword (def) | Value (IP address, MD5, or SHA-256) of the IOC that caused the alert to be triggered.
ipaddr | ipaddr | An IP address IOC value in the feed report.
ipv6addr | ipv6addr | An IPv6 address IOC value in the feed report.
is_ignored | bool | Indicates whether the report has been marked to be ignored on this server.
md5 | md5 (def) | MD5 of the process that triggered the alert, or an MD5 IOC value in the feed report.
observed_filename | keyword (def) | Full path name of the process that triggered the alert (not tokenized).
process_name | keyword (def) | Filename of the process that triggered the alert.
process_path | path (def) | Full path to the executable backing the process.
report_id | keyword | Name or unique identifier of the threat report that is part of the feed.
report_score | float | Report score of the feed that triggered the alert. For more information, see Threat Intelligence Feeds.
resolved_time | datetime | Time this alert was triaged by a resolution action.
sha256 | sha256 (def) | SHA-256 of the process that triggered the alert (if available), or a SHA-256 IOC value in the feed report.
status | keyword | Status of the alert: one of "resolved", "unresolved", "in progress", "false positive".
tags | text (def) | Tags related to this report/feed, whitespace tokenized.
title | text | Text title of the feed report, whitespace tokenized.
update_time | datetime | Date and time this feed report was last updated.
username | keyword (def) | Username in whose context the process that triggered the alert event was executed.
watchlist_id | int (def) | Numeric value of the watchlist id (not applicable to feeds).
watchlist_name | keyword (def) | Name of the watchlist or the report (for feeds).
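The following is an added example, not code from the original page or from Carbon Black. It transcribes the field names, types and (def) flags from the table into a small linter for alert-search queries, so that a saved triage search with a mistyped field, a malformed hash or an undocumented `alert_type`/`status` value is caught before it is scheduled and silently matches nothing. `expand_default` makes the sentence at the top of the page concrete by listing the fields a bare term is searched against. The query grammar it parses (Solr-style `field:value`, quoted phrases, `[lo TO hi]` ranges, `AND`/`OR`/`NOT`) is an assumption of this example, as are the ISO-8601 timestamp format and the function names; only the field table itself comes from the page.

```python
"""Lint a Carbon Black EDR alert-search query against the searchable-field table."""
import ipaddress
import re
from datetime import datetime

# field -> (field type, searched by default), transcribed from the table above
ALERT_FIELDS = {
    "alert_severity": ("float", False),    "alert_type": ("keyword", False),
    "assigned_to": ("keyword", True),      "create_time": ("datetime", False),
    "created_time": ("datetime", False),   "description": ("text", True),
    "domain": ("domain", True),            "feed_category": ("text", True),
    "feed_id": ("int", False),             "feed_name": ("keyword", True),
    "group": ("keyword", False),           "hostname": ("keyword", True),
    "ioc_value": ("keyword", True),        "ipaddr": ("ipaddr", False),
    "ipv6addr": ("ipv6addr", False),       "is_ignored": ("bool", False),
    "md5": ("md5", True),                  "observed_filename": ("keyword", True),
    "process_name": ("keyword", True),     "process_path": ("path", True),
    "report_id": ("keyword", False),       "report_score": ("float", False),
    "resolved_time": ("datetime", False),  "sha256": ("sha256", True),
    "status": ("keyword", False),          "tags": ("text", True),
    "title": ("text", False),              "update_time": ("datetime", False),
    "username": ("keyword", True),         "watchlist_id": ("int", True),
    "watchlist_name": ("keyword", True),
}
DEFAULT_FIELDS = sorted(f for f, (_, is_def) in ALERT_FIELDS.items() if is_def)

# Closed value sets the table documents for two keyword fields.
ENUMS = {
    "alert_type": {"watchlist.hit.ingress.binary", "watchlist.hit.ingress.process",
                   "watchlist.hit.query.process", "watchlist.hit.query.binary",
                   "watchlist.hit.ingress.host"},
    "status": {"resolved", "unresolved", "in progress", "false positive"},
}

# Assumed Solr-style grammar: optional "field:", then a quoted phrase,
# a [lo TO hi] range, or a bare token; AND/OR/NOT and parentheses are skipped.
TERM_RE = re.compile(r'(?:(\w+):)?("[^"]*"|\[[^\]]*\]|[^\s()]+)')
RANGE_RE = re.compile(r"^\[(\S+) TO (\S+)\]$")
OPERATORS = {"AND", "OR", "NOT"}


def parse_query(query):
    """Yield (field, value) pairs; field is None for a bare (unfielded) term."""
    for m in TERM_RE.finditer(query):
        field, value = m.group(1), m.group(2)
        if field is None and value in OPERATORS:
            continue
        yield field, value


def expand_default(term):
    """Spell out what a bare term is matched against: every (def) field."""
    return "(" + " OR ".join(f"{f}:{term}" for f in DEFAULT_FIELDS) + ")"


def _check_scalar(ftype, value):
    """Return None if value fits the field type, else a short reason."""
    if value == "*":  # open range bound
        return None
    if ftype == "md5":
        return None if re.fullmatch(r"[0-9a-fA-F]{32}", value) else "md5 must be 32 hex characters"
    if ftype == "sha256":
        return None if re.fullmatch(r"[0-9a-fA-F]{64}", value) else "sha256 must be 64 hex characters"
    if ftype == "int":
        return None if re.fullmatch(r"-?\d+", value) else "integer expected"
    if ftype == "float":
        try:
            float(value)
            return None
        except ValueError:
            return "number expected"
    if ftype == "bool":
        return None if value.lower() in ("true", "false") else "true or false expected"
    if ftype == "datetime":
        try:
            datetime.fromisoformat(value.rstrip("Z"))
            return None
        except ValueError:
            return "ISO-8601 timestamp expected"
    if ftype in ("ipaddr", "ipv6addr"):
        want = 4 if ftype == "ipaddr" else 6
        try:
            return None if ipaddress.ip_address(value).version == want else f"IPv{want} address expected"
        except ValueError:
            return f"IPv{want} address expected"
    return None  # keyword, text, path, domain: any token is searchable


def check_term(field, value):
    """Return None if field:value is well-formed per the table, else a reason."""
    if field not in ALERT_FIELDS:
        return f"unknown field '{field}'"
    ftype, _ = ALERT_FIELDS[field]
    bare = value.strip('"')
    if field in ENUMS and bare not in ENUMS[field]:
        return f"'{bare}' is not a documented {field} value"
    rng = RANGE_RE.match(value)
    if rng:
        if ftype not in ("int", "float", "datetime"):
            return f"range query on a {ftype} field"
        for bound in rng.groups():
            err = _check_scalar(ftype, bound)
            if err:
                return err
        return None
    return _check_scalar(ftype, bare)


def lint_query(query):
    """Return [(term, problem), ...]; an empty list means every fielded term is well-formed."""
    problems = []
    for field, value in parse_query(query):
        if field is not None:  # bare terms go to DEFAULT_FIELDS; nothing to type-check
            err = check_term(field, value)
            if err:
                problems.append((f"{field}:{value}", err))
    return problems


if __name__ == "__main__":
    print(expand_default("powershell.exe"))
    print(lint_query("alert_severity:[70 TO *] AND status:unresolved alert_type:wathclist.hit.ingress.process"))
```

Run as a script it prints the 16-way `OR` expansion a bare `powershell.exe` receives, then flags the misspelled `alert_type` value while accepting the severity range and status term. Bare terms are deliberately left unchecked: the page states they are searched across all default fields, so any token is legal there; only fielded terms carry a type that can be wrong.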