This topic contains a complete list of fields that are searchable in Carbon Black EDR Process and Binary searches.
Some fields are valid in only one of the two searches, and some in both. Any binary-related field used in a process search actually searches the executable file backing the process.
If a query specifies a term without a field, the search runs against all default fields. Default fields are marked (def) in the table.
Availability of SHA-256 hash data depends on sensor capabilities. The macOS sensor version 6.2.4, which is packaged with Carbon Black EDR Server version 6.3, sends SHA-256 hashes to the server. Check VMware Carbon Black Support for information about other sensors that can generate SHA-256 hashes.
For files that were originally discovered by a sensor that did not provide SHA-256 hashes, process information for new executions shows SHA-256 hashes, but binary entries show SHA-256 as "(unknown)" until they appear as new files on a sensor that supports SHA-256. This applies to all SHA-256 related fields.
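Because a field that is valid in one search type is silently meaningless in the other, and an unfielded term fans out over every (def) field, it is worth checking a query before it reaches the server. The following is an added example, not Carbon Black's own code: it transcribes a subset of the table below into a lookup and lints a query string for the chosen search type. The query strings in the `__main__` block are constructed for illustration.

```python
"""Added example, not Carbon Black's own code: lint a Carbon Black EDR query
string against the field table on this page before submitting it to a
Process or Binary search. The field metadata below is a subset transcribed
from the table; the query strings at the bottom are constructed for
illustration and are not from the page."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Field:
    process: bool          # has an "x" in the Process Search column
    binary: bool           # has an "x" in the Binary Search column
    def_process: bool      # "(def)" in the Process Search column
    def_binary: bool       # "(def)" in the Binary Search column
    ftype: str             # Field Type column


# Subset of the page's table: name -> (process, binary, def_process, def_binary, type).
FIELDS: dict[str, Field] = {
    "process_name":        Field(True,  False, True,  False, "keyword"),
    "process_md5":         Field(True,  False, True,  False, "md5"),
    "process_sha256":      Field(True,  False, True,  False, "sha256"),
    "cmdline":             Field(True,  False, True,  False, "cmdline"),
    "parent_name":         Field(True,  False, True,  False, "keyword"),
    "filemod":             Field(True,  False, True,  False, "path"),
    "ipaddr":              Field(True,  False, False, False, "ipaddr"),
    "hostname":            Field(True,  True,  True,  True,  "keyword"),
    "md5":                 Field(True,  True,  True,  True,  "md5"),
    "sha256":              Field(True,  True,  True,  True,  "sha256"),
    "digsig_result":       Field(True,  True,  False, True,  "sign"),
    "company_name":        Field(True,  True,  False, True,  "text"),
    "is_executable_image": Field(True,  True,  False, False, "bool"),
    "comments":            Field(False, True,  False, True,  "text"),
    "host_count":          Field(False, True,  False, False, "count"),
}

HEX_LEN = {"md5": 32, "sha256": 64}
# optional negation, optional field name, then a quoted string or a bare token
TERM_RE = re.compile(r'(-?)(?:([A-Za-z_][A-Za-z0-9_]*):)?("[^"]*"|\S+)')


def default_fields(search: str) -> list[str]:
    """Fields an unfielded term is matched against for this search type."""
    key = {"process": "def_process", "binary": "def_binary"}[search]
    return sorted(name for name, f in FIELDS.items() if getattr(f, key))


def expand_unfielded(term: str, search: str) -> str:
    """Spell out what an unfielded term means: an OR over the (def) fields."""
    return "(" + " OR ".join(f"{name}:{term}" for name in default_fields(search)) + ")"


def lint(query: str, search: str = "process") -> list[str]:
    """Return the problems found in `query` for the given search type
    ('process' or 'binary'); an empty list means none were found."""
    if search not in ("process", "binary"):
        raise ValueError("search must be 'process' or 'binary'")
    problems: list[str] = []
    for _neg, name, value in TERM_RE.findall(query):
        if not name:
            continue  # unfielded: the server searches default_fields(search)
        if re.fullmatch(r"watchlist_\d+", name):
            continue  # watchlist_<id>: datetime, valid in both searches
        field = FIELDS.get(name)
        if field is None:
            problems.append(f"unknown field '{name}'")
            continue
        if not getattr(field, search):
            problems.append(f"'{name}' is not searchable in {search} search")
        if field.ftype in HEX_LEN and not re.fullmatch(
            rf"[0-9a-fA-F]{{{HEX_LEN[field.ftype]}}}", value
        ):
            problems.append(
                f"'{name}' expects a {HEX_LEN[field.ftype]}-hex-digit {field.ftype}, got '{value}'"
            )
        if field.ftype == "bool" and value.lower() not in ("true", "false"):
            problems.append(f"'{name}' expects true or false, got '{value}'")
    return problems


if __name__ == "__main__":
    # Constructed queries, not from the page.
    for q, s in [
        ("process_name:powershell.exe -digsig_result:Signed", "process"),
        ("hostname:dc01 host_count:1", "process"),
        ("md5:deadbeef", "binary"),
    ]:
        print(f"{s:8} {q!r}: {lint(q, s) or 'ok'}")
    print(expand_unfielded("mimikatz", "process"))
```

The lookup only covers the rows transcribed into `FIELDS`; extend it from the table as needed. `expand_unfielded` shows why a bare hash or filename in a process search is more expensive than a fielded one: it is effectively an OR over nine fields.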
| Field | Process Search | Binary Search | Field Type | Description |
|---|---|---|---|---|
| blocked_md5 | x (def) | - | md5 | MD5 of a process blocked due to a banning rule. |
| blocked_status | x | - | status | Status of a block attempt on a running process due to a banning rule, one of: ProcessTerminated, NotTerminatedCBProcess, NotTerminatedSystemProcess, NotTerminatedCriticalSystemProcess, NotTerminatedWhitelistedPath, NotTerminatedOpenProcessError, NotTerminatedTerminateError. |
| childproc_count | x | - | count | Total count of child processes created by this process. |
| childproc_md5 | x (def) | - | md5 | MD5 of the executable backing the created child processes. |
| childproc_sha256 | x (def) | - | sha256 | SHA-256 of the executable backing the created child processes (if available). |
| childproc_name | x (def) | - | keyword | Filename of the child process executables. |
| cmdline | x (def) | - | cmdline | Full command line for this process. |
| comments | - | x (def) | text | Comment string from the class FileVersionInfo. |
| company_name | x | x (def) | text | Company name string from the class FileVersionInfo. |
| copied_mod_len | x | x | count | Number of bytes collected. |
| crossproc_count | x | - | count | Total count of cross-process actions by an actor process. |
| crossproc_md5 | x | - | md5 | MD5 of an actor process that performed a cross-process action on a target process. |
| crossproc_sha256 | x | - | sha256 | SHA-256 of an actor process that performed a cross-process action on a target process (if available). |
| crossproc_name | x | - | keyword | Name of an actor process that performed a cross-process action on a target process. |
| crossproc_type | x (def) | - | keyword | |
| digsig_issuer | x | x (def) | text | If digitally signed, the issuer. |
| digsig_prog_name | x | x (def) | text | If digitally signed, the program name. |
| digsig_publisher | x | x (def) | text | If digitally signed, the publisher. |
| digsig_result | x | x (def) | sign | If digitally signed, the result. Values are: |
| digsig_sign_time | x | x | datetime | If digitally signed, the time of signing. |
| digsig_subject | x | x (def) | text | If digitally signed, the subject. |
| domain | x (def) | - | domain | Network connection to this domain. |
| file_desc | x | x (def) | text | File description string from the class FileVersionInfo. |
| file_version | x | x (def) | text | File version string from the class FileVersionInfo. |
| fileless_scriptload_cmdline | x | - | text | Command line contents of a fileless scriptload event. |
| fileless_scriptload_cmdline_length | x | - | integer | Length of the command line contents of a fileless scriptload event. |
| filemod | x (def) | - | path | Path of a file modified by this process. |
| filemod_count | x | - | count | Total count of file modifications by this process. |
| filewrite_md5 | x (def) | - | md5 | MD5 of a file written by this process. |
| filewrite_sha256 | x (def) | - | sha256 | SHA-256 of a file written by this process (if available). |
| group | x (def) | x (def) | keyword | Sensor group this sensor was assigned to at the time of process execution. |
| has_emet_config | x | - | bool | True or False: indicates whether the process has EMET mitigations configured/enabled. |
| has_emet_event | x | - | bool | True or False: indicates whether the process has EMET mitigation events. |
| host_count | - | x | count | Count of hosts that have seen a binary. |
| host_type | x (def) | - | keyword | Type of the computer: workstation, server, or domain controller. |
| hostname | x (def) | x (def) | keyword | Hostname of the computer on which the process was executed. |
| internal_name | x | x (def) | text | Internal name string from the class FileVersionInfo. |
| ipaddr | x | - | ipaddr | Network connection to or from this IP address. Only the remote (destination) address is searchable, regardless of direction. IPv4-mapped addresses (::FFFF:1.2.3.4) are stored as IPv4 netconns and can be queried as either ipaddr:1.2.3.4 or ipv4mapped:1.2.3.4. They can also be queried as ipv6addr:::FFFF:1.2.3.4; such queries are automatically translated to ipv4mapped:1.2.3.4. |
| ipv6addr | x | - | ipv6addr | Network connection to or from this IPv6 address. Only the remote (destination) address is searchable, regardless of direction. IPv4-compatible IPv6 addresses (::1.2.3.4) are stored as IPv6 netconns and can be queried as either ipv6addr:::1.2.3.4 or ipv6addr:::0102:0304 (the latter is the native form; the dotted-quad form is automatically translated to it). |
| ipport | x | - | integer | Network connection to this destination port. |
| is_64bit | x | x | bool | True if the architecture is x64. |
| is_executable_image | x | x | bool | True if the binary is an EXE (versus DLL or SYS). |
| ja3 | x | - | md5 | JA3 fingerprint of the client TLS hello packet. You can search for the hash value; the term must exactly match the value in the field. |
| ja3s | x | - | md5 | JA3S fingerprint of the server TLS hello packet. You can search for the hash value; the term must exactly match the value in the field. |
| last_server_update | x | - | datetime | Last activity in this process, in the server's local time. |
| last_update | x | - | datetime | Last activity in this process, in the computer's local time. |
| legal_copyright | x | x (def) | text | Legal copyright string from the class FileVersionInfo. |
| legal_trademark | x | x (def) | text | Legal trademark string from the class FileVersionInfo. |
| md5 | x (def) | x (def) | md5 | MD5 of the process, parent, child process, loaded module, or a written file. |
| modload | x (def) | - | path | Path of a module loaded into this process. |
| modload_count | x | - | count | Total count of module loads by this process. |
| netconn_block_type | x | - | integer | The classification of the network connection attempt. This is a sub-field of a netconn event: 0 is a successful network connection; 1 is a network connection attempt that was blocked because the endpoint was in Isolation. |
| netconn_count | x | - | count | Total count of network connections by this process. |
| observed_filename | x | x (def) | path | Full path of the binary at the time of collection. |
| orig_mod_len | x | x | count | Size in bytes of the binary at the time of collection. |
| original_filename | x | x (def) | text | Original name string from the class FileVersionInfo. |
| os_type | x | x | keyword | Type of the operating system: Windows, macOS, or Linux. |
| parent_id | x | - | long | The internal Carbon Black EDR process guid for the parent process. |
| parent_md5 | x (def) | - | md5 | MD5 of the executable backing the parent process. |
| parent_sha256 | x (def) | - | sha256 | SHA-256 of the executable backing the parent process (if available). |
| parent_name | x (def) | - | keyword | Filename of the parent process executable. |
| path | x (def) | - | path | Full path to the executable backing this process. |
| private_build | x | x (def) | text | Private build string from the class FileVersionInfo. |
| process_id | x | - | long | The internal Carbon Black EDR process guid for the process. |
| process_md5 | x (def) | - | md5 | MD5 of the executable backing this process. |
| process_sha256 | x (def) | - | sha256 | SHA-256 of the executable backing this process (if available). |
| process_name | x (def) | - | keyword | Filename of the executable backing this process. |
| product_desc | x | x (def) | text | Product description string from the class FileVersionInfo. |
| product_name | x | x (def) | text | Product name string from the class FileVersionInfo. |
| product_version | x | x (def) | text | Product version string from the class FileVersionInfo. |
| regmod | x (def) | - | path | Path of a registry key modified by this process. |
| regmod_count | x | - | count | Total count of registry modifications by this process. |
| sensor_id | x | - | long | The internal Carbon Black EDR sensor guid of the computer on which this process was executed. |
| server_added_timestamp | - | x | datetime | Time this binary was first seen by the server. |
| sha256 | x (def) | x (def) | sha256 | SHA-256 of the process, parent, child process, loaded module, or a written file (if available). |
| special_build | x | x (def) | text | Special build string from the class FileVersionInfo. |
| start | x | - | datetime | Start time of this process, in the computer's local time. |
| tampered | x | x | bool | True if attempts were made to modify the sensor's binaries, disk artifacts, or configuration. |
| username | x (def) | - | keyword | User context with which the process was executed. |
| watchlist_<id> | x | x | datetime | Time that this process or binary matched the watchlist query with <id>. |
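The ipaddr and ipv6addr rows carry a trap for threat hunters: an IPv4-mapped address (::FFFF:a.b.c.d) is stored as an IPv4 netconn, while an IPv4-compatible address (::a.b.c.d) is stored as an IPv6 netconn, so `ipaddr:a.b.c.d` matches the first but not the second. The following is an added example, not Carbon Black's own code: it turns a list of remote addresses into the search term each one needs, using only Python's standard library. The zero-padded spelling of the IPv6 native form follows the single example in the table (::1.2.3.4 becomes ::0102:0304); applying that padding rule to other IPv6 addresses is an assumption, and since the server also accepts the dotted-quad form, the point that matters is the field choice. The IOC list in `__main__` is constructed, not from the page.

```python
"""Added example, not Carbon Black's own code: map remote addresses (IOCs)
to Carbon Black EDR netconn search terms per the ipaddr/ipv6addr rules.
The zero-padded IPv6 'native form' generalises the page's one example
(::1.2.3.4 -> ::0102:0304) and is an assumption for other addresses."""
from __future__ import annotations

import ipaddress
from ipaddress import IPv4Address, IPv6Address


def padded_compressed(addr: IPv6Address | str) -> str:
    """IPv6 text with 4-digit groups and the longest run (two or more) of
    all-zero groups collapsed to '::', e.g. ::1.2.3.4 -> ::0102:0304.
    Assumed to be the server's native form based on the page's example."""
    if isinstance(addr, str):
        addr = IPv6Address(addr)
    groups = addr.exploded.split(":")
    best_start, best_len = -1, 0
    i = 0
    while i < len(groups):
        if groups[i] != "0000":
            i += 1
            continue
        j = i
        while j < len(groups) and groups[j] == "0000":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return f"{head}::{tail}"


def netconn_term(remote: str) -> str:
    """Return the search term that matches a netconn to `remote`.
    Raises ValueError for strings that are not IP addresses."""
    ip = ipaddress.ip_address(remote)
    if isinstance(ip, IPv4Address):
        return f"ipaddr:{ip}"
    mapped = ip.ipv4_mapped  # ::ffff:a.b.c.d -> IPv4Address, otherwise None
    if mapped is not None:
        # Stored as an IPv4 netconn; ipaddr:a.b.c.d would match as well.
        return f"ipv4mapped:{mapped}"
    # Everything else, including IPv4-compatible ::a.b.c.d, is an IPv6 netconn.
    return f"ipv6addr:{padded_compressed(ip)}"


def ioc_query(remotes: list[str]) -> str:
    """OR together the terms for a list of IOC addresses, dropping entries
    that denote the same stored value (1.2.3.4 and ::ffff:1.2.3.4 are both
    the IPv4 netconn 1.2.3.4)."""
    seen: dict[str, str] = {}
    for r in remotes:
        term = netconn_term(r)
        if term.startswith(("ipaddr:", "ipv4mapped:")):
            key = term.split(":", 1)[1]  # key on the IPv4 address itself
        else:
            key = term
        seen.setdefault(key, term)
    return " OR ".join(seen.values())


if __name__ == "__main__":
    # Constructed IOC list, not from the page.
    iocs = ["203.0.113.7", "::ffff:203.0.113.7", "::203.0.113.7", "2001:db8::1"]
    for r in iocs:
        print(f"{r:22} -> {netconn_term(r)}")
    print(ioc_query(iocs))
```

Feed `ioc_query` the destination column of an intel feed and you get one process-search clause that covers both storage forms; the same addresses pasted into a single `ipaddr:` term would silently miss any connection the sensor recorded as IPv4-compatible IPv6.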