Key | Description | Example
---|---|---
md5 | MD5 hash value of a binary module that triggered a feed hit. | 44C0CBADFF00F3930B6A01EEAA405C6F
sha256 | SHA-256 hash value of a binary module that triggered a feed hit. | 1123A659BC80DEF22859F36719ED30618589C4B50ABC17DEF38EE7DDB913721
report_id | ID of the report that was matched. | report_01
ioc_type | Type of the IOC that was matched. | dns
ioc_value | IOC value that was matched. | www.google.com
ioc_attr | Additional attributes on the IOC value that were matched. | {port:80, protocol:tcp}
hostname | Name of the host on which the feed hit was detected. | PANTHER
sensor_id | Sensor ID of the endpoint. | 1
cb_version | Carbon Black EDR server version. | 5.0.0.140204.501
server_name | Name of the Carbon Black EDR server. | cbserver
feed_id | ID of the feed that was matched. | 15
feed_name | Name of the feed that was matched. | mdl
event_timestamp | Time of the event. | 1400695113.17
copied_mod_len | Number of bytes collected. | 73544
endpoint | Hostname and sensor ID of the endpoint on which the binary was first observed. | [PANTHER\|2]
group | First sensor group in which this binary was observed. | [Default Group]
digsig_issuer | If digitally signed, the issuer. | VeriSign Class 3 Code Signing 2010 CA
digsig_publisher | If digitally signed, the publisher. | Google Inc
digsig_result | If digitally signed, the result. Contains one of the following eight possible values: | Signed
digsig_result_code | Internal use. | 0
digsig_sign_time | If digitally signed, the time of signing. | 2015-02-02T04:42:00Z
digsig_subject | If digitally signed, the subject. | Google Inc
is_executable_image | True if the binary is an EXE (versus DLL or SYS). | True
is_64bit | True if the architecture is x64. | True

Key | Description | Example
---|---|---
md5 | MD5 hash value of a process, a parent process, a child process, a loaded module or a written file. | 44C0CBADFF00F3930B6A01EEAA405C6F
sha256 | SHA-256 hash value of a process, a parent process, a child process, a loaded module or a written file. | 1EEAA405C6F44C0CBADFF00F3930B6A044C0CBADFF00F3930B6A01EEAA405C6F
observed_filename | Full path to the executable backing this process. | c:\program files(x86)\google\chrome\application\wow_helper.exe
orig_mod_len | Size, in bytes, of a binary at the time of collection. | 73544
os_type | Operating system type of the host. | Windows
server_added_timestamp | The time this binary was first seen by the server. | 2014-02-04T07:50:56.917Z
server_name | Name of the Carbon Black EDR server. | edrserver
watchlist_<id> | For each watchlist that matched a binary, the timestamp of the match. | '2014-02-04T07:55:03.007Z'
file_version | File version string from the class FileVersionInfo. |
product_name | Product name string from the class FileVersionInfo. |
company_name | Company name string from the class FileVersionInfo. |
internal_name | Internal name string from the class FileVersionInfo. |
original_filename | Original name string from the class FileVersionInfo. |
file_desc | File description string from the class FileVersionInfo. |
product_desc | Product description string from the class FileVersionInfo. |
comments | Comment string from the class FileVersionInfo. |
legal_copyright | Legal copyright string from the class FileVersionInfo. |
legal_trademark | Legal trademark string from the class FileVersionInfo. |
private_build | Private build string from the class FileVersionInfo. |
special_build | Special build string from the class FileVersionInfo. |
product_version | Product version string from the class FileVersionInfo. |