This topic contains a complete list of fields that are searchable in Carbon Black EDR Process and Binary searches.

Some fields are valid in only one of the two, and some in both. Any binary-related field that the process search uses actually searches the executable file backing the process.

If a query specifies a term without specifying a field, the search is executed on all default fields. Default fields are indicated by (def).

Note:

Availability of SHA-256 hash data is dependent upon sensor capabilities. The macOS sensor version 6.2.4, which is packaged with Carbon Black EDR Server version 6.3, sends SHA-256 hashes to the server. Check Broadcom Carbon Black Support for information about other sensors that can generate SHA-256 hashes.

For files that were originally discovered by a sensor that did not provide SHA-256 hashes, process information for new executions shows SHA-256 hashes, but binary entries show SHA-256 as “(unknown)” until they appear as new files on a sensor that supports SHA-256. This applies to all SHA-256 related fields.

| Field | Process Search | Binary Search | Field Type | Description |
| --- | --- | --- | --- | --- |
| blocked_md5 | x (def) | - | md5 | MD5 of a process blocked due to a banning rule. |
| blocked_status | x | - | status | Status of a block attempt on a running process due to a banning rule, one of: ProcessTerminated, NotTerminatedCBProcess, NotTerminatedSystemProcess, NotTerminatedCriticalSystemProcess, NotTerminatedWhitelistedPath, NotTerminatedOpenProcessError, NotTerminatedTerminateError. |
| childproc_count | x | - | count | Total count of child processes created by this process. |
| childproc_md5 | x (def) | - | md5 | MD5 of the executable backing the created child processes. |
| childproc_sha256 | x (def) | - | sha256 | SHA-256 of the executable backing the created child processes (if available). |
| childproc_name | x (def) | - | keyword | Filename of the child process executables. |
| cmdline | x (def) | - | cmdline | Full command line for this process. |
| comments | - | x (def) | text | Comment string from the class FileVersionInfo. |
| company_name | x | x (def) | text | Company name string from the class FileVersionInfo. |
| copied_mod_len | x | x | count | Number of bytes collected. |
| crossproc_count | x | - | count | Total count of cross process actions by an actor process. |
| crossproc_md5 | x | - | md5 | MD5 of an actor process that performed a cross process action on a target process. |
| crossproc_sha256 | x | - | sha256 | SHA-256 of an actor process that performed a cross process action on a target process (if available). |
| crossproc_name | x | - | keyword | Name of an actor process that performed a cross process action on a target process. |
| crossproc_type | x (def) | - | keyword | One of the following: processopen (or process_open) finds processes that opened a handle into another process with a set of access rights (sample result: OpenThread() API call requested THREAD_GET_CONTEXT, THREAD_SET_CONTEXT, THREAD_SUSPEND_RESUME access rights); remotethread (or remote_thread) finds processes that injected a thread into another process (sample result: CreateRemoteThread API used to inject code into target process); processopentarget is similar to processopen, but instead of finding the actor it returns the targeted process, i.e., the process the handle was opened into; remotethreadtarget is similar to remotethread, but instead of finding the actor process it returns the targeted process, i.e., the process the thread was injected into. |
| digsig_issuer | x | x (def) | text | If digitally signed, the issuer. |
| digsig_prog_name | x | x (def) | text | If digitally signed, the program name. |
| digsig_publisher | x | x (def) | text | If digitally signed, the publisher. |
| digsig_result | x | x (def) | sign | If digitally signed, the result. Values are: “Bad Signature”, “Invalid Signature”, “Expired”, “Invalid Chain”, “Untrusted Root”, “Signed”, “Unsigned”, “Explicit Distrust”. |
| digsig_sign_time | x | x | datetime | If digitally signed, the time of signing. |
| digsig_subject | x | x (def) | text | If digitally signed, the subject. |
| domain | x (def) | - | domain | Network connection to this domain. |
| file_desc | x | x (def) | text | File description string from the class FileVersionInfo. |
| file_version | x | x (def) | text | File version string from the class FileVersionInfo. |
| fileless_scriptload_cmdline | x | - | text | Command line contents of a fileless scriptload event. |
| fileless_scriptload_cmdline_length | x | - | integer | Length of the command line contents of a fileless scriptload event. |
| filemod | x (def) | - | path | Path of a file modified by this process. |
| filemod_count | x | - | count | Total count of file modifications by this process. |
| filewrite_md5 | x (def) | - | md5 | MD5 of a file written by this process. |
| filewrite_sha256 | x (def) | - | md5 | SHA-256 of a file written by this process (if available). |
| group | x (def) | x (def) | keyword | Sensor group this sensor was assigned to at the time of process execution. |
| has_emet_config | x | - | bool | True or False: indicates whether the process has EMET mitigations configured/enabled. |
| has_emet_event | x | - | bool | True or False: indicates whether the process has EMET mitigation events. |
| host_count | - | x | count | Count of hosts that have seen a binary. |
| host_type | x (def) | - | keyword | Type of the computer: workstation, server, or domain controller. |
| hostname | x (def) | x (def) | keyword | Hostname of the computer on which the process was executed. |
| internal_name | x | x (def) | text | Internal name string from the class FileVersionInfo. |
| ipaddr | x | - | ipaddr | Network connection to or from this IP address. Only a remote (destination) IP address is searchable, regardless of whether the connection is incoming or outgoing. IPv4-mapped addresses (::FFFF:1.2.3.4) are stored as IPv4 netconns and can be queried using either ipaddr:1.2.3.4 or ipv4mapped:1.2.3.4. IPv4-mapped addresses can also be queried using ipv6addr:::FFFF:1.2.3.4; such queries are automatically translated to ipv4mapped:1.2.3.4. |
| ipv6addr | x | - | ipv6addr | Network connection to or from this IPv6 address. Only a remote (destination) IP address is searchable, regardless of whether the connection is incoming or outgoing. IPv4-compatible IPv6 addresses (::1.2.3.4) are stored as IPv6 netconns and can be queried using either ipv6addr:::1.2.3.4 or ipv6addr::0102:0304 (the latter is the native form; the dotted quad form is automatically translated to the native form). |
| ipport | x | - | integer | Network connection to this destination port. |
| is_64bit | x | x | bool | True if architecture is x64. |
| is_executable_image | x | x | bool | True if the binary is an EXE (versus DLL or SYS). |
| ja3 | x | - | md5 | JA3 fingerprint of the client TLS hello packet. You can search for the hash value; the term searched for must exactly match the value in the field. |
| ja3s | x | - | md5 | JA3S fingerprint of the server TLS hello packet. You can search for the hash value; the term searched for must exactly match the value in the field. |
| last_server_update | x | - | datetime | Last activity in this process in the server’s local time. |
| last_update | x | - | datetime | Last activity in this process in the computer’s local time. |
| legal_copyright | x | x (def) | text | Legal copyright string from the class FileVersionInfo. |
| legal_trademark | x | x (def) | text | Legal trademark string from the class FileVersionInfo. |
| md5 | x (def) | x (def) | md5 | MD5 of the process, parent, child process, loaded module, or a written file. |
| modload | x (def) | - | path | Path of a module loaded into this process. |
| modload_count | x | - | count | Total count of module loads by this process. |
| netconn_block_type | x | - | integer | The classification of the network connection attempt. This is a sub-field of a netconn event: 0 equals a successful network connection; 1 equals a network connection attempt that was blocked because the endpoint was in Isolation. |
| netconn_count | x | - | count | Total count of network connections by this process. |
| observed_filename | x | x (def) | path | Full path of the binary at the time of collection. |
| orig_mod_len | x | x | count | Size in bytes of the binary at the time of collection. |
| original_filename | x | x (def) | text | Original name string from the class FileVersionInfo. |
| os_type | x | x | keyword | Type of the operating system: Windows, macOS, or Linux. |
| parent_id | x | - | long | The internal Carbon Black EDR process guid for the parent process. |
| parent_md5 | x (def) | - | md5 | MD5 of the executable backing the parent process. |
| parent_sha256 | x (def) | - | sha256 | SHA-256 of the executable backing the parent process (if available). |
| parent_name | x (def) | - | keyword | Filename of the parent process executable. |
| path | x (def) | - | path | Full path to the executable backing this process. |
| private_build | x | x (def) | text | Private build string from the class FileVersionInfo. |
| process_id | x | - | long | The internal Carbon Black EDR process guid for the process. |
| process_md5 | x (def) | - | md5 | MD5 of the executable backing this process. |
| process_sha256 | x (def) | - | sha256 | SHA-256 of the executable backing this process (if available). |
| process_name | x (def) | - | keyword | Filename of the executable backing this process. |
| product_desc | x | x (def) | text | Product description string from the class FileVersionInfo. |
| product_name | x | x (def) | text | Product name string from the class FileVersionInfo. |
| product_version | x | x (def) | text | Product version string from the class FileVersionInfo. |
| regmod | x (def) | - | path | Path of a registry key modified by this process. |
| regmod_count | x | - | count | Total count of registry modifications by this process. |
| sensor_id | x | - | long | The internal Carbon Black EDR sensor guid of the computer on which this process was executed. |
| server_added_timestamp | - | x | datetime | Time this binary was first seen by the server. |
| sha256 | x (def) | x (def) | sha256 | SHA-256 of the process, parent, child process, loaded module, or a written file (if available). |
| special_build | x | x (def) | text | Special build string from the class FileVersionInfo. |
| start | x | - | datetime | Start time of this process in the computer’s local time. |
| tampered | x | x | bool | True if attempts were made to modify the sensor’s binaries, disk artifacts, or configuration. |
| username | x (def) | - | keyword | User context with which the process was executed. |
| watchlist_<id> | x | x | datetime | Time that this process or binary matched the watchlist query with <id>. |
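The ipaddr and ipv6addr rows describe how an IPv6 search term is rewritten before it is matched: an IPv4-mapped address (::FFFF:a.b.c.d) becomes an ipv4mapped term, and an IPv4-compatible address typed as a dotted quad (::a.b.c.d) becomes its native hex form. The function below is an added example, not code from the Carbon Black EDR documentation or product; it reproduces only the two rewrite rules those rows state, using Python's standard ipaddress module, so that a query assembled from these fields is built in the form the rows say the server stores.

```python
import ipaddress


def normalize_netconn_term(field: str, value: str) -> str:
    """Return "field:value" in the stored form described by the ipaddr/ipv6addr rows.

    Rules reproduced from the table (nothing else is assumed about the server):
      * ipv6addr:::FFFF:a.b.c.d -> ipv4mapped:a.b.c.d   (IPv4-mapped, stored as IPv4 netconn)
      * ipv6addr:::a.b.c.d      -> ipv6addr:::hhhh:hhhh (IPv4-compatible, dotted quad -> native)
      * every other term is returned unchanged.
    """
    if field != "ipv6addr":
        return f"{field}:{value}"
    try:
        addr = ipaddress.IPv6Address(value)
    except ipaddress.AddressValueError:
        # Not a parseable IPv6 literal (e.g. a wildcard term): leave it as typed.
        return f"{field}:{value}"

    # Rule 1: IPv4-mapped (::FFFF:x.x.x.x) is stored as an IPv4 netconn.
    mapped = addr.ipv4_mapped
    if mapped is not None:
        return f"ipv4mapped:{mapped}"

    # Rule 2: IPv4-compatible (::x.x.x.x) is stored as IPv6 in native hex form.
    # First 96 bits are zero and the low 32 bits hold the IPv4 address; the
    # unspecified (::) and loopback (::1) addresses are excluded from that range.
    raw = addr.packed
    if raw[:12] == bytes(12) and int.from_bytes(raw[12:], "big") > 1:
        # "ipv6addr:" plus the "::" of the address gives three colons, as in the
        # ipv6addr:::1.2.3.4 example in the table.
        return "ipv6addr:::%02x%02x:%02x%02x" % tuple(raw[12:])

    return f"{field}:{value}"


if __name__ == "__main__":
    # Constructed sample terms, including the two examples used in the table.
    for field, value in [("ipv6addr", "::FFFF:1.2.3.4"), ("ipv6addr", "::1.2.3.4"),
                         ("ipv6addr", "2001:db8::1"), ("ipaddr", "1.2.3.4")]:
        print(f"{field}:{value:<16} -> {normalize_netconn_term(field, value)}")
```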