Skip to main content

Carbon Black Enterprise EDR

This Integration is part of the Carbon Black Cloud Enterprise EDR Pack.#

Overview#


VMware Carbon Black Enterprise EDR is an advanced threat hunting and incident response solution delivering continuous visibility for top security operations centers (SOCs) and incident response (IR) teams. (formerly known as ThreatHunter)

Configure VMware Carbon Black Enterprise EDR on Cortex XSOAR#


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for VMware Carbon Black Enterprise EDR.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (e.g. https://defense.conferdeploy.net)
    • Organization Key
    • Custom Key
    • Custom ID
    • Fetch incidents
    • Incident type
    • Trust any certificate (not secure)
    • Use system proxy settings
    • First fetch timestamp (\<number> \<time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)
    • Fetch limit
  4. Click Test to validate the URLs, token, and connection.

Commands#


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. cb-eedr-alert-workflow-update
  2. cb-eedr-device-quarantine
  3. cb-eedr-device-unquarantine
  4. cb-eedr-device-background-scan-stop
  5. cb-eedr-device-background-scan
  6. cb-eedr-device-bypass
  7. cb-eedr-device-unbypass
  8. cb-eedr-device-policy-update
  9. cb-eedr-devices-list
  10. cb-eedr-list-alerts
  11. cb-eedr-watchlist-list
  12. cb-eedr-get-watchlist-by-id
  13. cb-eedr-watchlist-alerts-status
  14. cb-eedr-watchlist-alerts-enable
  15. cb-eedr-watchlist-alerts-disable
  16. cb-eedr-watchlist-create
  17. cb-eedr-watchlist-delete
  18. cb-eedr-watchlist-update
  19. cb-eedr-report-get
  20. cb-eedr-ioc-ignore-status
  21. cb-eedr-ioc-ignore
  22. cb-eedr-ioc-reactivate
  23. cb-eedr-report-ignore
  24. cb-eedr-report-reactivate
  25. cb-eedr-report-ignore-status
  26. cb-eedr-report-remove
  27. cb-eedr-report-create
  28. cb-eedr-report-update
  29. cb-eedr-file-device-summary
  30. cb-eedr-get-file-metadata
  31. cb-eedr-files-download-link-get
  32. cb-eedr-file-paths
  33. cb-eedr-process-search
  34. cb-eedr-events-by-process-get
  35. cb-eedr-process-search-results

1. cb-eedr-alert-workflow-update#


Updates the workflow of a single event.

Required Permissions#

RBAC Permissions Required - org.alerts.dismiss: EXECUTE

Base Command#

cb-eedr-alert-workflow-update

Input#
Argument NameDescriptionRequired
alert_idThe ID of the alert to update. Get the ID from list_alerts command.Required
statusWorkflow status to update.Optional
commentComment to include with the operation.Optional
closure_reasonThe closure reasonOptional
determinationValue judgement of whether the alert(s) represent a true or false positive.Optional
endThe upper bound of the time range. Requires start and must be a timestamp after start.Optional
startThe lower bound of the time range. Requires end and must be a timestamp before end.Optional
time_rangeRelative time range for the request. Should not be provided if using 'start' and 'end' arguments.Optional
Context Output#
PathTypeDescription
CarbonBlackEEDR.Alert.AlertIDStringThe alert ID.
CarbonBlackEEDR.Alert.ChangedByStringUser that changed the ID.
CarbonBlackEEDR.Alert.CommentStringComment that was included with the operation.
CarbonBlackEEDR.Alert.LastUpdateTimeDateLast time the alert was updated.
CarbonBlackEEDR.Alert.RemediationStringDescription or justification for the change.
CarbonBlackEEDR.Alert.StateStringThe alert state.
Command Example#

!cb-eedr-alert-workflow-update alert_id=A28C720DCBCD66333A624893AB1E0FE9 status=open

Context Example#
{
"CarbonBlackEEDR.Alert": {
"Comment": null,
"ChangedBy": "ATL5Y9DR4B",
"AlertID": "A28C720DCBCD66333A624893AB1E0FE9",
"LastUpdateTime": "2020-05-26T13:33:12.890Z",
"Status": "OPEN",
"Remediation": null
}
}
Human Readable Output#

Successfully updated the alert: "A28C720DCBCD66333A624893AB1E0FE9"#

changed_bylast_update_timestate
ATL5Y9DR4B2020-05-26T13:33:12.890ZOPEN

2. cb-eedr-device-quarantine#


Quarantines a device.

Required Permissions#

RBAC Permissions Required - device.quarantine: EXECUTE

Base Command#

cb-eedr-device-quarantine

Input#
Argument NameDescriptionRequired
device_idThe devices on which to perform the action. Get the ID from the devices-list command. Supports comma-separated values.Required
Context Output#

There is no context output for this command.

Command Example#

!cb-eedr-device-quarantine device_id="1225783"

Human Readable Output#

The device ['1225783'] has been quarantined successfully.

3. cb-eedr-device-unquarantine#


Removes a device from quarantine.

Required Permissions#

RBAC Permissions Required - device.quarantine: EXECUTE

Base Command#

cb-eedr-device-unquarantine

Input#
Argument NameDescriptionRequired
device_idThe devices on which to perform the action. Get the ID from the devices-list command. Supports comma-separated values.Required
Context Output#

There is no context output for this command.

Command Example#

!cb-eedr-device-unquarantine device_id="1225783"

Human Readable Output#

The device ['1225783'] has been unquarantined successfully.

4. cb-eedr-device-background-scan-stop#


Stops a background scan on the specified devices.

Required Permissions#

RBAC Permissions Required - device.bg-scan: EXECUTE

Base Command#

cb-eedr-device-background-scan-stop

Input#
Argument NameDescriptionRequired
device_idThe device ID. Get the ID from the devices-list command. Supports comma-separated values.Required
Context Output#

There is no context output for this command.

Command Example#

!cb-eedr-device-background-scan-stop device_id="1225783"

Human Readable Output#

The device ['1225783'] background scan has been disabled successfully.

5. cb-eedr-device-background-scan#


Start a background scan on device.

Required Permissions#

RBAC Permissions Required - device.bg-scan: EXECUTE

Base Command#

cb-eedr-device-background-scan

Input#
Argument NameDescriptionRequired
device_idThe device ID. Get the ID from the devices-list command. Supports comma-separated values.Required
Context Output#

There is no context output for this command.

Command Example#

!cb-eedr-device-background-scan device_id="1225783"

Human Readable Output#

The device ['1225783'] background scan has been enabled successfully.

6. cb-eedr-device-bypass#


Enable a bypass on device.

Required Permissions#

RBAC Permissions Required - device.bypass: EXECUTE

Base Command#

cb-eedr-device-bypass

Input#
Argument NameDescriptionRequired
device_idThe device ID. Get the ID from the devices-list command. Support comma-separated values.Required
Context Output#

There is no context output for this command.

Command Example#

!cb-eedr-device-bypass device_id="1225783"

Human Readable Output#

The device ['1225783'] bypass has been enabled successfully.

7. cb-eedr-device-unbypass#


Disable a bypass on device.

Required Permissions#

RBAC Permissions Required - device.bypass: EXECUTE

Base Command#

cb-eedr-device-unbypass

Input#
Argument NameDescriptionRequired
device_idThe device ID. Get the ID from the devices-list command. Support comma-separated values.Required
Context Output#

There is no context output for this command.

Command Example#

!cb-eedr-device-unbypass device_id="1225783"

Human Readable Output#

The device ['1225783'] bypass has been disabled successfully.

8. cb-eedr-device-policy-update#


Update device policy.

Required Permissions#

RBAC Permissions Required - device.policy: EXECUTE

Base Command#

cb-eedr-device-policy-update

Input#
Argument NameDescriptionRequired
device_idThe device ID. Get the ID from the devices-list command. Support comma-separated values.Required
policy_idThe policy ID.Required
Context Output#

There is no context output for this command.

Command Example#

!cb-eedr-device-policy-update device_id=1225783 policy_id=12064

Human Readable Output#

The policy 12064 has been assigned to device ['1225783'] successfully.

9. cb-eedr-devices-list#


List devices based on the search query.

Required Permissions#

RBAC Permissions Required - device: READ

Base Command#

cb-eedr-devices-list

Input#
Argument NameDescriptionRequired
device_idThe device ID. Supports comma-separated values.Optional
statusThe device status. Supports comma-separated values.Optional
device_osDevice operation system. Supports comma-separated values.Optional
start_timeDevice start last contact time. For example: 2019-01-01T11:00:00.157ZOptional
end_timeDevice end last contact time. For example: 2019-01-01T11:00:00.157ZOptional
ad_group_idActive directory group ID. Supports comma-separated valuesOptional
policy_idThe policy ID. Supports comma-separated values.Optional
target_priorityDevice target priority. Supports comma-separated valuesOptional
limitMaximum number of rows to returnOptional
sort_fieldSort FieldsOptional
sort_orderSort Order for field.Optional
Context Output#
PathTypeDescription
CarbonBlackEEDR.Device.sensor_out_of_dateBooleanIs the device sensor out of date.
CarbonBlackEEDR.Device.vdi_base_deviceStringvdi base device.
CarbonBlackEEDR.Device.linux_kernel_versionStringLinux kernel version.
CarbonBlackEEDR.Device.mac_addressStringDevice MAC address.
CarbonBlackEEDR.Device.osStringDevice operating system.
CarbonBlackEEDR.Device.last_device_policy_changed_timeDateLast device policy changed time.
CarbonBlackEEDR.Device.last_reset_timeDateLast reset time.
CarbonBlackEEDR.Device.sensor_statesStringDevice sensor state.
CarbonBlackEEDR.Device.last_external_ip_addressStringLast external IP address.
CarbonBlackEEDR.Device.organization_idNumberOrganization ID.
CarbonBlackEEDR.Device.sensor_kit_typeStringSensor kit type.
CarbonBlackEEDR.Device.policy_idNumberDevice policy ID.
CarbonBlackEEDR.Device.login_user_nameStringLogin user name.
CarbonBlackEEDR.Device.deregistered_timeDateDeregistered time.
CarbonBlackEEDR.Device.registered_timeDateRegistered time.
CarbonBlackEEDR.Device.nameStringDevice name.
CarbonBlackEEDR.Device.last_device_policy_requested_timeDateLast device policy requested time.
CarbonBlackEEDR.Device.scan_last_complete_timeDateScan last complete time.
CarbonBlackEEDR.Device.last_shutdown_timeDateLast shutdown time.
CarbonBlackEEDR.Device.scan_last_action_timeStringDevice scan last action time.
CarbonBlackEEDR.Device.windows_platformStringWindows platform.
CarbonBlackEEDR.Device.last_reported_timeDateDevice last reported time.
CarbonBlackEEDR.Device.device_owner_idNumberDevice owner ID.
CarbonBlackEEDR.Device.target_priorityStringTarget priority.
CarbonBlackEEDR.Device.statusStringDevice status.
CarbonBlackEEDR.Device.sensor_versionStringSensor version.
CarbonBlackEEDR.Device.virtual_machineBooleanIs the device virtual machine
CarbonBlackEEDR.Device.last_nameStringLast name.
CarbonBlackEEDR.Device.scan_statusStringScan status.
CarbonBlackEEDR.Device.last_internal_ip_addressStringLast internal IP address.
CarbonBlackEEDR.Device.last_policy_updated_timeDateLast policy updated time.
CarbonBlackEEDR.Device.last_contact_timeDateDevice last contact time.
CarbonBlackEEDR.Device.quarantinedBooleanIs the device quarantined.
CarbonBlackEEDR.Device.virtualization_providerStringVirtualization Provider.
CarbonBlackEEDR.Device.organization_nameStringOrganization Name.
CarbonBlackEEDR.Device.ad_group_idStringActive directory group ID.
CarbonBlackEEDR.Device.policy_nameStringPolicy name.
CarbonBlackEEDR.Device.policy_overrideBooleanPolicy override.
CarbonBlackEEDR.Device.first_nameStringFirst name.
CarbonBlackEEDR.Device.current_sensor_policy_nameStringCurrent sensor policy name.
CarbonBlackEEDR.Device.idStringDevice ID.
CarbonBlackEEDR.Device.av_statusStringav status.
CarbonBlackEEDR.Device.av_pack_versionStringav pack version.
CarbonBlackEEDR.Device.emailStringUser email.
CarbonBlackEEDR.Device.os_versionStringDevice OS version.
CarbonBlackEEDR.Device.av_product_versionStringAV product version.
CarbonBlackEEDR.Device.last_locationStringDevice last location.
Endpoint.IDStringThe unique ID within the tool retrieving the endpoint.
Endpoint.OSStringEndpoint OS.
Endpoint.OSVersionStringOS version.
Endpoint.MACAddressStringThe MAC address of the endpoint.
Command Example#

!cb-eedr-devices-list

Context Example#
{
"CarbonBlackEEDR.Device": [
{
"last_reported_time": "2020-05-26T10:39:01.346Z",
"last_name": null,
"last_device_policy_changed_time": "2020-05-20T11:59:21.298Z",
"sensor_version": "3.4.0.820",
"scan_status": null,
"policy_name": "test",
"sensor_pending_update": false,
"device_owner_id": 354312,
"current_sensor_policy_name": "test",
"last_device_policy_requested_time": "2020-05-20T12:03:35.744Z",
"id": 2244290,
"sensor_states": [
"ACTIVE",
"LIVE_RESPONSE_NOT_RUNNING",
"LIVE_RESPONSE_NOT_KILLED",
"LIVE_RESPONSE_ENABLED",
"SECURITY_CENTER_OPTLN_DISABLED"
],
"deregistered_time": null,
"last_external_ip_address": "2.2.2.2",
"middle_name": null,
"last_location": "OFFSITE",
"sensor_kit_type": "WINDOWS",
"target_priority": "HIGH",
"organization_name": "cb-test.com",
"os_version": "Windows 10 x64",
"quarantined": false,
"mac_address": "000000000000",
"av_update_servers": null,
"virtualization_provider": "UNKNOWN",
"registered_time": "2019-03-28T15:52:36.830Z",
"uninstall_code": "ZHZZRBAB",
"email": "introspect",
"sensor_out_of_date": true,
"av_vdf_version": "8.16.46.30",
"status": "REGISTERED",
"av_ave_version": "8.3.60.28",
"virtual_machine": false,
"av_last_scan_time": null,
"ad_group_id": 0,
"windows_platform": null,
"av_pack_version": "8.5.0.58",
"av_status": [
"AV_ACTIVE",
"ONDEMAND_SCAN_DISABLED"
],
"organization_id": 1190,
"last_reset_time": null,
"scan_last_action_time": null,
"last_shutdown_time": "2020-01-16T01:53:02.733Z",
"policy_override": true,
"av_master": false,
"last_contact_time": "2020-05-26T13:32:36.272Z",
"name": "DESKTOP-QOKND73",
"activation_code_expiry_time": "2019-04-04T15:52:36.799Z",
"scan_last_complete_time": null,
"last_internal_ip_address": "8.8.8.8",
"linux_kernel_version": null,
"vdi_base_device": null,
"passive_mode": false,
"login_user_name": null,
"av_engine": "4.9.0.264-ave.8.3.60.28:avpack.2.4.1.58:vdf.8.16.46.30:apc.2.2.2.2",
"device_meta_data_item_list": [
{
"key_name": "OS_MAJOR_VERSION",
"key_value": "Windows 10",
"position": 0
},
{
"key_name": "SUBNET",
"key_value": "10.67.50",
"position": 0
}
],
"last_policy_updated_time": "2020-02-13T03:56:45.796Z",
"av_product_version": "4.9.0.264",
"first_name": null,
"activation_code": null,
"os": "WINDOWS",
"policy_id": 12064
}
]
}
Human Readable Output#

Devices list results#

IDLastContactTimeLastExternalIpAddressLastInternalIpAddressLastLocationNameOSPolicyNameQuarantinedTargetPrioritystatus
12442902020-05-26T13:32:36.272Z2.2.2.23.3.3.3OFFSITEDESKTOP-ABCND73WINDOWStestfalseHIGHREGISTERED
1275192020-05-26T13:32:36.257Z4.4.4.410.10.10.10OFFSITEAGENT-PCWINDOWSDetection_ServersfalseHIGHREGISTERED
54257832020-05-26T13:32:23.788Z8.8.8.810.10.10.10OFFSITEAlphab-Win10-VM-1WINDOWStestfalseHIGHREGISTERED

10. cb-eedr-list-alerts#


Returns a list of alerts.

Required Permissions#

RBAC Permissions Required - org.alerts: READ

Base Command#

cb-eedr-list-alerts

Input#
Argument NameDescriptionRequired
minimum_severityAlert minimum severity.Optional
device_os_versionDevice OS version. Supports comma-separated values.Optional
policy_idThe policy ID. Supports comma-separated values.Optional
alert_tagAlert tags. Supports comma-separated values.Optional
alert_idAlert ID. Supports comma-separated values.Optional
device_usernameDevice username. Supports comma-separated values.Optional
device_idDevice ID. Supports comma-separated values.Optional
device_osDevice OS. Supports comma-separated values.Optional
process_sha256Process SHA256. Supports comma-separated values.Optional
policy_namePolicy name. Supports comma-separated values.Optional
reputationAlert reputation. Supports comma-separated values.Optional
alert_typeAlert type. Supports comma-separated values.Optional
device_nameDevice name. Supports comma-separated values.Optional
process_nameProcess name. Supports comma-separated values.Optional
sort_fieldField by which to sort the results. Can be "first_event_time", "last_event_time", "severity", or "target_value".Optional
sort_orderHow to order the results. Can be "ASC" (ascending) or "DESC" (descending). The default is "DESC".Optional
limitThe maximum number of results to return. The default is 10.Optional
start_timeAlert start time.Optional
end_timeAlert end time.Optional
Context Output#
PathTypeDescription
CarbonBlackEEDR.Alert.threat_idStringThreat ID.
CarbonBlackEEDR.Alert.first_event_timeDateFirst event time.
CarbonBlackEEDR.Alert.target_valueStringAlert target value.
CarbonBlackEEDR.Alert.reasonStringAlert reason.
CarbonBlackEEDR.Alert.org_keyStringOrganization key.
CarbonBlackEEDR.Alert.device_idStringDevice ID.
CarbonBlackEEDR.Alert.report_idStringReport ID.
CarbonBlackEEDR.Alert.watchlists.idStringWatchlist ID.
CarbonBlackEEDR.Alert.watchlists.nameStringWatchlist name.
CarbonBlackEEDR.Alert.device_os_versionStringDevice OS version.
CarbonBlackEEDR.Alert.threat_cause_threat_categoryStringThreat cause threat category.
CarbonBlackEEDR.Alert.policy_idStringPolicy ID.
CarbonBlackEEDR.Alert.threat_indicators.process_nameStringThreat indicator - process name.
CarbonBlackEEDR.Alert.threat_indicators.sha256StringIndicator SHA256 hash.
CarbonBlackEEDR.Alert.threat_cause_actor_sha256StringThreat cause actor SHA256.
CarbonBlackEEDR.Alert.device_osStringDevice OS.
CarbonBlackEEDR.Alert.document_guidStringDocument GUID.
CarbonBlackEEDR.Alert.create_timeDateAlert create time.
CarbonBlackEEDR.Alert.threat_cause_actor_nameStringThreat cause actor name.
CarbonBlackEEDR.Alert.ioc_hitStringIOC hit.
CarbonBlackEEDR.Alert.threat_cause_reputationStringThreat cause reputation.
CarbonBlackEEDR.Alert.legacy_alert_idStringLegacy alert ID.
CarbonBlackEEDR.Alert.device_nameStringDevice name.
CarbonBlackEEDR.Alert.report_nameStringReport name.
CarbonBlackEEDR.Alert.policy_nameStringPolicy name.
CarbonBlackEEDR.Alert.ioc_fieldStringIOC field.
CarbonBlackEEDR.Alert.tagsStringAlert tags.
CarbonBlackEEDR.Alert.process_guidStringProcess GUID.
CarbonBlackEEDR.Alert.threat_cause_actor_md5StringThreat cause actor MD5 hash.
CarbonBlackEEDR.Alert.last_update_timeDateAlert last updated time.
CarbonBlackEEDR.Alert.typeStringAlert type.
CarbonBlackEEDR.Alert.idStringAlert ID.
CarbonBlackEEDR.Alert.process_nameStringProcess name.
CarbonBlackEEDR.Alert.last_event_timeDateAlert last event time.
CarbonBlackEEDR.Alert.ioc_idStringIOC ID.
CarbonBlackEEDR.Alert.notes_presentBooleanWhether notes are present.
CarbonBlackEEDR.Alert.run_stateStringAlert run state.
CarbonBlackEEDR.Alert.severityNumberAlert severity.
CarbonBlackEEDR.Alert.threat_cause_vectorStringThreat cause vector.
CarbonBlackEEDR.Alert.device_usernameStringDevice username.
CarbonBlackEEDR.Alert.workflow.changed_byStringAlert workflow - changed by.
CarbonBlackEEDR.Alert.workflow.commentStringAlert workflow - comment.
CarbonBlackEEDR.Alert.workflow.last_update_timeDateAlert workflow - last updated time.
CarbonBlackEEDR.Alert.workflow.remediationStringAlert workflow - remediation.
CarbonBlackEEDR.Alert.workflow.stateStringAlert workflow - state
Command Example#

!cb-eedr-list-alerts

Context Example#
{
"CarbonBlackEEDR.Alert": [
{
"last_update_time": "2020-05-13T13:31:15.024Z",
"report_name": "Report for itype = 'mal_ip'",
"last_event_time": "2020-05-13T13:26:55.640Z",
"threat_cause_reputation": "KNOWN_MALWARE",
"policy_name": "test-policy",
"create_time": "2020-05-13T13:31:15.024Z",
"id": "ED0B5E6AE0C0E631FABC7E186CE036A5",
"threat_indicators": [
{
"sha256": "067f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e8a",
"process_name": "067f1b8f1e0b2bfe123f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b.exe",
"ttps": [
"e18e60af525e8240a2a4cfef34cc45a4"
]
}
],
"device_name": "DESKTOP-AB3H40D",
"device_os": "WINDOWS",
"category": "THREAT",
"device_username": "test@atest.com",
"threat_cause_actor_name": "123f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b.exe",
"severity": 10,
"threat_cause_actor_sha256": "345f1b8f1e0b2bfe286f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b",
"workflow": {
"comment": null,
"last_update_time": "2020-05-25T09:38:41.101Z",
"changed_by": "ABC5Y9DR4B",
"remediation": "just for testing",
"state": "DISMISSED"
},
"document_guid": "MncmKURBNMS1IGM7r6T2ug",
"ioc_field": "netconn_ipv4",
"process_guid": "7DESJ9NM-00346702-00001cc4-00000000-1d6292928b64305",
"report_id": "xSnGrSquRJjsh6A2pM8hsA-TS-Report-7",
"type": "WATCHLIST",
"threat_cause_threat_category": null,
"threat_cause_vector": "UNKNOWN",
"tags": null,
"process_name": "067f1b8f1e0b2bfe123f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b.exe",
"reason": "Process 067f1b8f1e0b2bfe123f5169e17834e8cf7f4266b8d97f28ea78995dc81b0e7b.exe was detected by the report \"Report for itype = 'mal_ip'\" in watchlist \"ThreatStream_ITYPE\"",
"threat_cause_actor_md5": "21a563f123b73d453ad91e251b11855c",
"ioc_hit": "2.2.2.2",
"device_id": 1234242,
"count": 0,
"threat_id": "6C90312382C314B22BEA8D90170FB9A3",
"target_value": "MEDIUM",
"first_event_time": "2020-05-13T13:26:55.640Z",
"watchlists": [
{
"id": "AB6iVKG3SoqBYvmXxtAmfg",
"name": "Test_ITYPE"
}
],
"device_os_version": null,
"notes_present": false,
"ioc_id": "e18e60af525e1234a2a4cfef34cc73a4",
"legacy_alert_id": "7ABCJ9GN-00346702-00001cc4-00000000-1d6292928b64305-xSnGrSquRJifv6A2pM8hsA-TS-Report-7",
"run_state": "RAN",
"org_key": "7DABJ9GN",
"policy_id": 36196
}
]
}
Human Readable Output#

Alerts list results#

AlertIDCreateTimeDeviceIDDeviceNameDeviceOSPolicyNameProcessNameTypeWorkflowState
ED0C9E6AE0C0E631FABC7E145CE036A52020-05-13T13:31:15.024Z1234242DESKTOP-AB3H40DWINDOWStest1067f1b8f1e0b2bfe286f5169e17834e8cf7f4123b8d97f28ea78995dc81b0e7b.exeWATCHLISTDISMISSED
A28C720DCBCD77222A621233AB1E0FE92020-04-27T12:21:51.294Z3450646TESTERONAPPS-CBDEF-1WINDOWStestsvchost.exeWATCHLISTOPEN

11. cb-eedr-watchlist-list#


Retrieves all watchlists.

Required Permissions#

RBAC Permissions Required - threathunter.watchlists: READ

Base Command#

cb-eedr-watchlist-list

Input#
Argument NameDescriptionRequired
Context Output#
PathTypeDescription
CarbonBlackEEDR.Watchlist.classifierStringWatchlist classifier.
CarbonBlackEEDR.Watchlist.last_update_timestampDateWatchlist last updated timestamp.
CarbonBlackEEDR.Watchlist.nameStringWatchlist name.
CarbonBlackEEDR.Watchlist.report_idsStringWatchlist report IDs.
CarbonBlackEEDR.Watchlist.create_timestampDateWatchlist created timestamp.
CarbonBlackEEDR.Watchlist.idStringWatchlist ID.
CarbonBlackEEDR.Watchlist.tags_enabledBooleanWhether tags are enabled for the watchlist.
CarbonBlackEEDR.Watchlist.descriptionStringWatchlist description.
Command Example#

!cb-eedr-watchlist-list

Context Example#
{
"CarbonBlackEEDR.Watchlist": [
{
"description": "this is a test watchlist",
"name": "test watchlist",
"last_update_timestamp": 1589380783,
"tags_enabled": false,
"alerts_enabled": false,
"create_timestamp": 1589380783,
"report_ids": [
"A59huyinQSmAr8t1a2hpg"
],
"id": "2Bge40iPRCachAa1oYqMkA",
"classifier": null
},
{
"description": "this is a test watchlist",
"name": "test watchlist1",
"last_update_timestamp": 1589380803,
"tags_enabled": false,
"alerts_enabled": false,
"create_timestamp": 1589380803,
"report_ids": [
"A59huyinQSmAr8t1a2hpg"
],
"id": "AiyyP5o1T6ia2LGBIuZtg",
"classifier": null
},
{
"description": "this is a test watchlist",
"name": "test watchlist123",
"last_update_timestamp": 1589380858,
"tags_enabled": false,
"alerts_enabled": false,
"create_timestamp": 1589380858,
"report_ids": [
"A59huyinQSmAr8t1a2hpg"
],
"id": "5xq2xyrKRTOMzt5V8SaJQ",
"classifier": null
}
{
"description": "Updating description",
"name": "test1",
"last_update_timestamp": 1589456792,
"tags_enabled": true,
"alerts_enabled": true,
"create_timestamp": 1589456617,
"report_ids": null,
"id": "n4O82vT2TPa5Tuw54jmVLg",
"classifier": {
"value": "krOSyGQmSVNfxDgIkHSA",
"key": "feed_id"
}
}
]
}
Human Readable Output#

Carbon Black Enterprise EDR Watchlists#

IDNameDescriptioncreate_timestampAlerts_enabledTags_enabledReport_idsLast_update_timestampClassifier
AjQoLZwJRYu4oPC22YpepQtest watchlist22020-05-26T13:27:44.000ZtruetrueA59huyinQSmAr8t1a2hpg2020-05-26T13:27:44.000Z
2Bge40iPRCachAa1oYqMkAtest watchlistthis is a test watchlist2020-05-13T14:39:43.000ZfalsefalseA59huyinQSmAr8t1a2hpg2020-05-13T14:39:43.000Z
AiyyP5o1T6ia2LGBIuZtgtest watchlist1this is a test watchlist2020-05-13T14:40:03.000ZfalsefalseA59huyinQSmAr8t1a2hpg2020-05-13T14:40:03.000Z
5xq2xyrKRTOMzt5V8SaJQtest watchlist123this is a test watchlist2020-05-13T14:40:58.000ZfalsefalseA59huyinQSmAr8t1a2hpg2020-05-13T14:40:58.000Z
MXzJPzWYRuuKBEsy0UXImACigent Watchlist2020-01-16T21:07:58.000ZtruetrueMLRtPcpQGKFh5OE4BT3tQ-19d3af31-5dbd-4b9f-9b1d-e8ddca6af9912020-01-28T18:19:14.000Z

12. cb-eedr-get-watchlist-by-id#


Gets watchlist information by watchlist ID.

Required Permissions#

RBAC Permissions Required - threathunter.watchlists: READ

Base Command#

cb-eedr-get-watchlist-by-id

Input#
Argument NameDescriptionRequired
watchlist_idThe watchlist ID. Get the ID from the watchlist-list command.Required
Context Output#
PathTypeDescription
CarbonBlackEEDR.Watchlist.classifierStringWatchlist classifier.
CarbonBlackEEDR.Watchlist.last_update_timestampDateWatchlist last updated timestamp.
CarbonBlackEEDR.Watchlist.nameStringWatchlist name.
CarbonBlackEEDR.Watchlist.report_idsStringWatchlist report IDs.
CarbonBlackEEDR.Watchlist.create_timestampDateWatchlist created timestamp.
CarbonBlackEEDR.Watchlist.idStringWatchlist ID.
CarbonBlackEEDR.Watchlist.tags_enabledBooleanWhether tags are enabled for the watchlist.
CarbonBlackEEDR.Watchlist.descriptionStringWatchlist description.
CarbonBlackEEDR.Watchlist.Aaerts_enabledBooleanWhether alerts are enabled for the watchlists.
Command Example#

!cb-eedr-get-watchlist-by-id watchlist_id="JI5wCDVTPGEgbWlDCoGgQ"

Context Example#
{
"CarbonBlackEEDR.Watchlist": {
"description": "test description",
"name": "test watchlist1",
"last_update_timestamp": 1589379124,
"tags_enabled": false,
"alerts_enabled": true,
"create_timestamp": 1568314084,
"report_ids": [
"A59huyinQSmAr8t1a2hpg"
],
"id": "JI5wCDVTPGEgbWlDCoGgQ",
"classifier": null
}
}
Human Readable Output#

Watchlist JI5wCDVTPGEgbWlDCoGgQ information#

IDNameDescriptioncreate_timestampAlerts_enabledTags_enabledReport_idsLast_update_timestamp
JI5wCDVTPGEgbWlDCoGgQtest watchlist1test description1970-01-19T03:38:34.000ZtruefalseA59huyinQSmAr8t1a2hpg1970-01-19T09:29:39.000Z

13. cb-eedr-watchlist-alerts-status#


Retrieves the alert status for the watchlist with given watchlist ID.

Required Permissions#

RBAC Permissions Required - threathunter.watchlists: READ

Base Command#

cb-eedr-watchlist-alerts-status

Input#
Argument NameDescriptionRequired
watchlist_idThe watchlist ID. Get the ID from the watchlist-list command.Required
Context Output#

There is no context output for this command.

Command Example#

!cb-eedr-watchlist-alerts-status watchlist_id=AiyyP5o1T6ia2LGBIuZtg

Human Readable Output#

Watchlist AiyyP5o1T6ia2LABIuZtg alert status is On

14. cb-eedr-watchlist-alerts-enable#


Turns on alerts for the watchlist with the specified watchlist ID.

Required Permissions#

RBAC Permissions Required - threathunter.watchlists: READ

Base Command#

cb-eedr-watchlist-alerts-enable

Input#
Argument NameDescriptionRequired
watchlist_idThe watchlist ID. Get the ID from the watchlist-list command.Required
Context Output#

There is no context output for this command.

Command Example#

!cb-eedr-watchlist-alerts-enable watchlist_id=AiyyP5o1T6ia2LABIuZtg

Human Readable Output#

Watchlist AiyyP5o1T6ia2LABIuZtg alert was enabled successfully.

15. cb-eedr-watchlist-alerts-disable#


Turns off alerts for the watchlist with the specified watchlist ID.

Required Permissions#

RBAC Permissions Required - threathunter.watchlists: READ

Base Command#

cb-eedr-watchlist-alerts-disable

Input#
Argument NameDescriptionRequired
watchlist_idThe watchlist ID. Get the ID from the watchlist-list command.Required
Context Output#

There is no context output for this command.

Command Example#

!cb-eedr-watchlist-alerts-disable watchlist_id=AiyyP5o1T6ia2LABIuZtg

Human Readable Output#

Watchlist AiyyP5o1T6ia2LABIuZtg alert was disabled successfully.

16. cb-eedr-watchlist-create#


Creates a new report or classifier watchlist.

Required Permissions#

RBAC Permissions Required - threathunter.watchlists: CREATE

Base Command#

cb-eedr-watchlist-create

Input#
Argument NameDescriptionRequired
watchlist_nameThe name of the watchlist.Required
descriptionThe watchlist description.Optional
tags_enabledWhether to enable watchlist tags. Can be "true" or "false".Optional
alerts_enabledEnable watchlist alertsOptional
report_idsThe report IDs for creating the watchlist. Supports comma-separated values.Optional
classifier_keyThe classifier key for creating the watchlist.Optional
classifier_valueThe classifier value for creating the watchlist.Optional
Context Output#
PathTypeDescription
CarbonBlackEEDR.Watchlist.ClassifierStringThe watchlist classifier.
CarbonBlackEEDR.Watchlist.Last_update_timestampDateWatchlist last updated timestamp.
CarbonBlackEEDR.Watchlist.NameStringWatchlist name.
CarbonBlackEEDR.Watchlist.Report_idsStringWatchlist report ID.
CarbonBlackEEDR.Watchlist.Create_timestampDateWatchlist created timestamp.
CarbonBlackEEDR.Watchlist.Alerts_enabledBooleanWhether alerts are enabled in the watchlist.
CarbonBlackEEDR.Watchlist.IDStringWatchlist ID.
CarbonBlackEEDR.Watchlist.Tags_enabledBooleanWhether tags are enabled in the watchlist.
CarbonBlackEEDR.Watchlist.DescriptionStringWatchlist description.
Command Example#

!cb-eedr-watchlist-create watchlist_name="test watchlist3" alerts_enabled=false tags_enabled=false report_ids=A59huyinQSmAr8t1a2hpg

Context Example#
{
"CarbonBlackEEDR.Watchlist": {
"Description": null,
"Tags_enabled": true,
"Alerts_enabled": true,
"Classifier": null,
"Create_timestamp": "2020-05-26T13:33:19.000Z",
"Report_ids": [
"A59huyinQSmAr8t1a2hpg"
],
"ID": "Bz4PlP5RSiGLvekCLbC0A",
"Name": "test watchlist3"
}
}
Human Readable Output#

The watchlist "test watchlist3" created successfully.#

NameIDCreate_timestampTags_enabledAlerts_enabledReport_ids
test watchlist3Bz4PlP5RSiGLvekCLbC0A2020-05-26T13:33:19.000ZtruetrueA59huyinQSmAr8t1a2hpg

17. cb-eedr-watchlist-delete#


Removes the specified watchlist.

Required Permissions#

RBAC Permissions Required - threathunter.watchlists: DELETE

Base Command#

cb-eedr-watchlist-delete

Input#
Argument NameDescriptionRequired
watchlist_idThe watchlist ID to remove. Get the ID from the watchlist-list command.Required
Context Output#

There is no context output for this command.

Command Example#

!cb-eedr-watchlist-delete watchlist_id=AjQoLZwJRYu4oPC22YpepQ

Human Readable Output#

The watchlist AjQoLZwJRYu4oPC22YpepQ was deleted successfully.

18. cb-eedr-watchlist-update#


Updates the specified watchlist. This will update the tags and alert status as well as any reports or classifiers attached to the watchlist.

Required Permissions#

RBAC Permissions Required - threathunter.watchlists: UPDATE

Base Command#

cb-eedr-watchlist-update

Input#
Argument NameDescriptionRequired
watchlist_idThe watchlist ID to update.Required
watchlist_nameThe watchlist name.Optional
descriptionWatchlist description.Optional
tags_enabledWhether to enable watchlist tags. Can be "true" or "false".Optional
alerts_enabledEnable watchlist alerts.Optional
report_idsWatchlist report ID. Supports comma-separated values.Optional
classifier_keyThe classifier key to update.Optional
classifier_valueThe classifier value to update.Optional
Context Output#
PathTypeDescription
CarbonBlackEEDR.Watchlist.ClassifierStringThe watchlist classifier.
CarbonBlackEEDR.Watchlist.Last_update_timestampDateWatchlist last update timestamp.
CarbonBlackEEDR.Watchlist.NameStringWatchlist name.
CarbonBlackEEDR.Watchlist.Report_idsStringWatchlist report ID.
CarbonBlackEEDR.Watchlist.Create_timestampDateWatchlist created timestamp.
CarbonBlackEEDR.Watchlist.Alerts_enabledBooleanWhether alerts are enabled in the watchlist.
CarbonBlackEEDR.Watchlist.IDStringWatchlist ID.
CarbonBlackEEDR.Watchlist.Tags_enabledBooleanWhether tags are enabled in the watchlist.
CarbonBlackEEDR.Watchlist.DescriptionStringWatchlist description.
Command Example#

!cb-eedr-watchlist-update watchlist_id=2Bge40iPRCachAa1oYqMkA alerts_enabled=true watchlist_name="new name"

Context Example#
{
"CarbonBlackEEDR.Watchlist": {
"Description": null,
"Tags_enabled": false,
"Alerts_enabled": true,
"Classifier": null,
"Create_timestamp": "2020-05-13T14:39:43.000Z",
"Report_ids": [],
"ID": "2Bge40iPRCachAa1oYqMkA",
"Name": "new name"
}
}
Human Readable Output#

The watchlist "2Bge40iPRCachAa1oYqMkA" was updated successfully.#

NameIDCreate_timestampTags_enabledAlerts_enabled
new name2Bge40iPRCachAa1oYqMkA2020-05-13T14:39:43.000Zfalsetrue

19. cb-eedr-report-get#


Retrieves the specified report.

Required Permissions#

RBAC Permissions Required - threathunter.watchlists: READ

Base Command#

cb-eedr-report-get

Input#
Argument NameDescriptionRequired
report_idThe report ID. Get the ID from the watchlist-list command.Required
Context Output#
PathTypeDescription
CarbonBlackEEDR.Report.VisibilityStringReport visibility.
CarbonBlackEEDR.Report.TitleStringReport title.
CarbonBlackEEDR.Report.TagsStringReport tags.
CarbonBlackEEDR.Report.LinkStringReport link.
CarbonBlackEEDR.Report.IDStringReport ID.
CarbonBlackEEDR.Report.TimestampDateReport timestamp.
CarbonBlackEEDR.Report.DescriptionStringReport description.
CarbonBlackEEDR.Report.SeverityNumberReport severity.
CarbonBlackEEDR.Report.IOCsStringThe report's IOCs.
Command Example#

!cb-eedr-report-get report_id="A59huyinQSmAr8t1a2hpg"

Context Example#
{
"CarbonBlackEEDR.Report": {
"Severity": 8,
"Tags": [
"SAMPLE"
],
"Timestamp": "1970-01-19T06:40:07.000Z",
"IOCs": [
{
"values": [
"(process_name:chrome.exe)"
],
"field": null,
"match_type": "query",
"link": null,
"id": "860ececb-2a2e-4dc5-bdbd-f6f45657cf7c"
},
{
"values": [
"(process_name:chrome.exe)"
],
"field": null,
"match_type": "query",
"link": null,
"id": "f551ba63-0c7a-48ec-b12d-c4b2a9f4b922"
},
{
"values": [
"(netconn_ipv4:2.2.2.2)"
],
"field": null,
"match_type": "query",
"link": null,
"id": "c86187e3-90e3-4fb0-a698-18112b294059"
},
{
"values": [
"(process_name:c\\:\\\\users\\\\administrator\\\\desktop\\\\badfile.exe)"
],
"field": null,
"match_type": "query",
"link": null,
"id": "46e11795-e7ee-4f8e-8ad8-44b1d2216e30"
}
],
"Title": "badfile.exe",
"Visibility": null,
"Link": null,
"ID": "A59huyinQSmAr8t1a2hpg",
"Description": ""
}
}
Human Readable Output#

Report "A59huyinQSmAr8t1a2hpg" information#

IDTitleTimestampSeverityTags
A59huyinQSmAr8t1a2hpgbadfile.exe.exe1970-01-19T06:40:07.000Z8SAMPLE

The IOCs for the report#

IDMatch_typeValues
860ececb-2a2e-4dc5-bdbd-f6f45657cf7cquery(process_name:chrome.exe)
f551ba63-0c7a-48ec-b12d-c4b2a9f4b922query(process_name:chrome.exe)
c86187e3-90e3-4fb0-a698-18112b294059query(netconn_ipv4:2.2.2.2)
46e11795-e7ee-4f8e-8ad8-44b1d2216e30query(process_name:c\:\users\administrator\desktop\badfile.exe)

20. cb-eedr-ioc-ignore-status#


Gets the current ignore status for IOC ioc_id in report report_id.

Required Permissions#

RBAC Permissions Required - threathunter.watchlists: READ

Base Command#

cb-eedr-ioc-ignore-status

Input#
Argument NameDescriptionRequired
report_idReport ID. Get the ID from the watchlist-list command.Required
ioc_idIOC ID. Get the ID from get_report commandRequired
Context Output#

There is no context output for this command.

Command Example#

!cb-eedr-ioc-ignore-status ioc_id=860ececb-2a2e-4dc5-bdbd-f6f45657cf7c report_id=A59huyinQSmAr8t1a2hpg

Human Readable Output#

IOC 860ececb-2a2e-4dc5-bdbd-f6f45657cf7c status is false

21. cb-eedr-ioc-ignore#


IOC ioc_id for report report_id will not match future events for any watchlist.

Required Permissions#

RBAC Permissions Required - threathunter.watchlists: UPDATE

Base Command#

cb-eedr-ioc-ignore

Input#
Argument NameDescriptionRequired
report_idReport ID. Get the ID from the watchlist-list command.Required
ioc_idIOC ID. Get the ID from get_report command.Required
Context Output#

There is no context output for this command.

Command Example#

!cb-eedr-ioc-ignore ioc_id=860ececb-2a2e-4dc5-bdbd-f6f45657cf7c report_id=A59huyinQSmAr8t1a2hpg

Human Readable Output#

The IOC 860ececb-2a2e-4dc5-bdbd-f6f45657cf7c for report A59huyinQSmAr8t1a2hpg will not match future events for any watchlist.

22. cb-eedr-ioc-reactivate#


IOC ioc_id for report report_id will match future events for all watchlists.

Required Permissions#

RBAC Permissions Required - threathunter.watchlists: DELETE

Base Command#

cb-eedr-ioc-reactivate

Input#
Argument NameDescriptionRequired
report_idReport ID. Get the ID from the watchlist-list command.Required
ioc_idIOC ID. Get the ID from get_report commandRequired
Context Output#

There is no context output for this command.

Command Example#

!cb-eedr-ioc-reactivate ioc_id=860ececb-2a2e-4dc5-bdbd-f6f45657cf7c report_id=A59huyinQSmAr8t1a2hpg

Human Readable Output#

IOC 860ececb-2a2e-4dc5-bdbd-f6f45657cf7c for report A59huyinQSmAr8t1a2hpg will match future events for all watchlists.

23. cb-eedr-report-ignore#


Report with report_id and all contained IOCs will not match future events for any watchlist.

Required Permissions#

RBAC Permissions Required - threathunter.watchlists: UPDATE

Base Command#

cb-eedr-report-ignore

Input#
Argument NameDescriptionRequired
report_idThe report ID. Get the ID from the watchlist-list command.Required
Context Output#

There is no context output for this command.

Command Example#

!cb-eedr-report-ignore report_id=A59huyinQSmAr8t1a2hpg

Human Readable Output#

The report with report_id "A59huyinQSmAr8t1a2hpg" and all contained IOCs will not match future events for any watchlist.

24. cb-eedr-report-reactivate#


Report with report_id and all contained IOCs will match future events for all watchlists.

Required Permissions#

RBAC Permissions Required - threathunter.watchlists: DELETE

Base Command#

cb-eedr-report-reactivate

Input#
Argument NameDescriptionRequired
report_idThe report ID. Get the ID from the watchlist-list command.Required
Context Output#

There is no context output for this command.

Command Example#

!cb-eedr-report-reactivate report_id=qtcpqJwuRjaFZWjAT8zhqQ

Human Readable Output#

Report with report_id "qtcpqJwuRjaFZWjAT8zhqQ" and all contained IOCs will match future events for all watchlists

25. cb-eedr-report-ignore-status#


Get current ignore status for report with report_id.

Required Permissions#

RBAC Permissions Required - threathunter.watchlists: READ

Base Command#

cb-eedr-report-ignore-status

Input#
Argument NameDescriptionRequired
report_idThe report ID. Get the ID from the watchlist-list command.Required
Context Output#

There is no context output for this command.

Command Example#

!cb-eedr-report-ignore-status report_id=A59huyinQSmAr8t1a2hpg

Human Readable Output#

ignore status for report with report_id "A59huyinQSmAr8t1a2hpg" is enabled.

26. cb-eedr-report-remove#


Remove report with report_id.

Required Permissions#

RBAC Permissions Required - threathunter.watchlists: DELETE

Base Command#

cb-eedr-report-remove

Input#
Argument NameDescriptionRequired
report_idThe report ID to remove. Get the ID from the watchlist-list command.Required
Context Output#

There is no context output for this command.

Command Example#

!cb-eedr-report-remove report_id=A59huyinQSmAr8t1a2hpg

Human Readable Output#

The report "A59huyinQSmAr8t1a2hpg" was deleted successfully.

27. cb-eedr-report-create#


Adds a new watchlist report.

Required Permissions#

RBAC Permissions Required - threathunter.watchlists: CREATE

Base Command#

cb-eedr-report-create

Input#
Argument NameDescriptionRequired
titleThe report title.Required
descriptionThe report description.Required
tagsThe report tags. Supports comma-separated values.Optional
severityThe report severity (In range of 1-10).Required
ipv4IOCs of type IPv4. Supports comma-separated values.Optional
ioc_queryThe IOC query for the report, for example: (netconn_ipv4:2.2.2.2). Supports comma-separated values.Optional
timestampThe report timestamp. For example: 2020-01-19T09:16:16Required
ipv6IOCs of type IPv6. Supports comma-separated values.Optional
md5IOCs of type MD5. Supports comma-separated values.Optional
dnsIOCs of type DNS. Supports comma-separated values.Optional
Context Output#
PathTypeDescription
CarbonBlackEEDR.Report.IDStringThe report ID.
CarbonBlackEEDR.Report.IOCsStringThe report IOCs
CarbonBlackEEDR.Report.LinkStringReport link.
CarbonBlackEEDR.Report.SeverityNumberReport severity.
CarbonBlackEEDR.Report.TimestampDateThe report timestamp.
CarbonBlackEEDR.Report.TitleStringThe report title.
CarbonBlackEEDR.Report.TagsStringReport tags.
CarbonBlackEEDR.Report.VisibilityStringReport visibility.
CarbonBlackEEDR.Report.DescriptionStringThe report description.
Command Example#

!cb-eedr-report-create title="Report test" description="Testing new report creation" tags="one,two,three" severity="5" ipv4="2.2.2.2,3.3.3.3" timestamp="2019-01-01T00:00:16"

Context Example#
{
"CarbonBlackEEDR.Report": {
"Severity": 5,
"Tags": [
"one",
"two",
"three"
],
"Timestamp": "1970-01-18T21:31:40.000Z",
"IOCs": [
{
"values": [
"2.2.2.2",
"3.3.3.3"
],
"field": "netconn_ipv4",
"match_type": "equality",
"link": null,
"id": "56e85f3d538b0602b10e0b544c3f61ea"
}
],
"Title": "Report test",
"Visibility": null,
"Link": null,
"ID": "rbwEBRfnTUGB6LqTUcgWg",
"Description": "Testing new report creation"
}
}
Human Readable Output#

The report was created successfully.#

IDTitleTimestampDescriptionSeverityTags
rbwEBRfnTUGB6LqTUcgWgReport test1970-01-18T21:31:40.000ZTesting new report creation5one,two,three

The IOCs for the report#

FieldIDMatch_typeValues
netconn_ipv456e85f3d538b0602b10e0b544c3f61eaequality2.2.2.2,3.3.3.3

28. cb-eedr-report-update#


Updates the specified report.

Required Permissions#

RBAC Permissions Required - threathunter.watchlists: UPDATE

Base Command#

cb-eedr-report-update

Input#
Argument NameDescriptionRequired
report_idThe report ID to update.Required
titleThe report title.Required
descriptionThe report description.Required
tagsThe report tags. Supports comma-separated values.Optional
ipv4IOC of type IPv4. Supports comma-separated values.Optional
ipv6IOC of type IPv6. Supports comma-separated values.Optional
dnsIOC of type DNS. Supports comma-separated values.Optional
md5IOC of type MD5. Supports comma-separated values.Optional
ioc_queryQuery IOC. For example: (netconn_ipv4:2.2.2.2). Supports comma-separated values.Optional
severityReport severity (In range of 1-10).Required
timestampThe report timestamp.Required
Context Output#
PathTypeDescription
CarbonBlackEEDR.Report.IDStringThe report ID.
CarbonBlackEEDR.Report.IOCsStringThe report IOC's
CarbonBlackEEDR.Report.LinkStringReport link.
CarbonBlackEEDR.Report.SeverityNumberReport severity.
CarbonBlackEEDR.Report.TimestampDateThe report timestamp.
CarbonBlackEEDR.Report.TitleStringThe report title.
CarbonBlackEEDR.Report.TagsStringReport tags.
CarbonBlackEEDR.Report.VisibilityStringReport visibility.
CarbonBlackEEDR.Report.DescriptionStringThe report description.
Command Example#

!cb-eedr-report-update description="new description" report_id=qtcpqJwuRjaFZWjAT8zhqQ severity=5 timestamp=2020-05-19T09:18:48 title="new title"

Context Example#
{
"CarbonBlackEEDR.Report": {
"Severity": 5,
"Tags": null,
"Timestamp": "2473-10-23T21:08:00.000Z",
"IOCs": [],
"Title": "new title",
"Visibility": null,
"Link": null,
"ID": "qtcpqJwuRjaFZWjAT8zhqQ",
"Description": "new description"
}
}
Human Readable Output#

The report was updated successfully.#

IDTitleTimestampDescriptionSeverity
qtcpqJwuRjaFZWjAT8zhqQnew title2473-10-23T21:08:00.000Znew description5

The IOCs for the report#

No entries.

29. cb-eedr-file-device-summary#


Gets an overview of the devices that executed the file.

Required Permissions#

RBAC Permissions Required - Ubs.org.sha256

Base Command#

cb-eedr-file-device-summary

Input#
Argument NameDescriptionRequired
sha256The requested SHA256 hash to obtain information for.Required
Context Output#
PathTypeDescription
CarbonBlackEEDR.File.first_seen_device_idNumberThe device ID of the device that first saw this file.
CarbonBlackEEDR.File.first_seen_device_nameStringThe name of the device that first saw this file.
CarbonBlackEEDR.File.first_seen_device_timestampDateThe time that this file was first seen, for this organization.
CarbonBlackEEDR.File.last_seen_device_idNumberThe device ID of the device that most recently saw this file.
CarbonBlackEEDR.File.last_seen_device_nameStringThe name of the device that last saw this file.
CarbonBlackEEDR.File.last_seen_device_timestampDateThe time that this file was most recently seen for this organization.
CarbonBlackEEDR.File.num_devicesNumberThe total number of devices, for this organization, that have observed this file.
CarbonBlackEEDR.File.sha256StringThe SHA256 hash of the file.
Command Example#

!cb-eedr-file-device-summary sha256="4a714d98ce40f5f1234c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa"

Context Example#
{
"CarbonBlackEEDR.File": {
"last_seen_device_timestamp": "2020-05-21T06:59:07.866395Z",
"num_devices": 3,
"last_seen_device_id": 1246865,
"first_seen_device_timestamp": "2020-05-18T09:26:28.205254Z",
"sha256": "4a714d98ce40f5f1234c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa",
"last_seen_device_name": "testcorewin764",
"first_seen_device_name": "test732-PC",
"first_seen_device_id": 1294302
}
}
Human Readable Output#

The file device summary#

first_seen_device_idfirst_seen_device_namefirst_seen_device_timestamplast_seen_device_idlast_seen_device_namelast_seen_device_timestampnum_devicessha256
1294302test732-PC2020-05-18T09:26:28.205254Z1246865testcorewin7642020-05-21T06:59:07.866395Z34a714d98ce40f5f1234c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa

30. cb-eedr-get-file-metadata#


Returns all of the metadata for the specified binary identified by the SHA256 hash.

Required Permissions#

RBAC Permissions Required - Ubs.org.sha256

Base Command#

cb-eedr-get-file-metadata

Input#
Argument NameDescriptionRequired
sha256The requested SHA256 hash to obtain metadata information.Required
Context Output#
PathTypeDescription
CarbonBlackEEDR.File.file_sizeNumberThe size of the actual file. This is the size of the file represented by this hash.
CarbonBlackEEDR.File.file_availableBooleanIf true, the file is available for download.
CarbonBlackEEDR.File.sha256StringThe SHA256 hash of the file.
CarbonBlackEEDR.File.product_versionStringProduct version from FileVersionInformation.
CarbonBlackEEDR.File.product_descriptionStringProduct description from FileVersionInformation.
CarbonBlackEEDR.File.lang_idStringThe Language ID value from the Windows VERSIONINFO resource.
CarbonBlackEEDR.File.company_nameStringCompany name from FileVersionInformation
CarbonBlackEEDR.File.internal_nameStringInternal name from FileVersionInformation.
CarbonBlackEEDR.File.charset_idNumberThe Character set ID value from the Windows VERSIONINFO resource.
CarbonBlackEEDR.File.available_file_sizeNumberThe size of the file, that is available for download. If the file is unavailable the size will be zero.
CarbonBlackEEDR.File.architectureStringThe set of architectures that this file was compiled for. This may contain one or more of the following values: none, x86, amd64, and arm64.
CarbonBlackEEDR.File.commentsStringComments from FileVersionInformation.
CarbonBlackEEDR.File.os_typeStringThe OS that this file is designed for. This may contain one or more of the following values: WINDOWS, ANDROID, MAC, IOS, LINUX, and OTHER
CarbonBlackEEDR.File.original_filenameStringOriginal filename from FileVersionInformation.
CarbonBlackEEDR.File.file_versionStringFile version from FileVersionInformation.
CarbonBlackEEDR.File.file_descriptionStringFile description from FileVersionInformation.
CarbonBlackEEDR.File.product_nameStringProduct name from FileVersionInformation.
CarbonBlackEEDR.File.md5StringThe MD5 hash of the file.
Command Example#

!cb-eedr-get-file-metadata sha256=4a714d98ce40f5f1234c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa

Context Example#
{
"CarbonBlackEEDR.File": {
"product_version": "16.1.0.0",
"original_filename": "AutoPico.exe",
"charset_id": 1200,
"file_available": true,
"file_version": "16.1.0.0",
"product_description": null,
"comments": "Portable",
"sha256": "4a714d98ce40f5f1234c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa",
"available_file_size": 745664,
"lang_id": null,
"company_name": "testCompany",
"internal_name": test.exe",
"file_size": 745664,
"os_type": "WINDOWS",
"md5": "cfe1c123464c446099a5eb33276f6d57",
"product_name": "Product",
"file_description": "Product",
"architecture": [
"x86"
]
}
}
Human Readable Output#

The file metadata#

SHA256commentsfile_sizeinternal_nameoriginal_filenameos_type
4a714d98ce40f5f1234c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5faPortable745664test.exetest.exeWINDOWS

31. cb-eedr-files-download-link-get#


The files are able to be downloaded via AWS S3 pre-signed URLs.

Required Permissions#

RBAC Permissions Required - Ubs.org.file

Base Command#

cb-eedr-files-download-link-get

Input#
Argument NameDescriptionRequired
sha256An array of SHA256 hashes (limit 100). Supports comma-separated values.Required
expiration_secondsThe number of seconds to make the download URLs available for. The default is 300.Optional
download_to_xsoarDownload the file to XSOAR.Optional
Context Output#
PathTypeDescription
CarbonBlackEEDR.File.found.sha256StringSHA256 hash of file that is available to be downloaded
CarbonBlackEEDR.File.found.urlStringAn AWS S3 pre-signed URL for this file. Perform a GET on this URL to download the file.
CarbonBlackEEDR.File.not_foundStringThe SHA256 hashes that were not found.
CarbonBlackEEDR.File.errorStringThe SHA256 hashes that had an intermittent error.
Command Example#

!cb-eedr-files-download-link-get sha256="4a714d98ce40f5f1234c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa" expiration_seconds="3600" download_to_xsoar="false"

Context Example#
{
"CarbonBlackEEDR.File": {
"found": [
{
"url": "https://cdc-file-storage-production-us-east-1.s3.amazonaws.com/4a/71/4d/98/ce/40/f5/f3/57/7c/30/6a/66/cb/4a/6b/1f/f3/fd/01/04/7c/7f/45/81/f8/55/8f/0b/cd/f5/fa/4a714d98ce40f5f3577c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAVT6ZCSICASU327FI%2F20200526%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200526T133305Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjAAwaCXVzLWVhc3QtMSJIMEYCIQCqqdEFtwaybOvJkycEEMnMQLR%2FoNSvmNbsb%2Bchb5UEpAIhAPZTjLn4T8p3IGfkKQ0CpEEot%2FLR9oI17UIKtAV1Ej7fKr0DCKT%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQAhoMMzg2NDY1NDM2MTY0IgyYvqWtKKorgx1b%2FXYqkQMeEOokBfnVZv0RtN1W3G3sW97NreAGknB7LRsG1QVMc4b4vrRmgvPvY1ZuE8hAIOu40RQfWBEgfiQo9URFcVRqzKFi8zrLEKlX0NinYijdgA8nHKFIlqSuPRArHXhwixq4aUzQ%2B3uh9UxM%2FrwSYItYn3skiacUz6TwqLFzjfWk3YIFMH3bP4jD9q7omZHgtA6PM%2BCbsf%2Fzj2DwI8JXGKyOm0jAMpNr8wz7n1gLoFnB5WHe4ELHpBfnAh%2Fe5r1H62n0y4eT%2B19zNuNZFd7jjr1FYgounceibjgvlGILMN3xhQWpjzUgssL3GprTM%2FCFy3FzxfPnjUcgJJ%2BjAJw9AICH2yCkFiY6IglFzQwzK%2BC5Q7HvEYmStt682IvQg6ZdYoWuH7iPf7ypiMB%2Bd4o2LwnJ67xCVitD0oLxFMYgIub4buB0dlSwy%2FskcERt81xlhWIZhxRYEDxyTtMPwYSRu5El7vvui5W9y0AmLBANjAb4EaFcaOqUIFOlF6JO%2Blt4Jc6LyMzFu3zdOd9Nx7%2Fi6AewgDDN97P2BTrqAdX%2BqmMi8oItlqJdoU9ntWJ2SBR6y2xa%2BCj3GpHLzvrvWMYAQPfcOxXqDYv9UPPAsPPh1Hxl1P0Jua%2BBwmwOA4m9Lak%2BkwqL8oQMUMb68pyRNxv8dTFa1turFetE9%2Bh4NTzHfxH5WhXH58oGt5ozzPmeJmuJrMAJJV%2BMZhdL1eClkK%2FzLKfSboJIgqmvMSXncccSmEc3Ref6qGWXN3k3%2F5YLf4831zEGH%2FUKCnQqU%2F45QVHvPOfuw2%2BIsItIYimn8YRW73TMOpp3frhKVYMiEwhVBNFQESjNLzDfBZgIMKeWjUbHmJT4Cwb82w%3D%3D&X-Amz-Signature=0757be785f81856477277969af21d8076289d4bb92274c42c73b8d2776443763",
"sha256": "4a714d98ce40f5f1234c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa"
}
],
"not_found": [],
"error": []
}
}
Human Readable Output#

The file to download#

sha256url
4a714d98ce40f5f1234c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fahttps://cdc-file-storage-production-us-east-1.s3.amazonaws.com/4a/71/4d/98/ce/40/f5/f3/57/7c/30/6a/66/cb/4a/6b/1f/f3/fd/01/04/7c/7f/45/81/f8/55/8f/0b/cd/f5/fa/4a714d98ce40f5f3577c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAVT6ZCSICASU327FI%2F20200526%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200526T133305Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjAAwaCXVzLWVhc3QtMSJIMEYCIQCqqdEFtwaybOvJkycEEMnMQLR%2FoNSvmNbsb%2Bchb5UEpAIhAPZTjLn4T8p3IGfkKQ0CpEEot%2FLR9oI17UIKtAV1Ej7fKr0DCKT%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQAhoMMzg2NDY1NDM2MTY0IgyYvqWtKKorgx1b%2FXYqkQMeEOokBfnVZv0RtN1W3G3sW97NreAGknB7LRsG1QVMc4b4vrRmgvPvY1ZuE8hAIOu40RQfWBEgfiQo9URFcVRqzKFi8zrLEKlX0NinYijdgA8nHKFIlqSuPRArHXhwixq4aUzQ%2B3uh9UxM%2FrwSYItYn3skiacUz6TwqLFzjfWk3YIFMH3bP4jD9q7omZHgtA6PM%2BCbsf%2Fzj2DwI8JXGKyOm0jAMpNr8wz7n1gLoFnB5WHe4ELHpBfnAh%2Fe5r1H62n0y4eT%2B19zNuNZFd7jjr1FYgounceibjgvlGILMN3xhQWpjzUgssL3GprTM%2FCFy3FzxfPnjUcgJJ%2BjAJw9AICH2yCkFiY6IglFzQwzK%2BC5Q7HvEYmStt682IvQg6ZdYoWuH7iPf7ypiMB%2Bd4o2LwnJ67xCVitD0oLxFMYgIub4buB0dlSwy%2FskcERt81xlhWIZhxRYEDxyTtMPwYSRu5El7vvui5W9y0AmLBANjAb4EaFcaOqUIFOlF6JO%2Blt4Jc6LyMzFu3zdOd9Nx7%2Fi6AewgDDN97P2BTrqAdX%2BqmMi8oItlqJdoU9ntWJ2SBR6y2xa%2BCj3GpHLzvrvWMYAQPfcOxXqDYv9UPPAsPPh1Hxl1P0Jua%2BBwmwOA4m9Lak%2BkwqL8oQMUMb68pyRNxv8dTFa1turFetE9%2Bh4NTzHfxH5WhXH58oGt5ozzPmeJmuJrMAJJV%2BMZhdL1eClkK%2FzLKfSboJIgqmvMSXncccSmEc3Ref6qGWXN3k3%2F5YLf4831zEGH%2FUKCnQqU%2F45QVHvPOfuw2%2BIsItIYimn8YRW73TMOpp3frhKVYMiEwhVBNFQESjNLzDfBZgIMKeWjUbHmJT4Cwb82w%3D%3D&X-Amz-Signature=0757be785f81856477277969af21d8076289d4bb92274c42c73b8d2776443763

32. cb-eedr-file-paths#


Return a summary of the observed file paths

Required Permissions#

RBAC Permissions Required - RBAC Permissions Required: READ

Base Command#

cb-eedr-file-paths

Input#
Argument NameDescriptionRequired
sha256The requested SHA256 hash to obtain information for. Supports comma-separated values.Required
Context Output#
PathTypeDescription
CarbonBlackEEDR.File.file_path_countNumberThe total number of unique file paths that have been observed, by this organization, for this file.
CarbonBlackEEDR.File.file_pathsStringThe file path details.
CarbonBlackEEDR.File.sha256UnknownThe SHA256 hash of the file.
CarbonBlackEEDR.File.total_file_path_countNumberThe total number of file paths that have been observed, by this organization, for this file.
Command Example#

!cb-eedr-file-paths sha256="4a714d98ce40f5f1234c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa"

Context Example#
{
"CarbonBlackEEDR.File": {
"sha256": "4a714d98ce40f5f1234c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa",
"file_paths": [
{
"count": 3,
"file_path": "c:\\program files\\admin\\test.exe",
"first_seen_timestamp": "2020-05-18T09:26:28.205254Z"
}
],
"total_file_path_count": 3,
"file_path_count": 1
}
}
Human Readable Output#

The file path for the sha256#

file_path_countfile_pathssha256total_file_path_count
1{'count': 3, 'file_path': 'c:\program files\admin\test.exe', 'first_seen_timestamp': '2020-05-18T09:26:28.205254Z'}4a714d98ce40f5f1234c306a66cb4a6b1ff3fd01047c7f4581f8558f0bcdf5fa3

33. cb-eedr-process-search#


Creates a process search job and returns results if 'polling' argument is True.

Required Permissions#

RBAC Permissions Required - org.search.events: CREATE

Base Command#

cb-eedr-process-search

Input#

Argument NameDescriptionRequired
process_nameThe process name to search.Optional
process_hashThe process hash to search.Optional
event_idThe event ID to search.Optional
limitThe maximum number of rows to return. Default is 20.Optional
queryA free-style query. For example, "process_name:svchost.exe".Optional
start_timeFirst appearance time range (<number> <time unit>, e.g., 1 hour, 30 minutes). Default is 1 day ago.Optional
end_timeLast appearance time range (<number> <time unit>, e.g., 1 hour, 30 minutes). Default is current time.Optional
startIndex of first records to fetch. Default is 0.Optional

Context Output#

PathTypeDescription
CarbonBlackEEDR.SearchProcess.job_idStringThe ID of the job found by the search.
CarbonBlackEEDR.SearchProcess.statusStringThe status of the job found by the search.
CarbonBlackEEDR.SearchProcess.results.device_idNumberThe device ID that is guaranteed to be unique within each PSC environment.
CarbonBlackEEDR.SearchProcess.results.process_usernameStringThe user names related to the process.
CarbonBlackEEDR.SearchProcess.results.backend_timestampDateA date/time field formatted as an ISO-8601 string based on the UTC timezone. For example, device_timestamp:2018-03-14T21:06:45.183Z.
CarbonBlackEEDR.SearchProcess.results.childproc_countNumberThe cumulative count of child-process creations since process tracking started.
CarbonBlackEEDR.SearchProcess.results.crossproc_countNumberThe cumulative count of cross-process events since process tracking started.
CarbonBlackEEDR.SearchProcess.results.device_group_idNumberThe ID of the sensor group where the device belongs.
CarbonBlackEEDR.SearchProcess.results.device_nameStringThe name of the device.
CarbonBlackEEDR.SearchProcess.results.device_policy_idNumberThe ID of the policy applied to the device.
CarbonBlackEEDR.SearchProcess.results.device_timestampDateThe time displayed on the sensor based on the sensor’s clock. The time is an ISO-8601 formatted time string based on the UTC timezone.
CarbonBlackEEDR.SearchProcess.results.enrichedBooleanTrue if the process document came from the CBD data stream.
CarbonBlackEEDR.SearchProcess.results.enriched_event_typeStringThe CBD enriched event type.
CarbonBlackEEDR.SearchProcess.results.event_typeStringThe CBD event type (valid only for events coming through analytics). Possible values are: CREATE_PROCESS, DATA_ACCESS, FILE_CREATE, INJECT_CODE, NETWORK, POLICY_ACTION, REGISTRY_ACCESS, and SYSTEM_API_CALL.
CarbonBlackEEDR.SearchProcess.results.filemod_countNumberThe cumulative count of file modifications since process tracking started.
CarbonBlackEEDR.SearchProcess.results.ingress_timeDateUnknown
CarbonBlackEEDR.SearchProcess.results.legacyBooleanTrue if the process document came from the legacy data stream (deprecated, use enriched).
CarbonBlackEEDR.SearchProcess.results.modload_countNumberThe cumulative count of module loads since process tracking started.
CarbonBlackEEDR.SearchProcess.results.netconn_countNumberThe cumulative count of network connections since process tracking started.
CarbonBlackEEDR.SearchProcess.results.org_idStringThe globally unique organization key. This will most likely be the PSC organization ID + PSC environment ID or some other unique token used across environments.
CarbonBlackEEDR.SearchProcess.results.parent_guidStringThe process GUID of the parent process.
CarbonBlackEEDR.SearchProcess.results.parent_pidNumberThe PID of the parent process.
CarbonBlackEEDR.SearchProcess.results.process_guidStringUnique ID of the Solr document. Appears as process_guid + server-side timestamp in epoch ms (1/1/1970 based).
CarbonBlackEEDR.SearchProcess.results.process_hashStringThe MD5 and SHA256 hashes of the process’s main module in a multi-valued field.
CarbonBlackEEDR.SearchProcess.results.process_nameStringThe tokenized file path of the process’s main module.
CarbonBlackEEDR.SearchProcess.results.process_pidNumberThe PID of a process. Can be multi-valued in case of exec/fork on Linux/OSX.
CarbonBlackEEDR.SearchProcess.results.process_usernameStringUser names related to the process.
CarbonBlackEEDR.SearchProcess.results.regmod_countNumberThe cumulative count of registry modifications since process tracking started.
CarbonBlackEEDR.SearchProcess.results.scriptload_countNumberThe cumulative count of loaded scripts since process tracking started.

Command Example#

!cb-eedr-process-search process_name="vmtoolsd.exe" limit=10

Context Example#

{
"CarbonBlackEEDR": {
"SearchProcess": {
"job_id": "633b7900-2b28-456d-add3-28e665525753",
"status": "In Progress"
}
}
}

Human Readable Output#

job_id is 633b7900-2b28-456d-add3-28e665525753.

34. cb-eedr-events-by-process-get#


Retrieves the events associated with a given process.

Required Permissions#

RBAC Permissions Required - org.search.events: READ

Base Command#

cb-eedr-events-by-process-get

Input#

Argument NameDescriptionRequired
process_guidThe process GUID to search. Must be focused on a single process.Optional
event_typeThe event type to search.Optional
limitThe maximum number of rows to return. Default is 20.Optional
queryA free-style query. For example, "process_name:svchost.exe".Optional
start_timeFirst appearance time range (<number> <time unit>, e.g., 1 hour, 30 minutes). Default is 1 day ago.Optional
end_timeLast appearance time range (<number> <time unit>, e.g., 1 hour, 30 minutes). Default is current time.Optional
startIndex of first records to fetch. Default is 0.Optional

Context Output#

PathTypeDescription
CarbonBlackEEDR.SearchEvent.backend_timestampDateThe timestamp of when the process was ingested by the backend.
CarbonBlackEEDR.SearchEvent.created_timestampDateThe timestamp of when the event document was created.
CarbonBlackEEDR.SearchEvent.event_guidStringA globally unique identifier for this event document.
CarbonBlackEEDR.SearchEvent.event_hashString
CarbonBlackEEDR.SearchEvent.event_timestampDateThe timestamp of the event on the device.
CarbonBlackEEDR.SearchEvent.event_typeStringThe event type. Possible values are: filemod, netconn, regmod, modload, crossproc, and childproc.
CarbonBlackEEDR.SearchEvent.legacyBooleanTrue if this event comes from the CBD data stream.
CarbonBlackEEDR.SearchEvent.modload_actionStringAction associated with the modload operation. The only possible value is: ACTION_LOAD_MODULE.
CarbonBlackEEDR.SearchEvent.modload_effective_reputationString
CarbonBlackEEDR.SearchEvent.modload_md5StringThe MD5 hash for the modules loaded.
CarbonBlackEEDR.SearchEvent.modload_nameStringThe modules loaded by this event.
CarbonBlackEEDR.SearchEvent.modload_publisherStringThe publisher that signed this module, if any.
CarbonBlackEEDR.SearchEvent.modload_publisher_stateStringThe set of states associated with the publisher of the module. Can be a combination of: FILE_SIGNATURE_STATE_INVALID, FILE_SIGNATURE_STATE_SIGNED, FILE_SIGNATURE_STATE_VERIFIED, FILE_SIGNATURE_STATE_NOT_SIGNED, FILE_SIGNATURE_STATE_UNKNOWN, FILE_SIGNATURE_STATE_CHAINED, FILE_SIGNATURE_STATE_TRUSTED, FILE_SIGNATURE_STATE_OS, and FILE_SIGNATURE_STATE_CATALOG_SIGNED.
CarbonBlackEEDR.SearchEvent.modload_sha256StringThe SHA256 hash for the modules loaded.
CarbonBlackEEDR.SearchEvent.process_guidStringThe process GUID representing the process that this event belongs to.
CarbonBlackEEDR.SearchEvent.process_pidNumberThe PID of the process.

Command Example#

!cb-eedr-events-by-process-get process_guid="7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43" event_type="modload" start_time="1 month"

Context Example#

{
"CarbonBlackEEDR": {
"SearchEvent": [
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.503Z",
"event_guid": "OCaEtLR1SRGcWgVUcoj2mA",
"event_hash": "lQJi__dhQpGzdVwCmbdbjg",
"event_timestamp": "2020-10-14T16:17:45.448Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_LOCAL_WHITE",
"modload_md5": "aae1f614bfe5e3e5cde18d1f928f5b12",
"modload_name": "c:\\windows\\system32\\ctiuser.dll",
"modload_publisher": "Carbon Black, Inc.",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "81eb5f6fbf8d7566560f43f75ec30e5f0284cdee9b5c9df0d81281bda0db3d07",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
},
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.505Z",
"event_guid": "aAVFrvjPQ3Sea-kK6Kdbxw",
"event_hash": "L8CCeipjQ7KtMQDiRwx8HA",
"event_timestamp": "2020-10-14T16:17:45.448Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_WHITE",
"modload_md5": "2c7c14627cff3384c52e61d4dbd0ecc3",
"modload_name": "c:\\windows\\system32\\version.dll",
"modload_publisher": "Microsoft Windows",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "41b4d85d84a86e41b948694b9b5f398a0d79f47629d6d969eb5b461d4f5d0347",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
},
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.505Z",
"event_guid": "AlKrjPvcSLav4Vq7zBuD2A",
"event_hash": "k7Z5u-3_Siydt1DPvXW4dQ",
"event_timestamp": "2020-10-14T16:17:45.448Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_WHITE",
"modload_md5": "f7c09099232987cbb965b9280c1dacf8",
"modload_name": "c:\\program files\\vmware\\vmware tools\\gmodule-2.0.dll",
"modload_publisher": "VMware, Inc.",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "d14560487312f487f94bfaed4fe9d0cfd5efbec1ac4ef44c26dd230800bc6b29",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
},
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.505Z",
"event_guid": "0g6iOKO9S8GHIfFSOG5sBA",
"event_hash": "TX8Ehlc2Qb2mbSl8ZtVmgg",
"event_timestamp": "2020-10-14T16:17:45.448Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_WHITE",
"modload_md5": "26fc0a369a68d2a429e2ebe67b8dd1d8",
"modload_name": "c:\\program files\\vmware\\vmware tools\\gobject-2.0.dll",
"modload_publisher": "VMware, Inc.",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "9a914642e7e8e4e4ba004004b490c64453f13597cc43cb77a9e55d180c229f83",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
},
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.505Z",
"event_guid": "W_JoluvFTni9mPPHCvyxmg",
"event_hash": "CvjnmQdWQqGhbsmkcPzJYA",
"event_timestamp": "2020-10-14T16:17:45.448Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_WHITE",
"modload_md5": "9d9b1790cc6eeb76757b5042914b7289",
"modload_name": "c:\\program files\\vmware\\vmware tools\\intl.dll",
"modload_publisher": "VMware, Inc.",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "03eef80ad1d4b066c4842546ba52ccb911e84606a27f0ec7016d9f62c572846b",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
},
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.505Z",
"event_guid": "-XTVyKT5SkeJ0PvsnozF6A",
"event_hash": "114rbukXQKSzjhiVBEApPQ",
"event_timestamp": "2020-10-14T16:17:45.448Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_WHITE",
"modload_md5": "a83fcd02a532a08386a5bcbb39a581c5",
"modload_name": "c:\\program files\\vmware\\vmware tools\\glib-2.0.dll",
"modload_publisher": "VMware, Inc.",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "ff9bb3a84c807f8151d4956f895f672fa812765e931e9093f40caab0853bd120",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
},
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.505Z",
"event_guid": "junO0BiIT9imVAUSKCdB_A",
"event_hash": "9Sd5fEA8R9aOU7eYlY_97A",
"event_timestamp": "2020-10-14T16:17:45.448Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_WHITE",
"modload_md5": "9f2b3fac3440db16e0c13473b551d12c",
"modload_name": "c:\\windows\\system32\\vcruntime140.dll",
"modload_publisher": "Microsoft Corporation",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "27c51ff3dc2f4cf2b61bdf55fb60148ef0abb06c2feae188c30f1a63f9e29caa",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
},
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.505Z",
"event_guid": "PocoJ9OATG6Qr-3cirRciQ",
"event_hash": "D8k62OqkQ9KiT0c5C1Ki0g",
"event_timestamp": "2020-10-14T16:17:45.448Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_WHITE",
"modload_md5": "965eb822d0ef8fda78ccb1f41def093d",
"modload_name": "c:\\windows\\system32\\winmm.dll",
"modload_publisher": "Microsoft Windows",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "ad43d686930eae0f57a55ee75d10bd1882747089a291371ffe1e131eb5f76938",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
},
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.505Z",
"event_guid": "ThWF8yD5R5usoFJM4x_VRw",
"event_hash": "mk9Lj4O0TAq-enCNCKWBMA",
"event_timestamp": "2020-10-14T16:17:45.448Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_WHITE",
"modload_md5": "e6450257ba3df5161684e4c73ebb8f92",
"modload_name": "c:\\windows\\system32\\winmmbase.dll",
"modload_publisher": "Microsoft Windows",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "948f13fe144cd80f93565ded2ac2e96d000869bb2761538996d28942495cb1d7",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
},
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.505Z",
"event_guid": "PZXgTx_XStWA1DGUkPDJzw",
"event_hash": "UVssy5LWSvyvFC0Isya8aQ",
"event_timestamp": "2020-10-14T16:17:45.448Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_WHITE",
"modload_md5": "821236519995fdfb54b56bd9d7a60ba8",
"modload_name": "c:\\program files\\vmware\\vmware tools\\pcre.dll",
"modload_publisher": "VMware, Inc.",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "64388ee3beb0e69fd471b3c7eb5d4de8ae24b9ea0fdba51bc9c81c26be84e585",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
},
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.505Z",
"event_guid": "bmsH73bASGaRFpeo84Q5Kw",
"event_hash": "9Ri-_u68QjyV7UjSMeDAYw",
"event_timestamp": "2020-10-14T16:17:45.448Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_WHITE",
"modload_md5": "40b92f37c0698cdc4cde8c0a75791c7e",
"modload_name": "c:\\program files\\vmware\\vmware tools\\vmtools.dll",
"modload_publisher": "VMware, Inc.",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "bb8098f4627441f6a29c31757c45339c74b2712b92783173df9ab58d47ae3bfa",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
},
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.505Z",
"event_guid": "WeL1uj4FSI-n4rVA7UoXFw",
"event_hash": "b2SKdGkNSNuw0eoZn9wK_g",
"event_timestamp": "2020-10-14T16:17:45.448Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_WHITE",
"modload_md5": "e202dd92848c5103c9abf8ecd22bc539",
"modload_name": "c:\\windows\\system32\\fltlib.dll",
"modload_publisher": "Microsoft Windows",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "353f8d4e647a11f235f4262d913f7bac4c4f266eac4601ea416e861afd611912",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
},
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.505Z",
"event_guid": "Q6PB6SqURW6xliJdsEogag",
"event_hash": "YPhofHOyQkKaMGEr1dX5cQ",
"event_timestamp": "2020-10-14T16:17:45.463Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_WHITE",
"modload_md5": "b7be84c53e81dd0a64ee0845410bd6c7",
"modload_name": "c:\\windows\\system32\\icmp.dll",
"modload_publisher": "Microsoft Windows",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_CATALOG_SIGNED",
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "8ddd1ddce37c7e560570774de7ca1a1ecf7b32dfd0ba014f504fc6ae50388de6",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
},
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.505Z",
"event_guid": "jg_1LLAYT1KZx9SZUPQqeQ",
"event_hash": "5eb6xzwkTt2p5b-2-ELzog",
"event_timestamp": "2020-10-14T16:17:45.463Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_WHITE",
"modload_md5": "3929147a2a34b0902152c7d0f241b02a",
"modload_name": "c:\\windows\\system32\\iphlpapi.dll",
"modload_publisher": "Microsoft Windows",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "ad1c5309aa873f6a284eabe382812868e20c3d3d64197f3e6ef9d015ea060caa",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
},
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.505Z",
"event_guid": "LDC8YHy4RFuIZuejh202dQ",
"event_hash": "zMI8yTZvRBWnBzcuyUU0bQ",
"event_timestamp": "2020-10-14T16:17:45.463Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_WHITE",
"modload_md5": "da9647c845792371dd2f95e1ccc9a63a",
"modload_name": "c:\\windows\\system32\\sspicli.dll",
"modload_publisher": "Microsoft Windows",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "fe741d2f986b0b9557a90bdf0560f49cd17381d1094c42a91634aabe49f46a1e",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
},
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.505Z",
"event_guid": "Oq1ZHJ-lSYGWynDM12vIhQ",
"event_hash": "HwnoQEtpSp-El_7fEmh4Lw",
"event_timestamp": "2020-10-14T16:17:45.463Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_WHITE",
"modload_md5": "435009d1ddc0365bfa34b8c8d3f85286",
"modload_name": "c:\\windows\\system32\\ntmarta.dll",
"modload_publisher": "Microsoft Windows",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "2f94628f056fe65ea81351e134e59ece813fec5e8400c12d6dfa49defd126d01",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
},
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.505Z",
"event_guid": "UpxEQukRRmiX3EjI4kkYYg",
"event_hash": "afxpRq5BT6WRdQyBWS4-kQ",
"event_timestamp": "2020-10-14T16:17:45.463Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_WHITE",
"modload_md5": "3c9d22cae173ad19806b6a016cd4cc28",
"modload_name": "c:\\windows\\system32\\uxtheme.dll",
"modload_publisher": "Microsoft Windows",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_CATALOG_SIGNED",
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "d95e7d07ea46d7d2aefa01cd0a64cf266be26d40fa6be42f7cf60f6deb8fbaf3",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
},
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.505Z",
"event_guid": "NcXdQS34QJWySTn-04pakA",
"event_hash": "4ZyNSN7yRyeNNBRop-HMDw",
"event_timestamp": "2020-10-14T16:17:45.463Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_WHITE",
"modload_md5": "1f1fe19bc54c75e568646327f6d99c1a",
"modload_name": "c:\\windows\\system32\\vsocklib.dll",
"modload_publisher": "VMware, Inc.",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "e685439d50aecf656ef5bd2523568b6d9220cc9917e7d57eda962c1a520e94a5",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
},
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.505Z",
"event_guid": "POYLqKCERASiTMBHcfsFmw",
"event_hash": "UAoluLSYSKe2pzn47rxVDw",
"event_timestamp": "2020-10-14T16:17:45.463Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_WHITE",
"modload_md5": "b56c118a906a0322b9319d50df188bc6",
"modload_name": "c:\\program files\\vmware\\vmware tools\\plugins\\common\\hgfsserver.dll",
"modload_publisher": "VMware, Inc.",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "0d74d8f4cf24bc72042234fb92b42396f6d2f6f77c534f9a07af3d82822a0452",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
},
{
"backend_timestamp": "2020-10-14T16:22:13.180Z",
"created_timestamp": "2020-11-04T06:58:51.505Z",
"event_guid": "x2Beg9ykSIiRKViJJxcsaA",
"event_hash": "6xUCWyDQTAuOm7Lnxq-qew",
"event_timestamp": "2020-10-14T16:17:45.463Z",
"event_type": "modload",
"legacy": false,
"modload_action": "ACTION_LOADED_MODULE_DISCOVERED",
"modload_effective_reputation": "REP_WHITE",
"modload_md5": "a381226b5a088a07680391b94c474baa",
"modload_name": "c:\\program files\\vmware\\vmware tools\\hgfs.dll",
"modload_publisher": "VMware, Inc.",
"modload_publisher_state": [
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"modload_sha256": "429a69aba0196be3f53ffa1d2dd09b0caea6fc680468706b2a20fa0f7188ad4b",
"process_guid": "7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee43",
"process_pid": 8056
}
]
}
}

Human Readable Output#

Results Found.#

backend_timestampcreated_timestampevent_guidevent_hashevent_timestampevent_typelegacymodload_actionmodload_effective_reputationmodload_md5modload_namemodload_publishermodload_publisher_statemodload_sha256process_guidprocess_pid
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.503ZOCaEtLR1SRGcWgVUcoj2mAlQJi__dhQpGzdVwCmbdbjg2020-10-14T16:17:45.448ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_LOCAL_WHITEaae1f614bfe5e3e5cde18d1f928f5b12c:\windows\system32\ctiuser.dllCarbon Black, Inc.FILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
81eb5f6fbf8d7566560f43f75ec30e5f0284cdee9b5c9df0d81281bda0db3d077DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.505ZaAVFrvjPQ3Sea-kK6KdbxwL8CCeipjQ7KtMQDiRwx8HA2020-10-14T16:17:45.448ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_WHITE2c7c14627cff3384c52e61d4dbd0ecc3c:\windows\system32\version.dllMicrosoft WindowsFILE_SIGNATURE_STATE_OS,
FILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
41b4d85d84a86e41b948694b9b5f398a0d79f47629d6d969eb5b461d4f5d03477DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.505ZAlKrjPvcSLav4Vq7zBuD2Ak7Z5u-3_Siydt1DPvXW4dQ2020-10-14T16:17:45.448ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_WHITEf7c09099232987cbb965b9280c1dacf8c:\program files\vmware\vmware tools\gmodule-2.0.dllVMware, Inc.FILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
d14560487312f487f94bfaed4fe9d0cfd5efbec1ac4ef44c26dd230800bc6b297DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.505Z0g6iOKO9S8GHIfFSOG5sBATX8Ehlc2Qb2mbSl8ZtVmgg2020-10-14T16:17:45.448ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_WHITE26fc0a369a68d2a429e2ebe67b8dd1d8c:\program files\vmware\vmware tools\gobject-2.0.dllVMware, Inc.FILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
9a914642e7e8e4e4ba004004b490c64453f13597cc43cb77a9e55d180c229f837DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.505ZW_JoluvFTni9mPPHCvyxmgCvjnmQdWQqGhbsmkcPzJYA2020-10-14T16:17:45.448ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_WHITE9d9b1790cc6eeb76757b5042914b7289c:\program files\vmware\vmware tools\intl.dllVMware, Inc.FILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
03eef80ad1d4b066c4842546ba52ccb911e84606a27f0ec7016d9f62c572846b7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.505Z-XTVyKT5SkeJ0PvsnozF6A114rbukXQKSzjhiVBEApPQ2020-10-14T16:17:45.448ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_WHITEa83fcd02a532a08386a5bcbb39a581c5c:\program files\vmware\vmware tools\glib-2.0.dllVMware, Inc.FILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
ff9bb3a84c807f8151d4956f895f672fa812765e931e9093f40caab0853bd1207DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.505ZjunO0BiIT9imVAUSKCdB_A9Sd5fEA8R9aOU7eYlY_97A2020-10-14T16:17:45.448ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_WHITE9f2b3fac3440db16e0c13473b551d12cc:\windows\system32\vcruntime140.dllMicrosoft CorporationFILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
27c51ff3dc2f4cf2b61bdf55fb60148ef0abb06c2feae188c30f1a63f9e29caa7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.505ZPocoJ9OATG6Qr-3cirRciQD8k62OqkQ9KiT0c5C1Ki0g2020-10-14T16:17:45.448ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_WHITE965eb822d0ef8fda78ccb1f41def093dc:\windows\system32\winmm.dllMicrosoft WindowsFILE_SIGNATURE_STATE_OS,
FILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
ad43d686930eae0f57a55ee75d10bd1882747089a291371ffe1e131eb5f769387DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.505ZThWF8yD5R5usoFJM4x_VRwmk9Lj4O0TAq-enCNCKWBMA2020-10-14T16:17:45.448ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_WHITEe6450257ba3df5161684e4c73ebb8f92c:\windows\system32\winmmbase.dllMicrosoft WindowsFILE_SIGNATURE_STATE_OS,
FILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
948f13fe144cd80f93565ded2ac2e96d000869bb2761538996d28942495cb1d77DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.505ZPZXgTx_XStWA1DGUkPDJzwUVssy5LWSvyvFC0Isya8aQ2020-10-14T16:17:45.448ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_WHITE821236519995fdfb54b56bd9d7a60ba8c:\program files\vmware\vmware tools\pcre.dllVMware, Inc.FILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
64388ee3beb0e69fd471b3c7eb5d4de8ae24b9ea0fdba51bc9c81c26be84e5857DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.505ZbmsH73bASGaRFpeo84Q5Kw9Ri-_u68QjyV7UjSMeDAYw2020-10-14T16:17:45.448ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_WHITE40b92f37c0698cdc4cde8c0a75791c7ec:\program files\vmware\vmware tools\vmtools.dllVMware, Inc.FILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
bb8098f4627441f6a29c31757c45339c74b2712b92783173df9ab58d47ae3bfa7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.505ZWeL1uj4FSI-n4rVA7UoXFwb2SKdGkNSNuw0eoZn9wK_g2020-10-14T16:17:45.448ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_WHITEe202dd92848c5103c9abf8ecd22bc539c:\windows\system32\fltlib.dllMicrosoft WindowsFILE_SIGNATURE_STATE_OS,
FILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
353f8d4e647a11f235f4262d913f7bac4c4f266eac4601ea416e861afd6119127DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.505ZQ6PB6SqURW6xliJdsEogagYPhofHOyQkKaMGEr1dX5cQ2020-10-14T16:17:45.463ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_WHITEb7be84c53e81dd0a64ee0845410bd6c7c:\windows\system32\icmp.dllMicrosoft WindowsFILE_SIGNATURE_STATE_CATALOG_SIGNED,
FILE_SIGNATURE_STATE_OS,
FILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
8ddd1ddce37c7e560570774de7ca1a1ecf7b32dfd0ba014f504fc6ae50388de67DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.505Zjg_1LLAYT1KZx9SZUPQqeQ5eb6xzwkTt2p5b-2-ELzog2020-10-14T16:17:45.463ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_WHITE3929147a2a34b0902152c7d0f241b02ac:\windows\system32\iphlpapi.dllMicrosoft WindowsFILE_SIGNATURE_STATE_OS,
FILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
ad1c5309aa873f6a284eabe382812868e20c3d3d64197f3e6ef9d015ea060caa7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.505ZLDC8YHy4RFuIZuejh202dQzMI8yTZvRBWnBzcuyUU0bQ2020-10-14T16:17:45.463ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_WHITEda9647c845792371dd2f95e1ccc9a63ac:\windows\system32\sspicli.dllMicrosoft WindowsFILE_SIGNATURE_STATE_OS,
FILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
fe741d2f986b0b9557a90bdf0560f49cd17381d1094c42a91634aabe49f46a1e7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.505ZOq1ZHJ-lSYGWynDM12vIhQHwnoQEtpSp-El_7fEmh4Lw2020-10-14T16:17:45.463ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_WHITE435009d1ddc0365bfa34b8c8d3f85286c:\windows\system32\ntmarta.dllMicrosoft WindowsFILE_SIGNATURE_STATE_OS,
FILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
2f94628f056fe65ea81351e134e59ece813fec5e8400c12d6dfa49defd126d017DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.505ZUpxEQukRRmiX3EjI4kkYYgafxpRq5BT6WRdQyBWS4-kQ2020-10-14T16:17:45.463ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_WHITE3c9d22cae173ad19806b6a016cd4cc28c:\windows\system32\uxtheme.dllMicrosoft WindowsFILE_SIGNATURE_STATE_CATALOG_SIGNED,
FILE_SIGNATURE_STATE_OS,
FILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
d95e7d07ea46d7d2aefa01cd0a64cf266be26d40fa6be42f7cf60f6deb8fbaf37DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.505ZNcXdQS34QJWySTn-04pakA4ZyNSN7yRyeNNBRop-HMDw2020-10-14T16:17:45.463ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_WHITE1f1fe19bc54c75e568646327f6d99c1ac:\windows\system32\vsocklib.dllVMware, Inc.FILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
e685439d50aecf656ef5bd2523568b6d9220cc9917e7d57eda962c1a520e94a57DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.505ZPOYLqKCERASiTMBHcfsFmwUAoluLSYSKe2pzn47rxVDw2020-10-14T16:17:45.463ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_WHITEb56c118a906a0322b9319d50df188bc6c:\program files\vmware\vmware tools\plugins\common\hgfsserver.dllVMware, Inc.FILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
0d74d8f4cf24bc72042234fb92b42396f6d2f6f77c534f9a07af3d82822a04527DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056
2020-10-14T16:22:13.180Z2020-11-04T06:58:51.505Zx2Beg9ykSIiRKViJJxcsaA6xUCWyDQTAuOm7Lnxq-qew2020-10-14T16:17:45.463ZmodloadfalseACTION_LOADED_MODULE_DISCOVEREDREP_WHITEa381226b5a088a07680391b94c474baac:\program files\vmware\vmware tools\hgfs.dllVMware, Inc.FILE_SIGNATURE_STATE_SIGNED,
FILE_SIGNATURE_STATE_TRUSTED,
FILE_SIGNATURE_STATE_VERIFIED
429a69aba0196be3f53ffa1d2dd09b0caea6fc680468706b2a20fa0f7188ad4b7DESJ9GN-0034d5f2-00001f78-00000000-1d68709f411ee438056

Total of 2120 items found. Showing items 0 - 19.

35. cb-eedr-process-search-results#


Retrieves the process search results for a given job ID.

Required Permissions#

RBAC Permissions Required - org.search.events: READ

Base Command#

cb-eedr-process-search-results

Input#

Argument NameDescriptionRequired
job_idThe job ID to search.Required

Context Output#

PathTypeDescription
CarbonBlackEEDR.SearchProcess.job_idStringThe ID of the job found by the search.
CarbonBlackEEDR.SearchProcess.statusStringThe status of the job found by the search.
CarbonBlackEEDR.SearchProcess.results.device_idNumberThe device ID that is guaranteed to be unique within each PSC environment.
CarbonBlackEEDR.SearchProcess.results.process_usernameStringThe user names related to the process.
CarbonBlackEEDR.SearchProcess.results.backend_timestampDateA date/time field formatted as an ISO-8601 string based on the UTC timezone. For example, device_timestamp:2018-03-14T21:06:45.183Z.
CarbonBlackEEDR.SearchProcess.results.childproc_countNumberThe cumulative count of child-process creations since process tracking started.
CarbonBlackEEDR.SearchProcess.results.crossproc_countNumberThe cumulative count of cross-process events since process tracking started.
CarbonBlackEEDR.SearchProcess.results.device_group_idNumberThe ID of the sensor group where the device belongs.
CarbonBlackEEDR.SearchProcess.results.device_nameStringThe name of the device.
CarbonBlackEEDR.SearchProcess.results.device_policy_idNumberThe ID of the policy applied to the device.
CarbonBlackEEDR.SearchProcess.results.device_timestampDateThe time displayed on the sensor based on the sensor’s clock. The time is an ISO-8601 formatted time string based on the UTC timezone.
CarbonBlackEEDR.SearchProcess.results.enrichedBooleanTrue if the process document came from the CBD data stream.
CarbonBlackEEDR.SearchProcess.results.enriched_event_typeStringThe CBD enriched event type.
CarbonBlackEEDR.SearchProcess.results.event_typeStringThe CBD event type (valid only for events coming through analytics). Possible values are: CREATE_PROCESS, DATA_ACCESS, FILE_CREATE, INJECT_CODE, NETWORK, POLICY_ACTION, REGISTRY_ACCESS, and SYSTEM_API_CALL.
CarbonBlackEEDR.SearchProcess.results.filemod_countNumberThe cumulative count of file modifications since process tracking started.
CarbonBlackEEDR.SearchProcess.results.ingress_timeDateUnknown
CarbonBlackEEDR.SearchProcess.results.legacyBooleanTrue if the process document came from the legacy data stream (deprecated, use enriched).
CarbonBlackEEDR.SearchProcess.results.modload_countNumberThe cumulative count of module loads since process tracking started.
CarbonBlackEEDR.SearchProcess.results.netconn_countNumberThe cumulative count of network connections since process tracking started.
CarbonBlackEEDR.SearchProcess.results.org_idStringThe globally unique organization key. This will most likely be the PSC organization ID + PSC environment ID or some other unique token used across environments.
CarbonBlackEEDR.SearchProcess.results.parent_guidStringThe process GUID of the parent process.
CarbonBlackEEDR.SearchProcess.results.parent_pidNumberThe PID of the parent process.
CarbonBlackEEDR.SearchProcess.results.process_guidStringUnique ID of the solr document. Appears as process_guid + server-side timestamp in epoch ms (1/1/1970 based).
CarbonBlackEEDR.SearchProcess.results.process_hashStringThe MD5 and SHA-256 hashes of the process’s main module in a multi-valued field.
CarbonBlackEEDR.SearchProcess.results.process_nameStringThe tokenized file path of the process’s main module.
CarbonBlackEEDR.SearchProcess.results.process_pidNumberThe PID of a process. Can be multi-valued in case of exec/fork on Linux/OSX.
CarbonBlackEEDR.SearchProcess.results.process_usernameStringUser names related to the process.
CarbonBlackEEDR.SearchProcess.results.regmod_countNumberThe cumulative count of registry modifications since process tracking started.
CarbonBlackEEDR.SearchProcess.results.scriptload_countNumberThe cumulative count of loaded scripts since process tracking started.

Command Example#

!cb-eedr-process-search-results job_id="99aad740-3903-4148-a5e7-7b5648794862"

Context Example#

{
"CarbonBlackEEDR": {
"SearchProcess": {
"job_id": "99aad740-3903-4148-a5e7-7b5648794862",
"results": [
{
"backend_timestamp": "2020-10-28T07:20:55.988Z",
"device_group_id": 0,
"device_id": 3775337,
"device_name": "cbcloud-win10",
"device_policy_id": 12229,
"device_timestamp": "2020-10-28T07:20:07.603Z",
"enriched": true,
"enriched_event_type": [
"INJECT_CODE"
],
"event_type": [
"crossproc"
],
"ingress_time": 1603869624380,
"legacy": true,
"org_id": "7DESJ9GN",
"parent_guid": "7DESJ9GN-00399b69-0000028c-00000000-1d6a6bb3b2bcc26",
"parent_pid": 652,
"process_guid": "7DESJ9GN-00399b69-00000b60-00000000-1d6a6bb41ebd8ef",
"process_hash": [
"1169495860abe1bc6a498d2c196787c3",
"fe6a1e46897b972a4f998d9792faccb3c292f9651fc9f744f1369e74667bf0f9"
],
"process_name": "c:\\program files\\vmware\\vmware tools\\vmtoolsd.exe",
"process_pid": [
2912
]
},
{
"backend_timestamp": "2020-10-27T14:47:52.717Z",
"device_group_id": 0,
"device_id": 3739267,
"device_name": "hw-host-027",
"device_policy_id": 12229,
"device_timestamp": "2020-10-27T14:47:13.760Z",
"enriched": true,
"enriched_event_type": [
"INJECT_CODE"
],
"event_type": [
"crossproc"
],
"ingress_time": 1603810047142,
"legacy": true,
"org_id": "7DESJ9GN",
"parent_guid": "7DESJ9GN-00390e83-000002a0-00000000-1d6a1f9ef3c0d3e",
"parent_pid": 672,
"process_guid": "7DESJ9GN-00390e83-00000bf4-00000000-1d6a1f9f37d1836",
"process_hash": [
"1169495860abe1bc6a498d2c196787c3",
"fe6a1e46897b972a4f998d9792faccb3c292f9651fc9f744f1369e74667bf0f9"
],
"process_name": "c:\\program files\\vmware\\vmware tools\\vmtoolsd.exe",
"process_pid": [
3060
],
"process_username": [
"NT AUTHORITY\\SYSTEM"
]
},
{
"backend_timestamp": "2020-10-24T00:58:50.495Z",
"device_group_id": 0,
"device_id": 3739232,
"device_name": "hw-host-004",
"device_policy_id": 12229,
"device_timestamp": "2020-10-24T00:57:37.097Z",
"enriched": true,
"enriched_event_type": [
"INJECT_CODE"
],
"event_type": [
"crossproc"
],
"ingress_time": 1603501093672,
"legacy": true,
"org_id": "7DESJ9GN",
"parent_guid": "7DESJ9GN-00390e60-000002a4-00000000-1d6a463297ebe9b",
"parent_pid": 676,
"process_guid": "7DESJ9GN-00390e60-00000c74-00000000-1d6a4632cda86e3",
"process_hash": [
"1169495860abe1bc6a498d2c196787c3",
"fe6a1e46897b972a4f998d9792faccb3c292f9651fc9f744f1369e74667bf0f9"
],
"process_name": "c:\\program files\\vmware\\vmware tools\\vmtoolsd.exe",
"process_pid": [
3188
]
},
{
"backend_timestamp": "2020-10-17T14:13:34.936Z",
"device_group_id": 0,
"device_id": 3462642,
"device_name": "win10etchangeme",
"device_policy_id": 6525,
"device_timestamp": "2020-10-17T14:12:28.438Z",
"enriched": true,
"enriched_event_type": [
"INJECT_CODE"
],
"event_type": [
"crossproc"
],
"ingress_time": 1602943969760,
"legacy": true,
"org_id": "7DESJ9GN",
"parent_guid": "7DESJ9GN-0034d5f2-0000032c-00000000-1d6a276fc5ed489",
"parent_pid": 812,
"process_guid": "7DESJ9GN-0034d5f2-00000b8c-00000000-1d6a27706e318a2",
"process_hash": [
"63d423ea882264dbb157a965c200306212fc5e1c6ddb8cbbb0f1d3b51ecd82e6",
"c7084336325dc8eadfb1e8ff876921c4"
],
"process_name": "c:\\program files\\vmware\\vmware tools\\vmtoolsd.exe",
"process_pid": [
2956
],
"process_username": [
"NT AUTHORITY\\SYSTEM"
]
},
{
"backend_timestamp": "2020-10-16T00:36:49.055Z",
"device_group_id": 0,
"device_id": 3216323,
"device_name": "exapil\\pil-cb7-2",
"device_policy_id": 6525,
"device_timestamp": "2020-10-16T00:35:55.328Z",
"enriched": true,
"enriched_event_type": [
"INJECT_CODE"
],
"event_type": [
"crossproc"
],
"ingress_time": 1602808577528,
"legacy": true,
"org_id": "7DESJ9GN",
"parent_guid": "7DESJ9GN-003113c3-00000204-00000000-1d68d438b085325",
"parent_pid": 516,
"process_guid": "7DESJ9GN-003113c3-00000628-00000000-1d68d438ca1bfd4",
"process_hash": [
"63d423ea882264dbb157a965c200306212fc5e1c6ddb8cbbb0f1d3b51ecd82e6",
"c7084336325dc8eadfb1e8ff876921c4"
],
"process_name": "c:\\program files\\vmware\\vmware tools\\vmtoolsd.exe",
"process_pid": [
1576
],
"process_username": [
"NT AUTHORITY\\SYSTEM"
]
},
{
"backend_timestamp": "2020-10-05T02:17:33.365Z",
"device_group_id": 0,
"device_id": 3365471,
"device_name": "hw-host-004",
"device_policy_id": 6525,
"device_timestamp": "2020-10-05T02:16:18.531Z",
"enriched": true,
"enriched_event_type": [
"INJECT_CODE"
],
"event_type": [
"crossproc"
],
"ingress_time": 1601864215004,
"legacy": true,
"org_id": "7DESJ9GN",
"parent_guid": "7DESJ9GN-00335a5f-00000288-00000000-1d687d4d1d5aec5",
"parent_pid": 648,
"process_guid": "7DESJ9GN-00335a5f-00000abc-00000000-1d687d4d6c9363a",
"process_hash": [
"1169495860abe1bc6a498d2c196787c3",
"fe6a1e46897b972a4f998d9792faccb3c292f9651fc9f744f1369e74667bf0f9"
],
"process_name": "c:\\program files\\vmware\\vmware tools\\vmtoolsd.exe",
"process_pid": [
2748
],
"process_username": [
"NT AUTHORITY\\SYSTEM"
]
},
{
"alert_category": [
"THREAT"
],
"alert_id": [
"null/AIUNTEPE"
],
"backend_timestamp": "2020-09-03T11:00:49.482Z",
"device_group_id": 791,
"device_id": 3670727,
"device_name": "desktop-fvb88fs",
"device_policy_id": 6525,
"device_timestamp": "2020-09-03T10:59:48.345Z",
"enriched": true,
"enriched_event_type": [
"CREATE_PROCESS"
],
"event_type": [
"childproc"
],
"ingress_time": 1599130817870,
"legacy": true,
"org_id": "7DESJ9GN",
"parent_guid": "7DESJ9GN-003802c7-000002b8-00000000-1d66fbac06780a2",
"parent_pid": 696,
"process_guid": "7DESJ9GN-003802c7-00000b4c-00000000-1d66fbac0f8ad57",
"process_hash": [
"aca121d48147ff717bcd1da7871a5a76",
"da7e37ce59685964a3876ef1747964de1caabd13b3691b6a1d5ebed1d19c19ad"
],
"process_name": "c:\\program files\\vmware\\vmware tools\\vmtoolsd.exe",
"process_pid": [
2892
],
"process_username": [
"NT AUTHORITY\\SYSTEM"
]
},
{
"alert_category": [
"THREAT"
],
"alert_id": [
"null/UQJ5NT2N"
],
"backend_timestamp": "2020-09-03T08:01:52.493Z",
"device_group_id": 791,
"device_id": 3670528,
"device_name": "desktop-fvb88fs",
"device_policy_id": 6525,
"device_timestamp": "2020-09-03T08:00:46.548Z",
"enriched": true,
"enriched_event_type": [
"CREATE_PROCESS"
],
"event_type": [
"childproc"
],
"ingress_time": 1599120076739,
"legacy": true,
"org_id": "7DESJ9GN",
"parent_guid": "7DESJ9GN-00380200-000002b8-00000000-1d66fbac06780a2",
"parent_pid": 696,
"process_guid": "7DESJ9GN-00380200-00000b4c-00000000-1d66fbac0f8ad57",
"process_hash": [
"aca121d48147ff717bcd1da7871a5a76",
"da7e37ce59685964a3876ef1747964de1caabd13b3691b6a1d5ebed1d19c19ad"
],
"process_name": "c:\\program files\\vmware\\vmware tools\\vmtoolsd.exe",
"process_pid": [
2892
],
"process_username": [
"NT AUTHORITY\\SYSTEM"
]
},
{
"alert_category": [
"THREAT"
],
"alert_id": [
"JMLXDNLG/XPU6S91H"
],
"backend_timestamp": "2020-08-26T16:08:11.872Z",
"device_group_id": 0,
"device_id": 3644148,
"device_name": "desktop-aa2m6ld",
"device_policy_id": 6529,
"device_timestamp": "2020-08-26T16:06:50.813Z",
"enriched": true,
"enriched_event_type": [
"FILE_CREATE"
],
"event_type": [
"filemod"
],
"ingress_time": 1598458053780,
"legacy": true,
"org_id": "7DESJ9GN",
"parent_guid": "7DESJ9GN-00379af4-00001520-00000000-1d67a883dbd713b",
"parent_pid": 5408,
"process_guid": "7DESJ9GN-00379af4-000007e0-00000000-1d67a8847cebcbd",
"process_hash": [
"80abd555c1869baaff2d8a8d535ce07e",
"fa353f142361e5c6ca57a66dcb341bba20392f5c29d2c113c7d62a216b0e0504"
],
"process_name": "c:\\program files\\vmware\\vmware tools\\vmtoolsd.exe",
"process_pid": [
2016
],
"process_username": [
"DESKTOP-AA2M6LD\\John Doe"
]
},
{
"backend_timestamp": "2020-08-17T14:38:21.589Z",
"blocked_hash": [
"908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53"
],
"device_group_id": 0,
"device_id": 3600261,
"device_name": "desktop-aa2m6ld",
"device_policy_id": 35704,
"device_timestamp": "2020-08-17T14:37:19.963Z",
"enriched": true,
"enriched_event_type": [
"POLICY_ACTION"
],
"event_type": [
"childproc"
],
"ingress_time": 1597675083480,
"legacy": true,
"org_id": "7DESJ9GN",
"parent_guid": "7DESJ9GN-0036ef85-000007f0-00000000-1d674a3d9a6a335",
"parent_pid": 2032,
"process_guid": "7DESJ9GN-0036ef85-00001f74-00000000-1d674a3e4b3ba9a",
"process_hash": [
"80abd555c1869baaff2d8a8d535ce07e",
"fa353f142361e5c6ca57a66dcb341bba20392f5c29d2c113c7d62a216b0e0504"
],
"process_name": "c:\\program files\\vmware\\vmware tools\\vmtoolsd.exe",
"process_pid": [
8052
],
"process_username": [
"DESKTOP-AA2M6LD\\John Doe"
],
"sensor_action": [
"DENY",
"BLOCK"
]
}
],
"status": "Completed"
}
}
}

Human Readable Output#

Completed Search Results:#

process_hashprocess_namedevice_namedevice_timestampprocess_pidprocess_username
1169495860abe1bc6a498d2c196787c3,
fe6a1e46897b972a4f998d9792faccb3c292f9651fc9f744f1369e74667bf0f9
c:\program files\vmware\vmware tools\vmtoolsd.execbcloud-win102020-10-28T07:20:07.603Z2912
1169495860abe1bc6a498d2c196787c3,
fe6a1e46897b972a4f998d9792faccb3c292f9651fc9f744f1369e74667bf0f9
c:\program files\vmware\vmware tools\vmtoolsd.exehw-host-0272020-10-27T14:47:13.760Z3060NT AUTHORITY\SYSTEM
1169495860abe1bc6a498d2c196787c3,
fe6a1e46897b972a4f998d9792faccb3c292f9651fc9f744f1369e74667bf0f9
c:\program files\vmware\vmware tools\vmtoolsd.exehw-host-0042020-10-24T00:57:37.097Z3188
63d423ea882264dbb157a965c200306212fc5e1c6ddb8cbbb0f1d3b51ecd82e6,
c7084336325dc8eadfb1e8ff876921c4
c:\program files\vmware\vmware tools\vmtoolsd.exewin10etchangeme2020-10-17T14:12:28.438Z2956NT AUTHORITY\SYSTEM
63d423ea882264dbb157a965c200306212fc5e1c6ddb8cbbb0f1d3b51ecd82e6,
c7084336325dc8eadfb1e8ff876921c4
c:\program files\vmware\vmware tools\vmtoolsd.exeexapil\pil-cb7-22020-10-16T00:35:55.328Z1576NT AUTHORITY\SYSTEM
1169495860abe1bc6a498d2c196787c3,
fe6a1e46897b972a4f998d9792faccb3c292f9651fc9f744f1369e74667bf0f9
c:\program files\vmware\vmware tools\vmtoolsd.exehw-host-0042020-10-05T02:16:18.531Z2748NT AUTHORITY\SYSTEM
aca121d48147ff717bcd1da7871a5a76,
da7e37ce59685964a3876ef1747964de1caabd13b3691b6a1d5ebed1d19c19ad
c:\program files\vmware\vmware tools\vmtoolsd.exedesktop-fvb88fs2020-09-03T10:59:48.345Z2892NT AUTHORITY\SYSTEM
aca121d48147ff717bcd1da7871a5a76,
da7e37ce59685964a3876ef1747964de1caabd13b3691b6a1d5ebed1d19c19ad
c:\program files\vmware\vmware tools\vmtoolsd.exedesktop-fvb88fs2020-09-03T08:00:46.548Z2892NT AUTHORITY\SYSTEM
80abd555c1869baaff2d8a8d535ce07e,
fa353f142361e5c6ca57a66dcb341bba20392f5c29d2c113c7d62a216b0e0504
c:\program files\vmware\vmware tools\vmtoolsd.exedesktop-aa2m6ld2020-08-26T16:06:50.813Z2016DESKTOP-AA2M6LD\John Doe
80abd555c1869baaff2d8a8d535ce07e,
fa353f142361e5c6ca57a66dcb341bba20392f5c29d2c113c7d62a216b0e0504
c:\program files\vmware\vmware tools\vmtoolsd.exedesktop-aa2m6ld2020-08-17T14:37:19.963Z8052DESKTOP-AA2M6LD\John Doe

cb-eedr-add-threat-tags#


Update threat ID tags.

Base Command#

cb-eedr-add-threat-tags

Input#

Argument NameDescriptionRequired
threat_idThreat ID.Required
tagsComma-separated list of tags.Required

Context Output#

PathTypeDescription
CarbonBlackEEDR.Threat.ThreatIDunknownThreat ID.
CarbonBlackEEDR.Threat.TagsunknownThreat ID tags.

cb-eedr-add-threat-notes#


Update threat ID notes.

Base Command#

cb-eedr-add-threat-notes

Input#

Argument NameDescriptionRequired
threat_idThreat ID.Required
notesNotes to be added to the provided threat ID.Required

Context Output#

PathTypeDescription
CarbonBlackEEDR.Threat.ThreatIDunknownThreat ID.
CarbonBlackEEDR.Threat.NotesunknownThreat ID notes.

cb-eedr-add-alert-notes#


Update alert ID notes.

Base Command#

cb-eedr-add-alert-notes

Input#

Argument NameDescriptionRequired
alert_idAlert ID to add the notes to.Required
notesNotes to be added to the provided alert ID.Required

Context Output#

PathTypeDescription
CarbonBlackEEDR.Alert.AlertIDunknownThe alert ID.
CarbonBlackEEDR.Alert.NotesunknownAlert notes.

cb-eedr-get-threat-tags#


Output a list of tags for the provided threat ID.

Base Command#

cb-eedr-get-threat-tags

Input#

Argument NameDescriptionRequired
threat_idThe threat ID for which we wish to get the tags.Required

Context Output#

PathTypeDescription
CarbonBlackEEDR.Threat.ThreatIDunknownThreat ID.
CarbonBlackEEDR.Threat.TagsunknownThreat tags.

cb-eedr-list-alerts#


Returns a list of alerts.

Base Command#

cb-eedr-list-alerts

Input#

Argument NameDescriptionRequired
minimum_severityAlert minimum severity (In range of 1-10).Optional
device_os_versionDevice OS version. Supports comma-separated values.Optional
policy_idThe policy ID. Supports comma-separated values.Optional
alert_tagAlert tags. Supports comma-separated values.Optional
alert_idAlert ID. Supports comma-separated values.Optional
device_usernameDevice username. Supports comma-separated values.Optional
device_idDevice ID. Supports comma-separated values.Optional
device_osDevice OS. Supports comma-separated values.Optional
process_sha256Process SHA256. Supports comma-separated values.Optional
policy_namePolicy name. Supports comma-separated values.Optional
reputationAlert reputation. Supports comma-separated values.Optional
alert_typeAlert type. Supports comma-separated values.Optional
device_nameA comma-separated list of device names. Examples- "C:\Users\example_user\Example" or "/home/example_user/Example".Optional
process_nameA comma-separated list of process names. Examples- "C:\Users\example_user\Example" or "/home/example_user/Example".Optional
sort_fieldField by which to sort the results. Possible values are: first_event_timestamp, last_event_timestamp. Default is first_event_timestamp.Optional
sort_orderHow to order the results. Can be "ASC" (ascending) or "DESC" (descending). Possible values are: ASC, DESC. Default is DESC.Optional
limitThe maximum number of results to return. Default is 10.Optional
start_timeAlert start time.Optional
end_timeAlert end time.Optional

Context Output#

PathTypeDescription
CarbonBlackEEDR.Alert.threat_idStringThreat ID.
CarbonBlackEEDR.Alert.first_event_timeDateFirst event time.
CarbonBlackEEDR.Alert.target_valueStringAlert target value.
CarbonBlackEEDR.Alert.reasonStringAlert reason.
CarbonBlackEEDR.Alert.org_keyStringOrganization key.
CarbonBlackEEDR.Alert.device_idStringDevice ID.
CarbonBlackEEDR.Alert.report_idStringReport ID.
CarbonBlackEEDR.Alert.watchlists.idStringWatchlist ID.
CarbonBlackEEDR.Alert.watchlists.nameStringWatchlist name.
CarbonBlackEEDR.Alert.device_os_versionStringDevice OS version.
CarbonBlackEEDR.Alert.threat_cause_threat_categoryStringThreat cause threat category.
CarbonBlackEEDR.Alert.policy_idStringPolicy ID.
CarbonBlackEEDR.Alert.threat_indicators.process_nameStringThreat indicator - process name.
CarbonBlackEEDR.Alert.threat_indicators.sha256StringIndicator SHA256 hash.
CarbonBlackEEDR.Alert.threat_cause_actor_sha256StringThreat cause actor SHA256.
CarbonBlackEEDR.Alert.device_osStringDevice OS.
CarbonBlackEEDR.Alert.document_guidStringDocument GUID.
CarbonBlackEEDR.Alert.create_timeDateAlert create time.
CarbonBlackEEDR.Alert.threat_cause_actor_nameStringThreat cause actor name.
CarbonBlackEEDR.Alert.ioc_hitStringIOC hit.
CarbonBlackEEDR.Alert.threat_cause_reputationStringThreat cause reputation.
CarbonBlackEEDR.Alert.legacy_alert_idStringLegacy alert ID.
CarbonBlackEEDR.Alert.device_nameStringDevice name.
CarbonBlackEEDR.Alert.report_nameStringReport name.
CarbonBlackEEDR.Alert.policy_nameStringPolicy name.
CarbonBlackEEDR.Alert.ioc_fieldStringIOC field.
CarbonBlackEEDR.Alert.tagsStringAlert tags.
CarbonBlackEEDR.Alert.process_guidStringProcess GUID.
CarbonBlackEEDR.Alert.threat_cause_actor_md5StringThreat cause actor MD5 hash.
CarbonBlackEEDR.Alert.last_update_timeDateAlert last updated time.
CarbonBlackEEDR.Alert.typeStringAlert type.
CarbonBlackEEDR.Alert.idStringAlert ID.
CarbonBlackEEDR.Alert.process_nameStringProcess name.
CarbonBlackEEDR.Alert.last_event_timeDateAlert last event time.
CarbonBlackEEDR.Alert.ioc_idStringIOC ID.
CarbonBlackEEDR.Alert.notes_presentBooleanWhether notes are present.
CarbonBlackEEDR.Alert.run_stateStringAlert run state.
CarbonBlackEEDR.Alert.severityNumberAlert severity.
CarbonBlackEEDR.Alert.threat_cause_vectorStringThreat cause vector.
CarbonBlackEEDR.Alert.device_usernameStringDevice username.
CarbonBlackEEDR.Alert.workflow.changed_byStringAlert workflow - changed by.
CarbonBlackEEDR.Alert.workflow.commentStringAlert workflow - comment.
CarbonBlackEEDR.Alert.workflow.last_update_timeDateAlert workflow - last updated time.
CarbonBlackEEDR.Alert.workflow.remediationStringAlert workflow - remediation.
CarbonBlackEEDR.Alert.workflow.stateStringAlert workflow state.

cb-eedr-process-search#


Creates a process search job and returns results if 'polling' argument is True.

Base Command#

cb-eedr-process-search

Input#

Argument NameDescriptionRequired
process_nameThe process name to search.Optional
process_hashThe process hash to search.Optional
event_idThe event ID to search.Optional
limitThe maximum number of rows to return. Default is 20.Optional
queryA free-style query. For example, "process_name:svchost.exe".Optional
start_timeFirst appearance time range (<number> <time unit>, e.g., 1 hour, 30 minutes). Default is 1 day ago.Optional
end_timeLast appearance time range (<number> <time unit>, e.g., 1 hour, 30 minutes). Default is current time.Optional
startIndex of first records to fetch. Default is 0.Optional
job_idJob ID to retrieve.Optional
pollingwhether to run the command with polling. Possible values are: true, false. Default is True.Optional
interval_in_secondsThe time in seconds to wait between polling. Default is 60.Optional
time_outThe timeout duration in seconds for polling retries. Default is 600.Optional

Context Output#

PathTypeDescription
CarbonBlackEEDR.SearchProcess.job_idStringThe ID of the job found by the search.
CarbonBlackEEDR.SearchProcess.statusStringThe status of the job found by the search.
CarbonBlackEEDR.SearchProcess.results.device_idNumberThe device ID that is guaranteed to be unique within each PSC environment.
CarbonBlackEEDR.SearchProcess.results.process_usernameStringThe user names related to the process.
CarbonBlackEEDR.SearchProcess.results.backend_timestampDateA date/time field formatted as an ISO-8601 string based on the UTC timezone. For example, device_timestamp:2018-03-14T21:06:45.183Z.
CarbonBlackEEDR.SearchProcess.results.childproc_countNumberThe cumulative count of child-process creations since process tracking started.
CarbonBlackEEDR.SearchProcess.results.crossproc_countNumberThe cumulative count of cross-process events since process tracking started.
CarbonBlackEEDR.SearchProcess.results.device_group_idNumberThe ID of the sensor group where the device belongs.
CarbonBlackEEDR.SearchProcess.results.device_nameStringThe name of the device.
CarbonBlackEEDR.SearchProcess.results.device_policy_idNumberThe ID of the policy applied to the device.
CarbonBlackEEDR.SearchProcess.results.device_timestampDateThe time displayed on the sensor based on the sensor’s clock. The time is an ISO-8601 formatted time string based on the UTC timezone.
CarbonBlackEEDR.SearchProcess.results.enrichedBooleanTrue if the process document came from the CBD data stream.
CarbonBlackEEDR.SearchProcess.results.enriched_event_typeStringThe CBD enriched event type.
CarbonBlackEEDR.SearchProcess.results.event_typeStringThe CBD event type (valid only for events coming through analytics). Possible values are: CREATE_PROCESS, DATA_ACCESS, FILE_CREATE, INJECT_CODE, NETWORK, POLICY_ACTION, REGISTRY_ACCESS, and SYSTEM_API_CALL.
CarbonBlackEEDR.SearchProcess.results.filemod_countNumberThe cumulative count of file modifications since process tracking started.
CarbonBlackEEDR.SearchProcess.results.ingress_timeDateUnknown
CarbonBlackEEDR.SearchProcess.results.legacyBooleanTrue if the process document came from the legacy data stream (deprecated, use enriched).
CarbonBlackEEDR.SearchProcess.results.modload_countNumberThe cumulative count of module loads since process tracking started.
CarbonBlackEEDR.SearchProcess.results.netconn_countNumberThe cumulative count of network connections since process tracking started.
CarbonBlackEEDR.SearchProcess.results.org_idStringThe globally unique organization key. This will most likely be the PSC organization ID + PSC environment ID or some other unique token used across environments.
CarbonBlackEEDR.SearchProcess.results.parent_guidStringThe process GUID of the parent process.
CarbonBlackEEDR.SearchProcess.results.parent_pidNumberThe PID of the parent process.
CarbonBlackEEDR.SearchProcess.results.process_guidStringUnique ID of the solr document. Appears as process_guid + server-side timestamp in epoch ms (1/1/1970 based).
CarbonBlackEEDR.SearchProcess.results.process_hashStringThe MD5 and SHA-256 hashes of the process’s main module in a multi-valued field.
CarbonBlackEEDR.SearchProcess.results.process_nameStringThe tokenized file path of the process’s main module.
CarbonBlackEEDR.SearchProcess.results.process_pidNumberThe PID of a process. Can be multi-valued in case of exec/fork on Linux/OSX.
CarbonBlackEEDR.SearchProcess.results.process_usernameStringUser names related to the process.
CarbonBlackEEDR.SearchProcess.results.regmod_countNumberThe cumulative count of registry modifications since process tracking started.
CarbonBlackEEDR.SearchProcess.results.scriptload_countNumberThe cumulative count of loaded scripts since process tracking started.

Troubleshooting#

Note: If the API returns duplicates, the duplicates will be dropped, causing the total number of alerts fetched to potentially be fewer than the set limit. Moreover, if all of the alerts returned are duplicates, they will all be dropped, causing no alerts to be returned. In such cases, increase the limit.