The following table lists the fields that can be returned in the response or used for searching with the Carbon Black Cloud using any of

View the definition of each field, default values, whether it is required, searchable and/or tokenized. You can also see accepted values and routes supported per each field.

Possible routes

Clicking these icons will take you to the relevant API.

ENRICHED_EVENT - Returns endpoint data that has been analyzed against typical attacker behavior and flagged as potentially malicious.
ENRICHED_EVENT DETAILS - Returns the full set of data for Enriched Events.
PROCESS - Returns data about instances where a program was executed on an endpoint.
PROCESS DETAILS - Returns the full set of data for Processes.
EVENT - Returns data about an observable occurrence on an endpoint.
OBSERVATION - Returns data about Observations, which are the noteworthy, searchable findings across your whole fleet.

Additional routes:
- Returns the full set of data for Observations.
- Returns data about authentication events that occur on Windows endpoints.
- Returns the full set of data for Auth Events.
- These fields can be used for sorting and filtering search queries or returning the most prevalent values.
- Returns fields from a process summary search.

Note: For fields where the Routes Supported column contains no entries, this means the field is not returned by any API route - it is only usable in the search request.

TOKENIZED - Can be searched by a partial phrase.
Searchable - Indicates that the field can be used in the criteria, exclusion or query elements of search requests, e.g.
Value-Searchable - Indicates that the field's value is searchable through a value-based query, e.g. rather than having to explicitly search process_name:chrome.exe OR childproc_name:chrome.exe OR filemod_name:chrome.exe, a search for chrome.exe will find that string in any of those three fields for you, as well as in other value-search-enabled fields.
*** - Indicates that the field needs to be requested in the fields property of a search job.
Processes Only - Indicates that the field is only searchable for Processes.
Aggregation Only - Indicates that the field is only returned by the Aggregation endpoint for Enriched Events.

Searching across both Endpoint Standard and Enterprise EDR data? See below for limitations.

Schema Note: Additional details and examples can be found in the Carbon Black Cloud console search guide.

Field Name / Routes Supported (ENRICHED_EVENT, ENRICHED_EVENT DETAILS, PROCESS, PROCESS DETAILS, EVENT, OBSERVATION) / Description

- A Carbon Black Cloud classification for events tagged to an alert, indicating whether the event is a "threat" or "observed".
- ID of the alert(s) associated with the process or event. Note: 'id' or 'legacy_alert_id' will work for searching events or processes associated with a CB_ANALYTIC alert.
- A tactic from the MITRE ATT&CK framework defines a reason for an adversary's action, such as achieving credential access.
- A technique from the MITRE ATT&CK framework defines an action an adversary takes to accomplish a goal, such as dumping credentials to achieve credential access.
- Allows searching for a specific combination of MITRE ATT&CK tactic and technique; use the format tactic:technique.subtechnique.
- True if the logon attempt occurred using cleartext credentials; false if the logon attempt occurred using encrypted credentials.
- Identifies if the logon attempt is attributed to a service (Windows) or daemon (macOS/Linux).
- Domain name of the user the authentication event is attributed to.
- True if the logon attempt occurred using an elevated token; false if the logon attempt occurred without the use of an elevated token.
- Action that results from an authentication attempt. Values: INVALID, LOGON_SUCCESS, LOGON_FAILED, LOGOFF_SUCCESS, PRIVILEGES_GRANTED, ACCOUNT_LOCKED, LOGON_DISCOVERED.
- Number of failed logon attempts since the last successful logon.
- The logon process that validated the credentials in Event ID 4611. Common processes include Winlogon, Schannel, KSecDD, Secondary Logon Service (runas), IKE, HTTP.SYS, SspTest, dsRole, DS Replication, CredProvConsent (user account control).