
Get Alert

Retrieve a single alert by its alert ID. The response includes host and user identifiers (for example `device_username`, `device_external_ip` and `process_cmdline`), so treat it as sensitive data when forwarding it to downstream steps such as email.

Minimum required permission: `org.alerts` (Read). A read-only API key with this permission is sufficient; no write access to alerts is needed for this action.

External Documentation

To learn more, visit the VMware Carbon Black documentation.

Parameters

Parameter | Description
Alert ID | The ID of the alert to retrieve. It can be obtained from the Search Alerts action.

Example Output

{
"org_key": "ABCD1234",
"alert_url": "https://defense.conferdeploy.net/alerts?s[c][query_string]=id:52fa009d-e2d1-4118-8a8d-04f521ae66aa&orgKey=ABCD1234",
"id": "12ab345cd6-e2d1-4118-8a8d-04f521ae66aa",
"type": "WATCHLIST",
"backend_timestamp": "2023-04-14T21:30:40.570Z",
"user_update_timestamp": null,
"backend_update_timestamp": "2023-04-14T21:30:40.570Z",
"detection_timestamp": "2023-04-14T21:27:14.719Z",
"first_event_timestamp": "2023-04-14T21:21:42.193Z",
"last_event_timestamp": "2023-04-14T21:21:42.193Z",
"severity": 8,
"reason": "Process infdefaultinstall.exe was detected by the report \"Defense Evasion - Signed Binary Proxy Execution - InfDefaultInstall\" in 6 watchlists",
"reason_code": "05696200-88e6-3691-a1e3-8d9a64dbc24e:7828aec8-8502-3a43-ae68-41b5050dab5b",
"threat_id": "0569620088E6669121E38D9A64DBC24E",
"primary_event_id": "-7RlZFHcSGWKSrF55B_4Ig-0",
"policy_applied": "NOT_APPLIED",
"run_state": "RAN",
"sensor_action": "ALLOW",
"workflow": {
"change_timestamp": "2023-04-14T21:30:40.570Z",
"changed_by_type": "SYSTEM",
"changed_by": "ALERT_CREATION",
"closure_reason": "NO_REASON",
"status": "OPEN"
},
"determination": null,
"tags": [
"tag1",
"tag2"
],
"alert_notes_present": false,
"threat_notes_present": false,
"is_updated": false,
"device_id": 18118174,
"device_name": "pscr-test-01-1677785028.620244-9",
"device_uem_id": "",
"device_target_value": "LOW",
"device_policy": "123abcde-c21b-4d64-9e3e-53595ef9c7af",
"device_policy_id": 1234567,
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64 SP: 1",
"device_username": "demouser@demoorg.com",
"device_location": "UNKNOWN",
"device_external_ip": "1.2.3.4",
"mdr_alert": false,
"report_id": "oJFtoawGS92fVMXlELC1Ow-b4ee93fc-ec58-436a-a940-b4d33a613513",
"report_name": "Defense Evasion - Signed Binary Proxy Execution - InfDefaultInstall",
"report_description": "\n\nThreat:\nThis behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems.\n\nFalse Positives:\nSome environments may legitimate use this, but should be rare.\n\nScore:\n85",
"report_tags": [
"attack",
"attackframework",
"threathunting"
],
"report_link": "https://attack.mitre.org/wiki/Technique/T1218",
"ioc_id": "b4ee93fc-ec58-436a-a940-b4d33a613513-0",
"ioc_hit": "((process_name:InfDefaultInstall.exe)) -enriched:true",
"watchlists": [
{
"id": "9x0timurQkqP7FBKX4XrUw",
"name": "Carbon Black Advanced Threats"
}
],
"process_guid": "ABCD1234-0114761e-00002ae4-00000000-19db1ded53e8000",
"process_pid": 10980,
"process_name": "infdefaultinstall.exe",
"process_sha256": "1a2345cd88666a458f804e5d0fe925a9f55cf016733458c58c1980addc44cd774",
"process_md5": "12c34567894a49f13193513b0138f72a9",
"process_effective_reputation": "LOCAL_WHITE",
"process_reputation": "NOT_LISTED",
"process_cmdline": "InfDefaultInstall.exe C:\\Users\\username\\userdir\\Infdefaultinstall.inf",
"process_username": "DEMO\\DEMOUSER",
"process_issuer": "Demo Code Signing CA - G2",
"process_publisher": "Demo Test Authority",
"childproc_guid": "",
"childproc_username": "",
"childproc_cmdline": "",
"ml_classification_final_verdict": "NOT_ANOMALOUS",
"ml_classification_global_prevalence": "LOW",
"ml_classification_org_prevalence": "LOW"
}

Workflow Library Example

Get Alert with Vmware Carbon Black and Send Results Via Email
