Skip to main content

Search Alerts

Search and query all alerts.

Minimal required permissions: org.alerts Read

External Documentation

To learn more, visit the VMware Carbon Black documentation.

Basic Parameters

ParameterDescription
QueryA query string to query the alerts by.
SortThe sort objects by which the results are sorted. For more information see Carbon Black documentation.For Example:
[    {      "field": "primary_field",      "order": "DESC"    },    {      "field": "tiebreak_field",      "order": "DESC"    }]
Time rangeThe range of query time from now. Cannot be used with the Start Time & End Time parameters. For more information see Carbon Black documentation.

Advanced Parameters

ParameterDescription
CriteriaCriteria by which to return the results. For more information see Carbon Black documentation.
End TimeThe End time of the query window. Must be used with the Start Time parameter.
ExclusionsExclusions by which to return the results. For more information see Carbon Black documentation.
LimitThe limit of the amount of returning results.
OffsetThe offset of the returning results.
Start TimeThe start time of the query window. Must be used with the End Time parameter.

Example Output

{
"results": [
{
"org_key": "ABCD1234",
"alert_url": "https://defense.conferdeploy.net/alerts?s[c][query_string]=id:708d7dbf-2020-42d4-9cbc-0cddd0ffa31a&orgKey=ABCD1234",
"id": "708d7dbf-2020-42d4-9cbc-0cddd0ffa31a",
"type": "WATCHLIST",
"backend_timestamp": "2023-04-03T08:48:47.211Z",
"user_update_timestamp": "2023-04-13T11:55:20.860Z",
"backend_update_timestamp": "2023-04-03T08:48:47.211Z",
"detection_timestamp": "2023-04-03T08:46:52.302Z",
"first_event_timestamp": "2023-04-03T08:44:43.552Z",
"last_event_timestamp": "2023-04-03T08:44:43.552Z",
"severity": 6,
"reason": "Process taskhostw.exe was detected by the report \"Abnormally Large DNS Exchanges (exfil or zone transfer)\" in watchlist \"zzz_XDR Sample IOCs\"",
"reason_code": "19261158-dbbf-3077-9959-f8aa7f7551a1:0cc402b0-ea96-35c6-8418-a2f07acf616d",
"threat_id": "19261158DBBF00775959F8AA7F7551A1",
"primary_event_id": "t6a_TNVuQb6seMjk_VyDsg-0",
"policy_applied": "NOT_APPLIED",
"run_state": "RAN",
"sensor_action": "ALLOW",
"workflow": {
"change_timestamp": "2023-04-13T11:55:20.860Z",
"changed_by_type": "USER",
"changed_by": "demouser@demoorg.com",
"closure_reason": "NO_REASON",
"status": "IN_PROGRESS"
},
"determination": {
"change_timestamp": "1970-01-01T00:00:00.000Z",
"value": "ALERT_CLASSIFICATION_UNKNOWN",
"changed_by_type": "OPERATOR_UNKNOWN",
"changed_by": null
},
"tags": null,
"alert_notes_present": false,
"threat_notes_present": false,
"is_updated": false,
"device_id": 18078555,
"device_name": "DEMO\\DEMOMACHINE",
"device_uem_id": "",
"device_target_value": "MEDIUM",
"device_policy": "Demo-policy",
"device_policy_id": 12345678,
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64",
"device_username": "DEMOMACHINE\\Administrator",
"device_location": "UNKNOWN",
"device_external_ip": "1.2.3.4",
"device_internal_ip": "1.2.3.4",
"mdr_alert": false,
"report_id": "Fm0YsPDyQ1Kp1Pdd6Lnd8w-abd-defg-123",
"report_name": "Abnormally Large DNS Exchanges (exfil or zone transfer)",
"report_description": "IOC leveraging XDR fields to identify abnormally large DNS exchanges. The typical client DNS query to your DNS server is between 50-550 bytes. Large exchanges could be indicative of attack exfiltration or zone transfer attempts.",
"report_tags": [],
"ioc_id": "abd-defg-123",
"ioc_hit": "netconn_application_protocol:DNS AND netconn_bytes_sent:[551 TO *]",
"watchlists": [
{
"id": "lgaClyOmQ86ZwZttq3ZDxg",
"name": "Demo IOCs"
}
],
"process_guid": "ABCD1234-0113db5b-000011bc-00000000-1d966088928e609",
"process_pid": 4540,
"process_name": "c:\\windows\\system32\\taskhostw.exe",
"process_sha256": "1234cd567ab3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad",
"process_md5": "123a4566ab18f93b93d551cd10c1598e",
"process_effective_reputation": "COMPANY_WHITE_LIST",
"process_reputation": "TRUSTED_WHITE_LIST",
"process_cmdline": "taskhostw.exe SYSTEM",
"process_username": "DEMOSERVER\\DEMO",
"process_issuer_": "Demo CA",
"process_publisher": "Demo Publisher",
"parent_guid": "ABCD1234-0113db5b-000006bc-00000000-1d94225f1bb0897",
"parent_pid": 1724,
"parent_name": "c:\\windows\\system32\\svchost.exe",
"parent_sha256": "123ab451a82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7",
"parent_md5": "a123456789f632dc8d9404d83bc16316",
"parent_effective_reputation": "TRUSTED_WHITE_LIST",
"parent_reputation": "TRUSTED_WHITE_LIST",
"parent_cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule",
"parent_username": "NT AUTHORITY\\SYSTEM",
"childproc_guid": "",
"childproc_username": "",
"childproc_cmdline": "",
"ml_classification_anomalies": [
{
"anomalous_field": "actor_process_modload_count",
"anomaly_name": "Process modloads",
"anomalous_field_baseline_values": [
"0",
"1"
],
"anomalous_value": "65"
},
{
"anomalous_field": "actor_process_filemod_count",
"anomaly_name": "Process filemods",
"anomalous_field_baseline_values": [
"0"
],
"anomalous_value": "8"
}
]
}
],
"num_found": 147,
"num_available": 147
}

Workflow Library Example

Search Alerts with Vmware Carbon Black and Send Results Via Email

Workflow LibraryPreview this Workflow on desktop