Search Alerts
Search and query all alerts.
Minimal required permissions: org.alerts Read
External Documentation
To learn more, visit the VMware Carbon Black documentation.
Basic Parameters
| Parameter | Description |
|---|---|
| Query | A query string to query the alerts by. |
| Sort | The sort objects by which the results are sorted. For more information see Carbon Black documentation. For Example: <br/>[<br/> {<br/> "field": "primary_field",<br/> "order": "DESC"<br/> },<br/> {<br/> "field": "tiebreak_field",<br/> "order": "DESC"<br/> }<br/>]<br/> |
| Time range | The range of query time from now. Cannot be used with the Start Time & End Time parameters. For more information see Carbon Black documentation. |
Advanced Parameters
| Parameter | Description |
|---|---|
| Criteria | Criteria by which to return the results. For more information see Carbon Black documentation. |
| End Time | The End time of the query window. Must be used with the Start Time parameter. |
| Exclusions | Exclusions by which to return the results. For more information see Carbon Black documentation. |
| Limit | The limit of the amount of returning results. |
| Offset | The offset of the returning results. |
| Start Time | The start time of the query window. Must be used with the End Time parameter. |
Example Output
{
"results": [
{
"org_key": "ABCD1234",
"alert_url": "https://defense.conferdeploy.net/alerts?s[c][query_string]=id:708d7dbf-2020-42d4-9cbc-0cddd0ffa31a&orgKey=ABCD1234",
"id": "708d7dbf-2020-42d4-9cbc-0cddd0ffa31a",
"type": "WATCHLIST",
"backend_timestamp": "2023-04-03T08:48:47.211Z",
"user_update_timestamp": "2023-04-13T11:55:20.860Z",
"backend_update_timestamp": "2023-04-03T08:48:47.211Z",
"detection_timestamp": "2023-04-03T08:46:52.302Z",
"first_event_timestamp": "2023-04-03T08:44:43.552Z",
"last_event_timestamp": "2023-04-03T08:44:43.552Z",
"severity": 6,
"reason": "Process taskhostw.exe was detected by the report \"Abnormally Large DNS Exchanges (exfil or zone transfer)\" in watchlist \"zzz_XDR Sample IOCs\"",
"reason_code": "19261158-dbbf-3077-9959-f8aa7f7551a1:0cc402b0-ea96-35c6-8418-a2f07acf616d",
"threat_id": "19261158DBBF00775959F8AA7F7551A1",
"primary_event_id": "t6a_TNVuQb6seMjk_VyDsg-0",
"policy_applied": "NOT_APPLIED",
"run_state": "RAN",
"sensor_action": "ALLOW",
"workflow": {
"change_timestamp": "2023-04-13T11:55:20.860Z",
"changed_by_type": "USER",
"changed_by": "demouser@demoorg.com",
"closure_reason": "NO_REASON",
"status": "IN_PROGRESS"
},
"determination": {
"change_timestamp": "1970-01-01T00:00:00.000Z",
"value": "ALERT_CLASSIFICATION_UNKNOWN",
"changed_by_type": "OPERATOR_UNKNOWN",
"changed_by": null
},
"tags": null,
"alert_notes_present": false,
"threat_notes_present": false,
"is_updated": false,
"device_id": 18078555,
"device_name": "DEMO\\DEMOMACHINE",
"device_uem_id": "",
"device_target_value": "MEDIUM",
"device_policy": "Demo-policy",
"device_policy_id": 12345678,
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64",
"device_username": "DEMOMACHINE\\Administrator",
"device_location": "UNKNOWN",
"device_external_ip": "1.2.3.4",
"device_internal_ip": "1.2.3.4",
"mdr_alert": false,
"report_id": "Fm0YsPDyQ1Kp1Pdd6Lnd8w-abd-defg-123",
"report_name": "Abnormally Large DNS Exchanges (exfil or zone transfer)",
"report_description": "IOC leveraging XDR fields to identify abnormally large DNS exchanges. The typical client DNS query to your DNS server is between 50-550 bytes. Large exchanges could be indicative of attack exfiltration or zone transfer attempts.",
"report_tags": [],
"ioc_id": "abd-defg-123",
"ioc_hit": "netconn_application_protocol:DNS AND netconn_bytes_sent:[551 TO *]",
"watchlists": [
{
"id": "lgaClyOmQ86ZwZttq3ZDxg",
"name": "Demo IOCs"
}
],
"process_guid": "ABCD1234-0113db5b-000011bc-00000000-1d966088928e609",
"process_pid": 4540,
"process_name": "c:\\windows\\system32\\taskhostw.exe",
"process_sha256": "1234cd567ab3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad",
"process_md5": "123a4566ab18f93b93d551cd10c1598e",
"process_effective_reputation": "COMPANY_WHITE_LIST",
"process_reputation": "TRUSTED_WHITE_LIST",
"process_cmdline": "taskhostw.exe SYSTEM",
"process_username": "DEMOSERVER\\DEMO",
"process_issuer_": "Demo CA",
"process_publisher": "Demo Publisher",
"parent_guid": "ABCD1234-0113db5b-000006bc-00000000-1d94225f1bb0897",
"parent_pid": 1724,
"parent_name": "c:\\windows\\system32\\svchost.exe",
"parent_sha256": "123ab451a82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7",
"parent_md5": "a123456789f632dc8d9404d83bc16316",
"parent_effective_reputation": "TRUSTED_WHITE_LIST",
"parent_reputation": "TRUSTED_WHITE_LIST",
"parent_cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule",
"parent_username": "NT AUTHORITY\\SYSTEM",
"childproc_guid": "",
"childproc_username": "",
"childproc_cmdline": "",
"ml_classification_anomalies": [
{
"anomalous_field": "actor_process_modload_count",
"anomaly_name": "Process modloads",
"anomalous_field_baseline_values": [
"0",
"1"
],
"anomalous_value": "65"
},
{
"anomalous_field": "actor_process_filemod_count",
"anomaly_name": "Process filemods",
"anomalous_field_baseline_values": [
"0"
],
"anomalous_value": "8"
}
]
}
],
"num_found": 147,
"num_available": 147
}
Workflow Library Example
Search Alerts with Vmware Carbon Black and Send Results Via Email
Preview this Workflow on desktop