Integrations
- Integrations
- 1Password
- Abnormal
- Absolute
- AbuseIPDB
- Acronis
- Adaptive Shield
- Adobe Cloud
- ADP
- Agari Phishing Response
- Airlock
- Airlock Digital
- Akamai Identity Cloud Social
- Alert Logic
- AlgoSec Firewall Analyzer
- Alienvault OTX
- Alienvault USM
- Anthropic
- Anodot
- Any Run
- Ansible
- Anvilogic
- Apex One
- ArcSight ESM
- Area 1
- Asana
- Asset Panda
- Atlassian Crowd
- Atlassian User Management
- Atlassian User Provisioning
- AuditBoard
- auth0
- Authentik
- Authomize
- Automox
- AWS
- AWS IAM Identity Center
- Axonius
- Azure
- Azure Data Explorer
- Azure DevOps
- Azure Log Analytics
- Azure Storage
- BambooHR
- Big Fix
- BigPanda
- Bitbucket
- Bitdefender
- Bitsight
- Bitwarden
- Black Duck
- Black Kite
- Blink
- BMC Remedy
- Box
- Brinqa
- Cato Networks
- Censys
- Chorus
- Cisco Advanced Phishing Protection
- Cisco Domain Protection
- Cisco Meraki
- Cisco Talos
- Cisco Umbrella
- Cisco Webex
- Claroty xDome
- ClearPass
- ClickHouse
- ClickUp
- Cloud Custodian
- Cloudflare
- Cloudflare R2
- Cobalt.io
- Check Point Harmony
- Check Point Infinity Events
- Check Point Management
- Check Point XDR/XPR
- Checkmarx SAST
- Checkmarx One
- Chronicle
- Compass
- Confluence
- Confluence Data Center
- Coralogix
- Coralogix Incident Management
- Cortex XDR
- Cortex Xpanse
- CredStash
- Cribl
- CrowdStrike
- CyberArk
- Cybersixgill
- CyCognito
- Cyera
- Cylance
- Cyware CTIX
- Darktrace
- Dasera
- Databricks
- Datadog
- DataSet
- Discord
- Docusign
- Delighted
- Delinea
- Devo
- Domo
- Drata
- Dropbox
- Dropbox Business
- druva
- Duo
- Duo Auth
- Dynatrace
- EasyVista
- EchoTrail
- Egnyte
- Egnyte Secure Govern
- Elasticsearch
- Entro
- Ermetic
- Exabeam
- Exchange Online
- Expel
- F5
- Falcon LogScale
- Falcon Surface
- Flare.io
- Forcepoint DLP
- Forescout
- FortiGate
- Freshservice
- GCP
- Gemini
- Ghostwriter
- Git
- GitHub
- GitLab
- Glean
- Gmail
- Google Calendar
- Google Chat
- Google Docs
- Google Drive
- Google Forms
- Google Meet
- Google Looker
- Google Sheets
- Google Workspace
- Grafana
- Greenhouse
- GreyNoise
- Grip Security
- GYTPOL
- Have I Been Pwned
- HackerOne
- Halo Service Desk
- HiBob
- HubSpot
- Hunters
- Hybrid Analysis
- Hyperproof
- IBM CLoud
- IBM NS1 Connect
- IBM X Force
- Imperva
- Incident.io
- Infobip
- Infoblox Cloud Services Portal
- Intercom
- Intezer
- IP API
- IPinfo
- IPWHOIS
- Ivanti RiskSense
- Ironscales
- Jamf
- JetBrains
- JFrog
- Jira
- Jira Data Center
- Joe Sandbox
- JumpCloud
- Kandji
- Keeper Secrets Manager
- Kenna Security
- KnowBe4
- KnowBe4 Events
- Kubernetes
- Lacework
- LaunchDarkly
- Linear
- Litmos
- LogicMonitor
- LogRhythm
- Manage Engine ServiceDesk Plus
- Mattermost
- Maven
- Microsoft Defender For Cloud
- Microsoft Defender For Cloud Apps
- Microsoft Defender For Endpoints
- Microsoft Defender XDR
- Microsoft E-Discovery
- Microsoft Entra ID
- Microsoft Graph
- Microsoft Intune
- Microsoft Office 365 Management Activity
- Microsoft Outlook
- Microsoft Purview
- Microsoft Sentinel
- Microsoft SQL Server
- Microsoft Teams
- Mimecast
- MISP
- Monday
- MongoDB Atlas
- MxToolbox
- Neo4j
- NetBox
- Netography
- Netskope
- New Relic
- Nightfall AI
- NinjaOne
- Notion
- Nozomi Networks
- Nuclei
- Nucleus
- Nutanix Hypervisor
- Obsidian
- Okta
- OneDrive
- OneLogin
- OneTrust
- Oort
- OpenAI
- OpenCTI
- Opsgenie
- OPSWAT
- Oracle Cloud
- Oracle HCM
- Orca Security
- OWASP ZAP
- PagerDuty
- Palo Alto NGFW
- Palo Alto Firewall
- Panther
- Pentera
- Perception Point
- PhishLabs
- PhishLabs Incident Data
- PhishLabs Open Web Monitoring
- Pingdom
- PingID
- PingOne
- PlexTrac
- PortSwigger
- Power BI
- PowerShell
- Postman
- Postman SCIM
- Prisma Access
- Prisma Cloud
- Prisma Cloud CWP
- Prometheus
- Proofpoint
- Proofpoint ITM
- Proofpoint Protection Server
- Proofpoint Security Awareness Training
- Proofpoint TAP
- Proofpoint TRAP
- Pub-Sub
- QRadar
- Qualys
- Rapid7
- Rapid7 InsightIDR
- Rapid7 InsightVM Cloud
- Rapid7 Threat Command
- Reco
- Recorded Future
- Recorded Future Triage Cloud
- Red Hat IDM
- Rippling
- runZero
- SafeBase
- Sage HR
- SailPoint
- SailPoint IdentityIQ
- Salesforce
- SAP Ariba
- ScienceLogic
- Securin
- Securin VI
- SecurityScorecard
- Securonix
- Sekoia.io
- SemGrep
- SentinelOne
- ServiceNow
- SharePoint
- Shodan
- Shopify
- Silverfort
- Slack
- Smartsheet
- Snipe IT
- Snowflake
- Snyk
- SolarWinds Service Desk
- SonarQube
- Sophos
- Split
- Splunk
- Splunk Observability
- Splunk SOAR
- Spur
- StrongDM
- Sumo Logic
- Symantec EDR
- Sysdig
- Tableau
- Tanium
- TeamCity
- TeamViewer
- Telegram
- Tenable
- Tenable Security Center
- Terraform
- Terraform Cloud
- Tessian
- TheHive
- Thinkst Canary
- ThreatQuotient
- Trellix Email Security
- Trello
- Trend Vision One
- Twilio
- UKG HR
- Uptycs
- URLScan
- Vault
- Veracode
- Verkada
- Vertica
- VMware vSphere
- VMware Carbon Black
- VirusTotal
- WeChat
- WhatsApp
- WhoIs
- WildFire
- Wiz
- Workday
- Workspace ONE UEM
- YesWeHack
- Zendesk
- Zero Networks
- Zoom
- Zscaler Internet Access
- Zscaler Private Access
Actions
Search Alerts
Search and query all alerts.
Minimal required permissions: org.alerts Read
External Documentation
To learn more, visit the VMware Carbon Black documentation.
Basic Parameters
Parameter | Description |
---|---|
Query | A query string to query the alerts by. |
Sort | The sort objects by which the results are sorted. For more information see Carbon Black documentation.For Example:[ { "field": "primary_field", "order": "DESC" }, { "field": "tiebreak_field", "order": "DESC" }] |
Time range | The range of query time from now. Cannot be used with the Start Time & End Time parameters. For more information see Carbon Black documentation. |
Advanced Parameters
Parameter | Description |
---|---|
Criteria | Criteria by which to return the results. For more information see Carbon Black documentation. |
End Time | The End time of the query window. Must be used with the Start Time parameter. |
Exclusions | Exclusions by which to return the results. For more information see Carbon Black documentation. |
Limit | The limit of the amount of returning results. |
Offset | The offset of the returning results. |
Start Time | The start time of the query window. Must be used with the End Time parameter. |
Example Output
Copy
{
"results": [
{
"org_key": "ABCD1234",
"alert_url": "https://defense.conferdeploy.net/alerts?s[c][query_string]=id:708d7dbf-2020-42d4-9cbc-0cddd0ffa31a&orgKey=ABCD1234",
"id": "708d7dbf-2020-42d4-9cbc-0cddd0ffa31a",
"type": "WATCHLIST",
"backend_timestamp": "2023-04-03T08:48:47.211Z",
"user_update_timestamp": "2023-04-13T11:55:20.860Z",
"backend_update_timestamp": "2023-04-03T08:48:47.211Z",
"detection_timestamp": "2023-04-03T08:46:52.302Z",
"first_event_timestamp": "2023-04-03T08:44:43.552Z",
"last_event_timestamp": "2023-04-03T08:44:43.552Z",
"severity": 6,
"reason": "Process taskhostw.exe was detected by the report \"Abnormally Large DNS Exchanges (exfil or zone transfer)\" in watchlist \"zzz_XDR Sample IOCs\"",
"reason_code": "19261158-dbbf-3077-9959-f8aa7f7551a1:0cc402b0-ea96-35c6-8418-a2f07acf616d",
"threat_id": "19261158DBBF00775959F8AA7F7551A1",
"primary_event_id": "t6a_TNVuQb6seMjk_VyDsg-0",
"policy_applied": "NOT_APPLIED",
"run_state": "RAN",
"sensor_action": "ALLOW",
"workflow": {
"change_timestamp": "2023-04-13T11:55:20.860Z",
"changed_by_type": "USER",
"changed_by": "demouser@demoorg.com",
"closure_reason": "NO_REASON",
"status": "IN_PROGRESS"
},
"determination": {
"change_timestamp": "1970-01-01T00:00:00.000Z",
"value": "ALERT_CLASSIFICATION_UNKNOWN",
"changed_by_type": "OPERATOR_UNKNOWN",
"changed_by": null
},
"tags": null,
"alert_notes_present": false,
"threat_notes_present": false,
"is_updated": false,
"device_id": 18078555,
"device_name": "DEMO\\DEMOMACHINE",
"device_uem_id": "",
"device_target_value": "MEDIUM",
"device_policy": "Demo-policy",
"device_policy_id": 12345678,
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64",
"device_username": "DEMOMACHINE\\Administrator",
"device_location": "UNKNOWN",
"device_external_ip": "1.2.3.4",
"device_internal_ip": "1.2.3.4",
"mdr_alert": false,
"report_id": "Fm0YsPDyQ1Kp1Pdd6Lnd8w-abd-defg-123",
"report_name": "Abnormally Large DNS Exchanges (exfil or zone transfer)",
"report_description": "IOC leveraging XDR fields to identify abnormally large DNS exchanges. The typical client DNS query to your DNS server is between 50-550 bytes. Large exchanges could be indicative of attack exfiltration or zone transfer attempts.",
"report_tags": [],
"ioc_id": "abd-defg-123",
"ioc_hit": "netconn_application_protocol:DNS AND netconn_bytes_sent:[551 TO *]",
"watchlists": [
{
"id": "lgaClyOmQ86ZwZttq3ZDxg",
"name": "Demo IOCs"
}
],
"process_guid": "ABCD1234-0113db5b-000011bc-00000000-1d966088928e609",
"process_pid": 4540,
"process_name": "c:\\windows\\system32\\taskhostw.exe",
"process_sha256": "1234cd567ab3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad",
"process_md5": "123a4566ab18f93b93d551cd10c1598e",
"process_effective_reputation": "COMPANY_WHITE_LIST",
"process_reputation": "TRUSTED_WHITE_LIST",
"process_cmdline": "taskhostw.exe SYSTEM",
"process_username": "DEMOSERVER\\DEMO",
"process_issuer_": "Demo CA",
"process_publisher": "Demo Publisher",
"parent_guid": "ABCD1234-0113db5b-000006bc-00000000-1d94225f1bb0897",
"parent_pid": 1724,
"parent_name": "c:\\windows\\system32\\svchost.exe",
"parent_sha256": "123ab451a82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7",
"parent_md5": "a123456789f632dc8d9404d83bc16316",
"parent_effective_reputation": "TRUSTED_WHITE_LIST",
"parent_reputation": "TRUSTED_WHITE_LIST",
"parent_cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule",
"parent_username": "NT AUTHORITY\\SYSTEM",
"childproc_guid": "",
"childproc_username": "",
"childproc_cmdline": "",
"ml_classification_anomalies": [
{
"anomalous_field": "actor_process_modload_count",
"anomaly_name": "Process modloads",
"anomalous_field_baseline_values": [
"0",
"1"
],
"anomalous_value": "65"
},
{
"anomalous_field": "actor_process_filemod_count",
"anomaly_name": "Process filemods",
"anomalous_field_baseline_values": [
"0"
],
"anomalous_value": "8"
}
]
}
],
"num_found": 147,
"num_available": 147
}
Workflow Library Example
Search Alerts with Vmware Carbon Black and Send Results Via Email
Preview this Workflow on desktop
Was this page helpful?