Integrations
- Integrations
- 1Password
- Abnormal
- Absolute
- AbuseIPDB
- Acronis
- Active Directory On-Prem
- Adaptive Shield
- Adobe Cloud
- ADP
- Agari Phishing Response
- Airlock
- Airlock Digital
- Akamai Identity Cloud Social
- Alert Logic
- AlgoSec Firewall Analyzer
- Alienvault OTX
- Alienvault USM
- Anthropic
- Anodot
- Any Run
- Ansible
- Anvilogic
- Apex One
- ArcSight ESM
- Area 1
- Asana
- Asset Panda
- Astrix
- Atlassian Crowd
- Atlassian User Management
- Atlassian User Provisioning
- AuditBoard
- auth0
- Authentik
- Authomize
- Automox
- AWS
- AWS IAM Identity Center
- Axonius
- Azure
- Azure Data Explorer
- Azure DevOps
- Azure Log Analytics
- Azure Storage
- BambooHR
- Big Fix
- BigPanda
- Bitbucket
- Bitdefender
- Bitsight
- Bitwarden
- Black Duck
- Black Kite
- Blink
- BMC Remedy
- Box
- Brinqa
- Cato Networks
- Censys
- Chorus
- Cisco Advanced Phishing Protection
- Cisco Domain Protection
- Cisco Meraki
- Cisco Talos
- Cisco Umbrella
- Cisco Webex
- Claroty xDome
- ClearPass
- ClickHouse
- ClickUp
- Cloud Custodian
- Cloudflare
- Cloudflare R2
- Cobalt.io
- Check Point Harmony
- Check Point Infinity Events
- Check Point Management
- Check Point XDR/XPR
- Checkmarx SAST
- Checkmarx One
- Chronicle
- Compass
- Confluence
- Confluence Data Center
- Coralogix
- Coralogix Incident Management
- Cortex XDR
- Cortex Xpanse
- Coupa Compass
- CredStash
- Cribl
- CrowdStrike
- CyberArk
- Cybersixgill
- CyCognito
- Cyera
- Cylance
- Cyware CTIX
- Darktrace
- Dasera
- Databricks
- Datadog
- DataSet
- Discord
- Docusign
- Delighted
- Delinea
- Devo
- Domo
- Drata
- Dropbox
- Dropbox Business
- druva
- Duo
- Duo Auth
- Dynatrace
- EasyVista
- EchoTrail
- Egnyte
- Egnyte Secure Govern
- Elasticsearch
- Entro
- Entrust Certificate Services
- Ermetic
- Exabeam
- Exchange Online
- Expel
- F5
- Falcon LogScale
- Falcon Surface
- Fastly
- Flare.io
- Forcepoint DLP
- Forescout
- FortiGate
- Freshservice
- GCP
- Gemini
- Ghostwriter
- Git
- GitHub
- GitLab
- Glean
- Gmail
- Google Calendar
- Google Chat
- Google Docs
- Google Drive
- Google Forms
- Google Meet
- Google Looker
- Google Sheets
- Google Workspace
- Grafana
- Greenhouse
- GreyNoise
- Grip Security
- GYTPOL
- Have I Been Pwned
- HackerOne
- Halo Service Desk
- HackNotice
- HiBob
- HubSpot
- Hunters
- Hybrid Analysis
- Hyperproof
- IBM CLoud
- IBM NS1 Connect
- IBM X Force
- Imperva
- Incident.io
- Infobip
- Infoblox Cloud Services Portal
- Intercom
- Intezer
- IP API
- IPinfo
- IPWHOIS
- Ivanti RiskSense
- Ironscales
- Jamf
- JetBrains
- JFrog
- Jira
- Jira Data Center
- Joe Sandbox
- JumpCloud
- Kandji
- Keeper Secrets Manager
- Kenna Security
- KnowBe4
- KnowBe4 Events
- Kubernetes
- Lacework
- LaunchDarkly
- LimaCharlie
- Linear
- Litmos
- Living Security
- LogicMonitor
- LogRhythm
- Manage Engine ServiceDesk Plus
- Mattermost
- Maven
- Microsoft Defender For Cloud
- Microsoft Defender For Cloud Apps
- Microsoft Defender For Endpoints
- Microsoft Defender XDR
- Microsoft E-Discovery
- Microsoft Entra ID
- Microsoft Graph
- Microsoft Intune
- Microsoft Office 365 Management Activity
- Microsoft Outlook
- Microsoft Purview
- Microsoft Sentinel
- Microsoft SQL Server
- Microsoft Teams
- Mimecast
- MISP
- Monday
- MongoDB Atlas
- MxToolbox
- Neo4j
- NetBox
- Netography
- Netskope
- New Relic
- Nightfall AI
- NinjaOne
- Notion
- Nozomi Networks
- Nuclei
- Nucleus
- Nutanix Hypervisor
- Obsidian
- Okta
- OneDrive
- OneLogin
- OneTrust
- Oort
- OpenAI
- OpenCTI
- Opsgenie
- OPSWAT
- Oracle Cloud
- Oracle HCM
- Orca Security
- OWASP ZAP
- PagerDuty
- Palo Alto NGFW
- Palo Alto Firewall
- Panther
- Pentera
- Perception Point
- PhishLabs
- PhishLabs Incident Data
- PhishLabs Open Web Monitoring
- Pingdom
- PingID
- PingOne
- PlexTrac
- PortSwigger
- Power BI
- PowerShell
- Postman
- Postman SCIM
- Prisma Access
- Prisma Cloud
- Prisma Cloud CWP
- Prometheus
- Proofpoint
- Proofpoint ITM
- Proofpoint Protection Server
- Proofpoint Security Awareness Training
- Proofpoint TAP
- Proofpoint TRAP
- Pub-Sub
- QRadar
- Qualys
- Rapid7
- Rapid7 InsightIDR
- Rapid7 InsightVM Cloud
- Rapid7 Threat Command
- Reco
- Recorded Future
- Recorded Future Triage Cloud
- Red Hat IDM
- Rippling
- runZero
- SafeBase
- Sage HR
- SailPoint
- SailPoint IdentityIQ
- Salesforce
- SAP Ariba
- Sap Concur
- ScienceLogic
- Securin
- Securin VI
- SecurityScorecard
- Securonix
- Seemplicity
- Sekoia.io
- SemGrep
- SentinelOne
- ServiceNow
- SharePoint
- Shodan
- Shopify
- Silverfort
- Slack
- Smartsheet
- Snipe IT
- Snowflake
- Snyk
- SolarWinds Information Service
- SolarWinds Service Desk
- SonarQube
- Sophos
- Split
- Splunk
- Splunk Observability
- Splunk SOAR
- Spur
- StrongDM
- Sumo Logic
- Symantec EDR
- Sysdig
- Tableau
- Tanium
- TeamCity
- TeamViewer
- Telegram
- Tempo
- Tenable
- Tenable Security Center
- Terraform
- Terraform Cloud
- Tessian
- TheHive
- Thinkst Canary
- ThreatQuotient
- Trellix Email Security
- Trello
- Trend Vision One
- Twilio
- UKG HR
- Uptycs
- URLScan
- Vault
- Veracode
- Verkada
- Vertica
- VMware vSphere
- VMware Carbon Black
- VirusTotal
- WeChat
- WhatsApp
- WhoIs
- WildFire
- Wiz
- Workday
- Workspace ONE UEM
- YesWeHack
- Zendesk
- Zero Networks
- Zoom
- Zscaler Internet Access
- Zscaler Private Access
Actions
Search Alerts
Search and query all alerts.
Minimal required permissions: org.alerts Read
External Documentation
To learn more, visit the VMware Carbon Black documentation.
Basic Parameters
Parameter | Description |
---|---|
Query | A query string to query the alerts by. |
Sort | The sort objects by which the results are sorted. For more information see Carbon Black documentation.For Example:[ { "field": "primary_field", "order": "DESC" }, { "field": "tiebreak_field", "order": "DESC" }] |
Time range | The range of query time from now. Cannot be used with the Start Time & End Time parameters. For more information see Carbon Black documentation. |
Advanced Parameters
Parameter | Description |
---|---|
Criteria | Criteria by which to return the results. For more information see Carbon Black documentation. |
End Time | The End time of the query window. Must be used with the Start Time parameter. |
Exclusions | Exclusions by which to return the results. For more information see Carbon Black documentation. |
Limit | The limit of the amount of returning results. |
Offset | The offset of the returning results. |
Start Time | The start time of the query window. Must be used with the End Time parameter. |
Example Output
{
"results": [
{
"org_key": "ABCD1234",
"alert_url": "https://defense.conferdeploy.net/alerts?s[c][query_string]=id:708d7dbf-2020-42d4-9cbc-0cddd0ffa31a&orgKey=ABCD1234",
"id": "708d7dbf-2020-42d4-9cbc-0cddd0ffa31a",
"type": "WATCHLIST",
"backend_timestamp": "2023-04-03T08:48:47.211Z",
"user_update_timestamp": "2023-04-13T11:55:20.860Z",
"backend_update_timestamp": "2023-04-03T08:48:47.211Z",
"detection_timestamp": "2023-04-03T08:46:52.302Z",
"first_event_timestamp": "2023-04-03T08:44:43.552Z",
"last_event_timestamp": "2023-04-03T08:44:43.552Z",
"severity": 6,
"reason": "Process taskhostw.exe was detected by the report \"Abnormally Large DNS Exchanges (exfil or zone transfer)\" in watchlist \"zzz_XDR Sample IOCs\"",
"reason_code": "19261158-dbbf-3077-9959-f8aa7f7551a1:0cc402b0-ea96-35c6-8418-a2f07acf616d",
"threat_id": "19261158DBBF00775959F8AA7F7551A1",
"primary_event_id": "t6a_TNVuQb6seMjk_VyDsg-0",
"policy_applied": "NOT_APPLIED",
"run_state": "RAN",
"sensor_action": "ALLOW",
"workflow": {
"change_timestamp": "2023-04-13T11:55:20.860Z",
"changed_by_type": "USER",
"changed_by": "demouser@demoorg.com",
"closure_reason": "NO_REASON",
"status": "IN_PROGRESS"
},
"determination": {
"change_timestamp": "1970-01-01T00:00:00.000Z",
"value": "ALERT_CLASSIFICATION_UNKNOWN",
"changed_by_type": "OPERATOR_UNKNOWN",
"changed_by": null
},
"tags": null,
"alert_notes_present": false,
"threat_notes_present": false,
"is_updated": false,
"device_id": 18078555,
"device_name": "DEMO\\DEMOMACHINE",
"device_uem_id": "",
"device_target_value": "MEDIUM",
"device_policy": "Demo-policy",
"device_policy_id": 12345678,
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64",
"device_username": "DEMOMACHINE\\Administrator",
"device_location": "UNKNOWN",
"device_external_ip": "1.2.3.4",
"device_internal_ip": "1.2.3.4",
"mdr_alert": false,
"report_id": "Fm0YsPDyQ1Kp1Pdd6Lnd8w-abd-defg-123",
"report_name": "Abnormally Large DNS Exchanges (exfil or zone transfer)",
"report_description": "IOC leveraging XDR fields to identify abnormally large DNS exchanges. The typical client DNS query to your DNS server is between 50-550 bytes. Large exchanges could be indicative of attack exfiltration or zone transfer attempts.",
"report_tags": [],
"ioc_id": "abd-defg-123",
"ioc_hit": "netconn_application_protocol:DNS AND netconn_bytes_sent:[551 TO *]",
"watchlists": [
{
"id": "lgaClyOmQ86ZwZttq3ZDxg",
"name": "Demo IOCs"
}
],
"process_guid": "ABCD1234-0113db5b-000011bc-00000000-1d966088928e609",
"process_pid": 4540,
"process_name": "c:\\windows\\system32\\taskhostw.exe",
"process_sha256": "1234cd567ab3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad",
"process_md5": "123a4566ab18f93b93d551cd10c1598e",
"process_effective_reputation": "COMPANY_WHITE_LIST",
"process_reputation": "TRUSTED_WHITE_LIST",
"process_cmdline": "taskhostw.exe SYSTEM",
"process_username": "DEMOSERVER\\DEMO",
"process_issuer_": "Demo CA",
"process_publisher": "Demo Publisher",
"parent_guid": "ABCD1234-0113db5b-000006bc-00000000-1d94225f1bb0897",
"parent_pid": 1724,
"parent_name": "c:\\windows\\system32\\svchost.exe",
"parent_sha256": "123ab451a82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7",
"parent_md5": "a123456789f632dc8d9404d83bc16316",
"parent_effective_reputation": "TRUSTED_WHITE_LIST",
"parent_reputation": "TRUSTED_WHITE_LIST",
"parent_cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule",
"parent_username": "NT AUTHORITY\\SYSTEM",
"childproc_guid": "",
"childproc_username": "",
"childproc_cmdline": "",
"ml_classification_anomalies": [
{
"anomalous_field": "actor_process_modload_count",
"anomaly_name": "Process modloads",
"anomalous_field_baseline_values": [
"0",
"1"
],
"anomalous_value": "65"
},
{
"anomalous_field": "actor_process_filemod_count",
"anomaly_name": "Process filemods",
"anomalous_field_baseline_values": [
"0"
],
"anomalous_value": "8"
}
]
}
],
"num_found": 147,
"num_available": 147
}
Workflow Library Example
Search Alerts with Vmware Carbon Black and Send Results Via Email
Preview this Workflow on desktop
Was this page helpful?
Assistant
Responses are generated using AI and may contain mistakes.