EDR: What is the Complete List of Process Search Terms
search cancel

EDR: What is the Complete List of Process Search Terms

book

Article ID: 286266

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

What is the complete list of Process Search terms?

Environment

  • EDR Server: 7.x

Resolution

Search Terms
FieldTypeDescription
blocked_md5md5MD5 of a process blocked due to a banning rule.
blocked_statusstatus

Status of a block attempt on a running process due to a banning rule, one of the following:
a-ProcessTerminated
b-NotTerminatedCBProcess
c-NotTerminatedSystemProcess
d- NotTerminatedCriticialSystemProcess
e-NotTerminatedWhiltestedPath
f-NotTerminatedOpenProcessError
g-NotTerminatedTerminateError

childproc_countcountTotal count of child processes created by this process
childproc_md5md5

MD5 of the executable backing the created child processes.

childproc_sha256sha256

SHA-256 of the executable backing the created child processes (if available).

childproc_namekeywordFilename of the child process executables.
cmdlinecmdlineFull command line for this process.
commentstextComment string from the class FileVersionInfo (link in Related Content)
company_nametextCompany name string from the class FileVersionInfo
copied_mod_lencountNumber of bytes collected
crossproc_countcountTotal cound of cross process actions by an actor process.
crossproc_md5md5MD5 of actor process that performed a cross process action on a target process. For Example: crossproc_md5:6d7c8a951af6ad6835c029b3cb88d333.
crossproc_sha256sha256SHA256 of actor process that performed a cross process action on a target process. For Example: crossproc_sha256:BCB8F25FE404CDBFCB0927048F668D7958E590357930CF620F7 4B59839AF2A9C
crossproc_namekeywordName of of actor process that performed a cross process action on a target process. For Example: crossproc_name:ms*.exe
crossproc_typekeyword
  • processopen (or process_open) finds processes which opened a handle into another process with a set of access rights. Sample results: OpenThread() API call requested THREAD_GET_CONTEXT, THREAD_SET_CONTEXT, THREAD_SUSPEND_RESUME access rights.

  • remotethread (or remote_thread) finds processes which injected a thread into another process. Sample results: CreateRemoteThread API used to inject code into target process.

  • processopentarget is similar to processopen, but instead of finding the actor, the process returns the targeted process; i.e., the process which the handle is opened into.

  • remotethreadtarget is similar to remotethread, but instead of finding the actor process, it returns the targeted process; i.e., the process which the thread was injected into.

digsig_issuertextIf digitally signed, the issuer.
digsig_prog_nametextIf digitally signed, the program name.
digsig_publishertextIf digitally signed, the publisher.
digsig_resultsignIf digitally signed, the result. Values are: • “Bad Signature” • “Invalid Signature” • “Expired” • “Invalid Chain” • “Untrusted Root” • “Signed” • “Unsigned” • “Explicit Distrust”
digsig_sign_timedatetimeIf digitally signed, the time of signing. For Example: start:[2016-12-01T22:15:00 TO 2016-12-01T:23:14:59]
digsig_subjecttextIf digitally signed, the subject.
domaintextNetwork connection to this domain.
file_desctextFile description string from the class FileVersionInfo.
file_versiontextFile version string from the class FileVersionInfo.
fileless_scriptload_cmdlinetext(7.7+) Command line contents of a fileless scriptload event.
fileless_scriptload_cmdline_lengthinteger(7.7+) Length of the command line contents of a fileless scriptload event.
filemodpathPath of a file modified by this process. For Example: filemod:c:\windows\system32\boot\winload.exe
filemod_countcountTotal count of file modifications by this process.
filewrite_md5md5MD5 of file written by this process.
filewrite_sha256sha256SHA-256 of file written by this process (if available).
groupkeywordSensor group this sensor was assigned to at the time of process execution.
has_emet_configboolTrue or False - Indicates whether process has EMET mitigation configured/enabled.
has_emet_eventboolTrue or False - Indicates whether process has EMET mitigation events.
host_countintegerCount of hosts that have seen a binary.
host_typekeywordType of the computer: workstation, server, or domain controller.
hostnamekeywordHostname of the computer on which the process was executed.
internal_nametextInternal name string from the class FileVersionInfo
ipaddripaddrNetwork connection to or from this IP address. Only a remote (destination) IP address is searchable regardless of incoming or outgoing. IPv4-mapped addresses (::FFFF:1.2.3.4) are stored as IPv4 netconns, and can be queried using either ipaddr:1.2.3.4 or ipv4mapped:1.2.3.4. IPv4-mapped addresses can also be queried using the ipv6addr:::FFFF:1.2.3.4 . Such queries are automatically translated to ipv4mapped:1.2.3.4. For example: ipaddr:192.168.0.0/16 or ipaddr:10.0.1.1
ipv6addripv6addrNetwork connection to or from this IPv6 address. Only a remote (destination) IP address is searchable regardless of incoming or outgoing. IPv4-compatible IPv6 addresses (::1.2.3.4) are stored as IPv6 netconns and can be queried using either ipv6addr:::1.2.3.4 or ipv6addr::0102:0304 (the latter is the native form; the dotted quad form is automatically translated to the native form). For example: ipv6addr:fe00:b9:266:2011:28dc:43d4:3298:12e2 or ipv6addr:fe00:b9:266:2011::0/50
ipportintegerNetwork connection to this destination port.
is_64bitboolTrue if architecture is x64.
is_executable_imageboolTrue if the binary is an EXE (versus DLL or SYS).
ja3keywordJA3 fingerprint of the server TLS hello packet. For Example: ja3:669181128F1B9B03303D77C6F2EEFD128
ja3skeywordJA3S fingerprint of the server TLS hello packet.
last_server_updatedatetimeLast activity in this process in the server’s local time.
last_updatedatetimeLast activity in this process in the computer’s local time.
legal_copyrighttextLegal copyright string from the class FileVersionInfo.
legal_trademarktextLegal trademark string from the class FileVersionInfo.
md5md5MD5 of the process, parent, child process, loaded module, or a written file.
sha256sha256SHA-256 of the process, parent, child process, loaded module, or a written file (if available).
modloadpathPath of module loaded into this process.
modload_countcountTotal count of module loads by this process.
netconn_block_typeinteger(7.7+) The classification of the network connection attempt. This is a sub-field of a netconn event: 0 equals a successful network connection; 1 equals a network connection attempt that was blocked due to the endpoint being in Isolation.
netconn_countcountTotal count of network connections by this process. For Example: netconn_count:[10 TO * ] for any process with more than 10 network connections.
observed_filenamepathFull path of the binary at the time of collection.
orig_mod_lencountSize in bytes of the binary at time of collection.
original_filenametextOriginal name string from the class FileVersionInfo.
os_typekeywordType of the operating system: Windows, OSX or Linux.
parent_idlongThe internal Carbon Black EDR process guid for the parent process.
parent_md5md5MD5 of the executable backing the parent process.
parent_sha256sha256SHA-256 of the executable backing the parent process (if available).
parent_namekeywordFilename of the parent process executable.
pathpathFull path to the executable backing this process.
private_buildtextPrivate build string from the class FileVersionInfo.
process_idlongThe internal Carbon Black EDR process guid for the process.
process_md5MD5MD5 of the executable backing this process.
process_sha256sha256SHA-256 of the executable backing this process (if available).
process_nametextFilename of the executable backing this process.
product_desctextProduct description string from the class FileVersionInfo.
product_nametextProduct name string from the class FileVersionInfo.
product_versiontextProduct version string from the class FileVersionInfo.
regmodpathPath of a registry key modified by this process.
regmod_countcountTotal count of registry modifications by this process.
sensor_idlongThe internal Carbon Black EDR sensor guid of the computer on which this process was executed.
server_added_timestampdatetimeTime this binary was first seen by the server.
special_buildtextSpecial build string from the class FileVersionInfo.
startdatetimeStart time of this process in the computer’s local time.
tamperedboolTrue if attempts were made to modify the sensor's binaries, disk artifacts, or configuration
usernamekeywordUser context with which the process was executed.
watchlist_<id>datetimeTime that this process or binary matched the watchlist query with
Please view the VMware Carbon Black EDR User Guide, for more guidance and examples.
https://docs.vmware.com/en/VMware-Carbon-Black-EDR/7.7.1/vmw-cb-edr-ug/GUID-38824E7A-AC42-465B-8287-4BE09F34D0C8.html

Additional Information

  • NOTE:  If a query specifies a term without specifying a field, the search is executed on all default fields.   For example:  If the query in the Process Search page is 'abuse' without a preceding Search Term field, then 'abuse' is searched as childproc_md5:abuse, childproc_256:abuse, blocked_md5:abuse, domain:abuse, etc.  As you might imagine this negatively affects performance.  Query should always contain a pair with Search Term field and a Value (SearchTerm:Value).
  • If a parameter is not listed as an available search option, this can be submitted as a feature request via Voice of the Customer:     https://community.carbonblack.com/t5/Knowledge-Base/All-Products-How-to-submit-a-new-enhancement-request/ta-p/72934