
Carbon Black Response

 

The Carbon Black Response extension for JSA adds new custom event properties for Carbon Black Response Payload.

JSA Custom Properties for Carbon Black Response Content Extension V1.0.1

The following table shows the custom properties updated in JSA Custom Properties for Carbon Black Response Content Extension V1.0.1.

Table 1: Custom Properties Updated in JSA Custom Properties for Carbon Black Response Content Extension V1.0.1

Name                 Optimized  Capture Group  Regex
Process Name         Yes        1              process_name=([^\t]+)


JSA Custom Properties for Carbon Black Response Content Extension V1.0.0

The following table shows the custom properties in JSA Custom Properties for Carbon Black Response Content Extension V1.0.0.

Table 2: Custom Properties in JSA Custom Properties for Carbon Black Response Content Extension V1.0.0

Name                 Optimized  Capture Group  Regex
Alert Type           No         1              alert_type=([^\t]+)
Command Line         Yes        1              (?:command_line|cmdline)="?([^\t]+)"?
CB Server            No         1              cb_server=([^\t]+)
Computer Name        Yes        1              computer_name=([^\t]+)
Domain               No         1              domain=([^\t]+)
Feed Name            No         1              feed_name=([^\t]+)
File Hash            Yes        1              sha256=([^\t]+)
Hostname             Yes        1              hostname=([^\t]+)
Local IP             No         1              local_ip=([^\t]+)
OS Vendor            Yes        1              os_type=([^\t]+)
Process Id           No         1              \spid=([^\t]+)
Parent GUID          No         1              parent_guid=([^\t]+)
Parent MD5           No         1              parent_md5=([^\t]+)
Parent Process ID    No         1              parent_pid=([^\t]+)
Parent Path          No         1              parent_path=([^\t]+)
Parent Process Guid  No         1              parent_process_guid=([^\t]+)
Path                 No         1              \spath=([^\t]+)
Process CommandLine  Yes        1              (?:command_line|cmdline)="?([^\t]+)"?
Process Direction    No         1              direction=([^\t]+)
Process Guid         No         1              \sprocess_guid=([^\t]+)
Process Name         Yes        1              process_name=([^\t]+)
Process Path         No         1              process_path=([^\t]+)
Proxy Domain         Yes        1              proxy_domain=([^\t]+)
Proxy IP             No         1              proxy_ip=([^\t]+)
Remote IP            No         1              remote_ip=([^\t]+)
Server Name          Yes        1              (?:-ServerName:|server_name=)([^\t]+)
Type                 No         1              \stype=([^\t]+)
Unique ID            No         1              (?:\suid|unique_id)=([^\t]+)
Watchlist Name       No         1              watchlist_name=([^\t]+)
Watchlists           No         1              watchlists=([^\t]+)
