Carbon Black EDR Search Process

Use this playbook to search processes in Carbon Black Enterprise EDR. This playbook implements polling by continuously running the cb-eedr-process-search-results command until the operation completes.
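The search-then-poll flow above, written out as an added Python example (not the playbook's own code or the integration's API). The command executor, the job id, the status values and the sample process document are all constructed stand-ins, and the interval and timeout inputs are treated as seconds, which is an assumption.

```python
import time
from typing import Any, Callable, Dict

# Constructed stand-in for the XSOAR command executor (not the real API):
# given a command name and its arguments, returns that command's output dict.
Executor = Callable[[str, Dict[str, Any]], Dict[str, Any]]


class PollingTimeout(Exception):
    """Raised when the search job has not completed within `timeout`."""


def search_process(execute: Executor, query: str, interval: float = 1,
                   timeout: float = 10,
                   sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Run cb-eedr-process-search, then poll cb-eedr-process-search-results.

    `interval`/`timeout` mirror the playbook inputs (assumed to be seconds).
    Returns a dict shaped like the CarbonBlackEEDR.SearchProcess output.
    """
    job_id = execute("cb-eedr-process-search", {"query": query})["job_id"]
    elapsed = 0.0
    while True:
        res = execute("cb-eedr-process-search-results", {"job_id": job_id})
        if res["status"] == "COMPLETED":  # status strings are constructed here
            return {"job_id": job_id, "status": res["status"],
                    "results": res.get("results", [])}
        elapsed += interval
        if elapsed >= timeout:  # give up instead of polling forever
            raise PollingTimeout(f"job {job_id} still {res['status']} after {timeout}")
        sleep(interval)


def make_fake_executor(completes_after: int) -> Executor:
    """Constructed executor: answers IN_PROGRESS for `completes_after` polls."""
    polls = {"n": 0}

    def execute(command: str, args: Dict[str, Any]) -> Dict[str, Any]:
        if command == "cb-eedr-process-search":
            return {"job_id": "job-constructed-001"}
        if command == "cb-eedr-process-search-results":
            polls["n"] += 1
            if polls["n"] <= completes_after:
                return {"status": "IN_PROGRESS"}
            return {"status": "COMPLETED", "results": [{  # one sample doc
                "device_name": "WS-CONSTRUCTED-01", "process_pid": 4242,
                "process_name": "c:\\windows\\system32\\cmd.exe",
                "netconn_count": 3}]}
        raise ValueError(f"unknown command {command}")
    return execute
```

Call `search_process(make_fake_executor(2), "process_name:cmd.exe", sleep=lambda _: None)` to walk through two in-progress polls and a completed one without real waiting.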

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling

Integrations

  • CarbonBlackEnterpriseEDR

Scripts

This playbook does not use any scripts.

Commands

  • cb-eedr-process-search-results
  • cb-eedr-process-search

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| query | Query with Carbon Black API syntax. | | Optional |
| process_name | Tokenized file path of the process' main module. | | Optional |
| process_hash | MD5 and SHA-256 hashes of the process' main module in a multi-valued field. | | Optional |
| event_id | CBD Event id (valid only for events coming through Analytics). | | Optional |
| limit | Number of results to fetch. | | Optional |
| interval | Determines how long to wait between fetching data for polling. | 1 | Optional |
| timeout | Determines the timeout for polling. | 10 | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| CarbonBlackEEDR.SearchProcess.job_id | A request job id. | string |
| CarbonBlackEEDR.SearchProcess.status | A request job's current status. | string |
| CarbonBlackEEDR.SearchProcess.results.device_id | Device id that is guaranteed to be unique within each PSC environment, which is a set of organizations. | number |
| CarbonBlackEEDR.SearchProcess.results.process_username | Usernames related to the process. | string |
| CarbonBlackEEDR.SearchProcess.results.backend_timestamp | Date/time field formatted as an ISO-8601 string based on the UTC timezone. For example, device_timestamp:2018-03-14T21:06:45.183Z | date |
| CarbonBlackEEDR.SearchProcess.results.childproc_count | Cumulative count of child process creations since process tracking started. | number |
| CarbonBlackEEDR.SearchProcess.results.crossproc_count | Cumulative count of cross-process events since process tracking started. | number |
| CarbonBlackEEDR.SearchProcess.results.device_group_id | Id of the sensor group to which the device belongs. | number |
| CarbonBlackEEDR.SearchProcess.results.device_name | Name of the device. | string |
| CarbonBlackEEDR.SearchProcess.results.device_policy_id | Id of the policy applied to the device. | number |
| CarbonBlackEEDR.SearchProcess.results.device_timestamp | Time seen on the sensor, based on the sensor's clock. ISO-8601 formatted time string based on UTC. | date |
| CarbonBlackEEDR.SearchProcess.results.enriched | True if the process document came from the CbD data stream. | boolean |
| CarbonBlackEEDR.SearchProcess.results.enriched_event_type | CbD enriched event type. | string |
| CarbonBlackEEDR.SearchProcess.results.event_type | CBD Event type (valid only for events coming through Analytics). One of CREATE_PROCESS, DATA_ACCESS, FILE_CREATE, INJECT_CODE, NETWORK, POLICY_ACTION, REGISTRY_ACCESS, SYSTEM_API_CALL. | string |
| CarbonBlackEEDR.SearchProcess.results.filemod_count | Cumulative count of file modifications since process tracking started. | number |
| CarbonBlackEEDR.SearchProcess.results.ingress_time | Unknown | date |
| CarbonBlackEEDR.SearchProcess.results.legacy | True if the process document came from the legacy data stream (deprecated, use enriched). | boolean |
| CarbonBlackEEDR.SearchProcess.results.modload_count | Cumulative count of module loads since process tracking started. | number |
| CarbonBlackEEDR.SearchProcess.results.netconn_count | Cumulative count of network connections since process tracking started. | number |
| CarbonBlackEEDR.SearchProcess.results.org_id | Globally unique organization key (will likely be PSC organization id + PSC environment id or some other unique token used across environments). | string |
| CarbonBlackEEDR.SearchProcess.results.parent_guid | process_guid of the parent process. | string |
| CarbonBlackEEDR.SearchProcess.results.parent_pid | PID of the parent process. | number |
| CarbonBlackEEDR.SearchProcess.results.process_guid | Unique id of the process (same as document_guid above but without the timestamp suffix). | string |
| CarbonBlackEEDR.SearchProcess.results.process_hash | MD5 and SHA-256 hashes of the process' main module in a multi-valued field. | string |
| CarbonBlackEEDR.SearchProcess.results.process_name | Tokenized file path of the process' main module. | string |
| CarbonBlackEEDR.SearchProcess.results.process_pid | PID of the process. Can be multi-valued in case of exec/fork on Linux/OSX. | number |