Mappings: Carbon Black Cloud Alert - Tuned Activity
| Input | Value |
|---|---|
| Vendor | VMware |
| Product | Carbon Black Cloud |
| Log Format | JSON |
| Event ID Regex Pattern | SAFE_REPUTATION_ALERT |
| Output | Value |
|---|---|
| Vendor | VMware |
| Product | Carbon Black Cloud |
| Record Type | Endpoint |
| Cloud SIEM Schema Field | Original Record Key | Notes |
|---|---|---|
| action | run_state | |
| baseImage | threat_indicators.1.process_name | |
| commandLine | process_cmdline | |
| device_hostname | device_name | |
| device_ip | device_internal_ip | |
| device_natIp | device_external_ip | |
| device_osName | device_os | |
| device_uniqueId | device_id | |
| file_basename | threat_indicators.1.process_name | |
| file_hash_md5 | process_md5 | |
| file_hash_sha256 | threat_indicators.1.sha256 | |
| file_path | threat_cause_actor_name | |
| normalizedSeverity | severity | This is a lookup field. More info to come in the catalog later... |
| parentPid | parent_pid | |
| pid | process_pid | |
| severity | severity | |
| threat_category | threat_cause_threat_category | |
| threat_identifier | ioc_id | |
| threat_name | watchlists.1.name | |
| threat_referenceUrl | alert_url | |
| threat_ruleType | None | The static text direct is populated in this schema field. |
| threat_signalName | watchlists.1.name | |
| user_username | device_username |