Mappings: Carbon Black Cloud Watchlist Hit
| Input | Value |
|---|---|
| Vendor | VMware |
| Product | Carbon Black Cloud |
| Log Format | JSON |
| Event ID Regex Pattern | watchlist.hit |
| Output | Value |
|---|---|
| Vendor | VMware |
| Product | Carbon Black Cloud |
| Record Type | Audit |
| Cloud SIEM Schema Field | Original Record Key | Notes |
|---|---|---|
| action | action | |
| baseImage | process_path | |
| changeTarget | crossproc_api | |
| commandLine | process_cmdline | |
| device_hostname | device_name | |
| device_ip | device_internal_ip | |
| device_natIp | device_external_ip | |
| device_osName | device_os | |
| file_hash_md5 | process_hash.1 | |
| file_hash_sha256 | process_hash.2 | |
| file_path | process_path | |
| normalizedSeverity | severity | |
| parentBaseImage | parent_path | |
| parentCommandLine | parent_cmdline | |
| parentPid | parent_pid | |
| pid | process_pid | |
| severity | severity | |
| threat_identifier | ioc_id | |
| threat_name | report_name | |
| threat_referenceUrl | alert_url | |
| threat_ruleType | None | The static text direct is populated in this schema field. |
| threat_signalName | report_name | |
| user_username | device_username |