Mappings: Carbon Black Cloud C2C Process Auditing
| Input | Value |
|---|---|
| Vendor | CarbonBlack |
| Product | Cloud |
| Log Format | JSON |
| Event ID Regex Pattern | endpoint.event.proc(?:end|start) |
| Output | Value |
|---|---|
| Vendor | Carbon Black |
| Product | Cloud |
| Record Type | EndpointProcess |
| Cloud SIEM Schema Field | Original Record Key | Notes |
|---|---|---|
| action | action | |
| baseImage | process_path | |
| commandLine | process_cmdline | |
| description | action | This is a lookup field. More info to come in the catalog later... |
| device_hostname | device_name | |
| device_ip | device_internal_ip | |
| device_natIp | device_external_ip | |
| device_osName | device_os | |
| file_hash_md5 | process_hash.1 | |
| file_hash_sha256 | process_hash.2 | |
| file_path | process_path | |
| normalizedAction | action | This is a lookup field. More info to come in the catalog later... |
| normalizedResource | None | The static text process is populated in this schema field. |
| parentBaseImage | parent_path | |
| parentCommandLine | parent_cmdline | |
| parentPid | parent_pid | |
| pid | process_pid | |
| resource | target_cmdline | |
| severity | severity | |
| success | sensor_action | This is a lookup field. More info to come in the catalog later... |
| user_username | device_username |