SigmaHQ/tools/config/carbon-black.yml

title: CarbonBlack field mapping
order: 20
backends:
  - carbonblack
  - cb
fieldmappings:
  AccountName: username
  CommandLine: cmdline
  ComputerName: hostname
  CurrentDirectory: path
  Description: product_name
  DestinationHostname: winlog.event_data.DestinationHostname
  DestinationIp: ipaddr
  DestinationIsIpv6: ipaddr
  DestinationPort: ipport
  Image: path
  ImageLoaded: modload
  ImagePath: path
  #NewProcessName: process_name
  #ParentCommandLine: NONE??
  ParentProcessName: parent_name
  ParentImage: parent_name
  Path: path
  ProcessCommandLine: cmdline
  ProcessName: process_name
  #Signature: digsig_result
  SourceIp: ipaddr
  DestinationAddress: ipaddr
  DestinationPort: ipport
  DestPort: ipport
  TargetObject: regmod
  TargetFilename: filemod
  TargetFileName: filemod
  Targetfilename: filemod
  SourceImage: parent_name
  TargetImage: childproc_name
  NewProcessName: childproc_name
  Product: product_name
  Signature: digsig_publisher
  CallTrace: modload
  DestinationHostname: domain
  User: username
  StartModule: modload
  Company: company_name
  Description: file_desc
  FileVersion: file_version



#  DestinationHostname: hostname
#  DestinationIp: ipaddr
#  DestinationPort: ipport
#
#  SourceIp: ipaddr
#  SourcePort: ipport
#
#  IpAddress: ipaddr
#  IpPort: ipport
#
#  ProcessName: process_name
#  ParentProcessName: parent_name
#
#  TargetDomainName: domain
#
#  Image: path
#  ImagePath: path
#  ImageLoaded: path
#  Path: path
#  TargetFilename: path
#
#  Hashes: md5
#  Imphash: md5
#
#
#  User: username
#  SubjectDomainName: domain
#  SubjectUserName: username
#
#  WorkstationName: domain
#
#  CommandLine: cmdline
#  ComputerName: hostname
#
#  FileVersion: product_version
#  Description: product_desc
#  Product: product_name
#  Company: company_name
#
#  Keywords: process_name
#  Computer: host_type


excludedfields:
  - EventID
  - Robot2
  - TargetObject
  - CallTrace
  - Imphash