Environment

• Carbon Black Cloud Console: All Versions

Objective

Resolution

1. Decide on a use case and necessary Event Type for the Data Forwarder, such as Alert triage, SIEM integration, or watchlist reporting.
   • Alert: All available Alerts.
   • Endpoint Event: All available endpoint telemetry.
   • Watchlist Hit: All available Watchlist hits. 
2. Configure your AWS S3 Bucket or Azure Blob Storage to receive data from Carbon Black Cloud.
3. Add a Data Forwarder in the Carbon Black Cloud Console.
   Tip: If using the Endpoint Event forwarder type, there are three methods of configuring which data is sent.
   • Basic Data Filter: Structured form input within the Console
   • Custom Query Data Filter: Custom lucene syntax queries within the Console
   • API: Custom lucene syntax using the Data Forwarder API
4. Fetch the forwarded data from the destination or connect other tools to process the data, including SIEM solutions like Splunk, QRadar, or ServiceNow.

• Getting Started: Custom Filters for the Data Forwarder
• Syntax Tips for Custom Query Filters
• Using Wildcards with Custom Query Filters

• Alert Schema 2.0.0
• Endpoint Event Schema 1.1.0
• Watchlist Hit Schema 1.0.0

Additional Notes

• Currently, the Endpoint Event type is unavailable for Azure Blob Storage.
• For an end-to-end guide on using Data Forwarder with Splunk, refer to this article and the associated video.

Related Content