Carbon Black Cloud Data Forwarder


Overview

The VMware Carbon Black Cloud platform provides SOC teams with visibility into a high volume of endpoint event context, which is critical for detection and incident response use cases. The Data Forwarder delivers that valuable endpoint
data to AWS S3 or Azure BLOB storage, ready for consumption by third-party solutions, such as XDR platforms, SIEMs, and Data Lake tools.

Requirements

  • Carbon Black Cloud Endpoint Standard or Enterprise EDR
  • Cloud Storage - either Amazon Simple Storage Service (Amazon S3) or Azure Blob Storage
    • AWS: Configured S3 bucket
      • Supports Alerts, Authentication Events, Endpoint Events, Watchlist Hits
      • Requires S3 bucket in same AWS region as the CBC tenant organization from which you’ll forward data
    • Azure: Configured Azure BLOB storage
      • Supports Alerts, Authentication Events and Watchlist Hits

Quick Links

There are several sets of information about the Data Forwarder, each specific to a task:

  • Configuring a Data Forwarder using the Carbon Black Cloud console is described in the User Guide. This is the recommended way to configure a new Forwarder or modify an existing one.
  • Configuring a Data Forwarder using the Data Forwarder API offers the same operations as are exposed by the Carbon Black Cloud console. This is recommended for automating Forwarder configuration, for example by service providers who create and maintain Forwarders in multiple CBC orgs.
  • The Data Forwarder Schema defines the structure of data emitted by the Data Forwarder for each type of Forwarder, e.g. Alert, Authentication Event, Endpoint Event, Watchlist Hit. Use this to understand the fields that are included in the output of each type of Forwarder.
  • This Configuration Guide includes step-by-step instructions to configure a Destination (aka Provider) compatible with your Forwarder. The options available are:
    1. AWS S3 Bucket
    2. Azure Blob Storage
  • Getting Started with Custom Query Filters. Use this when you want to configure filters to limit the endpoint event data sent by your Endpoint Event Forwarder.

Use Cases

Check out top use cases for the Forwarder and useful queries for filtering your data.

The Data Forwarder is generally recommended for customers who:

  • Have a high volume of data - Alerts, Endpoint Events or Watchlist Hits.
  • Have access to an AWS S3 bucket or an Azure Blob Storage container. See the Announcement of the Azure Destination.
  • Want notifications on all alerts; the Alerts v7 API enables selection of specific Alerts using the API search criteria, whereas the Forwarder sends all Alerts.
  • Want to forward all Endpoint Events or Watchlist Hits; these are not retrievable at volume via API.

Support and Resources

  • Use the CB Developer Network community Threads to discuss issues and get answers from other API developers in the Carbon Black Community.
  • Report bugs and change requests to Broadcom Support.
  • View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.

Last modified on July 8, 2024