You can use Carbon Black Cloud Data Forwarders to send bulk data regarding alerts, endpoint events, and watchlist hits to external destinations such as an Amazon Web Services (AWS) S3 bucket.

In addition, you can create multiple Data Forwarders to send specific data to various sub-folders in the same AWS S3 bucket.
Note:
  • At this time, the only supported destination option is an AWS S3 bucket.
  • The Data Forwarder requires you to create an S3 bucket with a bucket policy that grants the necessary permissions to the Principal role used by the Data Forwarder. This policy is a resource-based policy. For more information, see the User Exchange article: Writing an S3 Bucket Policy for the Carbon Black Cloud Event Forwarder.

High-Level Steps:

  1. Create an AWS S3 bucket and configure a bucket policy to receive data from Carbon Black Cloud.
  2. Create and configure the Data Forwarder within the Carbon Black Cloud console.
    TIP: You can use three methods to configure the Data Forwarder and control the specific data sent to your S3 bucket:
  3. After creating and configuring your Data Forwarder, you can fetch the data from the S3 bucket or connect other tools to process the data, including SIEM solutions like Splunk or QRadar.
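
The bucket policy from the note and step 1, as an added example that is not taken from Carbon Black's documentation: it builds a resource-based policy limited to one sub-folder per Data Forwarder and audits a policy for grants broader than that. The principal ARN, bucket name, and sub-folder names are placeholders, and `s3:PutObject` as the only required action is an assumption; take the real Principal role and action list from the User Exchange article.

```python
import json

# Assumptions (not from the page): the principal ARN is a placeholder, and
# s3:PutObject is assumed to be the only action the forwarder needs.
PRINCIPAL = "arn:aws:iam::111111111111:role/EXAMPLE-data-forwarder-role"
ALLOWED_ACTIONS = {"s3:PutObject"}

def build_policy(bucket, prefixes, principal=PRINCIPAL):
    """Resource-based policy: write-only, limited to the forwarder sub-folders."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DataForwarderWrite",
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": sorted(ALLOWED_ACTIONS),
            "Resource": [f"arn:aws:s3:::{bucket}/{p.strip('/')}/*" for p in prefixes],
        }],
    }

def as_list(value):
    """IAM policy fields may hold a single value or a list."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy, bucket):
    """Return findings for Allow statements broader than the forwarder needs."""
    findings = []
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        princ = st.get("Principal")
        aws = as_list(princ.get("AWS", [])) if isinstance(princ, dict) else [princ]
        if "*" in aws:
            findings.append(f"{sid}: wildcard principal")
        for action in as_list(st.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: unexpected action {action}")
        base = f"arn:aws:s3:::{bucket}/"
        for res in as_list(st.get("Resource", [])):
            if not res.startswith(base) or res[len(base):] in ("", "*"):
                findings.append(f"{sid}: {res} is not scoped to a sub-folder")
    return findings

if __name__ == "__main__":
    # Constructed sample: one bucket, one sub-folder per Data Forwarder.
    policy = build_policy("example-cbc-forwarder", ["alerts", "events", "watchlist-hits"])
    print(json.dumps(policy, indent=2))
    print(audit_policy(policy, "example-cbc-forwarder") or "no findings")
```
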

Related API Documentation

Data (Event) Forwarder Configuration API Documentation

Carbon Black Cloud Forwarder Data Mapping

Data Forwarder & Splunk Configuration

Getting Started: Custom Filters for the Data Forwarder

Additional Related Content

Bucket Policy Options for the Carbon Black Cloud Data Forwarder

Amazon: How Do I Create an S3 Bucket?

Amazon: Bucket Restrictions & Limitations