Follow this procedure to create and configure a new Data Forwarder.

Note: If you prefer to configure the Data Forwarder via API, see Event (Data) Forwarder Configuration API Documentation and Carbon Black Cloud Forwarder Data Mapping.

Prerequisites

This procedure requires an existing AWS S3 bucket with a bucket policy configured to receive bulk data from the Carbon Black Cloud. For more information, see Create an S3 Bucket in AWS and Configure the Bucket Policy.

Procedure

  1. On the left navigation pane, click Settings > Data Forwarders.
  2. Click Add Forwarder.
  3. In the Add Forwarder page, enter the Basic Info.
    Note: All fields are mandatory in this section.
    • Name: Provide a unique name for the Data Forwarder.
    • Type: Select one of the following from the drop-down list.
      • Alert

        If you select the Alert option, proceed to step 5.

      • Endpoint event

        If you select the Endpoint event option, proceed to step 4 to define the filter data.

      • Watchlist hit

        If you select the Watchlist hit option, proceed to step 5.

    • S3 bucket name: Enter the S3 bucket name you created on AWS.
    • S3 prefix: Enter the name of the folder you created in the AWS S3 bucket.
  4. If you selected Endpoint event in the previous step, click Add under Filter Data and specify the filter details.
    You can use a Basic filter or a Custom Query. For details, see Data Forwarder Filters.

    • Basic: Use the drop-down lists to specify how to filter the data, the data requirements, and the data values. See Create a Basic Data Filter for more details.

      For example, the filter settings shown below would deliver only EDR events that have an alert ID.

        Filter data by    Data must    Value(s)
        Event origin      equal        EDR
        Has alert ID      N/A          N/A

    • Custom Query: Write Lucene syntax queries using the Forwarder Data Schema. You can organize and label queries into separate Include and Exclude statements or write them as one statement. See Create a Custom Query Data Filter for more details.

      Example:

        Include
          • Window Servers: process_path:(c:\\windows\\system32\\svchost.exe) AND (remote_port:30 OR remote_port:5353 OR remote_ip:10.* OR remote_ip:111.222.* OR remote_ip:123.4.5.6)
          • Class A Filemods: filemod_name:(*.tmp OR *.log OR *.lock OR *.dat OR *.dist OR *.olk15Message)
        Exclude
          • Exclude Server X process paths and parent paths: process_path:(/Library/CompanyName/Printing/** OR c:\\windows\\winsxs\\*\\tiworker.exe OR c:\\program files (x86)\\druva\\insync\\insyncagent.exe, /Library/CompanyName/cnDDNS/CompanyNameMacDDNS.sh) OR parent_name:(/Library/CompanyName/Printing/GlPr*.sh OR /Library/CompanyName/Printing/rollup-Uni.s OR /Library/CompanyName/Printing/CompanyName*.sh)
  5. Set the forwarder status to either On or Off.
    Note: If you select On, data matching the criteria you specified will begin forwarding to the AWS S3 bucket you defined.
  6. To apply the changes, click Save.

Results

The Data Forwarder is now configured.

What to do next

You should test the connection between the Carbon Black Cloud and the AWS S3 bucket. See Test a New Data Forwarder.

In addition, after creating and configuring your Data Forwarder, you can fetch the data from the S3 bucket or connect other tools to process the data, including SIEM solutions like Splunk or QRadar.
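As an added illustration of consuming the forwarded data (not part of this procedure or of the Carbon Black Cloud product), the script below reads forwarder objects from the S3 prefix and re-applies the Basic filter from step 4 (Event origin equals EDR, has alert ID) on the consumer side. It assumes the forwarder writes gzip-compressed newline-delimited JSON, that the event fields are named event_origin and alert_id, and that boto3 is installed; the prefix value is a placeholder and the sample events are constructed.

```python
"""Read Data Forwarder output from S3 and apply the procedure's Basic filter."""
import gzip
import json
from typing import Iterable, Iterator

# Assumption: each forwarder object under the S3 prefix is gzip-compressed
# newline-delimited JSON, one event per line; the field names event_origin
# and alert_id are assumed to match the Forwarder Data Schema.
FORWARDER_PREFIX = "cbc-forwarder/endpoint-events/"  # placeholder, use your S3 prefix


def parse_forwarder_object(payload: bytes) -> list[dict]:
    """Decompress one forwarder object and return its events (one per line)."""
    text = gzip.decompress(payload).decode("utf-8")
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def edr_events_with_alert(events: Iterable[dict]) -> list[dict]:
    """Consumer-side mirror of the Basic filter in step 4:
    Event origin equals EDR AND the event carries an alert ID."""
    return [e for e in events if e.get("event_origin") == "EDR" and e.get("alert_id")]


def fetch_events(bucket: str, prefix: str = FORWARDER_PREFIX) -> Iterator[dict]:
    """List every object under the prefix and yield its events.
    Needs boto3 and read access to the bucket; imported lazily so the
    parsing and filtering above run offline."""
    import boto3  # assumed available in the consumer's environment
    s3 = boto3.client("s3")
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=prefix):
        for obj in page.get("Contents", []):
            body = s3.get_object(Bucket=bucket, Key=obj["Key"])["Body"].read()
            yield from parse_forwarder_object(body)


# Constructed sample standing in for one forwarder object in the bucket.
SAMPLE_EVENTS = [
    {"event_origin": "EDR", "alert_id": "ALERT-0001",
     "process_path": "c:\\windows\\system32\\svchost.exe"},
    {"event_origin": "EDR", "process_path": "c:\\windows\\explorer.exe"},
    {"event_origin": "NGAV", "alert_id": "ALERT-0002", "process_path": "c:\\temp\\x.exe"},
]
SAMPLE_OBJECT = gzip.compress("\n".join(json.dumps(e) for e in SAMPLE_EVENTS).encode("utf-8"))

if __name__ == "__main__":
    # Replace SAMPLE_OBJECT with fetch_events("your-bucket") to read from S3.
    for event in edr_events_with_alert(parse_forwarder_object(SAMPLE_OBJECT)):
        print(event["alert_id"], event["process_path"])
```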