The following are supported data forwarder types: Alert, Auth event, Endpoint event, and Watchlist hit.
Alert Data Forwarders
- Includes: All Alerts, including Carbon Black Analytics (both Threat and Observed), Watchlist, and Device Control.
- Usage: If Carbon Black Cloud updates an alert with additional information, a new copy of the alert is forwarded.
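Because an updated alert is forwarded as a new copy, a consumer that counts forwarded records can count one alert several times. The following is an added example, not Carbon Black code, that keeps only the newest copy of each alert. The field names `id`, `backend_update_timestamp` and `severity`, and the newline-delimited JSON input, are assumptions to check against the Data Forwarder Data Guide.

```python
import json
from datetime import datetime

# Constructed sample of forwarded alert records, one JSON object per line.
# Field names are assumptions, not taken from this page.
SAMPLE = """\
{"id": "A-1", "backend_update_timestamp": "2024-05-01T10:05:00.000Z", "severity": 7}
{"id": "A-2", "backend_update_timestamp": "2024-05-01T10:01:00.000Z", "severity": 3}
{"id": "A-1", "backend_update_timestamp": "2024-05-01T10:00:00.000Z", "severity": 4}
not-json
{"severity": 9}
"""


def _ts(value):
    # Normalise a trailing "Z" so older Python versions can parse the value.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def latest_alerts(lines):
    """Return ({alert_id: newest record}, number of lines skipped)."""
    latest, skipped = {}, 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            key, stamp = rec["id"], _ts(rec["backend_update_timestamp"])
        except (ValueError, KeyError, TypeError, AttributeError):
            # Malformed or incomplete record: count it rather than drop it silently.
            skipped += 1
            continue
        held = latest.get(key)
        # Compare timestamps, not arrival order: an older copy can arrive late.
        if held is None or stamp > held[0]:
            latest[key] = (stamp, rec)
    return {k: rec for k, (_, rec) in latest.items()}, skipped


if __name__ == "__main__":
    alerts, skipped = latest_alerts(SAMPLE.splitlines())
    for alert_id, rec in sorted(alerts.items()):
        print(alert_id, rec["severity"])
    print("skipped:", skipped)
```

A non-zero skipped count is worth alerting on in its own right, since it means forwarded records are failing to parse.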
Auth Events Data Forwarders
Note: Auth Events are available for Enterprise EDR customers only.
- Includes: All Auth Events reported on the Investigate > Auth Events tab.
- Usage: When Carbon Black Cloud receives an Auth Event from one of your sensors, a copy of that Auth Event is forwarded.
Endpoint Event Data Forwarders
- Includes: All endpoint activity, such as process starts, network connections, file modifications, and registry key activity.
- Usage: You can filter Endpoint events to control precisely what data is forwarded. Any endpoint activities meeting the criteria of the defined filters are forwarded.
Watchlist Hit Data Forwarders
Note: Watchlist hits are available for Enterprise EDR customers only.
- Includes: All Watchlist Hits, including alerted and non-alerted. See: Managing Watchlists
- Usage: If Carbon Black Cloud receives a watchlist hit, a copy of the hit is forwarded.
Note: The schema for each Data Forwarder type, field descriptions, and example output can be found in the Developer Network Data Forwarder Data Guide.