You can use Carbon Black Cloud Data Forwarders to send bulk data regarding alerts, endpoint events, and watchlist hits to external destinations such as an Amazon Web Services (AWS) S3 bucket or Microsoft Azure Blob storage.
Note:
- If you are using an AWS S3 bucket, the Data Forwarder requires you to create an S3 bucket with a bucket policy that grants the necessary permissions to the AWS Principal used by the Data Forwarder. This policy is a resource-based policy. For more information, see the User Exchange article: Writing an S3 Bucket Policy for the Carbon Black Cloud Event Forwarder (external link, credentials required).
- You can create multiple Data Forwarders to send specific data to various sub-folders in the same AWS S3 bucket.
- If you are using Azure, the Data Forwarder requires you to authorize Carbon Black Cloud access to the Storage account using a Federated credentials-based Managed Identity.
High Level Steps
- Configure your provider to receive data from Carbon Black Cloud. See Data Forwarder API.
- Create and configure the Data Forwarder in the Carbon Black Cloud console.
TIP: You can use three methods to configure the Data Forwarder and control the specific data sent to your provider by the Endpoint Event forwarder type:
- Structured form input within the console (Basic Data Filters)
- Custom lucene syntax queries within the console (Custom Query Data Filters)
- Custom lucene syntax queries using the API
- After creating and configuring your Data Forwarder, you can fetch the data from the destination or connect other tools to process the data, including SIEM solutions like Splunk, QRadar, or ServiceNow.
