Follow this procedure to create and configure a new Data Forwarder.

Note: To configure the Data Forwarder by using an API, see Data Forwarder API and Carbon Black Cloud Forwarder Data Mapping.

Prerequisites

  • You must have Super Admin privileges to add a Data Forwarder.
  • This procedure requires an Azure Blob Storage container, or an existing AWS S3 bucket that has a bucket policy configured to receive bulk data from the Carbon Black Cloud. See Data Forwarder Schema.

Procedure

  1. On the left navigation pane, click Settings > Data Forwarders.
  2. Click Add Forwarder.
  3. Enter a unique name for the Data Forwarder.
  4. Select a Type from the dropdown list.
    • All Data Forwarder Types: Select a Schema updates value and a Schema version/constraint value for that update. For more details about the consequences of these choices, see Semantic Versioning Support in Carbon Black Cloud Data Forwarder (external link). For schema output details, see the Data Forwarder Fields site (external link).
    • All Data Forwarder Types except Endpoint Event: select a Provider.

      • For an AWS provider, enter the S3 bucket name you created on AWS and enter the folder you created in the AWS S3 bucket. For example:

        [Figure: Alert fields for a new Data Forwarder]

      • For an Azure provider, provide the following field data: Tenant ID, Client ID, Storage account, and Container name. For example:

        [Figure: Azure provider for an alert type Data Forwarder]

        Table 1. Summary: Where to find Data Forwarder Configuration Parameters in the Azure Portal

        Parameter       | Location in the Azure Portal
        ----------------|--------------------------------------------------------------
        Tenant ID       | Home > More services/All services > Microsoft Entra ID > Tenant ID
        Client ID       | Home > Managed identities > (the managed identity you created for this Carbon Black Cloud Data Forwarder) > Client ID
        Storage Account | Home > Storage accounts > (use the Name of the storage account you created for this Carbon Black Cloud Data Forwarder)
        Container Name  | Home > Storage accounts > (your storage account name) > Containers > (use the Name of the container you created for this Carbon Black Cloud Data Forwarder)
    • Endpoint Event
      Note: The Endpoint Event option is only available for AWS destinations.
      1. Select and configure the AWS provider.
      2. Optionally click Add under Filter Data and specify the filter details.

        Select a Basic filter or a Custom Query. For more details, see Data Forwarder Filters.

      Basic: Use the dropdown lists to specify how to filter the data, the data requirements, and the data values. See Create a Basic Data Filter for more details.

      For example, the following filter settings deliver only EDR events that have an alert ID:

      Filter data by | Data must | Value
      ---------------|-----------|------
      Event origin   | equal     | EDR
      Has alert ID   | N/A       | N/A

      Custom Query: Write Lucene syntax queries using the Forwarder Data Schema. You can organize and label queries as separate Include and Exclude statements or write them as one statement. See Create a Custom Query Data Filter for more details. Note that backslashes in Windows paths are doubled (\\) because Lucene treats a single backslash as an escape character.

      Example:

      Filter  | Label                                            | Query
      --------|--------------------------------------------------|------
      Include | Windows Servers                                  | process_path:(c:\\windows\\system32\\svchost.exe) AND (remote_port:30 OR remote_port:5353 OR remote_ip:10.* OR remote_ip:111.222.* OR remote_ip:123.4.5.6)
      Include | Class A Filemods                                 | filemod_name:(*.tmp OR *.log OR *.lock OR *.dat OR *.dist OR *.olk15Message)
      Exclude | Exclude Server X process paths and parent paths  | process_path:(/Library/CompanyName/Printing/** OR c:\\windows\\winsxs\\*\\tiworker.exe OR c:\\program files (x86)\\druva\\insync\\insyncagent.exe OR /Library/CompanyName/cnDDNS/CompanyNameMacDDNS.sh) OR parent_name:(/Library/CompanyName/Printing/GlPr*.sh OR /Library/CompanyName/Printing/rollup-Uni.s OR /Library/CompanyName/Printing/CompanyName*.sh)
  5. Set the forwarder status to On or Off.
    Note: If you select On, data matching your specified criteria begins forwarding to the provider you defined.
  6. To apply the changes, click Save.
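The following is an added example, not code from the Carbon Black Cloud product, its SDK, or this guide: a small Python model of the Basic and Custom Query filter semantics described in step 4, run offline over constructed sample events. It assumes that forwarded objects are gzip-compressed JSON lines, that the Basic filter "Event origin equal EDR" and "Has alert ID" correspond to the schema fields event_origin and alert_id, and that an event is delivered when any Include statement matches and no Exclude statement matches. The Lucene queries from the example table are transcribed by hand into Python data rather than parsed, so this is a tool for reasoning about what a filter will and will not forward, not a validator of query syntax.

```python
"""
Added example (not Carbon Black Cloud product or SDK code): a model of the
Endpoint Event filter semantics, run over constructed sample events.

Assumptions (none stated explicitly by the procedure):
  * forwarded objects are gzip-compressed, newline-delimited JSON;
  * the Basic filter maps to the schema fields event_origin and alert_id;
  * a Custom Query delivers an event when any Include statement matches and
    no Exclude statement matches (Exclude wins);
  * Lucene text is not parsed; each query is written as Python data in CNF:
    a list of OR-groups of (field, pattern) terms, and the groups are ANDed.
"""
import fnmatch
import gzip
import json

# Constructed sample events (not real telemetry). Backslashes are single
# characters in the JSON; the doubled form in the UI query is Lucene escaping.
SAMPLE_EVENTS = [
    {"event_origin": "EDR", "alert_id": "a1",
     "process_path": "c:\\windows\\system32\\svchost.exe",
     "remote_ip": "10.0.0.5", "remote_port": 443},
    {"event_origin": "EDR", "alert_id": None,
     "process_path": "c:\\windows\\system32\\svchost.exe",
     "remote_ip": "10.0.0.5", "remote_port": 443},
    {"event_origin": "EDR", "alert_id": "a2",
     "process_path": "c:\\windows\\winsxs\\amd64_foo\\tiworker.exe",
     "remote_ip": "8.8.8.8", "remote_port": 53},
    {"event_origin": "NGAV", "alert_id": "a3",
     "filemod_name": "c:\\users\\bob\\appdata\\local\\temp\\x.tmp"},
]


def sample_object() -> bytes:
    """Build one forwarded object (.jsonl.gz) as a consumer would download it."""
    body = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\n"
    return gzip.compress(body.encode("utf-8"))


def read_jsonl_gz(blob: bytes) -> list:
    """Decompress and parse a .jsonl.gz object into a list of event dicts."""
    text = gzip.decompress(blob).decode("utf-8")
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# ---- Basic filter: "Event origin equal EDR" AND "Has alert ID" ------------

def basic_filter(event: dict) -> bool:
    return event.get("event_origin") == "EDR" and bool(event.get("alert_id"))


# ---- Custom Query, modelled as CNF over field:pattern terms ---------------

def term_matches(event: dict, field: str, pattern: str) -> bool:
    """field:pattern with Lucene-style '*' wildcards, case-insensitive."""
    value = event.get(field)
    if value is None:
        return False
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())


def query_matches(event: dict, query: list) -> bool:
    """query = [[(field, pattern), ...], ...]: groups ANDed, terms ORed."""
    return all(any(term_matches(event, f, p) for f, p in group) for group in query)


# The page's Include/Exclude example, transcribed into the CNF form above.
WINDOWS_SERVERS = [
    [("process_path", "c:\\windows\\system32\\svchost.exe")],
    [("remote_port", "30"), ("remote_port", "5353"), ("remote_ip", "10.*"),
     ("remote_ip", "111.222.*"), ("remote_ip", "123.4.5.6")],
]
CLASS_A_FILEMODS = [
    [("filemod_name", p) for p in
     ("*.tmp", "*.log", "*.lock", "*.dat", "*.dist", "*.olk15Message")],
]
EXCLUDE_SERVER_X = [
    [("process_path", "/Library/CompanyName/Printing/**"),
     ("process_path", "c:\\windows\\winsxs\\*\\tiworker.exe"),
     ("process_path", "c:\\program files (x86)\\druva\\insync\\insyncagent.exe"),
     ("process_path", "/Library/CompanyName/cnDDNS/CompanyNameMacDDNS.sh"),
     ("parent_name", "/Library/CompanyName/Printing/GlPr*.sh"),
     ("parent_name", "/Library/CompanyName/Printing/rollup-Uni.s"),
     ("parent_name", "/Library/CompanyName/Printing/CompanyName*.sh")],
]
INCLUDES = [WINDOWS_SERVERS, CLASS_A_FILEMODS]
EXCLUDES = [EXCLUDE_SERVER_X]


def deliver(event: dict, includes: list = INCLUDES, excludes: list = EXCLUDES) -> bool:
    """Exclude takes precedence; with no Include statements everything passes."""
    if any(query_matches(event, q) for q in excludes):
        return False
    return not includes or any(query_matches(event, q) for q in includes)


def filter_object(blob: bytes, includes=INCLUDES, excludes=EXCLUDES) -> list:
    """Events a consumer would receive if this Custom Query were configured."""
    return [e for e in read_jsonl_gz(blob) if deliver(e, includes, excludes)]


if __name__ == "__main__":
    for e in read_jsonl_gz(sample_object()):
        print(e.get("process_path") or e.get("filemod_name"),
              "basic=%s custom=%s" % (basic_filter(e), deliver(e)))
```

Running the script shows the third sample event dropped by the Exclude statement (its tiworker.exe path sits under winsxs), the second event kept by the Custom Query even though it has no alert ID, and the fourth event kept by the Class A Filemods Include despite not being an EDR event. Dry-running a filter like this before setting the forwarder status to On is worthwhile because, as noted under Results, the filter can be changed later but the Type and Destination cannot.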

Results

The Data Forwarder is now configured.

Note: After a Data Forwarder has been created, you cannot change its Destination (the Provider selected in step 4) or its Type. However, you can modify the configuration parameters within that Destination (for example, the bucket or container details), and you can change the Filtering parameters.

What to do next

After creating and configuring your Data Forwarder, you can fetch the data from the provider you configured, or connect other tools to process the data, such as SIEM solutions like Splunk or QRadar, or platforms like ServiceNow.