The Data Forwarder method of data ingestion provides high scalability. This method is recommended when you have high volume or significant bursts of data.
The Data Forwarder streams the data to an AWS S3 bucket. The data is then pulled into QRadar via the Amazon AWS REST API Protocol.
Use the Data Forwarder input in conjunction with the built-in API input to access the full features of the Carbon Black Cloud app for IBM QRadar.
Supported data and features:
- Alerts
- Endpoint Events
- View Device Information
- Right-click Actions
Requirements:
- Data Forwarder(s) configured in Carbon Black Cloud
- Amazon AWS S3 REST API Protocol for QRadar updated to the latest version
To use a Data Forwarder input, you will need:
- AWS S3 bucket
- AWS SQS queue
- Management Access Policy and User
- Carbon Black Cloud Data Forwarder
- Log Source in QRadar
Note:
- For each data type (Alerts and Events), you must have a separate Data Forwarder in Carbon Black Cloud.
- You can configure more than one forwarder of either type if you have complex filtering needs.
