You can use Carbon Black Cloud Data Forwarders to send bulk data about alerts, authentication events, endpoint events, and watchlist hits to an external destination such as an Amazon Web Services (AWS) S3 bucket or Microsoft Azure Blob storage.
Note:
- If you are using an AWS S3 bucket, the Data Forwarder requires an S3 bucket whose bucket policy grants the necessary permissions to the AWS Principal used by the Data Forwarder. This is a resource-based policy attached to the bucket itself, not an identity-based policy on your own IAM users or roles.
- If you are using Azure Storage, the Data Forwarder requires you to authorize Carbon Black Cloud to access the Storage account using a Managed Identity with federated credentials.
- For customers using AWS, you can create multiple Data Forwarders that send different data to different prefixes ("sub-folders") in the same AWS S3 bucket.
- For customers using Azure Storage, each Data Forwarder instance requires its own Azure Blob Container; the Data Forwarder offers no equivalent of S3 prefixes ("folders") for Azure Storage.
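The following is an added example (not Carbon Black's own code or documentation) of the AWS side of the first note: it generates the resource-based bucket policy that lets the forwarder's AWS Principal write, and only write, under one prefix per Data Forwarder, and it audits an existing policy for grants that are broader than a forwarder needs. The bucket name, principal ARN and prefixes are placeholders; take the actual Principal ARN and the exact action set from the instructions shown in the Carbon Black Cloud console when you create the forwarder (this example assumes s3:PutObject is sufficient). The Deny statement for non-TLS access is added hardening, not something the forwarder requires.

```python
import json

# Assumed placeholder values, not taken from the page: substitute your own bucket
# name and the AWS Principal ARN that the Carbon Black Cloud console shows you.
BUCKET_NAME = "example-cbc-forwarder-bucket"
FORWARDER_PRINCIPAL = "arn:aws:iam::123456789012:role/example-cbc-forwarder-role"
# One prefix per Data Forwarder, so several forwarders can share a single bucket.
FORWARDER_PREFIXES = ["cbc/alerts", "cbc/endpoint-events", "cbc/watchlist-hits"]


def build_bucket_policy(bucket, principal_arn, prefixes):
    """Return a resource-based bucket policy that lets only the forwarder
    principal create objects, and only under the given prefixes."""
    write_resources = [f"arn:aws:s3:::{bucket}/{p.strip('/')}/*" for p in prefixes]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ForwarderWriteToPrefixes",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": "s3:PutObject",  # assumption: the only action the forwarder needs
                "Resource": write_resources,
            },
            {
                # Added hardening (not required by the forwarder): refuse any
                # plaintext, non-TLS request to the bucket or its objects.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy, bucket):
    """Flag Allow statements that grant more than a Data Forwarder needs.
    Returns a list of (Sid, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = statement.get("Sid", "<no Sid>")
        principal = statement.get("Principal")
        if principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        ):
            findings.append((sid, "wildcard principal: any AWS identity can use this grant"))
        for action in _as_list(statement.get("Action", [])):
            if action in ("*", "s3:*") or action.endswith("*"):
                findings.append((sid, f"wildcard action {action}: the forwarder only needs s3:PutObject"))
        for resource in _as_list(statement.get("Resource", [])):
            if resource in ("*", f"arn:aws:s3:::{bucket}/*"):
                findings.append((sid, f"resource {resource} is not restricted to a forwarder prefix"))
    return findings


# Constructed example of an over-broad policy, to show what the audit catches.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TooBroad",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": f"arn:aws:s3:::{BUCKET_NAME}/*",
        }
    ],
}


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET_NAME, FORWARDER_PRINCIPAL, FORWARDER_PREFIXES)
    print(json.dumps(policy, indent=2))
    for sid, finding in audit_bucket_policy(OVERBROAD_POLICY, BUCKET_NAME):
        print(f"{sid}: {finding}")
```

Paste the printed JSON into the bucket's Permissions > Bucket policy editor, or run the audit function against the output of `aws s3api get-bucket-policy` on a bucket you already use, to confirm that the forwarder's grant is limited to the forwarder's principal, to s3:PutObject, and to the prefix that forwarder writes to.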
High Level Steps
- Configure your provider to receive data from Carbon Black Cloud.
- For customers using AWS, see the section starting with: Create an S3 Bucket in the AWS Console
- For customers using Azure, see the section starting with: Create an Azure Storage Account
- Create and configure the Data Forwarder in the Carbon Black Cloud console.
TIP: For the Endpoint Event forwarder type specifically, you can use any of the following three methods to configure the Data Forwarder and control which data is sent to your provider:
- Structured form input within the console (Basic Data Filters)
- Custom Lucene syntax queries within the console (Custom Query Data Filters)
- Custom Lucene syntax queries using the API
- After creating and configuring your Data Forwarder, you can fetch the data from the destination or connect other tools to process the data, including SIEM solutions like Splunk, QRadar, or ServiceNow.