You can use Carbon Black Cloud Data Forwarders to send bulk data regarding alerts, endpoint events, and watchlist hits to external destinations such as an Amazon Web Services (AWS) S3 bucket.
In addition, you can create multiple Data Forwarders to send specific data to various sub-folders in the same AWS S3 bucket.
- At this time, the only supported destination option is an AWS S3 bucket.
- The Data Forwarder requires you to create an S3 bucket with a bucket policy that grants the necessary permissions to the Principal role used by the Data Forwarder. This policy is a resource-based policy. For more information, see the User Exchange article: Writing an S3 Bucket Policy for the Carbon Black Cloud Event Forwarder
High Level Steps:
- Create and an AWS S3 Bucket and configure a bucket policy to receive data from Carbon Black Cloud.
- Create and configure the Data Forwarder within the Carbon Black Cloud console.
TIP: You can use three methods to configure the Data Forwarder and control the specific data sent to your S3 bucket:
- After creating and configuring your Data Forwarder, you can fetch the data from the S3 bucket or connect other tools to process the data, including SIEM solutions like Splunk or QRadar.