The Carbon Black EDR Event Forwarder is a standalone service that can export events (both watchlist/feed hits and raw endpoint events, if configured) from the Carbon Black EDR enterprise bus in a normalized JSON or LEEF format.

The events can be saved to a file, delivered to a network service, or automatically archived to an Amazon AWS S3 bucket. These events can be consumed by any external system that accepts JSON or LEEF, including Splunk and IBM QRadar.

The list of events to collect is configurable. By default, all feed and watchlist hits, alerts, binary notifications, and raw sensor events are exported into JSON. The configuration file for the connector is stored in /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf.

For details on installing and manually configuring the Event Forwarder, see https://github.com/carbonblack/cb-event-forwarder.

With the release of the Carbon Black EDR version 7.1.0 Server, administrators can customize the Event Forwarder from directly within the Carbon Black EDR console. Carbon Black EDR customers must install Carbon Black EDR Event Forwarder 3.6.2 or higher (available here) to use this feature. This version of Event Forwarder is automatically available for Carbon Black Hosted EDR customers.

By default, this feature is enabled for Carbon Black Hosted EDR instances, and disabled for Carbon Black EDR deployments. You can enable the feature for Carbon Black EDR by adding EventForwarderEnabled=true in cb.conf and restarting services. For more information about cb.conf, see the Carbon Black EDR Server Configuration Guide.

Forwarding of fileless_scriptload events by an integration with Microsoft Antimalware Scan Interface (AMSI) through the Event Forwarder was introduced in Carbon Black EDR Server version 7.2.0 and Carbon Black EDR Windows Sensor version 7.1. However, full support of this event type, including storage, console display, and API support, is available in Carbon Black EDR Server version 7.6.0. The fileless_scriptload event represents each occasion when the sensor detects PowerShell script content that was executed by any process on a supported endpoint. For more information about AMSI, see the Carbon Black EDR Integration Guide.