Posted on June 15, 2020
Two tools exist to forward Carbon Black Cloud data: the Carbon Black Cloud Event Forwarder and Carbon Black Cloud Syslog.
The Carbon Black Cloud Event Forwarder is the recommended best practice: it is integrated into the Carbon Black Cloud and scales to large volumes of data. The Event Forwarder can forward both alerts and events to an S3 bucket. Event filtering and alternative destinations will come in future releases.
The Carbon Black Cloud Syslog forwarder uses Python and the Carbon Black Cloud APIs to fetch notifications and audit logs. The notification and audit log APIs behave like a FIFO (first in, first out) queue: every call to the endpoint consumes a portion of the queue and returns the oldest notifications or audit logs not yet delivered. This has a practical consequence: only one process should poll a given endpoint, because a second poller (another forwarder instance, or a manual test query) takes notifications with it that the first poller will never see. The data is converted into syslog in either LEEF or CEF format and sent over UDP, TCP, TCP+TLS or HTTP.
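The following Python example is added here to illustrate the three steps just described; it is not the Carbon Black Cloud Syslog connector's own code. It models the FIFO notification endpoint with an in-memory queue (so it runs offline), converts each notification to a CEF record with the escaping CEF requires, and wraps it in an RFC 3164 syslog header for UDP delivery. The sample notifications are constructed, and their field names, the CEF vendor/product strings and the extension key mapping are assumptions for illustration rather than the product's documented schema.

```python
"""Added example, not the Carbon Black Cloud Syslog connector's own code.
Models the three steps the text describes: draining the FIFO notification
queue, converting each notification to CEF, and framing it as syslog."""
import socket
from collections import deque
from datetime import datetime, timezone

# Constructed sample notifications. The field names (eventTime, ruleName,
# deviceInfo, threatInfo, ...) are assumed for illustration, not taken from
# the product documentation. Values include the characters CEF must escape.
SAMPLE_NOTIFICATIONS = [
    {"type": "THREAT", "eventTime": 1592222400000, "ruleName": "High severity",
     "deviceInfo": {"deviceName": "WS-0142", "externalIpAddress": "198.51.100.7"},
     "threatInfo": {"incidentId": "A1B2C3", "score": 8,
                    "summary": "Suspicious PowerShell | encoded command=..."}},
    {"type": "THREAT", "eventTime": 1592222460000, "ruleName": "Critical|Lateral",
     "deviceInfo": {"deviceName": "SRV-DB01", "externalIpAddress": "203.0.113.9"},
     "threatInfo": {"incidentId": "D4E5F6", "score": 6,
                    "summary": "Credential dump\\lsass"}},
]


class FakeNotificationApi:
    """Stand-in for the FIFO notification endpoint: every poll returns a batch
    and removes it from the queue, so whoever polls next does not see it."""

    def __init__(self, items, batch=1):
        self._q = deque(items)
        self._batch = batch

    def poll(self):
        n = min(self._batch, len(self._q))
        return {"notifications": [self._q.popleft() for _ in range(n)]}


def drain(api):
    """Poll until an empty batch comes back; each notification is seen once."""
    out = []
    while True:
        batch = api.poll().get("notifications", [])
        if not batch:
            return out
        out.extend(batch)


def _esc_header(value):
    # CEF header fields: escape backslash first, then the pipe delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    # CEF extension values: backslash, '=' and line breaks; '|' is legal here.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(n):
    """Render one notification as CEF:0|Vendor|Product|Version|ID|Name|Severity|ext.
    Vendor/product strings and the extension key mapping are assumed."""
    dev, threat = n.get("deviceInfo", {}), n.get("threatInfo", {})
    header = (
        "CarbonBlack", "CbCloud", "1.0", n.get("type", "UNKNOWN"),
        n.get("ruleName", ""), threat.get("score", 0),
    )
    ext = {
        "rt": n.get("eventTime", 0),
        "dvchost": dev.get("deviceName", ""),
        "dst": dev.get("externalIpAddress", ""),
        "cs1Label": "incidentId",
        "cs1": threat.get("incidentId", ""),
        "msg": threat.get("summary", ""),
    }
    return ("CEF:0|" + "|".join(_esc_header(v) for v in header) + "|"
            + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items()))


def syslog_frame(msg, host="cbc-forwarder", facility=1, severity=6, when=None):
    """RFC 3164 header: PRI = facility*8 + severity, then timestamp and host."""
    when = when or datetime.now(timezone.utc)
    stamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f"<{facility * 8 + severity}>{stamp} {host} {msg}"


def send_udp(lines, addr=("127.0.0.1", 514)):
    """One datagram per record, the simplest of the transports the text lists."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), addr)


if __name__ == "__main__":
    api = FakeNotificationApi(SAMPLE_NOTIFICATIONS)
    for record in drain(api):
        print(syslog_frame(to_cef(record)))
    print("second drain sees:", drain(api))  # [] because the queue was consumed
```

The two escaping helpers are the part worth copying: a pipe inside a header field (the rule name `Critical|Lateral`) must become `\|` or the receiving SIEM will misparse every later field, while a pipe inside an extension value needs no escaping but `=` and backslashes do. The second `drain` call returning nothing is the queue behaviour from the text; a stray poller sharing the same endpoint would have the same effect on the real forwarder.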
The transport each forwarder relies on can rule a solution out right away. If you cannot use Amazon Web Services, the Carbon Black Cloud Event Forwarder will not work. Likewise, the Carbon Black Cloud Syslog forwarder will not work if your receiving system cannot accept syslog over one of the supported transports (UDP, TCP, TCP+TLS or HTTP), or if you cannot host a server to run the Python script on a schedule.
If your organization generates large volumes of data (alerts and events), the Carbon Black Cloud Event Forwarder will handle the constant flow and any bursts of activity. If storage or data transfer cost is a concern, the Carbon Black Cloud Syslog forwarder combined with notification rules offers filtering of alerts. Notifications only provide a summary of an alert, so some fields will require additional API calls. With large volumes of alerts, the time spent fetching details for each notification may cause a backlog of notifications to build. In that case the Carbon Black Cloud Event Forwarder, configured for both alerts and events, allows quicker processing and lookup.
Carbon Black Cloud Event Forwarder
Carbon Black Cloud Syslog