
Advanced Filtering for the Carbon Black Cloud Data Forwarder

Posted on November 8, 2021

Advanced Event Filtering with Custom Queries

Advanced Filters are now available for the VMware Carbon Black Cloud Data Forwarder. With this update you can specify precisely which events are needed for your use case, reducing the volume of data that’s delivered to downstream tools.

The Carbon Black Cloud Data Forwarder is a reliable, scalable mechanism for Carbon Black Cloud customers to access event and alert data in near-real time within other tools and workflows without having to perform one-off API calls. It delivers valuable endpoint event data to an AWS S3 bucket ready for consumption by third-party solutions, such as XDR platforms, SIEMs, and Data Lake tools.


  • Reduce data storage costs by filtering out unwanted endpoint events
  • Target specific use cases with customized filters
  • Filter out noisy, known-good datasets
  • Eliminate makeshift filtering mechanisms in downstream tools by applying filters directly within Carbon Black Cloud


Increased Filter Flexibility

  • Filter on nearly all endpoint event fields
  • Leverage Investigate and Watchlist style Lucene queries to further define Forwarder filters and output
  • Ensure queries are accurate and valid with syntax highlighting and detailed error messages

Enhanced Ease of Use

  • Filters can be given unique names for easier management and organization
  • Multiple forwarders with unique filters can be created to fulfill specific use cases or multiple destinations
  • Filters can either include or exclude events for maximum flexibility

Refreshed In-console User Experience

  • Streamlined user experience in-console to simplify Data Forwarder configuration and management
  • Apply basic filters with a few clicks or customize with Lucene Queries

