Watchlist Hit Forwarding in the Carbon Black Cloud Data Forwarder

Posted on December 17, 2021

Now Available: Watchlist Hit Forwarding in the Carbon Black Cloud Data Forwarder

Carbon Black Cloud Enterprise EDR customers can now forward Watchlist Hits to external tools and workflows using the Data Forwarder.

The Carbon Black Cloud Data Forwarder is a reliable, scalable mechanism for Carbon Black Cloud customers to access event, alert and watchlist data in near-real time within other tools and workflows without having to perform one-off API calls.

The VMware Carbon Black Cloud platform provides SOC teams with visibility into a high volume of endpoint event context, which is critical for detection and incident response use cases. The Data Forwarder delivers that valuable endpoint event data to third-party solutions, such as XDR platforms, SIEMs, and Data Lake tools.

Along with the event and alert data that is currently available via the Data Forwarder, this release extends visibility to the latest threat intelligence impacting your organization.

This release provides significant enhancements for your threat hunting and incident response workflows, including:

  • Ability to forward additional metadata that is not available through Watchlist Alerts, including command lines, hashes, digital signature attributes, reputation and username - both for the actor and the parent process - as well as all tags added to the Watchlist Reports
  • Ability to forward hits from Watchlists that do not allow alerts to be enabled, including ATT&CK Framework, Carbon Black Early Access Indicators, Carbon Black Endpoint Visibility, and Carbon Black Endpoint Suspicious Indicators

To enable Watchlist Hit forwarding in your organization, navigate to the Data Forwarder page and select watchlist.hit as the forwarder type.

While this enhancement can provide beneficial context to analysts and threat hunters, it can also increase the volume of data ingested by your S3 bucket, as all hits on all “subscribed”/“tagged” Watchlists will be forwarded, regardless of whether or not the Watchlist is enabled for alerting. Customers who are currently forwarding Watchlist Alerts will receive duplicative data if Watchlist Hit Forwarding is enabled on the same Watchlist that is forwarding alerts.