Posted on December 17, 2021
Now Available: Watchlist Hit Forwarding in the Carbon Black Cloud Data Forwarder
Carbon Black Cloud Enterprise EDR customers can now forward Watchlist Hits to external tools and workflows using the Data Forwarder.
The Carbon Black Cloud Data Forwarder is a reliable, scalable mechanism for Carbon Black Cloud customers to access event, alert and watchlist data in near real time within other tools and workflows, without having to perform one-off API calls.
The VMware Carbon Black Cloud platform provides SOC teams with visibility into a high volume of endpoint event context, which is critical for detection and incident response use cases. The Data Forwarder delivers that valuable endpoint event data to third-party solutions, such as XDR platforms, SIEMs, and Data Lake tools.
Along with the event and alert data that is currently available via the Data Forwarder, this release extends visibility to the latest threat intelligence impacting your organization.
This release provides significant enhancements for your threat hunting and incident response workflows, including:
To enable Watchlist Hit forwarding in your organization, navigate to the Data Forwarder page and select watchlist.hit as the forwarder type.
While this enhancement can provide beneficial context to analysts and threat hunters, it can also increase the volume of data ingested into your S3 bucket, since all hits on all “subscribed”/“tagged” Watchlists will be forwarded, regardless of whether or not a given Watchlist is enabled for alerting. Customers who are currently forwarding Watchlist Alerts will receive duplicate records if Watchlist Hit forwarding is enabled for a Watchlist that is already forwarding alerts.
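The following is an added example, not code from VMware Carbon Black or from this post. It does two things a practitioner would want before turning on watchlist.hit forwarding: it builds the config body for the Data Forwarder config API and, given the forwarders already configured and the org's subscribed watchlists, lists the watchlists whose hits would duplicate alerts that an existing alert forwarder already delivers. The endpoint path (`POST /data_forwarder/v2/orgs/{org_key}/configs`), the body fields (`name`, `enabled`, `type`, `s3_bucket_name`, `s3_prefix`) and the `alerts_enabled` flag on watchlist objects are assumptions drawn from the Carbon Black Cloud APIs rather than from this page; the sample configs and watchlists are constructed.

```python
"""Plan a watchlist.hit forwarder and flag watchlists whose hits would
duplicate alerts that are already being forwarded.

Added example, not VMware Carbon Black's code. Assumed (not stated in the
post): the Data Forwarder config API at
POST /data_forwarder/v2/orgs/{org_key}/configs taking a JSON body of
name/enabled/type/s3_bucket_name/s3_prefix, and watchlist objects carrying
an "alerts_enabled" flag. All sample data below is constructed.
"""
import json
from urllib import request

FORWARDER_TYPES = ("endpoint.event", "alert", "watchlist.hit")


def build_forwarder_config(name, forwarder_type, bucket, prefix, enabled=True):
    """Build the JSON body for a Data Forwarder config; rejects unknown types."""
    if forwarder_type not in FORWARDER_TYPES:
        raise ValueError(f"unknown forwarder type {forwarder_type!r}; "
                         f"expected one of {FORWARDER_TYPES}")
    return {
        "name": name,
        "enabled": enabled,
        "type": forwarder_type,
        "s3_bucket_name": bucket,
        "s3_prefix": prefix,
    }


def find_duplicating_watchlists(existing_configs, watchlists):
    """Names of watchlists whose hits would also arrive via an alert forwarder.

    A watchlist.hit forwarder sends every hit on every subscribed watchlist,
    so for any watchlist that is also alert-enabled, an enabled "alert"
    forwarder already delivers the same detection. Returns [] when no alert
    forwarder is enabled, because then nothing is duplicated.
    """
    alert_forwarding = any(c["type"] == "alert" and c.get("enabled", False)
                           for c in existing_configs)
    if not alert_forwarding:
        return []
    return sorted(w["name"] for w in watchlists if w.get("alerts_enabled"))


def create_forwarder(hostname, org_key, api_id, api_secret, config):
    """POST the config to the assumed Data Forwarder endpoint.

    This is a real network call and is not exercised by the constructed
    sample below; hostname is your Carbon Black Cloud API host.
    """
    url = f"https://{hostname}/data_forwarder/v2/orgs/{org_key}/configs"
    req = request.Request(
        url,
        data=json.dumps(config).encode("utf-8"),
        method="POST",
        headers={
            # Carbon Black Cloud API keys authenticate as "secret/id".
            "X-Auth-Token": f"{api_secret}/{api_id}",
            "Content-Type": "application/json",
        },
    )
    with request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample: one enabled alert forwarder already exists, and two of
# three subscribed watchlists are alert-enabled.
SAMPLE_CONFIGS = [
    {"id": "f1", "name": "alerts-to-siem", "type": "alert", "enabled": True,
     "s3_bucket_name": "example-cbc-forwarder", "s3_prefix": "alerts"},
    {"id": "f2", "name": "events-old", "type": "endpoint.event", "enabled": False,
     "s3_bucket_name": "example-cbc-forwarder", "s3_prefix": "events"},
]
SAMPLE_WATCHLISTS = [
    {"id": "w1", "name": "Carbon Black Advanced Threats", "alerts_enabled": True},
    {"id": "w2", "name": "Custom Hunting Queries", "alerts_enabled": False},
    {"id": "w3", "name": "ATT&CK Framework", "alerts_enabled": True},
]


if __name__ == "__main__":
    config = build_forwarder_config("watchlist-hits-to-siem", "watchlist.hit",
                                    "example-cbc-forwarder", "watchlist_hits")
    print(json.dumps(config, indent=2))
    for name in find_duplicating_watchlists(SAMPLE_CONFIGS, SAMPLE_WATCHLISTS):
        print(f"warning: hits on {name!r} will duplicate forwarded alerts")
```

Run against the constructed sample, the script prints the config body and warns about the two alert-enabled watchlists; in practice you would either leave alerting off for watchlists you only want as hits, or keep only one of the two forwarders pointed at the same downstream tool.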