
Announcing Auth Event Forwarding for the Carbon Black Cloud Data Forwarder

Posted on February 28, 2024


Data Forwarder Support for Auth Events

As an Enterprise EDR customer, you now have the option to add a new type of Forwarder to send all Authentication Events to a Forwarder destination (AWS S3 or Azure Blob Storage Container) as they are reported by your Windows sensors.

The Auth Events forwarder type fully supports Semantic Versioning. It initially releases with a v1.0.0 schema, and its Schema updates setting (version_constraint in the API) can be configured as 1.0.0 (pinned), 1.0.* (patch) or 1.*.* (minor).

This means that Data Forwarder users can opt-in for automatic upgrades of their Auth Events forwarder, as and when new Auth Event forwarder schemas are released in the future, just like with all other Data Forwarder types that support Semantic Versioning.

Data Forwarder versioning improvements

Finalising our support for Semantic Versioning in the Data Forwarder, we are making the following changes:

  • Improvements to the Endpoint Event filtering capability, which ensure that all filters assigned to a single Endpoint Event forwarder instance use only the fields that are available in the schema version currently selected for that forwarder instance.

    • For example, it will no longer be possible to set a filter on an Endpoint Event forwarder of version 1.0.0 that includes the netconn_application_protocol field, but that same field will be allowed in the Custom Query filters of a version 1.1.0 Endpoint Event forwarder.

    • When using the Add Forwarder and Edit Forwarder pages, the Custom Query filter section will no longer suggest field names that are not valid for the version of the Endpoint Event schema currently selected for your Forwarder.

  • Validating Endpoint Event filters when editing a Forwarder: whenever you update the Endpoint Event filters on an existing Forwarder - or change the Schema version/constraint assigned to your Endpoint Event forwarder - the Carbon Black Cloud Data Forwarder service validates the new combination of Schema version and filters:

    • If you select an older Schema version for your existing Endpoint Event forwarder, and one of your filters includes a field that isn’t available in that schema version, the Forwarder service will not accept your requested change - the filters will have to be modified to use only compatible fields.

    • If you attempt to change a filter for your existing Endpoint Event forwarder and add a field that’s not available in the current schema version, the Forwarder service will also reject this change.

    • An error message will indicate the offending field, e.g. “netconn_application_protocol is not valid for version 1.0.0”.

Data Forwarder Config API adds optional field to two API endpoints

  • The /validate_filter API route now includes version_constraint as an optional input. This will enable the CBC console and the API consumer to determine exactly which fields are supported in the selected schema version. If version_constraint is not included in the request, the API will validate against the lowest supported schema version (currently 1.0.0 version of Endpoint Events schema)

  • When using the Filterable Event Schema API route, the caller can specify the version_constraint URL parameter. When it is specified, the API will return all filterable fields available for that schema version; if it is not specified, the API will return all filterable fields for the lowest supported schema version (currently the 1.0.0 version of the Endpoint Events schema).

Data Forwarder APIs now enforce schema compatibility

  • When using Create Filter or Edit Filter API routes, the API will check the version_constraint value for the associated config ID; if any field in the query is not available in that schema version, the API will return an error indicating which field(s) are not valid.

  • When using Edit Forwarder API route, the API will check the fields used in all query values for all Filters assigned to that forwarder; if any field in any Filter’s query is not available in the specified (or default) version_constraint, the API will return an error indicating which field(s) are not valid.
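The checks described above, written out as an added illustration (this is not Carbon Black Cloud code): resolving a version_constraint to a concrete schema version, validating one filter's fields against that version in the error format quoted earlier, and re-validating every filter on a forwarder when its constraint changes. The per-version field sets are constructed for the example, and the Lucene-style "field:value" query syntax and the rule that a wildcard resolves to the highest released matching version are assumptions.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample field sets per Endpoint Event schema version (illustrative,
# not the real schema). The post states that netconn_application_protocol is
# accepted for 1.1.0 but rejected for 1.0.0.
SCHEMA_FIELDS: Dict[str, Set[str]] = {
    "1.0.0": {"process_name", "event_type", "netconn_remote_port"},
    "1.0.1": {"process_name", "event_type", "netconn_remote_port"},
    "1.1.0": {"process_name", "event_type", "netconn_remote_port",
              "netconn_application_protocol"},
}

def _key(version: str):
    return tuple(int(p) for p in version.split("."))

def resolve_version(constraint: Optional[str], available: Dict[str, Set[str]]) -> str:
    """Map a version_constraint (1.0.0 pinned, 1.0.* patch, 1.*.* minor) to one
    released schema version. Assumption: a wildcard resolves to the highest
    matching release; no constraint resolves to the lowest supported version,
    which is what the post says /validate_filter does by default."""
    if constraint is None:
        return min(available, key=_key)
    parts = constraint.split(".")
    if len(parts) != 3 or not all(p == "*" or p.isdigit() for p in parts):
        raise ValueError(f"malformed version_constraint: {constraint!r}")
    matching = [v for v in available
                if all(c in ("*", x) for c, x in zip(parts, v.split(".")))]
    if not matching:
        raise ValueError(f"no released schema matches {constraint!r}")
    return max(matching, key=_key)

# Assumption: Custom Query filters use "field:value" terms, so a field name is a
# lowercase identifier at the start of a term that is followed by a colon.
FIELD_RE = re.compile(r"(?:^|[\s(])([a-z][a-z0-9_]*):")

def validate_filter(query: str, version_constraint: Optional[str] = None) -> List[str]:
    """Return one error per field missing from the selected schema version
    (an empty list means the filter is accepted)."""
    version = resolve_version(version_constraint, SCHEMA_FIELDS)
    allowed = SCHEMA_FIELDS[version]
    return [f"{f} is not valid for version {version}"
            for f in sorted(set(FIELD_RE.findall(query))) if f not in allowed]

def validate_forwarder(filters: Dict[str, str], version_constraint: Optional[str]) -> Dict[str, List[str]]:
    """Edit Forwarder check: every filter must still be valid under the new
    constraint. Returns {filter_name: errors} for the filters that fail."""
    checked = {name: validate_filter(q, version_constraint) for name, q in filters.items()}
    return {name: errs for name, errs in checked.items() if errs}
```

Calling `validate_filter("netconn_application_protocol:PROTO_HTTP", "1.0.0")` yields the rejection message, while the same query under `"1.*.*"` is accepted because the constraint resolves to 1.1.0.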
