
Announcing the Alert Forwarder v2.1.0

Posted on April 21, 2025


Summary

As of today, the CBC Data Forwarder now supports version 2.1 of the Alert Forwarder. This update brings two significant improvements:

  1. All Alerts whose workflow property is IN PROGRESS or CLOSED will always be included in your Alert Forwarder output. You may see these as "duplicate" copies of the same Alert, carrying the updated workflow and potentially other changed fields.
  2. All relevant Alerts will now include the following fields (already reflected in the Alerts API schema). As with other Forwarder output, a field is only emitted if it is populated in the Alert record:

| Field | Required Product |
| --- | --- |
| alert_origin | MDR |
| ml_classification_anomalies.anomalous_field | Enterprise EDR |
| ml_classification_anomalies.anomalous_field_baseline_values | Enterprise EDR |
| ml_classification_anomalies.anomalous_value | Enterprise EDR |
| ml_classification_anomalies.anomaly_name | Enterprise EDR |

If your organization does not subscribe to MDR or Enterprise EDR, you will not see these new fields, but you will still benefit from the additional Alert records emitted whenever an Alert's workflow changes.
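The extra copies described in item 1 change how a consumer must deduplicate. As an added example (not code from the post or from Carbon Black's own tooling), the Python below keeps the copy with the newest workflow change for each alert id instead of dropping every record whose id has already been seen. The sample records are constructed, and the field names `id`, `workflow.status` and `workflow.change_timestamp` are assumptions taken from the v7 Alerts schema that the Forwarder output mirrors.

```python
"""Collapse the extra copies that Alert Forwarder v2.1.0 emits when an alert's
workflow changes, keeping the most recent copy per alert id.

Sample records and the field names `id`, `workflow.status`,
`workflow.change_timestamp` and `version` are constructed for this example and
assume the v7 Alerts schema the forwarder output mirrors.
"""
import json
from datetime import datetime, timezone
from typing import Dict, Iterable, List

# Constructed sample output: three copies of alert "a-1" as its workflow moves
# OPEN -> IN_PROGRESS -> CLOSED, plus one unrelated alert. The order is
# deliberately not chronological: delivered batches give no ordering guarantee.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    {"id": "a-1", "version": "2.1.0", "severity": 7,
     "workflow": {"status": "IN_PROGRESS", "change_timestamp": "2025-04-21T10:05:00.000Z"}},
    {"id": "a-2", "version": "2.1.0", "severity": 3,
     "workflow": {"status": "OPEN", "change_timestamp": "2025-04-21T09:00:00.000Z"}},
    {"id": "a-1", "version": "2.1.0", "severity": 7,
     "workflow": {"status": "CLOSED", "change_timestamp": "2025-04-21T11:30:00.000Z"}},
    {"id": "a-1", "version": "2.1.0", "severity": 7,
     "workflow": {"status": "OPEN", "change_timestamp": "2025-04-21T09:55:00.000Z"}},
])


def _changed_at(record: dict) -> datetime:
    """Parse workflow.change_timestamp; records without one sort first."""
    ts = (record.get("workflow") or {}).get("change_timestamp")
    if not ts:
        return datetime.min.replace(tzinfo=timezone.utc)
    # "Z" suffix is not accepted by fromisoformat before Python 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_jsonl(text: str) -> List[dict]:
    """One JSON object per non-empty line, as the forwarder delivers them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def latest_by_alert(records: Iterable[dict]) -> Dict[str, dict]:
    """Keep one record per alert id: the copy with the newest workflow change.

    Deduplicating on `id` alone ("drop anything already seen") would discard
    the IN_PROGRESS and CLOSED copies and leave a stale OPEN row behind.
    """
    latest: Dict[str, dict] = {}
    for rec in records:
        cur = latest.get(rec["id"])
        if cur is None or _changed_at(rec) > _changed_at(cur):
            latest[rec["id"]] = rec
    return latest


def workflow_history(records: Iterable[dict]) -> Dict[str, List[str]]:
    """Chronological list of workflow statuses seen for each alert id."""
    by_id: Dict[str, List[dict]] = {}
    for rec in records:
        by_id.setdefault(rec["id"], []).append(rec)
    return {aid: [r["workflow"]["status"] for r in sorted(recs, key=_changed_at)]
            for aid, recs in by_id.items()}


if __name__ == "__main__":
    recs = parse_jsonl(SAMPLE_JSONL)
    for aid, rec in latest_by_alert(recs).items():
        print(aid, rec["workflow"]["status"])
    print(workflow_history(recs))
```

Run it on a downloaded batch by replacing `SAMPLE_JSONL` with the file contents; a SIEM that keys on alert id should upsert using the record returned by `latest_by_alert`, so the closing of an alert in the console is reflected downstream instead of being discarded as a repeat.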


How can I adopt this change?

Customers who wish to benefit from these enhancements must adopt the version 2.1.0 schema of the Alert Forwarder. There are automatic and manual options, depending on the configuration of your Alert Forwarder instance(s).

For customers whose Alert Forwarder is configured for "Minor" schema updates (i.e. version_constraint = 2.*.*), the Alert Forwarder is updated automatically upon release and no further action should be needed. (For more information on how semantic versioning is handled in the Carbon Black Cloud Data Forwarder, please see the separate article on that topic.)

Customers whose Alert Forwarder is not currently using the v2.1.0 schema have several options for adopting this (and potentially future) versions of the Alert Forwarder:

  • Change the Schema updates setting in the CBC console UI for your Alert Forwarder to "Minor". When you save this setting, the Data Forwarder updates your Alert Forwarder to the latest schema. All future minor versions (e.g. 2.2.0, 2.3.1 or later) will be applied automatically upon release.
  • Set the Schema updates setting to "Patch" and update the Schema version/constraint setting to 2.1.*. Future patch versions (e.g. 2.1.2), if any, will be applied automatically upon release, but future minor versions (e.g. 2.2.0 or later) will not.
  • Set the Schema updates setting to "Pinned" and update the Schema version/constraint setting to 2.1.0. Future patch versions (e.g. 2.1.2), if any, will NOT be applied automatically to Alert Forwarders with a "Pinned" configuration.
  • Use the Data Forwarder Config API "Edit Forwarder" endpoint to change the version_constraint field to one of the values 2.*.*, 2.1.* or 2.1.0.
  • You can also create a new Data Forwarder of type Alert and use one of the settings combinations above.

How can I verify whether my Forwarder is using the current version?

Many Alert Forwarders created before July 2023 are still using a PINNED 2.0.0 version of the Alert Forwarder schema. If you would prefer to upgrade, confirm your Alert Forwarders’ status and then use the steps above:

  • Console UI: From the Settings > Data Forwarders page, look for any forwarders of Type = Alert that show the yellow "Outdated" warning.
  • API: Call the GET /configs or GET /configs/{config_id} route and read that forwarder instance's version_constraint field. If the value is not one of "2.*.*", "2.1.*" or "2.1.0" (the constraints that resolve to v2.1.0 as of the current Alert Forwarder schema versions), the instance is not configured to receive the v2.1.0 schema and should be updated with PUT /configs/{config_id}.
  • Forwarder output: each record your Alert Forwarder delivers to AWS or Azure carries a version field. If that value is not "2.1.0", the record was not produced under the v2.1.0 schema. Only records emitted after a configuration change carry the new value, so check recent batches rather than archived ones.
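The adoption and verification steps above (the "How can I adopt this change?" list and the three checks just described), worked through in Python as an added example that is not code from the post or from the Carbon Black Cloud SDK. Taken from the post: the GET /configs, GET /configs/{config_id} and PUT /configs/{config_id} routes, the `type` and `version_constraint` config fields, and the `version` field of each output record. Assumed for the example: the org-scoped base path `/data_forwarder/v2/orgs/{org_key}`, the `X-Auth-Token` header format, that the edit endpoint accepts the full config object, and all sample configs and records, which are constructed.

```python
"""Audit Alert Forwarder configs for the v2.1.0 schema, build the Config API
edit that moves a forwarder onto it, and check received output records.

From the post: GET /configs, GET /configs/{config_id}, PUT /configs/{config_id},
the `type` and `version_constraint` fields, and the output record's `version`.
Assumed here: the org-scoped base path, the X-Auth-Token format, that PUT takes
the full config object, and all sample data (constructed).
"""
import json
import urllib.request
from typing import Dict, Iterable, List, Optional

# Constraints that resolve to the v2.1.0 Alert Forwarder schema as of this post.
# Once a 2.2.0 ships, "2.*.*" follows it while "2.1.*" and "2.1.0" stay behind.
CURRENT_CONSTRAINTS = {"2.*.*", "2.1.*", "2.1.0"}

# Constructed sample of a GET /configs response.
SAMPLE_CONFIGS = [
    {"id": "c-siem", "name": "SIEM alerts", "type": "alert",
     "version_constraint": "2.0.0", "enabled": True},
    {"id": "c-lake", "name": "Lake alerts", "type": "alert",
     "version_constraint": "2.*.*", "enabled": True},
    {"id": "c-evt", "name": "Endpoint events", "type": "endpoint.event",
     "version_constraint": "1.*.*", "enabled": True},
]

# Constructed sample of forwarder output as landed in the bucket (JSON lines).
SAMPLE_OUTPUT = "\n".join(json.dumps(r) for r in [
    {"id": "a-1", "version": "2.1.0", "alert_origin": "MDR"},
    {"id": "a-2", "version": "2.1.0"},
    {"id": "a-3", "version": "2.0.0"},
])


def outdated_alert_forwarders(configs: Iterable[dict]) -> List[dict]:
    """Alert-type forwarders whose constraint will not deliver v2.1.0.
    The console shows Type = Alert; the API value is compared case-insensitively."""
    return [c for c in configs
            if str(c.get("type", "")).lower() == "alert"
            and c.get("version_constraint") not in CURRENT_CONSTRAINTS]


def edit_body(config: dict, constraint: str = "2.*.*") -> dict:
    """Body for PUT /configs/{config_id}: the config as fetched, with only
    version_constraint changed. "2.*.*" = Minor, "2.1.*" = Patch,
    "2.1.0" = Pinned (the last two will not follow a future 2.2.0)."""
    if constraint not in CURRENT_CONSTRAINTS:
        raise ValueError(f"{constraint!r} does not resolve to the v2.1.0 schema")
    body = dict(config)  # copy so the fetched object is left untouched
    body["version_constraint"] = constraint
    return body


def output_versions(jsonl: str) -> Dict[str, int]:
    """Count output records per `version`; any key other than "2.1.0" means
    that record was not produced by the v2.1.0 schema."""
    counts: Dict[str, int] = {}
    for line in jsonl.splitlines():
        if line.strip():
            v = json.loads(line).get("version", "<missing>")
            counts[v] = counts.get(v, 0) + 1
    return counts


def cbc_request(host: str, org_key: str, api_id: str, api_secret: str,
                method: str, path: str, body: Optional[dict] = None) -> dict:
    """Assumed request shape for the Data Forwarder Config API (not exercised
    offline): https://{host}/data_forwarder/v2/orgs/{org_key}{path} with an
    X-Auth-Token of "<secret>/<id>". Verify both against the API reference."""
    url = f"https://{host}/data_forwarder/v2/orgs/{org_key}{path}"
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "X-Auth-Token": f"{api_secret}/{api_id}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Offline walk-through on the constructed samples. Against a live org,
    # replace SAMPLE_CONFIGS with cbc_request(..., "GET", "/configs") and send
    # each edit with cbc_request(..., "PUT", f"/configs/{cfg['id']}", body).
    for cfg in outdated_alert_forwarders(SAMPLE_CONFIGS):
        print(f"outdated: {cfg['id']} ({cfg['version_constraint']})")
        print("  PUT /configs/%s %s" % (cfg["id"], json.dumps(edit_body(cfg))))
    print("output versions:", output_versions(SAMPLE_OUTPUT))
```

The audit deliberately treats only the three constraints named in the post as current: a forwarder pinned at 2.0.0 and one left on a 1.x constraint both surface as outdated, while a non-alert forwarder is ignored regardless of its version. Use an API key with only the Data Forwarder permissions needed for the GET and PUT calls, and run `output_versions` against a batch delivered after the edit, since earlier batches keep the version they were produced with.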

Container EOL impact

We would also like to remind Alert Forwarder customers that, with the upcoming end of life of the Carbon Black Cloud Containers product, the following fields are now marked Deprecated and will stop being emitted with any Alerts once that product is no longer supported. They will remain in our documentation so that customers who have archived this data have a complete definition of everything they have received. Because Forwarder output only includes populated fields, downstream parsers should already treat these fields as optional rather than required.

  • connection_type
  • egress_group_id
  • egress_group_name
  • ip_reputation
  • k8s_cluster
  • k8s_kind
  • k8s_namespace
  • k8s_pod_name
  • k8s_policy
  • k8s_policy_id
  • k8s_rule
  • k8s_rule_id
  • k8s_workload_name
  • remote_is_private
  • remote_k8s_kind
  • remote_k8s_namespace
  • remote_k8s_pod_name
  • remote_k8s_workload_name



With these updates, the Alert Forwarder continues to evolve to meet the needs of our customers - delivering richer data and better alignment with your workflows. I look forward to your feedback (please reply or reach out!) as you adopt version 2.1.0, and we’ll continue to share improvements as they’re released. Thanks for being part of the Carbon Black Cloud community.

