Data Forwarder Schema and API
Introduction
There are several sets of information about the Data Forwarder, each specific to a task;
- Configuring a Data Forwarder using the Carbon Black Cloud console is described in the User Guide. This is the recommended way to configure a new Forwarder or modify an existing one.
- Configuring a Data Forwarder using the Data Forwarder API supports the same operations as the Carbon Black Cloud console exposes. This is recommended for service providers or similar organizations that create multiple Forwarders with the same configuration.
- The Data Forwarder Schema defines the structure of data emitted by the Data Forwarder for each type of Forwarder, e.g. Alert, Auth Event, Endpoint Event, Watchlist Hit. Use this to understand the fields that are included in the output of each type of Forwarder.
- Configuration Guide which has step by step instructions to configure the Destination / Provider. The options available are:
- AWS S3 Bucket
- Azure Blob Storage, released in January 2024.
Latest
Output Schema
| Schema | Release Date |
|---|---|
| alert 2.1.0 | April, 2025 |
| endpoint.event 1.2.0 | May, 2025 |
| watchlist.hit 1.0.0 | December, 2021 |
| auth.event 1.0.0 | February, 2024 |
Configuration API
| Schema | Release Date |
|---|---|
| Data Forwarder API v2 | November, 2021 |
Deprecated
Output Schema
| Schema | Deprecated Date | Targeted Deactivation Date |
|---|---|---|
| alert 2.0.0 | April, 2025 | |
| endpoint.event 1.0.0 | December, 2023 | |
| endpoint.event 1.1.0 | May, 2025 |
Integrations
See our latest integrations that utilize the Data Forwarder to enhance customer workflows.
| Name | Description | Version | Release Date | Supported Products |
|---|---|---|---|---|
| QRadar App | Configures a connection in QRadar to ingest alerts, audit logs, and events from Carbon Black Cloud using the Data Forwarder and APIs into IBM QRadar. Actions such as quarantining devices and adding IOCs to watchlists can be initiated in QRadar to take effect in Carbon Black Cloud. | 2.3.0 | 2024-06-05 | Platform Workload Enterprise EDR Endpoint Standard |
| Service Now: ITSM App SecOps App Vulnerability Response (VR) App |
Ingest Alerts and Vulnerabilities from Carbon Black Cloud to Service Now and automatically create Service Now incidents to track the resolution. A large set of actions such as quarantining devices are available to be initiated in ServiceNow and take effect in Carbon Black Cloud. | ITSM App: 3.0.0 SecOps App: 3.0.0 VR: 2.0.0 |
2024-03 | Platform Workload Enterprise EDR Endpoint Standard |
| Splunk SIEM App | Lets administrators bring alerts, events, audit logs, and vulnerability data from Carbon Black Cloud into their Splunk dashboard. | 2.2.4 | 2024-12-12 | Platform Workload Enterprise EDR Endpoint Standard Audit and Remediation |
Last modified on May 16, 2025