Data Forwarder Schema and API
Introduction
There are two sets of information about the Data Forwarder;
- The Data Forwarder API which is used to configure new or modify existing data forwarders. All operations available through the API can also be done through the Carbon Black Cloud console and are described in the User Guide.
- The Data Forwarder Schema which defines the structure of data emitted by the Data Forwarder for each type of Forwarder, e.g. Alert, Watchlist Hit.
In addition, the Data Forwarder Guide explains how to configure AWS S3 buckets and other setup steps.
Latest
Output Schema
| Schema | Release Date |
|---|---|
| alert 2.0.0 | July, 2023 |
| endpoint.event 1.0.0 | December, 2019 |
| watchlist.hit 1.0.0 | December, 2021 |
Configuration API
| Schema | Release Date |
|---|---|
| Data Forwarder API v2 | November, 2021 |
Deprecated
Output Schema
| Schema | Deprecated Date | Targeted Deactivation Date |
|---|---|---|
| alert 1.0.0 | July, 2023 | July 31, 2024 |
Configuration API
| Document | Deprecated Date | Targeted Deactivation Date |
|---|---|---|
| Data Forwarder Configuration API v1 | November, 2021 | July 31, 2024 |
Integrations
See our latest integrations that utilize the Data Forwarder to enhance customer workflows.
| Name | Description | Version | Release Date | Supported Products |
|---|---|---|---|---|
| QRadar App | Configures a connection in QRadar to ingest alerts, audit logs, and events from Carbon Black Cloud using the Data Forwarder and APIs into IBM QRadar. Actions such as quarantining devices and adding IOCs to watchlists can be initiated in QRadar to take effect in Carbon Black Cloud. | 2.2.0 | 2023-05-03 | Platform Workload Enterprise EDR Endpoint Standard |
| Service Now: ITSM App SecOps App Vulnerability Response (VR) App |
Ingest Alerts and Vulnerabilities from Carbon Black Cloud to Service Now and automatically create Service Now incidents to track the resolution. A large set of actions such as quarantining devices are available to be initiated in ServiceNow and take effect in Carbon Black Cloud. | ITSM App: 2.1.0 SecOps App: 2.1.0 VR: 1.1.0 |
2022-02 | Platform Workload Enterprise EDR Endpoint Standard |
| Splunk App | Lets administrators bring alerts, events, audit logs, or vulnerability data from Carbon Black Cloud into their Splunk dashboard. | 1.1.10 | 2023-08-17 | Platform Workload Enterprise EDR Endpoint Standard Audit and Remediation |
Give Feedback
Use this form to give us feedback about this site or any of the documentation.
Last modified on September 21, 2023