Data Forwarder Schema and API


Introduction

There are several sets of information about the Data Forwarder, each specific to a task;

  • Configuring a Data Forwarder using the Carbon Black Cloud console is described in the User Guide. This is the recommended way to configure a new Forwarder or modify an existing one.
  • Configuring a Data Forwarder using the Data Forwarder API has the same operations as the Carbon Black Cloud console exposes. This is recommended for service providers or similar organizations that create multiple Forwarders with the same configuration.
  • The Data Forwarder Schema defines the structure of data emitted by the Data Forwarder for each type of Forwarder, e.g. Alert, Watchlist Hit. Use this to understand the fields that are included in the output of each type of Forwarder.
  • Configuration Guide which has step by step instructions to configure the Destination / Provider. The options available are:
    1. AWS S3 Bucket
    2. Azure Blob Storage, released in January 2024.

Latest

Output Schema

Schema Release Date
alert 2.0.0 July, 2023
endpoint.event 1.1.0 December, 2023
watchlist.hit 1.0.0 December, 2021

Configuration API

Schema Release Date
Data Forwarder API v2 November, 2021

Deprecated

Output Schema

Schema Deprecated Date Targeted Deactivation Date
alert 1.0.0 July, 2023 July 31, 2024
endpoint.event 1.0.0 December, 2023

Configuration API

Document Deprecated Date Targeted Deactivation Date
Data Forwarder Configuration API v1 November, 2021 July 31, 2024

Integrations

See our latest integrations that utilize the Data Forwarder to enhance customer workflows.

Name Description Version Release Date Supported Products
QRadar App Configures a connection in QRadar to ingest alerts, audit logs, and events from Carbon Black Cloud using the Data Forwarder and APIs into IBM QRadar. Actions such as quarantining devices and adding IOCs to watchlists can be initiated in QRadar to take effect in Carbon Black Cloud. 2.2.0 2023-05-03 Platform
Workload
Enterprise EDR
Endpoint Standard
Service Now:
ITSM App
SecOps App
Vulnerability Response (VR) App
Ingest Alerts and Vulnerabilities from Carbon Black Cloud to Service Now and automatically create Service Now incidents to track the resolution. A large set of actions such as quarantining devices are available to be initiated in ServiceNow and take effect in Carbon Black Cloud. ITSM App: 2.1.0
SecOps App: 2.1.0
VR: 1.1.0
2022-02 Platform
Workload
Enterprise EDR
Endpoint Standard
Splunk App Lets administrators bring alerts, events, audit logs, or vulnerability data from Carbon Black Cloud into their Splunk dashboard. 1.1.10 2023-08-17 Platform
Workload
Enterprise EDR
Endpoint Standard
Audit and Remediation

Give Feedback

New survey coming soon!


Last modified on January 17, 2024