Data Forwarder Schema
Introduction
This document describes the available data schemas that the data forwarder can forward today and the fields each schema contains.
Getting Started
If you have not created a Data Forwarder, see the Data Forwarder Configuration API Documentation or check out the Carbon Black Cloud User Guide - Settings - Data Forwarders for how to create one in the Carbon Black Cloud console.
For setting up the AWS S3 bucket, bucket policy, bucket encryption and more, check out the Integrations > Data Forwarder page.
Data Types
Basic data types such as “int” and “string” map directly to the corresponding JSON data types. Additional data types are described below:
- Base64 - JSON string containing base64 encoded binary data.
- Ipaddr - JSON string containing canonically formatted IPv4 or IPv6 address.
- Datetime - JSON string containing ISO 8601 date/time format. If no time zone is included, UTC is assumed. All timestamps emitted by the Data Forwarder are sent in ISO 8601 format.
- String enum - JSON string containing the stringified version of the enum from the relevant protobuf field, with the common prefix stripped off. For example, “BLOCK”.
- String enum bitmask - Same as above, but for bitmask input fields, with OR " | " markers added between each set bit. For example, a CbFileAction of 0x300 would be “OPEN_READ | OPEN_WRITE”.
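A consumer-side decoder for the types listed above, as an added example (not Carbon Black code). The field names, the type labels in `FIELD_TYPES` and the sample record are constructed for illustration and are not taken from any schema on this page.

```python
import base64
import ipaddress
from datetime import datetime, timezone

def parse_datetime(value):
    """ISO 8601 string -> aware datetime; a missing zone means UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def parse_enum_bitmask(value):
    """'OPEN_READ | OPEN_WRITE' -> frozenset of the set flag names."""
    return frozenset(p.strip() for p in value.split("|") if p.strip())

DECODERS = {
    "base64": lambda v: base64.b64decode(v, validate=True),
    "ipaddr": ipaddress.ip_address,
    "datetime": parse_datetime,
    "enum_bitmask": parse_enum_bitmask,
}

# Hypothetical field names mapped to the data types described above.
FIELD_TYPES = {
    "payload_b64": "base64",
    "remote_ip": "ipaddr",
    "event_time": "datetime",
    "file_action": "enum_bitmask",
}

# Constructed sample record, not real forwarder output.
SAMPLE = {
    "payload_b64": "aGVsbG8=",
    "remote_ip": "2001:db8::1",
    "event_time": "2024-02-26T10:15:30.123",  # no zone: treated as UTC
    "file_action": "OPEN_READ | OPEN_WRITE",
}

def normalize(record, field_types):
    """Decode typed fields; report failures instead of dropping the record."""
    out, errors = dict(record), {}
    for field, kind in field_types.items():
        if field not in record:
            continue
        try:
            out[field] = DECODERS[kind](record[field])
        except (ValueError, TypeError, AttributeError) as exc:
            errors[field] = str(exc)  # keep the raw value in `out`
    return out, errors

if __name__ == "__main__":
    print(normalize(SAMPLE, FIELD_TYPES))
```

Fields that fail to decode keep their raw string and are listed in the returned error map, so a malformed value can be flagged during ingestion without losing the rest of the event.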
All Schemas
Latest
Schema | Release Date |
---|---|
alert 2.0.0 | July, 2023 |
endpoint.event 1.1.0 | December, 2023 |
watchlist.hit 1.0.0 | December, 2021 |
auth.event 1.0.0 | February, 2024 |
Deprecated
Schema | Deprecated Date | Targeted Deactivation Date |
---|---|---|
alert 1.0.0 | July, 2023 | September 5, 2024 |
endpoint.event 1.0.0 | December, 2023 |
Last modified on February 26, 2024