Data Forwarder Schema


This document describes the available data schemas that the data forwarder can forward today and the fields each schema contains.

Getting Started

If you have not created a Data Forwarder, see the Data Forwarder Configuration API Documentation or the Carbon Black Cloud User Guide - Settings - Data Forwarders for how to create one in the Carbon Black Cloud console.

For setting up the AWS S3 bucket, bucket policy, bucket encryption and more, see the Integrations > Data Forwarder page.

Data Types

Basic data types such as “int” and “string” map directly to the corresponding JSON data types. Additional data types are described below:

  • Base64 - JSON string containing base64 encoded binary data.
  • Ipaddr - JSON string containing canonically formatted IPv4 or IPv6 address.
  • Datetime - JSON string containing ISO 8601 date/time format. If no time zone is included, UTC is assumed. All timestamps emitted by the Data Forwarder are sent in ISO 8601 format.
  • String enum - JSON string containing the stringified version of the enum from the relevant protobuf field, with the common prefix stripped off. For example, “BLOCK”.
  • String enum bitmask - Same as above, but for bitmask input fields, with OR " | " markers added between each set bit. For example, a CbFileAction of 0x300 would be “OPEN_READ | OPEN_WRITE”.
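
The following is an added example, not code from the Data Forwarder documentation or product: a consumer-side decoder that converts each of the data types above into a native value, so that timestamps compare in UTC and bitmask flags are matched as exact names rather than substrings. The field names and the sample record are hypothetical and constructed for illustration.

```python
import base64
import ipaddress
import json
from datetime import datetime, timezone

def parse_datetime(value):
    """Datetime: ISO 8601 string; a value without a time zone is UTC."""
    # Older Python versions reject a trailing "Z" in fromisoformat().
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

def parse_enum_bitmask(value):
    """String enum bitmask: 'A | B' -> frozenset({'A', 'B'})."""
    return frozenset(part.strip() for part in value.split("|") if part.strip())

def parse_ipaddr(value):
    """Ipaddr: IPv4 or IPv6 string; raises ValueError if malformed."""
    return ipaddress.ip_address(value)

def parse_base64(value):
    """Base64: reject characters outside the alphabet instead of skipping them."""
    return base64.b64decode(value, validate=True)

# Hypothetical field names; build the real map from the schema being consumed.
FIELD_TYPES = {
    "example_time": parse_datetime,
    "example_ip": parse_ipaddr,
    "example_blob": parse_base64,
    "example_action": parse_enum_bitmask,
}

# Constructed sample record, not real forwarder output.
SAMPLE = json.dumps({
    "example_time": "2024-02-26T10:15:30",
    "example_ip": "2001:db8::1",
    "example_blob": "aGVsbG8=",
    "example_action": "OPEN_READ | OPEN_WRITE",
})

def decode_record(line, field_types=FIELD_TYPES):
    """Parse one JSON record and convert the typed fields it contains."""
    record = json.loads(line)
    for name, parser in field_types.items():
        if record.get(name) is not None:
            record[name] = parser(record[name])
    return record
```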

All Schemas


Schema                  Release Date
alert 2.0.0             July, 2023
endpoint.event 1.1.0    December, 2023
watchlist.hit 1.0.0     December, 2021
auth.event 1.0.0        February, 2024


Schema                  Deprecated Date    Targeted Deactivation Date
alert 1.0.0             July, 2023         July 31, 2024
endpoint.event 1.0.0    December, 2023

Last modified on February 26, 2024