Carbon Black Cloud Data Forwarder


The VMware Carbon Black Cloud platform provides SOC teams with visibility into a high volume of endpoint event context, which is critical for detection and incident response use cases. The Data Forwarder delivers that valuable endpoint event data to an AWS S3 bucket or Azure BLOB storage, ready for consumption by third-party solutions, such as XDR platforms, SIEMs, and Data Lake tools.


  • Carbon Black Cloud Endpoint Standard or Enterprise EDR
  • Amazon Simple Storage Service (Amazon S3) or Azure Blob Storage

  • Configured S3 bucket in the same region as the tenant organization from which you’ll forward data.
    • It is possible to work around this requirement using S3 Cross-Region Replication (CRR).
    • Supports Alerts, Watchlist Hits and Endpoint Events
  • Or: Configured Azure BLOB storage
    • Supports Alerts and Watchlist Hits

Quick Links

There are several sets of information about the Data Forwarder, each specific to a task:

  • Configuring a Data Forwarder using the Carbon Black Cloud console is described in the User Guide. This is the recommended way to configure a new Forwarder or modify an existing one.
  • Configuring a Data Forwarder using the Data Forwarder API offers the same operations that the Carbon Black Cloud console exposes. This is recommended for service providers or similar organizations that create multiple Forwarders with the same configuration.
  • The Data Forwarder Schema defines the structure of data emitted by the Data Forwarder for each type of Forwarder, e.g. Alert, Watchlist Hit. Use this to understand the fields that are included in the output of each type of Forwarder.
  • The Configuration Guide has step-by-step instructions to configure the Destination / Provider. The options available are:
    1. AWS S3 Bucket
    2. Azure Blob Storage, released in January 2024.
  • Getting Started with Custom Query Filters. Use this when you want to configure filters to limit the endpoint event data sent by a Forwarder.

Use Cases

Check out top use cases for the Forwarder and useful queries for filtering your data.

The Data Forwarder is generally recommended for customers who:

  • Have a high volume of data: Alerts, Watchlist Hits or Endpoint Events.
  • Have access to an AWS S3 bucket or Azure BLOB storage container. See the Announcement of the Azure Destination.
  • Want notifications on all alerts; the Alerts v7 API enables selection of Alerts using search criteria, whereas the Forwarder sends all Alerts.
  • Want to forward all Endpoint Events or Watchlist Hits; these are not available via API.

Support and Resources

  • Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.
  • Report bugs and change requests to Carbon Black Support.
  • View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.

Last modified on January 17, 2024