Carbon Black Cloud: Getting Started With the Data Forwarder
Article ID: 292124
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
How to get started with and best practices for the Carbon Black Cloud Data Forwarder.
Environment
- Carbon Black Cloud Console: All Versions
Resolution
Setup Overview:
- Decide on a use case and necessary Event Type for the Data Forwarder, such as Alert triage, SIEM integration, or watchlist reporting.
- Alert: All available Alerts.
- Endpoint Event: All available endpoint telemetry.
- Watchlist Hit: All available Watchlist hits.
- Configure your AWS S3 Bucket or Azure Blob Storage to receive data from Carbon Black Cloud.
- Add a Data Forwarder in the Carbon Black Cloud Console.
Tip: If using the Endpoint Event forwarder type, there are three methods of configuring which data is sent.- Basic Data Filter: Structured form input within the Console
- Custom Query Data Filter: Custom lucene syntax queries within the Console
- API: Custom lucene syntax using the Data Forwarder API
- Fetch the forwarded data from the destination or connect other tools to process the data, including SIEM solutions like Splunk, QRadar, or ServiceNow.
Additional Information
- Currently, the Endpoint Event type is unavailable for Azure Blob Storage.
- For an end-to-end guide on using Data Forwarder with Splunk, refer to this article and the associated video.
Feedback
Yes
No
Powered by
