---
title: Getting Started with Datadog
description: Collect your Carbon Black Defense Logs
breadcrumbs: Docs > Integrations > Carbon Black
---

# Carbon Black

{% callout %}
# Important note for users on the following Datadog sites: us2.ddog-gov.com

{% alert level="info" %}
To find out if this integration is available in your organization, see your [Datadog Integrations](https://app.datadoghq.com/integrations) page or ask your organization administrator.

To initiate an exception request to enable this integration for your organization, email [support@ddog-gov.com](mailto:support@ddog-gov.com).
{% /alert %}

{% /callout %}

## Overview{% #overview %}

Use the Datadog-Carbon Black integration to forward your Carbon Black EDR events and alerts as Datadog logs.

## Setup{% #setup %}

### Installation{% #installation %}

Datadog uses Carbon Black's event forwarder and Datadog's Lambda forwarder to collect Carbon Black events and alerts from your S3 bucket.

Carbon Black provides a [Postman collection](https://documenter.getpostman.com/view/7740922/SWE9YGSs?version=latest) for the API that you use to create the Carbon Black event forwarder.

#### Configuration{% #configuration %}

1. [Install the Datadog Forwarder](https://docs.datadoghq.com/logs/guide/forwarder.md).
1. [Create a bucket in your AWS Management Console](https://community.carbonblack.com/t5/Developer-Relations/Carbon-Black-Cloud-Data-Forwarder-Quick-Setup-amp-S3-Bucket/td-p/89194#create-a-bucket) to forward events to.
1. [Configure the S3 bucket to allow the Carbon Black forwarder to write data](https://community.carbonblack.com/t5/Developer-Relations/Carbon-Black-Cloud-Data-Forwarder-Quick-Setup-amp-S3-Bucket/td-p/89194#configure-bucket-to-write-events).
   - **Important**: The S3 bucket must have a prefix with the keyword `carbon-black` in which the CB events come in. This allows Datadog to recognize the source of the logs correctly.
1. [Create an access level in the Carbon Black Cloud console](https://community.carbonblack.com/t5/Developer-Relations/Carbon-Black-Cloud-Data-Forwarder-Quick-Setup-amp-S3-Bucket/td-p/89194#create-access-level).
1. [Create an API key in the Carbon Black Cloud console](https://community.carbonblack.com/t5/Developer-Relations/Carbon-Black-Cloud-Data-Forwarder-Quick-Setup-amp-S3-Bucket/td-p/89194#create-new-api-key).
1. [Configure the API in Postman](https://community.carbonblack.com/t5/Developer-Relations/Carbon-Black-Cloud-Data-Forwarder-Quick-Setup-amp-S3-Bucket/td-p/89194#configure-api-in-postman) by updating the value of the following Postman environment variables with the key created above: `cb_url`, `cb_org_key`, `cb_custom_id`, and `cb_custom_key`.
1. [Create two Carbon Black event forwarders](https://community.carbonblack.com/t5/Developer-Relations/Carbon-Black-Cloud-Data-Forwarder-Quick-Setup-amp-S3-Bucket/td-p/89194#create-new-forwarder) with different names for Carbon Black alerts (`"type": "alert"`) and endpoint events (`"type": "endpoint.event"`).
1. [Setup the Datadog Forwarder to trigger on the S3 bucket](https://docs.datadoghq.com/logs/guide/send-aws-services-logs-with-the-datadog-lambda-function.md?tab=awsconsole#collecting-logs-from-s3-buckets).

## Troubleshooting{% #troubleshooting %}

Need help? Contact [Datadog support](https://docs.datadoghq.com/help/).