Carbon Black Cloud Integration

This script integrates Carbon Black Cloud (CBC) with Binalyze AIR. It is written in Python and uses the cbapi library to interact with the CB Defense platform.

Prerequisites

  • Carbon Black Defense API key with the SIEM access level type.

  • A credentials.psc file created with the help of cbapi-defense configure.

  • Binalyze AIR instance URL and webhook name and token.

  • Docker

  • A machine with Network Connection to Binalyze AIR and Carbon Black Cloud instances.

Configuration

  • Create API key

    • Navigate to Settings > API Keys > Add API Key

    • Create an API Key with Access Level SIEM and Copy both keys

      • API ID, used as the Connector ID

      • API Secret Key, used as the API Key

    • Create an Alert Notification

      • Navigate to Settings > Notification > Add Notification

        • Fill in the necessary details

        • Select the Created API Key on the first step

        • Save

  • Create a webhook

    • Click Webhook on the left-hand pane

    • Click + New Webhook

    • Select Carbon Black Parser from Parser

    • Fill in all the necessary information and save

    • Copy the Webhook URL, and paste it as the value of AIR_WEBHOOK_URL in .env.

  • Create credentials.defense file

    • Install cbapi

    • Run cbapi-defense configure and follow the instructions. Please refer to Carbon Black Documentation for more information.

    • A credentials.defense file will be created; copy it to the current working directory.

Usage

  • Clone the repo

  • Follow the Configuration part and make the proper changes.

  • Run docker build -t carbonblack-air-integration . and finally docker run --env-file=.env carbonblack-air-integration

  • The script will start running and will listen to new Carbon Black alerts. Once a new alert is detected, it will send an acquisition request to the specified Binalyze AIR instance.

  • A message appears when an acquisition request has been sent to the device.

  • If an error occurs, the script will print the error message and log it in the integration.log file.
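The polling loop described in the Usage steps (watch for new Carbon Black alerts, send one acquisition request per new alert to AIR, log errors to integration.log) can be demonstrated with a small forwarder. The block below is an added example, not the code from the binalyze/carbonblack-air repository. It assumes the notification field names (deviceInfo.deviceId, deviceInfo.deviceName, threatInfo.incidentId, threatInfo.score) and the JSON body it posts to the webhook; the real AIR Carbon Black Parser expects its own format, and the sample notifications, the webhook URL placeholder and the hypothetical helper names are constructed for this example. In real use the fetch callable would be cbapi's CbDefenseAPI(profile="default").get_notifications and the URL would come from AIR_WEBHOOK_URL in .env.

```python
"""Added example: poll CB Defense notifications and relay new threats to an
AIR webhook. Not the project's own code; field names are assumptions."""
import json
import logging
import os
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Set

log = logging.getLogger("integration")

# Constructed sample shaped like a CB Defense notification list; the field
# names are this example's assumption and should be checked against a real payload.
SAMPLE_NOTIFICATIONS = [
    {
        "type": "THREAT",
        "eventTime": 1700000000000,
        "deviceInfo": {"deviceId": 1001, "deviceName": "WS-FIN-07",
                       "internalIpAddress": "10.20.30.41"},
        "threatInfo": {"incidentId": "INC-CONSTRUCTED-1", "score": 7,
                       "summary": "Script interpreter launched by office application"},
        "url": "https://defense.example/alert/1",
    },
    {
        "type": "POLICY_ACTION",   # no threatInfo: nothing to acquire on
        "eventTime": 1700000001000,
        "deviceInfo": {"deviceId": 1002, "deviceName": "WS-HR-02"},
        "policyAction": {"action": "TERMINATE"},
    },
    {
        "type": "THREAT",          # re-delivery of the first incident
        "eventTime": 1700000002000,
        "deviceInfo": {"deviceId": 1001, "deviceName": "WS-FIN-07",
                       "internalIpAddress": "10.20.30.41"},
        "threatInfo": {"incidentId": "INC-CONSTRUCTED-1", "score": 7,
                       "summary": "duplicate delivery"},
    },
]


def to_air_request(notification: Dict) -> Optional[Dict]:
    """Reduce one notification to the fields an acquisition request needs.
    Returns None for entries with no threat (e.g. POLICY_ACTION) or no device."""
    threat = notification.get("threatInfo")
    device = notification.get("deviceInfo", {})
    if not threat or "deviceId" not in device:
        return None
    return {
        "incident_id": threat.get("incidentId", ""),
        "device_id": str(device["deviceId"]),
        "hostname": device.get("deviceName", ""),
        "ip": device.get("internalIpAddress", ""),
        "score": int(threat.get("score", 0)),
        "summary": threat.get("summary", ""),
        "event_time": notification.get("eventTime", 0),
        "source": notification.get("url", ""),
    }


def dedupe_key(req: Dict) -> str:
    """Incident id when present, else device + event time."""
    return req["incident_id"] or f"{req['device_id']}:{req['event_time']}"


def select_new(notifications: Iterable[Dict], seen: Set[str], min_score: int = 0) -> List[Dict]:
    """Threat notifications not yet forwarded, deduplicated within the batch,
    with a score at or above min_score. Does not modify `seen`."""
    out, batch = [], set()
    for n in notifications:
        req = to_air_request(n)
        if req is None or req["score"] < min_score:
            continue
        key = dedupe_key(req)
        if key in seen or key in batch:
            continue
        batch.add(key)
        out.append(req)
    return out


def post_to_air(webhook_url: str, req: Dict, opener=urllib.request.urlopen) -> int:
    """POST the request as JSON to the webhook URL copied from the AIR UI.
    The body layout is an assumption of this example."""
    data = json.dumps(req).encode()
    http_req = urllib.request.Request(webhook_url, data=data, method="POST",
                                      headers={"Content-Type": "application/json"})
    with opener(http_req, timeout=15) as resp:
        return resp.status


def poll_once(fetch: Callable[[], List[Dict]], webhook_url: str, seen: Set[str],
              sender=post_to_air, min_score: int = 0) -> List[Dict]:
    """One cycle: fetch, filter, forward. A failed send is logged and the
    incident stays unmarked so the next cycle retries it."""
    sent = []
    for req in select_new(fetch(), seen, min_score):
        try:
            status = sender(webhook_url, req)
            seen.add(dedupe_key(req))
            log.info("acquisition request sent for %s (HTTP %s)", req["hostname"], status)
            sent.append(req)
        except Exception as exc:  # network or HTTP failure
            log.error("failed to forward %s: %s", req["incident_id"], exc)
    return sent


if __name__ == "__main__":
    logging.basicConfig(filename="integration.log", level=logging.INFO)
    url = os.environ.get("AIR_WEBHOOK_URL", "https://air.example/webhook/PLACEHOLDER")
    # Dry run on the constructed sample with a sender that never touches the network.
    print(poll_once(lambda: SAMPLE_NOTIFICATIONS, url, set(), sender=lambda u, r: 200))
```

The `seen` set is only updated after a successful POST, so a webhook outage does not silently drop an alert; persisting that set (or the last eventTime) across container restarts is what keeps `docker run` from re-sending every historical notification.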

For more information and script, please visit: https://github.com/binalyze/carbonblack-air
