# Carbon Black Cloud Integration

### Prerequisites

* A Carbon Black Defense API key with the SIEM access level type.
* A credentials.psc file, created with `cbapi-defense configure`.
* The AIR instance URL, webhook name and token.
* Docker
* A machine with network connectivity to both the AIR and Carbon Black Cloud instances.

### Configuration

#### Navigate to Carbon Black Cloud Console

* Create an API key
  * Navigate to **Settings > API Keys > Add API Key**
  * Create an API key with *Access Level* SIEM and copy both keys:
    * API ID (*Connector ID*)
    * API Secret Key (*API Key*)
* Create an alert notification
  * Navigate to **Settings > Notification > Add Notification**
  * Fill in the necessary details
  * Select the API key created in the first step
  * Save

#### Navigate to AIR Console

* Create a webhook
  * Click Webhook on the left-hand pane
  * Click **+ New Webhook**
  * Select **Carbon Black Parser** from **Parser**
  * Fill in all the necessary information and save
  * Copy the **Webhook URL** and paste it as the value of `AIR_WEBHOOK_URL` in `.env` (line 1).

#### Navigate to the environment where you want to run the script

* Create the credentials.defense file
  * Install [cbapi](https://cbapi.readthedocs.io/en/latest/installation.html)
  * Run `cbapi-defense configure` and follow the instructions. Refer to the [Carbon Black Documentation](https://developer.carbonblack.com/reference/enterprise-response/guide/getting-started-with-the-cbapi/) for more information.
  * A credentials.defense file will be created; copy it to the current working directory.
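
Before building the image, it is worth confirming that the two files these steps produce are in place and not readable by other local users, since `credentials.defense` holds the Carbon Black API key and `.env` holds the AIR webhook URL. The preflight check below is an added example, not part of the carbonblack-air repository; the function names `preflight` and `too_open` are illustrative, and it assumes both files sit in the same directory.

```sh
# Added example: preflight check for the files the Configuration steps produce.
# Assumptions: .env and credentials.defense sit in the same directory, and .env
# uses plain KEY=value lines as `docker run --env-file` expects.

# True if file $1 is readable by group or others (POSIX find -perm).
too_open() {
  [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Print one line per problem found in directory $1 (default: current directory).
# Runs in a subshell so its variables stay local; exit status 0 means no problems.
preflight() (
  dir=${1:-.}
  problems=0
  note() { echo "preflight: $*"; problems=$((problems + 1)); }

  for f in "$dir/.env" "$dir/credentials.defense"; do
    if [ ! -f "$f" ]; then
      note "$f is missing"
    elif too_open "$f"; then
      note "$f is readable by group/others; run: chmod 600 $f"
    fi
  done

  if [ -f "$dir/.env" ]; then
    url=$(sed -n 's/^AIR_WEBHOOK_URL=//p' "$dir/.env" | tail -n 1)
    case $url in
      '')        note "AIR_WEBHOOK_URL is empty or not set in .env" ;;
      \"*|\'*)   note "AIR_WEBHOOK_URL is quoted; --env-file passes the quotes through" ;;
      https://*) ;;
      *)         note "AIR_WEBHOOK_URL is not https; requests to AIR would travel unencrypted" ;;
    esac
  fi

  [ "$problems" -eq 0 ]
)

# Usage: preflight . && docker run --env-file=.env carbonblack-air-integration
```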

### Usage

* Clone the repo
* Follow the Configuration part and make the proper changes.
* Run `docker build -t carbonblack-air-integration .` and finally `docker run --env-file=.env carbonblack-air-integration`
* The script will start running and will listen to new Carbon Black alerts. Once a new alert is detected, it will send an acquisition request to the specified AIR instance.
* A message appears when an acquisition request has been sent to the device.
* If an error occurs, the script will print the error message and log it in the integration.log file.

For more information and the script itself, visit: <https://github.com/binalyze/carbonblack-air>
