Carbon Black Cloud Integration

Prerequisites

• Carbon Black Defense API key with access level type.

• Creating a credentials.psc file with the help of cbapi-defense configure

• AIR instance URL and webhook name and token.

• Docker

• A machine with Network Connection to AIR and Carbon Black Cloud instances.

Configuration

Navigate to Carbon Black Cloud Console

• Create API key

  • Navigate to Settings > API Keys > Add API Key

  • Create an API Key with Access Level SIEM and Copy both keys

    • API ID Connector ID

    • API Secret Key API Key

  • Create an Alert Notification

    • Navigate to **Settings > Notification > Add Notification

      • Fill in the necessary details

      • Select the Created API Key on the first step

      • Save

Navigate to AIR Console

• Create a webhook

  • Click Webhook on the left-hand pane

  • Click + New Webhook

  • Select Carbon Black Parser from Parser

  • Fill in all the necessary information and save

  • Copy the Webhook URL, and paste it to the value of AIR_WEBHOOK_URL in .env:1.

Navigate the environment you want to run the script

• Create credentials.defense file

  • Install cbapi

  • Run cbapi-defense configure and follow the instructions. Please refer to Carbon Black Documentation for more information.

  • A credentials.defense file will be created and copy it to the current working directory.

Usage

• Clone the repo

• Follow the Configuration part and make the proper changes.

• Run docker build -t carbonblack-air-integration . and finally docker run --env-file=.env carbonblack-air-integration

• The script will start running and will listen to new Carbon Black alerts. Once a new alert is detected, it will send an acquisition request to the specified AIR instance.

• A message appears when an acquisition request has been sent to the device.

• If an error occurs, the script will print the error message and log it in the integration.log file.

For more information and script, please visit: https://github.com/binalyze/carbonblack-air