Carbon Black Cloud
This script integrates Carbon Black Cloud (CBC) with Binalyze AIR. It is written in Python and uses the CBAPI library to read alert notifications from the CB Defense API. Before you start you need:
- A Carbon Black Cloud API key with Access Level type SIEM (the script only reads notifications, so do not grant it a broader access level).
- A cbapi credentials file (credentials.defense), created with `cbapi-defense configure` as described below.
- The Binalyze AIR instance URL and the webhook name and token.
- A machine with network connectivity to both the Binalyze AIR and Carbon Black Cloud instances.
- Create an API key
  - Navigate to Settings > API Keys > Add API Key
  - Create an API Key with Access Level SIEM and copy both values. Carbon Black and cbapi name them differently:
    - API ID is what cbapi calls the Connector ID
    - API Secret Key is what cbapi calls the API Key
- Create an alert notification
  - Navigate to **Settings > Notification > Add Notification**
  - Fill in the necessary details
  - Select the API key created in the first step
- Create a webhook in Binalyze AIR
  - Click Webhook on the left-hand pane
  - Click + New Webhook
  - Select Carbon Black Parser under Parser
  - Fill in all the necessary information and save
  - Copy the Webhook URL and paste it as the value of AIR_WEBHOOK_URL in .env. The URL embeds the webhook token, so treat .env as a secret and keep it out of version control.
- Create the credentials.defense file
  - Run `cbapi-defense configure` and follow the prompts, entering the Connector ID and API Key from the API key step. Refer to the Carbon Black documentation for more information.
  - A credentials.defense file is created; copy it into the current working directory.
- Clone the repo
- Follow the configuration steps above and make the proper changes.
- Build the image with `docker build -t carbonblack-air-integration .` and finally run it with `docker run --env-file=.env carbonblack-air-integration`
- The script starts and listens for new Carbon Black alerts. Whenever a new alert is detected, it sends an acquisition request for the affected device to the configured Binalyze AIR instance.
- A message is printed when an acquisition request has been sent to the device.
- If an error occurs, the script prints the error message and logs it in the integration.log file.
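The loop below is an added example of the poll-and-forward behaviour described above; it is not the project's own code. It assumes that cbapi's `CbDefenseAPI.get_notifications()` returns the SIEM notification list for the configured key, and that AIR's Carbon Black Parser accepts the raw notification JSON by POST (assumptions, not stated on this page). The sample notifications are constructed and only shaped like CBC notification output. Two points the README leaves implicit are made explicit: the webhook URL carries the AIR token, so it is refused unless it is https, and each eventId is forwarded only once so a redelivered notification cannot trigger a second acquisition.

```python
"""Forward Carbon Black Cloud SIEM notifications to a Binalyze AIR webhook.

Added example, not the project's own code. Assumptions (not from the README):
AIR's Carbon Black Parser takes the raw CBC notification JSON, and the
notification field names follow the CBC notification API.
"""
import json
import logging
import os
import urllib.request
from urllib.parse import urlparse

LOG = logging.getLogger("cbc_air_integration")


def air_webhook_url(env=None):
    """Read AIR_WEBHOOK_URL (from .env via docker --env-file) and require https.

    The AIR webhook URL embeds the webhook token; over plain http anyone on the
    path could capture and replay it to trigger acquisitions, so refuse that.
    """
    env = os.environ if env is None else env
    url = env.get("AIR_WEBHOOK_URL", "").strip()
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("AIR_WEBHOOK_URL must be an https:// URL")
    return url


def post_json(url, payload, timeout=15):
    """POST a JSON body and return the HTTP status code."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def forward(notifications, url, seen, post=post_json):
    """Send each new THREAT notification to AIR once; return (sent, failed) eventIds.

    `seen` is the caller's set of eventIds already forwarded: the notification
    API may redeliver an event, and one acquisition per alert is enough.
    Failures are logged, not added to `seen`, so they are retried next poll.
    """
    sent, failed = [], []
    for n in notifications:
        event_id = n.get("eventId")
        device = (n.get("deviceInfo") or {}).get("deviceName")
        if n.get("type") != "THREAT" or not event_id or not device:
            continue  # nothing to acquire: not a threat, or no endpoint named
        if event_id in seen:
            continue
        try:
            status = post(url, n)  # assumption: parser accepts the raw notification
            if status not in (200, 201, 202):
                raise RuntimeError("AIR webhook returned HTTP %d" % status)
        except Exception as exc:  # log and keep polling, as the README describes
            LOG.error("eventId=%s device=%s: %s", event_id, device, exc)
            failed.append(event_id)
            continue
        seen.add(event_id)
        sent.append(event_id)
        print("Acquisition request sent to %s (rule: %s)" % (device, n.get("ruleName")))
    return sent, failed


# Constructed sample, shaped like CBC notification-API output (not real alerts).
SAMPLE_NOTIFICATIONS = [
    {"eventId": "evt-0001", "type": "THREAT", "ruleName": "Ransomware",
     "threatInfo": {"score": 8, "summary": "Known malware detected"},
     "deviceInfo": {"deviceId": 1234, "deviceName": "WS-FINANCE-07"}},
    {"eventId": "evt-0002", "type": "POLICY_ACTION", "ruleName": "Default policy",
     "deviceInfo": {"deviceId": 1235, "deviceName": "WS-HR-02"}},
    {"eventId": "evt-0001", "type": "THREAT", "ruleName": "Ransomware",  # redelivered
     "deviceInfo": {"deviceId": 1234, "deviceName": "WS-FINANCE-07"}},
]


if __name__ == "__main__":
    import time
    from cbapi.defense import CbDefenseAPI  # reads credentials.defense

    logging.basicConfig(filename="integration.log", level=logging.INFO,
                        format="%(asctime)s %(levelname)s %(message)s")
    webhook = air_webhook_url()
    cb = CbDefenseAPI(profile="default")
    forwarded = set()
    while True:
        try:
            forward(cb.get_notifications(), webhook, forwarded)
        except Exception as exc:  # e.g. CBC unreachable or the SIEM key rejected
            LOG.error("polling Carbon Black failed: %s", exc)
        time.sleep(60)
```

Run it with AIR_WEBHOOK_URL set in the environment and credentials.defense in the working directory, exactly as the docker command above does. Note that `post` is injectable so the filtering and dedup logic can be exercised against the constructed sample without a live AIR instance.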