Carbon Black Cloud

This script integrates Carbon Black Cloud (CBC) and Binalyze AIR. It is written in Python and uses the CBAPI library to interact with the CB Defense platform.


  • Carbon Black Defense API key with access level type.
  • Creating a credentials.psc file with the help of cbapi-defense configure
  • Binalyze AIR instance URL and webhook name and token.
  • Docker
  • A machine with Network Connection to Binalyze AIR and Carbon Black Cloud instances.


  • Create API key
    • Navigate to Settings > API Keys > Add API Key
    • Create an API Key with Access Level SIEM and Copy both keys
      • API ID Connector ID
      • API Secret Key API Key
    • Create an Alert Notification
      • Navigate to **Settings > Notification > Add Notification
        • Fill in the necessary details
        • Select the Created API Key on the first step
        • Save
  • Create a webhook
    • Click Webhook on the left-hand pane
    • Click + New Webhook
    • Select Carbon Black Parser from Parser
    • Fill in all the necessary information and save
    • Copy the Webhook URL, and paste it to the value of AIR_WEBHOOK_URL in .env:1.
  • Create credentials.defense file
    • Install cbapi
    • Run cbapi-defense configure and follow the instructions. Please refer to Carbon Black Documentation for more information.
    • A credentials.defense file will be created and copy it to the current working directory.


  • Clone the repo
  • Follow the Configuration part and make the proper changes.
  • Run docker build -t carbonblack-air-integration . and finally docker run --env-file=.env carbonblack-air-integration
  • The script will start running and will listen to new Carbon Black alerts. Once a new alert is detected, it will send an acquisition request to the specified Binalyze AIR instance.
  • A message appears when an acquisition request has been sent to the device.
  • If an error occurs, the script will print the error message and log it in the integration.log file.
For more information and script, please visit: