Carbon Black Cloud Integration
This script integrates Carbon Black Cloud (CBC) and Binalyze AIR. It is written in Python and uses the CBAPI library to interact with the CB Defense platform.
- Carbon Black Defense API key with the required access level type (see the API key step below).
- Creating a credentials.psc file with the help of
- Binalyze AIR instance URL and webhook name and token.
- A machine with network connectivity to both the Binalyze AIR and Carbon Black Cloud instances.
- Create an API key
  - Navigate to Settings > API Keys > Add API Key
  - Create an API key with access level SIEM and copy both keys:
    - API ID (also called Connector ID)
    - API Secret Key (also called API Key)
- Create an alert notification
  - Navigate to **Settings > Notification > Add Notification**
  - Fill in the necessary details
  - Select the API key created in the first step
- Create a webhook
  - Click Webhook on the left-hand pane
  - Click + New Webhook
  - Select Carbon Black Parser from Parser
  - Fill in all the necessary information and save
  - Copy the Webhook URL and paste it as the value of AIR_WEBHOOK_URL in .env.
- Clone the repo
- Follow the Configuration part and make the proper changes.
- Build the image and run it with the environment file:

```bash
docker build -t carbonblack-air-integration .
docker run --env-file=.env carbonblack-air-integration
```
- The script will start running and will listen to new Carbon Black alerts. Once a new alert is detected, it will send an acquisition request to the specified Binalyze AIR instance.
- A message appears when an acquisition request has been sent to the device.
- If an error occurs, the script will print the error message and log it in the integration.log file.
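The alert-to-acquisition loop the steps above describe, as an added example that is not the project's own code. It assumes the alerts are the dicts that cbapi's CbDefenseAPI.get_notifications() returns and that the AIR webhook created with the Carbon Black parser accepts the raw notification JSON as its POST body; only THREAT notifications are forwarded, each incident once, and the success and error messages go to integration.log.

```python
import json
import logging
import urllib.request

logging.basicConfig(filename="integration.log", level=logging.INFO,
                    format="%(asctime)s %(levelname)s %(message)s")
log = logging.getLogger("cbc-air")

# Constructed sample notifications (assumption: shape mirrors the dicts that
# cbapi's CbDefenseAPI.get_notifications() returns; values are illustrative).
SAMPLE_NOTIFICATIONS = [
    {"type": "THREAT", "threatInfo": {"incidentId": "INC-1", "score": 8},
     "deviceInfo": {"deviceId": 101, "deviceName": "WS-01"}},
    {"type": "POLICY_ACTION", "policyAction": {"action": "DENY"},
     "deviceInfo": {"deviceId": 102, "deviceName": "WS-02"}},
    {"type": "THREAT", "threatInfo": {"incidentId": "INC-1", "score": 8},
     "deviceInfo": {"deviceId": 101, "deviceName": "WS-01"}},  # seen again on next poll
]

def notification_key(n):
    """Identity used so one incident triggers only one acquisition request."""
    return (n.get("type"), n.get("threatInfo", {}).get("incidentId"),
            n.get("deviceInfo", {}).get("deviceId"))

def post_to_webhook(webhook_url, notification, timeout=10):
    """POST the raw notification JSON to the AIR webhook configured with the
    Carbon Black parser (assumption: the parser consumes this body as-is)."""
    req = urllib.request.Request(webhook_url, data=json.dumps(notification).encode(),
                                 method="POST", headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status

def process_notifications(notifications, webhook_url, seen, send=post_to_webhook):
    """Forward each new THREAT notification once; return the device names sent."""
    sent = []
    for n in notifications:
        key = notification_key(n)
        if n.get("type") != "THREAT" or key in seen:
            continue
        device = n.get("deviceInfo", {}).get("deviceName", "unknown")
        try:
            send(webhook_url, n)
        except OSError as exc:  # URLError and HTTPError are OSError subclasses
            log.error("acquisition request for %s failed: %s", device, exc)
            continue
        seen.add(key)
        log.info("acquisition request sent to device %s", device)
        sent.append(device)
    return sent
```

In the running integration, call process_notifications() on each poll with CbDefenseAPI(profile="default").get_notifications() and os.environ["AIR_WEBHOOK_URL"], keeping the same seen set across polls so repeated notifications do not trigger repeated acquisitions.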