binalyze / carbonblack-air

Binalyze AIR and Carbon Black Cloud Integration

Home Page: https://kb.binalyze.com/air/integrations/carbon-black-cloud

License: GNU General Public License v3.0

Dockerfile 15.46% Python 84.54%
dfir dfir-automation incident-response

carbonblack-air's Introduction

Carbon Black & Binalyze AIR Integration Script

This script integrates Carbon Black Cloud (CBC) and Binalyze AIR. It is written in Python and uses the cbapi library to interact with the CB Defense platform. The script listens for notifications from CB, and when a new alert is detected, it sends an acquisition request to the Binalyze AIR instance specified in the air_webhook variable.

Prerequisites

  • Carbon Black Defense API key with the SIEM access level type.
  • Binalyze AIR instance URL and a configured webhook.
  • A credentials.psc file created with the help of cbapi-defense configure.
  • Docker.
  • A correctly configured .env file.
  • A machine with network connectivity to both the Binalyze AIR and Carbon Black instances.

Configuration

Navigate to Carbon Black Cloud Console

  1. Create an API key
    1. Navigate to Settings > API Keys > Add API Key.
    2. Create an API key with Access Level SIEM and copy both values:
      1. API ID (Connector ID).
      2. API Secret Key (API Key).
  2. Create an alert notification
    1. Navigate to Settings > Notification > Add Notification.
      1. Fill in all the necessary details.
      2. Select the API key created in the first step.
      3. Save.

Navigate to Binalyze AIR Console

  1. Create a webhook.
    1. Click Webhook on the left-hand pane.
    2. Click + New Webhook.
    3. Select Carbon Black Parser from Parser.
    4. Fill in all the necessary information and save.
    5. Copy the webhook URL and paste it as the value of AIR_WEBHOOK_URL on line 1 of .env.

On the environment where you want to run the script:

  1. Create the credentials.defense file (see the Carbon Black documentation for more information).
    1. First, install cbapi.
    2. Run cbapi-defense configure and follow the instructions. Refer to the Carbon Black documentation for more information.
    3. A credentials.defense file will be created; copy its contents into the file of the same name in this directory (or replace that file).
    4. Copy the Carbon Black instance hostname and paste it as the value of CB_DEFENSE_SERVER on line 2 of .env.

Usage

  1. Clone the repo.
  2. Follow the Configuration section and make the necessary changes.
  3. Run docker build -t carbonblack-air-integration . and then docker run --env-file=.env carbonblack-air-integration
  4. The script will start running and listen for new alerts from Carbon Black. Once a new alert is detected, it sends an acquisition request to the specified Binalyze AIR instance.
  5. A message appears when an acquisition request has been sent for the device.
  6. If an error occurs, the script prints the error message and logs it in the integration.log file.

Note

  • The script uses the time and requests libraries.
  • The script can be stopped by pressing Ctrl + C.
  • The script queries the alerts from Carbon Black, writes them to query.json and sends a request to the Binalyze AIR console.
  • The script logs all the errors it encounters in the integration.log file.
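As an added example (not the project's own code), one polling cycle of the forwarding loop this README describes: the batch is written to query.json, each unseen alert is forwarded once to the AIR webhook, and a failed request is logged to integration.log and left unmarked so it is retried next cycle. The notification field names (deviceInfo, threatInfo.incidentId), the de-duplication key and posting the raw notification to the webhook are assumptions; the sender is injectable so the demo runs offline.

```python
import json
import logging

# Errors go to integration.log, as the README describes.
logging.basicConfig(filename="integration.log", level=logging.ERROR,
                    format="%(asctime)s %(levelname)s %(message)s")

# Constructed sample batch shaped like CB Defense notifications (field names assumed).
SAMPLE_NOTIFICATIONS = [
    {"type": "THREAT", "eventTime": 1690000000000,
     "deviceInfo": {"deviceId": 1001, "deviceName": "WS-FINANCE-07"},
     "threatInfo": {"incidentId": "INC-0001", "score": 8}},
    {"type": "THREAT", "eventTime": 1690000060000,
     "deviceInfo": {"deviceId": 1002, "deviceName": "SRV-BUILD-02"},
     "threatInfo": {"incidentId": "INC-0002", "score": 6}},
    # Redelivery of the first alert: must not trigger a second acquisition.
    {"type": "THREAT", "eventTime": 1690000000000,
     "deviceInfo": {"deviceId": 1001, "deviceName": "WS-FINANCE-07"},
     "threatInfo": {"incidentId": "INC-0001", "score": 8}},
]

def alert_key(note: dict) -> str:
    """Stable identity for de-duplication: incident id plus device id (assumed key)."""
    return f"{note['threatInfo']['incidentId']}:{note['deviceInfo']['deviceId']}"

def make_air_sender(webhook_url: str):
    """Real sender: POST the raw notification to the AIR webhook with requests."""
    import requests  # lazy import: the offline demo needs no network stack
    return lambda note: requests.post(webhook_url, json=note, timeout=15).raise_for_status()

def process_cycle(notifications, seen: set, send, query_path: str = "query.json") -> list:
    """One polling cycle: write the batch to query.json, forward each unseen alert,
    return the forwarded keys. A failed send is logged and left unmarked for retry."""
    batch = list(notifications)
    with open(query_path, "w", encoding="utf-8") as fh:
        json.dump({"notifications": batch}, fh, indent=2)
    forwarded = []
    for note in batch:
        key = alert_key(note)
        if key in seen:
            continue
        try:
            send(note)
        except Exception as exc:  # HTTP or network failure
            logging.error("acquisition request failed for %s: %s", key, exc)
            continue
        seen.add(key)
        forwarded.append(key)
        print(f"Acquisition request sent for {note['deviceInfo']['deviceName']} ({key})")
    return forwarded
```

In the real loop, `seen` persists across cycles and `send` is `make_air_sender(AIR_WEBHOOK_URL)`; the demo passes a no-op sender instead.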

carbonblack-air's People

Contributors

binalyze-murat