Configuration - ace-ecosystem/cbinterface2 GitHub Wiki

Configuration & Setup

cbinterface uses the same configuration files that CBAPI-Python and the other Carbon Black Python libraries use to connect to your configured Carbon Black environments.

First, if you don't already have your environment configured, look here for help configuring the underlying cbapi to work with whatever Carbon Black product and environment setup you have.

Settings that are specific to cbinterface, such as your default Carbon Black environment (if you have more than one) and your time zone, are saved to a ~/.carbonblack/cbinterface.ini file for persistence.

For Live Response functions, you will need to add a lr_token to your respective Carbon Black profile configurations (instructions below).

API Access

You will need API keys with appropriate permissions to use cbinterface functionality.

If you're using Carbon Black Response, API access is simple to set up. See these instructions for help.

PSC API Permissions

See the Carbon Black documentation for help creating API keys and Access Levels.

The following table maps the API permissions each area of cbinterface PSC functionality requires; it covers all non-Live Response functionality. Any DELETE access level can be omitted if you don't want an analyst to have that capability, and if you don't need all cbinterface functionality, grant only the permissions needed for the functionality you do want.

cbinterface functionality         API Permission Name             Access Level
Process Search & Investigation    org.search.events               READ, CREATE, UPDATE
Universal Binary Store            ubs.org.file, ubs.org.sha256    READ
PSC Device Info                   device                          READ
PSC Device Quarantine             device.quarantine               Execute
Intel: Feeds                      org.feeds                       READ
Intel: Watchlists                 org.watchlists                  READ, UPDATE, CREATE, DELETE
Intel: Migrations                 org.watchlists                  READ, UPDATE, CREATE
Intel: Alerts                     org.alerts*                     READ, Execute

NOTE: If you want Live Response functionality, you will need a separate Live Response API key with the LIVE_RESPONSE_API Access Level Type. The next section explains how to supply the Live Response token to your configuration.

PSC Adding Live Response Credentials

After you've created a Live Response API credential, you must supply its API Secret Key and API Key ID as the value of an lr_token config item in your configuration profile, in the form lr_token={API Secret Key}/{API Key ID}.

See the contents of my ~/.carbonblack/credentials.psc config file and notice where a Live Response API token has been provided to my default profile.

$ cat ~/.carbonblack/credentials.psc
[default]
url = https://defense-prod05.conferdeploy.net
token = ABCDEFGHIJKLMNOPQRSTUVWX/ABCDE12345
org_key = ABCDEFGH
ssl_verify = True
lr_token = LMNOPQRSTUVWXABCDEFGHIJK/12345ABCDE

Carbon Black Environment Selection

If you only have a single Carbon Black environment, you likely can skip this section entirely.

If you have more than one environment or your default environment is not named default, you'll have to select/set the environment you want to work with.

You can specify the environment you want to work with via the following argument:

cbinterface -e psc:default

Additionally, you can persist your default environment:

cbinterface --set-default-environment response:default

# shorthand:
cbinterface -sde response:default

Note that because CbInterface works with multiple Carbon Black products and multiple product environments, the environments are identified as "product:profile" when cbinterface loads the Carbon Black configuration files.
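As an added example (not code from cbinterface or CBAPI) tying together the credentials.psc layout above and the product:profile naming: it parses a constructed copy of the file, derives the environment names, and checks whether each profile's lr_token has the expected secret/key-id shape. The file-permission check is an assumption about good practice for a file holding API secrets, not something the wiki specifies.

```python
# Added example, not part of cbinterface or CBAPI: inspect a credentials.psc
# file the way the wiki describes it and report Live Response readiness.
import configparser
import os
import stat

# Constructed sample mirroring the wiki's credentials.psc (all values fake).
SAMPLE_CREDENTIALS = """\
[default]
url = https://defense-prod05.conferdeploy.net
token = ABCDEFGHIJKLMNOPQRSTUVWX/ABCDE12345
org_key = ABCDEFGH
ssl_verify = True
lr_token = LMNOPQRSTUVWXABCDEFGHIJK/12345ABCDE

[lab]
url = https://example.invalid
token = ZYXWVUTSRQPONMLKJIHGFEDC/ZYXWV98765
org_key = ZYXWVUTS
"""

def load_profiles(text):
    """Return {profile_name: {key: value}} from credentials-file text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}

def environment_names(profiles, product="psc"):
    """cbinterface identifies environments as product:profile."""
    return [f"{product}:{name}" for name in profiles]

def token_is_well_formed(value):
    """token and lr_token are both '{API Secret Key}/{API Key ID}'."""
    parts = value.split("/")
    return len(parts) == 2 and all(parts)

def live_response_status(profiles):
    """Map each profile to 'ok', 'malformed' or 'missing' for its lr_token."""
    status = {}
    for name, cfg in profiles.items():
        if "lr_token" not in cfg:
            status[name] = "missing"
        else:
            status[name] = "ok" if token_is_well_formed(cfg["lr_token"]) else "malformed"
    return status

def credentials_file_is_private(path):
    """Assumed good practice: a file holding API secrets should not be group/world accessible."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0
```

Run live_response_status(load_profiles(open(os.path.expanduser("~/.carbonblack/credentials.psc")).read())) against your own file to see which profiles are ready for Live Response.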

Your Timezone

The default time zone is UTC. You can persist whatever time zone you want with the --set-default-timezone option:

cbinterface --set-default-timezone Europe/Rome

You can also specify a time zone to convert all timestamps to with the -tz option. This is helpful when you want to view events in a different time zone; for example, our team standardized on UTC for incident response timelines.