Mattermost Integration
With this integration, Mattermost users can trigger AIR webhooks from a chat window using slash commands, for example to start an acquisition task on a named endpoint.
Step 1 - Creating a Webhook for Mattermost
Visit the Webhooks page in Binalyze AIR,
Click the "+ New Webhook" button in the upper right corner,
Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),
Select "Mattermost: Generic Mattermost Webhook Parser" as the parser for this webhook,
Select the Acquisition Profile to run when Mattermost activates this webhook,
Set the Ignore option or leave it at its default value (by default, repeated triggers for the same endpoint are ignored for 24 hours),
Provide the remaining settings (Evidence Repository, CPU Limit, Compression & Encryption) or let AIR configure them automatically based on the matching policy,
Click the "Save" button and copy the webhook URL that AIR displays; it is needed in Step 2.
Step 2 - Setting Up Mattermost Server
Open the dropdown menu on the left pane and click on Integrations.
Select "Slash Commands" and click on "Add Slash Command" button.
Fill in the fields as follows:
Title: Binalyze AIR Acquisition
Description: Start an acquisition task on the specified endpoint by using this command.
Command Trigger Word: Type a trigger word that can easily relate to the specified acquisition profile. For example: /air-acquisition-full
Request URL: The webhook URL that you obtained from AIR-Server in Step 1.
Request Method: POST
Response Username: BinalyzeAIR
Response Icon: Leave Blank.
Autocomplete: Selected
Autocomplete Hint: [Endpoint Hostname]
Autocomplete Description: Provide the hostname of the endpoint.
Click Save.
Mattermost will display a Token that authenticates the slash command to AIR-Server; it is sent with every request the command makes. Treat this token and the webhook URL as secrets: together they are what authorizes a request to this webhook, so store them accordingly, use an HTTPS Request URL, and restrict who may edit the slash command in Mattermost. Click Done.
Step 3- Using integration
Go to a channel and type "/" to list the available commands.
Type /air-acquisition-full [ENDPOINT HOSTNAME].
For example:
/air-acquisition-full SampleDummyHostForTest
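As an added example (not code from the original page or from Binalyze AIR), the following Python script builds the form-encoded request that Mattermost POSTs to the Request URL when the slash command above runs, and then performs the checks any receiver of such a request should make before acting on it: a constant-time comparison of the token against the one Mattermost displayed in Step 2, and validation that the command text is exactly one syntactically valid hostname. The field names follow Mattermost's slash command request format; the token, team, channel and user identifiers are constructed sample values, and the receiver-side logic is illustrative rather than AIR's own "Generic Mattermost Webhook Parser".

```python
"""Added example: the request a Mattermost slash command POSTs to its Request URL,
and the validation a receiver should apply before acting on it.
Illustrative code only; this is not Binalyze AIR's webhook parser."""
import hmac
import re
from urllib.parse import parse_qs, urlencode

# Assumption: the token Mattermost displayed after the slash command was saved.
# Constructed value for this example; a real token is only ever shown in Mattermost.
EXPECTED_TOKEN = "y8c3r9fhn6t7gpjfd8kq2mzxv1"

# One RFC 1123 hostname label: alphanumerics and hyphens, no leading/trailing
# hyphen, at most 63 characters.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def build_slash_command_body(command, text, token=EXPECTED_TOKEN):
    """Build the application/x-www-form-urlencoded body Mattermost sends for a
    slash command. Field names match Mattermost's slash command request;
    the team/channel/user identifiers are constructed sample values."""
    fields = {
        "token": token,
        "team_id": "qe7h3kq1ctfp9ng5w4u2y3xjnh",
        "team_domain": "soc",
        "channel_id": "k4b3pwy7ebgy7qf8cjfgpk4u8w",
        "channel_name": "incident-response",
        "user_id": "dz9t3qnwufgu3fk1j3eqqw4zph",
        "user_name": "analyst",
        "command": command,
        "text": text,
        "response_url": "https://mattermost.example.com/hooks/commands/zq7tpkh8npb1xx2jjp3hgmmw1c",
        "trigger_id": "ZmFrZXRyaWdnZXJpZA",
    }
    return urlencode(fields)


def is_valid_hostname(name):
    """Syntactic hostname check: total length <= 253, every dot-separated label valid."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_slash_command(body, expected_token=EXPECTED_TOKEN):
    """Validate a slash command request body.

    Returns (True, details) when the request may be acted on, where details
    holds the command, the target hostname and who issued it, or
    (False, reason) when it must be rejected.
    """
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

    # 1. Authenticate: the token must equal the one Mattermost issued for this
    #    command. Compare as bytes in constant time so the check leaks no timing signal.
    presented = fields.get("token", "").encode("utf-8")
    if not hmac.compare_digest(presented, expected_token.encode("utf-8")):
        return False, "token mismatch"

    # 2. Parse the argument: this command takes exactly one hostname.
    args = fields.get("text", "").split()
    if len(args) != 1:
        return False, "expected exactly one argument: the endpoint hostname"
    hostname = args[0]

    # 3. Validate the hostname before it reaches any lookup or task-creation logic.
    if not is_valid_hostname(hostname):
        return False, "argument is not a valid hostname"

    return True, {
        "command": fields.get("command", ""),
        "hostname": hostname,
        "user_name": fields.get("user_name", ""),
        "channel_name": fields.get("channel_name", ""),
        "response_url": fields.get("response_url", ""),
    }


if __name__ == "__main__":
    body = build_slash_command_body("/air-acquisition-full", "SampleDummyHostForTest")
    print(parse_slash_command(body))
    # A request carrying the wrong token is rejected before the argument is even read.
    print(parse_slash_command(build_slash_command_body("/air-acquisition-full", "host", token="stolen")))
```

Because Mattermost carries the token inside the request body rather than in a signature, the token is only as secret as the transport: the Request URL must be HTTPS, and a receiver that skips the token check would accept an acquisition request from anyone who can reach the URL. Rejecting malformed hostnames before any lookup keeps channel text from being passed through to whatever resolves the endpoint.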