Mattermost Integration

Using this integration, users can trigger webhooks from chat windows with slash commands.

Step 1 - Creating a Webhook for Mattermost

  • Visit the Webhooks page in Binalyze AIR,

  • Click the "+ New Webhook" button in the upper right corner,

  • Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),

  • Select "Mattermost: Generic Mattermost Webhook Parser" as the parser for this webhook,

  • Select the Acquisition Profile that AIR should run when Mattermost activates this webhook,

  • Set the Ignore option or leave it at its default value (24 hours; repeat alerts for the same endpoint within that window are ignored),

  • Provide the other settings such as Evidence Repository, CPU Limit, Compression & Encryption, or let AIR configure them automatically based on the matching policy,

  • Click the "Save" button.

Step 2 - Setting Up Mattermost Server

  • Open the dropdown menu in the left pane and click Integrations.

  • Select "Slash Commands" and click the "Add Slash Command" button.

  • Fill in the fields as follows:

    • Title: Binalyze AIR Acquisition

    • Description: You can start an acquisition task in the specified endpoint by using this command.

    • Command Trigger Word: a trigger word that clearly relates to the chosen acquisition profile, for example /air-acquisition-full

    • Request URL: the Webhook URL you obtained from AIR-Server.

    • Request Method: POST

    • Response Username: BinalyzeAIR

    • Response Icon: Leave Blank.

    • Autocomplete: Selected

    • Autocomplete Hint: [Endpoint Hostname]

    • Autocomplete Description: Provide the hostname of the endpoint.

  • Click save.

Mattermost will then show a Token, which AIR-Server uses to authenticate requests from this slash command. Click Done.
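Mattermost delivers each slash command to its Request URL as a form-encoded POST that carries the token alongside the command text, so the token check is what ties a request to your Mattermost server; the Request URL itself should not be treated as the secret. The block below is an added example, not Binalyze AIR's own "Generic Mattermost Webhook Parser": it shows what a receiver has to verify before acting on such a request (token in constant time, exactly one argument, and that the argument looks like a hostname) and builds the ephemeral reply Mattermost accepts. The field names are the ones Mattermost uses for slash commands; the expected token and the sample body are constructed.

```python
"""Illustrative receiver-side parser for a Mattermost slash-command POST.

Added example; this is not Binalyze AIR's parser. Field names (token,
command, text, user_name, channel_name) are Mattermost's slash-command
fields; EXPECTED_TOKEN and SAMPLE_BODY are constructed values.
"""
import hmac
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed stand-in for the Token Mattermost shows after "Add Slash Command".
EXPECTED_TOKEN = "example-token-from-mattermost"

# Hostname check: labels of letters, digits and hyphens, no leading/trailing
# hyphen, dot-separated, at most 253 characters overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


@dataclass
class AcquisitionRequest:
    command: str        # e.g. "/air-acquisition-full"
    hostname: str       # endpoint taken from the command's text argument
    requested_by: str   # Mattermost user_name, kept for audit logging
    channel: str        # Mattermost channel_name, kept for audit logging


class WebhookError(ValueError):
    """Raised when a request must not trigger an acquisition."""


def parse_slash_command(body: str, expected_token: str = EXPECTED_TOKEN) -> AcquisitionRequest:
    """Validate one slash-command POST body and return the parsed request.

    Rejects the request unless the token matches (constant-time compare),
    exactly one argument was supplied, and that argument is a plausible hostname.
    """
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

    # The token, not the URL, proves the request came from the configured server.
    if not hmac.compare_digest(fields.get("token", ""), expected_token):
        raise WebhookError("token mismatch: request not accepted")

    args = fields.get("text", "").split()
    if len(args) != 1:
        raise WebhookError("usage: %s [Endpoint Hostname]" % fields.get("command", "/command"))

    hostname = args[0]
    if not _HOSTNAME_RE.match(hostname):
        raise WebhookError("argument %r is not a valid hostname" % hostname)

    return AcquisitionRequest(
        command=fields.get("command", ""),
        hostname=hostname,
        requested_by=fields.get("user_name", ""),
        channel=fields.get("channel_name", ""),
    )


def ephemeral_reply(text: str) -> dict:
    """Response body Mattermost renders only to the user who ran the command."""
    return {"response_type": "ephemeral", "text": text}


# Constructed sample body, shaped like a Mattermost slash-command POST.
SAMPLE_BODY = (
    "channel_name=incident-response&command=%2Fair-acquisition-full"
    "&team_domain=example&text=SampleDummyHostForTest"
    "&token=example-token-from-mattermost&user_name=analyst"
)

if __name__ == "__main__":
    req = parse_slash_command(SAMPLE_BODY)
    print(ephemeral_reply(f"Starting acquisition on {req.hostname} for {req.requested_by}"))
```

Keeping `user_name` and `channel_name` in the parsed request costs nothing and gives you an audit trail of who triggered which acquisition from where; a request with a bad token, a missing argument, or free text where a hostname should be never reaches the acquisition step.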

Step 3 - Using the Integration

Go to a channel and press "/" to list the available commands.

Type /air-acquisition-full [ENDPOINT HOSTNAME].

For example:

/air-acquisition-full SampleDummyHostForTest
