Mattermost Integration

Step 1 - Creating A webhook for Mattermost

• Visit the Webhooks page in AIR,

• Click the "+ New Webhook" button in the upper right corner,

• Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),

• Select "Mattermost: Generic Mattermost Webhook Parser" as the parser for this webhook,

• Select an Acquisition Profile when Mattermost activates this webhook,

• Select the Ignore option or leave with its default value (defaults to 24 hours for recurrent alerts for a single endpoint),

• Provide other settings such as Evidence Repository, CPU Limit, Compression & Encryption to use or let AIR configure them automatically based on the matching policy

• Click the "Save" button

Step 2 - Setting Up Mattermost Server

• Open the dropdown menu on the left pane and click on Integrations.

• Select "Slash Commands" and click on "Add Slash Command" button.

• Fill in the text box accordingly:

  • Title: AIR Acquisition

  • Description: You can start an acquisition task in the specified endpoint by using this command.

  • Command Trigger Word: Type a trigger word that can easily relate to the specified acquisition profile. For example: /air-acquisition-full

  • Request URL: Webhook URL that you obtained from AIR Server.

  • Request Method: POST

  • Response Username: AIR

  • Response Icon: Leave Blank.

  • Autocomplete: Selected

  • Autocomplete Hint: [Endpoint Hostname]

  • Autocomplete Description: Provide the hostname of the endpoint.

• Click save.

Mattermost will provide a Token to authenticate the slash command in AIR Server. Click done.

Step 3- Using integration

Go to a channel and press "/" for available commands.

Type /air-acquisition-full [ENDPOINT HOSTNAME].

For example:

/air-acquisition-full SampleDummyHostForTest