# Mattermost Integration

#### Step 1 - Creating a Webhook for Mattermost <a href="#step-1-creating-a-webhook-for-mattermost" id="step-1-creating-a-webhook-for-mattermost"></a>

* Visit the **Webhooks** page in AIR.
* Click the "**+ New Webhook**" button in the upper right corner.
* Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.).
* Select "**Mattermost: Generic Mattermost Webhook Parser**" as the parser for this webhook.
* Select the **Acquisition Profile** to use when **Mattermost** activates this webhook.
* Set the **Ignore** option or leave it at its default value (defaults to 24 hours for recurrent alerts for a single endpoint).
* Provide the other settings to use, such as **Evidence Repository**, **CPU Limit**, and **Compression & Encryption**, or let AIR configure them automatically based on the matching policy.
* Click the "**Save**" button.

#### Step 2 - Setting Up Mattermost Server <a href="#step-2-setting-up-mattermost-server" id="step-2-setting-up-mattermost-server"></a>

* Open the dropdown menu on the left pane and click **Integrations**.
* Select "**Slash Commands**" and click the "**Add Slash Command**" button.
* Fill in the text box accordingly:
  * **Title:** AIR Acquisition
  * **Description:** You can start an acquisition task in the specified endpoint by using this command.
  * **Command Trigger Word:** Type a trigger word that can easily relate to the specified acquisition profile. **For example:** /air-acquisition-full
  * **Request URL:** Webhook URL that you obtained from AIR Server.
  * **Request Method: POST**
  * **Response Username:** AIR
  * **Response Icon:** Leave Blank.
  * **Autocomplete: Selected**
  * **Autocomplete Hint:** \[Endpoint Hostname]
  * **Autocomplete Description:** Provide the hostname of the endpoint.
* Click **Save**.

Mattermost will provide a Token to authenticate the slash command in AIR Server. Click **Done**.

#### Step 3 - Using the Integration <a href="#step-3-using-integration" id="step-3-using-integration"></a>

Go to a channel and press "/" for available commands.

Type `/air-acquisition-full [ENDPOINT HOSTNAME]`.

For example:

`/air-acquisition-full SampleDummyHostForTest`
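
The checks a receiver of this slash command would apply, as an added example (not AIR's parser and not part of the original page): it parses the form-encoded POST that Mattermost sends to the Request URL, compares the `token` field in constant time, and validates the hostname argument. The token value, sample body and function name are constructed for illustration.

```python
import hmac
import re
from urllib.parse import parse_qs

# Constructed sample: form-encoded body as Mattermost POSTs it to the Request URL.
# The token here is a placeholder, not a real Mattermost token.
SAMPLE_BODY = (
    "channel_name=soc&command=%2Fair-acquisition-full"
    "&text=SampleDummyHostForTest&token=EXAMPLE-TOKEN-0000&user_name=analyst"
)

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def parse_slash_command(body: str, expected_token: str, expected_command: str) -> str:
    """Return the endpoint hostname, or raise ValueError if the request is rejected."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}

    # Constant-time comparison so the check does not leak how much of the token matched.
    token = fields.get("token", "")
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        raise ValueError("token mismatch")

    # Only the trigger word configured for this webhook is accepted.
    if fields.get("command") != expected_command:
        raise ValueError("unexpected command")

    # The text field is whatever the user typed after the trigger word,
    # so it is validated before being used to look up an endpoint.
    hostname = fields.get("text", "").strip()
    if len(hostname) > 253 or not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError("invalid hostname")
    return hostname


if __name__ == "__main__":
    print(parse_slash_command(SAMPLE_BODY, "EXAMPLE-TOKEN-0000", "/air-acquisition-full"))
```
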
