Back to binalyze.com
Search…
Welcome
AIR
AIR
Introduction
Setup
Update
Features
Integrations
Microsoft Azure SSO Integration
Splunk Integration
IBM QRadar Integration
Wazuh Integration
Cortex XSOAR Integration
Slack Integration
FAQ
TACTICAL
TACTICAL
What is TACTICAL?
Running TACTICAL from command line
Command Line Options
Evidence Types
Artifact Types
Command Line Examples
Exit Codes
Download TACTICAL
TACTICAL for Chrome
DRONE
DRONE
Introduction
How to use it?
Settings
Reporting
Features
Download DRONE
General
Licenses
Powered By GitBook
Cortex XSOAR Integration
Integration of AIR with Cortex XSOAR is possible via Plug-In.

Steps to Integrate

Step 1: Preparing AIR Server

1. Create a new webhook by clicking the “Webhooks” tab.
2. Give an appropriate name to the New Webhook.
3. Choose Parser “Cortex XSOAR: Generic Cortex XSOAR Webhook Parser”.
4. Change the other options accordingly and click Save. For more information about how to create webhooks, please refer to Triggers (Webhooks).

Step 2: Adding Integration File to Cortex XSOAR

Download the integration file. Binalyze AIR.yml
1. Sign in to Cortex XSOAR server.
2. Click “Settings” on the left bottom corner.
3. Click “Upload Integration”.
4. Select the Binalyze_AIR.yml file and click open.
5. Paste the webhook URLs that you created in Step 1 to the relevant lines.
6. After changing Webhook URLs, Click “Save Version” and close the dialog.

Step 3

1. Click “Add instance” on the right pane.
2. Fill in the AIR Server URL, username, and password boxes.
3. Click “Test”, and you will see “Success”, which means Cortex XSOAR established the test connection with the AIR Server.
4. The integration is ready to use.

Usage

Isolation
  • You can use the integration in Automations, Playbooks, or War Room.
  • To execute an isolation task, write the following command on the bottom of the page:
1
!air-isolation endpoint=<ENDPOINTHOSTNAME> isolation=enable
Copied!
  • A dialogue pops up, accept and continue.
  • The command is executed successfully.

Acquisition

  • To execute an acquisition task, write the following command on the bottom of the page:
1
!air-acquisition endpoint=<ENDPOINTHOSTNAME> profile=quick
Copied!
  • The command is executed successfully.
  • The acquisition profile is started in the endpoint.
Previous
Wazuh Integration
Next
Slack Integration
Last modified 6mo ago
Copy link
Contents
Steps to Integrate
Usage