With this integration, Mattermost users can trigger Binalyze AIR webhooks from a chat channel with slash commands. The setup has two halves: create the webhook in AIR, then register a slash command in Mattermost that posts to it.
- Visit the Webhooks page in Binalyze AIR,
- Click the "+ New Webhook" button in the upper right corner,
- Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),
- Select "Mattermost: Generic Mattermost Webhook Parser" as the parser for this webhook,
- Select the Acquisition Profile to run when Mattermost triggers this webhook,
- Set the Ignore window or keep its default (24 hours: repeated triggers for the same endpoint within that window are ignored rather than starting another acquisition),
- Provide the remaining settings (Evidence Repository, CPU Limit, Compression & Encryption) or let AIR configure them automatically from the matching policy,
- Click the "Save" button and copy the webhook URL that AIR generates for this webhook. You will need it in Mattermost; treat it as a secret rather than pasting it into a public channel.
- In Mattermost, open the dropdown menu in the left pane and click Integrations.
- Select "Slash Commands" and click on "Add Slash Command" button.
- Fill in the form as follows:
  - Title: Binalyze AIR Acquisition
  - Description: You can start an acquisition task on the specified endpoint by using this command.
  - Command Trigger Word: a trigger word that clearly maps to the chosen acquisition profile, for example /air-acquisition-full
  - Request URL: the webhook URL you obtained from AIR-Server.
  - Request Method: POST
  - Response Username: BinalyzeAIR
  - Response Icon: leave blank.
  - Autocomplete: selected
  - Autocomplete Hint: [Endpoint Hostname]
  - Autocomplete Description: Provide the hostname of the endpoint.
- Click Save.
Mattermost then displays a Token for the slash command. Mattermost includes this token in every request it sends to the Request URL, so the receiving side (here, AIR-Server) can check that a request really came from this slash command and not from someone who merely learned the webhook URL. Note the token, then click Done.
Go to a channel and type "/" to list the available commands, then run the command with the target endpoint's hostname as its only argument:
/air-acquisition-full [ENDPOINT HOSTNAME]
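The two checks that matter on the receiving side of this setup are the token check (the request really came from the slash command) and the argument check (the text after the trigger word is a single well-formed hostname, not arbitrary input). The following is an added illustration of both, written for this page; it is not Binalyze's parser and not Mattermost's code. It assumes only the documented shape of a Mattermost slash-command request (an application/x-www-form-urlencoded POST with fields such as token, channel_id, user_name, command and text) and the JSON reply Mattermost renders (response_type plus text). The token value, the sample request bodies and the "acquisition" record it builds are constructed for the example.

```python
import hmac
import re
from urllib.parse import parse_qs

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, at most 63 chars per label, 253 overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Constructed sample: the token Mattermost displayed when the slash command was
# saved. A real receiver loads this from its own configuration, never from the request.
EXPECTED_TOKEN = "mm-slash-token-EXAMPLE"


def parse_slash_command(body: str) -> dict:
    """Decode the application/x-www-form-urlencoded body Mattermost POSTs for a
    slash command. Fields of interest: token, team_id, channel_id, user_id,
    user_name, command, and text (everything typed after the trigger word)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def handle_slash_command(body: str, expected_token: str = EXPECTED_TOKEN) -> dict:
    """Validate one slash-command request and return what the receiver should do.

    The returned dict (a shape chosen for this example) carries the HTTP status
    to answer with, the JSON body Mattermost renders in the channel, and, only
    when the request is accepted, the acquisition request that would be handed
    on to the acquisition pipeline."""
    form = parse_slash_command(body)

    # 1. Authenticate: the token must match the one Mattermost issued for this
    #    command. Constant-time comparison so a mismatch does not leak via timing.
    if not hmac.compare_digest(form.get("token", "").encode(), expected_token.encode()):
        return {
            "status": 401,
            "response": {"response_type": "ephemeral",
                         "text": "Rejected: invalid slash-command token."},
            "acquisition": None,
        }

    # 2. Validate the argument: exactly one well-formed hostname and nothing else.
    #    Anything with spaces, shell metacharacters or an empty argument is refused
    #    before it can reach the pipeline as an endpoint selector.
    hostname = form.get("text", "").strip()
    if not HOSTNAME_RE.match(hostname):
        return {
            "status": 200,
            "response": {"response_type": "ephemeral",
                         "text": "Usage: /air-acquisition-full [ENDPOINT HOSTNAME]"},
            "acquisition": None,
        }

    # 3. Accept: record who asked, from which channel, for which endpoint, so the
    #    resulting task is attributable in the audit trail.
    acquisition = {
        "endpoint_hostname": hostname,
        "requested_by": form.get("user_name", ""),
        "channel_id": form.get("channel_id", ""),
        "command": form.get("command", ""),
    }
    return {
        "status": 200,
        "response": {"response_type": "in_channel",
                     "text": f"Acquisition task queued for {hostname} "
                             f"(requested by @{acquisition['requested_by']})."},
        "acquisition": acquisition,
    }


if __name__ == "__main__":
    # Constructed request body in the form Mattermost sends for /air-acquisition-full WS-FIN-042
    sample = ("token=mm-slash-token-EXAMPLE&team_id=t1&channel_id=c1&user_id=u1"
              "&user_name=analyst&command=%2Fair-acquisition-full&text=WS-FIN-042")
    print(handle_slash_command(sample))
    print(handle_slash_command("token=wrong&text=WS-FIN-042"))
    print(handle_slash_command("token=mm-slash-token-EXAMPLE&text=host%20rm%20-rf"))
```

A request with the wrong token is refused before the argument is even looked at, and a well-formed token with a malformed argument gets the usage hint back as an ephemeral message (visible only to the caller) rather than a task. Whatever actually receives the Request URL in your deployment, these are the two outcomes worth testing with a hand-crafted POST before wiring the command into a busy channel.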