Mattermost Integration

With this integration, users can trigger AIR webhooks from a Mattermost chat window with slash commands: the command carries an endpoint hostname, and AIR starts an acquisition task on that endpoint with the Acquisition Profile selected for the webhook.

Step 1 - Creating a Webhook for Mattermost

  • Visit the Webhooks page in Binalyze AIR.
  • Click the "+ New Webhook" button in the upper right corner.
  • Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger).
  • Select "Mattermost: Generic Mattermost Webhook Parser" as the parser for this webhook.
  • Select the Acquisition Profile to run when Mattermost activates this webhook.
  • Set the Ignore option or leave it at its default value (by default, repeated alerts for the same endpoint are ignored for 24 hours).
  • Provide the other settings (Evidence Repository, CPU Limit, Compression & Encryption), or let AIR configure them automatically based on the matching policy.
  • Click the "Save" button.

Step 2 - Setting Up Mattermost Server

  • Open the dropdown menu in the left pane and click Integrations.
  • Select "Slash Commands" and click the "Add Slash Command" button.
  • Fill in the fields as follows:
    • Title: Binalyze AIR Acquisition
    • Description: You can start an acquisition task on the specified endpoint by using this command.
    • Command Trigger Word: Choose a trigger word that clearly relates to the selected acquisition profile. For example: /air-acquisition-full
    • Request URL: The webhook URL you obtained from AIR-Server in Step 1.
    • Request Method: POST
    • Response Username: BinalyzeAIR
    • Response Icon: Leave blank.
    • Autocomplete: Selected
    • Autocomplete Hint: [Endpoint Hostname]
    • Autocomplete Description: Provide the hostname of the endpoint.
  • Click Save.
Mattermost then displays a Token for the slash command. Mattermost sends this token with every request it makes to the Request URL so that the receiving side (here, AIR-Server) can authenticate the slash command; treat it as a secret, because anyone who holds it and can reach the Request URL can trigger the webhook. Click Done.

Step 3 - Using the Integration

Go to a channel and press "/" to list the available commands.
Type /air-acquisition-full [ENDPOINT HOSTNAME], where the hostname is the endpoint to acquire from.
For example:
/air-acquisition-full SampleDummyHostForTest
AIR then starts the acquisition task on the matching endpoint with the Acquisition Profile selected in Step 1.
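The following is an added example, not Binalyze AIR's own parser or any code from this page. It is a minimal stand-in for the receiving side of the slash command set up in Steps 1 to 3, showing what a receiver has to do with the request Mattermost POSTs when a user types the command above: check the token from Step 2, pull the hostname out of the "text" field, and answer with Mattermost's JSON response format. The token value, the hostname-is-the-first-word rule, and the request body are constructed assumptions for the example.

```python
"""
Added example (not Binalyze AIR code): a stand-in receiver for the
Mattermost slash command /air-acquisition-full [Endpoint Hostname].

Assumptions (not from the page):
  - the token Mattermost showed after "Save" in Step 2 is held by the
    receiver as MATTERMOST_TOKEN;
  - the endpoint hostname is the first whitespace-separated word of the
    slash command's "text" field.
"""
import hmac
import re
from urllib.parse import parse_qs

# Constructed value standing in for the token Mattermost shows in Step 2.
MATTERMOST_TOKEN = "constructed-token-0123456789abcdef"

# Constructed request body in the application/x-www-form-urlencoded shape
# Mattermost POSTs for a slash command (field names are Mattermost's).
SAMPLE_BODY = (
    "channel_id=qn3rkk4w5bbmmbitcgrnr5d4zy&channel_name=soc"
    "&command=%2Fair-acquisition-full"
    "&response_url=https%3A%2F%2Fmattermost.example%2Fhooks%2Fcommands%2Fabc123"
    "&team_domain=example&team_id=t1x6pa3nibd6dr3xkyp4fnnimh"
    "&text=SampleDummyHostForTest"
    "&token=constructed-token-0123456789abcdef"
    "&trigger_id=ZHVtbXk&user_id=u7mknkmhq7dx5psa8p6gtnz6ho&user_name=analyst"
)

# One RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    """Reject anything that is not a plausible hostname before it is used."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def parse_slash_command(body: str) -> dict:
    """Decode the form-encoded body; Mattermost sends one value per field."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def handle_slash_command(body: str, expected_token: str = MATTERMOST_TOKEN) -> tuple:
    """Return (HTTP status, JSON-serialisable response) for one request."""
    fields = parse_slash_command(body)

    # 1. Authenticate. The token is a shared secret; compare in constant
    #    time so a caller who can reach the Request URL cannot time-guess it.
    presented = fields.get("token", "").encode()
    if not hmac.compare_digest(presented, expected_token.encode()):
        return 401, {"response_type": "ephemeral", "text": "invalid token"}

    # 2. Extract the argument typed after the trigger word.
    args = fields.get("text", "").split()
    if len(args) != 1:
        return 200, {
            "response_type": "ephemeral",
            "text": "usage: /air-acquisition-full [Endpoint Hostname]",
        }
    hostname = args[0]

    # 3. Validate the hostname before it reaches any acquisition logic.
    if not valid_hostname(hostname):
        return 200, {"response_type": "ephemeral", "text": f"rejected hostname: {hostname!r}"}

    # 4. Acknowledge. "ephemeral" is shown only to the user who ran the
    #    command, so the target hostname is not broadcast to the channel.
    return 200, {
        "response_type": "ephemeral",
        "username": "BinalyzeAIR",
        "text": f"Acquisition requested for {hostname} by @{fields.get('user_name', '?')}",
    }


if __name__ == "__main__":
    print(handle_slash_command(SAMPLE_BODY))
    print(handle_slash_command(SAMPLE_BODY.replace("constructed-token", "wrong-token")))
```

The two checks a practitioner cares about when wiring this up are visible here: a request with the wrong token is rejected before the hostname is even read, and a malformed or missing hostname produces a usage message instead of a task. Because the receiver's only authentication is that token, the Request URL in Step 2 should be served over HTTPS and reachable only from the Mattermost server.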