- Visit the Webhooks page in Binalyze AIR,
- Click the "+ New Webhook" button on the upper right corner,
- Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),
- Select "Slack: Generic Slack Webhook Parser" as the parser for this webhook,
- Select the Acquisition Profile that AIR should run when Slack activates this webhook,
- Set the Ignore option or keep its default (24 hours, so repeated alerts for the same endpoint within that window are ignored),
- Provide the other settings (Evidence Repository, CPU Limit, Compression & Encryption) or let AIR configure them automatically from the matching policy,
- Click the "Save" button,
- Hover your mouse over the link below the Webhook name and double-click to copy.
Click From scratch, enter BinalyzeAIR as the App Name, pick a workspace to develop your app in, and click Create App (whichever workspace you select, you can still distribute the app to other workspaces later if you choose).
Scopes give your app permission to do things (for example, post messages) in your development workspace. Make sure BinalyzeAIR is selected at the top of the sidebar, then choose the scopes to add to your app by navigating to the OAuth & Permissions page in the sidebar.
Scroll down to the Bot Token Scopes section and click Add an OAuth Scope. You should add:
Install your own app by selecting the Install to Workspace button on the OAuth & Permissions page.
You'll be sent through the Slack OAuth UI, where you allow BinalyzeAIR.
- In the app's management dashboard, click the Slash Commands feature in the menu.
- Click Create New Command.
- Fill in the blanks as shown below.
- Command: /air-acquisition-ACQUISITION-PROFILE
- Request URL: The webhook URL you created in the AIR Server.
- Short Description: Trigger full acquisition
- Usage Hint: endpoint
- Save and exit.
- Add the application to the relevant channel.
- Invoke a command with:
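The Request URL above receives a form-encoded HTTP POST from Slack every time someone runs the slash command, so whatever sits behind that URL is effectively reachable by anyone who can get a request there. The following is an added example, not part of this guide and not AIR's "Generic Slack Webhook Parser": it shows what a slash-command payload looks like, how the acquisition profile and endpoint are extracted from it under the `/air-acquisition-<profile>` naming convention used above, and how a receiver can verify Slack's request signature (Slack's documented v0 HMAC-SHA256 scheme, keyed with the app's signing secret) and reject stale timestamps before acting on a request. The sample body, the profile name `full`, the signing secret and the header handling are constructed for the example; whether AIR itself performs signature verification is not stated on this page.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample body: what Slack POSTs to the Request URL when a user
# types "/air-acquisition-full endpoint01". Field names follow Slack's
# slash-command payload; the profile name "full" is a placeholder.
SAMPLE_BODY = (
    "command=%2Fair-acquisition-full&text=endpoint01"
    "&user_name=analyst&channel_name=soc&team_domain=example-corp"
)
COMMAND_PREFIX = "/air-acquisition-"


def sign_request(signing_secret: str, timestamp: str, body: str) -> str:
    """Compute the X-Slack-Signature value (Slack's v0 scheme) for a request.

    The signature is HMAC-SHA256 over "v0:<timestamp>:<raw body>", keyed with
    the app's signing secret, hex-encoded and prefixed with "v0=".
    """
    base = f"v0:{timestamp}:{body}".encode()
    digest = hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()
    return f"v0={digest}"


def verify_slack_signature(signing_secret: str, timestamp: str, body: str,
                           signature: str, now: Optional[float] = None,
                           tolerance: int = 300) -> bool:
    """Return True only if the signature matches and the timestamp is fresh.

    Rejecting old timestamps limits replay of a captured request; the
    constant-time comparison avoids leaking the expected value via timing.
    """
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return False
    current = time.time() if now is None else now
    if abs(current - ts) > tolerance:
        return False
    expected = sign_request(signing_secret, timestamp, body)
    return hmac.compare_digest(expected, signature)


def parse_slash_command(body: str) -> dict:
    """Extract the acquisition profile and target endpoint from the form body.

    The profile is the part of the command after "/air-acquisition-"; the
    endpoint is the command's text argument (the "Usage Hint: endpoint" field).
    Anything that does not fit that shape is rejected rather than guessed at.
    """
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    command = fields.get("command", "")
    if not command.startswith(COMMAND_PREFIX) or command == COMMAND_PREFIX:
        raise ValueError(f"unexpected command: {command!r}")
    endpoint = fields.get("text", "").strip()
    if not endpoint or len(endpoint.split()) != 1:
        raise ValueError("exactly one endpoint name is expected after the command")
    return {
        "profile": command[len(COMMAND_PREFIX):],
        "endpoint": endpoint,
        "requested_by": fields.get("user_name", ""),   # useful for audit logging
        "channel": fields.get("channel_name", ""),
        "workspace": fields.get("team_domain", ""),
    }


def handle_slack_request(headers: dict, body: str, signing_secret: str,
                         now: Optional[float] = None) -> dict:
    """Verify first, parse second; raise PermissionError on a bad signature."""
    ok = verify_slack_signature(
        signing_secret,
        headers.get("X-Slack-Request-Timestamp", ""),
        body,
        headers.get("X-Slack-Signature", ""),
        now=now,
    )
    if not ok:
        raise PermissionError("request failed Slack signature verification")
    return parse_slash_command(body)


if __name__ == "__main__":
    secret = "constructed-signing-secret"   # placeholder, not a real secret
    ts = str(int(time.time()))
    headers = {
        "X-Slack-Request-Timestamp": ts,
        "X-Slack-Signature": sign_request(secret, ts, SAMPLE_BODY),
    }
    print(handle_slack_request(headers, SAMPLE_BODY, secret))
```

The verification must run over the raw request body exactly as received, before any parsing or re-encoding, because the signature covers those bytes; the `requested_by`, `channel` and `workspace` fields are kept so that every triggered acquisition can be logged back to the Slack user who requested it.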