
Binalyze AIR

Manage Binalyze AIR resources


Overview

The "Create Acquisition Profile" operation in the Acquisition resource allows users to create a new acquisition profile within an organization. An acquisition profile defines parameters and settings for collecting digital evidence and artifacts from endpoint assets during forensic or incident response activities.

This node is beneficial in scenarios where organizations need to automate and standardize the collection of forensic data across multiple endpoints. For example, security teams can create profiles specifying which types of evidence (documents, logs, executables) and artifacts (memory dumps, registry, network connections) to collect, streamlining investigations and ensuring consistent data gathering.

Practical examples:

  • Creating a profile named "Incident Response Profile" that collects memory dumps, system information, and logs from all managed Windows assets.
  • Defining a profile for compliance audits that gathers installed software lists and file system snapshots from Linux servers.

Properties

| Name | Meaning |
|---|---|
| Profile Name | The name of the acquisition profile to be created. This is a required string input. |
| Description | A textual description of the acquisition profile, explaining its purpose or scope. Optional string input. |
| Organization | The target organization under which the acquisition profile will be created. This can be selected from a list, specified by numeric ID, or by organization name. This is a required field. |
| Additional Fields | A collection of optional fields to further customize the acquisition profile: |
| - Artifacts | Select one or more artifacts to collect during acquisition. Options include Browser History, File System, Installed Software, Memory Dump, Network Connections, Registry, and System Information. |
| - Evidence Types | Select one or more types of evidence to collect, such as Documents, Executables, Files, Images, and Logs. |

Output

The node outputs JSON data representing the newly created acquisition profile. This typically includes details such as the profile's unique identifier, name, description, associated organization, selected artifacts, and evidence types. The output enables downstream nodes or workflows to reference or manipulate the created profile.

No binary data output is involved in this operation.

Dependencies

  • Requires an API key credential for authenticating with the external Binalyze AIR service.
  • The node depends on the external Binalyze AIR API to manage acquisition profiles.
  • Proper configuration of the API authentication credentials in n8n is necessary.
  • The organization must exist in the system before creating an acquisition profile under it.

Troubleshooting

  • Common Issues:

    • Providing an invalid or non-numeric organization ID when specifying the organization by ID will cause validation errors.
    • Omitting required fields like Profile Name or Organization will result in errors preventing profile creation.
    • Network or authentication failures with the external API may cause the node to fail.
  • Error Messages and Resolutions:

    • "Not a valid organization ID (must be numeric)": Ensure the organization ID is a number if entering manually.
    • "Missing required parameter" or similar: Verify that all mandatory inputs are provided.
    • Authentication errors: Check that the API key credential is correctly configured and has sufficient permissions.
    • API connectivity issues: Confirm network access to the external service and that the service is operational.
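
The validation failures listed above can be caught before the node runs, for example in a preceding n8n Code node. The following is an added example, not code from the node or from Binalyze; the field names (profileName, organization.mode, artifacts, evidenceTypes) are hypothetical, and only the option labels and the organization ID error text come from this page.

```javascript
// Added example: pre-flight validation of "Create Acquisition Profile" inputs.
// Field names are hypothetical; the option labels and the organization ID
// error text are the ones documented on this page.
const ARTIFACTS = new Set([
  'Browser History', 'File System', 'Installed Software', 'Memory Dump',
  'Network Connections', 'Registry', 'System Information',
]);
const EVIDENCE_TYPES = new Set(['Documents', 'Executables', 'Files', 'Images', 'Logs']);

// Return the entries of `values` that are not in the documented option list.
function unknownOptions(values, allowed) {
  if (values === undefined) return [];
  if (!Array.isArray(values)) return ['<not a list>'];
  return values.filter((v) => !allowed.has(v));
}

function validateProfileInput(input) {
  const errors = [];
  const name = typeof input.profileName === 'string' ? input.profileName.trim() : '';
  if (!name) errors.push('Missing required parameter: Profile Name');

  const org = input.organization;
  let organization = null;
  if (!org || org.value === undefined || String(org.value).trim() === '') {
    errors.push('Missing required parameter: Organization');
  } else if (org.mode === 'id') {
    // By-ID mode accepts digits only, so "12a" or "-3" is rejected up front.
    const raw = String(org.value).trim();
    if (!/^\d+$/.test(raw)) errors.push('Not a valid organization ID (must be numeric)');
    else organization = { mode: 'id', value: Number(raw) };
  } else {
    organization = { mode: org.mode, value: String(org.value).trim() };
  }

  for (const bad of unknownOptions(input.artifacts, ARTIFACTS)) errors.push(`Unknown artifact: ${bad}`);
  for (const bad of unknownOptions(input.evidenceTypes, EVIDENCE_TYPES)) errors.push(`Unknown evidence type: ${bad}`);
  if (errors.length) return { ok: false, errors };

  // De-duplicate selections so the collected scope is exactly what was reviewed.
  const profile = { profileName: name, description: input.description || '', organization,
    artifacts: [...new Set(input.artifacts || [])],
    evidenceTypes: [...new Set(input.evidenceTypes || [])] };
  return { ok: true, errors, profile };
}

// Constructed sample inputs.
const good = { profileName: 'Incident Response Profile', organization: { mode: 'id', value: '12' },
  artifacts: ['Memory Dump', 'System Information'], evidenceTypes: ['Logs'] };
const bad = { profileName: ' ', organization: { mode: 'id', value: '12a' }, artifacts: ['Memory dumps'] };
console.log(validateProfileInput(good), validateProfileInput(bad));
```

Rejecting unknown artifact labels up front matters for forensic consistency: a misspelled selection that is dropped without notice would produce a profile that collects less evidence than the responder expects.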
