Overview
This n8n node integrates with Binalyze AIR, a digital forensics and incident response platform. The Baseline - Acquire Baseline operation acquires baseline data for a given case from a set of endpoints selected by filter criteria. It is used when an organization wants to establish a known-good state (a baseline) for the endpoints involved in a specific investigation or case, so that later acquisitions can be compared against it.
Typical use cases include:
- Automatically gathering baseline endpoint data filtered by attributes such as group, IP address, isolation status, platform, and more.
- Streamlining forensic investigations by programmatically acquiring relevant baseline information for a case.
- Filtering endpoints dynamically to focus on specific subsets during baseline acquisition.
Properties
| Name | Meaning |
|---|---|
| Case ID | The unique identifier of the case for which the baseline acquisition is performed. |
| Filter Options | A collection of optional filters that narrow the set of endpoints included in the baseline acquisition. The individual filters are listed in the rows below; filters left empty are not applied. |
| Excluded Endpoint IDs | Comma-separated list of endpoint IDs to exclude from the baseline. |
| Group Full Path | Filter endpoints by their full group path. |
| Group ID | Filter endpoints by group ID. |
| Included Endpoint IDs | Comma-separated list of endpoint IDs to include in the baseline. |
| IP Address | Filter endpoints by IP address. |
| Isolation Status | Filter endpoints by isolation status. Possible values: Isolated, Not Isolated. |
| Issue | Filter endpoints by issue. |
| Managed Status | Filter endpoints by managed status. Possible values: Managed, Unmanaged. |
| Name | Filter endpoints by endpoint name. |
| Online Status | Filter endpoints by online status. Possible values: Online, Offline. |
| Organization IDs | Comma-separated list of organization IDs to filter endpoints. |
| Platform | Filter endpoints by platform. Possible values: Windows, Linux, macOS. |
| Policy | Filter endpoints by policy. |
| Search Term | Search term to filter endpoints. |
| Tags | Filter endpoints by tags (comma-separated). |
| Version | Filter endpoints by version. |
Output
The node outputs JSON data representing the result of the baseline acquisition operation. This typically includes details about the acquired baseline and the endpoints that matched the specified filters.
- The output JSON structure will contain information about the baseline acquisition status, associated case, and filtered endpoints.
- No binary data output is indicated for this operation.
Dependencies
- Requires an API key credential for authenticating with the Binalyze AIR platform.
- The node depends on the Binalyze AIR API to perform baseline acquisitions.
- Proper configuration of the API authentication credentials within n8n is necessary.
- Network access to the Binalyze AIR service endpoint must be available.
Troubleshooting
Common Issues:
- Invalid or missing Case ID: The operation requires a valid case identifier; ensure it is correctly provided.
- Incorrect filter formats: Comma-separated lists must be properly formatted without extra spaces or invalid characters.
- Authentication failures: Verify that the API key credential is valid and has sufficient permissions.
- Network connectivity issues: Ensure the n8n instance can reach the Binalyze AIR API endpoint.
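The following is an added example, not code from the n8n node or from Binalyze; it shows how the Filter Options above can be normalized and validated before the request is sent, which is where the "incorrect filter formats" problem from the troubleshooting list usually originates. The property names, the accepted identifier characters and the shape of the returned object are assumptions made for illustration and are not the Binalyze AIR API schema; the allowed enum values are the ones listed in the Properties table.

```javascript
// Added example (not the node's or Binalyze AIR's own code). Normalizes the
// Baseline - Acquire Baseline parameters: trims comma-separated lists, rejects
// invalid characters and unknown enum values, and requires a Case ID.
// Field names and the output shape are assumptions for illustration.

// Allowed values, as listed in the Properties table.
const ENUMS = {
  isolationStatus: ['Isolated', 'Not Isolated'],
  managedStatus: ['Managed', 'Unmanaged'],
  onlineStatus: ['Online', 'Offline'],
  platform: ['Windows', 'Linux', 'macOS'],
};

// Comma-separated list fields. Whitespace around items is trimmed, empty items
// are dropped and duplicates removed, so "e1, e2,,e2 " becomes ["e1", "e2"].
const LIST_FIELDS = ['excludedEndpointIds', 'includedEndpointIds', 'organizationIds', 'tags'];

// Free-text filters that are passed through after trimming.
const TEXT_FIELDS = ['groupFullPath', 'groupId', 'ipAddress', 'issue', 'name', 'policy', 'searchTerm', 'version'];

// Characters accepted inside a list item (assumed: letters, digits, - _ . :).
const ID_RE = /^[A-Za-z0-9._:-]+$/;

function parseList(fieldName, raw) {
  if (raw === undefined || raw === null || raw === '') return [];
  const items = String(raw)
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
  for (const item of items) {
    if (!ID_RE.test(item)) {
      throw new Error(`Invalid character in ${fieldName}: "${item}"`);
    }
  }
  return [...new Set(items)];
}

function buildBaselineFilter(params) {
  const caseId = typeof params.caseId === 'string' ? params.caseId.trim() : '';
  if (!caseId) throw new Error('Case ID is required');

  const filter = {};

  for (const fieldName of LIST_FIELDS) {
    const list = parseList(fieldName, params[fieldName]);
    if (list.length > 0) filter[fieldName] = list;
  }

  for (const [fieldName, allowed] of Object.entries(ENUMS)) {
    const value = params[fieldName];
    if (value === undefined || value === null || value === '') continue;
    if (!allowed.includes(value)) {
      throw new Error(`${fieldName} must be one of ${allowed.join(', ')}; got "${value}"`);
    }
    filter[fieldName] = value;
  }

  for (const fieldName of TEXT_FIELDS) {
    const value = params[fieldName];
    if (typeof value === 'string' && value.trim() !== '') filter[fieldName] = value.trim();
  }

  // An endpoint listed in both Included and Excluded IDs is a configuration
  // error; fail early instead of letting the server pick one interpretation.
  const included = filter.includedEndpointIds || [];
  const excluded = filter.excludedEndpointIds || [];
  const clash = included.filter((id) => excluded.includes(id));
  if (clash.length > 0) {
    throw new Error(`Endpoint IDs both included and excluded: ${clash.join(', ')}`);
  }

  return { caseId, filter };
}

// Constructed sample input with the kind of stray whitespace that causes
// "incorrect filter formats" errors when passed through unchanged.
const example = buildBaselineFilter({
  caseId: ' CASE-42 ',
  includedEndpointIds: 'ep-1, ep-2,,ep-2 ',
  platform: 'Windows',
  name: ' file-server ',
});
console.log(JSON.stringify(example));
```

Run this before the HTTP call (for instance in a Code node placed ahead of the Binalyze AIR node) so that a malformed list or an unsupported enum value is reported by the workflow with a precise message rather than surfacing as a generic API error.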
Error Messages:
- "Unknown resource": Indicates the resource parameter is incorrect or unsupported.
- API errors related to authorization or invalid parameters will be returned from the Binalyze AIR API; check the error message for specifics.
Resolution Tips:
- Double-check all required fields and filter inputs.
- Confirm API credentials and permissions.
- Review network settings and firewall rules.
- Consult Binalyze AIR API documentation for detailed error codes.