Overview
The "Download PPC File" operation under the Evidence resource in this node allows users to retrieve evidence files associated with a specific task ID from Binalyze AIR. This operation is useful for security analysts or incident responders who need to download and analyze evidence collected during an investigation or forensic task.
Typical use cases include:
- Automatically downloading evidence files related to a particular investigation task.
- Filtering evidence by various criteria such as endpoint IDs, IP addresses, isolation status, platform, and more to narrow down the relevant data.
- Integrating evidence retrieval into automated workflows for further processing or archival.
For example, a user might specify a task ID and filter by platform (e.g., Windows) and isolation status (e.g., isolated) to download only relevant evidence files from endpoints that match those criteria.
Properties
| Name | Meaning |
|---|---|
| Task ID | The unique identifier of the task for which to retrieve evidence. Must contain only letters, numbers, hyphens, and underscores. |
| Additional Fields | Optional filters to refine the evidence download request. These include: |
| - Filter By Excluded Endpoint IDs | Comma-separated list of endpoint IDs to exclude from the results. |
| - Filter By Group Full Path | Full path string of the group to filter evidence by. |
| - Filter By Group ID | Identifier of the group to filter evidence by. |
| - Filter By Included Endpoint IDs | Comma-separated list of endpoint IDs to include in the results. |
| - Filter By IP Address | IP address to filter evidence by. |
| - Filter By Isolation Status | One or more isolation statuses to filter by. Options: Isolated, Not Isolated, Isolating, Lifting Isolation. |
| - Filter By Issue | Text to filter evidence by issue description. |
| - Filter By Managed Status | One or more managed statuses to filter by. Options: Managed, Unmanaged. |
| - Filter By Name | Name string to filter evidence by. |
| - Filter By Online Status | One or more online statuses to filter by. Options: Online, Offline. |
| - Filter By Organization IDs | Comma-separated list of organization IDs to filter evidence by. |
| - Filter By Platform | One or more platforms to filter by. Options: Windows, Linux, macOS. |
| - Filter By Policy | Policy name or identifier to filter evidence by. |
| - Filter By Search Term | General search term to filter evidence by. |
| - Filter By Tags | Comma-separated list of tags to filter evidence by. |
| - Filter By Version | Version string to filter evidence by. |
Output
The node outputs JSON data representing the downloaded evidence file(s) associated with the specified task and applied filters. The exact structure depends on the API response but typically includes metadata about the evidence and the file content or a link to the file.
If the evidence includes binary data (such as the actual PPC file), it will be provided in the binary output field, allowing subsequent nodes to process or save the file accordingly.
Dependencies
- Requires an active connection to the Binalyze AIR API using an API key credential configured in n8n.
- The node depends on the Binalyze AIR service being accessible and the provided task ID being valid.
- Proper permissions are needed to access evidence related to the specified task.
Troubleshooting
- Invalid Task ID Format: If the task ID contains invalid characters, the node will reject it. Ensure the task ID only contains letters, numbers, hyphens, and underscores.
- No Evidence Found: Applying overly restrictive filters may result in no evidence being returned. Try broadening filter criteria.
- Authentication Errors: Verify that the API key credential is correctly configured and has sufficient permissions.
- Network Issues: Ensure connectivity to the Binalyze AIR API endpoint.
- API Rate Limits: Excessive requests may trigger rate limiting; consider adding delays or reducing frequency.
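The task ID rule from the Properties table and the enumerated filter options are easy to get wrong upstream of the node. The following is an added example, not code from the n8n node or from Binalyze, showing how a Code node placed before "Download PPC File" can validate the task ID and normalize the comma-separated and enumerated filters so that the "Invalid Task ID Format" and over-restrictive-filter cases above are caught early; the key names of the returned object are an assumption for illustration, not the node's real parameter names.

```javascript
// Added example (not part of the n8n node or Binalyze AIR): pre-validate the
// inputs of a "Download PPC File" call. Output key names are assumed.

const TASK_ID_RE = /^[A-Za-z0-9_-]+$/;   // letters, numbers, hyphens, underscores (page rule)

// Allowed values for the enumerated filters, as listed in the Properties table.
const ENUM_FILTERS = {
  isolationStatus: ['Isolated', 'Not Isolated', 'Isolating', 'Lifting Isolation'],
  managedStatus: ['Managed', 'Unmanaged'],
  onlineStatus: ['Online', 'Offline'],
  platform: ['Windows', 'Linux', 'macOS'],
};

// Filters the node takes as comma-separated strings; normalized to arrays here.
const LIST_FILTERS = ['excludedEndpointIds', 'includedEndpointIds', 'organizationIds', 'tags'];

function splitCsv(value) {
  return String(value).split(',').map((s) => s.trim()).filter(Boolean);
}

function buildDownloadPpcRequest(taskId, additionalFields = {}) {
  if (typeof taskId !== 'string' || !TASK_ID_RE.test(taskId)) {
    throw new Error(`Invalid Task ID format: ${JSON.stringify(taskId)}`);
  }
  const filters = {};
  for (const [key, raw] of Object.entries(additionalFields)) {
    if (raw === undefined || raw === null || raw === '') continue;   // filter left unset
    if (LIST_FILTERS.includes(key)) {
      const items = splitCsv(raw);
      if (items.length) filters[key] = items;
    } else if (key in ENUM_FILTERS) {
      const wanted = Array.isArray(raw) ? raw : splitCsv(raw);
      const bad = wanted.filter((v) => !ENUM_FILTERS[key].includes(v));
      if (bad.length) {
        throw new Error(`Filter ${key}: unknown option(s) ${bad.join(', ')}; ` +
                        `expected one of ${ENUM_FILTERS[key].join(', ')}`);
      }
      if (wanted.length) filters[key] = wanted;
    } else {
      filters[key] = String(raw);   // free-text filters: name, issue, search term, ...
    }
  }
  return { taskId, filters };
}
```

An empty `filters` object means the node would return all evidence for the task, which is the starting point to widen from when a restrictive filter set yields nothing.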