Actions99
- InterACT Actions
- Notification Actions
- Organization Actions
- Task Actions
- Policy Actions
- Repository Actions
- Setting Actions
- Triage Rule Actions
- User Actions
- Acquisition Actions
- API Token Actions
- Asset Actions
- Auto Asset Tag Actions
- Baseline Actions
- Case Actions
- Evidence Actions
Overview
This node interacts with the "Evidence" resource of the Binalyze AIR platform, specifically supporting the operation to retrieve detailed information about a PPC (Presumably "Post-Processing Collection") file related to a given task. It is useful in digital forensics and incident response workflows where users need to fetch evidence metadata or details associated with specific tasks executed on endpoints.
Typical use cases include:
- Retrieving evidence file info after a forensic acquisition task completes.
- Filtering evidence files based on various endpoint or organizational attributes.
- Integrating evidence metadata retrieval into automated investigation or reporting workflows.
For example, a security analyst could automate fetching evidence details for a task ID representing a completed endpoint acquisition, optionally filtering by endpoint status or tags to narrow down relevant data.
Properties
| Name | Meaning |
|---|---|
| Task ID | The unique identifier of the task for which to retrieve evidence information. Must contain only letters, numbers, hyphens, and underscores. |
| Additional Fields | Optional filters to refine the evidence retrieval query. These include: |
| - Filter By Excluded Endpoint IDs | Comma-separated list of endpoint IDs to exclude from results. |
| - Filter By Group Full Path | Full path string of a group to filter endpoints belonging to that group. |
| - Filter By Group ID | Identifier of a group to filter endpoints. |
| - Filter By Included Endpoint IDs | Comma-separated list of endpoint IDs to include in results. |
| - Filter By IP Address | IP address to filter endpoints. |
| - Filter By Isolation Status | One or more isolation statuses to filter endpoints by: Isolated, Not Isolated, Isolating, Lifting Isolation. |
| - Filter By Issue | Filter endpoints by issue description or identifier. |
| - Filter By Managed Status | Filter endpoints by management status: Managed or Unmanaged. |
| - Filter By Name | Filter endpoints by name. |
| - Filter By Online Status | Filter endpoints by online status: Online or Offline. |
| - Filter By Organization IDs | Comma-separated list of organization IDs to filter endpoints. |
| - Filter By Platform | Filter endpoints by platform type: Windows, Linux, macOS. |
| - Filter By Policy | Filter endpoints by policy name or ID. |
| - Filter By Search Term | General search term to filter endpoints. |
| - Filter By Tags | Comma-separated list of tags to filter endpoints. |
| - Filter By Version | Filter endpoints by version string. |
Output
The node outputs JSON data containing detailed information about the PPC file(s) associated with the specified task ID, filtered according to any additional fields provided. The exact structure depends on the API response but typically includes metadata such as file identifiers, timestamps, endpoint details, and possibly status or classification information.
If binary data output is supported (not explicitly shown in the code), it would represent the actual evidence file content or related attachments.
Dependencies
- Requires an active connection to the Binalyze AIR API via an API key credential configured in n8n.
- The node depends on the Binalyze AIR service being accessible and the user having appropriate permissions to access evidence data.
- No other external dependencies are indicated.
Troubleshooting
- Invalid Task ID: If the Task ID contains invalid characters, the node will reject it due to regex validation. Ensure the Task ID only contains letters, numbers, hyphens, and underscores.
- No Evidence Found: If no evidence matches the Task ID and filters, the output may be empty. Verify the Task ID and filter criteria.
- Authentication Errors: Failure to authenticate with the Binalyze AIR API will prevent data retrieval. Check API key validity and permissions.
- Network Issues: Connectivity problems to the Binalyze AIR service can cause timeouts or errors.
- Filter Misconfiguration: Using incompatible or incorrect filter values (e.g., wrong platform names or malformed lists) may result in no data or errors.
Links and References
- Binalyze AIR Official Documentation — For detailed API and product usage.
- n8n Documentation — For general guidance on using custom nodes and credentials.