Overview
The node integrates with Binalyze AIR to manage triage rules, specifically supporting the operation to assign triage tasks. This operation allows users to assign one or more triage rules to a specific case, configuring how the triage task should be handled (automatically or manually). It also supports enabling the MITRE ATT&CK framework for enhanced threat intelligence mapping.
This node is beneficial in security incident response workflows where automated or manual triage of cases is required based on predefined triage rules. For example, a security analyst can automate the assignment of triage tasks to cases triggered by alerts, filtering endpoints and assets involved, and optionally applying MITRE ATT&CK techniques for better context.
Properties
| Name | Meaning |
|---|---|
| Case ID | The unique identifier of the case to which the triage task will be assigned. |
| Triage Rule IDs | A comma-separated list of triage rule IDs that specify which triage rules to assign to the case. |
| Task Choice | Specifies whether the triage task should be configured automatically ("Auto") or require manual configuration ("Manual"). |
| Enable MITRE ATT&CK | Boolean flag indicating whether to enable the MITRE ATT&CK framework integration for this triage task. |
| Additional Fields | A collection of optional filters and parameters to refine the assignment scope: |
| - Excluded Endpoint IDs | Comma-separated endpoint IDs to exclude from the triage task. |
| - Filter By Group Full Path | Filter endpoints by their group full path. |
| - Filter By Group ID | Filter endpoints by group ID. |
| - Filter By IP Address | Filter endpoints by IP address. |
| - Filter By Isolation Status | Filter endpoints by isolation status; options include "Isolated" and "Not Isolated". |
| - Filter By Issue | Filter endpoints by associated issue. |
| - Filter By Managed Status | Filter endpoints by managed status; options include "Managed" and "Unmanaged". |
| - Filter By Name | Filter endpoints by name. |
| - Filter By Online Status | Filter endpoints by online status; options include "Online" and "Offline". |
| - Filter By Organization | Select an organization by ID, name, or from a list to filter endpoints accordingly. |
| - Filter By Platform | Filter endpoints by platform; options include "Windows", "Linux", and "MacOS". |
| - Filter By Policy | Filter endpoints by policy. |
| - Filter By Tags | Comma-separated tags to filter endpoints. |
| - Filter By Version | Filter endpoints by version. |
| - Included Endpoint IDs | Comma-separated endpoint IDs to explicitly include in the triage task. |
| - Search Term | A search term to further filter endpoints. |
Output
The node outputs JSON data representing the result of the triage task assignment operation. This typically includes confirmation details such as the assigned triage rule IDs, the case ID, task configuration, and any metadata returned by the Binalyze AIR API related to the assignment.
Where other operations in the node support binary output, that output represents files or evidence downloads; for this operation the output is only structured JSON confirming the assignment.
Dependencies
- Requires an active connection to Binalyze AIR via an API key credential.
- The node depends on the Binalyze AIR API to perform triage rule assignments.
- Proper permissions and API access must be configured in Binalyze AIR for the user/API key used.
- No additional external services are required beyond Binalyze AIR.
Troubleshooting
Common Issues:
- Invalid or missing Case ID or Triage Rule IDs will cause the operation to fail.
- Incorrect formatting of comma-separated lists (e.g., extra spaces) may lead to errors.
- Insufficient permissions or expired API keys will result in authentication errors.
- Filtering parameters that do not match any endpoints may cause the assignment to have no effect.
Error Messages:
- "Unknown resource": Indicates the resource parameter is incorrect or unsupported.
- Authentication errors suggest checking the API key credential validity.
- Validation errors on input fields indicate missing required properties or invalid formats.
Resolutions:
- Verify all required fields are provided and correctly formatted.
- Ensure the API key credential has appropriate permissions.
- Use the node's load options and search features to select valid triage rule IDs and case IDs.
- Review Binalyze AIR logs or API responses for detailed error information.
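As an added illustration of how the Properties above map onto a request, and of the input problems listed under Troubleshooting (missing Case ID, stray spaces in comma-separated lists, an invalid Task Choice), here is a small normalisation step in JavaScript. It is not the node's own code, and the request-body field names (`taskConfig`, `mitreAttack`, `filter`, and so on) are assumptions rather than the documented Binalyze AIR schema.

```javascript
// Added example, not the node's source. Request field names below are assumed.

// Split a comma-separated node parameter into a clean array: trims the
// surrounding whitespace the Troubleshooting section warns about and drops
// empty entries (for example a trailing comma).
function parseIdList(value) {
  if (value === undefined || value === null) return [];
  return String(value)
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// Build the assignment request from the node's parameters, validating the
// required fields before anything is sent to the API.
function buildAssignTriageRequest(params) {
  const caseId = String(params.caseId || '').trim();
  const triageRuleIds = parseIdList(params.triageRuleIds);
  if (!caseId) throw new Error('Case ID is required');
  if (triageRuleIds.length === 0) throw new Error('At least one Triage Rule ID is required');

  // Task Choice is documented as "Auto" or "Manual"; anything else is rejected.
  const taskChoice = String(params.taskChoice || 'Auto').trim().toLowerCase();
  if (taskChoice !== 'auto' && taskChoice !== 'manual') {
    throw new Error('Task Choice must be "Auto" or "Manual", got "' + params.taskChoice + '"');
  }

  // Additional Fields are optional; a filter is only emitted when it is set,
  // so an untouched field never narrows the endpoint scope by accident.
  const extra = params.additionalFields || {};
  const filter = {};
  for (const listKey of ['includedEndpointIds', 'excludedEndpointIds', 'tags']) {
    if (extra[listKey]) filter[listKey] = parseIdList(extra[listKey]);
  }
  for (const key of ['name', 'ipAddress', 'platform', 'onlineStatus', 'isolationStatus',
                     'managedStatus', 'organization', 'policy', 'version', 'searchTerm']) {
    if (extra[key] !== undefined && extra[key] !== '') filter[key] = extra[key];
  }

  return {
    caseId,
    triageRuleIds,
    taskConfig: { choice: taskChoice },          // assumed field name
    mitreAttack: { enabled: Boolean(params.enableMitreAttack) }, // assumed field name
    filter,
  };
}
```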
Links and References
- Binalyze AIR Official Documentation
- MITRE ATT&CK Framework
- n8n Documentation on Creating Custom Nodes