Overview
The "Create Triage Rule" operation in the Binalyze AIR node allows users to define and add new triage rules for endpoint investigation and threat detection. Triage rules are used to automatically scan endpoints' file systems and memory using different rule engines (YARA, Sigma, or Osquery) to identify suspicious activity or artifacts.
This operation is beneficial in scenarios where security analysts want to automate the detection of threats or anomalies on endpoints by applying custom or community-developed detection rules. For example, a SOC analyst can create YARA rules to detect malware signatures or Sigma rules to identify suspicious log patterns, which will then be applied during endpoint triage.
Practical examples:
- Creating a YARA rule that scans both file system and memory for known malware indicators.
- Adding a Sigma rule to detect specific event log patterns related to lateral movement.
- Defining an Osquery rule to query endpoint configurations for compliance checks.
Properties
| Name | Meaning |
|---|---|
| Rule Engine | The engine type for the triage rule. Options: YARA, Sigma, Osquery. |
| Rule Description | A textual description of the triage rule. Must contain only alphanumeric characters, spaces, hyphens, underscores, or @ sign. |
| Rule Content | The actual content of the triage rule written in the selected engine's syntax (YARA, Sigma, or Osquery). |
| Search In | Where to run the triage rule when using YARA engine. Options: File System, Memory, or both. |
| Additional Fields | Optional extra fields, listed in the two rows below. |
| - Organization | The organization to associate with this triage rule. Use "0" for all organizations. |
| - Rule Tag IDs | Comma-separated list of tag IDs to associate with the triage rule. |
Output
The output JSON contains the details of the created triage rule as returned by the Binalyze AIR API. This typically includes identifiers, metadata such as description, engine type, rule content, associated tags, and organizational information.
No binary data output is involved in this operation.
Dependencies
- Requires an active connection to Binalyze AIR via an API key credential configured in n8n.
- The node depends on the Binalyze AIR API being accessible and properly authenticated.
- No additional external dependencies beyond the API and credentials.
Troubleshooting
- Invalid Description Error: If the description contains invalid characters, the node will reject it. Ensure the description only uses alphanumeric characters, spaces, hyphens, underscores, or @ signs.
- Authentication Failures: Errors related to authentication usually indicate missing or invalid API credentials. Verify the API key configuration.
- Rule Syntax Errors: If the rule content does not conform to the selected engine's syntax (YARA, Sigma, Osquery), the API may reject the creation request. Validate the rule content before submission.
- Organization ID Issues: When specifying an organization, ensure the ID is a positive integer, or zero for the default (all organizations). Invalid IDs will cause errors.
- Tag IDs Format: Tag IDs must be comma-separated strings without invalid characters.
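The checks listed under Properties and Troubleshooting can be applied before the request leaves the workflow, so a malformed rule fails locally rather than at the API. The following is an added example, not the node's own code; the request-body field names it emits are assumed placeholders, not Binalyze AIR's documented schema.

```javascript
// Added example: pre-flight validation of "Create Triage Rule" inputs,
// mirroring the rules this page lists. The request-body field names below
// are assumed placeholders, not the Binalyze AIR API's documented schema.
const RULE_ENGINES = ['yara', 'sigma', 'osquery'];
const SEARCH_IN = ['filesystem', 'memory', 'both'];
// Description: alphanumerics, spaces, hyphens, underscores, or @ only.
const DESCRIPTION_RE = /^[A-Za-z0-9 _@-]+$/;
// Each tag ID token: alphanumerics, hyphens, underscores (assumed format).
const TAG_ID_RE = /^[A-Za-z0-9_-]+$/;

function validateTriageRuleInput(input) {
  const errors = [];
  const engine = String(input.ruleEngine ?? '').toLowerCase();
  if (!RULE_ENGINES.includes(engine)) {
    errors.push(`Rule Engine must be one of: ${RULE_ENGINES.join(', ')}`);
  }
  if (!DESCRIPTION_RE.test(input.description ?? '')) {
    errors.push('Rule Description may contain only alphanumerics, spaces, hyphens, underscores, or @');
  }
  if (!String(input.ruleContent ?? '').trim()) {
    errors.push('Rule Content must not be empty');
  }
  // Search In only applies to the YARA engine; it is required there.
  const searchIn = String(input.searchIn ?? '').toLowerCase();
  if (engine === 'yara' && !SEARCH_IN.includes(searchIn)) {
    errors.push(`Search In must be one of: ${SEARCH_IN.join(', ')} for YARA rules`);
  }
  // Organization: a positive integer, or 0 for all organizations.
  const orgRaw = String(input.organizationId ?? '0').trim();
  const orgId = Number(orgRaw);
  if (!/^\d+$/.test(orgRaw)) {
    errors.push('Organization ID must be a positive integer or 0');
  }
  // Tag IDs: comma-separated, each token free of invalid characters.
  const tagIds = String(input.tagIds ?? '').split(',').map((t) => t.trim()).filter(Boolean);
  if (tagIds.some((t) => !TAG_ID_RE.test(t))) {
    errors.push('Tag IDs must be comma-separated values without invalid characters');
  }
  if (errors.length) return { ok: false, errors, body: null };
  return {
    ok: true,
    errors: [],
    body: { engine, description: input.description, rule: input.ruleContent,
            searchIn: engine === 'yara' ? searchIn : undefined,
            organizationId: orgId, tagIds },
  };
}
```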