
Binalyze AIR

Manage Binalyze AIR resources


Overview

This node updates an existing triage rule in the Binalyze AIR system. Triage rules automate the analysis and categorization of digital forensic data against criteria defined by the user. The update operation is used to modify the content, description, or other attributes of a triage rule in order to refine its detection or analysis logic.

Common scenarios include:

  • Adjusting detection rules as new threats or patterns emerge.
  • Correcting or improving existing triage rules without creating new ones.
  • Changing the scope of where the rule applies (e.g., file system vs memory).

Practical example: You have a YARA-based triage rule that scans for suspicious files on endpoints. After discovering new indicators, you update the rule content and description to improve detection accuracy.

Properties

Triage Rule: The specific triage rule to update. Can be selected from a list or specified by its ID.
Rule Engine: The engine type used for the triage rule. Options: YARA, Sigma, Osquery.
Rule Description: A textual description of the triage rule. Must contain only alphanumeric characters, spaces, hyphens, underscores, and the @ sign.
Rule Content: The actual content of the triage rule, written according to the selected engine's syntax.
Search In (YARA engine only): Specifies where to search when running the triage rule. Options: File System, Memory, or Both.
Additional Fields - Organization: Optionally specify the organization this triage rule belongs to. Use "0" for all organizations, or select by list, ID, or name.

Output

The node outputs JSON data representing the updated triage rule object as returned by the Binalyze AIR API. This typically includes fields such as the triage rule ID, description, engine type, rule content, associated organization, and other metadata.

No binary data output is indicated for this operation.

Dependencies

  • Requires an active connection to the Binalyze AIR API via an API key credential configured in n8n.
  • The node depends on the Binalyze AIR service being accessible and the API token having permissions to update triage rules.

Troubleshooting

  • Invalid Triage Rule ID: If the provided triage rule ID contains invalid characters (anything other than letters, numbers, hyphens, and underscores), the node will throw a validation error. Ensure the ID matches the required pattern.
  • Description Validation Error: The description must only contain allowed characters; otherwise, the node will reject it with a validation message.
  • API Authentication Errors: If the API key is missing, expired, or lacks permissions, the node will fail to update the triage rule. Verify credentials and permissions.
  • Rule Content Syntax Errors: Although not validated by the node itself, incorrect rule content may cause the backend to reject the update. Validate the rule content against the chosen engine's syntax before updating.
  • Organization ID Issues: When specifying an organization, ensure the ID is a positive number or zero for default/all organizations. Invalid IDs will cause errors.
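The validation rules listed above (ID characters, description characters, engine and Search In options, organization ID) can be checked in a workflow before the update request is sent, so that a bad parameter fails fast with a clear message instead of an API error. The following is an added example and is not code from the n8n Binalyze AIR node or from Binalyze; the payload field names (ruleId, engine, rule, searchIn, organizationId) and the sample rule are assumptions constructed for illustration, not the Binalyze AIR API's documented schema.

```javascript
// Added example (not the n8n node's own code): client-side checks mirroring the
// Troubleshooting notes for the Update Triage Rule operation. Payload field
// names are assumptions, not the Binalyze AIR API schema.

const RULE_ENGINES = new Set(['YARA', 'Sigma', 'Osquery']);
const SEARCH_IN_OPTIONS = new Set(['File System', 'Memory', 'Both']);
// Triage rule IDs: letters, numbers, hyphens and underscores only.
const RULE_ID_PATTERN = /^[A-Za-z0-9_-]+$/;
// Descriptions: alphanumerics, spaces, hyphens, underscores and "@".
const DESCRIPTION_PATTERN = /^[A-Za-z0-9 _@-]+$/;
// Organization IDs: a non-negative integer, where 0 means "all organizations".
const ORG_ID_PATTERN = /^\d+$/;

// Returns a list of human-readable validation errors; an empty list means the
// parameters satisfy every rule described on this page.
function validateTriageRuleUpdate(params) {
  const errors = [];
  const { ruleId, engine, description, content, searchIn, organizationId } = params;

  if (typeof ruleId !== 'string' || !RULE_ID_PATTERN.test(ruleId)) {
    errors.push('Invalid Triage Rule ID: only letters, numbers, hyphens and underscores are allowed');
  }
  if (!RULE_ENGINES.has(engine)) {
    errors.push(`Unknown rule engine "${engine}"; expected one of ${[...RULE_ENGINES].join(', ')}`);
  }
  if (typeof description !== 'string' || !DESCRIPTION_PATTERN.test(description)) {
    errors.push('Description may only contain alphanumerics, spaces, hyphens, underscores and @');
  }
  if (typeof content !== 'string' || content.trim() === '') {
    errors.push('Rule content must be a non-empty string');
  }
  // "Search In" applies to the YARA engine only.
  if (engine === 'YARA') {
    if (!SEARCH_IN_OPTIONS.has(searchIn)) {
      errors.push('YARA rules require Search In: File System, Memory or Both');
    }
  } else if (searchIn !== undefined) {
    errors.push(`Search In is only valid for the YARA engine, not ${engine}`);
  }
  if (organizationId !== undefined && !ORG_ID_PATTERN.test(String(organizationId))) {
    errors.push('Organization ID must be a positive integer, or 0 for all organizations');
  }
  return errors;
}

// Builds the JSON body for the update call, throwing if validation fails.
// Field names below are assumptions for illustration only.
function buildUpdatePayload(params) {
  const errors = validateTriageRuleUpdate(params);
  if (errors.length > 0) {
    throw new Error(`Triage rule update rejected:\n- ${errors.join('\n- ')}`);
  }
  const payload = {
    description: params.description,
    engine: params.engine,
    rule: params.content,
    organizationId: params.organizationId === undefined ? 0 : Number(params.organizationId),
  };
  if (params.engine === 'YARA') payload.searchIn = params.searchIn;
  return payload;
}

// Constructed sample input: a YARA rule being updated with a new indicator.
const sampleUpdate = {
  ruleId: 'suspicious-dropper_v2',
  engine: 'YARA',
  description: 'Detects suspicious dropper - updated by soc@example',
  content: 'rule SuspiciousDropper {\n  strings:\n    $a = "example-indicator"\n  condition:\n    $a\n}',
  searchIn: 'Both',
  organizationId: '0',
};

console.log(JSON.stringify(buildUpdatePayload(sampleUpdate), null, 2));
```

Running validateTriageRuleUpdate first and only then building the payload keeps the character rules in one place; if the node's own validation is later tightened, only the patterns at the top need to change. Note that the rule content itself is not syntax-checked here, matching the page's caveat that the backend, not the node, rejects malformed rule content.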
