Overview
This node manages Binalyze AIR triage rules. The operation documented here, "Validate Triage Rule", checks that a triage rule written for one of the supported rule engines (YARA, Sigma, or Osquery) is syntactically correct and compatible with the selected engine before it is deployed. Triage rules are what AIR runs on endpoints, automatically or on analyst request, to flag malware, suspicious configuration or attacker activity, so a rule that fails to parse produces no detections; validating it first keeps that failure in the workflow rather than in production.
Practical examples include:
- Validating a YARA rule that detects malware signatures.
- Checking a Sigma rule designed for SIEM event correlation.
- Ensuring an Osquery query used for endpoint monitoring is valid.
Validating up front catches malformed rules before they are pushed to endpoints, which makes automated detection pipelines built on AIR more reliable.
Properties
| Name | Meaning |
|---|---|
| Rule Engine | The engine the rule is written for. Options: YARA, Sigma, Osquery |
| Rule Content | The rule text itself. It must be written in the syntax of the selected Rule Engine: a YARA rule, a Sigma rule (YAML), or an Osquery query (SQL) |
Output
The node outputs JSON representing the result of the validation: whether the rule is valid and, when validation fails, the error messages or details returned by the API. The exact structure follows the underlying Binalyze AIR API response; check the fields of the returned object in your workflow rather than assuming a fixed schema.
No binary data output is involved.
Dependencies
- Requires an API key credential for authenticating with the Binalyze AIR service.
- Depends on the Binalyze AIR API to perform triage rule validation.
- No additional environment variables are explicitly required beyond standard n8n credential setup.
Troubleshooting
Common issues:
- Invalid or malformed rule content causing validation failure.
- Selecting a rule engine that does not match the syntax of the provided rule content.
- Network or authentication errors connecting to the Binalyze AIR API.
Error messages:
- Errors indicating invalid rule syntax should be resolved by correcting the rule according to the selected engine’s specification.
- Authentication errors require verifying the API key credential configuration.
- Unknown resource errors indicate misconfiguration of the resource parameter.
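The two most common failures listed above, malformed rule content and a Rule Engine that does not match the content, can be caught in the workflow before the API call is made. The following JavaScript is an added example and is not code from the Binalyze AIR node or from n8n: it applies cheap structural heuristics to the Rule Content to confirm it plausibly matches the selected Rule Engine, and reports which engine the content looks like when there is a mismatch. The sample rules are constructed for this example, the function names (preflightCheck, detectEngine) and the `{ ok, problems }` result shape are the example's own, and the checks are deliberately loose; the response from Validate Triage Rule remains the authoritative verdict.

```javascript
// Added example (not part of the Binalyze AIR node or n8n): a local pre-flight
// check for the Validate Triage Rule inputs. It catches an engine/content
// mismatch or empty content in the workflow instead of as an API error.

const ENGINES = ['YARA', 'Sigma', 'Osquery'];

// Heuristic: a YARA rule is "rule <name> [: tags] { ... condition: ... }",
// optionally prefixed with the private/global modifiers.
function looksLikeYara(content) {
  return /^\s*(?:(?:private|global)\s+)*rule\s+[A-Za-z_][A-Za-z0-9_]*\s*(?::[^{]*)?\{/m.test(content)
    && /\bcondition\s*:/.test(content)
    && /\}\s*$/.test(content);
}

// Heuristic: a Sigma rule is a YAML document whose top level carries at least
// the title, logsource and detection keys (no YAML parser needed for this check).
function looksLikeSigma(content) {
  const hasTopKey = (key) => new RegExp(`^${key}\\s*:`, 'm').test(content);
  return hasTopKey('title') && hasTopKey('logsource') && hasTopKey('detection');
}

// Heuristic: an osquery rule is SQL. This example accepts one SELECT/WITH
// statement with an optional trailing semicolon (single statement is this
// example's choice, not a documented AIR requirement).
function looksLikeOsquery(content) {
  const statement = content.trim().replace(/;\s*$/, '');
  return /^(select|with)\b/i.test(statement) && !/;/.test(statement);
}

const DETECTORS = { YARA: looksLikeYara, Sigma: looksLikeSigma, Osquery: looksLikeOsquery };

// Returns the single engine whose heuristic matches, or null if none or several do.
function detectEngine(content) {
  const matches = ENGINES.filter((engine) => DETECTORS[engine](content));
  return matches.length === 1 ? matches[0] : null;
}

// Mirrors the node's two properties: ruleEngine and ruleContent.
// Returns { ok, problems } (shape chosen for this example).
function preflightCheck(ruleEngine, ruleContent) {
  const problems = [];
  if (!ENGINES.includes(ruleEngine)) problems.push(`unknown rule engine "${ruleEngine}"`);
  if (typeof ruleContent !== 'string' || ruleContent.trim() === '') problems.push('rule content is empty');
  if (problems.length === 0 && !DETECTORS[ruleEngine](ruleContent)) {
    const guessed = detectEngine(ruleContent);
    problems.push(guessed
      ? `content looks like a ${guessed} rule, not ${ruleEngine}`
      : `content does not look like a ${ruleEngine} rule`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample rules for the three engines (not taken from any product).
const SAMPLE_YARA = `rule suspicious_powershell_download
{
    meta:
        description = "PowerShell invoking a web download"
    strings:
        $a = "Net.WebClient" ascii wide nocase
        $b = "DownloadString" ascii wide nocase
    condition:
        $a and $b
}`;

const SAMPLE_SIGMA = `title: Suspicious PowerShell Download
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains: 'DownloadString'
    condition: selection
level: medium`;

const SAMPLE_OSQUERY = `SELECT name, path, cmdline FROM processes WHERE name = 'powershell.exe';`;

// A YARA rule with no condition section, to show the malformed-content case.
const BROKEN_YARA = `rule missing_condition {\n    strings:\n        $a = "x"\n}`;

// Stand-alone run: node preflight.js
const cases = [
  ['YARA', SAMPLE_YARA], ['Sigma', SAMPLE_SIGMA], ['Osquery', SAMPLE_OSQUERY],
  ['YARA', SAMPLE_SIGMA], ['YARA', BROKEN_YARA],
];
for (const [engine, content] of cases) {
  console.log(engine, JSON.stringify(preflightCheck(engine, content)));
}
```

In an n8n workflow the check can sit in a Code node in front of the Binalyze AIR node and route items with `ok: false` to an error branch, so only content that at least has the right shape reaches the API; a rule that passes this pre-flight can still be rejected by the engine's real parser.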
Links and References
- Binalyze AIR Documentation (for detailed info on triage rules and supported engines)
- YARA Rules Documentation
- Sigma Rules Specification
- Osquery Documentation