Binalyze AIR
The Binalyze AIR connector allows for automated forensic data acquisition and management directly from within the Swimlane platform. Binalyze AIR is a comprehensive digital forensics platform that simplifies the acquisition and analysis of digital evidence across various operating systems. This connector enables Swimlane Turbine users to automate the creation of acquisition profiles, trigger evidence collection tasks, and initiate evidence collection on specific endpoints. By integrating with Binalyze AIR, security teams can streamline their digital forensics processes, reduce response times, and ensure consistent evidence handling within the Swimlane Turbine platform.

## Limitations

None to date.

## Supported versions

This Binalyze AIR connector uses the latest version of the API.

## Additional docs

- Binalyze AIR authentication link: https://docs.binalyze.com/#authentication
- Binalyze AIR API documentation link: https://docs.binalyze.com/#intro

## Configuration

### Prerequisites

Before utilizing the Binalyze AIR connector within Swimlane, ensure you have the following prerequisites:

- HTTP Bearer Token authentication with the following parameters:
  - URL: the endpoint URL for the Binalyze AIR API
  - Token: a valid bearer token to authenticate API requests

### Authentication Methods

Bearer Token Authentication:

- URL: the endpoint URL for the Binalyze AIR API
- Access Token: a valid token to authenticate API requests

### Capabilities

This Binalyze AIR connector provides the following capabilities:

- Create an Acquisition Profile
- Trigger Collection Based on Acquisition Profile
- Trigger Evidence Collection on Target Endpoint

#### Create an Acquisition Profile

Create a new acquisition profile in Binalyze AIR. Permission needed: Create Acquisition Profile.

Binalyze AIR's documentation for this action can be found here: https://docs.binalyze.com/#ad65add9-1b5d-437b-bd1c-3aed45528650

#### Trigger Collection Based on Acquisition Profile

Assigns an evidence acquisition task using specified filters.

Binalyze AIR's documentation for this action can be found here: https://docs.binalyze.com/#5c96f97a-c2b8-400a-ac7d-47ea806ff975

#### Trigger Evidence Collection on Target Endpoint

Retrieve the task report for a specific endpoint.

Binalyze AIR's documentation for this action can be found here: https://docs.binalyze.com/#4f4ba4e5-6879-421c-ae5f-5ec7b13bcb57

## Configurations

### Binalyze AIR HTTP Bearer Authentication

Authenticates using a bearer token.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| token | The API token | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Create an Acquisition Profile

Create a new acquisition profile in Binalyze AIR using the provided JSON body data.

- Endpoint URL: `/api/public/acquisitions/profiles`
- Method: POST

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| name | string | optional | Name of the acquisition profile |
| organizationIds | array | optional | List of organization IDs |
| windows | object | optional | Configuration for Windows systems |
| windows.evidenceList | array | optional | List of evidence types for Windows |
| windows.artifactList | array | optional | List of artifacts for Windows |
| windows.customContentProfiles | array | optional | Custom content profiles for Windows |
| windows.networkCapture | object | optional | Network capture settings for Windows |
| windows.networkCapture.enabled | boolean | optional | Enable or disable network capture |
| windows.networkCapture.duration | number | optional | Duration of network capture in seconds |
| windows.networkCapture.pcap | object | optional | PCAP settings for network capture |
| windows.networkCapture.pcap.enabled | boolean | optional | Enable or disable PCAP capture |
| windows.networkCapture.networkFlow | object | optional | Network flow settings for capture |
| windows.networkCapture.networkFlow.enabled | boolean | optional | Enable or disable network flow capture |
| linux | object | optional | Configuration for Linux systems |
| linux.evidenceList | array | optional | List of evidence types for Linux |
| linux.artifactList | array | optional | List of artifacts for Linux |
| linux.customContentProfiles | array | optional | Custom content profiles for Linux |
| linux.networkCapture | object | optional | Network capture settings for Linux |
| linux.networkCapture.enabled | boolean | optional | Enable or disable network capture |
| linux.networkCapture.duration | number | optional | Duration of network capture in seconds |
| linux.networkCapture.pcap | object | optional | PCAP settings for network capture |
| linux.networkCapture.pcap.enabled | boolean | optional | Enable or disable PCAP capture |
| linux.networkCapture.networkFlow | object | optional | Network flow settings for capture |
| linux.networkCapture.networkFlow.enabled | boolean | optional | Enable or disable network flow capture |
| macos | object | optional | Configuration for macOS systems |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | boolean | Whether the operation was successful |
| result | object | Result of the operation |
| statusCode | number | Status value |
| errors | array | Error messages, if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Fri, 24 Jan 2025 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "success": true,
      "result": null,
      "statusCode": 200,
      "errors": []
    }
  }
]
```

### Trigger Collection Based on Acquisition Profile

Initiates an evidence collection task in Binalyze AIR using a specified acquisition profile and drone configuration.

- Endpoint URL: `/api/public/acquisitions/acquire`
- Method: POST

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| caseId | string | optional | Optional case identifier |
| droneConfig | object | required | Configuration for the drone |
| droneConfig.autoPilot | boolean | required | Enable or disable auto pilot |
| droneConfig.enabled | boolean | required | Enable or disable the drone |
| droneConfig.analyzers | array | required | List of analyzers to use. Valid values: `/api/public/params/drone/analyzers` |
| droneConfig.keywords | array | optional | Optional list of keywords |
| taskConfig | object | optional | Configuration for the task |
| taskConfig.choice | string | required | Task configuration choice. Valid values are `use-policy`, `use-custom-options` |
| taskConfig.diskSpace | object | optional | Disk space parameter for Trigger Collection Based on Acquisition Profile |
| taskConfig.diskSpace.reserve | number | optional | The value is expressed in bytes |
| taskConfig.saveTo | object | optional | Save location configuration |
| taskConfig.saveTo.windows | object | optional | Configuration for Windows |
| taskConfig.saveTo.windows.location | string | required | Save location type. Valid values are `local`, `repository` |
| taskConfig.saveTo.windows.useMostFreeVolume | boolean | required | Use the volume with the most free space |
| taskConfig.saveTo.windows.repositoryId | string | optional | Required only if the location is set to `repository` |
| taskConfig.saveTo.windows.path | string | optional | Save path. Required only if the location is set to `local` |
| taskConfig.saveTo.windows.volume | string | optional | Volume to save data to. Required if useMostFreeVolume is set to false. Regex validation: `/^[A-Za-z]:/`. The value must follow the format of a single letter (uppercase or lowercase) representing a valid drive, immediately followed by a colon (`:`) |
| taskConfig.saveTo.windows.tmp | string | optional | Temporary save path |
| taskConfig.saveTo.windows.directCollection | boolean | optional | Enable or disable direct collection |
| taskConfig.saveTo.linux | object | optional | Configuration for Linux |
| taskConfig.saveTo.linux.location | string | required | Save location type. Valid values are `local`, `repository` |
| taskConfig.saveTo.linux.useMostFreeVolume | boolean | required | Use the volume with the most free space |
| taskConfig.saveTo.linux.repositoryId | string | optional | Required only if the location is set to `repository` |
| taskConfig.saveTo.linux.path | string | optional | Save path. Required only if the location is set to `local` |
| taskConfig.saveTo.linux.volume | string | optional | Volume to save data to. Required if useMostFreeVolume is set to false. Regex validation: `/^[/]/`. Example: `"/"` |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | boolean | Whether the operation was successful |
| result | array | Result of the operation |
| result.id | string | Unique identifier |
| result.name | string | Name of the resource |
| result.organizationId | number | Unique identifier of the organization |
| statusCode | number | Status value |
| errors | array | Error messages, if any |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Fri, 24 Jan 2025 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "success": true,
      "result": [],
      "statusCode": 200,
      "errors": []
    }
  }
]
```

### Trigger Evidence Collection on Target Endpoint

Initiates evidence collection on a specified endpoint using Binalyze AIR, requiring endpointId and taskId as parameters.

- Endpoint URL: `/api/public/evidence/case/report/{{endpointId}}/{{taskId}}`
- Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| endpointId | string | required | Unique identifier for the endpoint |
| taskId | string | required | Unique identifier for the task |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Fri, 24 Jan 2025 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Fri, 24 Jan 2025 20:37:23 GMT |
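To show how the conditional rules in the Trigger Collection input table fit together (repositoryId only with `repository`, path only with `local`, volume only when useMostFreeVolume is false, plus the per-OS volume regex), here is an added Python example that is not part of the Swimlane connector or the Binalyze AIR API. It validates a `taskConfig.saveTo` block and assembles the `POST /api/public/acquisitions/acquire` request without sending it; the base URL, token and sample values are constructed placeholders, and the body covers only the arguments this page documents.

```python
import json
import re

# Regex validation the action's input table documents for taskConfig.saveTo.<os>.volume.
VOLUME_RE = {"windows": re.compile(r"^[A-Za-z]:"), "linux": re.compile(r"^[/]")}


def validate_save_to(save_to):
    """Return problems found in a taskConfig.saveTo block ([] if valid)."""
    problems = []
    for os_name, cfg in save_to.items():
        if os_name not in VOLUME_RE:  # the action documents windows and linux only
            problems.append(f"{os_name}: unsupported saveTo target")
            continue
        loc = cfg.get("location")
        if loc not in ("local", "repository"):
            problems.append(f"{os_name}.location must be local or repository")
        if not isinstance(cfg.get("useMostFreeVolume"), bool):
            problems.append(f"{os_name}.useMostFreeVolume is required")
        if loc == "repository" and not cfg.get("repositoryId"):
            problems.append(f"{os_name}.repositoryId is required when location=repository")
        if loc == "local" and not cfg.get("path"):
            problems.append(f"{os_name}.path is required when location=local")
        if cfg.get("useMostFreeVolume") is False:  # volume then becomes mandatory
            vol = cfg.get("volume", "")
            if not vol:
                problems.append(f"{os_name}.volume is required when useMostFreeVolume=false")
            elif not VOLUME_RE[os_name].match(vol):
                problems.append(f"{os_name}.volume {vol!r} fails regex validation")
    return problems


def build_acquire_request(base_url, token, drone_config, task_config=None, case_id=None):
    """Assemble (without sending) the POST /api/public/acquisitions/acquire call."""
    for key in ("autoPilot", "enabled", "analyzers"):  # required droneConfig fields
        if key not in drone_config:
            raise ValueError(f"droneConfig.{key} is required")
    body = {"droneConfig": drone_config}
    if case_id:
        body["caseId"] = case_id
    if task_config is not None:
        if "choice" not in task_config:
            raise ValueError("taskConfig.choice is required")
        problems = validate_save_to(task_config.get("saveTo", {}))
        if problems:
            raise ValueError("; ".join(problems))
        body["taskConfig"] = task_config
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return {"method": "POST", "url": base_url.rstrip("/") + "/api/public/acquisitions/acquire",
            "headers": headers, "body": json.dumps(body)}
```

Running the validator before the connector call surfaces a misconfigured save location in the playbook instead of as a rejected task on the AIR side.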