Binalyze AIR
The Binalyze AIR connector allows for automated forensic data acquisition and management directly from within the Swimlane platform. Binalyze AIR is a digital forensics platform that simplifies the acquisition and analysis of digital evidence across multiple operating systems. This connector enables Swimlane Turbine users to automate the creation of acquisition profiles, trigger evidence collection tasks against filtered sets of endpoints, and retrieve the resulting task report for a specific endpoint. By integrating with Binalyze AIR, security teams can streamline their digital forensics processes, reduce response times, and ensure consistent evidence handling within the Swimlane Turbine platform.

## Limitations

None to date.

## Supported versions

This Binalyze AIR connector uses the latest version of the AIR public API.

## Additional docs

- https://docs.binalyze.com/#authentication
- https://docs.binalyze.com/#intro

## Configuration

### Prerequisites

Before utilizing the Binalyze AIR connector within Swimlane, ensure you have the following prerequisites:

- HTTP Bearer Token authentication with the following parameters:
  - URL: the endpoint URL for the Binalyze AIR API
  - Token: a valid bearer token to authenticate API requests

### Authentication methods

Bearer Token Authentication:

- URL: the endpoint URL for the Binalyze AIR API
- Access Token: a valid token to authenticate API requests

The token is sent in the `Authorization: Bearer ...` header of every request, so treat it as a credential: store it in the Swimlane asset, not in playbook inputs or logs, and keep the AIR URL on HTTPS.

## Capabilities

This Binalyze AIR connector provides the following capabilities:

- Create an Acquisition Profile
- Trigger Collection Based on Acquisition Profile
- Trigger Evidence Collection on Target Endpoint

### Create an Acquisition Profile

Creates a new acquisition profile in Binalyze AIR.

Permission needed: Create Acquisition Profile.

Binalyze AIR's documentation for this action can be found at https://docs.binalyze.com/#ad65add9-1b5d-437b-bd1c-3aed45528650.

### Trigger Collection Based on Acquisition Profile

Assigns an evidence acquisition task to the endpoints matched by the specified filters.

Binalyze AIR's documentation for this action can be found at https://docs.binalyze.com/#5c96f97a-c2b8-400a-ac7d-47ea806ff975.

### Trigger Evidence Collection on Target Endpoint

Retrieves the task report for a specific endpoint and task. Despite its name, this action is a `GET` against the evidence report endpoint (see the action definition below); it does not start a new collection.

Binalyze AIR's documentation for this action can be found at https://docs.binalyze.com/#4f4ba4e5-6879-421c-ae5f-5ec7b13bcb57.

## Configurations

### Binalyze AIR HTTP Bearer Authentication

Authenticates using a bearer token.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Token | The API token | string | required |
| Verify SSL | Verify the SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

Leave Verify SSL enabled outside of lab use: with verification off, the bearer token and the evidence it authorizes can be intercepted by anyone who can place themselves between Swimlane and the AIR console. If the console uses a private CA, add that CA to the trust store instead of disabling verification.

## Actions

### Create an Acquisition Profile

Creates a new acquisition profile in Binalyze AIR using the provided JSON body data.

Endpoint URL: `/api/public/acquisitions/profiles`

Method: `POST`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | optional | Name of the acquisition profile |
| organizationIds | array | optional | List of organization IDs |
| windows | object | optional | Configuration for Windows systems |
| windows.evidenceList | array | optional | List of evidence types for Windows |
| windows.artifactList | array | optional | List of artifacts for Windows |
| windows.customContentProfiles | array | optional | Custom content profiles for Windows |
| windows.networkCapture | object | optional | Network capture settings for Windows |
| windows.networkCapture.enabled | boolean | optional | Enable or disable network capture |
| windows.networkCapture.duration | number | optional | Duration of network capture in seconds |
| windows.networkCapture.pcap | object | optional | PCAP settings for network capture |
| windows.networkCapture.pcap.enabled | boolean | optional | Enable or disable PCAP capture |
| windows.networkCapture.networkFlow | object | optional | Network flow settings for capture |
| windows.networkCapture.networkFlow.enabled | boolean | optional | Enable or disable network flow capture |
| linux | object | optional | Configuration for Linux systems |
| linux.evidenceList | array | optional | List of evidence types for Linux |
| linux.artifactList | array | optional | List of artifacts for Linux |
| linux.customContentProfiles | array | optional | Custom content profiles for Linux |
| linux.networkCapture | object | optional | Network capture settings for Linux |
| linux.networkCapture.enabled | boolean | optional | Enable or disable network capture |
| linux.networkCapture.duration | number | optional | Duration of network capture in seconds |
| linux.networkCapture.pcap | object | optional | PCAP settings for network capture |
| linux.networkCapture.pcap.enabled | boolean | optional | Enable or disable PCAP capture |
| linux.networkCapture.networkFlow | object | optional | Network flow settings for capture |
| linux.networkCapture.networkFlow.enabled | boolean | optional | Enable or disable network flow capture |
| macos | object | optional | Configuration for macOS systems |

Input example:

```json
{
  "json_body": {
    "name": "Sample Acquisition Profile",
    "organizationIds": [0],
    "windows": {
      "evidenceList": ["clp"],
      "artifactList": ["apcl"],
      "customContentProfiles": [],
      "networkCapture": {
        "enabled": true,
        "duration": 600,
        "pcap": {"enabled": true},
        "networkFlow": {"enabled": true}
      }
    },
    "linux": {
      "evidenceList": ["syscntrls"],
      "artifactList": ["apcl"],
      "customContentProfiles": [],
      "networkCapture": {
        "enabled": false,
        "duration": 600,
        "pcap": {"enabled": false},
        "networkFlow": {"enabled": false}
      }
    },
    "macos": {
      "evidenceList": ["autoproc"],
      "artifactList": ["apcl"],
      "customContentProfiles": [],
      "networkCapture": {
        "enabled": false,
        "duration": 600,
        "pcap": {"enabled": false},
        "networkFlow": {"enabled": false}
      }
    },
    "aix": {
      "evidenceList": ["cronj"],
      "artifactList": ["myl"],
      "customContentProfiles": []
    },
    "eDiscovery": {
      "patterns": [{"pattern": "*/*.7z", "category": "Archives"}]
    }
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | boolean | Whether the operation was successful |
| result | object | Result of the operation |
| statusCode | number | Status value |
| errors | array | Error messages, if any |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "content-length": "140",
    "content-type": "application/json",
    "date": "Fri, 24 Jan 2025 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "success": true,
    "result": null,
    "statusCode": 200,
    "errors": []
  }
}
```

### Trigger Collection Based on Acquisition Profile

Initiates an evidence collection task in Binalyze AIR using a specified acquisition profile and drone configuration. The `filter` object selects the endpoints; review it carefully before running, since a loose filter (for example an empty `includedEndpointIds` list with a broad `platform` match) tasks every matching endpoint in the organization.

Endpoint URL: `/api/public/acquisitions/acquire`

Method: `POST`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| caseId | string | optional | Optional case identifier |
| droneConfig | object | optional | Configuration for the DRONE analyzer |
| droneConfig.autopilot | boolean | required | Enable or disable autopilot |
| droneConfig.enabled | boolean | required | Enable or disable DRONE |
| droneConfig.analyzers | array | required | List of analyzers to use. Valid values: see `/api/public/params/drone/analyzers` |
| droneConfig.keywords | array | optional | Optional list of keywords |
| taskConfig | object | optional | Configuration for the task |
| taskConfig.choice | string | required | Task configuration choice. Valid values: `use-policy`, `use-custom-options` |
| taskConfig.diskSpace | object | optional | Disk space settings for the task |
| taskConfig.diskSpace.reserve | number | optional | The value is expressed in bytes |
| taskConfig.saveTo | object | optional | Save location configuration |
| taskConfig.saveTo.windows | object | optional | Configuration for Windows |
| taskConfig.saveTo.windows.location | string | required | Save location type. Valid values: `local`, `repository` |
| taskConfig.saveTo.windows.useMostFreeVolume | boolean | required | Use the volume with the most free space |
| taskConfig.saveTo.windows.repositoryId | string | optional | Required only if `location` is set to `repository` |
| taskConfig.saveTo.windows.path | string | optional | Save path. Required only if `location` is set to `local` |
| taskConfig.saveTo.windows.volume | string | optional | Volume to save data to. Required if `useMostFreeVolume` is `false`. Regex validation: `/^[A-Za-z]:$/`, i.e. a single letter (uppercase or lowercase) representing a valid drive, immediately followed by a colon (`:`) |
| taskConfig.saveTo.windows.tmp | string | optional | Temporary save path |
| taskConfig.saveTo.windows.directCollection | boolean | optional | Enable or disable direct collection |
| taskConfig.saveTo.linux | object | optional | Configuration for Linux |
| taskConfig.saveTo.linux.location | string | required | Save location type. Valid values: `local`, `repository` |
| taskConfig.saveTo.linux.useMostFreeVolume | boolean | required | Use the volume with the most free space |
| taskConfig.saveTo.linux.repositoryId | string | optional | Required only if `location` is set to `repository` |
| taskConfig.saveTo.linux.path | string | optional | Save path. Required only if `location` is set to `local` |
| taskConfig.saveTo.linux.volume | string | optional | Volume to save data to. Required if `useMostFreeVolume` is `false`. Regex validation: `/^[/]/`. Example: `/` |

Input example:

```json
{
  "json_body": {
    "caseId": "",
    "droneConfig": {
      "autopilot": false,
      "enabled": false,
      "analyzers": ["bha", "wsa", "aa", "ara"],
      "keywords": ["keyword"]
    },
    "taskConfig": {
      "choice": "use-custom-options",
      "diskSpace": {"reserve": 5},
      "saveTo": {
        "windows": {
          "location": "local",
          "useMostFreeVolume": true,
          "repositoryId": "",
          "path": "Binalyze\\AIR\\",
          "volume": "C:",
          "tmp": "Binalyze\\AIR\\tmp",
          "directCollection": false
        },
        "linux": {
          "location": "local",
          "useMostFreeVolume": true,
          "repositoryId": "",
          "path": "opt/binalyze/air",
          "volume": "/",
          "tmp": "opt/binalyze/air/tmp",
          "directCollection": false
        },
        "macos": {
          "location": "local",
          "useMostFreeVolume": false,
          "repositoryId": "",
          "path": "opt/binalyze/air",
          "volume": "/",
          "tmp": "opt/binalyze/air/tmp",
          "directCollection": false
        },
        "aix": {
          "location": "local",
          "useMostFreeVolume": true,
          "path": "opt/binalyze/air",
          "volume": "/",
          "tmp": "opt/binalyze/air/tmp",
          "directCollection": false
        }
      },
      "cpu": {"limit": 80},
      "compression": {
        "enabled": true,
        "encryption": {"enabled": false, "password": ""}
      }
    },
    "acquisitionProfileId": "quick",
    "filter": {
      "searchTerm": "",
      "name": "",
      "ipAddress": "",
      "groupId": "",
      "groupFullPath": "",
      "managedStatus": ["unmanaged"],
      "isolationStatus": ["isolating"],
      "platform": ["windows"],
      "issue": "unreachable",
      "onlineStatus": ["online"],
      "tags": [""],
      "version": "",
      "policy": "",
      "includedEndpointIds": [""],
      "excludedEndpointIds": [""],
      "organizationIds": [0],
      "label": "",
      "lastSeen": "2023-03-06T21:00:00.000Z",
      "caseId": "",
      "awsRegions": [""],
      "azureRegions": [""]
    },
    "schedulerConfig": {
      "when": "now",
      "timezoneType": "custom",
      "timezone": "London",
      "startDate": "",
      "recurrence": "weekly",
      "repeatEvery": 1,
      "repeatOnWeek": ["mon"],
      "repeatOnMonth": [""],
      "endRepeatType": "never",
      "endDate": "",
      "limit": 100
    }
  }
}
```

Note that the example above sets `compression.encryption.enabled` to `false`; if collected evidence leaves the endpoint for a repository over an untrusted path, enable encryption and supply the password from a Swimlane secret rather than a literal in the playbook.

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | boolean | Whether the operation was successful |
| result | array | Result of the operation |
| result._id | string | Unique identifier of the created task |
| result.name | string | Name of the resource |
| result.organizationId | number | Unique identifier of the organization |
| statusCode | number | Status value |
| errors | array | Error messages, if any |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "content-length": "140",
    "content-type": "application/json",
    "date": "Fri, 24 Jan 2025 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {
    "success": true,
    "result": [{}],
    "statusCode": 200,
    "errors": []
  }
}
```

### Trigger Evidence Collection on Target Endpoint

Retrieves the evidence report for a specified endpoint and task from Binalyze AIR, requiring `endpointId` and `taskId` as path parameters. Because this is a `GET`, it is safe to poll after a collection has been assigned by the previous action.

Endpoint URL: `/api/public/evidence/case/report/{{endpointId}}/{{taskId}}`

Method: `GET`

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.endpointId | string | required | Unique identifier for the endpoint |
| path_parameters.taskId | string | required | Unique identifier for the task |

Input example:

```json
{
  "path_parameters": {
    "endpointId": "string",
    "taskId": "string"
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {
    "content-length": "140",
    "content-type": "application/json",
    "date": "Fri, 24 Jan 2025 20:37:23 GMT"
  },
  "reason": "OK",
  "json_body": {}
}
```

## Response headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Fri, 24 Jan 2025 20:37:23 GMT |
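The three actions above form one workflow: create a profile, assign a collection task against a filter, then fetch the report for an endpoint and task. The following is an added example, not Swimlane's connector code or Binalyze's SDK, showing what a minimal client for these endpoints has to do: put the bearer token in the `Authorization` header only, keep TLS verification on, enforce the conditional `saveTo` rules from the input table before the request leaves, URL-quote the path parameters of the report endpoint, and unwrap the `{success, result, statusCode, errors}` envelope. The `FakeAir` transport, the endpoint IDs and the task IDs are constructed so the example runs offline; the assumption that the `volume` rules apply unchanged to macOS and AIX is noted in a comment.

```python
import json
import re
import urllib.request
from typing import Any, Callable, Optional
from urllib.parse import quote

# Documented validation rules for taskConfig.saveTo.<platform>.volume. The table only
# spells out windows and linux; applying the POSIX rule to macos/aix is an assumption.
WIN_VOLUME = re.compile(r"^[A-Za-z]:$")
POSIX_VOLUME = re.compile(r"^/")

Transport = Callable[[str, str, dict, Optional[bytes]], tuple]


class AirError(Exception):
    """Raised for a non-200 response or an envelope with success=false."""


def validate_save_to(platform: str, save_to: dict) -> None:
    """Enforce the conditional requirements from the Trigger Collection input table."""
    loc = save_to.get("location")
    if loc not in ("local", "repository"):
        raise AirError(f"{platform}: location must be 'local' or 'repository'")
    if loc == "repository" and not save_to.get("repositoryId"):
        raise AirError(f"{platform}: repositoryId is required when location is 'repository'")
    if loc == "local" and not save_to.get("path"):
        raise AirError(f"{platform}: path is required when location is 'local'")
    if save_to.get("useMostFreeVolume") is False:
        pattern = WIN_VOLUME if platform == "windows" else POSIX_VOLUME
        if not pattern.match(save_to.get("volume", "")):
            raise AirError(f"{platform}: volume must match {pattern.pattern}")


def _urllib_transport(method: str, url: str, headers: dict, body: Optional[bytes]) -> tuple:
    """Real transport. urllib verifies the server certificate by default; keep it that way."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


class AirClient:
    def __init__(self, base_url: str, token: str, transport: Transport = _urllib_transport):
        self.base_url = base_url.rstrip("/")
        self._token = token  # only ever placed in the Authorization header, never logged
        self._transport = transport

    def _call(self, method: str, path: str, payload: Any = None) -> Any:
        body = json.dumps(payload).encode() if payload is not None else None
        headers = {"Authorization": f"Bearer {self._token}", "Accept": "application/json"}
        if body is not None:
            headers["Content-Type"] = "application/json"
        status, raw = self._transport(method, self.base_url + path, headers, body)
        envelope = json.loads(raw or b"{}")
        # AIR wraps every response as {"success": bool, "result": ..., "statusCode": int, "errors": [...]}
        if status != 200 or not envelope.get("success", False):
            raise AirError(f"{method} {path}: HTTP {status}, errors={envelope.get('errors')}")
        return envelope.get("result")

    def create_acquisition_profile(self, profile: dict) -> Any:
        return self._call("POST", "/api/public/acquisitions/profiles", profile)

    def trigger_acquisition(self, profile_id: str, task_config: dict, endpoint_filter: dict,
                            drone_config: Optional[dict] = None, case_id: str = "") -> Any:
        for platform, save_to in task_config.get("saveTo", {}).items():
            validate_save_to(platform, save_to)  # fail locally instead of tasking endpoints with a bad config
        payload = {
            "caseId": case_id,
            "droneConfig": drone_config or {"autopilot": False, "enabled": False, "analyzers": []},
            "taskConfig": task_config,
            "acquisitionProfileId": profile_id,
            "filter": endpoint_filter,
            "schedulerConfig": {"when": "now"},
        }
        return self._call("POST", "/api/public/acquisitions/acquire", payload)

    def get_task_report(self, endpoint_id: str, task_id: str) -> Any:
        # Quote path parameters so an id taken from an alert cannot escape into another route.
        path = (f"/api/public/evidence/case/report/"
                f"{quote(endpoint_id, safe='')}/{quote(task_id, safe='')}")
        return self._call("GET", path)


class FakeAir:
    """Constructed stand-in for an AIR console: records requests and returns canned envelopes."""
    def __init__(self) -> None:
        self.calls: list = []

    def __call__(self, method: str, url: str, headers: dict, body: Optional[bytes]) -> tuple:
        self.calls.append((method, url, headers, body))
        if url.endswith("/api/public/acquisitions/profiles"):
            env = {"success": True, "result": None, "statusCode": 200, "errors": []}
        elif url.endswith("/api/public/acquisitions/acquire"):
            env = {"success": True, "statusCode": 200, "errors": [],
                   "result": [{"_id": "task-1", "name": "quick", "organizationId": 0}]}
        elif "/api/public/evidence/case/report/" in url:
            env = {"success": True, "statusCode": 200, "errors": [],
                   "result": {"endpointId": "ep-1", "taskId": "task-1", "status": "completed"}}
        else:
            return 404, b'{"success": false, "result": null, "statusCode": 404, "errors": ["not found"]}'
        return 200, json.dumps(env).encode()


def run_quick_collection(client: AirClient) -> list:
    """Assign the built-in 'quick' profile to online Windows hosts and return the task ids."""
    task_config = {"choice": "use-custom-options",
                   "saveTo": {"windows": {"location": "local", "useMostFreeVolume": False,
                                          "path": "Binalyze\\AIR\\", "volume": "C:"}}}
    endpoint_filter = {"platform": ["windows"], "onlineStatus": ["online"], "organizationIds": [0]}
    return [t["_id"] for t in client.trigger_acquisition("quick", task_config, endpoint_filter)]


if __name__ == "__main__":
    air = AirClient("https://air.example.test", "constructed-token", transport=FakeAir())
    print(run_quick_collection(air))
    print(air.get_task_report("ep-1", "task-1"))
```

To run it against a real console, drop the `transport=` argument and pass the console URL and the token from the Swimlane asset; `validate_save_to` rejects, for example, a Windows `volume` of `"C"` (missing colon) before any endpoint is tasked.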