Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Acquisition profiles extended to manually created ones. Organization_id value type bug fixed. Minor changes in README.md file.
* Acquisition profiles extended to manually created ones. Organization_id value type bug fixed. Minor changes in README.md file.
* Acquisition profiles extended to manually created ones. Organization_id value type bug fixed. Minor changes in README.md file.
* Docker version updated
* Unrelated line deleted.
* Acquisition profile changed. arg_to_number is used for type change.
* organization id type check changed from str to any in both commands.
* Get profile_id function created under Client class. Data type check moved under class's functions.
* Test profile id added.
* profile id added to the command test coverage.
* New_line addressed: https://app.circleci.com/pipelines/github/demisto/content/309467/workflows/b6a8cb09-0e6b-4ea7-a1e9-2650ac98a978/jobs/724183?invite=true#step-120-7123_48
* Conflict resolved
* Conflict resolved
* Suggestion accepted.
* Versioning fixed.
* - Get profile id changed: preset values do not have an id, so it needs to be passed as is.
  - Arg_to_number moved to the commands section as advised.
* - Resolves https://app.circleci.com/pipelines/github/demisto/content/310327/workflows/c343f258-6e56-4098-a697-345d30ba452a/jobs/724633/parallel-runs/0/steps/0-119
* - str to any.
* Rolled back the changes because of the comments, test suite (mypy) yells at me.
* Type change is aligned with reviewer.
* Predefined settings have changed.
* revert RN change
* This resolves #30161 (comment)
* Last comments fixed.
* Reverted to predefined. Added more Org IDs
* Custom profile command example added.
* Documentation updated.
* Get profile id test case added.
* docker image update
* docker image update
* Context path junk string purged.
* Update Packs/Binalyze/Integrations/BinalyzeAIR/BinalyzeAIR_test.py
* Update Packs/Binalyze/Integrations/BinalyzeAIR/BinalyzeAIR_test.py
* Whitespaces cleaned.
* Last review's issues addressed.
* add predefined description
* Minor changes on descriptions.
* Demo review implemented.
* Demo review implemented.
* Error handling removed.
* Test case fixed.
* Test case minor change.
* Test case minor change.
* Test case minor change.
* Newline and typo
* Update BinalyzeAIR_test.py

---------

Co-authored-by: binalyze-murat <106888581+binalyze-murat@users.noreply.github.com>
Co-authored-by: sapirshuker <sshuker@paloaltonetworks.com>
Co-authored-by: Sapir Shuker <49246861+sapirshuker@users.noreply.github.com>
1 parent 9ec4820
commit 01e9451
Showing 10 changed files with 205 additions and 115 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
@@ -1,73 +1,77 @@ | ||
## Binalyze AIR Integration | ||
This integration allows you to use the Binalyze AIR's isolation and evidence collecting features easily. | ||
--- | ||
|
||
Collect your forensics data under 10 minutes. | ||
This integration was integrated and tested with version 2.6.2 of Binalyze AIR | ||
|
||
## Configure Binalyze AIR on Cortex XSOAR | ||
|
||
1. Navigate to **Settings** > **Integrations** > **Servers & Services**. | ||
2. Search for Binalyze AIR. | ||
3. Click **Add instance** to create and configure a new integration instance. | ||
4. Click **Test** to validate the URLs, token, and connection. | ||
|
||
| **Parameter** | **Description** | **Required** | | ||
| --- | --- | --- | | ||
| Binalyze AIR Server URL | Binalyze AIR Server URL | True | | ||
| API Key | e.g.: api_1234567890abcdef1234567890abcdef | True | | ||
| Trust any certificate (not secure) | | False | | ||
| Use system proxy settings | | False | | ||
## Commands | ||
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. | ||
After you successfully execute a command, a DBot message appears in the War Room with the command details. | ||
### binalyze-air-isolate | ||
*** | ||
Isolate an endpoint | ||
|
||
|
||
#### Base Command | ||
|
||
`binalyze-air-isolate` | ||
#### Input | ||
|
||
| **Argument Name** | **Description** | **Required** | | ||
| --- | --- | --- | | ||
| hostname | Hostname of endpoint. | Required | | ||
| organization_id | Organization ID of the endpoint. Possible values are: 0, 1, 2. | Required | | ||
| isolation | To isolate use enable. Possible values are: enable, disable. | Required | | ||
|
||
|
||
#### Context Output | ||
|
||
| **Path** | **Type** | **Description** | | ||
| --- | --- | --- | | ||
| BinalyzeAIR.Isolate.result._id | string | Isolation unique task ID | | ||
| BinalyzeAIR.Isolate.result.name | string | Isolation task name | | ||
| BinalyzeAIR.Isolate.result.organizationId | number | Organization Id of endpoint | | ||
|
||
### binalyze-air-acquire | ||
*** | ||
Acquire evidence from an endpoint | ||
|
||
|
||
#### Base Command | ||
|
||
`binalyze-air-acquire` | ||
#### Input | ||
|
||
| **Argument Name** | **Description** | **Required** | | ||
| --- | --- | --- | | ||
| hostname | Hostname of endpoint. | Required | | ||
| profile | Acquisition profile. Possible values are: compromise-assessment, browsing-history, event-logs, memory-ram-pagefile, quick, full. | Required | | ||
| case_id | ID for the case,e.g. C-2022-0001. | Required | | ||
| organization_id | Organization ID of the endpoint. Possible values are: 0, 1, 2. | Required | | ||
|
||
|
||
#### Context Output | ||
|
||
| **Path** | **Type** | **Description** | | ||
| --- | --- | --- | | ||
| BinalyzeAIR.Acquire.result._id | string | Acquisition unique task ID | | ||
| BinalyzeAIR.Acquire.result.name | string | Acquisiton task name | | ||
## Binalyze AIR Integration | ||
This integration allows you to use the Binalyze AIR's isolation and evidence collecting features easily. | ||
--- | ||
|
||
Collect your forensics data under 10 minutes. | ||
This integration was integrated and tested with version 2.6.2 of Binalyze AIR | ||
|
||
## Configure Binalyze AIR on Cortex XSOAR | ||
|
||
1. Navigate to **Settings** > **Integrations** > **Servers & Services**. | ||
2. Search for Binalyze AIR. | ||
3. Click **Add instance** to create and configure a new integration instance. | ||
4. Click **Test** to validate the URLs, token, and connection. | ||
|
||
| **Parameter** | **Description** | **Required** | | ||
| --- | --- | --- | | ||
| Binalyze AIR Server URL | Binalyze AIR Server URL | True | | ||
| API Key | e.g.: api_1234567890abcdef1234567890abcdef | True | | ||
| Trust any certificate (not secure) | | False | | ||
| Use system proxy settings | | False | | ||
|
||
## Commands | ||
|
||
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. | ||
After you successfully execute a command, a DBot message appears in the War Room with the command details. | ||
|
||
### binalyze-air-isolate | ||
|
||
*** | ||
Isolate an endpoint | ||
|
||
|
||
#### Base Command | ||
|
||
`binalyze-air-isolate` | ||
#### Input | ||
|
||
| **Argument Name** | **Description** | **Required** | | ||
| --- | --- | --- | | ||
| hostname | Hostname of endpoint. | Required | | ||
| organization_id | Organization ID of the endpoint. For the use of a custom organization ID, you can specify a custom value outside the predefined set. | Required | | ||
| isolation | To isolate use enable. Possible values are: enable, disable. | Required | | ||
|
||
|
||
#### Context Output | ||
|
||
| **Path** | **Type** | **Description** | | ||
| --- | --- | --- | | ||
| BinalyzeAIR.Isolate.result._id | string | Isolation unique task ID | | ||
| BinalyzeAIR.Isolate.result.name | string | Isolation task name | | ||
| BinalyzeAIR.Isolate.result.organizationId | number | Organization Id of endpoint | | ||
|
||
### binalyze-air-acquire | ||
*** | ||
Acquire evidence from an endpoint | ||
|
||
|
||
#### Base Command | ||
|
||
`binalyze-air-acquire` | ||
#### Input | ||
|
||
| **Argument Name** | **Description** | **Required** | | ||
| --- |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| --- | | ||
| hostname | Hostname of endpoint. | Required | | ||
| profile | Acquisition profile. To use a custom acquisition profile, you can specify a custom value outside the predefined set. Possible values are: compromise-assessment, browsing-history, event-logs, memory-ram-pagefile, quick, full. | Required | | ||
| case_id | ID for the case,e.g. C-2022-0001. | Required | | ||
| organization_id | Organization ID of the endpoint. For the use of a custom organization ID, you can specify a custom value outside the predefined set. | Required | | ||
|
||
|
||
#### Context Output | ||
|
||
| **Path** | **Type** | **Description** | | ||
| --- | --- | --- | | ||
| BinalyzeAIR.Acquire.result._id | string | Acquisition unique task ID | | ||
| BinalyzeAIR.Acquire.result.name | string | Acquisiton task name | | ||
| BinalyzeAIR.Acquire.result.organizationId | number | Organization Id of endpoint | |
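Review bot: the new `profile` and `organization_id` descriptions in both command input tables say a custom value "outside the predefined set" may be given but never say what that value is, so a reader cannot tell whether `profile` takes a profile name or a profile ID, or whether `organization_id` must be numeric. The commit message states that preset profile values are passed as-is while custom profiles are resolved by ID, and that `organization_id` is converted with `arg_to_number`; say so in the README, for example "profile: one of the predefined names, or the ID of a custom acquisition profile" and "organization_id: integer organization ID of the endpoint; predefined values are 0, 1, 2", instead of dropping the former `Possible values are: 0, 1, 2` list that the old text had. Style: the separator row under `#### Input` for `binalyze-air-acquire` is a dash run of several hundred characters; use `| --- | --- | --- |` as every other table in the file does. While touching these tables, the unchanged context lines still read "case,e.g." (missing space) and "Acquisiton task name" in the acquire context output table.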