commonfields: id: Binalyze AIR version: -1 vcShouldKeepItemLegacyProdMachine: false name: Binalyze AIR display: Binalyze AIR category: Endpoint image: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAMcAAABDCAYAAAAoJBEIAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAABIrSURBVHhe7Z13lFRFFsb3v92zZ91dIxgIAgIiUTAgIIo5Yg6IsggoggoqYs7kMMQZYMhIzjkzZJAMkpGcs2QGGKit3+1XM83Qr/tNTzPt9NR3Tp2e7nr1XoX73bp169abvykLC4uAsOSwsHCBJYeFhQssOSwsXGDJYWHhAksOCwsXWHJYWLjAksPCwgWWHBYWLrDksLBwgSWHhYULLDksLFxgyWFh4YKwyXHq9HnVd9AqldBzqeqYuFgtXr7HybGIJC5evKRGT9ygOvdYrDp1X6zGT9mkLl1yMi2uKsImx/RZW9W/8rRQuYq0Vf+8tbl66Z2hTo5FJLF77wmVv1QHdX3B1ura21upO8t3UUePnXVyLa4mwibHxOl/qFuKtVN33p+g8pZor16pOczJuTpYuWa/+qnVbNWk7Vz1S5s5av3GQ05ObGP7zmOqmCZE4Xs6q0JlO6uyVXqoQ0fOOLkWVxNhk2PyjM3q1rvSyPHau8OdnKsD7s8MlbtonPrHzc1UnQbjnJzYxo5dx9RdD6SRo9wjPdTho5YcWYFsQ44X3x6i8pbsIM+7rXg7VfPDMU5ObMOSI3rINuR4tebwVHLw3Pc+Ge/kxDYsOaKHbEOON2uPUHn0cww5Pmg0wcmJbVhyRA/Zhhxv1x2l8hT3kQNHwEdfTHJyYhuWHNFDtiFHzQ/HylqD591cLE598s1UJye2YckRPWQbcrzXcHzq826+M041/nG6kxPbsOSIHrINOep/PjH1ebk1Ob5tOtPJiW1YckQPV4UcBw+dVklzt6nEvsvUjy1ni5b/9Nup6gv9SajJb0t3O1d6R4OvJqduOrLX8XPrOU6Odxw/kazWbTykps7covoMWqlatJ+vvmmSpBp9P03q9+VPM+S3EePWq30HTjqlvIGQji3b/1RTkraorr2Xqu+azZR10bsfjVU16o1WtRuM06bgFNW83TwJB9m739v9wyEHoT3LV+2T9PvaA+rChYtOTmicOXtBrfh9n1qmy67SZc+7lOX3rbq923ZkPFHu4OHTzp284c9jZ6VvW3deIP1Iv77zwWj1/ifj1ffNZ6mho9eqnbuPO1dHBhEjR/X3R8lAfNh4kipduZvkEVqCIGMGsU7g8yb92216YU24yZp1B527hcZn302V8jwvV9G2qmWH+U5OcGz447CK77lE6nf/4z3VHeU6S91y63uQpG5+iTqT7irfRXXvt9y5izuSz6WoVh3nq8de6q+K6rr5txsys06ivfxOH5g8BL5p27kqJSW44IZDDhTHdQVbq9vLdFQ33NFGDRuzzskJjbbxC31lS1O2tRowfLWTczmat58nbSpWPkF28DOSGMPiFbqqz3+Yps4mX3DuGBjHjp9VTdrMUeWq9JD+pP/ox9v0s02/0p/IBPdF0R2J0MwaEXIUuTdelX24uzScijKIhfVvhbQgFizbSRKDy7Wkovf51g18Ltdaygu+0FqdMpSnIxjEYEDz19LahboYQlIP6lrkvnghScG7O6kCZXyJ66iPqWMBnYeQoOWDYavWhPQDnjTazD2k7fpZBbRwImQIKd+L6uea+/O8f+drKaEwwRAOOT7+crL0Ec+7sXAb1aXXUicnNL76eYb0lynbvusiJ+dy1NNmbq4ibXS94jOepH86q2vytVBDRq117ngl1qw/qCo93UfdUKiNjJX0mx63vCV9pCCx98VYkscn1z70XF+1z+P
MHAwRIQcJoaMBsJvf6QQIU/6JXlpj91IltKbg93y6MT5t49OyD1ftp06fOe/c1R3fNk26jBwdugUeNAM2CRE+6sWzEFr2SZgt8muBLV05UVV8ureqrDuShNDR0Qiz0W7U76UawQMqT546p8roexEYSL0gCc+677Gecl9mlCq6jffo+/Nc/z5jMBHCPXtPOHe7EuGQAxMR7Wr6yssMaIA5yJrOlO3cY4mTczmwEP6eu6lc4zX59y3pRk2ulnrWDQTaTb/SX7QfUjD+5ap0FxOe8SW9rMenVKVuInf0O/eHIHUaZj68KCLkQPjQylSu0XfT1ISpf4g5c0jbldj5JOzBsZM2querDRYtbgjCtN9/6O/OXd3xY8tZMiuZQUvQppIbENh7H+2Zqm0QQAbmjdojVLc+yyS8npkF25xpnXT4yBk1a952EWaupRza/t5He0j9gyFBa2ZsYOo0c+52tXnrUbGRuS/2/rnzKTLVL1yyW9X9dIIoCO5v2jJSr3Hc8Fclx9oNB0VB0XZmplCJNR5rMGZR7l1Mpxv12A8fG9jk+1/9MTKDYd4WuLujfPYasCLgWmXXnuPqhxazUjeJUYj5S3XUdcxccGpEyIEGZJ2xYnVoEwmBqVrdP06qvXq91ggn1x1E4xpyoP0Tgwz40T/PilAj3FyPNmfd4QVzFu6QOol5pAWyRMWuEjYeSbxcY1hq+xFA1ixu+KuSI6NAUTKDYq6iFG/RsoPVcOLkOeeKNCxatkdkizFA0DF75y7c6eS6A1OPctz/psLBFagXRGZBrgc6IyHrM7WGlrK68RCr1IPd1IFDp5zcwGABDil4Hp+9B650cq4EWhuzBnJg3jFzeBXwAwdPSX2ol6wh7o9Xm7cddXIjg45a47KwpC2YCiwi3RAL5CDsnvFA6dAW1gyldR+v3xRYs3/9S5L0D7ML/YOX0wsgFfdmvJGvzJpWESNHKNvcH5g9RnjRDpTH5AiGuITfZLB85IhTA4a5m2LpyUEZXIhegCZjnYRJJot3nTZtPuLkRgYsQo0AYiuzgHZDOOSAbP7rs2iSg4Xxg8/0EVmhHflKdVDF9eeqNfudKy5HSsol9fjL/WV9hmxgKoWSDQPGnbUd/UT5J18dICcpw0VUyAFefzctkJCBDOVujNeDZMjB9W62KghEDnzrXgBxH3jSksOUzQw5WGexhrtFz2K0wSfw8WrJir3OFVeC9YOvvT6PFgtwxtMLWN9hurGuYfwqPNVb1pXhImrkQCAQDDMILJSDocevy1PJQblxkzc5OVciM+TIiplj5PgNui2xTQ768blqg2WWp/7iztam6vxFu5wrAgNnCceCjRPlcU2ujOCRF35NfRbEysyeR9TIwc60/yC07rTAyQmMfkNWSUdzPc+dkrTZybkS0SAHO8t4u9p1+U1286vXHSUL7+ffGiweuheqDxEXJF4t/mbwqFcskuOs7gvayrpBvE1aWEkz525zrnCHv1zR97jc36g1InSqPUK9VnO4KlmxqxCL/mUrAS9kuIgaOdj8SvM+xYk3Khhw9+Yq4ts45LnTZ291cq5EVpOjv17/VNRTOPVCIDAj8JDRL7htsbP5xIxkxxzzwvj7Y40cmDY16o0RbxFtpB9pP/LiBbi1Td1J9D/95iWZxTjlIAf7JHjJwkXUyNEszt81G6d+bjXbyQkM9kh42wm+cTbcFi1zX6RlJTlMuAWmAM9hvweBR7AYZP42ie+0FWGJRXIQX1b3swkyRrhT6X+UxBg9dl7B2tPUnXvQbuqRoaQV1H9vbyVex1B7VMEQNXIQkJhGjrYS8BcM7I+wCO/Zf4W8uylYMF1WkWPpyr3SBwwgwo72In6r4ddTxIHAQLM2or4ICN9xQRPWwuxBvWKJHLiQhRi6LK5w9jIICMwIRo5PmzkYv0rP9JE6dO6+2HPi/V54N2cv2OHcNTxEjRwEnfkPYNfewRfkGUFWkQMhFH+81nAQg/WEFxt36Ki1Uo56xQo5OEIAMSh
3h64rz/91SOjIh/SYmrQlVa4wRVmvRQtRI0etj8cqIispT0cSJh4pZAU5Lmkb4unXB4qJxDVoSq+bhX307GFmzVggR7N284QYvqiCeCmHdzEcLFu5L9Xly246eyQs8KOBqJCDjZ5HX/S53OgEOgMTJVLICnLgnWLKZwC5tsKTvT0FUILMkiOUezI9OXoNcI8mSI+MkoOoXRbfjCN9RTwUJmW44JwLITvMPqb/t0Q4QsErokIOghIRXBqOV+HuhxI9+aMR8JWr94c8KPNXJwfvGA6HHMxO9NWhI8Hbnz58pFPiYicnNPzXgqHIwYyEeUgfQQ5C3OMSgh8lCAV2tM2MbOrQd/AqJzdrERFy5CnRIUPHZNFORrMRb4OPOhjY5SSaFU+Qzw2aIJGebsgKcjCIhCfgpeIaridS1QuYObyuOfbsOym+e6NJiVBFuQQDsUlG+0MSTs55BXWhTpQNRo7BI9cIiSAth7x4XrAAyoyAw1rMRtQB6wIldFKPS1YjIuRgg6fys9o2TA5tG+KtQcAZaLwahKwPdDltZoCGuiZvCxF0NBQ7p5DKLSQ5qxbknGkwJKcvcGN6wfufjpf6Uw5B5D5uOKNnI2Yl6sP1lGOT8dy5FOeKK+Ef2MhsQ5Df6nUHnNzAwJzBHKIMbebTjRzEqUEKUycWzt84Z/o52cgRWk/pfOA2cMjJrOVQhOwNvcjJUf27F3AcgTCUzCJsckycxoukfYJBIqz42TcHyU73mIkbJViMc8icFx83ZZPsB1R9a7AIER2L65PyT702UCWfC06q+o0npgqhSdi2bqTKKnJM0H1gNBwJjxWOhknTN0uZPftOyEBhMxM2wdlydnNRJqYMQhxKs/PqU7Q0gmKe88QrA8QEIsQ+PTgjb/qLMowNh80wtzgTgfODE470H+PFGXeOHMhM4Aik1M2FHJiFZi+D61iIM44EDLKW9JqIYftM1wnnRnpwLPr6Qq3lGeIm10qBseAVTbhrR0/YoKbN2ipv+2cPjHUVZ8mxYJhpae+2nd7G3A1hk4Pz4j5B9wkfjYDtdDBCz99MiXyiHfnd2JEkBq9kpW4hTQTgr6FNQiijTQ605Ks1h10mKGh2+oVytA+tze9oV/ZzEGzTBvqHDURm4WCYqwmA2cL15jnMvv/J31Lqihb2B+dZyui1Cc/0CZez7+CMA33JGHFP6kSdycds5dM8w40ciX2XqxscwTVtob+Y0amj14TJJ/UPMIMcO54saw+eg7XAsxhL6kqdKes7R+7bYKVdJN5nQBuuLdBKXvCRGYRNDmzuz7+fJoKB9mPQ6Vw0D2e0jWCZxGyBxmRQ0PpV3xqiNm4OTQzQR2sqzCq8NdzLhGK4/RsCyIG2uUkvEBEEhNWrxwNy4C2hXZQlbQxCYKZvIk/ZtTcDY9qLswGC8htrBv5GQXBPBpjYH6+eJCJ5WZhTL/qQZ/H3w8/3CxiWPXbyRnkWY4PTgDohZCbxnToxJvQPY4ImJwyGuhtysKGWHqytuCfHURFM6pOW0iICQqXrCraSQ2lu5hX/h+QDbapCAtoB+aibrw2+E57SFp0gDvKHXNAWnAODRqxx7hQewiaHwez5O+TtELzomd1hKo1WYGAQYj7RKsUrdJEz1Zz7ZUrMyH8nSk5Okdf7cA8GlTdRQBg34CrG917tvZESAMhLA0579CQhaBysqlZnpLyClM3KUGHPp3U+p84gPDMFJGChTtvR8AwawoYgYHo20iYDpg0kzghYF7D+qq9nUmYsTBMiBtzAmQkW2IRuI0SMC/VCyFA0KAHGpNbH48RJwAYmszQ724YcHRMDn9VfsnyP+rpJkqx/MAtNIjqgwVdpqaF8TpZ6+CeOzPK6ItY5oWRhweJdqvEP0yXiFgUBofGQQgQ+jZmK/NEvvP4Ikz6zyDQ5/EEcCxthvC+JtQbrDmKgVq05IBoWIc8MeB8WM0BmYvSvNvYfPCULR0Kv6YMlK/aICYpZl1EyRAooBjMu1Is9JerI6cj
kdE4UBJaZxJAjGPmyGoQM8S4C3qs1f9FOrZi3C3H4vmX70UzFUQVCRMlhkf3h/68eMP+Y5XMqLDksUsFewj3OiykwjzHBmPlyKiw5LFJBBDELZWYNnAich8jMSbrsDksOCwFrEF5OgBcKcrDueLPOSCc3Z8KSIwcDzxxuajYC8QLhXcMFjkmFm5iX8+VkWHLEOPDucKSYjUbcx7iCm8bNVfUaTZTYMFzjbJ75Nv98xGADLaf856xgsOSIYbChSdAeswBmEt4n3LOQge8mxg0zClLIBlrhtkIM3h6f02HJEcPg5QJs9LHhh/CbJLvjeqZgU5DwC3af2bB95o1BatT4nOu6TQ9LjhjGhZSLEqDIywaYKYhLYg8DsvBmckJPeGEzrxNic9DiclhyxDgIL+flDkQKz5izTaKD8UwRihIs7N3CksPCwhWWHBYWLrDksLBwgSWHhYULLDksLFxgyWFh4QJLDgsLF1hyWFgEhFL/B6gw65bRNQo1AAAAAElFTkSuQmCC
description: Collect your forensics data in under 10 minutes.
detaileddescription: "## Binalyze AIR Integration\n\n- This integration allows you to use Binalyze AIR's powerful features easily.\n---\n\n## SETUP\n- Give a name to your instance,\n- Type the AIR server's URL (do not put a forward slash at the end),\n- Type the username and password that you created in AIR Server,\n- Click Save & Exit in the bottom-right corner.\n---\n## USAGE\nYou can use the integration in Automation, Playbooks or in the Playground.\n In Playground: \n- !air-isolation endpoint= organization= isolation=enable or\n- !air-isolation endpoint= organization= isolation=disable or \n- !air-acquisition endpoint= profile= .\n---\n For more information, please refer to [View Integration Documentation](https://kb.binalyze.com/air/integrations/cortex-xsoar-integration).\n For support, please e-mail us at support@binalyze.com."
configuration:
- display: Server URL (e.g. 
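https://air.local)
  name: server
  defaultvalue: https://air.local
  type: 0
  required: true
- display: Username
  name: creds
  type: 9
  required: true
- display: API Key
  name: api_key
  type: 4
  required: false
- display: Trust any certificate (not secure)
  name: insecure
  type: 8
  required: false
- display: Use system proxy settings
  name: proxy
  type: 8
  required: false
script:
  script: |
    import json
    import os
    import traceback
    from typing import Any, Dict, Optional, Tuple
    from urllib.parse import parse_qs, quote, urlsplit

    import requests
    import urllib3

    urllib3.disable_warnings()

    # Webhook URLs as displayed by AIR's webhook page. Only the path and the
    # token are taken from them; the request itself is sent to the configured
    # AIR server (AIR_SERVER below), so the scheme/host here is not used.
    # NOTE(review): the tokens are credentials. Keeping them in source means
    # anyone with read access to the integration can trigger acquisitions;
    # they belong in an encrypted (type 4) integration parameter.
    QUICK_URL = 'http://air.local/api/webhook/cortex6/{endpoint}?token=58a5f249-6d6d-4bea-80f6-e326617cc3c4'
    EVENTLOG_URL = 'http://air.local/api/webhook/cortex2/{endpoint}?token=818cad88-0ce7-4840-9ead-2b71d0670e7a'
    FULL_URL = 'http://air.local/api/webhook/cortex3/{endpoint}?token=cbcf96d7-164e-4e0b-a871-e960422c7b03'
    MEMORY_URL = 'http://air.local/api/webhook/cortex4/{endpoint}?token=6b2a67b8-0f4a-44b6-8889-4d6d6e6ca143'
    BROWSINGHISTORY_URL = 'http://air.local/api/webhook/cortex5/{endpoint}?token=49e29f58-1453-4161-9a4d-f286d7181be5'

    PARAMS = demisto.params()
    # The setup text asks for no trailing slash; strip one anyway so the
    # paths appended below never produce '//'.
    AIR_SERVER = PARAMS['server'].rstrip('/')
    USERNAME = PARAMS['creds']['identifier']
    PASSWORD = PARAMS['creds']['password']
    # 'Trust any certificate (not secure)' unchecked -> verify TLS certificates.
    # This flag is passed as verify= on every request below.
    USE_SSL = not PARAMS.get('insecure', False)

    BASE_HEADERS = {
        'User-Agent': 'Binalyze AIR',
        'Content-type': 'application/json',
        'Accept-Charset': 'UTF-8',
    }

    # Headers carrying the AIR session cookie; populated by air_login().
    air_header: Dict[str, str] = {}


    def set_proxies() -> Optional[Dict[str, str]]:
        """Return the requests proxy mapping when 'Use system proxy settings' is on.

        Returns:
            A dict keyed by 'http'/'https' built from the http(s)_proxy
            environment variables (either case), omitting schemes that are
            not set, or None when the proxy option is disabled.
        """
        if not PARAMS.get('proxy'):
            return None
        candidates = {
            'http': os.environ.get('http_proxy') or os.environ.get('HTTP_PROXY'),
            'https': os.environ.get('https_proxy') or os.environ.get('HTTPS_PROXY'),
        }
        # Use .get() so a missing variable is skipped rather than a KeyError.
        return {scheme: url for scheme, url in candidates.items() if url}


    PROXIES = set_proxies()


    def _split_webhook(url: str) -> Tuple[str, str]:
        """Split a webhook URL into the path to call on AIR_SERVER and its token.

        For 'http://air.local/api/webhook/cortex6/{endpoint}?token=T' this
        returns ('/api/webhook/cortex6', 'T'). The '{endpoint}' placeholder is
        dropped because the real endpoint name is appended at request time.
        """
        parts = urlsplit(url)
        uri = '/'.join(parts.path.split('/')[:4])
        token = parse_qs(parts.query).get('token', [''])[0]
        return uri, token


    # Acquisition profile (the 'profile' command argument) -> (webhook path, token).
    WEBHOOKS: Dict[str, Tuple[str, str]] = {
        'quick': _split_webhook(QUICK_URL),
        'event logs': _split_webhook(EVENTLOG_URL),
        'full': _split_webhook(FULL_URL),
        'memory': _split_webhook(MEMORY_URL),
        'browsing history': _split_webhook(BROWSINGHISTORY_URL),
    }

    API_LIST = {
        'air_login': f'{AIR_SERVER}/api/auth/login',
        'isolate_uri': f'{AIR_SERVER}/api/endpoints/tasks/isolation',
        'info': f'{AIR_SERVER}/api/app/info',
        'organisation_id': f'{AIR_SERVER}/api/organizations',
    }


    def test_connection() -> None:
        """Report 'ok' for the test-module button when GET /api/app/info returns 200."""
        response = requests.get(API_LIST['info'], verify=USE_SSL, proxies=PROXIES)
        if response.status_code == 200:
            demisto.results('ok')
        else:
            demisto.results('test connection failed')


    def air_acquisition(endpoint: str, profile: str) -> Dict[str, str]:
        """Build the context entry reported after an acquisition webhook is fired."""
        output = 'The acquisiton profile "' + profile + '" has been started by AIR in the endpoint named:'
        return {output: endpoint}


    def air_acquisition_command(args: Dict[str, Any]) -> CommandResults:
        """Trigger the acquisition webhook for *profile* on *endpoint*.

        Args:
            args: command arguments; 'endpoint' (hostname) and 'profile' (one
                of the WEBHOOKS keys) are both required.

        Raises:
            ValueError: an argument is missing or the profile is unknown.
            requests.HTTPError: the webhook call did not return 2xx.
        """
        endpoint = args.get('endpoint')
        if not endpoint:
            raise ValueError('endpoint not specified')
        profile = args.get('profile')
        if not profile:
            raise ValueError('profile not specified')
        try:
            uri, token = WEBHOOKS[profile]
        except KeyError:
            raise ValueError(f'unknown acquisition profile: {profile!r}') from None

        # The endpoint name is user input placed in the URL path: percent-encode
        # it so it cannot add path segments or a query string of its own.
        url = f'{AIR_SERVER}{uri}/{quote(endpoint, safe="")}'
        response = requests.get(url, params={'token': token}, verify=USE_SSL, proxies=PROXIES)
        # Previously the result was reported as started regardless of the
        # HTTP status; surface failures instead.
        response.raise_for_status()

        return CommandResults(
            outputs_prefix='Air acquisition by webhook started in',
            outputs_key_field='endpoint',
            outputs=air_acquisition(endpoint, profile),
        )


    def air_login(args: Dict[str, Any]) -> Dict[str, str]:
        """Authenticate against AIR with the configured credentials.

        Sets the module-level ``air_header`` (a Cookie header carrying the
        access and refresh tokens) used by the authenticated calls and
        returns it. *args* is accepted for signature compatibility and unused.

        Raises:
            requests.HTTPError: the login request did not return 2xx.
            ValueError: the response body lacks the expected tokens.
        """
        global air_header
        payload = json.dumps({'username': USERNAME, 'password': PASSWORD, 'rememberMe': True})
        login = requests.post(
            API_LIST['air_login'], headers=BASE_HEADERS, data=payload, verify=USE_SSL, proxies=PROXIES
        )
        login.raise_for_status()
        body = login.json()
        try:
            cookie = f"Authentication={body['accessToken']}; RefreshToken={body['refreshToken']}"
        except KeyError as err:
            raise ValueError('AIR login response did not contain the expected tokens') from err
        air_header = {'Cookie': cookie, **BASE_HEADERS}
        return air_header


    def _lookup_organization_id(name: str) -> str:
        """Return the AIR '_id' of the organization whose name equals *name*.

        The match is exact: a substring match (the previous behaviour) could
        pick a different organization than the one the user named, and with
        it isolate or release the wrong endpoint.

        Raises:
            ValueError: no organization with that name was returned.
            requests.HTTPError: the organizations request did not return 2xx.
        """
        response = requests.request(
            'GET', API_LIST['organisation_id'], headers=air_header, verify=USE_SSL, proxies=PROXIES
        )
        response.raise_for_status()
        for entity in response.json().get('entities', []):
            if entity.get('name') == name:
                return entity['_id']
        raise ValueError(f'organization {name!r} not found in AIR')


    def air_isolation(endpoint: str, isolation: str) -> Dict[str, str]:
        """Build the context entry reported after an isolation task is created."""
        output = 'The isolation ' + isolation + 'd in:'
        return {output: endpoint}


    def air_isolation_command(args: Dict[str, Any]) -> CommandResults:
        """Create an isolation task that enables or disables isolation of *endpoint*.

        Args:
            args: command arguments; 'endpoint' (hostname), 'organization'
                (exact organization name) and 'isolation' ('enable' or
                'disable', default 'enable').

        Raises:
            ValueError: an argument is missing/invalid or the organization is unknown.
            requests.HTTPError: an AIR request did not return 2xx.
        """
        endpoint = args.get('endpoint')
        if not endpoint:
            raise ValueError('endpoint not specified')
        isolation = args.get('isolation', 'enable')
        if isolation not in ('enable', 'disable'):
            raise ValueError(f'isolation must be "enable" or "disable", got {isolation!r}')
        organization = args.get('organization')
        if not organization:
            raise ValueError('organization not specified')

        organization_id = _lookup_organization_id(organization)
        payload = json.dumps({
            'enabled': isolation == 'enable',
            'filter': {'name': endpoint, 'organizationIds': [organization_id]},
        })
        response = requests.request(
            'POST', API_LIST['isolate_uri'], headers=air_header, data=payload, verify=USE_SSL, proxies=PROXIES
        )
        response.raise_for_status()

        prefix = 'Air Isolated' if isolation == 'enable' else 'Air unisolated'
        return CommandResults(
            outputs_prefix=prefix,
            outputs_key_field='endpoint',
            outputs=air_isolation(endpoint, isolation),
        )


    def main() -> None:
        """Dispatch the invoked command; every command logs in to AIR first."""
        command = demisto.command()
        try:
            demisto.debug(f'Command being called is {command}')
            air_login(demisto.args())
            if command == 'test-module':
                test_connection()
            elif command == 'air-acquisition':
                return_results(air_acquisition_command(demisto.args()))
            elif command == 'air-isolation':
                return_results(air_isolation_command(demisto.args()))
            else:
                raise NotImplementedError(f'Command {command} is not implemented')
        except Exception as ex:
            demisto.error(traceback.format_exc())  # print the traceback
            return_error(f'Failed to execute {command} command. Error: {str(ex)}')


    ''' ENTRY POINT '''
    if __name__ in ('__main__', '__builtin__', 'builtins'):
        main()
  type: python
  commands:
  - name: air-isolation
    arguments:
    - name: endpoint
      required: true
      description: Hostname of endpoint
    - name: organization
      required: true
      auto: PREDEFINED
      predefined:
      - aaa
      - bbb
      description: Organization name of the endpoint
      defaultValue: aaa
    - name: isolation
      required: true
      auto: PREDEFINED
      predefined:
      - enable
      - disable
      defaultValue: enable
      description: Isolate an endpoint
  - name: air-acquisition
    arguments:
    - name: endpoint
      required: true
      description: Hostname of endpoint
    - name: profile
      required: true
      auto: PREDEFINED
      predefined:
      - quick
      - event logs
      - full
      - memory
      - browsing history
      description: Select the acquisition profile
    description: Collect forensics data
  dockerimage: demisto/python3:3.9.6.22912
  runonce: false
  subtype: python3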