LogoLogo
Back to binalyze.com
  • Welcome | Binalyze Knowledge Base
  • AIR
    • AIR
    • Introduction
      • What is AIR?
      • Terminology
      • Architecture
        • AIR Responder Architecture; overview and performance analysis
        • AIR Task Flow and Management
      • Network Communication
      • Cloud Forensics with Binalyze AIR
    • AIR Setup
      • Console Hardware Requirements
      • Console Pre-Installation
      • Console Installation
      • Microsoft Azure Cloud Platform Integration
      • AIR Relay Server
        • What is AIR Relay Server?
        • Requirements for installation
        • How to install a Relay Server on different Linux platforms
        • How to change IP address of Relay Server
        • How to install a Responder with Relay Server support
        • Proxy configurations
          • Adding proxy to Relay Server
          • Adding proxy to Responder
        • Service Management for Relay Server
        • Whitelisting for Relay Server
        • Retrieving metrics from Relay Server
        • Updating and Uninstalling Relay Server
        • Troubleshooting
      • AIR Responder - Supported Operating Systems
        • AIR Responder - MS Windows supported systems
        • AIR Responder - Apple macOS supported systems
        • AIR Responder - Linux (DEB/RPM) supported systems
        • AIR - ESXi Standalone Collector
        • AIR Responder - Chrome supported systems
          • AIR For Chrome
      • AIR Responder Hardware Requirements
      • AIR Responder Deployment
        • Golden Image
        • Responder & Active Directory OUs
        • AIR Responder Exception Rules
          • Binalyze AIR Watchdog Folder
        • FDA via Jamf and Apple’s PPPC utility
        • AIR Responder in Windows 'Safe Mode'
      • Uninstalling AIR Responders
      • Security
        • AIR Console Access Control
        • AIR SSL Enforcement
          • SSL Certificate Management in Binalyze AIR
        • Two-factor authentication (2FA)
      • Post-Deployment Configuration Guide
        • Using AIR CLI on Binalyze AIR Console
    • AIR's User Settings
      • General
      • Assets
      • Security
      • Features
      • Evidence Repositories
      • Policies
      • User Management
        • User Groups
        • User Roles
      • Backup
      • Investigation Hub Disk Usage
      • Danger Zone
    • Updating AIR
      • Single-Tier Systems
      • 2-Tier Systems
      • AIR Console Updating - SaaS
    • Backup
      • Restore AIR Backup using the CLI
    • Features
      • Acquisition
        • Task Creation
          • Regex in AIR/DRONE:
          • Asset Management with Persistent Saved Filters
          • Task Cancellation and Deletion
        • Acquisition Profiles
        • Supported Evidence
          • Windows Collections
          • macOS Collections
          • Linux Collections
          • IBM AIX Collections
        • Scheduling Tasks
        • Disk and Volume Imaging
          • Imaging with interACT
        • Chain Of Custody in AIR
      • Auto Tagging
      • Triage
        • Triage Rule Templates
          • YARA Templates
          • Sigma Templates
          • osquery Templates
        • Schedule Triage Tasks
      • interACT
        • interACT Commands
        • PowerShell commands in interACT
      • Compare
      • Timeline
      • Integrations
        • SSO Integrations
          • Microsoft Azure SSO Integration
          • Okta SAML 2.0 SSO Integration
        • Webhooks
          • Mattermost Integration
          • Splunk Integration
          • IBM QRadar Integration
          • Wazuh Integration
          • Cortex XSOAR Integration
          • Elasticsearch Logstash Kibana Integration
          • ServiceNow Integration
          • Sumo Logic Integration
          • Crowdstrike Integration
          • Microsoft Sentinel Integration
          • Slack Integration
          • Carbon Black Cloud Integration
          • Rapid7 InsightIDR Integration
          • LogicHub SOAR (DEVO) Integration
          • Fortigate SIEM Integration
          • Dynatrace Integration
          • Stellar XDR Integration
          • SentinelOne Integration
          • Microsoft 365 Defender Integration
          • Cisco XDR Integration
      • Event Subscription
      • AIR API
        • API in AIR is likely to be more effective than Webhooks
      • DRONE
        • What is DRONE?
        • What is an Analysis Pipeline?
        • Analyzers
          • Cross Platform Analyzers
            • MITRE ATT&CK Analyzer
              • MITRE ATT&CK Analyzer changelog
            • Dynamo Analyzer
            • Browser History Analyzer
            • Generic WebShell Analyzer
          • Windows Analyzers
            • Windows Event Records and how AIR handles them
              • Windows Event Logs in AIR v4.21 and older versions
              • Event Records Summary vs. Event Records
            • Prefetch Analyzer
            • Shellbag Data Fields
          • Linux Analyzers
          • macOS Analyzers
            • Audit Event Analyzer
      • AIR Investigation Hub
        • Using the AIR Investigation Hub
        • Investigation Hub – Data Usage Statistics Dashboard
      • AIR File Explorer
        • File Explorer - FAQs
      • Tornado (Preview Version)
        • Tornado Installation Guide
          • Tornado Operating System Support
        • Updating Tornado
        • Tornado demo video
        • Getting Started with Tornado
          • Tornado Terminology
        • Tornado Collectors
          • Accessing Google Workspace
            • Service Account Creation
              • Enable Service Account Key Creation
          • Access Modes in O365
            • O365 license types
        • Tornado Troubleshooting & Feedback
        • Tornado FAQs
      • Frank.AI
      • Asset Isolation
      • Evidence Repositories
      • Policies
      • Tags
      • Off-Network Responder
        • Setting Up a Custom Case Directory
        • biunzip
          • biunzip password file
      • Binalyze AIR Responder Proxy Support
      • Proxy Configuration on Binalyze AIR Console
      • Binalyze AIR Audit Logs
    • Troubleshooting
      • Binalyze AIR Console CPU Profiling for Performance Issues
      • Understanding MSI Error Code 1618
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
    • FAQs
      • Binalyze AIR Console Migration Procedure For Single-Tier Setup
      • Binalyze AIR Console Migration Procedure For 2-Tier Installation
      • Binalyze AIR Console Backup Procedure
      • Resolving the “Invalid Host Header. Host must be the Console Address” Error
      • How to download the collected evidence and artifacts in Binalyze AIR?
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
      • AIR responder troubleshooting
      • Understanding Port Usage in Binalyze AIR
      • How many assets can connect to a single Console instance?
      • How do I enable SSL on AIR?
      • Can I use AIR with EDR/XDR Products?
      • Can I integrate AIR with my SOAR/SIEM?
      • What (sub)domains are used by AIR?
      • Docker & Host System IP Conflict
      • Monitoring Responder and UI API's
      • How do I update AIR Console?
      • How do I update AIR Responders on assets?
      • How to reset the password of a user via the AIR-CLI?
      • Is there a way to move an asset from one Organization or Case to another?
      • Creating exclusions/exception rules for Binalyze AIR Responder on EPP and EDR Solutions
      • Anything missing?
      • How can I install a version of AIR that isn't the latest?
  • General
    • Licenses - Open-source Software List
Powered by GitBook
On this page
  • Step 1 - Assets
  • Step 2 - Setup
  • User Privileges for Task Scheduling:
  • Step 3 - Customization
  • Step 4 - Follow Up
  • How to edit existing Scheduled Tasks

Was this helpful?

Export as PDF
  1. AIR
  2. Features
  3. Acquisition

Scheduling Tasks

Proactive DFIR and automated threat analysis by scheduling AIR Evidence Collections

PreviousIBM AIX CollectionsNextDisk and Volume Imaging

Last updated 7 months ago

Was this helpful?

Scheduling tasks in AIR not only enables the automation of acquisitions and DRONE analysis, but it transforms AIR into a proactive DFIR platform. By setting up scheduled tasks for regular collections and automated DRONE analysis, AIR can proactively identify issues that might well go unnoticed by other security systems.

Instead of waiting for alerts from external sources, AIR takes the initiative to regularly collect and analyze assets according to a predefined schedule and acquisition profile. This proactive approach allows organizations to stay ahead of potential threats and vulnerabilities by detecting issues early on, even before they manifest as security incidents.

By incorporating the scheduling of tasks into security operations, organizations can enhance defense strategies and bolster their overall security posture. Additionally, it ensures that the 'best evidence' is automatically acquired and forensically preserved, facilitating further investigation when needed.

Investigators simply use the tasking wizard to schedule tasks the following activities:

  • Evidence collections.

  • Triage/Threat Hunting.

  • Disk and Volume Imaging.

  • Auto Asset Tagging.

To set up a scheduled task please follow the steps below:

Step 1 - Assets

  1. Choose the Asset(s) on which you wish to shedule tasks - the Bulk Action Bar will be avaiable if yo choose more than one asset

  2. Create a Task Name if required

  3. Allocate the task to a case

  4. Select 'Schedule for later'

Step 2 - Setup

  1. Choose the timezone that will determine when the task is executed. You have the flexibility to execute the task in the local timezone of each selected asset or simultaneously across all assets by choosing a single timezone.

  2. Select a start date and time for the task.

  3. If required toggle on the Repeat switch and set the cadence/recurrence rate.

  4. Select when or whether you want to end the schedule.

  5. Lastly, choose the acquisition profile you wish to apply for the scheduled task.

Note: Scheduled tasks cannot be repeated within a "Case". This is because there is no destination for the task results when a Case is closed, leaving them without a location to be sent to.

User Privileges for Task Scheduling:

  • AIR administrators can now restrict users from scheduling tasks or editing existing ones:

    • Schedule Task: Enables users to "Schedule for later." Without this privilege, this option is disabled, and a tooltip explains the restriction.

    • Update Scheduled Task: Allows users to edit scheduled tasks. If this privilege is not granted, the "Edit" button is disabled with an explanatory tooltip.

Step 3 - Customization

  • This step allows you to use the policies already set as an organizational policy or, if you have the necessary privileges, make changes to:

  • Where the collected evidence is to be saved.

  • Apply Resource limit to the task assignment to reduce potential impacts on the asset.

  • Enable compression and encryption to be applied to the collected evidence.

Step 4 - Follow Up

In this final step you can enable or disable the DRONE and MITRE ATT&CK Analyzers

We highly recommend keeping both analyzers active as they have minimal impact on resources. The MITRE ATT&CK analyzer runs on live assets and, when combined with other analyzers, facilitates immediate identification of potentially compromised assets. This allows for efficient prioritization of investigative efforts.

The results of scheduled tasks and their associated reports can be found in three places:

  1. Tasks that are accessed via the main menu.

  2. The page for the individual Asset > Acquisitions.

  3. And finally, Case Acquisitions, if the task is sent to a Case.

1) Accessing the scheduled Task report via Assets:

Selecting the ‘eye icon’, under the Actions column as shown above, will give you access to the Details view for the Task, and from here you can access the report associated with this scheduled task acquisition:

2) Below we see the same report being accessed from the Assets menu:

3) And finally the same report from the Case Acquisition page but only if you have sent it here:

Tasks scheduled through the console will execute as planned. However, if an asset is offline at the scheduled time, it will automatically receive and carry out the task upon its next connection.

How to edit existing Scheduled Tasks

Managing scheduled tasks has never been easier. The Edit Scheduled Task feature lets you modify existing scheduled tasks avoiding the need to cancel and reconfigure them.

You can easily add or remove assets without restarting the task, saving valuable time and improving workflow efficiency. After selecting the assets, you can then go on to update the task setup, customize options, and manage follow-up actions, streamlining task management for a smoother, faster process.

To modify a scheduled task, go to your Task listings page and filter by Status > Scheduled to display only the scheduled tasks:

From the filtered results, selecting the ‘eye’ icon presents to you with the Edit or Delete Task options:

The Edit Scheduled Task Wizard will now open, allowing the user to toggle off the "Only Selected Assets" switch (as shown below). This now reveals all other available assets that can be added to the scheduled task:

Step 2, the Setup, allows you to edit the Task Name, the Schedule and even the acquisition profile to be used:

Steps 3 and 4, Customization and Follow-Up, are fully configurable, giving you the ability to completely edit the scheduled task as needed.

Customization of options
Toggle options for DRONE
Schedule for later
Setting up the scheduled task