Task Creation

Introduction to Task Creation in Binalyze AIR

Tasks in Binalyze AIR are operations assigned to assets via the AIR console, either manually or automatically through triggers. Each task can comprise multiple 'tasking assignments,' where a single task on one asset is a 'tasking assignment,' but the term 'task' can also describe the same tasking assignment across many assets. These tasks facilitate various operational needs and can be categorized into three types:

Types of Tasks

  1. Manual Tasks:

    • These are assigned manually by users directly through the AIR console.

  2. Scheduled Tasks:

    • Created by users to commence at a future time. Scheduled tasks can be one-time events or recurring at daily, weekly, or monthly intervals.

  3. Triggered Tasks:

    • Automatically assigned to assets in response to trigger requests from integrated SIEM, SOAR, or EDR solutions.

Tasks enhance operational efficiency by allowing flexible and automated responses to various cybersecurity scenarios, ensuring that your assets are continually monitored and managed effectively. For more detailed information, please visit our Knowledge Base and refer to the AIR release notes.

Activities that Generate Tasking Assignments

In Binalyze AIR, tasking assignments are generated by various activities that target asset operations, including:

  1. Data Acquisition:

    • Initiating the collection of digital evidence from an asset. This can be a comprehensive acquisition or targeted to specific evidence types.

  2. Triage:

    • Running predefined or custom rules (YARA, Sigma, osquery) to identify suspicious activities or indicators of compromise on the assets.

  3. Timeline (Investigation):

    • Creating and analyzing timelines to understand the sequence of events on an asset for forensic investigation.

  4. InterACT Sessions:

    • Establishing a secure remote shell session to manually investigate and interact with the asset in real-time.

  5. Baseline Acquisition and Comparison:

    • Running comparisons to detect deviations from a predefined baseline state of the asset and acquiring baseline data.

  6. Disk/Volume Imaging:

    • Capturing the complete state of disks or volumes for comprehensive forensic analysis.

  7. Auto Tagging:

    • Automatically tagging assets based on predefined criteria for easier management and identification.

  8. Calculating Hash:

    • Generating hash values for files to ensure data integrity and assist in identifying duplicate or tampered files.

  9. Offline Acquisition and Offline Triage:

    • Performing data acquisition and triage on assets that are not connected to the network.

Administrative Tasks

Some more 'administrative' activities also generate tasking assignments and these include:

  • Shutdown, Reboot, and Uninstall:

    • Remotely managing the power state and software configuration of assets.

  • Isolation:

    • Isolating an asset from the network to prevent further compromise.

  • Responder Deployment:

    • Deploying response tools to the asset for immediate action.

  • Purge Local Data and Retry Upload:

    • Managing data on the asset, including purging local data and retrying data uploads.

  • Migration and Version Update:

    • Migrating data between systems and updating software versions.

  • Log Retrieval:

    • Collecting logs for further analysis and troubleshooting.

By understanding and utilizing these task types, users can streamline their incident response and investigation workflows, improving overall security posture and response times.

Tasks are saved at the organization level and can be reviewed comprehensively by navigating to More > Task:

Individual tasking assignments for an asset can also be reviewed by visiting the specific asset. From the secondary menu, you can select "All Tasks" or utilize the filtered tasks view to focus on specific task types:

Let's now take a look at how to create a Task in AIR

Step 1 - Assets

Select the Asset(s) on which you wish to execute tasks - In the example below we will Acquire Evidence from an asset named JackWhite:

The Bulk Action Bar will be available if you choose more than one asset:

Step 2 - Setup

  1. Create a Task Name if required (if not one will be auto-generated)

  2. Allocate the task to a Case, this is important if you need to build a case for an ongoing investigation and you plan to investigate this asset further or other assets as part of the same investigation. All investigation activity can be recorded within Cases. A Case can be thought of as a container, into which activity for a particular investigation can be grouped, making Incident Response management and investigations easier especially as the Case will also be presented in the Investigation Hub.

  3. Select Now as a Task Start Time to execute the task immediatley (see here for Scheduling Tasks)

  4. Choose an Acquisition Profile (e.g., Compromise Assessment, Full Acquisition etc). We offer many ‘out of the box’ profiles, but you can also create and save your own as needed.

Step 3 - Customization

This step allows you to use the policies already set as an organizational policy or, if you have the necessary privileges, make changes to:

  • Where the collected evidence is to be saved.

  • Apply Resource limit to the task assignment to reduce potential impacts on the asset.

  • Enable compression and encryption to be applied to the collected evidence.

Customization of options

Step 4 - Follow Up

In this final step you can enable or disable the DRONE and MITRE ATT&CK Analyzers

We highly recommend keeping both analyzers active as they have minimal impact on resources. The MITRE ATT&CK analyzer runs on live assets and, when combined with other analyzers, facilitates immediate identification of potentially compromised assets. This allows for efficient prioritization of investigative efforts.

Keyword Searches

Step 4, 'Follow Up', also allows the user to add Keywords and upload keyword list files for DRONE searches, allowing investigators to conduct more focused and efficient searches within their data collections.

Keyword Lists Features:

  • No character limit for keyword lists, but a 1 MB file size limit applies.

  • Each keyword must be on a new line for proper search functionality.

  • Keyword searches are limited to data within the Case.db (excluding CSV files).

  • Keyword searches are supported by regex, read more here: Regex in AIR

  • This search functionality extends to event log data collected by Sigma analyzers, including:

    • Windows: Event Record Analyzer

    • Linux: Syslog Analyzer

    • macOS: Audit Event Analyzer

Keyword searches are limited to data within the Case.db and do not include content within any CSV files prepared by AIR (eg; $mft, $UsnJrnl). Additionally, the search will not cover the contents of files on or collected from the asset.

This feature offers investigators greater flexibility and precision in their searches, significantly enhancing the DRONE module's capabilities. Regex support will be added soon in an upcoming release.

The results of all tasks and their associated reports can be found in three places:

  1. Tasks that are accessed via the main menu.

  2. The page for the individual Asset > Acquisitions.

  3. And finally, Case Acquisitions, if the task is sent to a Case.

1) Accessing the scheduled Task report via Assets:

Selecting the ‘eye icon’, under the Actions column as shown above, will give you access to the Details view for the Task, and from here you can access the report associated with this scheduled task acquisition:

2) Below we see the same report being accessed from the Assets menu:

3) And finally the same report from the Case Acquisition page but only if you have sent it here:

Last updated