Auto Asset Tagging

How to automatically tag your assets based on simple conditions.

Overview

Performing Digital Forensics at scale requires a proper classification of your assets.

Knowing how many web servers, domain controllers, or application servers you have highly decreases the response time while helping you focus on a group of devices on your network. This in turn increases the situational awareness in an investigation.

How it works

Auto Asset Tagging is a feature of Binalyze AIR that lets you automatically tag assets based on conditions such as:

  • Existence of a file or directory

  • Existence of a running process

In fact, you can identify pretty much anything on your assets as you can use YARA, osquery, and Sigma to write your own rules. You can also easily AND/OR the conditions in conjunction with the environment variables.

This feature can be enabled or disabled from the Auto Asset Tagging section in Settings>Features>Auto Asset Tagging.

Once enabled, a newly added asset will be automatically assigned a task to query the Auto Asset Tagging conditions, and based on the results, AIR will tag the assets using the relevant Tag Name. If you want to re-run tagging on all assets, you can easily do this by clicking the "Run Now" button on the Auto Asset Tagging page.

Auto Asset Tagging (AAT) can be saved specifically for individual organizations or universally across all organizations. This capability supports users in creating and applying incident-specific AATs selectively, avoiding unnecessary use or exposure of a rule outside the intended organizational context.

There are a number of 'out-of-the-box' supported Auto Asset Tags such as those listed below, but as we now know you can also create custom tags whenever you need them:

  • Apache

  • Redis

  • Mysql

  • Rabbitmq

  • Docker

  • Kubernetes

  • Domain Controller

  • IIS Web Server

  • Web Server

  • Mail Server

  • MSSQL Server

When we look at the AAT conditions set for the tagging of an Apache Server, we can see that the AIR agent will be looking at 5 conditions, all independent of each other as the OR switch is active. So, if any one of these conditions exists the Apache Tag will be applied to the asset:
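The rule model described above (file or process existence conditions, an AND/OR switch, and environment variables inside condition values) can be illustrated with a small evaluator. The code below is an added example written for this page; it is not Binalyze AIR code and does not use AIR's rule format or API. The condition sets, the sample assets, and the tag names' conditions (an Apache rule with five OR-ed conditions, a Domain Controller rule with two AND-ed conditions) are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Asset:
    """What an endpoint agent can observe: present paths, running process
    names and environment variables. Constructed for this example."""
    name: str
    paths: Set[str]
    processes: Set[str]
    env: Dict[str, str]


@dataclass
class Condition:
    """One check. kind is 'file' (path exists) or 'process' (name is running).
    value may contain %VAR% references resolved from the asset's environment."""
    kind: str
    value: str


@dataclass
class TagRule:
    """A tag plus its conditions, combined by a single AND or OR switch
    (the same idea as the OR switch described for the Apache rule)."""
    tag: str
    operator: str
    conditions: List[Condition]


_ENV_REF = re.compile(r"%([^%]+)%")


def expand_env(value: str, env: Dict[str, str]) -> str:
    """Replace %VAR% with the asset's value (case-insensitive variable name).
    Unknown variables are left untouched so the condition simply fails to match."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _ENV_REF.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), value)


def evaluate_condition(cond: Condition, asset: Asset) -> bool:
    target = expand_env(cond.value, asset.env)
    if cond.kind == "file":
        return target in asset.paths
    if cond.kind == "process":
        return target.lower() in {p.lower() for p in asset.processes}
    raise ValueError(f"unsupported condition kind: {cond.kind}")


def evaluate_rule(rule: TagRule, asset: Asset) -> bool:
    # A rule with no conditions must never match: all([]) is True in Python,
    # so an empty AND rule would otherwise tag every asset in the inventory.
    if not rule.conditions:
        return False
    results = [evaluate_condition(c, asset) for c in rule.conditions]
    if rule.operator == "AND":
        return all(results)
    if rule.operator == "OR":
        return any(results)
    raise ValueError(f"unsupported operator: {rule.operator}")


def tag_asset(asset: Asset, rules: List[TagRule]) -> List[str]:
    """Return the sorted list of tag names whose rule matches this asset."""
    return sorted(r.tag for r in rules if evaluate_rule(r, asset))


def tag_inventory(assets: List[Asset], rules: List[TagRule]) -> Dict[str, List[str]]:
    return {a.name: tag_asset(a, rules) for a in assets}


# Constructed rules. Five independent (OR) conditions for Apache; two conditions
# that must both hold (AND) for Domain Controller, because lsass.exe runs on
# every Windows host and only the NTDS database path narrows it to a DC.
RULES = [
    TagRule("Apache", "OR", [
        Condition("process", "httpd"),
        Condition("process", "apache2"),
        Condition("file", "/etc/apache2/apache2.conf"),
        Condition("file", "/etc/httpd/conf/httpd.conf"),
        Condition("file", "%ProgramFiles%\\Apache24\\bin\\httpd.exe"),
    ]),
    TagRule("Domain Controller", "AND", [
        Condition("process", "lsass.exe"),
        Condition("file", "%SystemRoot%\\NTDS\\ntds.dit"),
    ]),
]

# Constructed sample inventory: a Linux web server, a Windows DC, a workstation.
SAMPLE_ASSETS = [
    Asset("web-01", {"/etc/apache2/apache2.conf", "/var/www/html/index.html"},
          {"apache2", "sshd"}, {"HOME": "/root"}),
    Asset("dc-01", {"C:\\Windows\\NTDS\\ntds.dit", "C:\\Windows\\System32\\lsass.exe"},
          {"lsass.exe", "dns.exe"}, {"SystemRoot": "C:\\Windows"}),
    Asset("ws-07", {"C:\\Windows\\System32\\lsass.exe"},
          {"lsass.exe", "explorer.exe"}, {"SystemRoot": "C:\\Windows"}),
]

if __name__ == "__main__":
    for name, tags in tag_inventory(SAMPLE_ASSETS, RULES).items():
        print(f"{name}: {tags or '(no tags)'}")
```

Running the block tags web-01 as Apache and dc-01 as Domain Controller, while ws-07 receives no tag: its lsass.exe process satisfies one Domain Controller condition, but the AND switch also requires the ntds.dit path. The same workstation would be mis-tagged if that rule used OR, which is the practical reason to check the AND/OR switch whenever a rule mixes a broad condition with a narrow one.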

It is possible for a user to create, edit, and delete the parameters shown below, but only if they have permission to do so:

AIR has very granular permissions control over Users and Roles, and within Roles, there are currently 108 individually configurable privileges. Six of these allow Global Administrators to determine what users can do within the Auto Asset Tagging feature:

Read more about how AIR uses Auto Asset Tagging to speed up your investigations here: The Power of Auto Asset Tagging in DFIR

Any Auto Asset Tags used in a Tasking Assignment are displayed under the Information tab in the Task Details window. In the example below we can see that the Tagging Rule for MSSQL Server has been run along with 25 related rules, which can be viewed by clicking on the ‘+25’ link:
