LogoLogo
Back to binalyze.com
  • Welcome | Binalyze Knowledge Base
  • AIR
    • AIR
    • Introduction
      • What is AIR?
      • Terminology
      • Architecture
        • AIR Responder Architecture; overview and performance analysis
        • AIR Task Flow and Management
      • Network Communication
      • Cloud Forensics with Binalyze AIR
    • AIR Setup
      • Console Hardware Requirements
      • Console Pre-Installation
      • Console Installation
      • Microsoft Azure Cloud Platform Integration
      • AIR Relay Server
        • What is AIR Relay Server?
        • Requirements for installation
        • How to install a Relay Server on different Linux platforms
        • How to change IP address of Relay Server
        • How to install a Responder with Relay Server support
        • Proxy configurations
          • Adding proxy to Relay Server
          • Adding proxy to Responder
        • Service Management for Relay Server
        • Whitelisting for Relay Server
        • Retrieving metrics from Relay Server
        • Updating and Uninstalling Relay Server
        • Troubleshooting
      • AIR Responder - Supported Operating Systems
        • AIR Responder - MS Windows supported systems
        • AIR Responder - Apple macOS supported systems
        • AIR Responder - Linux (DEB/RPM) supported systems
        • AIR - ESXi Standalone Collector
        • AIR Responder - Chrome supported systems
          • AIR For Chrome
      • AIR Responder Hardware Requirements
      • AIR Responder Deployment
        • Golden Image
        • Responder & Active Directory OUs
        • AIR Responder Exception Rules
          • Binalyze AIR Watchdog Folder
        • FDA via Jamf and Apple’s PPPC utility
        • AIR Responder in Windows 'Safe Mode'
      • Uninstalling AIR Responders
      • Security
        • AIR Console Access Control
        • AIR SSL Enforcement
          • SSL Certificate Management in Binalyze AIR
        • Two-factor authentication (2FA)
      • Post-Deployment Configuration Guide
        • Using AIR CLI on Binalyze AIR Console
      • AIR's User Settings
    • Updating AIR
      • Single-Tier Systems
      • 2-Tier Systems
      • AIR Console Updating - SaaS
    • Backup
      • Restore AIR Backup using the CLI
    • Features
      • Acquisition
        • Task Creation
          • Regex in AIR/DRONE:
          • Asset Management with Persistent Saved Filters
          • Task Cancellation and Deletion
        • Acquisition Profiles
        • Supported Evidence
          • Windows Collections
          • macOS Collections
          • Linux Collections
          • IBM AIX Collections
        • Scheduling Tasks
        • Disk and Volume Imaging
          • Imaging with interACT
        • Chain Of Custody in AIR
      • Auto Tagging
      • Triage
        • Triage Rule Templates
          • YARA Templates
          • Sigma Templates
          • osquery Templates
        • Schedule Triage Tasks
      • interACT
        • interACT Commands
        • PowerShell commands in interACT
      • Compare
      • Timeline
      • Integrations
        • SSO Integrations
          • Microsoft Azure SSO Integration
          • Okta SAML 2.0 SSO Integration
        • Webhooks
          • Mattermost Integration
          • Splunk Integration
          • IBM QRadar Integration
          • Wazuh Integration
          • Cortex XSOAR Integration
          • Elasticsearch Logstash Kibana Integration
          • ServiceNow Integration
          • Sumo Logic Integration
          • Crowdstrike Integration
          • Microsoft Sentinel Integration
          • Slack Integration
          • Carbon Black Cloud Integration
          • Rapid7 InsightIDR Integration
          • LogicHub SOAR (DEVO) Integration
          • Fortigate SIEM Integration
          • Dynatrace Integration
          • Stellar XDR Integration
          • SentinelOne Integration
          • Microsoft 365 Defender Integration
          • Cisco XDR Integration
      • Event Subscription
      • AIR API
        • API in AIR is likely to be more effective than Webhooks
      • DRONE
        • What is DRONE?
        • What is an Analysis Pipeline?
        • Analyzers
          • Cross Platform Analyzers
            • MITRE ATT&CK Analyzer
              • MITRE ATT&CK Analyzer changelog
            • Dynamo Analyzer
            • Browser History Analyzer
            • Generic WebShell Analyzer
          • Windows Analyzers
            • Windows Event Records and how AIR handles them
              • Windows Event Logs in AIR v4.21 and older versions
              • Event Records Summary vs. Event Records
            • Prefetch Analyzer
            • Shellbag Data Fields
          • Linux Analyzers
          • macOS Analyzers
            • Audit Event Analyzer
      • AIR Investigation Hub
        • Using the AIR Investigation Hub
        • Investigation Hub – Data Usage Statistics Dashboard
      • AIR File Explorer
        • File Explorer - FAQs
      • Tornado (Preview Version)
        • Tornado Installation Guide
          • Tornado Operating System Support
        • Updating Tornado
        • Tornado demo video
        • Getting Started with Tornado
          • Tornado Terminology
        • Tornado Collectors
          • Accessing Google Workspace
            • Service Account Creation
              • Enable Service Account Key Creation
          • Access Modes in O365
            • O365 license types
        • Tornado Troubleshooting & Feedback
        • Tornado FAQs
      • Frank.AI
      • Asset Isolation
      • Evidence Repositories
      • Policies
      • Tags
      • Off-Network Responder
        • Setting Up a Custom Case Directory
        • biunzip
          • biunzip password file
      • Binalyze AIR Responder Proxy Support
      • Proxy Configuration on Binalyze AIR Console
      • Binalyze AIR Audit Logs
    • Troubleshooting
      • Binalyze AIR Console CPU Profiling for Performance Issues
      • Understanding MSI Error Code 1618
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
    • FAQs
      • Binalyze AIR Console Migration Procedure For Single-Tier Setup
      • Binalyze AIR Console Migration Procedure For 2-Tier Installation
      • Binalyze AIR Console Backup Procedure
      • Resolving the “Invalid Host Header. Host must be the Console Address” Error
      • How to download the collected evidence and artifacts in Binalyze AIR?
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
      • AIR responder troubleshooting
      • Understanding Port Usage in Binalyze AIR
      • How many assets can connect to a single Console instance?
      • How do I enable SSL on AIR?
      • Can I use AIR with EDR/XDR Products?
      • Can I integrate AIR with my SOAR/SIEM?
      • What (sub)domains are used by AIR?
      • Docker & Host System IP Conflict
      • Monitoring Responder and UI API's
      • How do I update AIR Console?
      • How do I update AIR Responders on assets?
      • How to reset the password of a user via the AIR-CLI?
      • Is there a way to move an asset from one Organization or Case to another?
      • Creating exclusions/exception rules for Binalyze AIR Responder on EPP and EDR Solutions
      • Anything missing?
      • How can I install a version of AIR that isn't the latest?
  • General
    • Licenses - Open-source Software List
Powered by GitBook
On this page

Was this helpful?

Export as PDF
  1. AIR
  2. Features

Policies

PreviousEvidence RepositoriesNextTags

Last updated 1 month ago

Was this helpful?

Policies are used in AIR to standardize critical options at the organization level for the Console, Responders, and Evidence Repositories.

AIR includes a Default Policy that is read-only and covers all configuration areas. It cannot be edited and acts as a fallback when no other policies are assigned or when some settings are missing. This ensures every acquisition task has a complete configuration, preventing gaps.

Policies in AIR help standardize critical settings for the Console, Responders, and Evidence Repositories at the organization level. While the Default Policy is preconfigured and uneditable, users with the necessary permissions can view, create, and modify custom policies as needed.

To create a new policy, click the "Settings" button in the Main Menu and then select “Policies” from the Secondary Menu.

When you select the "+Add New" Action Button, you can create the required policies by configuring the options shown below:

  1. The Policy name.

  2. The Organization(s) affected by the policy.

  3. The destination for collected evidence by OS platform:

    • Local - use the local asset.

    • Path - By default, the path to save evidence locally is: Binalyze\AIR\

    • Direct Collection - Enable this switch to collect data while minimizing local disk space usage. During the upload process, approximately 100MB of temporary data is stored in the Cases folder, which is automatically deleted upon completion.

    • Automatically Select Volume - Toggle on this switch to allow AIR to select the local volume with the most available space.

  1. The destination for files collected by interACT:

  1. Asset Resource Limits utilized by AIR Task Assignments executed by Responders:

  • CPU - We suggest setting CPU usage limits to about 40% on active assets/endpoints to avoid disruptions. Schedule resource-heavy tasks during off-peak hours and use lighter triage rules for in-use systems. Monitor impact and adjust as needed.

  • Bandwidth - Bandwidth limitations primarily depend on the network and the constraints of the target server. To prevent accidental disruptions to mission-critical operations, users can configure an upper limit on bandwidth usage.

  • Disk Space - Evidence collection on the local asset will continue until the specified amount of free disk space remains.

  1. Compression and encryption settings

Compression is enabled by default, but users can disable it if preferred. Note that disabling compression may significantly increase the size of your collections on disk.

Encrypt Evidence toggled on will require the entry of a password, which will be needed later to access the collected data. The data will be encrypted with AES256-bit encryption and stored in a zip archive.

We do not save the passwords you enter, and they cannot be recovered through the AIR console. Therefore, please ensure you securely store them yourself. We strongly recommend using a Password Manager application to manage and safeguard your passwords.

  1. Scan Local Drive Only (Triage)

Enable this option to limit the YARA scan to the machine's local drives only, preventing it from scanning mapped network or external drives. This ensures the scan stays focused on the local system, avoiding unnecessary delays from remote locations.

  1. Isolation IP/Port & Process Allow Lists

In AIR Policies, the Isolation IP/Port & Process Allow Lists feature enables users to create custom allow lists that can be applied after an asset has been isolated by AIR. This provides more granular control over the network access and functionality of isolated assets.

Evidence Repository - use a remote storage location set in .

The AIR console provides the ability to by terminating all existing connections to an asset and preventing any new connections. This isolation feature operates using a Kernel Mode Driver and does not rely on the Windows Firewall.

Evidence Repositories
isolate assets
In this case the user will have access to all Policy options
Evidence Collection Storage Configurations
interACT repository settings for downloads
Resource Limitation Settings
Compression and encryption settings toggled ON
Scan Local Drive Only (Triage)
Isolation IP/Port & Process Allow Lists