Policies

Policies are used in AIR to standardize critical options at the organization level for the Console, Responders, and Evidence Repositories. These Policy options allow administrators to set the:

1. The Policy name.

2. The Organization(s) affected by the policy.

3. The destination for collected evidence by OS platform:

   • Local - use the local asset.

   • Evidence Repository - use a remote storage location set in Evidence Repositories.

   • Path - By default, the path to save evidence locally is: Binalyze\AIR\

   • Direct Collection - Enable this switch to collect data while minimizing local disk space usage. During the upload process, approximately 100MB of temporary data is stored in the Cases folder, which is automatically deleted upon completion.

   • Automatically Select Volume - Toggle on this switch to allow AIR to select the local volume with the most available space.

1. The destination for files collected by interACT:

1. Asset Resource Limits utilized by AIR Task Assignments executed by Responders:

• CPU - We suggest setting CPU usage limits to about 40% on active assets/endpoints to avoid disruptions. Schedule resource-heavy tasks during off-peak hours and use lighter triage rules for in-use systems. Monitor impact and adjust as needed.

• Bandwidth - Bandwidth limitations primarily depend on the network and the constraints of the target server. To prevent accidental disruptions to mission-critical operations, users can configure an upper limit on bandwidth usage.

• Disk Space - Evidence collection on the local asset will continue until the specified amount of free disk space remains.

1. Compression and encryption settings

To create a new policy, click the "Settings" button in the Main Menu and then select “Policies” from the Secondary Menu.

Now, when you select "+Add New", you can create the required policies by configuring the six options shown above.