LogoLogo
Back to binalyze.com
  • Welcome | Binalyze Knowledge Base
  • AIR
    • AIR
    • Introduction
      • What is AIR?
      • Terminology
      • Architecture
        • AIR Responder Architecture; overview and performance analysis
        • AIR Task Flow and Management
      • Network Communication
      • Cloud Forensics with Binalyze AIR
    • AIR Setup
      • Console Hardware Requirements
      • Console Pre-Installation
      • Console Installation
      • Microsoft Azure Cloud Platform Integration
      • AIR Relay Server
        • What is AIR Relay Server?
        • Requirements for installation
        • How to install a Relay Server on different Linux platforms
        • How to change IP address of Relay Server
        • How to install a Responder with Relay Server support
        • Proxy configurations
          • Adding proxy to Relay Server
          • Adding proxy to Responder
        • Service Management for Relay Server
        • Whitelisting for Relay Server
        • Retrieving metrics from Relay Server
        • Updating and Uninstalling Relay Server
        • Troubleshooting
      • AIR Responder - Supported Operating Systems
        • AIR Responder - MS Windows supported systems
        • AIR Responder - Apple macOS supported systems
        • AIR Responder - Linux (DEB/RPM) supported systems
        • AIR - ESXi Standalone Collector
        • AIR Responder - Chrome supported systems
          • AIR For Chrome
      • AIR Responder Hardware Requirements
      • AIR Responder Deployment
        • Golden Image
        • Responder & Active Directory OUs
        • AIR Responder Exception Rules
          • Binalyze AIR Watchdog Folder
        • FDA via Jamf and Apple’s PPPC utility
        • AIR Responder in Windows 'Safe Mode'
      • Uninstalling AIR Responders
      • Security
        • AIR Console Access Control
        • AIR SSL Enforcement
          • SSL Certificate Management in Binalyze AIR
        • Two-factor authentication (2FA)
      • Post-Deployment Configuration Guide
        • Using AIR CLI on Binalyze AIR Console
      • AIR's User Settings
    • Updating AIR
      • Single-Tier Systems
      • 2-Tier Systems
      • AIR Console Updating - SaaS
    • Backup
      • Restore AIR Backup using the CLI
    • Features
      • Acquisition
        • Task Creation
          • Regex in AIR/DRONE:
          • Asset Management with Persistent Saved Filters
          • Task Cancellation and Deletion
        • Acquisition Profiles
        • Supported Evidence
          • Windows Collections
          • macOS Collections
          • Linux Collections
          • IBM AIX Collections
        • Scheduling Tasks
        • Disk and Volume Imaging
          • Imaging with interACT
        • Chain Of Custody in AIR
      • Auto Tagging
      • Triage
        • Triage Rule Templates
          • YARA Templates
          • Sigma Templates
          • osquery Templates
        • Schedule Triage Tasks
      • interACT
        • interACT Commands
        • PowerShell commands in interACT
      • Compare
      • Timeline
      • Integrations
        • SSO Integrations
          • Microsoft Azure SSO Integration
          • Okta SAML 2.0 SSO Integration
        • Webhooks
          • Mattermost Integration
          • Splunk Integration
          • IBM QRadar Integration
          • Wazuh Integration
          • Cortex XSOAR Integration
          • Elasticsearch Logstash Kibana Integration
          • ServiceNow Integration
          • Sumo Logic Integration
          • Crowdstrike Integration
          • Microsoft Sentinel Integration
          • Slack Integration
          • Carbon Black Cloud Integration
          • Rapid7 InsightIDR Integration
          • LogicHub SOAR (DEVO) Integration
          • Fortigate SIEM Integration
          • Dynatrace Integration
          • Stellar XDR Integration
          • SentinelOne Integration
          • Microsoft 365 Defender Integration
          • Cisco XDR Integration
      • Event Subscription
      • AIR API
        • API in AIR is likely to be more effective than Webhooks
      • DRONE
        • What is DRONE?
        • What is an Analysis Pipeline?
        • Analyzers
          • Cross Platform Analyzers
            • MITRE ATT&CK Analyzer
              • MITRE ATT&CK Analyzer changelog
            • Dynamo Analyzer
            • Browser History Analyzer
            • Generic WebShell Analyzer
          • Windows Analyzers
            • Windows Event Records and how AIR handles them
              • Windows Event Logs in AIR v4.21 and older versions
              • Event Records Summary vs. Event Records
            • Prefetch Analyzer
            • Shellbag Data Fields
          • Linux Analyzers
          • macOS Analyzers
            • Audit Event Analyzer
      • AIR Investigation Hub
        • Using the AIR Investigation Hub
        • Investigation Hub – Data Usage Statistics Dashboard
      • AIR File Explorer
        • File Explorer - FAQs
      • Tornado (Preview Version)
        • Tornado Installation Guide
          • Tornado Operating System Support
        • Updating Tornado
        • Tornado demo video
        • Getting Started with Tornado
          • Tornado Terminology
        • Tornado Collectors
          • Accessing Google Workspace
            • Service Account Creation
              • Enable Service Account Key Creation
          • Access Modes in O365
            • O365 license types
        • Tornado Troubleshooting & Feedback
        • Tornado FAQs
      • Frank.AI
      • Asset Isolation
      • Evidence Repositories
      • Policies
      • Tags
      • Off-Network Responder
        • Setting Up a Custom Case Directory
        • biunzip
          • biunzip password file
      • Binalyze AIR Responder Proxy Support
      • Proxy Configuration on Binalyze AIR Console
      • Binalyze AIR Audit Logs
    • Troubleshooting
      • Binalyze AIR Console CPU Profiling for Performance Issues
      • Understanding MSI Error Code 1618
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
    • FAQs
      • Binalyze AIR Console Migration Procedure For Single-Tier Setup
      • Binalyze AIR Console Migration Procedure For 2-Tier Installation
      • Binalyze AIR Console Backup Procedure
      • Resolving the “Invalid Host Header. Host must be the Console Address” Error
      • How to download the collected evidence and artifacts in Binalyze AIR?
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
      • AIR responder troubleshooting
      • Understanding Port Usage in Binalyze AIR
      • How many assets can connect to a single Console instance?
      • How do I enable SSL on AIR?
      • Can I use AIR with EDR/XDR Products?
      • Can I integrate AIR with my SOAR/SIEM?
      • What (sub)domains are used by AIR?
      • Docker & Host System IP Conflict
      • Monitoring Responder and UI API's
      • How do I update AIR Console?
      • How do I update AIR Responders on assets?
      • How to reset the password of a user via the AIR-CLI?
      • Is there a way to move an asset from one Organization or Case to another?
      • Creating exclusions/exception rules for Binalyze AIR Responder on EPP and EDR Solutions
      • Anything missing?
      • How can I install a version of AIR that isn't the latest?
  • General
    • Licenses - Open-source Software List
Powered by GitBook
On this page
  • Tagging Triage Rules
  • Scan Local Drives Only for Triage Tasks

Was this helpful?

Export as PDF
  1. AIR
  2. Features

Triage

Threat Hunting at speed and scale

PreviousAuto TaggingNextTriage Rule Templates

Last updated 1 month ago

Was this helpful?

Almost every case starts with one or more leads. If there are too many leads, the investigator might need to validate all their leads one by one, which is very time-consuming. Or, if there are too few leads, investigators don't have enough information to continue their case. Both situations are not good for the investigation and can impact the speed of resolution.

Triage is the process of hunting for and prioritizing the evidence that they’ll be analyzing. However, prioritizing this evidence is not a straightforward or easy job. An Investigator needs lots of data, leads, or experience to do it well. So, they generally use known attack indicators, called the IOC indicator of the compromise. An indicator of compromise (IoC) in computer forensics is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.

An investigator or analyst will generally scan all system data or part of it to discover these IOCs. When they see a match, it typically means that those systems are related to a specific attack type and need to be investigated first. Investigators use YARA, osquery, and Sigma rules for these scans. Investigators can define and scan IOCs by using AIR's built-in YARA, osquery, and Sigma template rules or editors.

Binalyze AIR DFIR Suite provides three different tools to the investigators for triage, which, as stated, are YARA, osquery, and Sigma. These tools generally scan assets to find specific data using IOC (Indicator of Compromise).

YARA (Yet Another Recursive Acronym) is a tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression that determine its logic.

Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write, and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once-developed detection methods and make them shareable with others. Sigma is for log files what Snort is for network traffic and YARA is for files.

osquery, an open-source tool, employs SQL-like queries to extract intricate system data. It offers cross-platform compatibility, making it ideal for real-time system monitoring, security analysis, and compliance assessments. Security professionals often use it to detect vulnerabilities, monitor system changes, and ensure adherence to security standards.

Binalyze AIR features a library for YARA, osquery, and Sigma rules, allowing investigators to develop, validate, and manage their rules directly within the platform using the built-in editors. These rules can be saved to Libraries > Triage Rules in AIR.

Investigators can easily threat hunting and scan their assets by selecting the necessary rules from the library. The Triage process flow, depicted below, illustrates how organizational policies allow administrators to control AIR’s functionality and define role-based permissions for specific activities.

Creating a case in AIR also enables users to centralize all collections, triage results, and activities related to a specific incident or investigation. This integration empowers the Investigation Hub to dynamically present everything from raw evidence to automated DRONE findings in a unified view.

NB: Character limitation for single triage rule

  • To prevent the browser becoming unresponsive we have limited the maximum to 350K characters in a single Triage Rule.

Tagging Triage Rules

Triage rules in the AIR console can be allocated Tags, which help to organize the rules and filter them when required. This feature for triage rules aids in managing them more efficiently and allows for streamlined searches and better organization within the console.

When creating or using a Triage Rule, the UI allows the user to filter existing rules by their associated Tags.

The Triage Rule Library includes Preset Filters in the secondary menu, allowing users to organize rules hierarchically, also known as 'Nested Tagging'. By incorporating a colon in their tags, users can structure and categorize rules more efficiently. For example, the tag "APT26:Tim:hashset" helps organize related rules under a structured hierarchy, enhancing navigation and accessibility in the library.

Scan Local Drives Only for Triage Tasks

With the Scan Local Drives Only feature, users can improve Yara triage efficiency by focusing threat hunting and triage scans solely on local drives, excluding remote external or network drives that often introduce unnecessary data into the investigation. The attached mounted USB drives should be included as ‘local drives’.

Key Details:

  • Available for all AIR-supported operating systems.

  • Disabled by default but can be enabled via the organizational policies page: Settings>Policies>Scan Local Drives Only.

  • It can also be configured when creating individual triage tasks using the custom options:

This feature ensures that only relevant data from local drives is collected, reducing noise and improving the speed and accuracy of investigations.

Organize triage rules hierarchically - 'Nested Tagging'
Triage creation and execution in AIR
Settings>Policies>Scan Local Drives Only