Back to binalyze.com

Architecture

A brief overview of system architecture

Components

Binalyze AIR is an on-premise or cloud-based, client-server solution that allows you to remotely perform a variety of tasks on assets such as collecting forensic evidence and performing triage with YARA, Sigma, or osquery.

1. Management Console

Management Console is a web-based application that can be viewed from any device with an up-to-date browser.

2. AIR Responders

Assets connect to the management console via a lightweight "passive" responder that can be deployed manually or via mechanisms such as SCCM.

2.1. Passive Responder Explained

As you might have already guessed from the term "passive agent", AIR agents:

  • DO NOT scan anything on the asset that may cause slowdowns (e.g. your Antivirus),

  • DO NOT block anything on the asset that may cause false positives (e.g. your DLP),

  • DO NOT create any alerts that may cause "alert fatigue".

3. Communication with the Binalyze Domain

DOMAINCATEGORIESDESCRIPTION

https://binalyze.com

UPDATE

This domain is used by AIR Server instances to check if there is any new version to update.

https://license.binalyze.com

LICENSE

This domain is used by AIR Server instances to check the licence information

https://api.binalyze.com

TIMESTAMP

This domain is used by AIR Server for RFC 3161 features which requires integration with a timestamp server.

https://cdn.binalyze.com

UPDATE

This domain is used by AIR Server instances to update artefacts like MITRE Attack Rules , docker compose files, update scripts, offline installer packages.

https://one.binalyze.com

FIS USAGE STATS

FEATURE FLAGS

USAGE ANALYTICS

This domain is used by AIR Server instances to

  • Collect case activity & Organization ID metrics for FIS License charges/billing.

  • Feature flag service to enable/disable features on AIR.

  • Analytics to analyse usage statistics.

https://cr.binalyze.com

UPDATE

This domain is a container registry for AIR Server instances to update server components like the application server images, database images, caching server images etc.

A note on Cloud Infrastructure

All of the web services and API backends listed above are hosted on Microsoft Azure preferably in East/West US Datacenters and protected by Cloudflare.

What data is sent or received by Binalyze domains

Domain

Data Sent To Domain

Data Received From Domain

https://binalyze.com

N/A

Version Information

https://license.binalyze.com

License Key

License Status Details

https://api.binalyze.com

Hash of PPC

Ref: [AIR] Timestamp PPC Files RFC-3161

RFC-3161 Timestamp Token

https://cdn.binalyze.com

N/A

Packages

https://one.binalyze.com

FIS USAGE STATS:

OrganizationID’s, Case Id, License Key, CaseEventType, CaseEventTime, endpoint Id, Task Id

i.e.: "logId": 764149386100000, "type": "endpointTaskAddedToCaseEvent", "publishedDate": "2022-06-03T10:22:18.610Z", "data": { "caseId": "C-2022-0028", "endpointId": "2b2ea7b0-be61-445c-b735-ac1a9a39e448", "taskAssignmentId": "2b1d5b2c-72ac-4828-9a82-b3510ce9fd5a" }, "license": "LICENSE-KEY"

FEATURE FLAGS: License Key

USAGE ANALYTICS: Amplitude event structure

FEATURE FLAGS: Feature flag states

USAGE ANALYTICS: N/A

https://cr.binalyze.com

N/A

Binary Packages

PreviousTerminologyNextAIR Responder Architecture; overview and performance analysis

Last updated