Terminology

A brief overview of AIR terminology

Acquisition Profile

A named set of evidence types, application artifacts, and custom content items that a task collects. AIR ships with acquisition profiles 'out-of-the-box', and you can create additional ones by visiting "Integrations" in the Main Menu.

AIR Console

AIR's web-based management interface, used to manage assets and assign tasks to them. Users can switch between light and dark modes from the main AIR menu.

Asset and Asset Status

In Binalyze AIR, an asset is any entity, physical or virtual, that runs a supported operating system (Windows, macOS, Linux, Chrome, IBM AIX, or ESXi). Assets are the targets on which AIR performs its actions, including evidence collection and task execution, when responding to or hunting for cyber threats. Examples of assets include computers, servers, hosts, cloud accounts, and disk images.

In AIR, an Asset can be in one of 3 states:

  1. Managed: The AIR responder has been deployed to the device and has connected to the console, so the asset can receive task assignments.

  2. Unmanaged: An asset is categorized as Unmanaged under either of two conditions:

    • Discovery without Deployment: The asset was identified through an Active Directory or Cloud Account scan but does not have the AIR responder installed.

    • Unreachable with No Data: The asset's responder has not connected to the AIR console for over 30 days (Unreachable), and the console holds no forensic data for that asset.

  3. Off-Network: An asset is classified as Off-Network under either of two scenarios:

    • Data Supplied: The asset has previously provided data through an Off-Network Acquisition or Triage task.

    • Unreachable with Stored Data: The console holds forensic data for the asset, but the asset cannot currently be reached for further collection or task assignments.

    In both scenarios the existing data can be investigated, and additional data can be imported manually as required.

The Assets Summary window on the home page can also report an asset as:

  1. Unreachable: The asset's responder has not connected to the Binalyze AIR console for over 30 days. Until then, the asset is shown as Online or Offline.

  2. Update Required: The responder on the asset must be updated before it can function correctly.

  3. Update Advised: The responder still functions, but an update is recommended for full functionality.

  4. Isolated: The asset's network access has been restricted so that it can communicate only with the AIR console.
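The state rules above can be expressed as a short decision procedure. The following is an added illustration written for this page, not Binalyze's code and not a description of how the console is implemented: it classifies a constructed inventory into the three primary states and the Assets Summary flags. Its assumptions are marked in the code: a responder that has never connected counts as unreachable, a Data Supplied asset is Off-Network regardless of its other fields, and Update Required versus Update Advised is decided by comparing the responder version against two assumed thresholds.

```python
"""Classify assets into AIR's primary states and Assets Summary flags.

Added illustration, not Binalyze code. Inventory records are constructed;
the never-connected case, the state precedence and the version thresholds
are assumptions of this example, not documented console behaviour.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UNREACHABLE_AFTER = timedelta(days=30)   # "over 30 days" without a connection
MIN_SUPPORTED = (4, 0, 0)                # assumed: below this a responder cannot run tasks
LATEST = (4, 21, 0)                      # assumed: version the console currently ships


@dataclass
class Asset:
    name: str
    responder_installed: bool             # False for AD / cloud-account discoveries
    last_seen: Optional[datetime] = None  # None: responder never connected (assumed unreachable)
    has_stored_data: bool = False         # console already holds forensic data
    supplied_off_network: bool = False    # data arrived via an Off-Network task
    responder_version: Optional[tuple] = None
    isolated: bool = False


def is_unreachable(asset: Asset, now: datetime) -> bool:
    """Responder installed but silent for more than 30 days (or never seen)."""
    if not asset.responder_installed:
        return False
    return asset.last_seen is None or now - asset.last_seen > UNREACHABLE_AFTER


def primary_state(asset: Asset, now: datetime) -> str:
    """Managed, Unmanaged or Off-Network, following the rules on this page."""
    if asset.supplied_off_network:
        return "Off-Network"              # Data Supplied (assumed to take precedence)
    if not asset.responder_installed:
        return "Unmanaged"                # Discovery without Deployment
    if is_unreachable(asset, now):
        # Unreachable: whether the console holds data decides the state.
        return "Off-Network" if asset.has_stored_data else "Unmanaged"
    return "Managed"


def summary_flags(asset: Asset, now: datetime) -> list[str]:
    """Extra states the Assets Summary window can report for an asset."""
    flags = []
    if is_unreachable(asset, now):
        flags.append("Unreachable")
    v = asset.responder_version
    if v is not None and v < MIN_SUPPORTED:
        flags.append("Update Required")
    elif v is not None and v < LATEST:
        flags.append("Update Advised")
    if asset.isolated:
        flags.append("Isolated")
    return flags


def summarize(assets: list[Asset], now: datetime) -> dict[str, int]:
    """Count assets per primary state and per summary flag."""
    counts: dict[str, int] = {}
    for a in assets:
        for key in [primary_state(a, now), *summary_flags(a, now)]:
            counts[key] = counts.get(key, 0) + 1
    return counts


NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)
day = timedelta(days=1)

# Constructed inventory covering each rule, including the 30-day boundary.
INVENTORY = [
    Asset("ws-01", True, NOW - 1 * day, responder_version=(4, 21, 0)),
    Asset("ws-02", True, NOW - 31 * day),                        # silent, no data
    Asset("ws-03", True, NOW - 45 * day, has_stored_data=True,
          responder_version=(3, 9, 0)),                          # silent, data held
    Asset("ad-04", False),                                       # found in AD only
    Asset("lap-05", False, supplied_off_network=True),           # offline collection
    Asset("srv-06", True, NOW - 30 * day, responder_version=(4, 10, 0),
          isolated=True),                                        # exactly 30 days
]

if __name__ == "__main__":
    for a in INVENTORY:
        print(f"{a.name:8} {primary_state(a, NOW):12} {summary_flags(a, NOW)}")
    print(summarize(INVENTORY, NOW))
```

Running it prints one line per asset. The srv-06 record sits exactly on the 30-day boundary and stays Managed, because the rule is "over 30 days"; ws-02 and ws-03 are both silent for longer, and only the presence of stored data separates Unmanaged from Off-Network.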

Asset Management - Using Persistent Saved Filters

Persistent Saved Filters enable users to create and store custom asset filters, making it easier to locate and manage assets without having to reapply filter conditions in each session.

Evidence Item or Artifact?

Evidence Item:

In Binalyze AIR, as in digital forensics generally, an evidence item is data extracted from the operating system and from the system areas it uses to record, manage, or operate the system (for example Windows event logs or prefetch files). Analyzing these items reveals details of user activity and potential security incidents or anomalies.

Artifact:

Artifacts, by contrast, are files produced by applications during their execution: logs, configuration files, temporary files, and similar outputs. They record what the application did and are therefore of interest in a forensic investigation.

Evidence Repository

A remote location for saving the evidence collected by an AIR task. Supported repository types are:

  1. SMB

  2. SFTP

  3. FTPS

  4. Amazon S3

  5. Azure Blob

  6. Network Shares

To create a new repository, go to Settings in the Main Menu and select Evidence Repositories from the secondary menu. In the 'New Repository' window, choose the repository type and complete the mandatory fields. Collected evidence leaves the asset over this channel, so when it crosses an untrusted network prefer a type that encrypts in transit (SFTP, FTPS, Amazon S3, or Azure Blob), and give the credentials AIR uses only the access needed to write into the evidence path.

Organizations

In Binalyze AIR, an organization is a structural entity that allows for the separation of assets, users, and cases within a multi-tenant environment. The multi-tenancy capability of AIR enables a single console to manage multiple organizations, each with its own isolated environment. Here’s how it works:

  1. Asset Management: An asset (for example a device or endpoint) belongs to exactly one organization, which keeps the boundaries between organizational environments clear. Within that organization, the same asset can be assigned to multiple cases.

  2. Case Management: Cases (investigations or incidents, in other words) likewise belong to a specific organization. Access to cases can be restricted by user privileges within that organization.

  3. Global and Organization-Specific Settings: Certain settings, such as policies and evidence repositories, can be configured once globally across all organizations or individually for each organization. Administrators can therefore enforce global standards while still customizing configuration at the organization level where required.

  4. Policies and Evidence Repositories: As an example, an evidence repository, which stores collected data, can be made available to all organizations (global) or set up uniquely for one organization, giving that organization local control over where its data is stored.

This multi-tenant architecture in Binalyze AIR ensures that organizations can operate independently within the same platform, benefiting from both shared resources and isolated environments, depending on their needs.

Responder

The AIR responder is a standalone package of roughly 40 MB that is installed on each asset and executes the DFIR tasks the console assigns to it.

Unlike 'agents' that monitor systems continuously and consume significant resources, an AIR responder only becomes active to perform a precise, user-defined DFIR task on demand. This makes it practical to deploy thousands of responders across an IT estate, ready to execute proactive and reactive incident response activities such as evidence collection, threat hunting, and forensic-level analysis as needed, while keeping the impact on each asset minimal.

Task

Operations that the AIR console assigns to assets, either manually or automatically via a trigger. A task can be assigned to multiple assets; each (task, asset) pair is a 'task assignment', a one-to-one correspondence between the task created on the console and the specific asset on which it runs, so every assignment can be managed and tracked individually.

Tasks can be:

  1. Manual: Assigned by a user.

  2. Scheduled: Created by a user to start in the future. Scheduled tasks can be one-time or recurring (daily/weekly/monthly).

  3. Triggered: Assigned to assets automatically in response to a trigger request sent by a SIEM/SOAR/EDR solution.

Triggers (Webhooks)

Triggers are AIR's main extensibility mechanism for receiving alerts from other security products such as SIEM, SOAR, and EDR solutions.

A trigger is the combination of a parser (which extracts the affected asset from the incoming alert), an acquisition profile, and a destination for saving the collected evidence (either local or a remote evidence repository).

A trigger can go further and automate post-acquisition analysis with DRONE and the MITRE ATT&CK analyzer. In effect, an alert from your security tools can launch collection of the relevant forensic data, analysis of that data, and delivery of the DFIR findings to the Investigation Hub with no analyst intervention.
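The Task and Trigger definitions above can be tied together in code. The following is an added example written for this page, not Binalyze's webhook implementation, and this page does not document AIR's real request format: it models a trigger as a parser, an acquisition profile and a destination, authenticates the sender with an assumed HMAC-SHA256 X-Signature header before doing anything else, applies a severity gate, and produces one task assignment per Managed asset named in the alert while recording the assets it cannot task (Off-Network, Unmanaged or unknown). The alert shapes, inventory, trigger names, shared secret and task-id scheme are all constructed for the example.

```python
"""Model of an AIR trigger: parser + acquisition profile + evidence destination.

Added illustration, not Binalyze's webhook implementation. The alert shapes,
the X-Signature HMAC check, the inventory and the task-id scheme are
constructed for this example; AIR's real webhook format is not on this page.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Trigger:
    name: str
    parser: Callable[[dict], Optional[tuple[list[str], str]]]
    acquisition_profile: str
    destination: str                  # "local" or an evidence repository name
    min_severity: str = "medium"
    secret: bytes = b"example-shared-secret"   # assumed per-trigger secret


@dataclass(frozen=True)
class TaskAssignment:
    """One task, one asset: the unit that is tracked individually."""
    task_id: str
    asset: str
    acquisition_profile: str
    destination: str


def parse_edr_alert(body: dict):
    """Constructed EDR shape: {"devices": [{"hostname": ...}], "severity": "High"}."""
    try:
        return [d["hostname"] for d in body["devices"]], str(body["severity"]).lower()
    except (KeyError, TypeError):
        return None


def parse_siem_alert(body: dict):
    """Constructed SIEM shape: {"host": "...", "level": 1..4}."""
    levels = {1: "low", 2: "medium", 3: "high", 4: "critical"}
    try:
        return [body["host"]], levels[int(body["level"])]
    except (KeyError, TypeError, ValueError):
        return None


def sign(raw: bytes, secret: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body, sent as X-Signature (assumed scheme)."""
    return hmac.new(secret, raw, hashlib.sha256).hexdigest()


def dispatch(trigger: Trigger, raw_body: bytes, signature: str,
             inventory: dict[str, str]) -> dict:
    """Turn one inbound alert into task assignments, or say why it was dropped."""
    result = {"accepted": False, "reason": "", "assignments": [], "skipped": {}}
    # Whoever can reach the endpoint can start a collection, so authenticate
    # the sender before parsing anything it sent.
    if not hmac.compare_digest(sign(raw_body, trigger.secret), signature):
        result["reason"] = "signature mismatch"
        return result
    try:
        body = json.loads(raw_body)
    except ValueError:                    # covers JSONDecodeError and bad UTF-8
        result["reason"] = "body is not JSON"
        return result
    parsed = trigger.parser(body)
    if parsed is None:
        result["reason"] = "parser could not extract a host"
        return result
    hosts, severity = parsed
    if SEVERITY_RANK.get(severity, 0) < SEVERITY_RANK[trigger.min_severity]:
        result["reason"] = f"severity {severity} below {trigger.min_severity}"
        return result
    # One task per distinct alert body: a redelivered alert maps to the same id.
    task_id = f"{trigger.name}-{hashlib.sha256(raw_body).hexdigest()[:12]}"
    for host in hosts:
        state = inventory.get(host, "Unknown")
        if state == "Managed":            # only a Managed asset can be tasked
            result["assignments"].append(TaskAssignment(
                task_id, host, trigger.acquisition_profile, trigger.destination))
        else:
            result["skipped"][host] = state
    result["accepted"] = bool(result["assignments"])
    if not result["accepted"]:
        result["reason"] = "no Managed asset to task"
    return result


# Constructed inventory, triggers and alerts.
INVENTORY = {"ws-01": "Managed", "srv-02": "Off-Network", "ws-09": "Managed"}
EDR_TRIGGER = Trigger("edr-high", parse_edr_alert, "Full", "s3-evidence", "high")
SIEM_TRIGGER = Trigger("siem-any", parse_siem_alert, "Quick", "local", "low")
EDR_ALERT = json.dumps({"devices": [{"hostname": "ws-01"}, {"hostname": "srv-02"}],
                        "severity": "High"}).encode()
EDR_ALERT_MEDIUM = json.dumps({"devices": [{"hostname": "ws-01"}],
                               "severity": "medium"}).encode()
SIEM_ALERT = json.dumps({"host": "ws-09", "level": 2}).encode()
SIEM_ALERT_UNKNOWN = json.dumps({"host": "ws-77", "level": 3}).encode()

if __name__ == "__main__":
    for trig, raw in [(EDR_TRIGGER, EDR_ALERT), (SIEM_TRIGGER, SIEM_ALERT_UNKNOWN)]:
        print(dispatch(trig, raw, sign(raw, trig.secret), INVENTORY))
```

The signature check comes first because a trigger endpoint is, by design, a way for an external system to start evidence collection; without sender authentication a forged alert could direct collections, and the evidence they produce, wherever the forger chooses. Deriving the task id from the alert body makes redelivery of the same alert idempotent instead of creating a second collection, and the per-host state check mirrors the asset states above: only a Managed asset can receive a task assignment, while Off-Network and Unmanaged assets are reported rather than silently dropped.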

Triage

Searching for indicators such as a file hash, process, or malicious domain across many assets at once. AIR ships with 'out-of-the-box' YARA, Sigma, and osquery templates, making it fast and easy to start sweeping your environment.
