Terminology

A brief overview of AIR terminology

AIR Console

Web-based management interface which lets you manage your Assets and assign tasks.

Asset

An Asset is a device (desktop/laptop/server/workstation) in your environment. It is in one of two states:
  1. Managed: the AIR Agent is successfully deployed to the device and ready to perform tasks.
  2. Unmanaged: the device was discovered by enumerating Active Directory but does not have the AIR Agent deployed.
The Assets Summary window on the home page can also report the Asset as:
  1. Off-Network: the Asset has supplied data to the console via an Off-Network Acquisition or Triage task.
  2. Unreachable: the Asset agent is currently unreachable.
  3. Update Required: the Agent on the Asset requires an update to function correctly.
  4. Update Advised: the Agent is still functional, but an update is recommended for full functionality.
  5. Isolated: the Asset is currently isolated from the network, except for communication with the AIR console.
Installation of the AIR Agent on your assets is managed via the Assets button in the Main Menu:
(Figure: Assets button in the Main Menu)
The AIR Agent installer is a zero-configuration package which already contains the console address embedded in it.
You can deploy the AIR Agent in multiple ways:
  1. Downloading an installation package (Windows, macOS, Linux, Chrome and ESXi)
  2. Copying a PowerShell command (Windows)
  3. Copying a cURL command (macOS and Linux)
  4. Copying a wget command (macOS and Linux)
  5. Downloading a PowerShell script (Windows)
  6. Downloading the Asset installer (macOS and Linux)
  7. Manual installation via Active Directory/SCCM
  8. Generation of a shareable Deployment Link (Windows, macOS, Linux, Chrome and ESXi)

Task

Operations that are assigned to the assets by the AIR console, either manually or automatically via a trigger.
Tasks can be:
  1. Manual: assigned manually by users.
  2. Scheduled: created by users to start in the future. Scheduled tasks can be either one-time or recurring (daily/weekly/monthly).
  3. Triggered: assigned to the assets in response to a trigger request sent by a SIEM/SOAR/EDR solution.

Triggers (Webhooks)

Triggers are the main extensibility mechanism by which AIR receives alerts from other security suites such as SIEM/SOAR/EDRs.
A trigger is the combination of a parser, an acquisition profile, and a destination for saving the collected evidence (either local or remote).
Binalyze AIR takes this further by allowing the trigger to automate the post-acquisition analysis as well, using the DRONE and MITRE ATT&CK scanners. In effect, an alert from your security tools can launch AIR into collecting the relevant forensic data, analysing that data, and delivering any DFIR findings to the Intelligence Hub with no analyst intervention whatsoever.

Triage

Searching for pieces of evidence, such as a file hash, a process or a malicious domain, at scale. AIR provides 'out-of-box' examples for YARA, Sigma and osquery, making it fast and easy to start sweeping your environment.

Acquisition Profile

A group of evidence types, application artifacts, and custom content items. Acquisition profiles are provided 'out-of-box', but you can also create additional ones by visiting "Integrations" in the Main Menu.

Evidence Repository

A remote location for saving evidence collected as the result of an AIR tasking. Supported repository types are:
  1. SMB
  2. SFTP
  3. FTPS
  4. Amazon S3
  5. Azure Blob
  6. Network Shares
To create a new repository, go to Settings in the Main Menu and select Evidence Repositories from the secondary menu. In the 'New Repository' window, complete the mandatory fields and select the type of repository you wish to add:
(Figure: Creation of a new Evidence Repository)