What is AIR?
Automated Investigation and Response platform
Binalyze AIR is an Automated Investigation and Response platform that remotely collects more than 600 evidential artifact types, across multiple operating systems, in minutes. It is fast and designed to be easy to use.
AIR accelerates investigations through an integrated analyzer called DRONE. DRONE's findings for multiple assets are presented in a single view, the Investigation Hub.
AIR can triage thousands of assets simultaneously using YARA, Sigma, and osquery rules.
Targeted collections let AIR protect employee privacy when required. It can also capture the forensic state of multiple assets and present that state in the Investigation Hub.
The Investigation Hub serves as a single, user-friendly DFIR intelligence resource. It consolidates acquisition and triage data from all assets, presents it in a digestible format, and integrates DRONE analyzer findings through graphical visualizations that identify the machines most in need of immediate, focused investigation or remediation. The Investigation Hub streamlines the investigative process by:
Providing actionable findings to prioritize and guide investigators,
Offering comprehensive listings of all evidential artifacts,
Including a range of advanced filtering options, and
Featuring a powerful global search capability.
The AIR console is simple to deploy. Because it is Docker-based, it can run on-premises or on a server in AWS or Azure.
AIR integrates with existing SIEM and SOAR solutions and with many EDR products via webhooks and an open API, so analysts can automate the response phase of incident response.
As a result, all forensic collections can be scheduled, automated, remote, and scalable.
Evidence hashing, AES-256 encryption, and RFC 3161 time-stamping give AIR's evidence handling a verifiable chain of custody: hashing lets an artifact's integrity be re-checked at any later point, encryption protects its confidentiality, and the RFC 3161 time-stamp provides independent proof of when that hash existed.
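To make the integrity part of that chain of custody concrete, here is an added example written for this page; it is not Binalyze AIR's own code or log format. Each handling step records the SHA-256 of the evidence together with the hash of the previous record, so a later change to either the evidence or the log is detectable by anyone holding the log and the artifact. The evidence bytes, record fields and actor names are constructed for illustration; encryption at rest and the RFC 3161 request are left out because they need a key store and a network-reachable Time Stamping Authority.

```python
"""Added example: independent integrity check for a hashed custody log.

Illustrative code for this page, not Binalyze AIR's implementation or format.
"""
import hashlib
import json
from dataclasses import asdict, dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyRecord:
    action: str           # e.g. "collected", "transferred", "verified"
    actor: str            # who handled the evidence (hypothetical names below)
    evidence_sha256: str  # hash of the evidence bytes at this step
    prev_record: str      # digest of the previous record ("" for the first)

    def digest(self) -> str:
        # Canonical JSON so the digest does not depend on key order.
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())


def append_record(log: list, action: str, actor: str, evidence: bytes) -> list:
    """Return a new log with one more record linked to the previous one."""
    prev = log[-1].digest() if log else ""
    return log + [CustodyRecord(action, actor, sha256_hex(evidence), prev)]


def verify_chain(log: list, evidence: bytes) -> tuple:
    """Return (ok, reason). Checks record linkage and that every record
    names the hash the evidence has now."""
    current = sha256_hex(evidence)
    expected_prev = ""
    for i, rec in enumerate(log):
        if rec.prev_record != expected_prev:
            return False, f"record {i}: broken link to previous record"
        if rec.evidence_sha256 != current:
            return False, f"record {i}: evidence hash mismatch"
        expected_prev = rec.digest()
    return True, "chain intact"


# Constructed sample evidence (not a real artifact).
EVIDENCE = b"Constructed sample artifact: prefetch entry for notepad.exe\n"


def demo() -> tuple:
    """Returns (intact, tampered_evidence_ok, rewritten_log_ok)."""
    log = []
    log = append_record(log, "collected", "analyst-a", EVIDENCE)
    log = append_record(log, "transferred", "analyst-b", EVIDENCE)
    intact, _ = verify_chain(log, EVIDENCE)
    # One appended byte changes the evidence hash, so record 0 fails.
    tampered_ok, _ = verify_chain(log, EVIDENCE + b"x")
    # Rewriting record 0 (a different actor) changes its digest, so record 1's
    # prev_record no longer matches and the link is reported broken.
    forged = [CustodyRecord("collected", "someone-else",
                            log[0].evidence_sha256, "")] + log[1:]
    forged_ok, _ = verify_chain(forged, EVIDENCE)
    return intact, tampered_ok, forged_ok


if __name__ == "__main__":
    print(demo())
```

The check only proves integrity relative to the first record; proving when that record was created is what the RFC 3161 time-stamp over the first digest adds, and protecting the bytes in storage is what the encryption adds.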
Other key features include the patent-pending Baseline Comparison technology, which lets you target your efforts more proactively: compare one acquisition against another and identify additions, changes, and deletions in the system areas attackers most often exploit.
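The comparison itself is a content-based diff of two snapshots. The following is an added example written for this page, not AIR's Baseline Comparison feature: each acquisition is modelled as a mapping from an artifact key (here hypothetical registry values, scheduled task files and the hosts file) to the SHA-256 of its content, and comparing two such snapshots yields the added, deleted and changed entries. The snapshot contents are constructed sample data.

```python
"""Added example: baseline comparison of two acquisitions.

Illustrative code for this page, not Binalyze AIR's own implementation.
"""
import hashlib
from typing import Dict, Mapping


def snapshot(artifacts: Mapping[str, bytes]) -> Dict[str, str]:
    """Hash each artifact's content so the comparison is content-based,
    not size- or timestamp-based."""
    return {key: hashlib.sha256(content).hexdigest()
            for key, content in artifacts.items()}


def compare(baseline: Mapping[str, str], current: Mapping[str, str]) -> dict:
    """Return keys that appeared, disappeared, or changed content."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "deleted": sorted(base_keys - cur_keys),
        "changed": sorted(k for k in base_keys & cur_keys
                          if baseline[k] != current[k]),
    }


# Constructed snapshots of a few persistence locations (sample data, not
# taken from any real host).
BASELINE = snapshot({
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        b"C:\\Program Files\\OneDrive\\OneDrive.exe",
    r"C:\Windows\System32\Tasks\Backup": b"<Task>backup.exe</Task>",
    r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost\n",
})
CURRENT = snapshot({
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        b"C:\\Program Files\\OneDrive\\OneDrive.exe",
    # New autorun pointing at a user-writable path (constructed indicator).
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
        b"C:\\Users\\Public\\svchost.exe",
    # Scheduled task removed; hosts file gained a line.
    r"C:\Windows\System32\drivers\etc\hosts":
        b"127.0.0.1 localhost\n0.0.0.0 updates.vendor.example\n",
})


def demo() -> dict:
    return compare(BASELINE, CURRENT)


if __name__ == "__main__":
    for kind, keys in demo().items():
        print(kind, keys)
```

Only three of the five entries reach the analyst; everything unchanged since the baseline is dropped, which is what cuts the noise on a fleet-wide comparison.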
AIR helps you cut through the noise of security data with live YARA, Sigma, and osquery scanning, rapid keyword searching, automated post-acquisition analysis, and Event Scoring.
These features combine to let most digital forensics investigations be concluded in under 4 hours, a dramatic improvement over what is commonly achieved with other solutions.