LogoLogo
Back to binalyze.com
  • Welcome | Binalyze Knowledge Base
  • AIR
    • AIR
    • Introduction
      • What is AIR?
      • Terminology
      • Architecture
        • AIR Responder Architecture; overview and performance analysis
        • AIR Task Flow and Management
      • Network Communication
      • Cloud Forensics with Binalyze AIR
    • AIR Setup
      • Console Hardware Requirements
      • Console Pre-Installation
      • Console Installation
      • Microsoft Azure Cloud Platform Integration
      • AIR Relay Server
        • What is AIR Relay Server?
        • Requirements for installation
        • How to install a Relay Server on different Linux platforms
        • How to change IP address of Relay Server
        • How to install a Responder with Relay Server support
        • Proxy configurations
          • Adding proxy to Relay Server
          • Adding proxy to Responder
        • Service Management for Relay Server
        • Whitelisting for Relay Server
        • Retrieving metrics from Relay Server
        • Updating and Uninstalling Relay Server
        • Troubleshooting
      • AIR Responder - Supported Operating Systems
        • AIR Responder - MS Windows supported systems
        • AIR Responder - Apple macOS supported systems
        • AIR Responder - Linux (DEB/RPM) supported systems
        • AIR - ESXi Standalone Collector
        • AIR Responder - Chrome supported systems
          • AIR For Chrome
      • AIR Responder Hardware Requirements
      • AIR Responder Deployment
        • Golden Image
        • Responder & Active Directory OUs
        • AIR Responder Exception Rules
          • Binalyze AIR Watchdog Folder
        • FDA via Jamf and Apple’s PPPC utility
        • AIR Responder in Windows 'Safe Mode'
      • Uninstalling AIR Responders
      • Security
        • AIR Console Access Control
        • AIR SSL Enforcement
          • SSL Certificate Management in Binalyze AIR
        • Two-factor authentication (2FA)
      • Post-Deployment Configuration Guide
        • Using AIR CLI on Binalyze AIR Console
      • AIR's User Settings
    • Updating AIR
      • Single-Tier Systems
      • 2-Tier Systems
      • AIR Console Updating - SaaS
    • Backup
      • Restore AIR Backup using the CLI
    • Features
      • Acquisition
        • Task Creation
          • Regex in AIR/DRONE:
          • Asset Management with Persistent Saved Filters
          • Task Cancellation and Deletion
        • Acquisition Profiles
        • Supported Evidence
          • Windows Collections
          • macOS Collections
          • Linux Collections
          • IBM AIX Collections
        • Scheduling Tasks
        • Disk and Volume Imaging
          • Imaging with interACT
        • Chain Of Custody in AIR
      • Auto Tagging
      • Triage
        • Triage Rule Templates
          • YARA Templates
          • Sigma Templates
          • osquery Templates
        • Schedule Triage Tasks
      • interACT
        • interACT Commands
        • PowerShell commands in interACT
      • Compare
      • Timeline
      • Integrations
        • SSO Integrations
          • Microsoft Azure SSO Integration
          • Okta SAML 2.0 SSO Integration
        • Webhooks
          • Mattermost Integration
          • Splunk Integration
          • IBM QRadar Integration
          • Wazuh Integration
          • Cortex XSOAR Integration
          • Elasticsearch Logstash Kibana Integration
          • ServiceNow Integration
          • Sumo Logic Integration
          • Crowdstrike Integration
          • Microsoft Sentinel Integration
          • Slack Integration
          • Carbon Black Cloud Integration
          • Rapid7 InsightIDR Integration
          • LogicHub SOAR (DEVO) Integration
          • Fortigate SIEM Integration
          • Dynatrace Integration
          • Stellar XDR Integration
          • SentinelOne Integration
          • Microsoft 365 Defender Integration
          • Cisco XDR Integration
      • Event Subscription
      • AIR API
        • API in AIR is likely to be more effective than Webhooks
      • DRONE
        • What is DRONE?
        • What is an Analysis Pipeline?
        • Analyzers
          • Cross Platform Analyzers
            • MITRE ATT&CK Analyzer
              • MITRE ATT&CK Analyzer changelog
            • Dynamo Analyzer
            • Browser History Analyzer
            • Generic WebShell Analyzer
          • Windows Analyzers
            • Windows Event Records and how AIR handles them
              • Windows Event Logs in AIR v4.21 and older versions
              • Event Records Summary vs. Event Records
            • Prefetch Analyzer
            • Shellbag Data Fields
          • Linux Analyzers
          • macOS Analyzers
            • Audit Event Analyzer
      • AIR Investigation Hub
        • Using the AIR Investigation Hub
        • Investigation Hub – Data Usage Statistics Dashboard
      • AIR File Explorer
        • File Explorer - FAQs
      • Tornado (Preview Version)
        • Tornado Installation Guide
          • Tornado Operating System Support
        • Updating Tornado
        • Tornado demo video
        • Getting Started with Tornado
          • Tornado Terminology
        • Tornado Collectors
          • Accessing Google Workspace
            • Service Account Creation
              • Enable Service Account Key Creation
          • Access Modes in O365
            • O365 license types
        • Tornado Troubleshooting & Feedback
        • Tornado FAQs
      • Frank.AI
      • Asset Isolation
      • Evidence Repositories
      • Policies
      • Tags
      • Off-Network Responder
        • Setting Up a Custom Case Directory
        • biunzip
          • biunzip password file
      • Binalyze AIR Responder Proxy Support
      • Proxy Configuration on Binalyze AIR Console
      • Binalyze AIR Audit Logs
    • Troubleshooting
      • Binalyze AIR Console CPU Profiling for Performance Issues
      • Understanding MSI Error Code 1618
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
    • FAQs
      • Binalyze AIR Console Migration Procedure For Single-Tier Setup
      • Binalyze AIR Console Migration Procedure For 2-Tier Installation
      • Binalyze AIR Console Backup Procedure
      • Resolving the “Invalid Host Header. Host must be the Console Address” Error
      • How to download the collected evidence and artifacts in Binalyze AIR?
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
      • AIR responder troubleshooting
      • Understanding Port Usage in Binalyze AIR
      • How many assets can connect to a single Console instance?
      • How do I enable SSL on AIR?
      • Can I use AIR with EDR/XDR Products?
      • Can I integrate AIR with my SOAR/SIEM?
      • What (sub)domains are used by AIR?
      • Docker & Host System IP Conflict
      • Monitoring Responder and UI API's
      • How do I update AIR Console?
      • How do I update AIR Responders on assets?
      • How to reset the password of a user via the AIR-CLI?
      • Is there a way to move an asset from one Organization or Case to another?
      • Creating exclusions/exception rules for Binalyze AIR Responder on EPP and EDR Solutions
      • Anything missing?
      • How can I install a version of AIR that isn't the latest?
  • General
    • Licenses - Open-source Software List
Powered by GitBook
On this page
  • PART 1
  • Binalyze AIR Post-Deployment Configuration Guide
  • 1. Organizations/Tenants
  • 2. Single Sign-On (SSO)
  • 3. Two-Factor Authentication (2FA)
  • 4. Responder Management & Updates
  • 5. Create Exception Rules for Binalyze AIR in EDR/AV Systems
  • 6. Evidence Repositories
  • 7. Assets
  • 8. Cases
  • 9. Libraries
  • 10. Integrations (Automation)
  • 11. Triage
  • 12. Auto Asset Tagging
  • 13. Policies
  • 14. Additional Configurations
  • PART 2
  • AIR setup Checklist
  • Priority 1: Core Setup
  • Priority 2: Security Enhancements
  • Priority 3: Automation and Advanced Features
  • Priority 4: Ongoing/regular checks

Was this helpful?

Export as PDF
  1. AIR
  2. AIR Setup

Post-Deployment Configuration Guide

PreviousTwo-factor authentication (2FA)NextUsing AIR CLI on Binalyze AIR Console

Last updated 1 month ago

Was this helpful?

This document has two parts: The first is a guide to the key post-deployment configuration settings available after installing the AIR console.

The second part is a prioritized checklist of settings to review and adjust based on your specific needs.

PART 1

Binalyze AIR Post-Deployment Configuration Guide

1. Organizations/Tenants

After installing the Binalyze AIR console, an Organization is automatically created to help structure and manage your assets and cases. Your next step should be to navigate to the settings in the upper right corner of the AIR Console to ensure all configurations meet your specific needs.

If you're using AIR to support multiple customers or tenants, this is also the time to create and set up additional organizations for each customer. Additional tenants can be added at any time as your needs evolve.

These settings also provide important information, such as the Deployment Token, Shareable Deployment Page URL, and options to add a Relay Server or manage specific users.

For MSSPs, a new Organization should be created for each client engagement. Enterprise clients may only need one Organization but can create additional ones if required.

2. Single Sign-On (SSO)

Using Single Sign-On (SSO) is optional in AIR but is available for those who want to implement it. You can integrate with either:

  • Azure AD:

  • Okta SSO:

For more details, visit the.

3. Two-Factor Authentication (2FA)

Two-factor authentication (2FA) is not required if SSO is implemented. However, if you are not using SSO and wish to utilize the built-in remediation capability, interACT, enabling 2FA is mandatory. Enabling 2FA is also recommended to strengthen user account protection and general security.

4. Responder Management & Updates

The Assets Summary window on the home page of the AIR UI will show assets to be in either one of 2 states:

  • Managed: The asset's responder has been successfully deployed to the device and is ready to collect tasking assignments from the console.

  • Unmanaged: The asset is discovered by enumerating Active Directory but does not have the AIR responder deployed.

The Assets Summary will also report the asset as:

  • Off-Network: Responder has supplied data to the console via an Off-Network Acquisition or Triage task.

  • Unreachable: The asset's responder is currently unreachable. If an Asset's responder fails to connect to the Binalyze AIR console for over 30 days, its status changes to "unreachable." Until then, its status will be managed as online or offline.

  • Update Required: The responder on the asset requires an update to function correctly.

  • Update Advised: The responder is still functional but for full functionality, an update is recommended.

  • Isolated: The asset is currently isolated from the network apart from communication with the AIR console only.

Responders deployed to assets can be updated in three ways:

  1. Manual Updates: Assign an upgrade task to specific assets.

  2. Automatic Updates: Configure automatic updates for all deployed Responders.

  3. SCCM

5. Create Exception Rules for Binalyze AIR in EDR/AV Systems

To ensure seamless operation and maximize the effectiveness of Binalyze AIR in your investigations, it is important to allow-list AIR components in your security tools. Binalyze AIR collects and analyzes extensive forensic data from assets, which may involve activities like executing binaries, creating temporary files, and accessing sensitive directories. These actions can trigger alerts in EDR or AV solutions, potentially disrupting forensic processes and delaying incident response. Configuring exception rules for Binalyze AIR in your security systems, prevents such interference, ensuring fast and complete evidence acquisition without compromising the investigation process.

6. Evidence Repositories

Binalyze AIR allows you to store collected evidence either on the local machine where the task was executed or in external repositories. Supported external storage options include:

  • SMB

  • SFTP

  • FTPS

  • AWS S3

  • Azure Blob

7. Assets

AIR-supported assets include traditional computers, workstations, and servers running Windows, Linux, IBM AIX, or macOS, as well as off-network or cloud-based systems (e.g., AWS EC2 and Azure VMs) running the same operating systems.

Disk images (e.g., RAW, VMDK, E01, Ex01) are also supported for importing into the AIR File Explorer.

After creating an Organization, deploy AIR Responders to assets. Note that assets are associated with a single Organization but can appear in multiple Cases.

8. Cases

Cases in Binalyze AIR manage acquisitions, triages, interACT sessions, comparisons, scheduled tasks, case notes, and assigned users. Cases with no tasks performed will appear empty, while active cases will display all of the assets associated with the Case and all of their individual task assignments.

One of the Case Assets ‘Action Buttons’ will launch the Investigation Hub for that case.

9. Libraries

Libraries in Binalyze AIR store reusable resources like acquisition profiles, triage rules, interACT files, and more, ensuring easy access and consistency across investigations. Now is the time to create, upload, and configure your triage rules for efficient threat hunting, fine-tune your acquisition profiles, and add any Auto Asset Tags you want to apply during responder deployment.

10. Integrations (Automation)

Binalyze AIR supports automation through integrations, including:

11. Triage

12. Auto Asset Tagging

The Auto Asset Tagging task will run immediately after Responders are installed, this helps organize and manage assets within AIR. It automates the tagging process based on predefined rules.

The process, along with manual tagging, can also be executed on-demand at a later time for individual or multiple assets.

13. Policies

AIR policies allow you to configure settings such as:

  • Saving collected evidence to a local repository or external repository.

  • Sending files collected by interACT to a download location or evidence repository.

  • Resource limits for CPU, bandwidth, and disk space.

  • Enabling compression and encryption.

  • Configuring IP, port, and process allow lists for isolation policies.

14. Additional Configurations

Additional configurations that may be necessary include:

Console Proxy Settings

  • When using web proxies, configure the AIR console with the correct proxy and SSL/TLS settings. Administrators can enter proxy details (IP, port, username, password) and import SSL/TLS certificates in PEM, DER, or PKCS formats.

Tamper Detection and Uninstallation Password

  • With Tamper Detection switched on, the Responder will notify AIR of attempts to interfere with its normal operation.

Chain of Custody using RFC3161 Timestamping

  • The RFC3161 timestamping feature provides proof that the data existed at a particular moment in time and when combined with hashing that it has not changed.

SMTP Server Configuration

  • Specifying an SMTP server will allow AIR to send password-reset emails to users.

Syslog/SIEM Integration

  • Integrate with Syslog or SIEM systems for centralized audit logging. Ensure both TCP and UDP protocols are configured correctly.

  • Logs from AIR should be forwarded to ensure security monitoring and compliance tracking.

Frank.AI Integration

  • Enhanced AI Assistance with Frank, your reliable investigation copilot, can be toggled on or off.

Users and Roles Management

  • AIR enables the creation of users and their assignment to specific Roles and Organizations. Roles offer granular control, with 109 adjustable privileges

Backup Settings

  • Configure database backup settings. Schedule regular backups or run an instant backup. View your backup history and statuses.

Active Directory Integration

  • Integrate Active Directory to mirror your organizational structure. This simplifies management by grouping assets based on AD units.

  • Validate that assets are correctly categorized and managed through AD synchronization.

  • This integration also allows authorized users to log in to AIR using their Active Directory credentials.

PART 2

AIR setup Checklist

Following on from the Binalyze AIR Post-Deployment Configuration Guide above, here is a prioritized checklist to ensure thorough configuration before operational use:

Priority 1: Core Setup

  1. Organization Setup

  1. Console Proxy Settings

  1. Check the Health of Docker Containers

  1. Responder Deployment

  1. Active Directory Integration

  1. Users and Roles Management

  1. Case Management

  1. Evidence Repository Configuration

  1. Backup Configuration

Priority 2: Security Enhancements

  1. Single Sign-On (SSO)

  1. Two-Factor Authentication (2FA)

  1. Tamper Detection and Uninstallation Password

  1. SSL/TLS Configuration

  1. SMTP Server Configuration

  1. Chain of Custody using RFC3161 Timestamping

Priority 3: Automation and Advanced Features

  1. Frank.AI Integration

  1. API and Webhook Integrations

  1. Auto Asset Tagging

  1. Triage Library Setup

  1. Policy Management

  1. Syslog/SIEM Integration

Priority 4: Ongoing/regular checks

  1. Version Updates

  1. Responder Health

  1. AIR Audit Logs Backup

This prioritized checklist ensures that your Binalyze AIR instance is fully configured and optimized for operational use, covering core setup, security enhancements, automation, and advanced features.

Visit this page for the full list of items to exclude:

Visit this page for information about .

For cloud-based deployments, it is recommended to use cloud-based repositories like AWS S3 or Azure Blob instead of SMB, SFTP, or FTPS. More details can be found in the.

For deployment instructions, refer to the.

API Tokens:

Webhooks (Triggers):

Triage functionality allows for quick and effective threat hunting across assets. For more information, see the.

Details can be found in the.

For more information, see the.

Check/Configure your Organization settings in the Main Menu.

For MSSPs, set up a new Organization for each client. For enterprises, ensure the appropriate organizational structure is established.

Check/configure proxy server settings if using web proxies within your network.

Run sudo docker ps to list all active Docker containers and check their current status, identifying any that aren't running as expected.

Deploy AIR Responders to all assets (Windows, Linux, macOS, IBM AIX, Cloud Systems).

Check the status of assets and ensure they are connected and associated with the correct Organization(s).

Create Exception Rules for Binalyze AIR in EDR/AV Systems.

Integrate AD to mirror your organizational structure.

Validate AD synchronization and ensure assets are categorized correctly.

Configure roles with appropriate privileges for granular control.

Create users and assign them to roles and organizations.

Set up a Case(s) to manage your investigations these will act as containers for tasks such as acquisitions, triages, interACT sessions, and scheduled tasks.

Assign users to specific cases.

Configure external repositories (SMB, SFTP, FTPS, AWS S3, Azure Blob) to store collected evidence.

Prefer cloud-based repositories for cloud deployments.

Schedule regular backups of the AIR database.

Validate backup settings and review backup history.

Consider an approach for backing up AIR audit logs which the system will only keep for 3 months.

Optional: Configure SSO using Azure AD or Okta for centralized authentication.

Enable 2FA for users if SSO is not implemented, especially if using interACT.

Enable tamper detection to monitor for unauthorized interference with Responders (It is off by default).

Set an uninstallation password to prevent unauthorized removal of Responders.

Configure proxy server and SSL/TLS settings, including importing necessary certificates.

Set up an SMTP server to enable AIR to send password reset and other critical emails.

Enable RFC3161 timestamping to ensure data integrity and proof of existence.

Enable or disable Frank, the AI investigation assistant, based on your needs.

Set up API tokens for automation and Webhooks (Triggers) for real-time event management. (The API is the recommended method for integration, preferred over Webhooks for most use cases)

Configure Auto Asset Tagging to organize and manage assets efficiently.

Enable, write, upload, and configure your triage rules in AIR Libraries for efficient threat hunting.

Establish and configure policies for evidence storage, resource limits, encryption, and isolation settings.

Integrate AIR with Syslog or SIEM systems for centralized audit logging and monitoring.

New releases generally occur once or twice a month - be sure to use the most up-to-date version to ensure the best feature sets, fixes, and performance.

Use the Assets Summary widget on the Home page to manage the status of your deployed responders.

AIR audit logs are saved to the console’s PostgreSQL database and retained for 3 months after which they are deleted, so please arrange to back them up if required. Please see to learn more

Azure Integration Guide
Okta SAML 2.0 SSO Integration
SSO Integrations Guide
AIR Responder Exception Rules
AIR Network Communication and Firewall Rules
Evidence Repositories Guide
AIR Responder Deployment Guide
API Documentation
Webhooks Documentation
Triage Guide
Auto Asset Tagging Guide
Policies Guide
this KB page