
Binalyze AIR 4.9

Introduction

These latest AIR releases are all about automating the routine tasks of every AIR user, from the SOC analyst to the threat hunter. In addition to automatic evidence collection, analysts can now also schedule tasks for Triage, disk/volume imaging, and auto asset tagging. This gives greater control, shifting the focus from manual to automated operations. To further streamline this process, and establish the Investigation Hub as your dedicated space for conducting every investigation, we've sunset the old reporting format. AIR's Investigation Hub is automatically updated with findings and insights from the tasks running in the background.

Additionally, we'd like to remind everyone that in the previous version, we introduced a new Docker container for the File Explorer feature. If you're interested in utilizing File Explorer, please reach out to your customer success manager.

Please read on for the details:


Features
  • New Task Scheduling capability integrated into the AIR tasking wizard.

    • Investigators can now use the tasking wizard to schedule the following activities:

      • Evidence collections.

      • Triage/Threat Hunting. (Credit: Turgut Ö)

      • Disk and Volume Imaging.

      • Auto Asset Tagging. 

    • Scheduled tasks can be assigned to a Case.

    • The timezone for task execution can be adjusted.

    • The recurrence rate can be set to Daily, Weekly, or Monthly.

    • The sequence can be stopped at a particular date and time or after a defined number of occurrences.


  • New Windows evidence type

    • AIR now parses the Windows $USN Journal and saves the parsed records to the evidence repository as a .csv file for easy analysis. (Credit: David C)


  • Isolate multiple assets simultaneously 

    • Users can now select multiple assets and execute a bulk action to isolate any desired number of assets simultaneously. (Credit: Samer H) 


  • Task renaming

    • Tasks can now be renamed via the edit (pencil) icon in the Information tab of the Task Details window, streamlining the renaming process.


  • Auto Asset Tagging Rules added to Task Details 

    • The Auto Asset Tags used in a Tasking Assignment are now displayed under the Information tab in the Task Details window. In the example below, the Tagging Rule for MSSQL Server has been run along with 25 related rules, which can be viewed by clicking the '+25' link.


  • Columns Headings order & stickiness 

    • We've improved the Investigation Hub tables, allowing users to rearrange columns by dragging and dropping them into their preferred order. This personalized layout remains 'sticky' in the user's browser, so it stays consistent across login sessions within the same browser profile. (Credit: Allesando G)

  • Enhanced Responder Uninstallation

    • By default, the responder uninstallation process now includes a purge/clean-up step that removes responder application files which were left behind by earlier versions of AIR. Evidence saved on the local asset or in any external evidence repository is unaffected. (Credit: Rich G)
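The $USN Journal evidence type above exports change-journal records to CSV. As an added illustration that is not Binalyze's code and does not reflect how AIR's own parser is implemented, the following Python walks a journal byte buffer using the documented USN_RECORD_V2 layout and renders the records as CSV rows. The sample journal bytes are constructed inline (including a zero-filled gap of the kind found in the sparse $J stream); the reason-flag subset, column names and the `build_record` helper are this example's own choices, not AIR's format.

```python
"""Parse NTFS $UsnJrnl:$J USN_RECORD_V2 entries and emit CSV rows.

Added illustration of the record layout behind a "USN Journal to CSV" export.
Layout follows the documented USN_RECORD_V2 structure; the sample journal
bytes below are constructed here, not captured from a real volume.
"""
import csv
import io
import struct
from datetime import datetime, timedelta, timezone

# Fixed-size header of USN_RECORD_V2 (60 bytes), little-endian.
_HDR = struct.Struct("<IHHQQqqIIIIHH")

# Documented USN_REASON_* flag bits (a subset that matters most in triage).
REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def reason_names(flags):
    """Render the reason bitmask as names; unknown bits are kept as hex."""
    names = [n for bit, n in sorted(REASONS.items()) if flags & bit]
    unknown = flags & ~sum(REASONS)
    if unknown:
        names.append(f"0x{unknown:08x}")
    return "|".join(names) if names else "NONE"


def parse_usn_v2(buf):
    """Yield one dict per USN_RECORD_V2 in buf, skipping zero-filled gaps."""
    off = 0
    while off + _HDR.size <= len(buf):
        length = struct.unpack_from("<I", buf, off)[0]
        if length == 0:
            off += 8  # zeroed region of the sparse stream; records are 8-byte aligned
            continue
        if length < _HDR.size or off + length > len(buf):
            raise ValueError(f"bad record length {length} at offset {off}")
        (_, major, minor, frn, parent_frn, usn, ts, reason, _source,
         _sid, attrs, name_len, name_off) = _HDR.unpack_from(buf, off)
        if major != 2:
            raise ValueError(f"unsupported USN record version {major}.{minor}")
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
        yield {
            "usn": usn,
            "timestamp": filetime_to_dt(ts).isoformat(),
            "filename": name,
            "mft_entry": frn & 0xFFFFFFFFFFFF,   # low 48 bits: MFT record number
            "mft_seq": frn >> 48,                # high 16 bits: sequence number
            "parent_entry": parent_frn & 0xFFFFFFFFFFFF,
            "reason": reason_names(reason),
            "attributes": f"0x{attrs:08x}",
        }
        off += length


def to_csv(records):
    """Serialize parsed records to CSV text with a fixed column order."""
    cols = ["usn", "timestamp", "filename", "mft_entry", "mft_seq",
            "parent_entry", "reason", "attributes"]
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=cols, lineterminator="\n")
    w.writeheader()
    w.writerows(records)
    return out.getvalue()


def build_record(usn, ft, frn, parent, reason, name, attrs=0x20):
    """Constructed sample record (test data only), padded to an 8-byte boundary."""
    raw = name.encode("utf-16-le")
    length = (_HDR.size + len(raw) + 7) & ~7
    hdr = _HDR.pack(length, 2, 0, frn, parent, usn, ft, reason, 0, 0,
                    attrs, len(raw), _HDR.size)
    return hdr + raw + b"\x00" * (length - _HDR.size - len(raw))


# Constructed journal: create+close, a rename pair, a delete, with a zeroed gap.
SAMPLE_JOURNAL = (
    build_record(1000, 133000000000000000, (5 << 48) | 0x1A2B, 0x5, 0x80000100, "invoice.docx")
    + b"\x00" * 16
    + build_record(1096, 133000000005000000, (5 << 48) | 0x1A2B, 0x5, 0x00001000, "invoice.docx")
    + build_record(1184, 133000000005000000, (5 << 48) | 0x1A2B, 0x5, 0x80002000, "invoice.docx.locked")
    + build_record(1280, 133000000010000000, (2 << 48) | 0x1A2C, 0x5, 0x80000200, "report.pdf")
)

if __name__ == "__main__":
    print(to_csv(parse_usn_v2(SAMPLE_JOURNAL)))
```

The rename shows up as two records sharing an MFT entry (RENAME_OLD_NAME followed by RENAME_NEW_NAME), which is why the CSV keeps the entry and sequence numbers as separate columns: sorting or pivoting on `mft_entry` lets an analyst reconstruct a file's history even after its name changes.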

Enhancements
  • ESXi collections

    • We have extended the list of what we collect from ESXi from 10 to 100 items. For the full list, please visit the Binalyze KB. (Credit: Guo Y)

  • macOS Agent - Full Disk Access requests

    • When installing an AIR responder on a T2 or later Mac, Full Disk Access is required for it to have the necessary permissions for all AIR collection types. AIR’s responder will now display the message shown below to advise the installer to:

      • Open System Settings -> Privacy & Security -> Full Disk Access to grant permission to "air".

      • The user will need to toggle the switch 'on' to enable Full Disk Access for the AIR responder. (Credit: Caleb T) 


  • The Binalyze MITRE ATT&CK Analyzer has received the following updates since the last AIR release: 4.1.0, 4.2.0, 4.2.1, 4.2.2 and 4.2.3.

Fixes
  • Bulk Action Bar re-sized and re-positioned

    • The new size and location of the Bulk Action Bar means that it no longer interferes with other information displayed in the UI. (Credit: David C) 


  • Agent Update Task Errors

    • A recent Windows update affected the ability of some AIR agents to auto-update. Fixed in AIR v4.8. (Credit: Blake B)

  • Asset labeling/editing issue fixed

    • Creating a new asset label or editing an existing one was problematic, as in some instances the UI did not allow enough time to finish typing. Fixed in AIR v4.8. (Credit: Zainal B N)