Move seamlessly from the findings of a forensic evidence acquisition to rapid triage across your network, directly from the AIR management console.
Use existing or upload new YARA rules
By default, AIR ships with pre-defined example triage rules that you can select from a dropdown. You can also upload your own YARA rule file and start using it right away. When creating a new triage rule in the AIR console, make sure to specify the area to be investigated: memory, file system, or both.
Native support for YARA
The Binalyze AIR YARA editor comes with a number of unique features: auto-completion, syntax highlighting, and built-in templates for both memory and file system triage. You can start from the YARA example rules and edit them to fit your needs.
Binalyze AIR supports YARA+, which provides out-of-the-box support for external variables that give your rules context about the file or process being scanned.
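The following rule is an added example of how an external variable can scope a file system triage rule to files in a location of interest; it is not a rule shipped with AIR, and the external variable name file_path is an assumption, not a name documented by the product.

```yara
// Added example. "file_path" is assumed to be supplied by the scanner as an
// external string variable holding the full path of the file being scanned;
// the actual variable names exposed by AIR's YARA+ may differ.
rule startup_script_with_base64_loader
{
    meta:
        description = "Script in a user Startup folder that decodes and executes base64 content"
        scope       = "filesystem"
        severity    = "medium"

    strings:
        $b64  = "FromBase64String" ascii wide nocase
        $iex  = "Invoke-Expression" ascii wide nocase
        $iex2 = "IEX(" ascii wide nocase

    condition:
        // Keep the scan cheap: small files only.
        filesize < 2MB and
        // External variable gives file context the content alone cannot:
        // only flag scripts that live under a Startup directory.
        file_path matches /\\Startup\\/i and
        // Content indicators: base64 decoding together with inline execution.
        $b64 and ($iex or $iex2)
}
```

When compiling this rule outside AIR, the external variable must be defined explicitly, for example with the yara command line option -d file_path=C:\path\to\file.ps1; otherwise the compiler reports file_path as an undefined identifier.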
Validate YARA rules
You do not have to discover a broken YARA rule only after assigning it to thousands of endpoints and waiting for the task to complete. Binalyze AIR automatically validates YARA rules before assigning them to endpoints.
Triage in action
You can create a triage task by navigating to the endpoints section and selecting the endpoints needed for the investigation.