Collect over 300 different types of evidence under 10 minutes.
What is Binalyze AIR?
AIR is an "Automated Incident Response" platform that provides the complete feature set for:
- Remotely collecting 300+ evidence types in minutes,
- Capturing the "Forensic State" of an endpoint as a well-organized HTML/JSON report,
- Performing triage on thousands of endpoints using YARA,
- Integrating with SIEM/SOAR/EDR products for automating the response phase IR,
- Enriching alerts for eliminating false positives,
- Investigating pre-cursors generated by other security products.
What does this pack do?
You can use two features of Binalyze AIR within CORTEX XSoar:
1. Acquisition
One of the core features of AIR is collecting evidence remotely. This feature is made possible by "Acquisition Profiles," a group of different evidence categories. Using the AIR's UI, you can create, update, and delete custom Acquisition Profiles tailored to your unique needs. Specify the evidence categories, settings, and parameters relevant to your investigation.
With this integration, you can use your custom profiles as well as following preset profiles:
- Full,
- Quick,
- Memory (RAM + PageFile),
- Event Logs,
- Browsing History,
- Compromise Assessment.
2. Isolation
Endpoint isolation works by terminating all connections of an endpoint and not allowing any new connections.
- When an endpoint is isolated, you can still perform tasks such as Acquisition.
For more information, please refer to Knowledge Base
What is Binalyze AIR?
AIR is an "Automated Incident Response" platform that provides the complete feature set for:
- Remotely collecting 300+ evidence types in minutes,
- Capturing the "Forensic State" of an endpoint as a well-organized HTML/JSON report,
- Performing triage on thousands of endpoints using YARA,
- Integrating with SIEM/SOAR/EDR products for automating the response phase IR,
- Enriching alerts for eliminating false positives,
- Investigating pre-cursors generated by other security products.
What does this pack do?
You can use two features of Binalyze AIR within Cortex XSIAM:
1. Acquisition
One of the core features of AIR is collecting evidence remotely. This feature is made possible by "Acquisition Profiles," a group of different evidence categories. Using the AIR's UI, you can create, update, and delete custom Acquisition Profiles tailored to your unique needs. Specify the evidence categories, settings, and parameters relevant to your investigation.
With this integration, you can use your custom profiles as well as following preset profiles:
- Full,
- Quick,
- Memory (RAM + PageFile),
- Event Logs,
- Browsing History,
- Compromise Assessment.
2. Isolation
Endpoint isolation works by terminating all connections of an endpoint and not allowing any new connections.
- When an endpoint is isolated, you can still perform tasks such as Acquisition.
For more information, please refer to Knowledge Base
