Binalyze AIR Release 1.8.0 Feature Highlights

Steve: Good morning, good afternoon, good evening everyone. Good to see from the participant list that we’ve got all of those timezones covered, I think. My name is Steve Jackson, I’m the VP of Growth here at Binalyze, and I’m joined today by Emre Tınaztepe, who is the Founder. And this is, I think, the fifth release review that we’re doing now, since we started in April, and the review we’re doing today is called Version 1.8.0.

So as usual, I get to do the housekeeping at the beginning. So please use the panel on the right-hand side to submit any questions or comments. Don’t be shy. It’d be good to have a discussion with you at the end of the presentation, we will answer all of the questions at the end. We also have a Discord server for more technical discussion and support queries. There is a link in the chat to the Discord server and we’d love for you to join us there and participate in that discussion. And if you’re an existing customer of Binalyze, then technical support is available, as always, from binalyze.com/support or support@binalyze.com by email, and also we now have kb.binalyze.com, which is our knowledge base, which over the coming weeks and months we’ll be expanding and growing as well.

So, 1.8.0, we will be releasing it for everyone on Monday, so that’s the 16th of August. Existing users can follow the upgrade prompt from their console. And if you’re a new user or a prospective user, then you can request a trial at binalyze.com/air.

There are six main highlights that we’re going to demonstrate for you now, or Emre is going to demonstrate for you in a few minutes. The first is we have added Docker based installation support. We have also added an organizations feature which takes us on the path towards a genuine multi-tenant solution. We’ve also added single sign-on and two-factor authentication for more enterprise-grade security; Wazuh integration support for that open-source and network capture options for the acquisition profiles. So they’re the six principal highlights of the release. There are others, if you want to see the full release notes, they’re available at the URL you see on the screen there.

And so with that brief introduction, I will pass you over to Emre and he will take you through those features now.

Emre: Thank you, Steve. Hi everyone. Thank you for joining today. We are super excited about the new release. Let me share my screen so we can jump right away to the demonstration.

Can you see it now?

Steve: It’s coming now. Yes, we got it.

Emre: All right. So the first feature, actually it’s an architectural change, so it’s a one in the product’s lifeline, but it’s enabling us to switch into the [indecipherable] version of AIR, which is [indecipherable] support. Previously, when you need to install AIR, all you needed to do was downloading an MSI file and deploy it into a Windows based server. Now, with this Docker support, you can deploy AIR into any platform that supports Docker. It’s extremely easy. Let’s do it on a machine.

So now we’ll be connecting into a Linux box and… password… Previously, you were downloading an MSI package, like installing it by clicking some buttons. Here, we have completely enabled our users to scriptify this process. And even though it may be a bit like too, how do you say? Like, [indecipherable] in this version, but actually it’s enabling us to automate a lot of stuff.

So soon, in a month’s period, it will be coming up with the [indecipherable] version. And this is thanks to Docker. So in order to install the Docker version, which is 1.8.0, first, we need to run this command. In total we have four commands, and once we execute all these commands, we’ll have a new Docker instance running on this Linux box, and then we’ll complete the deployments. The second one is creating a directory and the third one, we have a Docker compose file and we’ll be pulling that from the Binalyze CDN, paste it. And then the last step, you’ll be running Docker compose, P Binalyze [indecipherable]. And so it will run in detachment. Let’s run it.

As you see, all the components of the new version are pulled and started. Now in a few seconds, we can visit this URL. Let’s paste it into our browser. Here we go. So providing the license key and providing the settings, and then creating our first user, we are good to go. As you’ve seen it’s like extremely easy. And starting from this version, you can completely automate the deployment process.

The second feature is support for organizations. Previously, AIR was… actually, originally AIR was designed to be used in enterprises as an on-prem solution. But in the last year, we have started to get a lot of requests for using AIR from a cloud environment. That’s why… and especially when it comes to the MSSPs, these companies are serving a lot of customers. So an average MSSP can have more than 30 organizations they are supporting. This feature is making their life really easy.

So for the enterprise customers, they won’t be seeing this organizations feature. We have a new dropdown here. And if you don’t have an organization added to AIR, all the experience, all the user experience is the same with the previous version. But if you go to settings, click this organizations button, you can easily create a new organization. This actually provides you with more fine grain control. So if you want to create a new organization you can easily assign an organization to a user. So that user will only be, like, only have control in that specific organization and won’t be able to access any other organization.

Let’s create a new one. It’s super easy. So all we need to do is type in the organization name and saving it. When you go to the dashboard, you’ll see any organization here. And if you go to the endpoints page, we have any organization. Clicking on this organization immediately applies a filter, just because we have just created this organization, we don’t have any endpoints here. And if you click on another one, you’ll see only the endpoints inside that organization. So as you see, a filter is automatically applied here.

And when it comes to the deployments, it’s also easy. Clicking on new endpoints, if you enable organizations feature, you see two steps here, but if you didn’t have any organizations, which is the case our enterprise customers are using, then you only see one step here. So all you need to do is, selecting this organization from this list, clicking next, and then clicking downloads gives you an MSI file. Again, it’s the same MSI with the previous version, it’s only 10 megabytes. Let me show you what it looks like.

As you see, we have an organization ID embedded into the file name. So if you pass this file into your customer as an MSSP, or if you are using it for your departments, think of like having multiple departments in multiple countries, so it can easily pass this MSI package to the deployment units. And they, again, as soon as they deploy this endpoint, either manually or using SCCM or similar platforms, you will have endpoint automatically registered back to the organization here.

And again, let’s also show the users. So when you create a new user this is not actually… this is not only users. The organizations have effect on a number of features. As an example, you can create an acquisition profile for a specific organization. You can create a triage for a specific organization. And just like that, users are also asking you to provide an organization here. By selecting the organization, this user will only have access to the organization one and won’t have access to any other organization.

The third feature is single sign-on. Even for us, AIR is running on an environment that has more than 50,000 endpoints. So when you have that many endpoints and users, then it becomes quite hard to manage different platforms separately. That’s why single sign-on was one of the requested features by one of our customers. So when you click on SSO, you can easily integrate AIR with Azure AD. And all you need to do is providing this tenant ID, client ID and client secret. Once you save this — by the way, before you enable this, we enforce you to use SSL, so first you need to switch to SSL, and then you can enable SSL feature — once you enable this, if you sign out from the platform, now we have a new button here. And clicking on sign in with Azure AD takes you directly into the portal because I’m already signed on using my Azure credentials. So it makes it really easy to add a new user.

With this feature, with the SSO feature, now we have three different types of accounts. Let’s go back to users. So previous versions, or these supported local accounts, and then we have added support for LDAP, so the local active directory. If you enable LDAP authentication, you can also create a user using the LDAP credentials. In this case AIR won’t be asking you the password, because password identifications will be performed by the local LDAP.

With the SSO, now you have a third option, and if you want to add a new user to AIR, here we have the application in our Azure AD, all we need to do is clicking this ‘assign users and groups’ and adding a new user will enable those users to log into the AIR right away.

The fourth feature is… let’s go to settings and go to authentication. It’s multifactor authentication. This is these settings for enabling — enforcing, actually — the 2FA for all users, but even if this user is not, this setting is not enabled for all the users. The users of the platform can still go back to their accounts and then… let’s sign out and then log in with the local account, because previously I was signed in with the SSL. So let’s sign in with the local account now, and then click on the account. When it clicks set up 2FA you can easily use this QR code, add it to the multifactor authentication application, like basically like Google authenticator, or if you’re using [indecipherable], you can easily use this QR code, then that enables multi-program authentication.

The fifth feature is for webhooks. As you know, each month, we are adding new support for new platforms. And this one we have decided to add support for Wazuh. Wazuh is a widely used EDR, it’s open source. And it’s pretty easy to configure. Starting with this version, you can easily create a new webhook. Let’s say, Wazuh trigger. And then whenever you can easily select the organization and then create the parser, this is the latest one, and select an acquisition profile. So whenever Wazuh triggers AIR, we’ll be using this acquisition profile, and collect evidence. Once you save this, AIR creates — just like the rest of the applications, so just like all the other web hooks — it gives you a URL here. And if you go back to the integration page, we have extensive documentation about this. Let’s go to the Wazuh integration.

Basically in just three steps, if you follow the steps provided in our knowledge base, you can easily add this integration. And when you were asked about the webhook URL, all you need to do is forwarding this URL, and whenever Wazuh generates an alert AIR does not know the nature of the alert. So whenever Wazuh generates an alert, AIR is taking the lead, connecting to the endpoint, collecting evidence and then saving it to the evidence supposed to be provided by the customer, by our users.

And the sixth one is support for network capturing. We are planning two edits, when you go to endpoints. So now you have an acquire button here. In the upcoming versions, we’ll be adding a new PCAP support. So you’ll be… with just one click, you’ll be able to collect evidence, sorry, PCAP from the end points. But in this version, we have added this into the acquisition profiles. So when you create a new acquisition profile, just like the other tabs here, we have evidence plus artifact, this custom content profile.

And there’s a fourth tab for Windows, that is network capture. We support both captures. You can collect network flow, or you can also collect PCAP. As you might know, network flow is the simple version, which is a CSV file. And the PCAP is like full packet capture. Let’s enable them. So, and give it a name…

And by the way, you are not required to select any other evidence here. So you can only enable network capture and give this acquisition profile the packet capture. And selecting this, we have a default duration of 10 minutes, but you can easily change this. So let me make it one minute only, and saving it. We have a new profile here, going back to the endpoints and clicking on this, one of these pieces and selecting packet capture, that’s… as a task name, and then I’ll be saving it into this directory, PCAP one. And clicking start, it [indecipherable] attached to that end point. And just because we have selected one minute as the acquisition duration, in around one minute, we’ll have a PCAP and the NetFlow collected from that endpoint.

While it completes, let me go back to my VM and show you the experience there. So here we have our C drive. This is the directory we have selected by the way, AIR. And then here we have PCAP, cases. If you click on the network capture, you see we both have a PCAP file and we also have a CSV file. If you double click on the PCAP file, if you have Wireshark on that machine, you can easily start inspecting that PCAP file. Now remember, this is the full packet capture. So it provides a lot of information. And soon we will also have a separate webinar, demonstrating the capabilities with a use case. And that’s how easy it is to capture network effects from the endpoints.

And that’s all from my side, passing the ball to Steve, we can get questions if you have any.

Steve: Sure. Let me just reshare my screen for a second, just to finish off.

So as… before we get into the questions, as Emre alluded to, we’re having a workshop for the network capture feature. That is three weeks today, actually, the 1st of September. And if there’s a link in the chat to go directly to the registration page, but you can also go to the binalyze.com/contact. And at the bottom of that page, there’s also a link to register for that workshop. So we’d love to see you there, and we will do a much more detailed scenario-based workshop around the network capture feature. So hopefully we can see you all there.

In terms of questions, I have couple that have come in. So the first one, Emre, is: will we be providing support for other SSO services, and in particular Google, and when?

Emre: Actually the first one will be Okta and Duo. So those are on the way. And actually Google is implemented, sorry. Google is already implemented, but we didn’t add it into the user interface. So the next one will be Google, and then we’ll be going with the Okta and then Duo. So those are on the way.

Steve: Great. Okay. And then the second question I have here is: will we be extending network capture to Linux and Mac?

Emre: That’s also planned. I cannot provide an ETA for that now. But this year, for sure. So the first we’ll be adding PCAP support for Linux, and when we have Mac support that will be also on the roadmap. So it’s also planned for this year.

Steve: We always get this questionnaire, Emre, so let’s just remind everyone when Mac support will be available. Is it Q4?

Emre: It’s the end of Q4, yeah.

Steve: Okay. And next question, in terms of the organization feature, is there a limit to the number of organizations and can they be nested?

Emre: Actually there is no limit to the organizations and we don’t support nesting for now. And we didn’t receive that kind of request, but we can consider… I mean, it sounds good to me, but for now we only support at one level, so there’s no nesting support.

Steve: Okay. But an unlimited number. So that’s… [indecipherable]. Quite a short, very short, question here, just is: when DRONE? [Indecipherable] means integration with the AIR platform.

Emre: Actually it’s already on the way. So this release that will be like available next month, will come embedded with DRONE. So all the experience, the same experience you have while running DRONE on an endpoint will be exactly in the AIR, and while acquiring evidence from an endpoint, or if you want to create a timeline, you’ll see the exact settings. So analyzers will be individually enabled and disabled, and you’ll also be able to provide keywords for searching on the endpoint. So this version will come already embedded with the DRONE as an additional feature.

Steve: Okay. Everyone can expect that around the middle of next month. That’s the [indecipherable] that we’re working to at the moment. So about this time next month. Yeah. A question again on network capture: are there any limitations about the network capture, like size or duration?

Emre: For now we support… I mean, as the initial version we have provided one hour, like 60 minutes, and I think it will be more than enough, but it can be increased in the upcoming versions. But it’s not because of any limitation. It’s just as the initial version. So, but it can be extended.

Steve: Okay, good. And the last question I have here is: will we be supporting sigma rules within AIR?

Emre: That’s correct. That’s one of the things, one of the exciting things about AIR. So the upcoming versions, it’s already supported by AIR, but we had to prioritize the features in this version. So the next version of AIR will provide you to add sigma rules as triage rules. So the current version of AIR comes with [indecipherable] enabled. And the next version of DRONE will support two triage rules, Yara and Sigma. That way you’ll be able to run it through [indecipherable] using sigma rules across your enterprise. So that’s also planned for the next version, not this version, but the next version.

Steve: So again, that will be in approximately one month’s time. So not long to wait for that.

Emre: That’s correct.

Steve: That’s exhausted all of my questions. If anyone else has any questions, speak now? If not, then I feel like we’re finished for this session.

Emre: Great.

Steve: No more in the chat. So I think that’s us done. So thank you everyone for attending the webinar. A reminder, again, that in three weeks’ time, we have the workshop for the network capture, hopefully we can see some of you there. And in about four weeks’ time, we’ll be doing the next release of AIR. So it’s coming thick and fast at the moment. And hopefully the roadmap is ambitious and we’re delivering as we say we will. So we’ll keep that going for the rest of the year and beyond. So once again, thank you for your time. See you all on the next one, and have a good day.

Emre: Thanks so much.
