AIR

· Most used · #291

Forensic evidence collected, triaged, and cased — automatically

Data analysis · Support · Developer · Security · Automation

Binalyze AIR is an enterprise Digital Forensics & Incident Response platform that lets security teams collect evidence from remote endpoints, run triage scans, manage investigation cases, and execute live forensic commands — all without physical access. Connect AIR to Actionist and your agent can trigger acquisitions the moment an alert fires, pull triage results into your SOC dashboard, create and populate cases automatically, and run YARA hunts across your entire fleet while your analysts focus on decisions, not logistics.

Average time saved
10 hours
per person · per month
Roughly 1 working day given back

Eliminates manual work. AIR automation eliminates the manual steps of logging into the console to trigger acquisitions, polling for completion, downloading evidence files, and creating case records — each of which previously required an analyst's direct attention for every incident.

Scheduling

What your AIR agent runs automatically

A week of scheduled tasks that the Actionist agent runs on your behalf.

28 scheduled tasks
7 active agents
24/7 always on
Multi-app workflows

AIR × all your other apps

End-to-end automations that connect several apps; each one delivers a real business outcome.

6 workflows
9 apps involved
About 23 hours saved per week
6 roles covered
For Customer Success
Featured · 4 apps

Breach alert to contained endpoint in 5 minutes

When a customer's security operations team emails the IR hotline about a suspected compromise, the agent reads the email, queries AIR for the named endpoint, triggers an immediate triage scan, and posts the first findings to Slack before the analyst has finished their coffee — then blocks the Google Calendar of the IR team for a two-hour response window so no conflicting meetings interrupt containment. By the time a human joins the Slack thread, the agent has already identified the highest-severity finding and flagged it for priority action.

About 6 hours

Time your team gets back every week, automatically

Workflow
Trigger · When a new email arrives in the IR hotline Gmail inbox reporting a suspected endpoint compromise
Result
  • Get triage results once the scan completes
  • Post a triage findings summary to the #incident-response channel
  • Block a 2-hour response window for the IR team
Key win
Saved per run
45 minutes
Runs per week
~8×
First findings in 5 minutes, not 45
Run by: Customer Support Agent
ROI

Savings

What your team gets back: the manual work that is eliminated and the value that is created.

Without Actionist

What you do by hand today

With Actionist

What your agent runs for you

  • Sales
    18 minutes per week
    Manual case metrics pull

    Sales engineers export AIR case stats by hand each week to build proof-of-value reports for prospects.

    Sales agent
    0 minutes
    Agent delivers case metrics on demand

    Agent queries AIR for closed cases, extracts MTTC and evidence counts, and formats a proof-of-value summary for each prospect meeting.

  • Marketing
    13 minutes per week
    Threat-data blog research

    Content team manually requests anonymised incident data from the IR team each month to write data-backed blog posts.

    Marketing agent
    0 minutes
    Agent mines cases for content

    Agent pulls anonymised triage findings from AIR, extracts threat-pattern stats, and drafts a data-backed article draft without involving the IR team.

  • Customer Support
    18 minutes per week
    Incident intake and routing

    Support analysts manually read security incident emails, log them in AIR, and assign the case to the right IR engineer.

    Customer Support agent
    0 minutes
    Agent triages and routes instantly

    Agent reads the incoming email, opens an AIR case, triggers a triage scan on the named endpoint, and pings the IR lead in Slack — all within 90 seconds.

  • Human Resources
    7 minutes per week
    Offboarding endpoint check

    HR manually coordinates with IT to trigger an AIR triage scan on a departing employee's laptop before it is wiped.

    Human Resources agent
    0 minutes
    Agent runs offboarding scan automatically

    Agent detects the offboarding flag in the HR system, triggers an AIR triage scan on the endpoint, and logs the result to the departing employee's record before IT wipes the device.

  • Finance
    13 minutes per week
    Incident cost data gathering

    Finance team manually asks the IR team for acquisition counts and response hours after each incident to calculate cyber-insurance loss costs.

    Finance agent
    0 minutes
    Agent extracts IR cost data from cases

    Agent reads closed AIR case data — acquisition count, evidence volume, timeline — and populates the incident cost model automatically after each case is closed.

  • Operations
    25 minutes per week
    Asset-to-policy reconciliation

    Operations engineer manually compares the CMDB asset list against AIR-registered endpoints each quarter and applies missing policies one by one.

    Operations agent
    0 minutes
    Agent reconciles and applies policies

    Agent compares the asset sheet against AIR registrations, applies the correct department policy to each new endpoint, and logs any gap to a Notion remediation backlog.

  • Legal
    6 minutes per week
    Evidence chain-of-custody prep

    Legal team manually requests acquisition hashes and timestamps from the IR team before each litigation hold or regulatory submission.

    Legal agent
    0 minutes
    Agent builds chain-of-custody records

    Agent reads completed acquisitions from the AIR case, computes evidence hashes, and outputs a formatted chain-of-custody document ready for legal review.

+ hundreds more AIR automations
Monthly average
10 hours / person / month
Calculator

Calculate what your team saves

Team size: 10 people
Hourly rate: $20 / hour
Hours saved / week: 25
Hours saved / year: 1,250
Annual return: $25,000

Based on the typical pattern of team usage of AIR: the tasks shown above plus a few other automations the agent runs, roughly 2.5 hours / person / week of administrative work is automated.

Connect

How to connect AIR to Actionist

Choose the connection method that fits your working environment.

The fastest path to your AIR estate. Actionist installs the Binalyze AIR MCP server and authenticates via your organisation's API token in a single flow — no manual credential rotation, and every AIR action the agent needs is immediately available.

1. Open the Apps tab

Find AIR in the Apps library and click Connect. MCP is selected by default.

2. Enter your AIR API token

In Binalyze AIR, navigate to Settings → API Tokens, generate a token with 'Read Cases', 'Write Acquisitions', and 'Manage Assets' scopes, and paste it into the Actionist prompt.

3. Test the connection

Actionist runs a read-only call to verify the handshake. You're ready.

Actions

15 actions your agent can run

The read and write operations available to your Actionist agent.

Triggers

7 events your agent can react to

The events your agent watches and responds to by running actions.

Skills

Skills that work well with AIR

Reusable agent skills that are useful alongside this app.

AI Persona OS

Gives the AIR-connected agent a configurable security analyst persona — useful for tuning how the agent communicates triage findings to different audiences from SOC analysts to executives.

QVeris Official

Discovers and calls real-time threat-intelligence APIs at runtime, letting the agent enrich AIR findings with live reputation data without hard-coding tool integrations.

Decision Trees

Structures the agent's containment and escalation decisions — for example, choosing between a triage scan and a full acquisition based on finding severity and endpoint criticality.

MCP servers

MCP servers compatible with AIR

Connect Actionist to MCP servers built for this app or around it.

UK Air Quality MCP Server from MCPBundles
Official

Provides real-time UK air quality sensor data — unrelated to Binalyze AIR but included as a name-collision disambiguation for teams building environmental monitoring workflows alongside their DFIR tooling.

air
Official

Compresses and optimises tool output from read, grep, diff, and bash commands — useful for reducing token overhead when the AIR agent processes large forensic text outputs.

airblackbox/air-blackbox-mcp
Official

Scans Python AI agent code against EU AI Act compliance requirements across 6 articles — helps security teams validate that their Actionist workflows meet regulatory obligations before deployment.

Questions

Questions about AIR + Actionist

What credentials does Actionist need to connect to Binalyze AIR?
Actionist connects using a Binalyze AIR API token generated under Settings → API Tokens in your AIR console. Grant only the scopes your workflows require — for example 'cases:read' and 'acquisitions:write' for a triage-and-case workflow. The token is stored encrypted in Actionist's credential vault and is never logged.
Can the agent trigger acquisitions on any endpoint, or only ones I specify?
The agent triggers acquisitions only on endpoints you explicitly name in the workflow, either by hostname or asset ID pulled from your AIR asset list. It does not enumerate and sweep your entire estate unless you configure a step that reads the full asset list and iterates it — that decision stays with you, not the agent.
How do I avoid accidentally triggering duplicate acquisitions on the same endpoint?
Check for an existing 'running' acquisition on the target endpoint using the List acquisitions action before triggering a new one. If the agent finds an active job, it can wait for completion rather than stacking a second collection — add a conditional step that skips the trigger if any acquisition for that endpoint has status 'running' or 'queued'.
What evidence artefacts can the Download evidence file action retrieve?
Binalyze AIR can collect memory dumps, full or partial disk images, volatile-data packages (running processes, network connections, open files), event logs, browser artefacts, and custom acquisition profiles. The Download evidence file action retrieves whichever artefact type the acquisition profile captured — the available files are listed in the acquisition result before you call the download step.
Does running a triage scan affect endpoint performance?
Binalyze AIR is designed for low-impact remote collection and triage. The agent that runs on the endpoint uses a throttled I/O mode to avoid disrupting production workloads. That said, for memory-intensive acquisitions on database servers, schedule the collection during a maintenance window or use AIR's throttle-level setting — set it via the acquisition profile before the agent triggers the job.
Can I scope triage scans to a specific department or network segment?
Yes — use the Tag asset action to label endpoints by department or VLAN, then scope your triage scan to assets carrying that tag. The Start triage scan action accepts asset-filter parameters including tags, OS type, and last-seen window, so the agent never sweeps beyond the intended scope.
How are YARA rules managed when running a YARA scan via the agent?
YARA rules are stored and versioned in Binalyze AIR's rule library under the Threat Hunting section. When the agent calls Run YARA scan, it references a rule set by ID — create and test the rule in the AIR console first, then use its ID in the Actionist workflow. This keeps rule governance in the hands of your threat-intel team while the agent handles the execution and result routing.
What happens if an endpoint goes offline while the agent is waiting for an acquisition to complete?
If the endpoint disconnects mid-acquisition, AIR fires the 'Endpoint went offline mid-acquisition' trigger. Configure a handler workflow that downloads whatever evidence was already collected, hashes it, and flags the case with a 'partial collection' label. The agent can also alert the SOC channel with the percentage of evidence captured before the disconnect, helping the team decide whether to re-acquire or proceed with partial data.
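One way to implement the partial-collection handler described in this answer, which also covers the hashing step in the Legal chain-of-custody row above. This is an added example, not code from Binalyze AIR or Actionist: the acquisition record layout, the artefact names, the `collector` value and the case ID are all assumptions, and the evidence bytes are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample acquisition. The record shape is an assumption, not AIR's schema.
# The endpoint dropped offline after two of four expected artefacts were collected.
SAMPLE_ACQUISITION = {
    "case_id": "CASE-ID-PLACEHOLDER",
    "endpoint": "ws-finance-07",
    "expected_artefacts": ["memory", "eventlogs", "browser", "volatile"],
    "status": "interrupted",
    "files": {
        "memory.raw": b"\x00" * 64,            # constructed bytes, not a real dump
        "eventlogs.zip": b"evtx-sample-bytes",  # constructed bytes
    },
}

def sha256_hex(data: bytes) -> str:
    """SHA-256 of the evidence bytes; the value that goes into the custody record."""
    return hashlib.sha256(data).hexdigest()

def coverage_percent(acq: dict) -> float:
    """Share of the expected artefacts that actually produced a file before the disconnect."""
    expected = acq["expected_artefacts"]
    have = {name.split(".")[0] for name in acq["files"]}
    return 100.0 * sum(1 for a in expected if a in have) / len(expected)

def label_for(acq: dict) -> str:
    """Case label: 'partial collection' whenever any expected artefact is missing."""
    return "partial collection" if coverage_percent(acq) < 100 else "complete"

def chain_of_custody(acq: dict, collector: str) -> dict:
    """Hash every collected file and build a chain-of-custody record for legal review."""
    return {
        "case_id": acq["case_id"],
        "endpoint": acq["endpoint"],
        "collector": collector,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "coverage_percent": coverage_percent(acq),
        "label": label_for(acq),
        "evidence": [
            {"file": name, "size": len(data), "sha256": sha256_hex(data)}
            for name, data in sorted(acq["files"].items())
        ],
    }

if __name__ == "__main__":
    print(json.dumps(chain_of_custody(SAMPLE_ACQUISITION, "actionist-agent"), indent=2))
```

The `coverage_percent` value is what the SOC alert would carry, and `label_for` is the condition for the 'partial collection' flag; hashing happens before anything is moved so the record matches the bytes actually downloaded.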