Network Communication
How Do Assets Communicate with the Console?
All routine communication between assets and the AIR console is initiated by the assets—they do not receive incoming requests from external sources. Communication occurs through various protocols and channels:
Primary Communication Channels
- HTTPS (TCP 443) – The main communication channel from assets to the console (e.g., yourcompany.binalyze.io).
- WebSocket over HTTPS (TCP 443) – Used for interACT features.
- NATS (TCP 4222) (Optional) – Supports real-time task pushes to assets. If this port is unavailable, AIR defaults to HTTP(S) polling for task retrieval.
- DNS (UDP/TCP 53) – Required for name resolution services.
External Communication
- HTTPS to responder.cdn.binalyze.com – Used for responder updates and installation packages. If the CDN is unavailable, the AIR console acts as a fallback source.
Evidence Repository Communication (When Configured)
- Cloud Storage: HTTPS communication to services like Amazon S3 and Azure.
- Traditional Storage: Supported via SFTP, FTPS, or SMB.
Proxy Support
If a proxy is configured in your environment, assets can communicate using:
- HTTP
- HTTPS
- SOCKS5
Firewall Rules
- The console installer automatically adds inbound allow rules for the required ports in the Windows Firewall.
- The responder installer does not modify firewall settings. You must ensure that enterprise firewall policies allow assets to communicate with the console over the required ports.
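Because the responder installer leaves firewall policy untouched, it helps to verify the outbound flows from an asset before deployment. The following preflight check is an added example, not Binalyze code: it probes the channels listed above and separates a blocking failure from a documented fallback. It assumes direct egress (no proxy), and the function names are illustrative.

```python
import socket

def flows_for(console_host):
    """(name, host, port, required, documented fallback) for the asset flows on this page."""
    return [
        ("console HTTPS / interACT WebSocket", console_host, 443, True, ""),
        ("NATS task push", console_host, 4222, False,
         "AIR falls back to HTTP(S) polling for task retrieval"),
        ("responder CDN", "responder.cdn.binalyze.com", 443, False,
         "the AIR console acts as the fallback source"),
    ]

def tcp_probe(host, port, timeout=3.0):
    """Return 'ok', 'dns-fail' (name did not resolve) or 'blocked' (no TCP connect)."""
    try:
        # Name resolution exercises the DNS (UDP/TCP 53) dependency listed above.
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-fail"
    for family, kind, proto, _, sockaddr in addrs:
        try:
            with socket.socket(family, kind, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                return "ok"
        except OSError:
            continue
    return "blocked"

def assess(console_host, probe=tcp_probe):
    """Probe each flow; only a blocked required flow makes the result False."""
    usable, findings = True, []
    for name, host, port, required, fallback in flows_for(console_host):
        status = probe(host, port)
        where = f"{name} ({host}:{port})"
        if status == "ok":
            findings.append(f"OK    {where}")
        elif required:
            usable = False
            findings.append(f"FAIL  {where}: {status}")
        else:
            findings.append(f"WARN  {where}: {status}; {fallback}")
    return usable, findings

if __name__ == "__main__":
    # yourcompany.binalyze.io is the placeholder console name used on this page.
    usable, lines = assess("yourcompany.binalyze.io")
    print("\n".join(lines))
    raise SystemExit(0 if usable else 1)
```

A WARN line marks a degraded state that the fallbacks above cover, while a FAIL on the console's TCP 443 means the asset has no direct path to the console. A successful TCP connect only shows the port is open; it does not confirm that TLS or WebSocket traffic passes an inspecting device.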
How Does the AIR UI Connect?
The AIR user interface (UI) requires access to the following domains:
- https://binalyze.com
- https://cdn.binalyze.com
- https://one.binalyze.com
- https://kb.binalyze.com
- https://www.googletagmanager.com
Domain Functions:
| Domain | Categories | Description |
| --- | --- | --- |
| https://binalyze.com | UPDATE | This domain is used by AIR Server instances to check whether a new version is available to update to. |
| https://license.binalyze.com | LICENSE | This domain is used by AIR Server instances to check the license information. |
| https://api.binalyze.com | TIMESTAMP | This domain is used by AIR Server for RFC 3161 features, which require integration with a timestamp server. |
| https://cdn.binalyze.com | UPDATE | This domain is used by AIR Server instances to update artefacts such as MITRE Attack Rules, Docker Compose files, update scripts, and offline installer packages. |
| https://one.binalyze.com | FIS USAGE STATS, FEATURE FLAGS, USAGE ANALYTICS | This domain is used by AIR Server instances to |
| https://cr.binalyze.com | UPDATE | This domain is a container registry for AIR Server instances to update server components like the application server images, database images, caching server images, etc. |
Data Transmitted:
| Domain | Data Sent To Domain | Data Received From Domain |
| --- | --- | --- |
| https://binalyze.com | N/A | Version Information |
| https://license.binalyze.com | License Key | License Status Details |
| https://api.binalyze.com | RFC-3161 Timestamp Token | |
| https://cdn.binalyze.com | N/A | Installation Packages |
| https://one.binalyze.com | FIS USAGE STATS: Organization IDs, Case ID, License Key, CaseEventType, CaseEventTime, e.g.: "logId": 764149386100000, "type": "endpointTaskAddedToCaseEvent", "publishedDate": "2022-06-03T10:22:18.610Z", "data": { "caseId": "C-2022-0028", "endpointId": "2b2ea7b0-be61-445c-b735-ac1a9a39e448", "taskAssignmentId": "2b1d5b2c-72ac-4828-9a82-b3510ce9fd5a" }, "license": "LICENSE-KEY"; FEATURE FLAGS: License Key; USAGE ANALYTICS: Amplitude event structure | FEATURE FLAGS: Feature flag states; USAGE ANALYTICS: N/A |
| https://cr.binalyze.com | N/A | Binary Packages |