Using CLI on Console

Overview

AIR CLI is a command-line utility that enables system administrators to manage and troubleshoot the AIR Console. It provides several operations such as restoring backups, managing users, adjusting security settings, and toggling system features. The tool is executed inside the container where the AIR application runs.

How to Access AIR CLI

To open the AIR CLI, execute the following command on the AIR Console host machine:

sudo docker exec -ti binalyze-air-app-1 /air-cli

This will launch an interactive command-line interface (CLI) where you can select from available operations using a menu.

1. Restore Using a Backup File

This operation allows you to restore the entire AIR Console system from a backup file. It can be useful in disaster recovery scenarios or when migrating between environments.

Before using this option, you must copy the backup file into the container using the following command (replace {{BACKUP_FILE_PATH}} with the actual file path):

docker cp {{BACKUP_FILE_PATH}} binalyze-air_app_1:/air.backup

Once the file is copied, you can select this option in the CLI and follow the prompts.

Example input/output:

1 ? I would like to... restore using a backup file
2 ? Please enter the path of file (Just press "Enter" to use the default) /air-backup.abf
3 ? Please provide the MongoDB URI (Just press "Enter" to use the default) mongodb://air.mongodb.server/airdb

4 ? Please provide the PostgreSQL URI (Just press "Enter" to use the default) postgresql://air-
data:#DBPASSWORD#@air.data-master.server:5432/airdb

5 ? Please provide the backed up MongoDB name (Just press "Enter" to use the default) airdb
6 ? Please provide the MongoDB name to restore (Just press "Enter" to use the default) airdb
7 ? This operation will drop your current database and restore the provided backup. Are you sure to continue?
Yes
8
9 (...)
10
11 Restore operation started.
12 .env file restored.
13 Data directory (data.zip) restore started.
14 Data directory restored. Path: /binalyze-air
15
16 postgresql.dump extraction started.
17 postgresql.dump extraction completed.
18 PostgreSQL restore started.
19
20 (...)
21
22 2025-04-17T18:42:59.626+0000 3375 document(s) restored successfully. 0 document(s) failed to restore.
23 MongoDB restore completed.
24 Restore operation completed!

You can access the article with details about this operation here: Restore AIR Backup using the CLI | Knowledge Base

2. Reset Local User Password

This option allows you to reset the password of a local user account. The new password is temporary, and the user will be required to change it upon their next login. This is especially helpful if a user forgets their password.

Example input/output:

1 ? I would like to... reset password for a user
2 ? Please provide a username binalyze
3 ? Please provide a password *********
4 ? Please provide the PostgreSQL URI (Just press "Enter" to use the default) postgresql://air-
data:#DBPASSWORD#@air.data-master.server:5432/airdb
5 Password for user 'binalyze' updated.
6 Password reset operation completed!

3. Reset Local User TFA

This option resets two-factor authentication (TFA) for a specified user. It is useful if the user loses access to their authenticator device and cannot log in.

1 ? I would like to... reset TFA for a user
2 ? Please provide a username binalyze
3 ? Please provide the PostgreSQL URI (Just press "Enter" to use the default) postgresql://air-
data:#DBPASSWORD#@air.data-master.server:5432/airdb
4 TFA reset operation completed!

4. Enable/Disable IP Restriction Settings

You can use this option to enable or disable IP restriction for accessing the console. When enabled, only allowed IP addresses can connect to the AIR Console interface.

Example input/output:

1 ? I would like to... set ip restriction settings
2 ? What would you like to do? Disable
3 ? Please provide the PostgreSQL URI (Just press "Enter" to use the default) postgresql://air-
data:#DBPASSWORD#@air.data-master.server:5432/airdb
4 IP restriction settings is disabled.
5 Set IP Restriction Successfully completed!

5. Reset Statistics Start Date

This option allows you to reset the start date used for the Activity Dashboard. The date will be set to the time you run this command.

Example input/output:

1 ? I would like to... reset statistics start date
2 ? Please provide the PostgreSQL URI (Just press "Enter" to use the default) postgresql://air-
data:#DBPASSWORD#@air.data-master.server:5432/airdb
3 Statistics Start Date is 2025-04-17T18:48:54.688Z.
4 Statistics Start Date Reset Successfully completed!

6. Enable/Disable Console Port Settings

This option allows you to enable or disable the UI access port 8443 settings.

Example input/output

1 ? I would like to... set console port settings
2 ? What would you like to do? Disable

3 ? Please provide the PostgreSQL URI (Just press "Enter" to use the default) postgresql://airdata:#
DBPASSWORD#@air.data-master.server:5432/airdb
4 Console port settings is disabled.

5 Please restart the app for the settings to take effect.

6 Set Console Port Successfully completed!

7. Turn On/Off Features

This option allows you to toggle features. You will be presented with a list of available features and can enable/disable them individually.

Available feature flags include:

investigation-hub-data-access
investigation-findings-object-columns
cloud-forensics
investigation-event-records-details-columns
purge-without-uninstall
skip-2fa-for-api-users
user-management-via-api
userflow
auth-management-via-api
isolation-allowed-list
cloud-forensics-trial
relay-server
investigation-hub-generate-report
linux-isolation
sample-feature
disk-image-asset-type
frank-ai
consolidated-report
locard
integra-ui
activity-overview
sentry-monitoring
backward-compatibility
investigation-hub-import-evidence

Example input/output:

1 ? I would like to... turn on/off features for offline installations
2 ? Select a feature to turn on/off (Use arrow keys)
3 ❯ (...)
4 ? Select a feature to turn on/off sample-feature
5 ? What would you like to do? Disable
6 ? Please provide the PostgreSQL URI (Just press "Enter" to use the default) postgresql://air-
data:#DBPASSWORD#@air.data-master.server:5432/airdb
7 Feature flags updated.
8 Turn on/off feature flag completed!

8. Update MITRE Rules

This operation updates the MITRE ATT&CK rules used by the AIR Console manually.

🔄 You must first download the MITRE rules file from: https://cdn.binalyze.com/dfir-mitre-attack-rules/mitre.zip

Then, copy it into the container using the command below (replace {{MITRE_FILE_PATH}} with your actual file path):

docker cp {{MITRE_FILE_PATH}} binalyze-air_app_1:/mitre.zip

After that, run the CLI and follow the prompts to complete the update.

Example input/output:

1 ? I would like to... update mitre rules
2 ? Please enter the path of file (Just press "Enter" to use the default) /mitre.zip
3 ? Please provide the PostgreSQL URI (Just press "Enter" to use the default) postgresql://air-
data:#DBPASSWORD#@air.data-master.server:5432/airdb
4
5 Current Mitre version: 9.1.3
6 New Mitre version: 9.1.4
7 Restart the AIR app container to apply the new ruleset.
8 Update Mitre rules completed!

9. Change Users’ Organization

This command enables you to transfer one or more users to a different organization by specifying their email addresses and the new organization ID.

Example input/output:

1 ? I would like to... change users organization
2 ? Please provide a email(s), for multiple please use comma seperated emails test@dummy.com
3 ? Please provide a organizationId 0
4 ? Please provide the PostgreSQL URI (Just press "Enter" to use the default) postgresql://air-
data:#DBPASSWORD#@air.data-master.server:5432/airdb
5 #1 Users will be updated
6 List: test@dummy.com
7 Update in progress....
8 #1 Users were updated:
9 Update progress done!
10 Change user organizations operation completed!