Using the Investigation Hub
The Investigation Hub offers a centralized and well-organized interface to manage all case-related elements, including assets, evidence, artifacts, and triage results. It simplifies the investigative process by providing efficient filtering options and a robust global search feature, eliminating the need to switch between tools or manually piece together information from various sources.
This hub is designed to enhance the investigative process by seamlessly integrating additional data sources and context through data import capabilities. This means you can augment your analysis by importing relevant data and context, ensuring that you have access to a comprehensive and updated information set for your investigation.
The Investigation Hub is not static; it is a living and breathing space that will ingest and consolidate every report allocated to a case as the investigation progresses.
The remainder of this page delves into the various sections that comprise the displayed information. It's beneficial to become familiar with this layout to locate the specific data you're interested in easily. Given the diverse nature of investigative needs, users may employ various methods to explore this data.
For a worked example of one such approach, see the article 'Investigating a malware attack using Binalyze AIR's Investigation Hub'.
Navigating the Investigation Hub

In this article, we will explore the various perspectives presented by the Investigation Hub and offer suggestions on how users can effectively utilize its features.
The Investigation Hub can be broken down into nine sections, each covered below:
Header
Secondary Menu
Dashboard & Widgets
Evidence
Findings & Results Table
MITRE ATT&CK
Details View
Advanced Filters
Automated Report Generation
1. Header

The Header is a persistent element across all views within the Investigation Hub.
To the right of the AIR icon and Organization Name is a Global Search input box. This search capability is highly versatile, enabling users to perform searches across all data within the Investigation Hub for the current case. This encompasses acquisition and triage data, as well as any imported data and findings identified by DRONE, ensuring a comprehensive and integrated approach to investigations.
The Activity Feed enhances team collaboration and transparency by logging actions taken by investigators. This includes creating exclusions, findings, flags, comments, and notes. Each entry includes user identification and timestamp information to ensure a comprehensive audit trail.
Each entry is labelled and links to the item it concerns; clicking an entry opens that item. In the example below, the user has filtered to 'Only me', showing all of their own activity, newest first:

Notifications are accessed via the bell notifications icon, which displays a count (up to 99) of the unread messages.
To the right of the Notifications icon is the name of the Organizational environment in which the user is working. From this link, users can access the Organization Settings, change their organization, or add a new one.
Towards the right side of Activities, users have the option to modify time zone settings for all timestamps within the hub, should the need arise.
2. Secondary Menu

At the top of the Secondary Menu, the name of the current case (e.g., 'DayOne' in this example) is prominently displayed. From here, users can choose the view to display in the main viewing window of the Investigation Hub, selecting from:
Dashboard
Reports
Findings
Exclusions
Evidence


The bottom half of the Secondary Menu is dedicated to applying Global Filters to the current case, enhancing the ability to narrow down the displayed information. Users can filter by:
Asset
Finding Type
Flag
Dates and Times
Creator
These filtering options, combined with the logical AND switch (which requires an item to satisfy every selected criterion rather than any one of them), let users refine the display to show only the items relevant to the question at hand. This structured approach streamlines navigation and improves the efficiency of the investigative process in the Investigation Hub.

Global Filters in Investigation Hub
Global Filters are positioned at the top of the Investigation Hub, directly below the section title. This placement ensures they remain visible and readily accessible across all views.
These filters allow users to refine data in the tables below by criteria such as Assets, Evidence Category, Finding Type, MITRE mapping, Flags, and Date & Time. The Evidence Category filter enables more targeted investigation by isolating specific types of evidence. Filter selections persist across Investigation Hub views for seamless navigation and analysis.
3. The Dashboard and Widgets
The Dashboard provides investigators with a high-level overview of their case, highlighting key issues and investigative opportunities. It features dynamic widgets that automatically update as new evidence and artifacts are added, ensuring that investigators have the most current information at their disposal.

The action buttons on the Dashboard page enable three key activities:
Import .csv or .pst Files: Add these files directly to your case.
Generate Reports: Access the report generation wizard.
Export Flags to .csv: Export all flagged items, including bookmarks.
Additionally, the Overview widget allows for filtering by operating system, giving you a quick overview of key statistics for the case.

The Finding Type widget on the dashboard categorizes and filters findings as either DRONE automated, user-generated, or both. This widget simplifies the review process by presenting findings according to their severity levels:
Red: Indicates High severity
Orange: Denotes Medium severity
Blue: Represents Low severity
Dark Orange: Signifies Matched (keyword/Triage hit)
Each item within the widget is clickable, and the filtered results are displayed on the Findings page.
DRONE Finding Types
High: Flags threats that pose immediate and significant risks, demanding urgent action to prevent or mitigate severe impacts. Example: An IIS process executing cmd.exe or powershell.exe, which could indicate a web shell.
Medium: Targets activities that deviate from expected norms and could be indicative of potential threats, suggesting a need for deeper scrutiny. Example: A running unsigned process located in a temporary folder, or the use of known hacking tools, such as "mimikatz."
Low: Identifies less critical but still unusual activities that could benefit from further investigation to clarify their nature and intent. Example: System-level processes initiated by non-privileged users, or processes operating from non-existent directories.
Matched: Involves confirmed matches to predefined security rules, keywords, hashes, or patterns within the analyzed data, signaling recognized threat indicators. Example: A detected scheduled task named "MalwareTask*" that aligns with a user-defined keyword "MalwareTask*".
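As an added illustration of how these four tiers translate into detection logic (example code written for this page, not DRONE's own rules, which are not published here), the Python below classifies a constructed process snapshot. The record fields, the tool and temp-folder lists, the privileged-account list and the sample processes are all assumptions; only the four tiers and their example conditions come from the text above.

```python
"""Illustrative severity classifier for the four DRONE Finding Types above.

Added example, not DRONE's rule set: the process-record fields, the
sample snapshot and the lookup lists are all constructed for this demo.
"""
import re
from dataclasses import dataclass

HIGH, MEDIUM, LOW, MATCHED = "High", "Medium", "Low", "Matched"


@dataclass
class Proc:
    """Assumed shape of a running-process record (not AIR's schema)."""
    name: str          # image file name
    path: str          # full image path as reported by the OS
    parent: str        # parent process image name
    user: str          # account the process runs as
    signed: bool       # code signature verified as valid
    path_exists: bool  # image path still present on disk
    cmdline: str = ""


WEB_SERVER_WORKERS = {"w3wp.exe"}      # IIS worker process (assumed)
SHELLS = {"cmd.exe", "powershell.exe"}
HACK_TOOLS = {"mimikatz.exe"}          # assumed short list
SYSTEM_PROCS = {"lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}
PRIVILEGED = {"nt authority\\system",
              "nt authority\\local service",
              "nt authority\\network service"}


def in_temp_dir(path: str) -> bool:
    """True for the usual Windows temp locations (assumed list)."""
    p = path.lower()
    return p.startswith("c:\\windows\\temp\\") or "\\appdata\\local\\temp\\" in p


def keyword_regex(keyword: str) -> re.Pattern:
    """Turn a user keyword with optional '*' wildcards (MalwareTask*) into a regex."""
    return re.compile(re.escape(keyword).replace(r"\*", ".*"), re.IGNORECASE)


def classify(proc: Proc, keywords: list[str]) -> list[tuple[str, str]]:
    """Return (severity, reason) pairs; one process can hit several tiers."""
    hits = []
    name = proc.name.lower()
    # High: a web-server worker spawning an interactive shell (web shell pattern).
    if proc.parent.lower() in WEB_SERVER_WORKERS and name in SHELLS:
        hits.append((HIGH, f"{proc.parent} spawned {proc.name}: possible web shell"))
    # Medium: unsigned binary executing from a temp folder, or a known offensive tool.
    if not proc.signed and in_temp_dir(proc.path):
        hits.append((MEDIUM, "unsigned process running from a temp folder"))
    if name in HACK_TOOLS:
        hits.append((MEDIUM, f"known hacking tool {proc.name}"))
    # Low: a system process under a non-privileged account, or an image path that no longer exists.
    if name in SYSTEM_PROCS and proc.user.lower() not in PRIVILEGED:
        hits.append((LOW, f"{proc.name} started by non-privileged user {proc.user}"))
    if not proc.path_exists:
        hits.append((LOW, "image path does not exist on disk"))
    # Matched: user-defined keyword hit on the image name or the command line.
    for kw in keywords:
        rx = keyword_regex(kw)
        if rx.fullmatch(proc.name) or rx.search(proc.cmdline):
            hits.append((MATCHED, f"keyword {kw!r}"))
    return hits


def run_sample() -> dict[str, list[str]]:
    """Classify a constructed process snapshot; returns image name -> severities."""
    snapshot = [
        Proc("cmd.exe", "C:\\Windows\\System32\\cmd.exe", "w3wp.exe",
             "IIS APPPOOL\\DefaultAppPool", True, True),
        Proc("update.exe", "C:\\Users\\rb\\AppData\\Local\\Temp\\update.exe",
             "explorer.exe", "CORP\\rb", False, True),
        Proc("mimikatz.exe", "C:\\Tools\\mimikatz.exe", "cmd.exe",
             "CORP\\rb", False, True),
        Proc("lsass.exe", "C:\\Windows\\System32\\lsass.exe", "services.exe",
             "CORP\\rb", True, True),
        Proc("svchost.exe", "C:\\ProgramData\\svc\\svchost.exe", "explorer.exe",
             "CORP\\rb", True, False),
        Proc("MalwareTask.exe", "C:\\Users\\rb\\MalwareTask.exe", "explorer.exe",
             "CORP\\rb", True, True),
    ]
    return {p.name: [sev for sev, _ in classify(p, ["MalwareTask*"])]
            for p in snapshot}


if __name__ == "__main__":
    for image, sevs in run_sample().items():
        print(f"{image:18} {sevs}")
```

Note that a single process can land in more than one tier; the widget counts each Finding separately, so one asset with a few noisy processes can dominate the High and Medium counts, which is exactly what the exclusion and flagging features described later are for.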
The MITRE ATT&CK widget displays how many Findings within a case have been mapped to each Tactic and Technique of the MITRE ATT&CK framework, a globally recognized knowledge base of adversary tactics and techniques based on real-world observations that is used extensively for threat modeling and cyber defense.
With the widget on the dashboard, investigators can quickly recognize the attack patterns and methods present in the case and align their defensive measures with the tactics and techniques actually observed. Because the widget shows how Findings are distributed across tactics and techniques, it also helps prioritize the response by directing attention first to the most heavily implicated areas.

The Top Asset Breakdown widget highlights the assets with the most severe Findings in the current case, giving a clear, concise view of where the most critical issues sit so that investigators can prioritize their response by the urgency and impact of what was found on each asset.

The "Flags" widget provides a comprehensive overview of all flagged items, each accompanied by its respective count. This widget enables users to customize flags, allowing them to modify both the name and color of each flag to suit their specific needs.
The default "Bookmark" flag is pre-established and cannot be edited. Additional custom flags, once created, are stored and listed within the library for easy access.
*Note: Flags are configured at the Organization level, so they are not just case-specific. Therefore, any edits or deletions to flags will have a global effect for the Organization and are only permitted for users with Case Management privileges. This ensures consistent flagging practices across all cases, preserving the integrity of the flagging system.
4. Evidence
Under the heading "Evidence," all evidence items collected as part of a tasking, even those with a null return, will be displayed.
A count will be displayed next to each evidence item to indicate the number of associated Findings. For example, in the screenshot below, there are 14 high-priority Findings for Persistence>Scheduled Tasks, 3 medium-priority Findings for Persistence>Registry, and other items are shown with counts but have no Findings associated. This feature helps to identify and prioritize areas of interest within the evidence quickly.
Triage results and Imported evidence items are also displayed in this Evidence section.
Within the Secondary Menu, users have the flexibility to dynamically include or exclude case assets, including imported evidence like .pst or .csv files. Assets are categorized either by the operating system or by the name of the imported evidence for ease of management. In the example above, the Windows asset called RichardBurton has been deselected so none of the evidence from this asset will be displayed in any of the Findings views.

Other Evidence is a category for items that are Findings without a dedicated entry in the Investigation Hub.
All findings without a specific category will be grouped under 'Other Evidence'. This ensures that every finding is allocated an evidence record within a category, allowing the total count of findings on the Investigation dashboard to accurately match the number shown in the evidence list.

5. The Findings and Evidence Results Tables
Within the Secondary Menu, Findings are categorized and displayed alongside a count for each evidence type where applicable. The severity of each Finding is color-coded for quick identification:
Red: Indicates High severity
Orange: Denotes Medium severity
Blue: Represents Low severity
Pink: Signifies Matched (keyword hit)
This system allows for an immediate visual assessment of each Finding's priority.
Under the Evidence subheading section, the secondary menu will display all evidence items collected as part of a task, even if a null return has occurred. In the example below, we can see that the Hide Empty Pages filter has been activated.

In the screenshot shown above, the acquired evidence from the App Compat Cache has been highlighted for focused viewing. As a result, the main viewing area is exclusively dedicated to displaying all the evidence gathered from the App Compat Cache. In this particular example, one 'Matched' item has been singled out, and its comprehensive details are presented in the section below in the 'Details' tab.
Note that in this scenario the table has been sorted by the Findings column to order the view by severity. Users can also rearrange and resize columns according to their preferences, and can choose which columns are visible using the Column Chooser feature, which is available on every page with a table within the Investigation Hub.

The Evidence section displays both triage results and imported evidence items, offering comprehensive insight into gathered data.
Highlighted in the above screenshot, additional table functionality enhances user interaction and data management:
Flag Column: This column displays flagged items and allows filtering and sorting by flag status.
Magnifying Glass Icon: Offers extensive filtering and searching capabilities with options such as Contains, Does Not Contain, Starts With, Ends With, Equals, and more, allowing precise control over the displayed data.
Dockable Details Pane: Users can choose to dock this pane on the right side or at the bottom of the window. Clicking the icon toggles the Details pane's orientation from vertical to horizontal and vice versa, adapting to user preference and screen layout.
Filtered Items Reminder: A helpful reminder of the currently applied filters, ensuring users are aware of the viewing context.
Date & Time Picker: Allows users to narrow down evidence to specific time periods, facilitating focused analysis.
Relative time filtering: In addition to absolute date and time selection, the Investigation Hub supports relative time filtering. Analysts can quickly apply dynamic ranges, such as “Last 5 minutes,” “Last 7 days,” or “Next 30 minutes,” by clicking on (blue) timestamps within tables. This flexible, context-aware filtering is especially useful for timeline analysis and reviewing live evidence.

Created By Column: In the Findings table, the Created By column indicates whether DRONE or a user generated the finding.
Highlight to search: Users can highlight text in an Investigation Hub table, as shown below, right-click the selection, click the magnifying glass that appears, and then choose "Search in Findings table", "Search in the Investigation Hub", "Search in Google", or "Search in VirusTotal".

Fullscreen Evidence Tables: Users can view evidence tables in full-screen mode, ideal for large datasets with multiple columns and rows. This feature maximizes screen space, allowing easier navigation and analysis of complex data without the need for scrolling or resizing. To exit full-screen mode, simply click the Exit Fullscreen icon.

Sticky Column Headings: The selection and position of columns will remain saved in your browser across all AIR sessions unless you clear your browser cookies. This ensures that your preferred layout and data organization remain consistent, enhancing both efficiency and the user experience.

Flags
The Investigation Hub flagging feature allows users to create custom flags to mark evidence and findings they deem significant during an investigation. This flagging functionality can be used to filter by flags and facilitates collaboration with other investigators, helping to mark items for re-examination or highlighting important details for potential inclusion in reports.
Users create custom flags by right-clicking a finding or evidence item, selecting 'Add/Remove Flag', and then entering a name and description and picking a color for the flag: either one of the 11 default options or, via the '+' button, a custom color from a palette:

Multiple items can be flagged simultaneously using the Bulk Actions bar:

Hovering over the flag of a flagged item in the table view will reveal:
The name of the flag
Who created the flag
The date & time it was created

Flags are saved at the Organization level in Libraries; therefore, they will be available to all cases created in the same Organization.
Creating new flags or editing existing flags can be done in Libraries if the user has Case Management privileges.
The Bookmark Flag is the only fixed/permanent flag.
Users can use the advanced filter to include or exclude flagged items in the Investigation Hub table views, enhancing the ability to focus on prioritized or highlighted evidence.
Exclusions
AIR's DRONE capability enhances decision support by leveraging built-in YARA, Sigma, and osquery rules to quickly identify compromised assets. By analyzing evidence, DRONE generates Findings that highlight key investigative opportunities, helping prioritize and streamline investigations efficiently.
During an investigation, users may encounter Findings that are not relevant to their case. The Investigation Hub allows them to exclude these Findings, helping investigators stay focused on pertinent information.
Exclusion Methods:
AIR offers two exclusion methods:
Exclusion Rules – Exclude a Finding either only when it occurs at a specific location/path, or wherever it occurs, based on the finding itself.
Individual Exclusions – This method allows users to manually exclude any Findings within a case, based on their specific needs or investigation requirements, without the need to create a rule.

1. Exclude by Rule

Right-click on a Finding and choose "Exclude by Rule" from the context menu.

Exclude by: Customize the exclusion based on the path in two ways: On the specific path, which excludes an item only if found in that particular location, or based on the finding, which excludes the item regardless of where it is found on the asset.
Scope: Decide whether to exclude just this case or all cases within the organization.
Target: Apply the rule to the selected asset, or all assets if applicable.
(Exclusion by hash value is coming soon)
2. Individual Exclusions
This method allows users to manually exclude any Findings within individual cases, based on their specific needs or investigation requirements, without the need to create a rule.

Right-click on a Finding and choose "Exclude" from the context menu.

Users can either select an existing reason for exclusion or create a new one. Any newly added reason will be saved and included in the list of available exclusion reasons for future use.
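The following Python models how the two exclusion methods combine to decide what disappears from the Findings table. It is an added example, not AIR's implementation: the Finding and ExclusionRule field names and the sample findings are assumed, and rule matching is shown as case-insensitive string comparison on the finding name and path.

```python
"""Added example (not AIR's implementation): how an Exclusion Rule's
three options and an Individual Exclusion combine when the Findings
table decides what to hide. Record fields and sample data are assumed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    case: str    # case the finding belongs to
    asset: str   # asset it was found on
    name: str    # the finding itself (the rule or keyword that fired)
    path: str    # location on the asset


@dataclass(frozen=True)
class ExclusionRule:
    name: str                           # finding the rule targets
    path: Optional[str] = None          # "On the specific path"; None = "based on the finding"
    scope_case: Optional[str] = None    # None = every case in the organization
    target_asset: Optional[str] = None  # None = every asset

    def matches(self, f: Finding) -> bool:
        """All four conditions must hold for the rule to suppress the finding."""
        return (f.name.lower() == self.name.lower()
                and (self.path is None or f.path.lower() == self.path.lower())
                and (self.scope_case is None or f.case == self.scope_case)
                and (self.target_asset is None or f.asset == self.target_asset))


def apply_exclusions(findings, rules, individual):
    """Split findings into (kept, excluded): a finding is excluded if any rule
    matches it or if it was excluded individually (by identity, with no rule)."""
    kept, excluded = [], []
    for f in findings:
        hidden = f in individual or any(r.matches(f) for r in rules)
        (excluded if hidden else kept).append(f)
    return kept, excluded


def demo():
    """Constructed findings across two cases and two assets."""
    temp = "Unsigned process in temp folder"
    f_rb = Finding("DayOne", "RichardBurton", temp, "C:\\Windows\\Temp\\agent.exe")
    f_rb2 = Finding("DayOne", "RichardBurton", temp, "C:\\Users\\rb\\AppData\\Local\\Temp\\x.exe")
    f_fin = Finding("DayOne", "Finance01", temp, "C:\\Windows\\Temp\\agent.exe")
    f_fin2 = Finding("CaseTwo", "Finance01", temp, "C:\\Windows\\Temp\\agent.exe")
    f_mk = Finding("DayOne", "Finance01", "Known hacking tool", "C:\\Tools\\mimikatz.exe")

    rules = [
        # Narrowest rule: this path, this case, this asset only.
        ExclusionRule(temp, path="C:\\Windows\\Temp\\agent.exe",
                      scope_case="DayOne", target_asset="RichardBurton"),
        # Broadest rule: by finding, every case, every asset in the organization.
        ExclusionRule("Known hacking tool"),
    ]
    individual = {f_fin2}  # excluded by hand; no rule is created for it
    return apply_exclusions([f_rb, f_rb2, f_fin, f_fin2, f_mk], rules, individual)


if __name__ == "__main__":
    kept, excluded = demo()
    print("kept:", [(f.asset, f.path) for f in kept])
    print("excluded:", [(f.case, f.asset, f.name) for f in excluded])
```

The second rule is deliberately the risky kind: an organization-wide, path-independent exclusion of a "Known hacking tool" finding hides mimikatz on every asset in every case. Rules with that reach are exactly what the "Finding Exclusions Rules" library and the Case Management privilege requirement described below exist to control.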
Management and Auditability:
All excluded Findings are removed from the Findings table and added to the Exclusions table (directly below Findings in the Secondary Menu) as shown below. This feature enables teams to cross-validate and resolve discrepancies as needed.

At the top of the page, users can click "Manage Rules" to modify or delete Exclusion Rules. However, individual exclusions cannot be edited—they can only be deleted. This allows users to refine exclusion settings while maintaining control over how findings are managed.

In the Organization Library under "Finding Exclusions Rules," users can change the scope from Case to Organization, apply exclusions from one asset to all assets in the organization, or completely delete rules if they have "Case Management" privileges.
In the Organization Library, users can also select Exclusion Rules to delete via the Bulk Action Bar as shown below.

Tooltips are provided throughout to guide users in utilizing these customizable options effectively. After an exclusion is applied, users have a brief opportunity to undo the operation or close the notification, ensuring that actions are deliberate and retrievable.
This Exclusions Capability significantly streamlines the investigative process, allowing investigators to maintain focus on essential evidence while managing irrelevant data efficiently.
Notes

The Notes feature enhances collaboration by allowing users to attach notes to any evidence item or Finding, without requiring the item to be bookmarked. These notes are accessible to the entire team working on the case and are displayed in the Notes column of the table view.
This feature is handy for enhancing communication within the team, as it allows for the sharing of insights and observations directly alongside the relevant evidence. Furthermore, notes can be seamlessly integrated into reports through AIR’s “Generate Report” feature, which supports the creation of customizable reports. Additionally, notes can be exported for external use.
Overall, the Notes feature in AIR 4.13 streamlines case documentation and enhances the reporting process, making it an essential tool for collaborative investigations.
User-generated Findings
In previous versions of AIR, the decision-support system, including the automated evidence analyzers known as DRONE, helped users prioritize their investigative steps. With the release of AIR 4.13, users now have the capability to generate their own Findings, enhancing the depth of investigations by incorporating personal insights, organizational context, or specific investigative details.

For instance, from the Evidence page, users can right-click on an item and select "Mark as Finding" to manually allocate a Finding to it. This process involves several steps:
Selecting a Finding Type: Users choose from pre-defined types such as High, Medium, Low, or Matched.
Adding a Description/Label: This provides a clear and concise description or label for the Finding, facilitating clarity and reference.
Detailing the Path and Associating with MITRE ATT&CK TTP: Users can specify the file path and link the Finding to a specific tactic or technique from the MITRE ATT&CK framework.
Setting a Date: Users can also include the date when the Finding was identified or marked.

Upon confirming with "OK", the Finding type is displayed in the "Finding Type" column within the Evidence page, along with a column indicating who created the Finding. These user-generated Findings are then added to the "Findings" window, where they are distinguishable by a "created by" column, which shows whether a Finding is from DRONE or user-generated, and identifies the creator. This allows for efficient tracking and searching using the column search functionality.
Additionally, these Findings are reflected in the Dashboard widget, where users can filter to view "All" findings or specifically search across DRONE or user-generated Findings using the provided tabs. This new feature in AIR 4.13 significantly empowers users to tailor their investigative processes with enriched data and personalized analysis.
6. MITRE ATT&CK

MITRE ATT&CK is a globally recognized knowledge base of adversary tactics and techniques that underpins threat models and methodologies across industries. AIR maps Findings to ATT&CK tactics and techniques as they are generated. DRONE scans assets and processes with purpose-built rules, including YARA rules for IoCs and TTPs, and those rules are updated automatically within AIR. You can read more about DRONE in the blog post 'Automated Compromise Assessment with DRONE'.
MITRE Heatmap

The MITRE ATT&CK heatmap is an integrated visual tool within the Findings section of the Investigation Hub that maps DRONE-generated findings to MITRE ATT&CK techniques and sub-techniques. It visually indicates which techniques are involved in the current case, based on the volume of findings, enabling analysts to quickly assess the breadth and focus of an attack.
Each technique in the heatmap corresponds to a cell, and its color intensity represents the number of findings mapped to that technique. This allows analysts to see at a glance which areas of the ATT&CK framework are most heavily implicated in the investigation.

Analytical Value of Heatmaps
Immediate Threat Context: The heatmap adds actionable context by connecting raw findings with attacker behaviors defined in the MITRE ATT&CK framework. This helps analysts:
Understand the “how” of the attack (techniques)
Spot patterns across multiple assets
Recognize potential blind spots in detection coverage
Gap Identification: By visualizing unused or sparsely populated techniques, SOC teams can identify gaps in evidence collection, detection logic, or attacker behaviors that have not yet been fully uncovered.
Investigation Prioritization: Supports strategic triage by letting analysts focus first on high-volume techniques associated with high-severity findings.
Configurable Visualization Options

To enhance usability and relevance, the heatmap offers several customization controls:
Sort Techniques by Volume:
Techniques can be sorted in either ascending or descending order by associated findings.
Helps in prioritizing analysis — either by focusing on the most prevalent threats first or identifying less common, potentially stealthier techniques.
Toggle Empty Techniques:
Analysts can hide or display techniques with zero associated findings, reducing visual noise and emphasizing active threat vectors.
Toggle Sub-techniques:
Enables a granular view by revealing or hiding sub-techniques under each parent tactic.
Supports more precise mapping of attack behavior and facilitates deeper root cause analysis.
These options are especially useful in investigations involving many assets or large data volumes, allowing teams to zero in on critical patterns efficiently.
7. Details View
To match your viewing preferences and monitor setup, the Details view for selected evidence items is both dockable and detachable. You can either open a separate, independent window to display the evidence details or use the icon shown below to toggle the position of the Details window.
Dockable Evidence Details Window: This feature allows you to toggle the Details window between a vertical display on the right side of the browser window and a horizontal display at the bottom. Simply click the icon to switch between these views.

In the Details window, there may be occasions when some fields are empty. To minimize clutter from these empty fields, you can use the 'Hide Empty Fields' feature. This option allows you to clean up the interface by displaying only those fields that contain information.
Detachable Evidence Details Window: This feature allows users to open evidence details in a standalone window that can be resized and repositioned anywhere on the screen(s) for improved clarity. The window maintains its form even when displaying new evidence items. Clicking on a new row in the table updates the detached details view to match the newly selected item. This flexibility allows investigators to compare multiple pieces of evidence side by side, improving the overall analysis process.

Details View Example:

The screenshot above displays an example of a typical details view of a file selected in the table view. This particular file is a Scheduled Task entry which has a DRONE Finding Type 'High'.
The term "Digital Sign Status As Text" refers to the description of the status of a digital signature in text form. When you encounter "Bad Digest" as the status, it indicates an issue with the digital signature of a file or document.
Specifically, "Bad Digest" means that the hash computed over the file as it now exists on the asset does not match the digest that was recorded in the signature when the file was signed. The file has therefore been altered or corrupted after signing, so the signature can no longer vouch for its integrity and it should not be trusted as authentic or unmodified. Deliberate tampering is the obvious explanation, but a truncated copy or an in-place patch applied after signing produces the same status, so corroborate before drawing conclusions; pivoting on the file's hash, as shown next, is one way to do that.
Searching the hash value revealed in the details window across the Investigation Hub immediately reveals other Findings associated with this file:

Now we can see that there are two High Findings that are mapped to MITRE ATT&CK Tactics and Techniques, as shown.
8. Advanced Filters
The advanced filter save feature boosts efficiency by enabling users to save and share custom filters within an AIR organization. This functionality streamlines data analysis, promotes consistency, and enhances collaboration throughout the investigative process.
The Advanced Filter window remains visible as you build the filter, and you can reposition it.
Each Advanced Filter is specific to the table in which it is built; for example, an Advanced Filter you build in Findings will not be available to you in the Browser Artifact table.
Filters can be saved and then later selected from the drop-down list.
Add items to Advanced Filters directly from the Details window using the filter icon:
Regex Operator Support in Advanced Filters
The Investigation Hub includes support for regular expression (regex) operators within the Advanced Filters section. This enables more powerful and flexible data filtering across cases, triage results, and evidence views.

How It Works: Regex filtering is available via the existing Contains filter dropdown, with the following operator options:
Doesn't match RegEx (case sensitive)
Matches RegEx (case sensitive)
Doesn't match RegEx (case insensitive)
Matches RegEx (case insensitive)
These options enable you to create highly granular search conditions, which are ideal for forensic analysts working with variable or loosely structured data inputs.
Example Use Cases and Syntax Explained:
Locate executables matching a naming convention
Regex: ^cmd.*\.exe$
Explanation:
^ anchors the match to the start of the string
cmd looks for the literal text "cmd"
.* matches any number of any characters (except newline)
\.exe matches the literal file extension .exe (the backslash escapes the dot so it cannot stand for any other character)
$ anchors the match to the end of the string
Use case: Filters for file names like cmd.exe, cmd123.exe, or cmd_tool.exe. Because of the ^ anchor, apply this pattern to a file-name column; against a full path such as C:\Windows\System32\cmd.exe it will not match.
Identify registry keys containing GUIDs
Regex: [A-Fa-f0-9]{8}-([A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}
Explanation:
[A-Fa-f0-9]{8} matches 8 hexadecimal characters
- matches a literal hyphen
([A-Fa-f0-9]{4}-){3} matches three groups of 4 hex characters, each followed by a hyphen
[A-Fa-f0-9]{12} matches the final 12 hex characters
Use case: Matches standard Windows GUIDs like f81d4fae-7dec-11d0-a765-00a0c91e6bf6
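The four operators and the two patterns above, run over constructed table rows (an added example written for this page, not AIR code). It assumes the filter applies search semantics, so anchors matter, and uses made-up column names (name and path) and made-up registry keys. It also demonstrates two caveats a practitioner will hit: the unescaped dot in ^cmd.*.exe$ admits names with no real extension, and a pattern anchored with ^cmd never matches a full-path column, so a path-aware variant is included.

```python
"""Added example (not AIR code): the four regex operators from the Advanced
Filter dropdown applied to constructed rows, plus the anchoring and escaping
caveats the page's two patterns raise. Column names, search-rather-than-
full-match semantics and the sample rows are assumptions."""
import re

# operator label from the dropdown -> (re flags, negate the result)
OPERATORS = {
    "Matches RegEx (case sensitive)":         (0, False),
    "Doesn't match RegEx (case sensitive)":   (0, True),
    "Matches RegEx (case insensitive)":       (re.IGNORECASE, False),
    "Doesn't match RegEx (case insensitive)": (re.IGNORECASE, True),
}


def filter_rows(rows, column, operator, regex):
    """Keep rows whose `column` value satisfies the operator (search semantics)."""
    flags, negate = OPERATORS[operator]
    pat = re.compile(regex, flags)
    return [r for r in rows if (pat.search(r[column]) is not None) != negate]


# Constructed rows resembling an App Compat Cache table.
ROWS = [
    {"name": "cmd.exe",        "path": "C:\\Windows\\System32\\cmd.exe"},
    {"name": "CMD123.EXE",     "path": "C:\\Users\\rb\\AppData\\Local\\Temp\\CMD123.EXE"},
    {"name": "cmd_tool.exe",   "path": "C:\\Tools\\cmd_tool.exe"},
    {"name": "cmdxexe",        "path": "C:\\Tools\\cmdxexe"},  # no '.exe'; trips an unescaped dot
    {"name": "powershell.exe", "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]

EXE_NAME = r"^cmd.*\.exe$"            # the page's pattern: meant for a file-name column
EXE_NAME_UNESCAPED = r"^cmd.*.exe$"   # forgetting to escape the dot
EXE_PATH = r"(^|\\)cmd[^\\]*\.exe$"   # same intent, usable on a full-path column

# The GUID pattern is unanchored, so it finds GUIDs embedded anywhere in a key.
GUID = r"[A-Fa-f0-9]{8}-([A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}"
KEYS = [  # constructed registry keys
    "HKLM\\SOFTWARE\\Classes\\CLSID\\{f81d4fae-7dec-11d0-a765-00a0c91e6bf6}\\InprocServer32",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}",
]


def names(rows):
    """Convenience: the name column of a filtered row set."""
    return [r["name"] for r in rows]


def guids_in(keys):
    """Every GUID occurrence across the key list, in order of appearance."""
    return [m.group(0) for k in keys for m in re.finditer(GUID, k)]


if __name__ == "__main__":
    for op in OPERATORS:
        print(f"{op:40} -> {names(filter_rows(ROWS, 'name', op, EXE_NAME))}")
    print("unescaped dot:", names(filter_rows(ROWS, "name", "Matches RegEx (case insensitive)", EXE_NAME_UNESCAPED)))
    print("anchored pattern on path column:", filter_rows(ROWS, "path", "Matches RegEx (case insensitive)", EXE_NAME))
    print("path-aware variant:", names(filter_rows(ROWS, "path", "Matches RegEx (case insensitive)", EXE_PATH)))
    print("GUIDs:", guids_in(KEYS))
```

When in doubt about which column a saved Advanced Filter targets, prefer the case-insensitive operators for Windows file and registry names, and remember that a filter that matches nothing is more often a wrong anchor or an unescaped metacharacter than an absence of evidence.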
9. Automatic Report Generation - Wizard
AIR's automated report generation feature, alongside the Compromise Assessment Report template, efficiently populates reports with relevant investigation information, offering pre-built, customizable sections tailored to different stakeholders and audiences.
Generating a Report: Users can initiate report generation from the Secondary Menu under "Reports" or directly from the Dashboard action button using AIR’s Compromise Assessment report template. The report generation process has been refined to allow for greater customization and flexibility:
Initial Setup and Customization:

Include all findings from the Investigation Hub, encompassing DRONE findings and user-generated findings, excluding any that have been previously filtered out.
Filter which assets and associated tasks to include based on relevance to the report.
Apply additional filters by severity of findings and flags to further tailor the content.
Inclusion of Evidence:

Users can choose to incorporate evidence linked to flagged items, enhancing the report with crucial items of note that may not be categorized as findings.
Report Customization:
Add a company logo to the report, allowing service providers to brand their reports for clients.
Name the report and set the date/time to ensure clarity and relevance.
Select specific sections to include in the report based on the intended audience, ensuring the content is relevant and tailored to their needs.

Final Steps and Editing: Once the report is generated by clicking <Generate Report>, it remains fully editable within an HTML iframe editor. This flexibility allows analysts and responders to append additional analysis notes, recommendations, and other pertinent information as needed.
Post-Creation Options:
Save: Saves the current HTML version of the report, allowing further modifications in the future.
Export PDF: Converts the report into a PDF file for distribution or archiving.
Both HTML and PDF versions of the report can be managed, edited, generated, exported, and deleted from the "Reports" tab in the Secondary Menu of the Investigation Hub.
This wizard-driven approach not only simplifies the report generation process but also provides users with powerful tools to create detailed, customized reports that meet specific requirements, all within a few clicks.