AIR Investigation Hub

Harness the power of consolidation, prioritization, and collaboration for efficient incident response investigations

Last updated 11 months ago

What is the AIR Investigation Hub?

AIR automatically generates and presents a clear DFIR intelligence report directly within the Investigation Hub. This report instantly highlights DRONE's findings and consolidates all Acquisition and Triage data from multiple assets into a single view.

This central dashboard immediately elevates your investigation and gives analysts a seamless experience, allowing them to sort, filter, exclude findings, flag, bookmark, and investigate the data with ease. The user-friendly interface streamlines analysis, empowering analysts to navigate and interpret the information efficiently to uncover insights and actionable intelligence.

The Investigation Hub provides a unified, well-organized view of the assets, evidence, artifacts, and triage results within a case. This lets you efficiently review and concentrate your investigation on pertinent details using filters and a powerful global search function, eliminating the need to switch between screens manually to piece data together.

The Investigation Hub delivers Findings derived from Binalyze AIR's automated DRONE analyzers, giving you a head start in any investigation.

With DRONE's proprietary analyzers, combined with YARA, Sigma, and osquery scanning, you can analyze assets and evidence at speed and identify compromised machines, streamlining the process of sifting through often huge data sets.

The integrated MITRE ATT&CK mapping provides context to discern the nature of threats, stay ahead of the attack's progression, and pinpoint areas needing further investigation.

The benefits of the Investigation Hub

  1. All in one place - all AIR data acquisitions, results of DRONE analysis, and Triage scans of the assets related to a chosen case - are now available in one place, making analysts' and investigators' work much faster and simpler.

  2. Efficiency and Speed - analysts can navigate easily to a specific endpoint in the Case while also leveraging information from all of their endpoints in a high-level overview of the entire Case. Much faster decisions can therefore be made - such as where to start and focus investigations, and where to divert resources when the Investigation Hub highlights new information.

  3. All multi-asset investigations become far more efficient within the Investigation Hub, especially as we now allow users to 'Bring Your Own Evidence' (BYOE):

    • Seamlessly import .csv files into the Investigation Hub using our data mapping service, accommodating all forms of structured .csv data.

    • Efficiently import and analyze .pst files, enabling the display of email data within the Investigation Hub for a more comprehensive examination.

  4. The DRONE findings table can be exported from the Investigation Hub into a .csv file, enabling the integration of DRONE's analysis results into reports, SIEM, or other security tools for the development of custom alerts.

Do I have to install or update my existing Infrastructure?

The Investigation Hub is included as part of the standard AIR installation. All of our hardware and software requirements are described in the Setup section of the KB; no additional infrastructure updates are required.

Where to find the Investigation Hub

The Investigation Hub operates at the case level and is generated from the data collected for individual cases. To access it, navigate to 'Cases' in the Main menu. Once you've selected the case of interest, you can access the Investigation Hub via the action button located in the main viewing area:

The Investigation Hub button is found in individual Cases - in this instance, the Case is called "DayOne".

Investigation Hub: The Dashboard

Collaboration

AIR is a highly collaborative platform that allows multiple users to access the system simultaneously. Each user's privileges can be finely adjusted based on roles assigned by the system's owner or administrator. As the fastest and most comprehensive DFIR platform globally, AIR's efficiency is further enhanced through team collaboration.

The Activity Feed

  • The Activity Feed enhances team collaboration and transparency by logging the actions taken by investigators. This includes creating exclusions, findings, flags, comments, and notes. Each entry includes user identification and timestamp information to ensure a comprehensive audit trail.

  • All activities are labeled, and clicking on an entry links to the individual activity. In the example below we can see how Comment Added, Note Added, Flag Added, and Exclusion Rule Created have all been tracked as activities.

Adding Comments to evidence

Comments enhance communication by allowing analysts to comment directly on findings and tag relevant colleagues. This ensures that all discussions are captured and documented within the Activity Feed, promoting effective collaboration and activity tracking.

Right-click on an item and select ‘Comment’ to attach your comment to that item:

You can tag users in a comment, and they can view the item by clicking on the comment in their Activity Feeds:

Each table will show only the Activities, Comments, and Flags that are relevant to that table.