AIR Investigation Hub

Harness the power of consolidation, prioritization, and collaboration for efficient incident response investigations

What is the AIR Investigation Hub?

AIR automates the rapid generation and presentation of a clear DFIR intelligence report directly within the Investigation Hub. This report instantly highlights DRONE's findings and consolidates all Acquisition and Triage data from multiple assets into a single view known as the Investigation Hub.

This central dashboard immediately elevates your investigation and provides analysts with a seamless experience, allowing them to; sort, exclude findings, filter, flag, bookmark, and easily investigate the data. The user-friendly interface streamlines the analysis process, empowering analysts to efficiently navigate and interpret the information to uncover insights and actionable intelligence.

The Investigation Hub provides a unified, well-organized view of assets, evidence, artifacts, and triage results within a case. This allows you to efficiently review and concentrate your investigation on pertinent details using filters and a powerful global search function, eliminating the need to manually switch between screens to piece data together.

The Intelligence Hub delivers Findings derived from Binalyze AIR's automated DRONE analyzers, giving you a head start in any investigations.

With DRONE's proprietary analyzers, combined with YARA, Sigma, and osquery scanning, you can, at speed, analyze assets and evidence, identifying compromised machines to streamline the process of sifting through often huge data sets.

The integrated MITRE ATT&CK mapping provides context to discern the nature of threats, stay ahead of the attack's progression, and pinpoint areas needing further investigation.

The benefits of the Investigation Hub

  1. All in one place - all AIR data acquisitions, results of DRONE analysis, and Triage scans of the assets related to a chosen case - are now available in one place, making the analysts and investigators work much faster and simpler.

  2. Efficiency and Speed - analysts can navigate easily to a specific endpoint in the Case, but at the same time leverage information from all of their endpoints in a high-level overview of the entire Case. Therefore, much faster decisions can be made - such as where to start and focus investigations, but also where to divert resources when new information is highlighted by the Investigation Hub.

  3. All multi-asset investigations become far more efficient within the Investigation Hub, especially as we now allow users to 'Bring Your Own Evidence' (BYOE):

    • Seamlessly import .csv files into the Investigation Hub using our data mapping service, accommodating all forms of structured .csv data.

    • Efficiently import and analyze .pst files, enabling the display of email data within the Investigation Hub for a more comprehensive examination.

  4. The DRONE findings table can be exported from the Investigation Hub into a .csv file, enabling the integration of DRONE's analysis results into reports, SIEM, or other security tools for the development of custom alerts.

Do I have to install or update my existing Infrastructure?

The Investigation Hub is included as part of the standard AIR installation.

All of our hardware and software requirements are described here in the Setup section of the KB, no additional infrastructure updates are required.

Where to find the Investigation Hub

The Investigation Hub operates at the case level and is generated from the data collected for individual cases. To access it, navigate to 'Cases' in the Main menu. Once you've selected the case of interest, you can access the Investigation Hub via the action button located in the main viewing area:


AIR is a highly collaborative platform that allows multiple users to access the system simultaneously. Each user's privileges can be finely adjusted based on roles assigned by the system's owner or administrator. As the fastest and most comprehensive DFIR platform globally, AIR's efficiency is further enhanced through team collaboration.

The Activity Feed

  • The Activity Feed enhances team collaboration and transparency by logging actions taken by investigators. This includes creating; exclusions, findings, flags, comments, and notes. Each entry includes user identification and timestamp information to ensure a comprehensive audit trail.

  • All of the activities are labeled and linked to the individual activity simply by clicking on it. In the example below we can see how Comment Added, Note Added, Flag Added, and Exclusion Rule Created have all been tracked as activities

Adding Comments to evidence

Comments enhance communication by allowing analysts to directly comment on findings or and tag relevant colleagues. This ensures that all discussions are captured and documented within the activity feed, promoting effective collaboration and activity tracking.

Right-click on an item and select ‘Comment’ to attach your comment to that item:

You can tag users in a comment and they can view the item by clicking on the comment in their Activity Feeds:

Each table will show all of the Activities, Comments and Flags that are relevant just to that table

Last updated