AIR Investigation Hub

Harness the power of consolidation, prioritization, and collaboration for efficient incident response investigations

What is AIR Investigation Hub?

AIR automates the rapid generation and presentation of a clear DFIR intelligence report directly within the Investigation Hub. This report instantly highlights DRONE's findings and consolidates all Acquisition and Triage data from multiple assets into a single view known as The Investigation Hub.
This central dashboard provides analysts with a seamless experience, allowing them to sort, filter, bookmark, and investigate the data with ease. The user-friendly interface streamlines the analysis process, empowering analysts to efficiently navigate and interpret the information to uncover insights and actionable intelligence.
The Investigation Hub provides a unified, well-organized view of assets, evidence, artifacts, and triage results within a case. This allows you to efficiently review and concentrate your investigation on pertinent details using filters and a powerful global search function, eliminating the need to switch between screens to manually piece data together.
The Intelligence Hub delivers Findings via Scores and Verdicts derived from Binalyze AIR's Triage and DRONE analyzers, giving you a head start in any investigation.
With DRONE's proprietary analyzers, combined with YARA, Sigma, and osquery scanning, you can, at speed, analyze assets and evidence, identifying compromised machines to streamline the process of sifting through often huge data sets.
The integrated MITRE ATT&CK mapping provides context to discern the nature of threats, stay ahead of the attack's progression, and pinpoint areas needing further investigation.

The benefits of the Investigation Hub

  1. All in one place - all AIR data acquisitions, results of DRONE analysis, and Triage scans of the assets related to a chosen case are now available in one place, making analysts' and investigators' work much faster and simpler.
  2. Efficiency and Speed - analysts can navigate easily to a specific endpoint in the Case, but at the same time leverage information from all of their endpoints in a high-level overview of the entire Case. Therefore, much faster decisions can be made - such as where to start and focus investigations, but also where to divert resources when new information is highlighted by the Investigation Hub.
  3. All multi-asset investigations become far more efficient within the Investigation Hub, especially as we now allow users to 'Bring Your Own Evidence' (BYOE):
     • Seamlessly import .csv files into the Investigation Hub using our data mapping service, accommodating all forms of structured .csv data.
     • Efficiently import and analyze .pst files, enabling the display of email data within the Investigation Hub for a more comprehensive examination.
  4. The DRONE findings table can be exported from the Investigation Hub into a .csv file, enabling the integration of DRONE's analysis results into reports, SIEM, or other security tools for the development of custom alerts.

Do I have to install or update my existing Infrastructure?

The Investigation Hub is included as part of the standard AIR installation.
All of our hardware and software requirements are described here in the Setup section of the KB; no additional infrastructure updates are required.

Where to find the Investigation Hub

The Investigation Hub operates at the case level and is generated from the data collected for individual cases. To access it, navigate to 'Cases' in the Main menu. Once you've selected the case of interest, you can access the Investigation Hub via the button located at the bottom of the Secondary menu:
The Investigation Hub is found in individual Cases. In this instance, the Case is called "aix".
Have you encountered any issues? -Contact our Support team at