Using the AIR Investigation Hub


Last updated 1 month ago


The Investigation Hub offers a centralized and well-organized interface to manage all case-related elements, including assets, evidence, artifacts, and triage results. It simplifies the investigative process by providing efficient filtering options and a robust global search feature, eliminating the need to switch between tools or manually piece together information from various sources.

This hub is designed to elevate the investigative process by seamlessly integrating additional data sources and context through data-importing capabilities. This means you can augment your analysis by importing relevant data and context, ensuring that you have access to a comprehensive and updated information set for your investigation.

The Investigation Hub is not static: it is a living space that ingests and consolidates every report allocated to a case as the investigation progresses.

The remainder of this page delves into the various sections that comprise the displayed information. It's beneficial to become familiar with this layout to easily locate the specific data you're interested in. Given the diverse nature of investigative needs, users may employ various methods to explore this data.

For further reading, you may find the article titled '' to be a valuable example of one such approach.

Navigating the Investigation Hub

Within this article, we will delve into the different perspectives offered by the Investigation Hub and provide suggestions on how users can effectively utilize its functionality.

The Investigation Hub can be broken down into the following sections:

  1. Header

  2. Secondary Menu

  3. Dashboard & Widgets

  4. Evidence

  5. Findings & Results Table

  6. MITRE ATT&CK

  7. Details View

  8. Automated Report Generation

1. Header

The Header is a persistent element across all views within the Investigation Hub.

To the right of the AIR icon is a Global Search input box. This search capability is highly versatile, enabling users to perform searches across all data within the Investigation Hub for the current case. This encompasses acquisition and triage data, as well as any imported data and findings identified by DRONE, ensuring a comprehensive and integrated approach to investigations.

The Activity Feed enhances team collaboration and transparency by logging actions taken by investigators. This includes creating exclusions, findings, flags, comments, and notes. Each entry includes user identification and timestamp information to ensure a comprehensive audit trail.

  • All of the activities are labeled, and clicking an entry links directly to the individual activity. In the example below, the user has filtered to 'Only me', showing all of their activity with the newest first:

Notifications are accessed via the bell notifications icon, which displays a count (up to 99) of the unread notifications.

To the right of the Notifications icon is the name of the Organizational environment in which the user is working. From this link, the user can access the Organization Settings, change the Organization, or add a new one.

Towards the right side of Activities, users have the option to modify time zone settings for all timestamps within the hub, should the need arise.

2. Secondary Menu

At the top of the Secondary Menu, the name of the current case (e.g., 'DayOne' in this example) is prominently displayed. From here, users can choose the view to display in the main viewing window of the Investigation Hub, selecting from:

  • Dashboard

  • Reports

  • Findings

  • Exclusions

  • Evidence

Live Import Progress

As seen below, the Secondary Menu shows 'live import progress' directly next to the case title. This provides immediate visibility into active tasks without needing to refresh or switch views.

When hovering over the data import icon, users will now see a clear visual status:

  • A green tick indicates that the import has successfully completed.

  • A spinning circle of dots signifies that the import is still in progress.

The bottom half of the Secondary Menu is dedicated to applying Global Filters to the current case, enhancing the ability to narrow down the displayed information. Users can filter by:

  • Asset

  • Finding Type

  • Flag

  • Dates and Times

  • Creator

These filtering options, combined with the logical AND switch, enable users to customize and refine the display to show only the most relevant items based on multiple selected criteria. This structured approach helps streamline navigation and improves the efficiency of the investigative process in the Investigation Hub.

Global Filters: Filtering by Assets introduces a tertiary menu, allowing users to delve deeper into data granularity. This menu enables the selection or exclusion of specific information for analysis within the Investigation Hub, focusing on particular assets. Following this, a 'quaternary menu' becomes available, offering the ability to further refine the view by filtering through individual tasks associated with a chosen asset. This layered approach to filtering ensures that users can precisely tailor the data they review, making their investigative process more focused and efficient.

3. The Dashboard and Widgets

The Dashboard provides investigators with a high-level overview of their case, highlighting key issues and investigative opportunities. It features dynamic widgets that automatically update as new evidence and artifacts are added, ensuring that investigators have the most current information at their disposal.

The action buttons on the Dashboard page enable three key activities:

  1. Import .csv or .pst Files: Add these files directly to your case.

  2. Generate Reports: Access the report generation wizard.

  3. Export Flags to .csv: Export all flagged items, including bookmarks.

Additionally, the Overview widget allows for filtering by operating system, giving you a quick overview of key statistics for the case.

The Finding Type widget on the dashboard categorizes and filters findings as either DRONE automated, user-generated, or both. This widget simplifies the review process by presenting findings according to their severity levels:

  • Red: Indicates High severity

  • Orange: Denotes Medium severity

  • Blue: Represents Low severity

  • Dark Orange: Signifies Matched (keyword/Triage hit)

Each item within the widget is clickable, and the filtered results are displayed on the Findings page.

Note: User-generated findings are a new feature introduced in version 4.13.

Additionally, version 4.13 streamlines the display of findings by reducing the number of Finding categories from eight to four through the following re-mapping:

  • Dangerous & High → High

  • Suspicious & Medium → Medium

  • Matched → Matched

  • Rare, Relevant & Low → Low

This simplification helps clarify the severity of findings, enhancing the investigative workflow.

DRONE Finding Types

  • High: Flags threats that pose immediate and significant risks, demanding urgent action to prevent or mitigate severe impacts. Example: An IIS process executing cmd.exe or powershell.exe, which could indicate a web shell.

  • Medium: Targets activities that deviate from expected norms and could be indicative of potential threats, suggesting a need for deeper scrutiny. Example: A running unsigned process located in a temporary folder, or use of known hacking tools like "mimikatz."

  • Low: Identifies less critical but still unusual activities that could benefit from further investigation to clarify their nature and intent. Example: System-level processes initiated by non-privileged users, or processes operating from non-existent directories.

  • Matched: Involves confirmed matches to predefined security rules, keywords, hashes, or patterns within the analyzed data, signaling recognized threat indicators. Example: A detected scheduled task named "MalwareTask*" that aligns with a user-defined keyword "MalwareTask*".

The MITRE ATT&CK widget provides an invaluable overview by displaying how many findings within a case have been mapped to Tactics and Techniques from the MITRE ATT&CK framework. This framework is a globally recognized knowledge base of adversary tactics and techniques based on real-world observations. It is used extensively for threat modeling and cybersecurity defense.

By incorporating the MITRE ATT&CK widget into the dashboard, investigators can quickly identify patterns and methods used in cyber attacks, facilitating a deeper understanding of the threat landscape. This visibility enables users to align their defense strategies more accurately with the tactics and techniques that adversaries are most likely to use, improving the effectiveness of their security measures. The widget's ability to show the distribution of findings across different categories not only helps in pinpointing vulnerabilities but also aids in prioritizing responses to the most critical threats based on the observed attack patterns.

The Top Asset Breakdown widget highlights the most significant assets within the current case, emphasizing those with the most severe issues. This feature provides a clear and concise view of critical vulnerabilities, helping investigators prioritize their response efforts based on the urgency and impact of the identified problems.

The "Flags" widget provides a comprehensive overview of all flagged items, each accompanied by their respective counts. This widget allows for the customization of flags by users, who can modify both the name and color of each flag to suit their needs.

The default "Bookmark" flag is pre-established and cannot be edited. Additional custom flags, once created, are stored and listed within the library for easy access.

Note: Flags are configured at the Organization level, so they are not case-specific. Any edits or deletions to flags therefore have a global effect for the Organization and are only permitted for users with Case Management privileges. This ensures consistent flagging practices across all cases and preserves the integrity of the flagging system.

4. Evidence

Under the heading Evidence, all of the evidence items that have been collected as part of a tasking, even where there has been a null return, will be displayed.

A count will be displayed next to each evidence item to indicate the number of associated Findings. For example, in the screenshot below, there are 14 high-priority Findings for Persistence>Scheduled Tasks, 3 medium-priority Findings for Persistence>Registry, and other items are shown with counts but have no Findings associated. This feature helps to quickly identify and prioritize areas of interest within the evidence.

Triage results and imported evidence items are also displayed in this Evidence section.

Within the Secondary Menu, users have the flexibility to dynamically include or exclude case assets, including imported evidence like .pst or .csv files. Assets are categorized either by the operating system or by the name of the imported evidence for ease of management. In the example above, the Windows asset called RichardBurton has been deselected, so none of the evidence from this asset will be displayed in any of the Findings views.

  • Other Evidence is a category for items that are Findings without a dedicated entry in the Investigation Hub.

    • All findings without a specific category will be grouped under 'Other Evidence'. This ensures every finding is allocated an evidence record within a category, allowing the total count of findings on the Investigation dashboard to match the number shown in the evidence list accurately.

5. The Findings and Evidence Results Tables

Within the Secondary Menu, Findings are categorized and displayed alongside a count for each evidence type where applicable. The severity of each Finding is color-coded for quick identification:

  • Red: Indicates High severity

  • Orange: Denotes Medium severity

  • Blue: Represents Low severity

  • Pink: Signifies Matched (keyword hit)

This system allows for an immediate visual assessment of the evidence's priority level.

Under the Evidence sub-heading, the Secondary Menu displays all of the evidence items that have been collected as part of a tasking, even where there has been a null return. In the example below, the Hide Empty Pages filter has been activated.

In the screenshot shown above, the acquired evidence from the App Compat Cache has been highlighted for focused viewing. As a result, the main viewing area is exclusively dedicated to displaying all the evidence gathered from the App Compat Cache. In this particular example, one 'Matched' item has been singled out, and its comprehensive details are presented in the section below in the 'Details' tab.

It's important to highlight that in this scenario, the table has been sorted based on the findings column to order the view by the severity of the findings. Additionally, users have the flexibility to rearrange and resize columns according to their preferences. Furthermore, users can customize which columns are visible in the table using the Column Chooser feature, which is available on all pages with tables within the Investigation Hub.

The Evidence section displays both triage results and imported evidence items, offering comprehensive insight into gathered data.

Highlighted in the above screenshot, additional table functionality enhances user interaction and data management:

  • Flag Column: This column showcases flagged items and enables filtering and sorting based on flag status.

  • Magnifying Glass Icon: Offers extensive filtering and searching capabilities with options like Contains, Does Not Contain, Starts With, Ends With, Equals, and more, allowing precise control over displayed data.

  • Dockable Details Pane: Users can choose to dock this pane on the right side or at the bottom of the window. Clicking the icon toggles the Details pane's orientation from vertical to horizontal and vice versa, adapting to user preference and screen layout.

  • Filtered Items Reminder: A helpful reminder of the currently applied filters, ensuring users are aware of the viewing context.

  • Date & Time Picker: Allows users to narrow down evidence to specific time periods, facilitating focused analysis.

  • Created By Column: In the Findings table the Created By column will show if the finding was generated by DRONE or a user.

  • Highlight to search: This allows users to highlight text in the Investigation Hub tables, as shown below, right-click on the selection, select the magnifying glass that appears, and then choose "Search in Findings table", "Search in the Investigation Hub", "Search in Google" or "Search in VirusTotal".

Fullscreen Evidence Tables: Users can view evidence tables in full-screen mode, ideal for large datasets with multiple columns and rows. This feature maximizes screen space, allowing easier navigation and analysis of complex data without the need for scrolling or resizing. To exit fullscreen mode, simply click the Exit-Fullscreen icon.

Sticky Column Headings: The selection and position of columns will remain saved in your browser across all AIR sessions unless you clear your browser cookies. This ensures your preferred layout and data organization stay consistent, enhancing both efficiency and user experience.

Flags

The Investigation Hub flagging feature allows users to create custom flags to mark evidence and findings they deem significant during an investigation. This flagging functionality can be used to filter by flags and facilitates collaboration with other investigators, helping to mark items for re-examination or highlighting important details for potential inclusion in reports.

Users create custom flags by right-clicking on a finding or evidence item, selecting ‘Add/Remove Flag’, and then entering a name and description and choosing a color for the flag from the 11 default options, or clicking the '+' to select a custom color from a palette:

Multiple items can be flagged simultaneously using the Bulk Actions bar:

  • Hovering over the flag of a flagged item in the table view will reveal:

    • The name of the flag

    • Who created the flag

    • The date & time it was created

  • Flags are saved at the Organization level in Libraries, therefore they will be available to all cases created in the same Organization.

  • Creating new flags or editing existing flags can be done in Libraries if the user has Case Management privileges.

  • The Bookmark Flag is the only fixed/permanent flag.

  • Users can use the advanced filter to include or exclude flagged items in the Investigation Hub table views, enhancing the ability to focus on prioritized or highlighted evidence.

Exclusions

AIR's DRONE capability enhances decision support by leveraging built-in YARA, Sigma, and osquery rules to quickly identify compromised assets. By analyzing evidence, DRONE generates Findings that highlight key investigative opportunities, helping prioritize and streamline investigations efficiently.

During an investigation, users may encounter Findings that are not relevant to their case. The Investigation Hub allows them to exclude these Findings, helping investigators stay focused on pertinent information.

Exclusion Methods:

AIR offers two exclusion methods:

  1. Exclusion Rules – Allows exclusion of a Finding either by its location/path OR, regardless of its location, based on the finding itself.

  2. Individual Exclusions – This method allows users to manually exclude any Findings within a case, based on their specific needs or investigation requirements, without the need to create a rule.

1. Exclude by Rule

  • Right-click on a Finding and choose "Exclude by Rule" from the context menu.

  • Exclude by: Customize the exclusion based on the path in two ways: On the specific path, which excludes an item only if found in that particular location, or based on the finding, which excludes the item regardless of where it is found on the asset.

  • Scope: Decide whether to exclude from just this case or from all cases within the organization.

  • Target: Apply the rule to the selected asset, or all assets in the case.

  • (Exclusion by hash value is coming soon)

2. Individual Exclusions

This method allows users to manually exclude any Findings within individual cases, based on their specific needs or investigation requirements, without the need to create a rule.

Right-click on a Finding and choose "Exclude" from the context menu.

Users can either select an existing reason for exclusion or create a new one. Any newly added reason will be saved and included in the list of available exclusion reasons for future use.

Management and Auditability:

  • All excluded Findings are removed from the Findings table and added to the Exclusions table (directly below Findings in the Secondary Menu) as shown below. This feature enables teams to cross-validate and resolve discrepancies as needed.

  • At the top of the page, users can click "Manage Rules" to modify or delete Exclusion Rules. Individual exclusions, however, cannot be edited; they can only be deleted. This allows users to refine exclusion settings while maintaining control over how findings are managed.

  • In the Organization Library under "Finding Exclusions Rules," users can change the scope from Case to Organization, apply exclusions from one asset to all assets in the organization, or completely delete rules if they have "Case Management" privileges.

  • In the Organization Library, users can also select Exclusion Rules to delete via the Bulk Action Bar as shown below.

Tooltips are provided throughout to guide users in utilizing these customizable options effectively. After an exclusion is applied, users have a brief opportunity to undo the operation or close the notification, ensuring that actions are deliberate and retrievable.

This Exclusions Capability significantly streamlines the investigative process, allowing investigators to maintain focus on essential evidence while managing irrelevant data efficiently.

Notes

The Notes feature enhances collaboration by allowing users to attach notes to any evidence item or Finding, without the requirement for the item to be bookmarked. These notes are accessible to the entire team working on the case and are displayed in the Notes column of the table view.

This feature is particularly useful for enhancing communication within the team, as it allows for the sharing of insights and observations directly alongside the relevant evidence. Furthermore, notes can be seamlessly integrated into reports through AIR’s “Generate Report” feature, which supports the creation of customizable reports. Additionally, notes can be exported for external use.

Overall, the Notes feature in AIR 4.13 streamlines case documentation and enhances the reporting process, making it an essential tool for collaborative investigations.

User generated Findings

In previous versions of AIR, the decision-support system, including the automated evidence analyzers known as DRONE, helped users prioritize their investigative steps. With the release of AIR 4.13, users now have the capability to generate their own Findings, enhancing the depth of investigations by incorporating personal insights, organizational context, or specific investigative details.

For instance, from the Evidence page, users can right-click on an item and select "Mark as Finding" to manually allocate a Finding to it. This process involves several steps:

  • Selecting a Finding Type: Users choose from pre-defined types such as High, Medium, Low, or Matched.

  • Adding a Description/Label: This describes or labels the Finding for clarity and reference.

  • Detailing the Path and Associating with MITRE ATT&CK TTP: Users can specify the file path and link the Finding to a specific tactic or technique from the MITRE ATT&CK framework.

  • Setting a Date: Users can also include the date when the Finding was identified or marked.

Upon confirming with "OK", the Finding type is displayed in the "Finding Type" column within the Evidence page, along with a column indicating who created the Finding. These user-generated Findings are then added to the "Findings" window, where they are distinguishable by a "created by" column, which shows whether a Finding is from DRONE or user-generated, and identifies the creator. This allows for efficient tracking and searching using the column search functionality.

Additionally, these Findings are reflected in the Dashboard widget, where users can filter to view "All" findings or specifically search across DRONE or user-generated Findings using the provided tabs. This new feature in AIR 4.13 significantly empowers users to tailor their investigative processes with enriched data and personalized analysis.

6. MITRE ATT&CK

7. Details View

To match your viewing preferences and monitor setup, the Details view for selected evidence items is both dockable and detachable. You can either open a separate, independent window to display the evidence details or use the icon shown below to toggle the position of the Details window.

Dockable Evidence Details Window: This feature allows you to toggle the Details window between a vertical display on the right side of the browser window and a horizontal display at the bottom. Simply click the icon to switch between these views.

In the Details window, there may be occasions when some fields are empty. To minimize clutter from these empty fields, you can use the 'Hide Empty Fields' feature. This option allows you to clean up the interface by displaying only those fields that contain information.

Detachable Evidence Details Window: This feature allows users to open evidence details in a standalone window that can be resized and repositioned anywhere on the screen(s) for improved clarity. The window maintains its form even when displaying new evidence items. Clicking on a new row in the table updates the detached details view to match the newly selected item. This flexibility allows investigators to compare multiple pieces of evidence side by side, improving the overall analysis process.

Details View Example:

The screenshot above shows a typical Details view for a file selected in the table view. This particular file is a Scheduled Task entry with a DRONE Finding Type of 'High'.

The "Digital Sign Status As Text" field describes the state of the file's digital signature in words. A status of "Bad Digest" means the signature check failed at the hash comparison step.

Specifically, "Bad Digest" means that the hash calculated over the file as it exists on the asset does not match the hash that was embedded in the signature when the file was signed (for Windows executables, the Authenticode digest). The file has therefore been altered or corrupted after it was signed, and it can no longer be trusted as authentic or unmodified from its signed state. Note that this check is independent of certificate trust: the signing certificate can still chain to a trusted root and carry a well-known signer name, so the signer name alone says nothing about whether the file on disk is the one that was signed. This status is a critical indicator when verifying the legitimacy and integrity of software downloads and updates, and a Bad Digest on a binary launched by a Scheduled Task, as here, is a strong tampering signal worth pivoting on.
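To make "Bad Digest" concrete, here is an added Python example (not Binalyze code, and not how AIR computes the status internally) that hashes a PE image the way Authenticode does: everything except the CheckSum field, the Certificate Table directory entry and the certificate table itself, which are the parts a signing tool rewrites. It builds a constructed minimal PE32 in memory instead of reading a real binary; the helper names authenticode_hash, digest_status and build_sample_pe, the fake certificate blob and the sample section bytes are all assumptions for the example.

```python
import hashlib
import hmac
import struct


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Digest a PE image as Authenticode does: skip the CheckSum field, the
    Certificate Table directory entry and the certificate table itself."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:            # PE32
        data_dirs = opt + 96
    elif magic == 0x20B:          # PE32+
        data_dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt + 64
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    cert_entry = data_dirs + 4 * 8   # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_entry)

    h = hashlib.new(algo)
    h.update(pe[:checksum_off])                    # headers up to CheckSum
    h.update(pe[checksum_off + 4:cert_entry])      # skip CheckSum, up to cert entry
    h.update(pe[cert_entry + 8:size_of_headers])   # skip cert entry, rest of headers

    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):     # ascending PointerToRawData
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    if len(pe) > hashed:                           # trailing data (overlay)
        tail = pe[hashed:]
        if cert_size and cert_off >= hashed:       # carve out the certificate table
            rel = cert_off - hashed
            tail = tail[:rel] + tail[rel + cert_size:]
        h.update(tail)
    return h.hexdigest()


def digest_status(pe: bytes, signed_digest_hex: str, algo: str = "sha256") -> str:
    """'Valid' if the image still hashes to the digest that was signed,
    otherwise 'Bad Digest' (content changed after signing)."""
    actual = authenticode_hash(pe, algo)
    return "Valid" if hmac.compare_digest(actual, signed_digest_hex.lower()) else "Bad Digest"


def build_sample_pe(payload: bytes, checksum: int = 0, cert_blob: bytes = b"") -> bytes:
    """Constructed minimal PE32 with one .text section; not a runnable executable.
    cert_blob stands in for the PKCS#7 blob a signing tool appends."""
    e_lfanew, size_of_headers = 0x40, 0x200
    cert_off = size_of_headers + len(payload) if cert_blob else 0
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 60, size_of_headers)
    struct.pack_into("<I", opt, 64, checksum)                    # CheckSum (not hashed)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 128, cert_off, len(cert_blob))  # security directory
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(size_of_headers, b"\0")
    return headers + payload + cert_blob


if __name__ == "__main__":
    text = b"constructed .text bytes standing in for real code"
    signed = authenticode_hash(build_sample_pe(text, checksum=0x1234, cert_blob=b"fake PKCS#7"))
    print("digest at signing:", signed)
    print("same file, new CheckSum:", digest_status(build_sample_pe(text, checksum=0x9999), signed))
    print("one byte patched after signing:", digest_status(build_sample_pe(text + b"!"), signed))
```

The point of the exclusions is that re-signing or re-checksumming a file leaves the digest unchanged, whereas a single patched byte in any section or in the overlay does not; that is exactly the difference between a file that merely carries a different certificate and one that has been altered after signing.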

Searching the hash value shown in the Details window across the Investigation Hub immediately reveals other Findings associated with this file:

Now we can see that there are two High Findings, each mapped to the MITRE ATT&CK Tactics and Techniques shown.

8. Advanced Filters

The advanced filter save feature boosts efficiency by enabling users to save and share custom filters within an AIR organization. This functionality streamlines data analysis, promotes consistency, and enhances collaboration throughout the investigative process.

The Advanced Filter window remains visible as you build the filter and you can reposition it.

Each Advanced Filter is specific to the table it is built in, e.g. an advanced filter you build in Findings will not be available to you in the Browser Artifact table.

Filters can be saved and then later selected from the drop-down list.

Add items to Advanced Filters directly from the Details window using the filter icon:

Regex Operator Support in Advanced Filters

The Investigation Hub includes regex (regular expression) operator support within the Advanced Filters section. This enables more powerful and flexible data filtering across cases, triage results, and evidence views.

How It Works: Regex filtering is available via the existing Contains filter dropdown, with the following operator options:

  • Doesn't match RegEx (case sensitive)

  • Matches RegEx (case sensitive)

  • Doesn't match RegEx (case insensitive)

  • Matches RegEx (case insensitive)

These options allow you to create highly granular search conditions, ideal for forensic analysts dealing with variable or loosely structured data inputs.

Example Use Cases and Syntax Explained:

  • Locate executables matching a naming convention (regex ^cmd.*\.exe$). Explanation:

    • ^ anchors the match to the start of the string

    • cmd looks for the literal text "cmd"

    • .* matches any number of any characters (except newline)

    • \.exe matches the literal file extension .exe (note the backslash escapes the dot)

    • $ anchors the match to the end of the string

    • Use case: Filters for files like cmd.exe, cmd123.exe, or cmd_tool.exe. Because ^ and $ anchor to the start and end of the field value, apply this pattern to a file-name column; against a full-path column (e.g. C:\Windows\System32\cmd.exe) it will not match, and the case-sensitive operator will also miss CMD.EXE.

  • Identify registry keys containing GUIDs (regex [A-Fa-f0-9]{8}-([A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}). Explanation:

    • [A-Fa-f0-9]{8} matches 8 hexadecimal characters

    • - matches a literal hyphen

    • ([A-Fa-f0-9]{4}-){3} matches three groups of 4 hex characters followed by a hyphen

    • [A-Fa-f0-9]{12} matches the final 12 hex characters

    • Use case: Matches standard Windows GUIDs like f81d4fae-7dec-11d0-a765-00a0c91e6bf6. The pattern is unanchored, so it also finds GUIDs wrapped in braces inside a longer key path, and the character class already accepts both upper- and lower-case hex digits.
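The four operators and the two patterns above, applied in code as an added Python example (not Binalyze code, and not how the Investigation Hub implements filtering internally). It runs the patterns over constructed sample rows, assumes "Matches" uses search semantics (a pattern matches if it is found anywhere in the field unless anchored), and adds a path-aware variant, EXE_IN_PATH, for file-path columns; the row data, field names and the regex_filter helper are all constructed for the example.

```python
import re

# The four operators in the Advanced Filters dropdown, mapped to (negate, ignore_case).
# Assumption (not stated on the page): "Matches" uses search semantics.
OPERATORS = {
    "Matches RegEx (case sensitive)": (False, False),
    "Doesn't match RegEx (case sensitive)": (True, False),
    "Matches RegEx (case insensitive)": (False, True),
    "Doesn't match RegEx (case insensitive)": (True, True),
}

# Constructed sample rows standing in for evidence tables; not real collected data.
SCHEDULED_TASKS = [
    {"id": 1, "name": "cmd.exe", "path": r"C:\Windows\System32\cmd.exe"},
    {"id": 2, "name": "CMD_tool.exe", "path": r"C:\Users\Public\CMD_tool.exe"},
    {"id": 3, "name": "cmd123.exe", "path": r"C:\Temp\cmd123.exe"},
    {"id": 4, "name": "cmdline.txt", "path": r"C:\Temp\cmdline.txt"},
    {"id": 5, "name": "powershell.exe",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
REGISTRY_KEYS = [
    {"id": 10, "key": r"HKLM\SOFTWARE\Classes\CLSID\{F81D4FAE-7DEC-11D0-A765-00A0C91E6BF6}\InprocServer32"},
    {"id": 11, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"id": 12, "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
                      r"\{9f2d3c11-3b0c-4a1f-8f2e-5a5e1c2b3d4e}"},
]

EXE_NAME = r"^cmd.*\.exe$"                 # the page's pattern: whole field is the file name
EXE_IN_PATH = r"(^|\\)cmd[^\\]*\.exe$"     # path-aware variant: last path component only
GUID = r"[A-Fa-f0-9]{8}-([A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}"


def regex_filter(rows, field, pattern, operator):
    """Return the ids of rows whose `field` satisfies the operator/pattern pair."""
    negate, ignore_case = OPERATORS[operator]
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return [r["id"] for r in rows if bool(rx.search(str(r.get(field, "")))) != negate]


if __name__ == "__main__":
    for op in OPERATORS:
        print(f"{op:40} name  -> {regex_filter(SCHEDULED_TASKS, 'name', EXE_NAME, op)}")
    print("page pattern on a path column      ->",
          regex_filter(SCHEDULED_TASKS, "path", EXE_NAME, "Matches RegEx (case insensitive)"))
    print("path-aware pattern on a path column ->",
          regex_filter(SCHEDULED_TASKS, "path", EXE_IN_PATH, "Matches RegEx (case insensitive)"))
    print("registry keys containing a GUID     ->",
          regex_filter(REGISTRY_KEYS, "key", GUID, "Matches RegEx (case sensitive)"))
```

Running it shows the case-sensitive operator dropping CMD_tool.exe, the anchored file-name pattern matching nothing on a full-path column, and the GUID pattern picking up both the braced upper-case CLSID and the lower-case interface GUID.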

9. Automatic Report Generation - Wizard

AIR's automated report generation, used with the Compromise Assessment Report template, populates a report with the relevant investigation information and offers pre-built, customizable sections tailored to different stakeholders and audiences.

Generating a Report: Users can initiate report generation from the Secondary Menu under "Reports" or directly from the Dashboard action button using AIR’s Compromise Assessment report template. The report generation process has been refined to allow for greater customization and flexibility:

  1. Initial Setup and Customization:

  • Include all findings from the Investigation Hub, encompassing DRONE findings and user-generated findings, excluding any that have been previously filtered out.

  • Filter which assets and associated tasks to include based on relevance to the report.

  • Apply additional filters by the severity of findings and by flags to tailor the content further.

  2. Inclusion of Evidence:

  • Users can choose to incorporate evidence linked to flagged items, enhancing the report with crucial items of note that may not be categorized as findings.

  3. Report Customization:

  • Add a company logo to the report, enabling service providers to brand reports for their clients.

  • Name the report and set the date/time to ensure clarity and relevance.

  • Select specific sections to include in the report based on the intended audience, ensuring the content is appropriate and targeted.

Final Steps and Editing: Once the report is generated by clicking <Generate Report>, it remains fully editable within an HTML iframe editor. This flexibility allows analysts and responders to append additional analysis notes, recommendations, and other pertinent information as needed.

Post-Creation Options:

  • Save: Saves the current HTML version of the report, allowing further modifications in the future.

  • Export PDF: Converts the report into a PDF file for distribution or archiving.

Both HTML and PDF versions of the report can be managed, edited, generated, exported, and deleted from the "Reports" tab in the Secondary Menu of the Investigation Hub.

This wizard-driven approach not only simplifies the report generation process but also provides users with powerful tools to create detailed, customized reports that meet specific requirements, all within a few clicks.
