Using the AIR Investigation Hub
Last updated
Was this helpful?
Last updated
Was this helpful?
The Investigation Hub offers a centralized and well-organized interface to manage all case-related elements, including assets, evidence, artifacts, and triage results. It simplifies the investigative process by providing efficient filtering options and a robust global search feature, eliminating the need to switch between tools or manually piece together information from various sources.
This hub is designed to elevate the investigative process by seamlessly integrating additional data sources and context through data-importing capabilities. This means you can augment your analysis by importing relevant data and context, ensuring that you have access to a comprehensive and updated information set for your investigation.
The Investigation Hub is not static, it is a living and breathing space that will ingest and consolidate every report allocated to a case as the investigation progresses.
The remainder of this page delves into the various sections that comprise the displayed information. It's beneficial to become familiar with this layout to easily locate the specific data you're interested in. Given the diverse nature of investigative needs, users may employ various methods to explore this data.
Read more; you may find the article titled '' to be a valuable example of one such approach.
Within this article, we will delve into the different perspectives offered by the Investigation Hub and provide suggestions on how users can effectively utilize its functionality.
The Investigation Hub can be broken down into six sections:
Header
Secondary Menu
Dashboard & Widgets
Evidence
Findings & Results Table
MITRE ATT&CK
Details View
Automated Report Generation
The Header is a persistent element across all views within the Investigation Hub.
To the right of the AIR icon is a Global Search input box. This search capability is highly versatile, enabling users to perform searches across all data within the Investigation Hub for the current case. This encompasses acquisition and triage data, as well as any imported data and findings identified by DRONE, ensuring a comprehensive and integrated approach to investigations.
The Activity Feed enhances team collaboration and transparency by logging actions taken by investigators. This includes creating exclusions, findings, flags, comments, and notes. Each entry includes user identification and timestamp information to ensure a comprehensive audit trail.
All of the activities are labeled and linked to the individual activity simply by clicking on it. In the example below, we can see how the user has filtered to 'Only me', showing all activity with the newest first:
Notifications are accessed via the bell notifications icon, which displays a count (up to 99) of the unread notifications.
To the right of the Notifications icon is the name of the Organizational environment in which the user is working. From this link, the user can access the Organization Settings, change the Organization, or add a new one.
Towards the right side of Activities, users have the option to modify time zone settings for all timestamps within the hub, should the need arise.
At the top of the Secondary Menu, the name of the current case (e.g., 'DayOne' in this example) is prominently displayed. From here, users can choose the view to display in the main viewing window of the Investigation Hub, selecting from:
Dashboard
Reports
Findings
Exclusions
Evidence
The bottom half of the Secondary Menu is dedicated to applying Global Filters to the current case, enhancing the ability to narrow down the displayed information. Users can filter by:
Asset
Finding Type
Flag
Dates and Times
Creator
These filtering options, combined with the logical AND switch, enable users to customize and refine the display to show only the most relevant items based on multiple selected criteria. This structured approach helps streamline navigation and improves the efficiency of the investigative process in the Investigation Hub.
Global Filters: Filtering by Assets introduces a tertiary menu, allowing users to delve deeper into data granularity. This menu enables the selection or exclusion of specific information for analysis within the Investigation Hub, focusing on particular assets. Following this, a 'quaternary menu' becomes available, offering the ability to further refine the view by filtering through individual tasks associated with a chosen asset. This layered approach to filtering ensures that users can precisely tailor the data they review, making their investigative process more focused and efficient.
The Dashboard provides investigators with a high-level overview of their case, highlighting key issues and investigative opportunities. It features dynamic widgets that automatically update as new evidence and artifacts are added, ensuring that investigators have the most current information at their disposal.
The action buttons on the Dashboard page enable three key activities:
Import .csv or .pst Files: Add these files directly to your case.
Generate Reports: Access the report generation wizard.
Export Flags to .csv: Export all flagged items, including bookmarks.
Additionally, the Overview widget allows for filtering by operating system, giving you a quick overview of key statistics for the case.
The Finding Type widget on the dashboard categorizes and filters findings as either DRONE automated, user-generated, or both. This widget simplifies the review process by presenting findings according to their severity levels:
Red: Indicates High severity
Orange: Denotes Medium severity
Blue: Represents Low severity
Dark Orange: Signifies Matched (keyword/Triage hit)
Each item within the widget is clickable, and the filtered results are displayed on the Findings page.
Additionally, version 4.13 streamlines the display of findings by reducing the number of Finding categories from eight to just the four through the following re-mapping:
Dangerous & High → High
Suspicious & Medium → Medium
Matched → Matched
Rare, Relevant & Low → Low
This simplification helps clarify the severity of findings, enhancing the investigative workflow.
High: Flags threats that pose immediate and significant risks, demanding urgent action to prevent or mitigate severe impacts. Example: An IIS process executing cmd.exe or powershell.exe, which could indicate a web shell.
Medium: Targets activities that deviate from expected norms and could be indicative of potential threats, suggesting a need for deeper scrutiny. Example: A running unsigned process located in a temporary folder, or use of known hacking tools like "mimikatz."
Low: Identifies less critical but still unusual activities that could benefit from further investigation to clarify their nature and intent. Example: System-level processes initiated by non-privileged users, or processes operating from non-existent directories.
Matched: Involves confirmed matches to predefined security rules, keywords, hashes, or patterns within the analyzed data, signaling recognized threat indicators. Example: A detected scheduled task named "MalwareTask*" that aligns with a user-defined keyword "MalwareTask*".
The MITRE ATT&CK widget provides an invaluable overview by displaying how many findings within a case have been mapped to various Tactic and Techniques from the MITRE ATT&CK framework. This framework is a globally recognized knowledge base of adversary tactics and techniques based on real-world observations. It is used extensively for threat modeling and cybersecurity defense.
By incorporating the MITRE ATT&CK widget into the dashboard, investigators can quickly identify patterns and methods used in cyber attacks, facilitating a deeper understanding of the threat landscape. This visibility enables users to align their defense strategies more accurately with the tactics and techniques that adversaries are most likely to use, improving the effectiveness of their security measures. The widget's ability to show the distribution of findings across different categories not only helps in pinpointing vulnerabilities but also aids in prioritizing responses to the most critical threats based on the observed attack patterns.
The Top Asset Breakdown widget highlights the most significant assets within the current case, emphasizing those with the most severe issues. This feature provides a clear and concise view of critical vulnerabilities, helping investigators prioritize their response efforts based on the urgency and impact of the identified problems.
The "Flags" widget provides a comprehensive overview of all flagged items, each accompanied by their respective counts. This widget allows for the customization of flags by users, who can modify both the name and color of each flag to suit their needs.
The default "Bookmark" flag is pre-established and cannot be edited. Additional custom flags, once created, are stored and listed within the library for easy access.
*Note: Flags are configured at the Organization level, so are not just case-specific. Therefore, any edits or deletions to flags will have a global effect for the Organization and are only permitted for users with Case Management privileges. This ensures consistent flagging practices across all cases and preserves the integrity of the flagging system.
Under the heading Evidence, all of the evidence items that have been collected as part of a tasking, even where there has been a null return, will be displayed.
A count will be displayed next to each evidence item to indicate the number of associated Findings. For example, in the screenshot below, there are 14 high-priority Findings for Persistence>Scheduled Tasks, 3 medium-priority Findings for Persistence>Registry, and other items are shown with counts but have no Findings associated. This feature helps to quickly identify and prioritize areas of interest within the evidence.
Triage results and Imported evidence items are also displayed in this Evidence section
Within the Secondary Menu, users have the flexibility to dynamically include or exclude case assets, including imported evidence like .pst or .csv files. Assets are categorized either by the operating system or by the name of the imported evidence for ease of management. In the example above, the Windows asset called RichardBurton has been deselected so none of the evidence from this asset will be displayed in any of the Findings views.
Other Evidence is a category for items that are Findings without a dedicated entry in the Investigation Hub.
All findings without a specific category will be grouped under 'Other Evidence'. This ensures every finding is allocated an evidence record within a category, allowing the total count of findings on the Investigation dashboard to match the number shown in the evidence list accurately.
Within the Secondary Menu, Findings are categorized and displayed alongside a count for each evidence type where applicable. The severity of each Finding is color-coded for quick identification:
Red: Indicates High severity
Orange: Denotes Medium severity
Blue: Represents Low severity
Pink: Signifies Matched (keyword hit)
This system allows for an immediate visual assessment of the evidence's priority level.
Under the Evidence sub-heading section the secondary menu will display all of the evidence items that have been collected as part of a tasking, even where there has been a null return. In the example below we can see that the Hide Empty Pages filter has been activated.
In the screenshot shown above, the acquired evidence from the App Compat Cache has been highlighted for focused viewing. As a result, the main viewing area is exclusively dedicated to displaying all the evidence gathered from the App Compat Cache. In this particular example, one 'Matched' item has been singled out, and its comprehensive details are presented in the section below in the 'Details' tab.
It's important to highlight that in this scenario, the table has been sorted based on the findings column to order the view by the severity of the findings. Additionally, users have the flexibility to rearrange and resize columns according to their preferences. Furthermore, users can customize which columns are visible in the table using the Column Chooser feature, which is available on all pages with tables within the Investigation Hub.
The Evidence section displays both triage results and imported evidence items, offering comprehensive insight into gathered data.
Highlighted in the above screenshot, additional table functionality enhances user interaction and data management:
Flag Column: This column showcases flagged items and enables filtering and sorting based on flag status.
Magnifying Glass Icon: Offers extensive filtering and searching capabilities with options like Contains, Does Not Contain, Starts With, Ends With, Equals, and more, allowing precise control over displayed data.
Dockable Details Pane: Users can choose to dock this pane on the right side or at the bottom of the window. Clicking the icon toggles the Details pane's orientation from vertical to horizontal and vice versa, adapting to user preference and screen layout.
Filtered Items Reminder: A helpful reminder of the currently applied filters, ensuring users are aware of the viewing context.
Date & Time Picker: Allows users to narrow down evidence to specific time periods, facilitating focused analysis.
Created By Column: In the Findings table the Created By column will show if the finding was generated by DRONE or a user.
Highlight to search: This allows users to highlight text in the Investigation Hub tables, as shown below, right-click on the selecton, select the magnifying glass that appears and then choose to "Search in Findings table, Search in the Investigation Hub, Search in Google or search in Virus Total.
Fullscreen Evidence Tables: Users can view evidence tables in full-screen mode, ideal for large datasets with multiple columns and rows. This feature maximizes screen space, allowing easier navigation and analysis of complex data without the need for scrolling or resizing. To exit fullscreen mode, simply click the Exit-Fullscreen icon.
Sticky Column Headings: The selection and position of columns will remain saved in your browser across all AIR sessions unless you clear your browser cookies. This ensures your preferred layout and data organization stay consistent, enhancing both efficiency and user experience.
The Investigation Hub flagging feature allows users to create custom flags to mark evidence and findings they deem significant during an investigation. This flagging functionality can be used to filter by flags and facilitates collaboration with other investigators, helping to mark items for re-examination or highlighting important details for potential inclusion in reports.
Users create custom flags by right-clicking on a finding or evidence item, selecting ‘Add/Remove Flag’, and then creating a name, description, and color for the flag from the 11 default options, or click the '+' to select your own colour from a palette:
Multiple items can be flagged simultaneously using the Bulk Actions bar:
Hovering over the flag of a flagged item in the table view will reveal:
The name of the flag
Who created the flag
The date & time it was created
Flags are saved at the Organization level in Libraries, therefore they will be available to all cases created in the same Organization.
Creating new flags or editing existing flags can be done in Libraries if the user has Case Management privileges.
The Bookmark Flag is the only fixed/permanent flag.
Users can use the advanced filter to include or exclude flagged items in the Investigation Hub table views, enhancing the ability to focus on prioritized or highlighted evidence.
AIR's DRONE capability enhances decision support by leveraging built-in YARA, Sigma, and osquery rules to quickly identify compromised assets. By analyzing evidence, DRONE generates Findings that highlight key investigative opportunities, helping prioritize and streamline investigations efficiently.
During an investigation, users may encounter Findings that are not relevant to their case. The Investigation Hub allows them to exclude these Findings, helping investigators stay focused on pertinent information.
AIR offers two exclusion methods:
Exclusion Rules – Allows exclusion of a Finding either by its location/path OR, regardless of its location, based on the finding itself.
Individual Exclusions – This method allows users to manually exclude any Findings within a case, based on their specific needs or investigation requirements, without the need to create a rule.
Right-click on a Finding and choose "Exclude by Rule" from the context menu.
Exclude by: Customize the exclusion based on the path in two ways: On the specific path, which excludes an item only if found in that particular location, or based on the finding, which excludes the item regardless of where it is found on the asset.
Scope: Decide whether to exclude from just this case, all cases within the organization.
Target: Apply the rule to the selected asset, or all assets in the case.
(Exclusion by hash value is coming soon)
This method allows users to manually exclude any Findings within individual cases, based on their specific needs or investigation requirements, without the need to create a rule.
Right-click on a Finding and choose "Exclude" from the context menu.
Users can either select an existing reason for exclusion or create a new one. Any newly added reason will be saved and included in the list of available exclusion reasons for future use.
All excluded Findings are removed from the Findings table and added to the Exclusions table (directly below Findings in the Secondary Menu) as shown below. This feature enables teams to cross-validate and resolve discrepancies as needed.
At the top of the page, users can click "Manage Rules" to modify or delete Exclusion Rules. However, individual exclusions cannot be edited—they can only be deleted. This allows users to refine exclusion settings while maintaining control over how findings are managed.
In the Organization Library under "Finding Exclusions Rules," users can change the scope from Case to Organization, apply exclusions from one asset to all assets in the organization, or completely delete rules if they have "Case Management" privileges.
In the Organization Library, users can also select Exclusion Rules to delete via the Bulk Action Bar as shown below.
Tooltips are provided throughout to guide users in utilizing these customizable options effectively. After an exclusion is applied, users have a brief opportunity to undo the operation or close the notification, ensuring that actions are deliberate and retrievable.
This Exclusions Capability significantly streamlines the investigative process, allowing investigators to maintain focus on essential evidence while managing irrelevant data efficiently.
The Notes feature enhances collaboration by allowing users to attach notes to any evidence item or Finding, without the requirement for the item to be bookmarked. These notes are accessible to the entire team working on the case and are displayed in the Notes column of the table view.
This feature is particularly useful for enhancing communication within the team, as it allows for the sharing of insights and observations directly alongside the relevant evidence. Furthermore, notes can be seamlessly integrated into reports through AIR’s “Generate Report” feature, which supports the creation of customizable reports. Additionally, notes can be exported for external use.
Overall, the Notes feature in AIR 4.13 streamlines case documentation and enhances the reporting process, making it an essential tool for collaborative investigations.
In previous versions of AIR, the decision-support system, including the automated evidence analyzers known as DRONE, helped users prioritize their investigative steps. With the release of AIR 4.13, users now have the capability to generate their own Findings, enhancing the depth of investigations by incorporating personal insights, organizational context, or specific investigative details.
For instance, from the Evidence page, users can right-click on an item and select "Mark as Finding" to manually allocate a Finding to it. This process involves several steps:
Selecting a Finding Type: Users choose from pre-defined types such as High, Medium, Low, or Matched.
Adding a Description/Label: This describes or labels the Finding for clarity and reference.
Detailing the Path and Associating with MITRE ATT&CK TTP: Users can specify the file path and link the Finding to a specific tactic or technique from the MITRE ATT&CK framework.
Setting a Date: Users can also include the date when the Finding was identified or marked.
Upon confirming with "OK", the Finding type is displayed in the "Finding Type" column within the Evidence page, along with a column indicating who created the Finding. These user-generated Findings are then added to the "Findings" window, where they are distinguishable by a "created by" column, which shows whether a Finding is from DRONE or user-generated, and identifies the creator. This allows for efficient tracking and searching using the column search functionality.
Additionally, these Findings are reflected in the Dashboard widget, where users can filter to view "All" findings or specifically search across DRONE or user-generated Findings using the provided tabs. This new feature in AIR 4.13 significantly empowers users to tailor their investigative processes with enriched data and personalized analysis.
To match your viewing preferences and monitor setup, the Details view for selected evidence items is both dockable and detachable. You can either open a separate, independent window to display the evidence details or use the icon shown below to toggle the position of the Details window.
Dockable Evidence Details Window: This feature allows you to toggle the Details window between a vertical display on the right side of the browser window and a horizontal display at the bottom. Simply click the icon to switch between these views.
In the Details window, there may be occasions when some fields are empty. To minimize clutter from these empty fields, you can use the 'Hide Empty Fields' feature. This option allows you to clean up the interface by displaying only those fields that contain information.
Detachable Evidence Details Window: This feature allows users to open evidence details in a standalone window that can be resized and repositioned anywhere on the screen(s) for improved clarity. The window maintains its form even when displaying new evidence items. Clicking on a new row in the table updates the detached details view to match the newly selected item. This flexibility allows investigators to compare multiple pieces of evidence side by side, improving the overall analysis process.
Details View Example:
The screenshot above displays an example of a typical details view of a file selected in the table view. This particular file is a Scheduled Task entry which has a DRONE Finding Type 'High'.
The term "Digital Sign Status As Text" refers to the description of the status of a digital signature in text form. When you encounter "Bad Digest" as the status, it indicates an issue with the digital signature of a file or document.
Specifically, "Bad Digest" means that the hash value calculated from the downloaded or retrieved file does not match the hash value that was originally used when signing the document or file. This discrepancy suggests that the file may have been altered or corrupted after it was signed. Consequently, the integrity of the file is in question, and it can no longer be trusted as authentic or unmodified from its signed state. This status is a critical indicator in digital security practices, especially when verifying the legitimacy and integrity of software downloads and updates.
Searching the hash value revealed in the details window across the Investigation Hub immediately reveals other Findings associated with this file:
Now we can see that there are two High Findings that are mapped to MITRE ATT&CK Tactics and Techniques shown.
The advanced filter save feature boosts efficiency by enabling users to save and share custom filters within an AIR organization. This functionality streamlines data analysis, promotes consistency, and enhances collaboration throughout the investigative process.
The Advanced Filter window remains visible as you build the filter and you can reposition it.
Each Advanced Filter is specific to the table it is built in eg; an advanced filter you build in Findings will not be available to you in the Browser Artifact table.
Filters can be saved and then later selected from the drop-down list.
Add items to Advanced Filters directly from the Details window using the filter icon:
The Investigation Hub includes regex (regular expression) operator support within the Advanced Filters section. This enables more powerful and flexible data filtering across cases, triage results, and evidence views.
How It Works: Regex filtering is available via the existing Contains filter dropdown, with the following operator options:
Doesn't match RegEx (case sensitive)
Matches RegEx (case sensitive)
Doesn't match RegEx (case insensitive)
Matches RegEx (case insensitive)
These options allow you to create highly granular search conditions, ideal for forensic analysts dealing with variable or loosely structured data inputs.
Locate executables matching a naming convention: ^cmd.*.exe$
Identify registry keys containing GUIDs: [A-Fa-f0-9]{8}-([A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}
Locate executables matching a naming convention
Regex: ^cmd.*\.exe$
Explanation:
^ anchors the match to the start of the string
cmd looks for the literal text "cmd"
.* matches any number of any characters (except newline)
\.exe matches the literal file extension .exe (note the backslash escapes the dot)
$ anchors the match to the end of the string
Use case: Filters for files like cmd.exe, cmd123.exe, or cmd_tool.exe
Identify registry keys containing GUIDs
Regex: [A-Fa-f0-9]{8}-([A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}
Explanation:
[A-Fa-f0-9]{8} matches 8 hexadecimal characters
- matches a literal hyphen
([A-Fa-f0-9]{4}-){3} matches three groups of 4 hex characters followed by a hyphen
[A-Fa-f0-9]{12} matches the final 12 hex characters
Use case: Matches standard Windows GUIDs like f81d4fae-7dec-11d0-a765-00a0c91e6bf6
AIR's automated report generation feature alongside the Compromise Assessment Report template efficiently populates reports with relevant investigation information, offering pre-built, customizable sections tailored to different stakeholders and audiences.
Generating a Report: Users can initiate report generation from the Secondary Menu under "Reports" or directly from the Dashboard action button using AIR’s Compromise Assessment report template. The report generation process has been refined to allow for greater customization and flexibility:
Initial Setup and Customization:
Include all findings from the Investigation Hub, encompassing DRONE findings and user-generated findings, excluding any that have been previously filtered out.
Filter which assets and associated tasks to include based on relevance to the report.
Apply additional filters by the severity of findings and by flags to tailor the content further.
Inclusion of Evidence:
Users can choose to incorporate evidence linked to flagged items, enhancing the report with crucial items of note that may not be categorized as findings.
Report Customization:
Add a company logo to the report, enabling service providers to brand reports for their clients.
Name the report and set the date/time to ensure clarity and relevance.
Select specific sections to include in the report based on the intended audience, ensuring the content is appropriate and targeted.
Final Steps and Editing: Once the report is generated by clicking <Generate Report>, it remains fully editable within an HTML iframe editor. This flexibility allows analysts and responders to append additional analysis notes, recommendations, and other pertinent information as needed.
Post-Creation Options:
Save: Saves the current HTML version of the report, allowing further modifications in the future.
Export PDF: Converts the report into a PDF file for distribution or archiving.
Both HTML and PDF versions of the report can be managed, edited, generated, exported, and deleted from the "Reports" tab in the Secondary Menu of the Investigation Hub.
This wizard-driven approach not only simplifies the report generation process but also provides users with powerful tools to create detailed, customized reports that meet specific requirements, all within a few clicks.
MITRE ATT&CK serves as a global resource for adversary tactics and techniques, guiding threat models and methodologies across industries. Integrated with AIR, it continuously maps findings to ATT&CK, enhancing detection with up-to-date YARA rules for IoCs and TTPs. DRONE's implementation scans assets and processes using crafted rules, with automated rule updates in AIR. You can read more about DRONE in this blog, '.
