What is an Analysis Pipeline?
Brief overview of DRONE's Analysis Pipeline
Traditional security tools often rely heavily on signature-based detection—a method that struggles to keep pace with modern, fast-evolving threats. Binalyze AIR addresses this challenge by incorporating DRONE, an advanced automated analyzer designed to rapidly evaluate collected evidence with forensic precision.
The Analysis Pipeline Approach
At the heart of DRONE is the Analysis Pipeline, a modular evaluation framework that scrutinizes each evidence item across multiple stages. Each stage, or pipeline, targets a specific category or characteristic, such as suspicious processes, unusual network behavior, file anomalies, or signs of persistence.
As the evidence progresses through these pipelines, DRONE applies a combination of proprietary analyzers, YARA rules, Sigma rules, and osquery-based logic to assess the forensic significance of each artifact. When an issue is detected, it is logged as a finding, with one of four possible severity classifications:
High – Confirmed malicious behavior or artifacts indicating critical compromise.
Medium – Indicators of suspicious or potentially unwanted behavior.
Low – Anomalies or uncommon patterns that may warrant further investigation.
Matched – Items flagged through either:
Keyword hits, where the evidence matches one or more pre-defined text, wildcard, or regular expression patterns, or
Triage rule matches, where custom YARA, Sigma, or osquery rules, applied at the time of acquisition or through manual triage, identify relevant indicators.
This Matched category is particularly powerful as it allows analysts to surface evidence linked to threat hunting hypotheses, indicators of compromise (IOCs), or tactical queries — even when the finding does not yet have a known severity. It ensures investigators never miss contextually important clues, even if those clues are not immediately classifiable as high or medium severity.
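To make the staged model concrete, the following is an added illustration written for this page, not Binalyze's or DRONE's code: a toy pipeline in which each stage is a class with an analyze() method, every evidence item passes through every stage, and each stage emits findings labelled High, Medium, Low, or Matched. The stage heuristics, the evidence records, the keyword patterns, and the names ProcessStage, PersistenceStage, KeywordStage, run_pipeline and analyze_sample are all constructed for the example; the "Matched" stage shows the three keyword-hit kinds named above (plain text, wildcard, regular expression).

```python
"""Toy evidence analysis pipeline (constructed example; not DRONE's implementation)."""
import fnmatch
import re
from dataclasses import dataclass

# The four severity labels from the page, ordered so output can be prioritised.
SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Matched": 3}


@dataclass(frozen=True)
class Finding:
    severity: str     # High / Medium / Low / Matched
    stage: str        # which pipeline stage produced the finding
    evidence_id: str  # the artifact the finding refers to
    detail: str       # human-readable reason


class ProcessStage:
    """Hypothetical 'suspicious process' stage with two toy heuristics."""
    name = "suspicious_process"

    def analyze(self, item):
        if item["type"] != "process":
            return []
        cmdline = item["cmdline"].lower()
        if "-encodedcommand" in cmdline:
            return [Finding("High", self.name, item["id"], "encoded PowerShell command line")]
        if item.get("parent", "").lower() == "winword.exe":
            return [Finding("Medium", self.name, item["id"], "process spawned by an Office application")]
        return []


class PersistenceStage:
    """Hypothetical 'persistence' stage: autorun value that points into a user profile."""
    name = "persistence"
    RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run"

    def analyze(self, item):
        if item["type"] != "registry":
            return []
        if item["key"].lower().startswith(self.RUN_KEY) and "\\appdata\\" in item["value"].lower():
            return [Finding("Low", self.name, item["id"], "Run key value resolves into AppData")]
        return []


class KeywordStage:
    """'Matched' stage: text, wildcard and regex keyword hits over every field of every item."""
    name = "keyword_match"

    def __init__(self, text=(), wildcard=(), regex=()):
        self.text = [t.lower() for t in text]
        self.wildcard = [w.lower() for w in wildcard]
        self.regex = [re.compile(r, re.IGNORECASE) for r in regex]

    def analyze(self, item):
        haystack = " ".join(str(v) for v in item.values())
        low = haystack.lower()
        hits = [f"text:{t}" for t in self.text if t in low]
        hits += [f"wildcard:{w}" for w in self.wildcard if fnmatch.fnmatch(low, w)]
        hits += [f"regex:{r.pattern}" for r in self.regex if r.search(haystack)]
        return [Finding("Matched", self.name, item["id"], h) for h in hits]


def run_pipeline(evidence, stages):
    """Push every evidence item through every stage; return findings, most severe first."""
    findings = []
    for item in evidence:
        for stage in stages:
            findings.extend(stage.analyze(item))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.evidence_id))


def default_stages():
    # Keyword patterns are constructed for the sample evidence below.
    return [
        ProcessStage(),
        PersistenceStage(),
        KeywordStage(text=("updater.exe",), wildcard=("*\\temp\\*",), regex=(r"-enc(odedcommand)?\b",)),
    ]


# Constructed evidence records; values are placeholders, not real artifacts.
SAMPLE_EVIDENCE = [
    {"id": "proc-1", "type": "process", "name": "powershell.exe",
     "cmdline": "powershell.exe -NoP -EncodedCommand <base64 placeholder>", "parent": "explorer.exe"},
    {"id": "proc-2", "type": "process", "name": "cmd.exe",
     "cmdline": "cmd.exe /c dir", "parent": "WINWORD.EXE"},
    {"id": "reg-1", "type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "name": "Updater", "value": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"},
    {"id": "file-1", "type": "file", "path": "C:\\Temp\\notes.txt", "sha256": "<placeholder hash>"},
]


def analyze_sample():
    return run_pipeline(SAMPLE_EVIDENCE, default_stages())


if __name__ == "__main__":
    for f in analyze_sample():
        print(f"{f.severity:<8} {f.evidence_id:<8} {f.stage:<20} {f.detail}")
```

Note that one artifact can carry several findings: proc-1 gets a High verdict from the process stage and, independently, a Matched hit from the regex keyword, which is exactly why the Matched category is kept separate from the severity scale rather than folded into it.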
Findings in the Investigation Hub
All findings, including "Matched" hits, are made available in the Investigation Hub — AIR’s unified workspace that consolidates triage results, acquisition data, and analysis verdicts from multiple assets and cases. The integration of severity-scored and keyword/triage-matched results enables faster triage, prioritization, and response, especially across large-scale or multi-asset investigations.
This methodical and automated analysis pipeline ensures forensically sound, scalable, and efficient evidence evaluation, helping analysts quickly home in on what matters most.