Investigation Hub
Harness the power of consolidation, prioritization, and collaboration for efficient incident response investigations

What is the AIR Investigation Hub?
AIR automates the rapid generation and presentation of a clear DFIR intelligence report directly within the Investigation Hub. This report instantly highlights DRONE's findings and consolidates all Acquisition and Triage data from multiple assets into a single view known as the Investigation Hub.
This central dashboard immediately elevates your investigation, providing analysts with a seamless experience that allows them to sort, exclude findings, filter, flag, bookmark, and easily investigate the data. The user-friendly interface streamlines the analysis process, empowering analysts to efficiently navigate and interpret the information to uncover insights and actionable intelligence.
The Investigation Hub offers a unified and well-organized view of assets, evidence, artifacts, and triage results within a case. This allows you to efficiently review and concentrate your investigation on pertinent details using filters and a powerful global search function, eliminating the need to switch between screens to piece data together manually.
The Intelligence Hub delivers Findings derived from AIR's automated DRONE analyzers, giving you a head start in any investigation.
With DRONE's proprietary analyzers, combined with YARA, Sigma, and osquery scanning, you can analyze assets and evidence at speed, identifying compromised machines to streamline the process of sifting through often massive datasets.
The integrated MITRE ATT&CK mapping provides context to discern the nature of threats, stay ahead of the attack's progression, and pinpoint areas needing further investigation.
The benefits of the Investigation Hub
All in one place - all AIR data acquisitions, results of DRONE analysis, and Triage scans of the assets related to a chosen case are now available in one place, making the work of analysts and investigators much faster and simpler.
Efficiency and Speed - analysts can easily navigate to a specific endpoint in the Case while simultaneously leveraging information from all their endpoints in a high-level overview of the entire Case. Therefore, much faster decisions can be made, such as where to start and focus investigations, but also where to divert resources when the Investigation Hub highlights new information.
All multi-asset investigations become far more efficient within the Investigation Hub, especially as we now allow users to 'Bring Your Own Evidence' (BYOE):
Seamlessly import .csv files into the Investigation Hub using our data mapping service, accommodating all forms of structured .csv data.
Efficiently import and analyze .pst files, enabling the display of email data within the Investigation Hub for a more comprehensive examination.
The DRONE findings table can be exported from the Investigation Hub into a .csv file, enabling the integration of DRONE's analysis results into reports, SIEM, or other security tools for the development of custom alerts.
Do I have to install or update my existing Infrastructure?
The Investigation Hub is included as part of the standard AIR installation.
All of our hardware and software requirements are described in the Setup section of the KB; no additional infrastructure updates are required.
Where to find the Investigation Hub
The Investigation Hub operates at the case level and is generated from the data collected for individual cases. To access it, navigate to 'Cases' in the Main menu. Once you've selected the case of interest, you can access the Investigation Hub via the action button located in the main viewing area:

Collaboration
AIR is a highly collaborative platform that allows multiple users to access the system simultaneously. Each user's privileges can be finely adjusted based on roles assigned by the system's owner or administrator. As the fastest and most comprehensive DFIR platform globally, AIR's efficiency is further enhanced through team collaboration.
The Activity Feed
The Activity Feed enhances team collaboration and transparency by logging actions taken by investigators. This includes creating exclusions, findings, flags, comments, and notes. Each entry includes user identification and timestamp information to ensure a comprehensive audit trail.

Each activity is labeled and linked to the item it relates to, which you can open by simply clicking on the activity. In the example below, we can see how Comment Added, Note Added, Flag Added, and Exclusion Rule Created have all been tracked as activities.
Adding Comments to the Evidence
Comments enhance communication by allowing analysts to directly comment on findings and tag relevant colleagues. This ensures that all discussions are captured and documented within the activity feed, promoting effective collaboration and activity tracking.
Right-click on an item and select ‘Comment’ to attach your comment to that item:
You can tag users in a comment, and they can view the item by clicking on the comment in their Activity Feeds:
Each table shows only the Activities, Comments, and Flags that are relevant to that table.