Investigation Hub

Harness the power of consolidation, prioritization, and collaboration for efficient incident response investigations

Investigation Hub: The Dashboard

What is the AIR Investigation Hub?

AIR automatically generates and presents a clear DFIR intelligence report within the Investigation Hub. This report instantly highlights DRONE's findings and consolidates all Acquisition and Hunt/Triage data from multiple assets into a single view.

This central dashboard immediately elevates your investigation, providing analysts with a seamless experience that allows them to sort, exclude findings, filter, flag, bookmark, and easily investigate the data. The user-friendly interface streamlines the analysis process, empowering analysts to efficiently navigate and interpret the information to uncover insights and actionable intelligence.

The Investigation Hub offers a unified and well-organized view of assets, evidence, artifacts, and triage results within a case. This allows you to efficiently review and concentrate your investigation on pertinent details using filters and a powerful global search function, eliminating the need to switch between screens to piece data together manually.

The Intelligence Hub delivers Findings derived from AIR's automated DRONE analyzers, giving you a head start in any investigation.

With DRONE's proprietary analyzers, combined with YARA, Sigma, and osquery scanning, you can analyze assets and evidence at speed, identifying compromised machines to streamline the process of sifting through often massive datasets.

The integrated MITRE ATT&CK mapping provides context to discern the nature of threats, stay ahead of the attack's progression, and pinpoint areas needing further investigation.

The benefits of the Investigation Hub

  1. All in one place - all AIR data acquisitions, results of DRONE analysis, and Hunt/Triage scans of the assets related to a chosen case are now available in one place, making the work of analysts and investigators much faster and simpler.

  2. Efficiency and Speed - analysts can easily navigate to a specific endpoint in the Case while simultaneously leveraging information from all of their endpoints in a high-level overview of the entire Case. Decisions can therefore be made much faster: where to start and focus investigations, and also where to divert resources when the Investigation Hub highlights new information.

  3. All multi-asset investigations become far more efficient within the Investigation Hub, especially as we now allow users to 'Bring Your Own Evidence' (BYOE):

    • Seamlessly import .csv files into the Investigation Hub using our data mapping service, accommodating all forms of structured .csv data.

    • Efficiently import and analyze .pst files, enabling the display of email data within the Investigation Hub for a more comprehensive examination.

  4. The DRONE findings table can be exported from the Investigation Hub into a .csv file, enabling the integration of DRONE's analysis results into reports, SIEM, or other security tools for the development of custom alerts.

Do I have to install or update my existing Infrastructure?

The Investigation Hub is included as part of the standard AIR installation.

All of our hardware and software requirements are described in the Setup section of the KB; no additional infrastructure updates are required.

Where to find the Investigation Hub

The Investigation Hub operates at the case level and is generated from the data collected for individual cases. To access it, navigate to 'Cases' in the Main menu. Once you've selected the case of interest, you can access the Investigation Hub via the action button located in the main viewing area:

Investigation Hub: Access is via Cases

Managing Case Access

When creating a new case, users can set the visibility to either Public to Organization (all users have access) or Private (restricted to specific users). This initial setting determines who can view and work on the case.

To manage case access after creation:

  1. Navigate to Cases from the Main Menu.

  2. Select a case to open the Case Details panel.

  3. In the Overview tab, scroll to the Users section.

  4. Click "+ Add Members" (or the assigned user count) to open the Assign Users modal.

Case Details: Assign Users modal with search functionality

The modal reflects the case's current visibility settings:

  • Private cases display only the users who have been specifically assigned access.

  • Public cases show all users within the organization as having access.

From this modal, you can:

  • Search for users using the search bar to quickly find team members in large organizations.

  • Assign users by clicking "+ Assign" next to their name to grant access.

  • Unassign users to remove their access from the case.

This allows investigation managers to adjust case visibility at any time, adding or removing team members as the investigation evolves.

Collaboration

AIR is a highly collaborative platform that allows multiple users to access the system simultaneously. Each user's privileges can be finely adjusted based on roles assigned by the system's owner or administrator. As the fastest and most comprehensive DFIR platform globally, AIR's efficiency is further enhanced through team collaboration.

Real Time User Presence

Analysts can see real-time user presence, comment updates, and evidence flag changes as they occur. These live updates let multiple investigators work on the same evidence simultaneously, with all actions—notes, findings, and flag changes—appearing instantly for every connected user.

Investigation Hub: Real time user presence in the Investigation Hub

In the Investigation Hub screenshot above, three users are active in this case. Their profile icons show not only who is present but also where each person is working in real time. One user is viewing the Findings page, another is in System Info, and a third is examining the Amcache File evidence. This gives immediate visibility into team activity and helps prevent duplicated effort during collaborative investigations.

The Activity Feed

  • The Activity Feed enhances team collaboration and transparency by logging actions taken by investigators. This includes creating exclusions, findings, flags, comments, and notes. Each entry includes user identification and timestamp information to ensure a comprehensive audit trail.

Investigation Hub: Activities Action Button

  • All activities are labeled and linked to the individual activity they record; clicking an entry opens that activity. In the example below, Comment Added, Note Added, Flag Added, and Exclusion Rule Created have all been tracked as activities.

Investigation Hub: Activities

Adding Comments to the Evidence

Comments enhance communication by allowing analysts to directly comment on findings and tag relevant colleagues. This ensures that all discussions are captured and documented within the activity feed, promoting effective collaboration and activity tracking.

Right-click on an item and select ‘Comment’ to attach your comment to that item:

Investigation Hub: Comments

You can tag users in a comment, and they can view the item by clicking on the comment in their Activity Feeds:

Investigation Hub: Tag users

Each table shows only the Activities, Comments, and Flags that are relevant to that table.

Investigation Hub: Activities Comments and Flags
