DRONE Integration in Tornado
Introduction
DRONE is Binalyze's automated compromise assessment engine, originally part of AIR DRONE. It provides a decision support system that analyzes collected evidence using a library of up-to-date analyzers maintained by the Binalyze threat hunting team.
In Tornado, DRONE is embedded as a standalone binary that runs locally on the investigator's machine. After cloud evidence is collected from platforms such as Microsoft 365, Google Workspace, Zoom, or HubSpot, DRONE analyzes the collected artifacts and produces findings classified by severity: High, Medium, Low, or Matched.
This tight integration enables investigators to go from raw cloud evidence to actionable compromise assessment findings without leaving the Tornado application.
Architecture Overview
DRONE is shipped as a platform-specific binary embedded directly into the Tornado application at build time. At runtime, Tornado extracts the binary, invokes it as a subprocess against the collected evidence, and packages the analysis results back into the case archive.
How It Works
The DRONE analysis workflow in Tornado follows these steps:
Step-by-Step
1. Evidence Collection -- The investigator collects cloud evidence (emails, audit logs, drive files, etc.) from a supported platform. The collected data is stored in Case.db (SQLite) and packaged into Case.ppc (a ZIP archive).
2. Analyzer Selection -- The investigator selects which analyzers to run. Tornado queries the embedded DRONE binary (drone --get-defaults) to discover available analyzers for the target platform. The investigator can also enable the MITRE ATT&CK analyzer and specify keyword search terms.
3. Analysis Execution -- Tornado extracts the embedded DRONE binary to a temporary location, then invokes it as a subprocess with command-line arguments specifying the analyzers, keywords, MITRE rules path, CPU limit, and the path to Case.ppc.
4. Progress Tracking -- During analysis, DRONE writes progress updates to Drone.Progress.json. Tornado reads this file periodically and reports progress back to the UI in real time.
5. Results Packaging -- Upon completion, DRONE writes its findings to Drone.db (SQLite). Tornado then unzips the existing Case.ppc, adds Drone.db alongside Case.db, and re-creates the archive. The standalone Drone.db file is removed.
6. Viewing Results -- The enriched Case.ppc (now containing both Case.db and Drone.db) can be uploaded to the Investigation Hub for detailed analysis and reporting.
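The results-packaging step is the point where an interrupted write would corrupt the case archive. The following is an added example, not Tornado's own code, of how that step can be done in Go with only the standard library: rewrite Case.ppc with Drone.db merged in, write the merged archive to a temporary file and rename it over the original, and delete the standalone Drone.db only after the rename succeeded. The file names Case.ppc, Case.db and Drone.db come from the page; the function names, the .tmp suffix and the placeholder file contents are assumptions.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// AddToArchive returns a new ZIP archive holding every entry of the existing
// archive (nil starts a fresh one) plus the given file. An entry with the
// same name is replaced rather than duplicated, so re-running an analysis
// leaves exactly one Drone.db in the case archive.
func AddToArchive(existing []byte, name string, content []byte) ([]byte, error) {
	var out bytes.Buffer
	zw := zip.NewWriter(&out)
	if len(existing) > 0 {
		zr, err := zip.NewReader(bytes.NewReader(existing), int64(len(existing)))
		if err != nil {
			return nil, fmt.Errorf("open archive: %w", err)
		}
		for _, f := range zr.File {
			if f.Name == name {
				continue // superseded by the new content appended below
			}
			rc, err := f.Open()
			if err != nil {
				return nil, fmt.Errorf("open entry %q: %w", f.Name, err)
			}
			w, err := zw.Create(f.Name)
			if err == nil {
				_, err = io.Copy(w, rc)
			}
			rc.Close()
			if err != nil {
				return nil, fmt.Errorf("copy entry %q: %w", f.Name, err)
			}
		}
	}
	w, err := zw.Create(name)
	if err != nil {
		return nil, err
	}
	w.Write(content)
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

// PackageResults merges the standalone Drone.db into Case.ppc. The merged
// archive is written to a temporary file and renamed over the original, so a
// crash mid-write cannot leave a truncated case archive; Drone.db is removed
// only after the rename succeeded.
func PackageResults(casePPC, droneDB string) error {
	existing, err := os.ReadFile(casePPC)
	if err != nil {
		return err
	}
	findings, err := os.ReadFile(droneDB)
	if err != nil {
		return err
	}
	merged, err := AddToArchive(existing, "Drone.db", findings)
	if err != nil {
		return err
	}
	tmp := casePPC + ".tmp"
	if err := os.WriteFile(tmp, merged, 0o600); err != nil {
		return err
	}
	if err := os.Rename(tmp, casePPC); err != nil {
		return err
	}
	return os.Remove(droneDB)
}

func main() {
	dir, _ := os.MkdirTemp("", "tornado-example")
	defer os.RemoveAll(dir)
	casePPC, droneDB := filepath.Join(dir, "Case.ppc"), filepath.Join(dir, "Drone.db")
	// Constructed placeholders: the real files are SQLite databases.
	base, _ := AddToArchive(nil, "Case.db", []byte("sample evidence"))
	os.WriteFile(casePPC, base, 0o600)
	os.WriteFile(droneDB, []byte("sample findings"), 0o600)
	if err := PackageResults(casePPC, droneDB); err != nil {
		panic(err)
	}
	data, _ := os.ReadFile(casePPC)
	zr, _ := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	for _, f := range zr.File {
		fmt.Println("entry:", f.Name) // entry: Case.db, then entry: Drone.db
	}
}
```

Replacing an existing Drone.db entry instead of appending a second one matters when an analysis is re-run on the same case, and the write-then-rename pattern means a reader of Case.ppc always sees either the old archive or the complete new one.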
Supported Platforms
DRONE analyzers in Tornado are organized by cloud platform. Each platform has its own set of specialized analyzers:
Platform | Parselet name | Evidence analyzed
Microsoft 365 | microsoft-365 | Exchange emails, Unified Audit Logs, OneDrive files, Teams messages
Google Workspace | gws-parselet | Gmail, Google Drive, Admin audit logs
Zoom | zoom | Meeting data, recordings, user activity
HubSpot | hubspot | CRM data, activity logs
When the investigator opens the analyzer selection step, Tornado automatically queries the DRONE binary for analyzers that support the current platform and presents only the relevant options.
Analyzers
DRONE includes two core analyzer components:
DRONE Analyzers
Platform-specific analyzers that query artifact tables in the collected evidence database and run data through a series of check functions. These analyzers score or flag suspicious indicators and report findings with severity classifications.
Available analyzers are dynamically loaded from the embedded DRONE binary at runtime. The binary reports its full analyzer catalog, and Tornado filters by the target platform. The Dynamo analyzer (dya) is excluded from the general list because it is handled separately as part of the MITRE ATT&CK integration.
MITRE ATT&CK Analyzer (Dynamo)
Dynamo is a rule-based analysis engine for DFIR investigations. In the context of Tornado's cloud forensics, Dynamo executes SQL-based rules against collected forensic databases -- primarily the unified_audit_logs table from Microsoft 365 Unified Audit Log data.
Each Dynamo rule:
- Targets a specific evidence section (e.g., unified_audit_logs)
- Executes complex SQL queries with JSON extraction against audit data
- Produces scored findings mapped to MITRE ATT&CK tactics and techniques
- Classifies results with severity-based detection reasons
Built-in Dynamo Rules for Microsoft 365
Rule | Description | MITRE ATT&CK tactic / technique
Suspicious Mail Forwarding Rules Detector | Detects mail forwarding rules that may indicate mailbox compromise, including external forwarding and rules created via suspicious tools | TA0009 / T1114.003
Privilege Escalation Activity Detector | Detects privilege escalation activities such as self-promotion to high-privilege roles and suspicious role assignments | TA0004 / T1078.004
Unusual Authentication Detector | Identifies unusual authentication patterns including automation tools, legacy auth protocols, and anomalous IP activity | -
Suspicious Admin Actions Detector | Flags suspicious Exchange admin actions that may indicate unauthorized configuration changes | -
Suspicious HTTP Clients in O365 User Agent | Detects requests from uncommon or suspicious HTTP clients in Office 365 user agent strings | -
MITRE Rules Sync
When connected to an AIR instance, Tornado can sync MITRE ATT&CK rules from the AIR platform. These rules are stored locally at Tornado.Tools/utils/mitre.zip and passed to the DRONE binary at analysis time. This ensures investigators always have access to the latest threat detection rules maintained by the Binalyze threat hunting team.
Severity Classifications
DRONE classifies all findings into one of four severity levels:
Severity | Meaning
High | Confirmed malicious behavior or artifacts indicating critical compromise
Medium | Indicators of suspicious or potentially unwanted behavior
Low | Anomalies or uncommon patterns that may warrant further investigation
Matched | Items flagged through keyword hits or custom rule matches
The minimum score threshold for reporting is configurable (default: 50, range: 10--90). Findings below this threshold are not included in the results.
Analysis Output
Drone.db
The primary output of a DRONE analysis is Drone.db, a SQLite database containing all findings from the selected analyzers. This database is automatically added to the Case.ppc archive alongside the original Case.db.
Case.ppc Structure (Post-Analysis)
Case.ppc (ZIP archive)
  Case.db -- collected cloud evidence (SQLite)
  Drone.db -- DRONE findings (SQLite)
Progress Tracking
During analysis, DRONE writes real-time progress updates to Drone.Progress.json as JSON lines. Each entry includes:
- MatchCount -- The number of findings discovered so far
- Progress -- The completion percentage (0--100)
Tornado reads this file periodically and updates the UI with the current progress.
Cross-Platform Support
The DRONE binary is embedded for all platforms that Tornado supports:
Platform | Architecture | Embedded archive
Windows | amd64 | bin/drone_windows_amd64.zip
macOS | amd64 | bin/drone_darwin_amd64.zip
macOS | arm64 (Apple Silicon) | bin/drone_darwin_arm64.zip
Linux | amd64 | bin/drone_linux_amd64.zip
Linux | arm64 | bin/drone_linux_arm64.zip
The correct binary is selected at compile time using Go build tags. At runtime, Tornado extracts the binary to a temporary location (Tornado.Tools/ directory), executes it, and removes it after the analysis completes.
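Unpacking an archive into a tools directory and then executing what came out is a step where archive entry names must be treated as untrusted input. The following added example, not Tornado's own code, shows a platform lookup using the archive names from the table above, an extractor that refuses any entry resolving outside the destination directory (the "zip slip" class of bug), and an extract/run/remove wrapper that cleans up even when the run fails. The function names, the placeholder archive payload and the use of a temporary directory named Tornado.Tools are assumptions.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"runtime"
	"strings"
)

// AssetName maps a GOOS/GOARCH pair to the embedded archive name from the
// table above. Tornado makes this choice at compile time with build tags;
// the runtime lookup here is an added convenience.
func AssetName(goos, goarch string) (string, error) {
	switch goos + "/" + goarch {
	case "windows/amd64", "darwin/amd64", "darwin/arm64", "linux/amd64", "linux/arm64":
		return fmt.Sprintf("bin/drone_%s_%s.zip", goos, goarch), nil
	}
	return "", fmt.Errorf("no embedded DRONE binary for %s/%s", goos, goarch)
}

// ExtractTo unpacks every file entry of archive into dir and returns the paths
// written. Each entry name is resolved and checked to lie inside dir, so a
// crafted name such as "../../x" cannot escape the tools directory (zip slip).
func ExtractTo(archive []byte, dir string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	root, err := filepath.Abs(dir)
	if err != nil {
		return nil, err
	}
	var written []string
	for _, f := range zr.File {
		if f.FileInfo().IsDir() {
			continue
		}
		dest := filepath.Join(root, filepath.FromSlash(f.Name))
		if !strings.HasPrefix(dest, root+string(os.PathSeparator)) {
			return written, fmt.Errorf("refusing entry %q: escapes %s", f.Name, root)
		}
		if err := os.MkdirAll(filepath.Dir(dest), 0o700); err != nil {
			return written, err
		}
		rc, err := f.Open()
		if err != nil {
			return written, err
		}
		// Owner-only and executable: the file is about to be invoked.
		out, err := os.OpenFile(dest, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o700)
		if err == nil {
			_, err = io.Copy(out, rc)
			out.Close()
		}
		rc.Close()
		if err != nil {
			return written, err
		}
		written = append(written, dest)
	}
	return written, nil
}

// WithExtractedBinary mirrors the extract/run/remove sequence: unpack into a
// fresh directory under toolsDir, call run, remove the directory regardless.
func WithExtractedBinary(archive []byte, toolsDir string, run func(files []string) error) error {
	work, err := os.MkdirTemp(toolsDir, "drone-")
	if err != nil {
		return err
	}
	defer os.RemoveAll(work)
	files, err := ExtractTo(archive, work)
	if err != nil {
		return err
	}
	return run(files)
}

func main() {
	name, _ := AssetName(runtime.GOOS, runtime.GOARCH)
	fmt.Println("embedded archive for this host:", name)
	// Constructed stand-in for that archive: a one-entry ZIP whose payload is a
	// placeholder string, not a real DRONE binary.
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("drone")
	w.Write([]byte("placeholder"))
	zw.Close()
	tools, _ := os.MkdirTemp("", "Tornado.Tools")
	defer os.RemoveAll(tools)
	err := WithExtractedBinary(buf.Bytes(), tools, func(files []string) error {
		fmt.Println("would execute:", files[0]) // removed again on return
		return nil
	})
	fmt.Println("cleanup error:", err) // cleanup error: <nil>
}
```

The prefix check is done on the cleaned absolute path rather than on the raw entry name, which also catches absolute entry names and mixed separators; the per-run subdirectory keeps one analysis from overwriting a binary another run is still executing.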
Configuration
Setting | Default | Description
CPU Limit | 60% | Maximum CPU usage allowed for the DRONE process
Minimum Score | 50 | Minimum score threshold for reporting findings (range: 10--90)
DRONE Version | Tracked in dependency.json | Currently v4.1.2
API Reference
Tornado exposes the following REST API endpoints for DRONE integration:
Method | Endpoint | Description
GET | /api/drone/analyzers/:parseletName | List available analyzers for a given platform
POST | /api/drone/task/assign | Start a DRONE analysis task
POST | /api/drone/task/status | Query the status of a running analysis task
POST | /api/drone/task/cancel | Cancel a running analysis task
Task Assignment Payload
Task Response