# DRONE Integration in Tornado ## Introduction **DRONE** is Binalyze's automated compromise assessment engine, originally part of [AIR DRONE](https://kb.binalyze.com/air/features/drone/what-is-drone). It provides a decision support system that analyzes collected evidence using a library of up-to-date analyzers maintained by the Binalyze threat hunting team. In [Tornado](https://kb.binalyze.com/air/features/tornado-preview-version), DRONE is embedded as a standalone binary that runs locally on the investigator's machine. After cloud evidence is collected from platforms such as Microsoft 365, Google Workspace, Zoom, or HubSpot, DRONE analyzes the collected artifacts and produces findings classified by severity: **High**, **Medium**, **Low**, or **Matched**. This tight integration enables investigators to go from raw cloud evidence to actionable compromise assessment findings without leaving the Tornado application. *** ## Architecture Overview DRONE is shipped as a platform-specific binary embedded directly into the Tornado application at build time. At runtime, Tornado extracts the binary, invokes it as a subprocess against the collected evidence, and packages the analysis results back into the case archive. ```mermaid flowchart TB subgraph Tornado["Tornado Application"] UI["Frontend UI"] API["API Layer"] DM["DRONE Manager"] EB["Embedded DRONE Binary"] end subgraph Evidence["Evidence"] CasePPC["Case.ppc (ZIP)"] CaseDB["Case.db (SQLite)"] DroneDB["Drone.db (SQLite)"] end subgraph External["External Services"] AirPlatform["AIR Platform"] IHub["Investigation Hub"] end UI -->|"Select analyzers & keywords"| API API -->|"Start analysis task"| DM DM -->|"Extract & execute"| EB EB -->|"Read"| CasePPC CasePPC --- CaseDB EB -->|"Write"| DroneDB DM -->|"Add Drone.db to"| CasePPC AirPlatform -->|"Sync MITRE rules"| DM CasePPC -->|"Upload"| IHub ``` *** ## How It Works The DRONE analysis workflow in Tornado follows these steps: ```mermaid sequenceDiagram participant User participant TornadoUI as Tornado UI participant TornadoAPI as Tornado API participant DroneManager as DRONE Manager participant DroneBin as DRONE Binary User->>TornadoUI: Collect cloud evidence TornadoUI->>TornadoAPI: Collection task TornadoAPI-->>TornadoUI: Case.ppc created User->>TornadoUI: Select analyzers, keywords, MITRE TornadoUI->>TornadoAPI: POST /api/drone/task/assign TornadoAPI->>DroneManager: Create analysis task DroneManager->>DroneBin: Extract binary from embedded assets DroneManager->>DroneBin: Execute with args (analyzers, keywords, Case.ppc path) loop Progress Tracking DroneBin-->>DroneManager: Write Drone.Progress.json DroneManager-->>TornadoAPI: Report progress TornadoAPI-->>TornadoUI: Update progress bar end DroneBin-->>DroneManager: Write Drone.db (results) DroneManager->>DroneManager: Add Drone.db into Case.ppc DroneManager-->>TornadoAPI: Analysis complete TornadoAPI-->>TornadoUI: Show completion status ``` ### Step-by-Step 1. **Evidence Collection** -- The investigator collects cloud evidence (emails, audit logs, drive files, etc.) from a supported platform. The collected data is stored in `Case.db` (SQLite) and packaged into `Case.ppc` (a ZIP archive). 2. **Analyzer Selection** -- The investigator selects which analyzers to run. Tornado queries the embedded DRONE binary (`drone --get-defaults`) to discover available analyzers for the target platform. The investigator can also enable the MITRE ATT\&CK analyzer and specify keyword search terms. 3. **Analysis Execution** -- Tornado extracts the embedded DRONE binary to a temporary location, then invokes it as a subprocess with command-line arguments specifying the analyzers, keywords, MITRE rules path, CPU limit, and the path to `Case.ppc`. 4. **Progress Tracking** -- During analysis, DRONE writes progress updates to `Drone.Progress.json`. Tornado reads this file periodically and reports progress back to the UI in real time. 5. **Results Packaging** -- Upon completion, DRONE writes its findings to `Drone.db` (SQLite). Tornado then unzips the existing `Case.ppc`, adds `Drone.db` alongside `Case.db`, and re-creates the archive. The standalone `Drone.db` file is removed. 6. **Viewing Results** -- The enriched `Case.ppc` (now containing both `Case.db` and `Drone.db`) can be uploaded to the **Investigation Hub** for detailed analysis and reporting. *** ## Supported Platforms DRONE analyzers in Tornado are organized by cloud platform. Each platform has its own set of specialized analyzers: | Platform | Internal Identifier | Evidence Types | | ---------------- | ------------------- | ------------------------------------------------------------------- | | Microsoft 365 | `microsoft-365` | Exchange emails, Unified Audit Logs, OneDrive files, Teams messages | | Google Workspace | `gws-parselet` | Gmail, Google Drive, Admin audit logs | | Zoom | `zoom` | Meeting data, recordings, user activity | | HubSpot | `hubspot` | CRM data, activity logs | When the investigator opens the analyzer selection step, Tornado automatically queries the DRONE binary for analyzers that support the current platform and presents only the relevant options. *** ## Analyzers DRONE includes two core analyzer components: ### DRONE Analyzers Platform-specific analyzers that query artifact tables in the collected evidence database and run data through a series of check functions. These analyzers score or flag suspicious indicators and report findings with severity classifications. Available analyzers are dynamically loaded from the embedded DRONE binary at runtime. The binary reports its full analyzer catalog, and Tornado filters by the target platform. The Dynamo analyzer (`dya`) is excluded from the general list because it is handled separately as part of the MITRE ATT\&CK integration. ### MITRE ATT\&CK Analyzer (Dynamo) **Dynamo** is a rule-based analysis engine for DFIR investigations. In the context of Tornado's cloud forensics, Dynamo executes SQL-based rules against collected forensic databases -- primarily the `unified_audit_logs` table from Microsoft 365 Unified Audit Log data. Each Dynamo rule: * Targets a specific evidence section (e.g., `unified_audit_logs`) * Executes complex SQL queries with JSON extraction against audit data * Produces scored findings mapped to MITRE ATT\&CK tactics and techniques * Classifies results with severity-based detection reasons #### Built-in Dynamo Rules for Microsoft 365 | Rule | Description | MITRE Mapping | | ------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------- | ------------------ | | Suspicious Mail Forwarding Rules Detector | Detects mail forwarding rules that may indicate mailbox compromise, including external forwarding and rules created via suspicious tools | TA0009 / T1114.003 | | Privilege Escalation Activity Detector | Detects privilege escalation activities such as self-promotion to high-privilege roles and suspicious role assignments | TA0004 / T1078.004 | | Unusual Authentication Detector | Identifies unusual authentication patterns including automation tools, legacy auth protocols, and anomalous IP activity | - | | Suspicious Admin Actions Detector | Flags suspicious Exchange admin actions that may indicate unauthorized configuration changes | - | | Suspicious HTTP Clients in O365 User Agent | Detects requests from uncommon or suspicious HTTP clients in Office 365 user agent strings | - | #### MITRE Rules Sync When connected to an AIR instance, Tornado can sync MITRE ATT\&CK rules from the AIR platform. These rules are stored locally at `Tornado.Tools/utils/mitre.zip` and passed to the DRONE binary at analysis time. This ensures investigators always have access to the latest threat detection rules maintained by the Binalyze threat hunting team. *** ## Severity Classifications DRONE classifies all findings into one of four severity levels: | Severity | Description | | ----------- | ------------------------------------------------------------------------ | | **High** | Confirmed malicious behavior or artifacts indicating critical compromise | | **Medium** | Indicators of suspicious or potentially unwanted behavior | | **Low** | Anomalies or uncommon patterns that may warrant further investigation | | **Matched** | Items flagged through keyword hits or custom rule matches | The minimum score threshold for reporting is configurable (default: 50, range: 10--90). Findings below this threshold are not included in the results. *** ## Analysis Output ### Drone.db The primary output of a DRONE analysis is `Drone.db`, a SQLite database containing all findings from the selected analyzers. This database is automatically added to the `Case.ppc` archive alongside the original `Case.db`. ### Case.ppc Structure (Post-Analysis) ``` Case.ppc (ZIP) ├── Case.db # Collected evidence (emails, audit logs, drive items, etc.) └── Drone.db # DRONE analysis findings ``` ### Progress Tracking During analysis, DRONE writes real-time progress updates to `Drone.Progress.json` as JSON lines. Each entry includes: * `MatchCount` -- The number of findings discovered so far * `Progress` -- The completion percentage (0--100) Tornado reads this file periodically and updates the UI with the current progress. *** ## Cross-Platform Support The DRONE binary is embedded for all platforms that Tornado supports: | Platform | Architecture | Embedded Binary | | -------- | --------------------- | ----------------------------- | | Windows | amd64 | `bin/drone_windows_amd64.zip` | | macOS | amd64 | `bin/drone_darwin_amd64.zip` | | macOS | arm64 (Apple Silicon) | `bin/drone_darwin_arm64.zip` | | Linux | amd64 | `bin/drone_linux_amd64.zip` | | Linux | arm64 | `bin/drone_linux_arm64.zip` | The correct binary is selected at compile time using Go build tags. At runtime, Tornado extracts the binary to a temporary location (`Tornado.Tools/` directory), executes it, and removes it after the analysis completes. *** ## Configuration | Parameter | Default | Description | | ------------- | ---------------------------- | -------------------------------------------------------------- | | CPU Limit | 60% | Maximum CPU usage allowed for the DRONE process | | Minimum Score | 50 | Minimum score threshold for reporting findings (range: 10--90) | | DRONE Version | Tracked in `dependency.json` | Currently v4.1.2 | *** ## API Reference Tornado exposes the following REST API endpoints for DRONE integration: | Method | Endpoint | Description | | ------ | ------------------------------------ | --------------------------------------------- | | `GET` | `/api/drone/analyzers/:parseletName` | List available analyzers for a given platform | | `POST` | `/api/drone/task/assign` | Start a DRONE analysis task | | `POST` | `/api/drone/task/status` | Query the status of a running analysis task | | `POST` | `/api/drone/task/cancel` | Cancel a running analysis task | ### Task Assignment Payload ```json { "Tasks": [{ "Type": "drone", "Data": { "collection_task_id": "", "analyzers": ["o365-sue", "o365-sdeea"], "mitre_analyzer_selected": true, "keywords": ["phishing", "forwarding"] } }] } ``` ### Task Response ```json { "analysis_task_id": "", "analysis_status": "completed" } ``` *** ## Further Reading * [What is DRONE?](https://kb.binalyze.com/air/features/drone/what-is-drone) * [What is an Analysis Pipeline?](https://kb.binalyze.com/air/features/drone/what-is-an-analysis-pipeline) * [DRONE Analyzers](https://kb.binalyze.com/air/features/drone/analyzers) * [Tornado Overview](https://kb.binalyze.com/air/features/tornado-preview-version)