Investigation Hub - New Features
The Investigation Hub in AIR is the central point for initiating and concluding all your investigations. As the core of AIR, it enhances your investigative process by integrating comprehensive insights and prioritized data with robust collaboration features. Equipped with advanced navigation features like sophisticated search options and dynamic filters, the Investigation Hub is indispensable for smooth and efficient case management, boosting productivity and connecting all investigative activities seamlessly.
The Activity Feed enhances team collaboration and transparency by logging actions taken by investigators. This includes creating; exclusions, findings, flags, comments, and notes. Each entry includes user identification and timestamp information to ensure a comprehensive audit trail.
All of the activities are labeled and linked to the individual activity simply by clicking on it. In the example below we can see how Comment Added, Note Added, Flag Added, and Exclusion Rule Created have all been tracked as activities
Comments enhance communication by allowing analysts to directly comment on findings or/and tag relevant colleagues. This ensures that all discussions are captured and documented within the activity feed, promoting effective collaboration and transparent activity tracking.
Right-click on an item and select ‘Comment’ to attach your comment to that item:
You can tag users in a comment and they can view the item by clicking on the comment in their Activity Feeds:
Each table will show all of the Activities, Comments and Flags that are relevant just to that table
To manage the often extensive data from Event Logs, we've introduced a Column Chooser feature. This allows users to customize their view by selecting specific data fields from the Details view that they want to display in columns. This makes it easier to sort, filter, and analyze the desired relevant log data.
Columns selected will then be available if the user needs to export the table.
These metadata fields are now also available to use in Advanced Filters
Users can highlight text within tables and instantly search for it within the same table, across the entire Investigation Hub, or externally on Google or VirusTotal. This feature streamlines the research process and eliminates the need to toggle between different platforms.
Away from the Investigation Hub other new features include:
Triage rules in the AIR console can now be associated with Tags, which help in organizing rules and filtering when required. This enhancement aids in managing the rules more efficiently and allows for streamlined searches and better organization within the console.
When creating a Triage Rule the UI allows the user to filter existing rules by their associated Tags.
The Triage Rule Library now includes Preset Filters in the secondary menu, allowing users to organize rules hierarchically. By incorporating a colon in their tags, users can structure and categorize rules more efficiently. For example, the tag "APT26:Tim:hashset" helps organize related rules under a structured hierarchy, enhancing navigation and accessibility in the library.
The ESXi parser has been added to the AIR platform, allowing for the import of tasks from off-network ESXi collectors and their presentation in the Investigation Hub.
Learn more about our ESXi collector here.
Binalyze MITRE ATT&CK Analyzer has been updated to version 5.3.1 (31/05/24)
For details please see the changelog in the Binalyze KB.
Expose more action buttons on the Asset Info page
Additional Action Buttons have been introduced to the Asset page to improve usability and immediate access to the most commonly selected actions.
Improvements to the Details View
Each item's title is displayed in light grey text, making the more critical information in darker text stand out for easier reading and quick reference.
The "Show or Hide Empty Fields" view option helps to declutter the display by allowing users to hide fields that contain no data, thus reducing visual noise and focusing attention on fields with relevant information.
Advanced Filter improvements
The advanced filter save feature boosts efficiency by enabling users to save and share custom filters within an AIR organization. This functionality streamlines data analysis, promotes consistency, and enhances collaboration throughout the investigative process.
The Advanced Filter window remains visible as you build the filter and you can reposition it.
Each Advanced Filter is specific to the table it is built in eg; an advanced filter you build in Findings will not be available to you in the Browser Artifact table.
Filters can be saved and then later selected from the drop-down list.
Add items to Advanced Filters directly from the Details window using the filter icon:
Timeline date/time picker bug is fixed