Category: Release Notes – AIR

Binalyze AIR v5.21

What’s New?

  • Automatic Responder update exclusion rules help protect critical assets during maintenance windows. Administrators can now define named, policy-style rules that automatically exclude matching assets from automatic Responder updates. This is especially valuable for production systems such as messaging clusters, infrastructure services, and other sensitive assets where an unscheduled Responder restart could disrupt investigation readiness or business operations.

  • Expanded macOS artifact coverage improves visibility into user activity. AIR now expands KnowledgeC collection coverage with additional macOS activity streams, including application focus, web usage, lock and power state indicators, audio output, media activity, and modern macOS activity streams. This gives analysts broader context when reconstructing user activity during security investigations.

  • Task memory-limit configuration is available across acquisition, Hunt/Triage, and Full Text Search workflows. Memory-limit settings are now available in task advanced options and policy configuration. This helps administrators control task impact on production assets while preserving the ability to collect and analyze evidence at scale.

  • Linux file system enumeration now includes mounted local filesystems. File System Enumeration on Linux assets now covers eligible local mounted disks and volumes, not only the root filesystem. Virtual, pseudo, volatile, container, and network filesystems remain excluded by default to avoid unstable runtime trees and performance issues.

New Features & Improvements

AIR Console — Asset and Responder Administration

Automatic Responder Update Exclusion Rules

AIR now supports automatic Responder update exclusion based on saved asset filter rules. Administrators can define one or more named rules under asset update settings, and any asset that matches an enabled rule is automatically excluded from automatic Responder updates.

This improvement is designed for environments where critical systems must be updated only during approved maintenance windows. For example, an administrator can create a rule that matches assets tagged as production infrastructure or sensitive Linux servers. Newly registered assets or assets that receive matching tags later are handled automatically, without requiring manual bulk updates.

The rule-based exclusion is additive with the existing per-asset manual exclusion flag. Manual Responder update actions remain available, so administrators can still update excluded assets deliberately when they are ready.

The asset detail page now also shows which update exclusion rules match the selected asset. This gives administrators a clear explanation of why an asset is being skipped by the automatic update workflow.

Safer Bulk Uninstall and Purge Operations

Bulk uninstall, purge, and uninstall-with-purge operations now support an optional maximum matched-asset assertion. If the filter matches more assets than the configured threshold, AIR stops the operation before making changes.

This is useful for cleanup scripts and scheduled administration workflows where filters may evolve over time. Administrators can use the assertion as a guardrail to prevent accidental removal of more assets than intended.

When no assets match the filter, AIR now returns a clearer not-found response instead of silently proceeding. This helps administrators identify filter mistakes before they rely on automation.

Policy-Based Memory Limit Configuration for Tasks

Memory limit configuration is now available in task advanced options and policy configuration. AIR also passes resource-limit fields through Hunt/Triage and Full Text Search task flows so the configured limits are preserved when tasks are submitted.

This improvement helps administrators control resource consumption on production assets. For investigation teams, it supports safer evidence collection and analysis by reducing the chance that long-running or high-volume tasks consume more memory than expected.

Administrators can configure these limits as part of task or policy settings, depending on the workflow. Existing task behavior remains unchanged when no limit is configured.

Improved First Responder Deployment Experience

The empty asset page now updates the “Deploy your first Responder” action correctly when license capabilities or permissions are available. This improves the onboarding experience for newly deployed AIR tenants and reduces confusion for administrators who have the required access but previously saw the action disabled.

Updated AIR For Chrome Extension Store Link

The Deploy > Chrome package page now points to the updated official Chrome Web Store listing for the AIR For Chrome extension. Quick Deployment actions such as Copy Link to Chrome Store and Add to Chrome now open the updated extension URL.

This ensures administrators and analysts are directed to the current official AIR For Chrome extension when deploying the standalone collector.

Settings and Administration

Additional Month-First Date Formats

User date and time preferences now include additional month-first date format options. These formats better support users in regions where month-first dates are the standard.

Users can select these formats from Profile > Date & Time Preferences. This improves readability in investigation timelines, reports, and operational views for teams that use month-first date conventions.

Improved License Validation Feedback

License validation now preserves the license server’s response more accurately when the license key is invalid or not found. AIR now distinguishes invalid-license scenarios from license server connectivity issues more clearly.

This reduces troubleshooting time for administrators and support teams by pointing them toward the correct root cause, such as an invalid key or capacity condition, instead of suggesting a network issue.

Improved Console Address Certificate Import Flow

The Console Address certificate import flow now handles custom PFX imports more reliably when the Console Address itself is unchanged. The import modal also prevents the PFX password from appearing in the browser URL.

This improves both usability and credential handling for administrators configuring Console Address certificates under Settings > General > Connection > Console Address.

Responder and Evidence Collection

Expanded macOS KnowledgeC Artifact Coverage

AIR expands macOS KnowledgeC parsing with additional high-value activity streams. New parsed streams include application focus, web usage, device lock state, power connection state, battery percentage, audio output route, media now-playing activity, application media usage, and application intents where present on the asset.

These artifacts help analysts build a more complete timeline of user activity and system state during an investigation. For example, application focus and media usage can help confirm whether a user was active, which applications were in use, and how activity correlates with other evidence.

Raw KnowledgeC data collection remains available, while the expanded parsed coverage makes more of the data directly searchable and usable inside AIR workflows.

Linux Shell History Collection for Domain and NSS Users

Linux shell history collection now accounts for user home directories that exist under /home even when the user is not listed in the local password file. This improves coverage for environments that resolve users through directory services or similar identity integrations.

For investigation teams, this reduces the chance of missing command history from domain or externally managed users whose home directories are present on disk. The collector keeps discovery bounded by scanning immediate home directories rather than recursively walking the entire filesystem.

Linux File System Enumeration Now Includes Mounted Local Filesystems

Linux File System Enumeration now enumerates the root filesystem plus eligible local mounted filesystems. Previously, mount points such as /mnt, /media, /srv, and /afs could appear as single directory entries while their mounted contents were absent from FileSystemEnumeration.csv.

AIR applies a Linux-specific traversal policy for eligible local mounts while continuing to exclude virtual, pseudo, volatile, container, and network filesystems by default. Darwin and AIX root-device behavior is unchanged.

For investigation teams, this improves filesystem visibility on Linux assets where evidence is spread across multiple mounted disks or volumes, without expanding collection into unstable runtime or network-backed trees.

Responder Upgrade Safety on Linux Hosts

Linux Responders no longer flush the full connection tracking table on every service start. The cleanup now runs only when isolation artifacts are present and cleanup is actually required.

This change prevents brief network disruptions on NAT-dependent production workloads during Responder updates. It is especially relevant for customers running clustered infrastructure where even a sub-second connection reset can cause service impact.

DRONE Event Classification Improvement

DRONE now classifies Windows Event ID 104 as “Event Log Cleared” only when the provider matches the Windows event log provider. This prevents unrelated USB or smart card driver events from being reported as event log clearing activity.

This reduces false positives and helps analysts focus on activity that is more likely to be relevant during an investigation.

Bug Fixes

  • Audit log event filtering now behaves more consistently across Console processes. Customer-reported issues where event filter settings appeared stale or inconsistent after changes have been addressed. Saved audit log event filter settings are now invalidated across running processes, and the settings read path reflects the latest saved configuration more reliably. This improves confidence when administrators use “Log only selected events” or “Log all except selected events” to reduce audit log noise.

  • Audit log filtering controls now better preserve administrator intent. AIR improves handling around audit event selection modes so administrators can switch between logging modes with less risk of losing or misapplying selected event filters.

  • Outbound connector validation has been hardened across AIR Console integrations. AIR now applies a secure-by-default outbound destination validator to Console-initiated requests, including Git repository validation, event subscriptions, evidence repository validation, directory services validation, syslog validation, proxy validation, and related connector checks. SaaS deployments block non-public and cloud-metadata destinations, while on-premise deployments preserve legitimate internal connectivity with configurable allow-list controls.

  • Investigation Hub query handling has been secured and parameterized. Time-based and second-order query injection paths in Investigation Hub timeline count and finding exclusion-rule workflows have been fixed. Stored values are treated as untrusted at use time, and affected query paths now use safer parameter handling.

  • Investigation Hub object-scope checks have been tightened. AIR now enforces authorization more consistently when listing, creating, or applying Investigation Hub exclusion rules and when building asset summary data. This prevents users from expanding results or writing exclusion rules outside their permitted investigation scope.

  • Stored script execution in Investigation Hub asset filters has been fixed. Asset and assignment names displayed in the Evidence Assets filter are now escaped before highlighting. Server-side validation was also added to prevent unsafe asset-name input in section creation workflows. This protects analysts from stored script execution when viewing investigation report-generation filters.

  • Investigation Hub search results now open records more reliably on large datasets. AIR optimized the search-to-grid path so selecting artifact search hits is less likely to result in a timeout or an empty records view when matching data exists.

  • The “New evidence has been added” toast no longer appears incorrectly for task-assignment investigations. AIR now suppresses this notification for investigations that are permanently scoped to a single task assignment, avoiding confusion when the initial import completes while an analyst is already viewing the Investigation Hub.

  • Findings CSV export no longer duplicates the “Flags” column. Exported findings now contain a single human-readable Flags column, allowing the CSV to be re-imported without duplicate-header errors.

  • The Platform “Add to Filter” action in finding details now creates a valid advanced filter. AIR now falls back to an allowed operation when the requested filter operation is not supported by the selected field.

  • Remote repository browsing no longer shows stale results during rapid search or navigation. AIR now ignores superseded repository list responses so slow responses from earlier requests do not overwrite newer search results.

  • Date pattern changes no longer fail because of unchanged profile name fields. Date and time preference saves now submit only the relevant preference data, so users with identity-provider-managed names containing restricted characters can still update date formatting.

  • Additional month-first date formats are now available. Users can choose formats such as month/day/year and month-day-year variants from Date & Time Preferences.

  • Invalid license keys now produce clearer validation messages. AIR no longer reports a license server connectivity problem when the server is reachable and the actual issue is an invalid or missing license key.

  • PFX import no longer exposes the PFX password in the URL. The certificate import modal prevents native form submission and keeps sensitive certificate passwords out of client-visible locations.

  • The “Deploy your first Responder” button now updates correctly on new tenants. The empty asset page now reflects current permissions and license features reactively, so eligible administrators can start deployment without refreshing or navigating away.

  • Responder reinstall handling on Linux has been improved. AIR addresses a scenario where an older Responder process could remain running after uninstall and block the newly installed service from starting because the previous process still held the runtime lock.

  • Responder updates are safer for NAT-dependent Linux workloads. A startup cleanup path that could briefly reset established network flows on certain Linux hosts has been fixed. Customers running affected Responder versions should upgrade to the fixed Responder release before resuming automatic updates on sensitive clustered workloads.

  • DRONE no longer reports unrelated USB or smart card driver events as event log clearing. Event classification now checks the provider, reducing false positives in Windows event analysis.

  • A restrictive Permissions-Policy response header has been added. AIR now explicitly disables access to browser features such as geolocation, camera, microphone, payment, USB, and motion sensors unless they are intentionally enabled in the future.

  • Console-initiated outbound requests now sanitize failure behavior more consistently. Connector validation paths no longer rely on inconsistent destination filtering, reducing internal reachability exposure in SaaS environments.

  • API token metadata visibility has been improved for integrations. External consumers can retrieve token details such as expiration date, enabling better token renewal warnings and reducing failed automation caused by expired credentials.

  • Background worker consistency for audit logging has been improved. Multiple Console containers and workers now receive audit log setting changes more reliably, reducing discrepancies between saved settings and logged events.

Binalyze AIR v5.18

AIR v5.18 focuses on faster investigation workflows, stronger large-environment scalability, improved responder communication, expanded MITRE ATT&CK database management, and more flexible isolation controls. This release helps cybersecurity and investigation teams work across large asset estates with greater confidence, while giving administrators more control over authentication, evidence repositories, policies, and operational visibility.

Binalyze AIR v5.17

What’s New?

  • Structured Data Viewer for JSON, XML, and YAML: AIR automatically identifies structured content within evidence and opens it in a dedicated viewer. Analysts can collapse, search, and format data for clearer insight into complex artifacts like system logs or Tornado data.

  • Policy Cloning: Users can now duplicate any existing isolation or acquisition policy. This streamlines the creation of consistent policies across organizations or investigation scenarios, reducing configuration errors and setup time during critical incident response actions.

  • Bulk Import for Isolation Policy Allow Lists: Analysts can now import IP/Port or process allow lists in bulk through text or CSV input, expediting creation of large-scale isolation rules for controlled response actions.

New Features & Improvements


Investigation Hub

Structured Data Viewer – JSON, XML, and YAML

Evidence items that contain structured content can now be examined through a dedicated viewer. When AIR detects JSON, XML, or YAML, users can click View to open a read-only panel that uses syntax highlighting, search, wrapping, and toggling between raw and formatted modes.

This improves readability of system logs, Event Viewer exports, or Tornado-acquired data, helping analysts to interpret data formats natively rather than extracting them externally. The viewer maintains forensic integrity while improving interpretability for complex datasets.


Settings

User Visibility Enhancements

The Users table now contains fields for Created (user registration date) and Last Active (last console interaction). These additions clarify differences between login time and real-time console presence. Analysts and administrators can now see both authentication events and continuous activity, supporting audit and compliance tracking.

The “Created” column is sortable, which helps identify new or potentially unauthorized accounts swiftly. “Last Active” reflects the last heartbeat signal received from a user’s browser session, providing insight into actual system usage.

Syslog Configuration Persistence

Syslog configuration updates now apply dynamically without restarting the console. This ensures uninterrupted log forwarding when updating integrations with SIEM or log management platforms during active operations.


Policies

Policy Duplication

Policy creation has been simplified with a new Duplicate action, allowing analysts to clone existing policies, including all filters, allow-list entries, and organization assignments. This is particularly valuable for large enterprises with complex, standardized configurations across multiple operational units.

To use this feature, open the Policies view, select a policy row, and choose Duplicate. The new policy opens prefilled with the selected configuration, ready for minor adjustments. It significantly reduces preparation overhead when adapting response templates across environments.

Bulk Import for Isolation Allow Lists

Isolation policy configuration now supports bulk entry for IP/Port and process allow lists. Investigators can paste or import multiple rows directly into the configuration dialog, where AIR validates and structures the entries automatically. This improves efficiency for incident containment planning, allowing immediate deployment of network or process restrictions at scale.


Assets & Task Management

Asset List and Tagging Stability

Asset list rendering performance has been optimized for high-scale environments with hundreds of online assets. Tag updates, search, and filtering now remain consistent during background polling, ensuring dependable management of large connected fleets.

Creation Date Filters for Tasks

A new “Created At” filter enables analysts to view tasks executed within a specific date or time range. This is useful when correlating console performance or task behavior across simultaneous acquisitions or hunts, particularly during post-incident review.

DRONE Analyzer State Synchronization

When DRONE’s global toggle is disabled during task configuration, all individual analyzers are now correctly deselected. This clarifies configuration state and prevents unintentional analyzer execution.


Responder and Evidence Collection

Disk Space Validation Improvements

The Acquisition Task behavior for disk space thresholds has been updated to ensure decimal input values are handled safely. Analysts can now enter size limits more intuitively without risking misinterpretation during collection jobs.

Enhanced Failure Feedback in Acquisition Tasks

Failure messages during partially completed acquisitions now include clear context about missing or inaccessible evidence, aiding interpretation of collection outcomes and simplifying troubleshooting during live operations.

macOS Deployment Guidance

The macOS deployment instructions now include a “Do Not Change Filename” advisory, aligning with Windows packaging consistency to prevent deployment misconfiguration for responders installed in secure macOS environments.


Investigation Management

Improved Data Export Performance

Exports from the Investigation Hub now cache JSON keys, improve view materialization, and reduce redundant lookups, dramatically enhancing performance when exporting findings from large-scale investigations. Analysts working with hundreds of assets and thousands of findings will experience significant speed gains during CSV export.


Bug Fixes

  • Evidence Repository Validation: The system no longer performs repository connection checks during interACT task setup when no repository is selected, ensuring consistent and logical validation behavior.

  • Asset Polling Instability: Asset tags, filters, and column selections now remain stable during polling cycles with hundreds of online assets, preventing data flicker or loss of user selections.

  • Syslog Configuration: Configuration updates are now applied immediately without requiring a restart, ensuring uninterrupted event forwarding.

  • DRONE Analyzer Toggle: Disabling the master DRONE analyzer now correctly resets each individual analyzer switch in the task creation form.

  • Decimal Disk Space in Policy: Acquisition tasks accept fractional disk space entries and standardize size representation across the UI and backend.

  • Windows DNS Evidence: Evidence collection for Windows DNS Server is restored to return expected results, improving visibility during network infrastructure investigations.

  • User Interface Corrections: Search results no longer display disabled configuration options, and column selections persist as expected when navigating between asset views.

  • Partial Task Status Clarity: Improved error messaging now differentiates between fully failed acquisitions and partially completed evidence collections to reduce confusion in investigation reports.



Binalyze AIR v5.16

What’s New?

  • AIR File Explorer XFS Partition Support: Added support for recognizing and parsing XFS partitions in disk images. Analysts can now browse and analyze evidence from XFS-based assets directly within AIR File Explorer.

  • Expanded Windows evidence coverage in Baseline Comparison: Baseline Comparison is enhanced with support for 40+ new Windows evidence sources, along with new section constants and table-to-section mappings to extend comparison coverage across file system activity, registry artifacts, system and network data, SRUM, and other forensic evidence sources. macOS section constants and mappings were also reformatted for improved consistency.

  • Enhanced RelayPro: Upgraded RelayPro with a new toolchain and dependency improvements enhances responder–console communication security and reliability. This ensures uninterrupted evidence transfers and more resilient responder connectivity during large-scale, distributed investigations.

New Features & Improvements


Expanded Windows evidence coverage in Baseline Comparison

Baseline Comparision coverage was significantly expanded through the addition of more than 40 new Windows evidence items with appropriate identifier fields and ignore fields mappings introduced to support accurate comparison behavior across a broader set of artifacts. To enable these new evidence types throughout the comparison pipeline, 12 new Windows section constants and related table-to-section mappings were also added. In addition, macOS section constants and table mappings were reformatted for more consistent alignment and improved maintainability.

The newly supported Windows evidence sources were added across multiple investigation areas, including file system and user activity artifacts such as crash dumps, recycle bin, system restore, downloads, shell bags, LNK files, and jump list data; registry artifacts such as AppCompatCache, UserAssist, Recent Docs, Typed URLs, Office MRU, and Open/Save MRU; system and network data including processes, TCP/UDP tables, ARP table, and volumes; SRUM-based usage artifacts covering application, network, timeline, energy, and connectivity data; and other high-value sources such as Amcache, browser downloads, dependency manifests, PowerShell ConsoleHost history, and user access logs. Through this expansion, broader visibility into Windows activity and configuration data was enabled, allowing change analysis to be performed with greater depth and consistency.

AIR File Explorer XFS Partition Support Improvements

Full disk images containing XFS partitions can now be opened in AIR File Explorer, and file types within those partitions are displayed correctly. This improvement was implemented to address cases where XFS-based evidence could be accessed, but file type information was not visible, limiting file review and triage during investigations. With this enhancement, evidence stored on XFS partitions can be examined more effectively, enabling faster validation of file contents and improving confidence in incident analysis for security analysts.


Responder Communication Optimization

RelayPro Dependency and Toolchain Upgrades

This release introduces an updated RelayPro component version that enhances responder–console communication reliability and strengthens encryption handling. The updated communication stack ensures secure transmission during live-response operations and improves failover handling for responders working through restrictive networks.

For investigation teams, this means greater confidence in evidence integrity and session reliability during real-time analysis or containment workflows. RelayPro’s enhanced dependency security reduces the risk of communication errors, ensuring uninterrupted connectivity between distributed responders and the AIR Console.

Prevent Avoidable HTTP Requests from Responder

Optimizations have been added to reduce redundant responder–console communication. Responders now suppress duplicate status reports and disable unnecessary retry attempts when a request fails with permanent error conditions (for example, 404, 403, 401 responses). This improvement reduces network overhead during widespread deployments and speeds up recovery during transient connectivity disruptions.


Bug Fixes

  • Incorrect Task Status Display: Resolved an issue where task statuses under Cases → Tasks appeared inconsistent when the main task was cancelled. Statuses now correctly reflect task outcomes across all views.

  • Proxy Configuration Not Applied to External Services: Corrected a defect where AIR Console’s proxy settings did not apply to outbound traffic for feature management and analytics services. Proxy enforcement is now consistent across all external integrations.

  • Investigation Hub Report Generation: Fixed a failure that prevented report generation from evidence sources while reports from findings succeeded. Evidence-based reports now generate reliably.

  • Acquisition Task Report Loading: Addressed an issue where the Investigation Hub report for certain acquisition tasks remained in a loading state. Reports now open consistently within the console.

  • Chrome History Acquisition Integrity: Improved file copy process for the Chrome History database to reduce the risk of corrupted SQLite files, ensuring analysts can examine browser activity with full integrity preservation.



Binalyze AIR v5.15

What’s New?

  • Enhanced interACT Session Visibility: When reviewing historical interACT sessions, the session header now displays the specific task name, helping analysts quickly identify which live-response session they are reviewing—especially when multiple sessions are open in separate tabs. This enhancement improves investigation context and analyst efficiency.

New Features & Improvements


AIR Settings

Independent Universal Trusted Certificate Store

Analysts and administrators can now securely add and manage Trusted Certificate Authorities directly within the AIR Console. Previously, this capability was restricted under proxy configuration, limiting flexibility for enterprises performing SSL inspection without proxies or those utilizing self-signed certificates. The new implementation introduces a certificate store independent of proxy settings, ensuring forensically sound authentication and minimizing reliance on manual container-level changes.

With this enhancement, organizations using strict SSL inspection or network monitoring can now deploy AIR without interruptions to licensing or updates. This proactive measure enhances compliance and operational continuity in high-security environments.


interACT

Display interACT Task Name in Historic Session Headers

In multi-session environments where analysts review past interACT activities, identifying the correct investigation session can be challenging. AIR now surfaces the task name (for example, “AX-Day2.2”) directly in the session header and browser tab. This improvement enhances visibility and supports faster navigation between concurrent evidence reviews.

For investigation workflows, this means analysts can immediately differentiate and correlate live-response sessions without confusion, improving auditability and speed during case validation or retrospective analysis.


Asset Management

Expanded Asset Filter Options

The Registered At field has been added to the Advanced Filters of the Assets page. Analysts can now filter assets based on their registration timestamp, allowing time-based scoping for both live and historical analysis. This feature streamlines investigation scoping, particularly useful when identifying assets registered during or after a known incident window.

Enhanced Auto Asset Tag Search

Tag search capabilities have been extended to include the content of tags rather than only their names. This improvement increases flexibility when classifying or correlating assets, especially in environments with rich tagging datasets. Analysts can quickly locate assets linked by contextual tag descriptions, enabling faster triage and focused response workflows.


Bug Fixes

  • Large Dataset Upload Timeout: Resolved an issue where large acquisition datasets exceeded timeout thresholds during upload or manual PPC processing. Upload stability and dataset handling within Investigation Hub have been improved to maintain continuity across extended acquisitions.

  • Windows Volume Imaging Issue: Fixed a Windows-specific image acquisition bug that caused unexpected failures during remote imaging tasks, ensuring consistent evidence capture across platforms.

  • “Key Not Found” and Authorization Errors in Console UI: Addressed errors occurring after version upgrades and during access to the Assets > Disk Images menu, affecting console usability and access control verification. Global Admin accounts now have consistent authorization visibility.

  • Git Repository Fork Mode Configuration: Resolved a configuration issue preventing edits to repositories in Fork mode where the system incorrectly enforced sync interval parameters.

  • AWS Integration Regional Limitation: Corrected the synchronization behavior that was prematurely terminating global scans if a single AWS region returned an explicit deny response. AIR now continues enumeration across other regions unaffected.

  • Investigation Hub Data Handling Errors: Fixed the reported null property and missing field exceptions in task processing and data publishing services. These stability fixes ensure that investigation data imports and evidence processing continue without interruption.

  • Audit Log Performance Enhancements: Improved the search and pagination performance for audit logs in environments with very large asset counts. Query execution and caching have been optimized to reduce latency and prevent timeout errors.

  • Responder Unisolation Feedback: Enhanced feedback visibility during asset unisolation attempts. Responders now display clear status information when unisolation fails or is incomplete, improving clarity during containment and recovery operations.



Binalyze MITRE ATT&CK Analyzer is now at version 13.0.1

Microsoft 365 Detection Enhancements

The DRONE Tornado Analyzer now includes new detections focused on Microsoft 365 event telemetry. Analysts can identify unauthorized configuration changes such as modifications to audit log settings, narrowing of cmdlet auditing, external sharing misconfigurations, and reduced retention policies. These detections are critical for identifying unauthorized administrative activity and potential configuration weakening tactics observed in cloud investigations.

Additional correlation improvements flag brute-force login attempts, missed MFA flows, suspicious OAuth consent grants, and mailbox permission changes commonly associated with persistence techniques in business email compromise incidents.

Sigma Rule Updates

The integrated Sigma detection library has been synchronized with the latest rule updates from the SigmaHQ and Hayabusa repositories. This alignment expands coverage across both endpoint and cloud telemetry sources, bringing enhanced detection insight into unauthorized script execution, privilege escalation, and registry modification behaviors.

MITRE ATT&CK Analyzer / YARA Enhancements

Version 13.0.1 introduces YARA-based detection for Covenant C2 Grunt HTTP stager and implant activities. These additional signatures support early identification of adversary-controlled command-and-control frameworks during evidence analysis, increasing the confidence and precision of post-incident findings.

Binalyze AIR v5.14

What’s New?

  • Git-Managed Triage Rules: Security and investigation teams can now connect their organization’s Git repositories (GitHub, GitLab, Azure DevOps, or Bitbucket) directly to AIR to manage YARA, Sigma, and osquery triage rules as their single source of truth. This integration supports webhook-based synchronization, secure token handling, and ownership modes such as Mirror or Fork, ensuring consistent, auditable rule management during investigations.

  • Syslog Event Filtering for SIEM Integrations: SIEM-connected environments can now configure which AIR events are forwarded via Syslog. Analysts can focus on critical events, such as login failures or case creation, and exclude repetitive operational data to improve visibility in Splunk, QRadar, or Microsoft Sentinel.


New Features & Improvements

Hunt/Triage

Git-Managed Triage Rules

Analysts can now manage triage rule repositories directly within AIR using Git integrations. Supported platforms include GitHub, GitLab (both cloud and self-hosted), Azure DevOps, and Bitbucket. This update allows analysts to import rulesets as read-only Mirrors or organization-controlled Forks.

Synchronization is asynchronous and resilient, with built-in safeguards for file size and repository limits to prevent performance degradation. Webhooks have been added to trigger automatic updates upon commit or push events, and analysts can review sync details through the interface.

This feature strengthens governance and repeatability of Hunt/Triage operations by ensuring that rule sources are traceable, consistent, and version controlled — vital for regulated or multi-tenant organizations performing coordinated investigations.

Sigma Rule Metadata in Findings

The DRONE analysis component now surfaces additional metadata for Sigma-based findings, including rule Author and Status. Analysts can filter or group results based on these attributes to prioritize confirmed rules and distinguish experimental detections during evidence review.

This improvement encourages more focused security analysis workflows, ensuring organizations can tune detection interpretation based on operational relevance and reliability.


Settings and Integration

Syslog Event Filtering for SIEM Integration

Organizations integrating AIR with external SIEM solutions can now tailor which events are transmitted through Syslog. Three filtering modes are supported: send all events (default), include only selected events, or exclude specified event types. This capability allows security operations teams to minimize noise while ensuring that critical, high-value activities—such as case creation and authentication events—are always streamed.

In addition, AIR’s analytics now report adoption statistics for this feature, helping administrators audit configuration changes through integrated usage metrics.

For security analysts, this enhancement means more concise, actionable event data reaching their SIEM, enabling faster triage and correlation within broader detection ecosystems.

License Usage and Capacity Consistency

License usage reporting has been refined to provide more consistent asset and server capacity data across multiple AIR Consoles sharing a license key. Server and asset counters now more accurately reflect real-time usage, helping administrators maintain compliance and visibility across distributed deployments.

Network Isolation Improvements (Linux & macOS)

Network isolation on endpoints has been enhanced to address critical security gaps. Inbound and outbound traffic is now consistently filtered, and all pre-existing TCP connections are terminated when isolation is activated.

DNS and DHCP behavior has also been improved: they can now be enabled or disabled directly from Policies. When enabled during isolation, DNS/DHCP traffic is allowed system-wide. Additionally, exclusion policies for IPs and processes are now enforced bidirectionally (both inbound and outbound).

If the exclusion policy is empty, all inbound traffic and system DNS are blocked while DHCP remains allowed. These changes ensure more consistent and reliable endpoint isolation across Linux and macOS.


Responder and Tactical Components

Improved Collector Behavior Under Disk Space Constraints

Offline Responder collectors handling CSV operations now terminate gracefully when disk space is depleted. Previously, insufficient disk capacity could trigger excessive repeated logs. The updated behavior ensures immediate error signaling with accurate exit codes, helping analysts distinguish between collector failure types and maintain integrity assurance of collected evidence.

MITRE Version Visibility in Task Logs

The MITRE ATT&CK database version used in task executions is now recorded in task logs and visible within Investigation Hub. This visibility helps analysts correlate findings to the correct ATT&CK version during validation, ensuring version-aligned mapping and interpretation of adversary techniques across analyses.

Responder Service Start Reliability on Windows

Improvements have been made to ensure reliable Responder service startup following Windows patching and reboots. This resolves intermittent startup timeouts that previously resulted in loss of communication between assets and the Console.


RelayPro

RelayPro Operational Enhancements

RelayPro has been strengthened with internal architecture improvements that optimize proxy performance, connection pooling, and runtime configuration. Enhanced logging and reliability safeguards were introduced to support continuous operation at scale, ensuring stable connectivity between responders and the AIR Console during active investigations and large asset populations.


Bug Fixes

  • Investigation Hub and Reporting: Resolved multiple issues related to report generation, including timeouts and incomplete exports when processing large datasets (80+ assets or hundreds of thousands of findings). These fixes ensure stable and complete report output within the Investigation Hub and Case Closure Reports.

  • Filtering Accuracy: Fixed an issue where the “NOT contains” condition in the Findings page’s Advanced Filter returned empty results. This correction restores full functionality for complex search filters used during evidence analysis.

  • File and Repository Explorer: File Explorer and Repository Explorer now load content automatically when accessed, removing the need for manual refresh. This streamlines evidence browsing and improves analyst efficiency when exploring disk images or evidence repositories.

  • Access Control and Asset Permissions: Addressed a penetration test finding indicating potential exposure of asset-group and asset-tag data to read-only roles. AIR now enforces strict access control validation to ensure users only access asset data consistent with their assigned permissions.

  • Asset Management and Role Permissions: Corrected permission logic preventing Organization Admin roles from successfully executing the “Create Disk Image Asset” action in SaaS environments. Role-based operations now behave consistently with configuration across deployment types.

  • Export Stability under Resource Load: General performance improvements were added to avoid incomplete ZIP creation or gateway timeouts during bulk export actions. These refinements help maintain system stability in high-load investigation environments.

  • API Token and Syslog Logging: Fixed inconsistencies where Create and Delete API Token events were not transmitted to external SIEMs via Syslog despite appearing in AIR’s local audit logs.

  • Audit Log Job Optimization: The DeleteOldAuditLogs job has been re-engineered to execute deletions in small batches instead of one large transaction, reducing latency and minimizing impact on shared infrastructure performance.

  • SRUM Collector Value Overflow: Fixed integer overflow that caused insertion errors during SRUM data processing, ensuring stability and accurate timeline analysis. Due to the complexity and high cost of creating a migration for existing console data, legacy records were not modified. As a result, previously opened cases that contain older field types may continue to experience errors related to type differences. To ensure correct functionality with the updated responder fields, customers should create new cases using the new responder configuration when encountering this issue.

  • Investigation Hub Evidence Refresh Issue: Fix applied so that after importing new evidences (CSV/PST), all existing evidences remain visible without requiring page refresh.

  • Asset Uninstall Modal: Fixed the bug where the “Uninstall Responder” modal remained open after operations completed. The modal now closes automatically, confirming successful action completion.

  • Responder Startup Reliability: Enhanced the Windows Responder service behavior to ensure it starts successfully after system reboots following patch installations, eliminating timeout-related communication issues.



Binalyze MITRE ATT&CK Analyzer is now at version 12.5.2

MITRE ATT&CK Analyzer / YARA

This update includes targeted false positive corrections across several YARA and MITRE-mapped detection rules. These refinements deliver more accurate detection outcomes, reducing unnecessary findings for analysts during automated DRONE analysis workflows.

Sigma

DRONE has been synchronized with the latest Sigma rule contributions from SigmaHQ and Hayabusa repositories. This ensures analysts have access to the newest community-sourced detection content aligned with current adversary techniques, extending the breadth and relevance of automated behavioral detection within AIR.

Binalyze AIR v5.13

New Features & Improvements


AIR Console

MITRE ATT&CK Rules Download Optimization and Resilience

The AIR Console now manages MITRE ATT&CK Rules package downloads more efficiently, with improved retry logic and automatic validation of transferred data. This helps investigation teams working with MITRE ATT&CK–based analyses retrieve required rule packs faster and with higher reliability. Both SaaS and on‑prem deployments benefit from improved throughput and reduced risk of incomplete downloads.

Binalyze AIR v5.12

What’s New?

  • Advanced Time Display and Copy Options – The DateTime component within AIR Console now allows analysts to view and copy timestamps in multiple formats including UTC, ISO, local, and relative time. This enhancement streamlines correlation activities across multiple evidence sources and logs during complex investigations.

  • Improved Kerberos Event Collection for KDC Event ID 42 – Added support for critical Kerberos Key Distribution Center events (Event ID 42) within default Windows event collection profiles. This expands detection visibility for authentication downgrade or anomaly scenarios often relevant in enterprise breaches.

New Features & Improvements


Evidence Acquisition & Display Enhancements

Enhance DateTime Component with Detailed Time Display and Formatting Options

The DateTime display now includes a contextual pop‑over that reveals different time formats such as UTC (ISO 8601), UTC, local, relative, and timestamp representations. This multi‑format visibility simplifies event timeline correlation during investigations where evidence originates from assets in different time zones.

When copying any timestamp, AIR generates an event record, supporting operational auditing and user behavior tracking. This aids analysts by ensuring that every time reference used in investigation reports maintains forensic‑level traceability.


Event Log Collection Enhancements

Event Logs Collection Refactor for Windows Profiles

The predefined acquisition profiles for Full, Quick, and Compromise Assessment evidence collection now capture broader and more relevant event record IDs. The expansion improves coverage for key system, security, and application events often linked to suspicious activities or lateral movement indicators.

Analysts benefit from improved context in timeline analysis and reduced need to manually configure event lists. With 214 events in the Full profile, 78 in Quick, and 31 in Compromise Assessment, investigation teams gain deeper operational visibility while maintaining efficient collection volumes.

Support Microsoft KDC Event ID 42 in Default Windows Event Collection

Event ID 42 from the Microsoft‑Windows‑Kerberos‑Key‑Distribution‑Center provider is now included in the default Windows event collection profiles. This change ensures that analysts can identify and investigate Kerberos authentication anomalies such as RC4‑HMAC downgrade attempts. The inclusion streamlines detection workflows without requiring custom configuration, strengthening security visibility across enterprise assets.


File Explorer Improvements

Increase Default Number of Items per Page

The default view within the File Explorer has been expanded to display 100 items per page by default. This change enhances usability during evidence review by reducing pagination and improving contextual visibility for analysts exploring large directory structures within acquired disk images.

File Explorer Multiple Directory Selection Fix

File path handling has been improved when selecting multiple directories for evidence collection. The fix ensures that each directory path is independently compiled, enabling accurate retrieval of targeted evidence folders without unwanted path concatenation. Analysts can now confidently select multiple structures in a single acquisition operation with predictable results.


System and Performance Enhancements

Improved Endpoint Name Change Handling to Enhance System Performance

In certain environments, endpoint name change events could previously be triggered due to misconfigured deployments, particularly in cases involving golden image deployments that did not follow the provided deployment guidelines.This scenario could result in a high volume of asset name changes, generating excessive audit logs and triggering updates on investigations. The combination of frequent asset name updates, audit log generation, and related notifications created significant system load, leading to performance degradation.

In addition, audit log generation and event-based notifications related to endpoint name changes have been disabled, as their operational impact outweighed their functional value.

To improve overall system performance and protect core AIR functionality, endpoint name change handling on investigations and the related audit log generation have been removed, as their operational impact outweighed their functional value. Additionally, the warning status indicating a high number of endpoint name changes—this was added to provide improper golden image deployments—has been removed, as it relied on audit log data.


DRONE Analysis Improvements

Rule Package Updates and Stability Improvements

Underlying logic within DRONE Analyzer and evidence re‑analysis workflows has been refined to prevent nil cache entries that could cause tasks to stall. This ensures that re‑analysis operations on pre‑collected evidence now execute reliably, providing uninterrupted automation for retrospective detection.

The update improves the integrity of re‑analysis tasks, especially valuable for analysts conducting follow‑up reviews using newly released detection rules or refined analyzers.


Responder Component Improvements

Field Naming Enhancement for saveToType and saveToURL

User‑facing configuration fields governing evidence storage destinations have been adjusted for improved clarity. The previous technical naming has been aligned with more intuitive labels, reducing confusion when setting up automatic evidence uploads to external repositories. This small but impactful update enhances ease of use for analysts defining collection workflows or reviewing task configurations.


Bug Fixes

  •  Responder Task Display Field Naming – Standardized the display text for save‑to‑type fields within evidence upload configurations. The corrected naming prevents user confusion during responder configuration.

  • Fixed responder registration handling for environments where multiple assets share identical cloud instance IDs. AIR now intelligently distinguishes assets based on unique identifiers derived from OpenStack UUID or other reliable metadata sources.

  • Addressed a race condition in Tactical Windows Legacy v3.22.0 that could trigger SQLite insert errors during rapid evidence writing. This fix improves the reliability of artifact acquisition on Windows assets.

  • Corrected path concatenation in File Explorer evidence collection so directories are properly resolved. Analysts can now select multiple target directories accurately.

  • Resolved organization selection dropdown disappearing after switching to API‑created organizations within the Console UI. Navigation now remains consistent across all organization types.

  • Improved handling for Audit Logs export API in SaaS mode to prevent timeouts during heavy system activity. The export now operates reliably even when continuous audit events are being written.

  • Fixed several summary and filtering issues on the AIR Home page including unreachable status filters and incorrect category filtering. Home Summary sections now accurately reflect asset and case status counts.

  • Improved Auto-Scaling and Recovery Stability for SaaS Tenants, Some SaaS tenants previously experienced extended auto-scaling and recovery durations due to a potential issue related to database connection handling during application startup.



Binalyze MITRE ATT&CK Analyzer is now at version 12.4.0

Dynamo Analyzer

The Dynamo Analyzer updates focus on refining detection precision and reducing noise. Obsolete functions were removed to streamline the analysis pipeline. False‑positive suppression improvements now filter benign command‑line events from common Windows system processes. A new RunMRU analyzer identifies potentially suspicious commands launched from registry RunMRU entries, giving analysts contextual insight into executed commands that may indicate persistence or manual execution attempts.

Detection for high‑risk file extensions in email attachments was expanded, enhancing visibility into initial access vectors. Overall, the update increases accuracy and ensures faster, cleaner analytical output across browser, shimcache, and process‑based evidence.

MITRE ATT&CK Analyzer / YARA

The YARA and MITRE ATT&CK analyses have been strengthened with new detections for threats such as Pulsar RAT, Interlock ransomware components, OrcaC2 implants, and CrashFix malicious extension. Analysts can now detect these families automatically during DRONE analysis without supplementary rules. Network‑based remote access tools like NetSupport now generate higher‑severity alerts given their frequent use in unauthorized remote access operations. In addition, detections for PowerShell scripts employing XOR obfuscation on Base64 payloads help spot evasion techniques in investigations. The expanded coverage reduces manual rule management and offers forensic‑level detection depth across evidence sets.

Sigma Rules

DRONE now integrates the latest Sigma rule releases from SigmaHQ and Hayabusa repositories, updating hundreds of correlation patterns for system logs and security events. These enhancements ensure that investigation teams leverage community‑validated behavioral signatures to identify new adversary techniques within collected evidence.

Binalyze AIR v5.11

What’s New?

  • Google Cloud Storage support – AIR now supports evidence upload and archival to Google Cloud Storage. This provides analysts and investigation teams with greater flexibility in selecting secure cloud repositories for collected evidence, improving integration with multi-cloud environments and accelerating post-incident data availability for review.

  • Golden Image hostname conflict alert – AIR automatically identifies assets that share duplicated hostnames due to image deployment errors and raises a visible alert within the Console. This ensures analysts can maintain asset integrity during investigations and prevents misattribution of evidence sources.

  • Asset menu restructuring – The redesigned Asset view separates Assets into three intuitive sections: Devices, Disk Images, and Cloud Assets. This streamlined layout helps analysts quickly locate relevant evidence sources, assess responder status, and initiate investigation workflows with improved clarity.

New Features & Improvements


AIR Console – Management

Golden Image Hostname Conflict Alert for Devices

AIR now detects when identical hostnames appear across multiple assets, often due to improper image cloning. When such a condition occurs, AIR displays a clear alert in the Console interface. This helps maintain evidence integrity by preventing investigators from assigning findings to misidentified assets.

For investigation teams, this feature eliminates ambiguity during timeline analysis or DRONE comparison tasks by ensuring each asset’s identity remains unique and traceable across evidence collections and response actions.

Asset Menu Changes

The Asset section of AIR Console has been restructured to separate Devices, Disk Images, and Cloud Assets into distinct categories. Each category includes its own tree view, preset filters, and tailored data grid columns. This structural clarity allows analysts to navigate large environments efficiently, identify responder connectivity status, and focus on relevant evidence sources.

Add Task ID Filter to Get Tasks by Case ID API

The backend API now supports filtering tasks within a specific investigation by task ID. This accelerates evidence tracking, allowing analysts to isolate relevant processing events or review discrete acquisitions as part of automated investigation pipelines.

By refining task selection, investigation teams can quickly pinpoint and validate the execution of evidence collection steps within complex multi-asset operations, improving overall investigative precision.

Filter Users with Role Tag

A new filter capability based on user roles has been added to the management interface. Investigation administrators can now quickly locate users or analysts with specific access permissions, streamlining audit reviews and response approvals.

This enhancement supports improved operational security and control, ensuring that only authorized users are assigned investigation privileges aligned with their organizational roles.


AIR Console & Responder – Evidence Repository

Google Cloud Storage Support

Analysts can now store investigation evidence directly in Google Cloud Storage, extending AIR’s existing multi-cloud compatibility. This enhancement simplifies integration for organizations using Google Cloud as part of their security data infrastructure.

During evidence acquisition or upload task configuration, users can define a Google Cloud Storage repository as the destination. This capability helps ensure forensically sound, integrity-preserving preservation of large evidence sets across global cloud environments while supporting compliance and retention requirements.

For more details: Knowledge Base


Bug Fixes

  • Timeline date selection ignores empty range and snaps to nearest date – Resolved an issue in the Timeline view that caused selected empty date ranges to automatically shift to the nearest available data range. The Timeline now respects the exact range selected by the analyst and accurately displays empty periods when applicable, ensuring chronological integrity during investigation review.

  • Tasks page unresponsive under high task volume – Fixed an issue where the Tasks page failed to load or become unresponsive after a large number of tasks were executed. The performance of task listing and pagination has been improved to support high-volume investigation environments reliably.


Binalyze MITRE ATT&CK Analyzer is now at version 11.6.0

Dynamo Analyzer

The DRONE analysis engine introduces refined detection criteria for process anomalies on Windows. Priority-based process checks have been removed to reduce false alerts, while new logic identifies suspicious process paths and command-line attributes that may indicate adversary use of system binaries for unauthorized activity. Additional enhancements include matching administrative share access events and identifying tool names linked to known privilege escalation or lateral movement behaviors. DRONE also now detects PuTTY host key caches, highlighting potential unauthorized remote access operations.

Sigma

Sigma detection rules have been fully synchronized with the latest repositories from SigmaHQ and Hayabusa. This update expands AIR’s coverage for modern adversary techniques and ensures more consistent cross-referencing with current MITRE ATT&CK mappings during investigation correlation.

Binalyze AIR v5.10

AIR – v5.10 Release Notes

What’s New?

  • Google Cloud Platform (GCP) Support: AIR now extends its cloud forensics and asset management capabilities to Google Cloud Platform. Security and investigation teams can now enumerate, sync, and deploy Responders directly to their GCP assets, enabling consistent, forensically sound evidence collection and incident investigation across multi-cloud environments.

  • interACT 2FA Disable Option: Allows global administrators to disable Two-Factor Authentication (2FA) for interACT access when operational flexibility is required during live-response investigations.

  • Custom Evidence Collection Naming: A new capability in Settings → Console Settings → Features allows users to customize how evidence files and folders are named—whether saved locally on assets or uploaded to remote Evidence Repositories. Users can define a naming template by combining text with variables such as Timestamp, Organization Name, Task Name, Asset Name, and Case ID. Using / in the template creates folder structures for logical organization. This improves repository maintenance and ensures clear separation of evidence in multi-tenant environments. Folder names are limited to 50 characters.

  • Full Text Search: Enables investigators to search both file contents and metadata on remote assets using keywords or regex patterns. This allows targeted searches across documents, configuration files, logs, and other text-based data to quickly identify indicators of compromise, policy violations, or evidence of data exfiltration. The feature supports keyword and pattern matching, reusable search profiles, file-type filtering, and cross-platform investigations for faster, more focused evidence discovery.


New Features & Improvements


AIR – Integrations

Google Cloud Platform Support

The addition of Google Cloud Platform (GCP) integration brings full cloud forensics parity with existing AWS and Azure support. Analysts can now establish visibility into GCP assets, synchronize them with the AIR Console, and deploy Responders for data acquisition and incident response workflows. The integration leverages service accounts and organization-level synchronization to ensure investigator access is forensically sound and within tenant authorization boundaries.

Once configured, analysts can manage their GCP accounts via the Cloud Platforms page—performing synchronization, asset enumeration, and deployment directly through the AIR interface. This feature improves investigation readiness across hybrid or multi-cloud environments, reducing manual configuration overhead during critical incident investigations.

Application Information API

A new API endpoint provides authenticated systems and administrators with core version and configuration information about their AIR deployment. The API returns details such as console version, responder version, and active feature flags across the tenant environment. This serves as a foundational mechanism for integration partners and support automation—enabling both configuration validation and automated platform health monitoring.

For organizations integrating AIR with orchestration systems, this API helps verify feature availability before initiating evidence collection or response workflows, ensuring compatibility and auditability during automated operations.


AIR – Settings

interACT 2FA Enforcement

Administrators now have granular control over Two-Factor Authentication (2FA) for users leveraging interACT. The new setting allows global administrators to disable Two-Factor Authentication (2FA) for interACT access when operational flexibility is required during live-response investigations.


AIR – Asset & Task Management

Custom Evidence Collection Naming

A new capability in Settings → Console Settings → Features allows users to customize how evidence files and folders are named—whether saved locally on assets or uploaded to remote Evidence Repositories. Users can define a naming template by combining text with variables such as Timestamp, Organization Name, Task Name, Asset Name, and Case ID. Using / in the template creates folder structures for logical organization. This improves repository maintenance and ensures clear separation of evidence in multi-tenant environments. Folder names are limited to 50 characters.


Full Text Search

Allows investigators to search both file contents and metadata on remote assets using keywords or regex patterns. This allows targeted searches across documents, configuration files, logs, and other text-based data to quickly identify indicators of compromise, policy violations, or evidence of data exfiltration. The feature supports keyword and pattern matching, reusable search profiles, file-type filtering, and cross-platform investigations for faster, more focused evidence discovery.


AIR – User Experience Improvements

Resizable Modal Pages

The AIR Console’s modal pages are now fully resizable. Analysts reviewing collected evidence or findings can adjust the panel dimension for better visibility of artifact details or visual data such as screenshots and event matrices. This enhancement enhances usability during in-depth investigative reviews where comparison between multiple views or correlated data points is necessary.

User Search Field for Case Visibility

Investigation managers can now search the user list when assigning case visibility. This feature adds a responsive search bar within the assignment modal, enabling faster and more accurate selection in accounts with extensive user bases. The enhancement improves access management speed during time-sensitive investigations and reduces operational friction in large collaborative environments.

Search Count for Acquisition Profile Evidence Groups

AIR now displays the number of search results within each acquisition profile evidence group. This improvement provides analysts immediate feedback about the completeness and scope of captured evidence, significantly improving validation before moving into deeper analysis or correlation workflows. Investigation teams benefit from faster confirmation of expected data coverage across selected evidence categories.


TACTICAL – Windows Evidence Analysis

Enhanced Evidence Context Availability

Improvements to Windows evidence processing address inconsistencies in how UserAssist and Amcache artifacts are parsed and presented. Timestamp and metadata normalization ensures these artifacts align correctly within investigative timelines, reducing ambiguity during activity reconstruction. This results in a more reliable interpretation of user execution and application usage on Windows assets.


Bug Fixes

  • Duplicate Endpoint Registration Conflict : Fixed an issue where Linux assets with unique responder IDs were assigned the same Endpoint ID, causing visibility conflicts and continuous audit log generation. The updated logic ensures unique endpoint registration across redeployments, preserving accurate asset representation within the console.

  • UserAssist Focus Time Conversion : Addressed incorrect conversion of Focus Time values in the UI. Metrics now accurately reflect recorded milliseconds, resolving analytical inconsistencies during timeline correlation or application activity reviews.

  • DRONE YARA Recursion Logic: Fixed an infinite recursion logic issue when scanning root directories in DRONE Yara analysis configurations. Scans now properly adhere to defined recursion levels, improving performance and preventing unintended recursive loops.

  • Shellbag Timestamp Alignment: DRONE now consistently uses slot_modified_time across all Shellbag-related findings. This provides investigators a reliable timestamp metric for access chronology during Windows environment analysis.

  • Event Log Search Result Handling: Addressed additional error conditions that occasionally caused “No Records Found” messages during event record access. UI synchronization now ensures consistent linkage between findings and underlying records.

  • Sigma XML Key/Value Filtering: Improved XML key/value handling in Sigma parser to correctly evaluate multi-key comparisons. The updated logic ensures more accurate correlation for WMI persistence detection cases and similar behavioral rules.

  • Amcache Inconsistency Fix: Corrected parsing mismatches leading to missing Amcache entries compared to third-party tools. Analysts now receive a more comprehensive and validated dataset during Windows artifact review.



Binalyze MITRE ATT&CK Analyzer is now at version 11.5.0

Dynamo Analyzer

The Dynamo Analyzer received maintenance updates focusing on rule accuracy and identification breadth. Legacy detections tied to administrative share naming have been removed, while SRUM analysis references were standardized across application, network, and timeline dimensions. Additionally, detection coverage now includes a broader set of known hacker tool names to support proactive identification of malicious utilities during automated analysis.

MITRE ATT&CK Analyzer / YARA

The updated ATT&CK and YARA definitions expand recognition across several adversary techniques used by groups such as Tomiris. The analyzer now detects the JLORAT infector implant, ReverseSocks5 proxy utilities, and kernel drivers associated with privilege escalation or stealth behaviors. Rule refinements include additional suspicious keywords such as “ReverseShell” used in executable build paths. Together, these updates enhance AIR’s ability to expose covert persistence and remote access mechanisms unseen by prior rule sets.

Sigma

DRONE now integrates the latest Sigma rule corpus from both SigmaHQ and Hayabusa repositories. This ensures continuous alignment with community detection research and provides analysts with up-to-date behavioral coverage for Windows event patterns and adversary techniques.