Release Notes - AIR

Binalyze AIR v5.7

Written by Elif Kurt | Thu, Dec 4, '25

What’s New?

  • Maintenance Mode for Device Assets: Analysts can now place assets into Maintenance Mode to safely prevent task execution while performing diagnostics or hardware maintenance. This prevents interference from live data collection or unintentional evidence overwrites during sensitive investigation windows. interACT and log gathering remain available, ensuring forensic continuity.

  • Global Search for Acquisition Profile Evidence Groups: Analysts can perform consolidated searches across all acquisition profiles and their associated evidence groups, significantly improving visibility and retrieval in large-scale investigations.

  • Acquire Evidence Menu Expansion: The “Acquire Evidence” section in the Quick Start menu now expands to show “From Device,” “From Disk Image,” and “From Cloud” options. This clearly differentiates evidence collection sources and helps analysts plan data acquisition across hybrid infrastructures. Note that “From Disk Image” and “From Cloud” are marked “Coming Soon” in this release; only “From Device” is active.

  • Device, Disk Image, and Cloud Menus in Navigation: The Asset menu has been redesigned to display Device, Disk Image, and Cloud as distinct top-level entries. This makes it faster for analysts to locate and manage specific asset types during ongoing operations.

  • Feedback Form and UI Flow Updates: A new feedback form enables analysts to provide direct, feature-level feedback from within AIR (limited to five submissions per day). The updated Resource Center layout ensures better visibility without obstructing navigation.

New Features & Improvements

AIR – Asset & Task Management

Implement Maintenance Mode for Device Assets

Maintenance Mode allows assets to be temporarily excluded from receiving automated tasks during planned maintenance or diagnostic sessions. While the mode is active, all actions except interACT and log gathering are blocked, preserving system stability and investigation continuity. Scheduled and bulk tasks automatically skip assets in Maintenance Mode, so a maintenance window cannot accidentally interrupt or overwrite an evidence collection.

This also addresses an operational problem: cloned or duplicated asset instances could previously respond to the same task with conflicting data. Taking an asset out of task rotation keeps the collected information contextually accurate and supports chain of custody. Maintenance Mode status is visible in asset filters and on the device details page, so analysts can see at a glance which assets are excluded, even in large environments.
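The dispatch policy described above, as an added illustration rather than AIR's own code: a scheduler gate that skips assets in Maintenance Mode for every task type except interACT and log gathering, and records each scheduled run per asset under a key so that a second fire of the same scheduled instance does not create a second execution. The asset records, task-type names, `Dispatcher` class and sample data are assumptions made for the example.

```python
"""Illustrative Maintenance Mode dispatch gate (added example, not Binalyze AIR code).

Assumptions: task types are plain strings, interACT and log gathering are the
only types allowed to reach a maintained asset, and an execution record is
keyed by (schedule_id, fire_time, asset_id).
"""
from dataclasses import dataclass, field

# Task types that may still reach an asset in Maintenance Mode (per the release notes).
ALLOWED_IN_MAINTENANCE = frozenset({"interact", "log_gathering"})


@dataclass
class Asset:
    asset_id: str
    hostname: str
    maintenance_mode: bool = False


@dataclass(frozen=True)
class ScheduledTask:
    schedule_id: str
    fire_time: str   # ISO timestamp of this scheduled run (constructed for the example)
    task_type: str   # e.g. "acquisition", "triage", "interact", "log_gathering"


@dataclass
class Dispatcher:
    assets: dict[str, Asset]
    # One record per (schedule, fire time, asset): a duplicate fire of the same
    # scheduled instance is recognised and produces no second execution.
    executions: set[tuple[str, str, str]] = field(default_factory=set)
    skipped: list[tuple[str, str, str]] = field(default_factory=list)

    def dispatch(self, task: ScheduledTask, asset_ids: list[str]) -> list[str]:
        """Send the task to the listed assets; return the IDs it was actually sent to."""
        sent: list[str] = []
        for aid in asset_ids:
            asset = self.assets[aid]
            if asset.maintenance_mode and task.task_type not in ALLOWED_IN_MAINTENANCE:
                self.skipped.append((task.schedule_id, aid, "maintenance_mode"))
                continue
            key = (task.schedule_id, task.fire_time, aid)
            if key in self.executions:
                continue  # same scheduled instance already executed on this asset
            self.executions.add(key)
            sent.append(aid)
        return sent

    def in_maintenance(self) -> list[str]:
        """The filter an asset list view would apply: IDs currently in Maintenance Mode."""
        return sorted(a.asset_id for a in self.assets.values() if a.maintenance_mode)


def demo() -> dict:
    """Run the gate over three constructed assets, one of them in Maintenance Mode."""
    assets = {
        "a1": Asset("a1", "ws-01"),
        "a2": Asset("a2", "srv-02", maintenance_mode=True),
        "a3": Asset("a3", "ws-03"),
    }
    d = Dispatcher(assets)
    acq = ScheduledTask("sched-7", "2025-12-04T02:00:00Z", "acquisition")
    first = d.dispatch(acq, ["a1", "a2", "a3"])    # a2 skipped, a1/a3 run
    second = d.dispatch(acq, ["a1", "a2", "a3"])   # scheduler double-fire: nothing new runs
    shell = ScheduledTask("sched-8", "2025-12-04T02:05:00Z", "interact")
    inter = d.dispatch(shell, ["a2"])              # interACT still reaches a maintained asset
    return {"first": first, "second": second, "interact": inter,
            "maintained": d.in_maintenance(), "skipped": d.skipped}


if __name__ == "__main__":
    print(demo())
```

The skipped list is worth persisting in a real implementation: an analyst reviewing a scheduled collection should be able to see that an asset was excluded because of Maintenance Mode rather than because the responder was offline.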

Acquire Evidence New Menu Structure

The “Acquire Evidence” section inside the Quick Start panel now expands into three distinct options—From Device, From Disk Image, and From Cloud. Each option guides analysts toward the applicable evidence acquisition path, allowing more targeted data gathering depending on the investigative context.

The new hierarchy promotes workflow clarity and improves onboarding for analysts operating across hybrid or multi-cloud environments. “From Disk Image” and “From Cloud” are marked “Coming Soon”; the menu entries are in place ahead of those capabilities so the navigation does not change again when they ship.

Asset Menu Changes

The primary navigation has been redesigned to replace the single “Asset” entry with separate Device, Disk Image, and Cloud menus. This ensures analysts can quickly access asset categories relevant to their operations without applying additional filters.

Device entries are drawn directly from responder APIs, while disk image and cloud asset types are sourced from the consolidated assets dataset. The design improves scalability for incident response workflows where analysts may manage thousands of distinct artifacts across asset classes.

Global Search for Acquisition Profile Evidence Groups

With this improvement, global search queries now return results for acquisition profile evidence groups. Analysts gain high-level visibility into evidence created under different profiles, making it easier to identify connections and perform comprehensive cross-case comparisons during active investigations.

AIR – Settings and UI Enhancements

Implementation of Feedback Form

This version introduces a built-in feedback mechanism that allows analysts to share direct insights from within the AIR Console. Each user may submit feedback up to five times per day, and entries are sent securely to the internal support channel for review.

AIR – Auth

User Role Name or Role ID in API Token Creation

API token creation now carries the requesting user's role, identified by role name or by role ID, so that operations performed with a token can be attributed consistently in audit and authorization records across integrated systems. Analysts who manage automation or delegated investigation tasks get clearer accountability for token-based operations.

Bug Fixes

  • UI Overlap on New Policy Page: Corrected layout issue where Organization dropdown overlapped the Notifications panel, improving visual clarity and usability.

  • Schedule Task Duplication: Fixed a backend issue that caused duplicate tasks to appear once a scheduled scan began executing. Each scheduled task instance now produces a single execution record.

  • Task Assignment in Offline Environments: Resolved an offline mode error preventing task assignment when exclusion files were inaccessible. Analysts can now run full or offline collection workflows without interruption.

  • Shareable Deployment Page Fixes: Corrected link behaviors that caused broken or misleading redirects on shareable deployment pages. Asset links now behave consistently and no longer lead to placeholder login screens or show an undefined version number. Download links for release certificates now correctly trigger downloads.

  • Keyword Upload Validation: Improved validation of keyword lists uploaded for acquisitions. Blank lines are dropped and unsupported characters are stripped automatically, so a malformed keyword file no longer causes the acquisition task to fail.

  • Hunt/Triage Update Warning Message: Refined warning messages when updating Hunt/Triage rules created by other users, ensuring clearer communication about organization-level permissions.

  • Resource Center Icon Alignment: Adjusted UI positioning of the Resource Center element so that navigation controls remain accessible on smaller screens.
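The keyword-list sanitisation described in the Keyword Upload Validation fix above, written out as an added example rather than AIR's own validation code. The exact character classes AIR treats as unsupported are not stated on this page; the rules below (drop blank lines, strip control and format characters such as a UTF-8 BOM or zero-width space, drop bytes that are not valid UTF-8, skip exact duplicates, cap keyword length) are assumptions chosen to show the failure modes a sanitiser has to handle. The sample upload is constructed.

```python
"""Illustrative sanitiser for an uploaded keyword list (added example, not AIR code).

Assumed rules: blank lines are skipped silently; control (Cc), format (Cf) and
unassigned (Cn) characters and the U+FFFD replacement character are removed;
duplicates are skipped; keywords longer than MAX_KEYWORD_LEN are truncated.
"""
import unicodedata

MAX_KEYWORD_LEN = 256  # assumed per-keyword limit


def _is_unsupported(ch: str) -> bool:
    # U+FFFD marks bytes that were not valid UTF-8; Cc/Cf/Cn cover NUL, tabs,
    # the BOM, zero-width characters and unassigned code points.
    return ch == "\ufffd" or unicodedata.category(ch) in {"Cc", "Cf", "Cn"}


def sanitize_keywords(raw: bytes) -> tuple[list[str], list[str]]:
    """Return (keywords, warnings): cleaned keywords in upload order plus per-line notes."""
    text = raw.decode("utf-8", errors="replace")
    keywords: list[str] = []
    warnings: list[str] = []
    seen: set[str] = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        cleaned = "".join(ch for ch in line if not _is_unsupported(ch)).strip()
        if cleaned != line.strip():
            warnings.append(f"line {lineno}: removed unsupported characters")
        if not cleaned:
            continue  # blank line, or blank once cleaned: skip
        if len(cleaned) > MAX_KEYWORD_LEN:
            warnings.append(f"line {lineno}: keyword truncated to {MAX_KEYWORD_LEN} characters")
            cleaned = cleaned[:MAX_KEYWORD_LEN]
        if cleaned in seen:
            warnings.append(f"line {lineno}: duplicate keyword skipped")
            continue
        seen.add(cleaned)
        keywords.append(cleaned)
    return keywords, warnings


# Constructed upload exercising the cases above.
SAMPLE_UPLOAD = (
    b"\xef\xbb\xbfpassword\r\n"     # UTF-8 BOM, CRLF line ending
    b"\r\n"                         # blank line
    b"   \r\n"                      # whitespace-only line
    b"secret\x00key\n"              # embedded NUL
    b"password\n"                   # exact duplicate of line 1
    b"invoice\xff.pdf\n"            # byte that is not valid UTF-8
    b"\xe2\x80\x8bconfidential\n"   # leading zero-width space (U+200B)
)


if __name__ == "__main__":
    kws, warns = sanitize_keywords(SAMPLE_UPLOAD)
    print(kws)
    print("\n".join(warns))
```

Returning warnings alongside the cleaned list matters in practice: silently rewriting "secret\x00key" into "secretkey" changes what the acquisition searches for, and the analyst should see that the keyword was altered rather than discover it in the results.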

Binalyze MITRE ATT&CK Analyzer is now at version 11.3.1

Dynamo Analyzer

Detection logic has been expanded to identify a broader set of hacker tools and remote monitoring and management (RMM) tools, with refined application-name analysis to increase coverage. These enhancements improve the analyst's ability to uncover unauthorized remote access utilities and misused commercial tools within collected evidence. Additional tuning improves detection of crypto-mining related domains across network and DNS artifacts.

MITRE ATT&CK Analyzer / YARA

New detection rules cover Akira_V2 ransomware variants, along with associated binaries and ransom notes. Updates also improve identification of PowerShell abuse techniques such as AMSI bypass and ETW logging disablement, giving better visibility into the stealth tactics used on Windows assets. Detection of backdoors and implants such as PlushDaemon and EdgeStepper, and of the C# AdaptixC2 framework, extends coverage of advanced intrusion activity. Detection of malicious drivers such as Ollama.sys and hlpdrv.sys has also been refined, improving coverage of kernel-level attacks.

Sigma

DRONE now includes the latest Sigma rule updates from both SigmaHQ and Hayabusa repositories. These updates extend behavioral coverage across event and log-based detections, ensuring analysts can continuously correlate current adversary techniques against timeline evidence within AIR’s Investigation Hub.
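To show how the Sigma rules mentioned here relate to the PowerShell techniques named in the YARA paragraph above, the following is an added example and not a rule shipped by DRONE, AIR or SigmaHQ: a rule in Sigma's shape (logsource, named selections, a condition) that flags the AMSI bypass via reflection on `AmsiUtils`/`amsiInitFailed` and the ETW disablement via `PSEtwLogProvider`/`m_enabled`, evaluated over constructed PowerShell Script Block Logging events (Event ID 4104). Real Sigma rules are YAML; the rule is written as a Python dict so the block runs on the standard library, and the matcher implements only the `contains`/`all` modifiers and the `and`/`or`/`not` condition grammar this rule needs. The field names and the events are assumptions.

```python
"""Illustrative Sigma-style matching over PowerShell 4104 events (added example).

Not the Sigma rules AIR ships and not DRONE code. Implements the subset of Sigma
needed for the rule below: field modifiers `contains` and `all`, and conditions
built from selection names with `and`, `or`, `not` and parentheses.
"""
import re

RULE = {
    "title": "PowerShell AMSI bypass or ETW disablement (illustrative)",
    "logsource": {"product": "windows", "service": "powershell", "category": "ps_script"},
    "detection": {
        "selection_amsi": {
            "ScriptBlockText|contains": [
                "amsiInitFailed",
                "System.Management.Automation.AmsiUtils",
                "AmsiScanBuffer",
            ]
        },
        "selection_etw": {
            # Both strings must appear: the provider type and the flag that is zeroed.
            "ScriptBlockText|contains|all": ["PSEtwLogProvider", "m_enabled"],
        },
        "condition": "selection_amsi or selection_etw",
    },
    "level": "high",
}


def _match_field(event: dict, key: str, wanted) -> bool:
    """Sigma field match: `contains` is a case-insensitive substring test, else exact."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    wanted = wanted if isinstance(wanted, list) else [wanted]
    if "contains" in mods:
        hits = [str(w).lower() in value for w in wanted]
    else:
        hits = [value == str(w).lower() for w in wanted]
    return all(hits) if "all" in mods else any(hits)


def _match_selection(event: dict, selection: dict) -> bool:
    # Within one selection every field must match (Sigma map semantics).
    return all(_match_field(event, k, v) for k, v in selection.items())


def _eval_condition(tokens: list[str], results: dict[str, bool]) -> bool:
    """Tiny recursive-descent evaluator: expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | selection name."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def factor() -> bool:
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            v = expr()
            take()  # closing parenthesis
            return v
        return results[tok]

    def term() -> bool:
        v = factor()
        while peek() == "and":
            take()
            v = factor() and v   # factor() is always evaluated so the parser advances
        return v

    def expr() -> bool:
        v = term()
        while peek() == "or":
            take()
            v = term() or v
        return v

    return expr()


def match(rule: dict, event: dict) -> bool:
    det = rule["detection"]
    results = {name: _match_selection(event, sel) for name, sel in det.items() if name != "condition"}
    return _eval_condition(re.findall(r"\(|\)|\w+", det["condition"]), results)


def run(rule: dict, events: list[dict]) -> list[dict]:
    """Return the events that satisfy the rule, tagged with the rule title."""
    return [{**e, "rule": rule["title"]} for e in events if match(rule, e)]


# Constructed 4104 events: one AMSI bypass, one ETW disable, one benign, one near-miss.
EVENTS = [
    {"EventID": 4104, "Computer": "ws-01", "ScriptBlockText":
     "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
     ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"},
    {"EventID": 4104, "Computer": "ws-02", "ScriptBlockText":
     "$p=[Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider');"
     "$p.GetField('etwProvider','NonPublic,Static').GetValue($null).GetType()"
     ".GetField('m_enabled','NonPublic,Instance').SetValue($null,0)"},
    {"EventID": 4104, "Computer": "ws-03", "ScriptBlockText":
     "Get-ChildItem C:\\Users -Recurse | Where-Object {$_.Length -gt 10MB}"},
    {"EventID": 4104, "Computer": "ws-04", "ScriptBlockText":
     "Write-Host 'PSEtwLogProvider is the PowerShell ETW provider'"},  # one term only: no hit
]

if __name__ == "__main__":
    for hit in run(RULE, EVENTS):
        print(hit["Computer"], "->", hit["rule"])
```

The `all` modifier on the ETW selection is what keeps the fourth event quiet: a string that merely mentions the provider is not the same as code that reaches into it and flips `m_enabled`. When tuning rules like this against timeline evidence, the near-miss case is the one to keep in the test set.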