
Binalyze AIR v5.10


AIR - v5.10 Release Notes

What’s New?

  • Google Cloud Platform (GCP) Support: AIR now extends its cloud forensics and asset management capabilities to Google Cloud Platform. Security and investigation teams can now enumerate, sync, and deploy Responders directly to their GCP assets, enabling consistent, forensically sound evidence collection and incident investigation across multi-cloud environments.

  • interACT 2FA Disable Option: Allows global administrators to disable Two-Factor Authentication (2FA) for interACT access when operational flexibility is required during live-response investigations.

  • Automatic Evidence Repository Folder Creation: The online acquisition process now supports automatic creation of an additional normalized organization-level folder in repositories. Collected evidence is grouped under this organizational context, making repository maintenance more predictable and ensuring clear separation between multi-tenant evidence uploads. A new setting is now available to help customers better organize artifacts uploaded to the Evidence Repository after Acquisition. Customers can configure a custom folder naming template by selecting from available variables and defining the folder name format themselves.


New Features & Improvements


AIR – Integrations

Google Cloud Platform Support

The addition of Google Cloud Platform (GCP) integration brings full cloud forensics parity with existing AWS and Azure support. Analysts can now establish visibility into GCP assets, synchronize them with the AIR Console, and deploy Responders for data acquisition and incident response workflows. The integration leverages service accounts and organization-level synchronization to ensure investigator access is forensically sound and within tenant authorization boundaries.

Once configured, analysts can manage their GCP accounts via the Cloud Platforms page—performing synchronization, asset enumeration, and deployment directly through the AIR interface. This feature improves investigation readiness across hybrid or multi-cloud environments, reducing manual configuration overhead during critical incident investigations.

Application Information API

A new API endpoint provides authenticated systems and administrators with core version and configuration information about their AIR deployment. The API returns details such as console version, responder version, and active feature flags across the tenant environment. This serves as a foundational mechanism for integration partners and support automation—enabling both configuration validation and automated platform health monitoring.

For organizations integrating AIR with orchestration systems, this API helps verify feature availability before initiating evidence collection or response workflows, ensuring compatibility and auditability during automated operations.


AIR – Settings

interACT 2FA Enforcement

Administrators now have granular control over Two-Factor Authentication (2FA) for users leveraging interACT. The new setting allows global administrators to disable Two-Factor Authentication (2FA) for interACT access when operational flexibility is required during live-response investigations.


AIR – Asset & Task Management

Automatic Evidence Repository Folder Creation

The online acquisition process now supports automatic creation of an additional normalized organization-level folder in repositories. Collected evidence is grouped under this organizational context, making repository maintenance more predictable and ensuring clear separation between multi-tenant evidence uploads. A new setting is now available to help customers better organize artifacts uploaded to the Evidence Repository after Acquisition. Customers can configure a custom folder naming template by selecting from available variables and defining the folder name format themselves. The naming template always includes a timestamp (mandatory), and users can optionally add variables such as Task Name, Case Name, and Acquisition Profile to create clearer and more structured evidence folders. Folder names are limited to 50 characters.
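The following is an added example, not Binalyze's code, of how a folder naming template with a mandatory timestamp, optional variables and a 50-character limit can be rendered safely. The placeholder syntax (`{timestamp}`, `{task_name}`, `{case_name}`, `{acquisition_profile}`), the timestamp format and the organization-folder normalization are assumptions for the example; the points it demonstrates are that the template is validated before use, that every user-supplied value is reduced to filesystem-safe characters so a case or task name cannot inject path separators, and that the length limit is enforced rather than silently truncated.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Variables a template may reference (names assumed for this example; the
# release notes list Task Name, Case Name and Acquisition Profile as optional
# variables and the timestamp as mandatory).
ALLOWED_VARIABLES = {"timestamp", "task_name", "case_name", "acquisition_profile"}
MAX_FOLDER_NAME_LENGTH = 50            # limit stated in the release notes
TIMESTAMP_FORMAT = "%Y%m%dT%H%M%SZ"    # assumed timestamp layout

# Anything outside this set is collapsed to '_' so the rendered name is valid
# on every filesystem and cannot contain path separators or traversal sequences.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]+")


def normalize_component(value: str) -> str:
    """Reduce a user-supplied value to a single safe path component."""
    cleaned = _UNSAFE.sub("_", value.strip()).strip("._")
    return cleaned or "unnamed"


def render_folder_name(template: str, values: dict, now: Optional[datetime] = None) -> str:
    """Render the per-acquisition folder name from a template and its variables."""
    placeholders = set(re.findall(r"\{([^{}]*)\}", template))
    unknown = placeholders - ALLOWED_VARIABLES
    if unknown:
        raise ValueError(f"unknown template variables: {sorted(unknown)}")
    if "timestamp" not in placeholders:
        raise ValueError("the timestamp variable is mandatory")

    now = now or datetime.now(timezone.utc)
    rendered = {"timestamp": now.strftime(TIMESTAMP_FORMAT)}
    for var in placeholders - {"timestamp"}:
        rendered[var] = normalize_component(str(values.get(var, "")))

    name = normalize_component(template.format(**rendered))
    if len(name) > MAX_FOLDER_NAME_LENGTH:
        raise ValueError(f"folder name exceeds {MAX_FOLDER_NAME_LENGTH} characters: {name!r}")
    return name


def evidence_repository_path(organization: str, template: str, values: dict,
                             now: Optional[datetime] = None) -> str:
    """Normalized organization-level folder followed by the templated folder."""
    return f"{normalize_component(organization)}/{render_folder_name(template, values, now)}"


if __name__ == "__main__":
    # Constructed sample values for a single acquisition.
    sample = {"case_name": "Case 42: Ransomware", "task_name": "Full Triage"}
    print(evidence_repository_path("Acme Corp, Inc.",
                                   "{timestamp}_{case_name}_{task_name}", sample))
```

Rejecting an over-long name instead of truncating it keeps the mandatory timestamp and the operator's chosen variables intact; a truncated name could drop the very component that distinguishes two tasks in the same case.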


AIR – User Experience Improvements

Resizable Modal Pages

The AIR Console’s modal pages are now fully resizable. Analysts reviewing collected evidence or findings can adjust the panel dimensions for better visibility of artifact details or visual data such as screenshots and event matrices. This improves usability during in-depth investigative reviews where comparison between multiple views or correlated data points is necessary.

User Search Field for Case Visibility

Investigation managers can now search the user list when assigning case visibility. This feature adds a responsive search bar within the assignment modal, enabling faster and more accurate selection in accounts with extensive user bases. The enhancement improves access management speed during time-sensitive investigations and reduces operational friction in large collaborative environments.

Search Count for Acquisition Profile Evidence Groups

Previously, when assigning a user to a case, the user list did not include a search functionality, making it difficult to find a specific user. With this update, a search field has been added to the user list, allowing users to quickly find and assign the desired user to a case.


TACTICAL – Windows Evidence Analysis

Enhanced Evidence Context Availability

Improvements to Windows evidence processing address inconsistencies in how UserAssist and Amcache artifacts are parsed and presented. Timestamp and metadata normalization ensures these artifacts align correctly within investigative timelines, reducing ambiguity during activity reconstruction. This results in a more reliable interpretation of user execution and application usage on Windows assets.


Bug Fixes

  • Duplicate Endpoint Registration Conflict: Fixed an issue where Linux assets with unique responder IDs were assigned the same Endpoint ID, causing visibility conflicts and continuous audit log generation. The updated logic ensures unique endpoint registration across redeployments, preserving accurate asset representation within the console.

  • UserAssist Focus Time Conversion: Addressed incorrect conversion of Focus Time values in the UI. Metrics now accurately reflect recorded milliseconds, resolving analytical inconsistencies during timeline correlation or application activity reviews.

  • DRONE YARA Recursion Logic: Fixed an infinite recursion logic issue when scanning root directories in DRONE Yara analysis configurations. Scans now properly adhere to defined recursion levels, improving performance and preventing unintended recursive loops.

  • Shellbag Timestamp Alignment: DRONE now consistently uses slot_modified_time across all Shellbag-related findings. This provides investigators a reliable timestamp metric for access chronology during Windows environment analysis.

  • Event Log Search Result Handling: Addressed additional error conditions that occasionally caused “No Records Found” messages during event record access. UI synchronization now ensures consistent linkage between findings and underlying records.

  • Sigma XML Key/Value Filtering: Improved XML key/value handling in Sigma parser to correctly evaluate multi-key comparisons. The updated logic ensures more accurate correlation for WMI persistence detection cases and similar behavioral rules.

  • Amcache Inconsistency Fix: Corrected parsing mismatches leading to missing Amcache entries compared to third-party tools. Analysts now receive a more comprehensive and validated dataset during Windows artifact review.
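The UserAssist Focus Time fix above comes down to treating the stored value in its real unit. As an added example (not Binalyze's parser), the block below decodes one UserAssist registry value the way a forensic tool does: the value name is ROT13-encoded, and the 72-byte data blob on Windows 7 and later carries the run count, focus count, focus time in milliseconds and a FILETIME of the last execution at fixed offsets. The sample name and data are constructed in the code itself; the GUID-style prefix and program name are placeholders, not values from the page.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Windows 7+ UserAssist value data, 72 bytes little-endian:
#   0: session id    4: run count     8: focus count   12: focus time (milliseconds)
#  16: ten floats   56: unknown      60: last executed (FILETIME)   68: unknown
USERASSIST_STRUCT = struct.Struct("<IIII10fIQI")

_ROT13 = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)


def rot13(text: str) -> str:
    """UserAssist value names are ROT13-encoded; the transform is its own inverse."""
    return text.translate(_ROT13)


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(moment: datetime) -> int:
    """Inverse of filetime_to_datetime, used here only to build sample data."""
    return ((moment - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_userassist_entry(value_name: str, data: bytes) -> dict:
    """Decode one UserAssist value into analyst-facing fields."""
    if len(data) != USERASSIST_STRUCT.size:
        raise ValueError(f"expected {USERASSIST_STRUCT.size} bytes, got {len(data)}")
    fields = USERASSIST_STRUCT.unpack(data)
    focus_ms = fields[3]
    return {
        "program": rot13(value_name),
        "run_count": fields[1],
        "focus_count": fields[2],
        # The focus time field is milliseconds. Interpreting it as seconds
        # would inflate every value 1000x, so the unit is fixed here, once.
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_executed": filetime_to_datetime(fields[15]),
    }


# Constructed sample: ROT13 of "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe",
# 7 runs, 3 focus events, 125 000 ms (2 min 5 s) of focus, last run
# 2024-03-15 12:00:00 UTC. Not data from the release notes.
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"
SAMPLE_DATA = USERASSIST_STRUCT.pack(
    0, 7, 3, 125_000, *([0.0] * 10), 0,
    datetime_to_filetime(datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)), 0,
)

if __name__ == "__main__":
    entry = parse_userassist_entry(SAMPLE_NAME, SAMPLE_DATA)
    for key, value in entry.items():
        print(f"{key:>14}: {value}")
```

Keeping the focus time as a `timedelta` rather than a bare integer makes the unit part of the type, so a UI or timeline layer cannot reinterpret it as seconds further downstream.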



Binalyze MITRE ATT&CK Analyzer is now at version 11.5.0

Dynamo Analyzer

The Dynamo Analyzer received maintenance updates focusing on rule accuracy and identification breadth. Legacy detections tied to administrative share naming have been removed, while SRUM analysis references were standardized across application, network, and timeline dimensions. Additionally, detection coverage now includes a broader set of known hacker tool names to support proactive identification of malicious utilities during automated analysis.

MITRE ATT&CK Analyzer / YARA

The updated ATT&CK and YARA definitions expand recognition across several adversary techniques used by groups such as Tomiris. The analyzer now detects the JLORAT infector implant, ReverseSocks5 proxy utilities, and kernel drivers associated with privilege escalation or stealth behaviors. Rule refinements include additional suspicious keywords such as “ReverseShell” used in executable build paths. Together, these updates enhance AIR’s ability to expose covert persistence and remote access mechanisms unseen by prior rule sets.

Sigma

DRONE now integrates the latest Sigma rule corpus from both SigmaHQ and Hayabusa repositories. This ensures continuous alignment with community detection research and provides analysts with up-to-date behavioral coverage for Windows event patterns and adversary techniques.
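The Sigma fix listed under Bug Fixes (multi-key comparisons against XML key/value data) and the rule corpus update above both rest on the same evaluation semantics: inside one selection map every key must match, a list of values for a key is a set of alternatives, and the `condition` string combines named selections. The block below is an added example, not DRONE's Sigma engine, of a minimal evaluator that flattens a Windows event's XML into key/value pairs and applies those semantics. The event and the rule are constructed for the example; the rule is written in Sigma style but is not a SigmaHQ or Hayabusa rule, and the account name in its filter is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def flatten_event(xml_text: str) -> dict:
    """Turn a Windows event XML document into a flat key/value mapping."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    fields = {
        "EventID": system.findtext("e:EventID", namespaces=EVT_NS),
        "Channel": system.findtext("e:Channel", namespaces=EVT_NS),
        "Provider_Name": system.find("e:Provider", EVT_NS).get("Name"),
    }
    for data in root.findall("e:EventData/e:Data", EVT_NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def _match_value(actual, expected, modifier: str) -> bool:
    # Sigma string comparisons are case-insensitive.
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e


def match_selection(selection: dict, event: dict) -> bool:
    """Map semantics: all keys must match (AND); list values are alternatives (OR)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        alternatives = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event[field], alt, modifier) for alt in alternatives):
            return False
    return True


def evaluate_condition(condition: str, results: dict) -> bool:
    """Evaluate a condition such as 'selection and not filter' over selection results."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def expr():                       # expr := term ('or' term)*
        value = term()
        while peek() == "or":
            take()
            rhs = term()
            value = value or rhs
        return value

    def term():                       # term := factor ('and' factor)*
        value = factor()
        while peek() == "and":
            take()
            rhs = factor()
            value = value and rhs
        return value

    def factor():                     # factor := 'not' factor | '(' expr ')' | NAME
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            take()                    # closing parenthesis
            return value
        return results[tok]

    result = expr()
    if pos != len(tokens):
        raise ValueError(f"unparsed condition tokens: {tokens[pos:]}")
    return result


def rule_matches(rule: dict, event: dict) -> bool:
    detection = rule["detection"]
    results = {name: match_selection(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], results)


# Constructed Sigma-style rule: a WMI event consumer being created (Sysmon
# event 20) with a script or command-line consumer type; the filter account
# is a placeholder for a known provisioning identity.
WMI_CONSUMER_RULE = {
    "title": "WMI event consumer created (constructed example)",
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection": {"EventID": "20", "Operation": "Created",
                      "Type": ["Script", "Command Line"]},
        "filter_known": {"User|endswith": "\\svc_sccm"},
        "condition": "selection and not filter_known",
    },
}

# Constructed sample event in Windows event XML form.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>20</EventID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
  </System>
  <EventData>
    <Data Name="EventType">WmiConsumerEvent</Data>
    <Data Name="Operation">Created</Data>
    <Data Name="User">ACME\\jdoe</Data>
    <Data Name="Name">Backup Consumer</Data>
    <Data Name="Type">Script</Data>
    <Data Name="Destination">ActiveScriptEventConsumer</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    print(rule_matches(WMI_CONSUMER_RULE, flatten_event(SAMPLE_EVENT)))
```

The case that the bug fix describes is visible in `match_selection`: an event that satisfies `EventID` and `Operation` but not `Type` must not fire, which only holds if every key in the map is checked rather than the first one that matches.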