Advanced Time Display and Copy Options – The DateTime component within AIR Console now allows analysts to view and copy timestamps in multiple formats including UTC, ISO, local, and relative time. This enhancement streamlines correlation activities across multiple evidence sources and logs during complex investigations.
Improved Kerberos Event Collection for KDC Event ID 42 – Added support for critical Kerberos Key Distribution Center events (Event ID 42) within default Windows event collection profiles. This expands detection visibility for authentication downgrade or anomaly scenarios often relevant in enterprise breaches.
The DateTime display now includes a contextual pop‑over that shows the same instant in several formats: UTC (both ISO 8601 and plain), local, relative, and timestamp representations. This multi‑format visibility simplifies event timeline correlation during investigations where evidence originates from assets in different time zones.
When copying any timestamp, AIR generates an event record, supporting operational auditing and user behavior tracking. This aids analysts by ensuring that every time reference used in investigation reports maintains forensic‑level traceability.
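The value of the multi-format view is that correlation happens on the UTC instant rather than on the text each source wrote. The following is an added illustration, not AIR code: it normalises timestamps from three constructed evidence sources with different UTC offsets, orders them correctly, and renders one instant in the ISO 8601 UTC, plain UTC, local, relative and epoch forms. The source names, offsets, the analyst zone (CET) and the fixed "now" are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the same incident as recorded by three evidence sources
# whose clocks report different UTC offsets (offsets are illustrative).
EVENTS = [
    ("dc01 Security.evtx", "2024-05-14T09:12:03+03:00"),
    ("proxy syslog", "2024-05-14T06:10:59Z"),
    ("laptop $MFT", "2024-05-14T02:11:30-04:00"),
]

# Assumption: the analyst works in CET; a fixed 'now' keeps output reproducible.
ANALYST_TZ = timezone(timedelta(hours=1), "CET")
NOW = datetime(2024, 5, 14, 7, 0, tzinfo=timezone.utc)


def parse_iso(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp into an aware datetime.

    A trailing 'Z' is accepted (older Pythons reject it in fromisoformat) and a
    value with no UTC offset is refused, so a zone is never silently assumed.
    """
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp carries no UTC offset: {ts}")
    return dt


def to_utc_iso(dt: datetime) -> str:
    """Canonical ISO 8601 UTC string with a 'Z' suffix."""
    utc = dt.astimezone(timezone.utc)
    return utc.isoformat(timespec="seconds").replace("+00:00", "Z")


def relative(delta: timedelta) -> str:
    """Human-readable 'N units ago' for a non-negative delta."""
    secs = int(delta.total_seconds())
    if secs < 0:
        raise ValueError("event lies in the future relative to 'now'")
    for unit, size in (("day", 86400), ("hour", 3600), ("minute", 60)):
        if secs >= size:
            n = secs // size
            return f"{n} {unit}{'s' if n != 1 else ''} ago"
    return f"{secs} second{'s' if secs != 1 else ''} ago"


def render(ts: str, local_tz: timezone, now: datetime) -> dict:
    """Return one instant in the formats the pop-over exposes."""
    utc = parse_iso(ts).astimezone(timezone.utc)
    return {
        "iso_utc": to_utc_iso(utc),
        "utc": utc.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "local": utc.astimezone(local_tz).strftime("%Y-%m-%d %H:%M:%S %Z"),
        "relative": relative(now - utc),
        "epoch": int(utc.timestamp()),
    }


def correlate(events) -> list:
    """Order mixed-zone events on the UTC instant, not on the written text."""
    ordered = sorted(events, key=lambda e: parse_iso(e[1]).astimezone(timezone.utc))
    return [(src, to_utc_iso(parse_iso(ts))) for src, ts in ordered]


if __name__ == "__main__":
    for src, ts in correlate(EVENTS):
        print(src, render(ts, ANALYST_TZ, NOW))
```

Sorting the raw strings would put the laptop entry (02:11 local) first; sorting on the UTC instant places the proxy record first, then the laptop, then the domain controller, which is the order the attacker actually moved in.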
The predefined acquisition profiles for Full, Quick, and Compromise Assessment evidence collection now capture broader and more relevant event record IDs. The expansion improves coverage for key system, security, and application events often linked to suspicious activities or lateral movement indicators.
Analysts benefit from improved context in timeline analysis and reduced need to manually configure event lists. With 214 events in the Full profile, 78 in Quick, and 31 in Compromise Assessment, investigation teams gain deeper operational visibility while maintaining efficient collection volumes.
Event ID 42 from the Microsoft‑Windows‑Kerberos‑Key‑Distribution‑Center provider is now included in the default Windows event collection profiles. This change ensures that analysts can identify and investigate Kerberos authentication anomalies such as RC4‑HMAC downgrade attempts. The inclusion streamlines detection workflows without requiring custom configuration, strengthening security visibility across enterprise assets.
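Once the records are collected, the triage step is to match on provider name and event ID together (many providers reuse small IDs such as 42) and to summarise which accounts the KDC is complaining about. The block below is an added example, not part of AIR or DRONE: it parses constructed Windows event XML records, keeps only Event ID 42 from the Microsoft‑Windows‑Kerberos‑Key‑Distribution‑Center provider, and counts hits per account and per domain controller. The record layout inside EventData (a single unnamed Data element holding the account name), the host names, the account names, the sample provider "Contoso-Sample-Provider" and the use of KDC Event ID 16 as a non-matching control record are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
KDC_PROVIDER = "Microsoft-Windows-Kerberos-Key-Distribution-Center"
KDC_WEAK_KEYS_EVENT_ID = 42


def _record(provider: str, event_id: int, computer: str, account: str) -> str:
    """Build one constructed event record in Windows event XML form.

    The <EventData> layout (one unnamed <Data> holding the account) is an
    assumption for this example; real records use the provider's field names.
    """
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="{provider}"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="2024-05-14T06:12:03.000000Z"/>
    <Channel>System</Channel>
    <Computer>{computer}</Computer>
  </System>
  <EventData><Data>{account}</Data></EventData>
</Event>"""


# Constructed sample export; host and account names are illustrative.
SAMPLE_RECORDS = [
    _record(KDC_PROVIDER, 42, "dc01.corp.example", "svc_backup"),
    _record(KDC_PROVIDER, 42, "dc01.corp.example", "svc_sql"),
    _record(KDC_PROVIDER, 42, "dc02.corp.example", "svc_backup"),
    _record(KDC_PROVIDER, 16, "dc01.corp.example", "svc_backup"),          # same provider, other ID
    _record("Contoso-Sample-Provider", 42, "dc01.corp.example", "n/a"),   # same ID, other provider
]


def parse_event(xml_text: str) -> dict:
    """Extract the fields a filter needs from one event record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVENT_NS)
    return {
        "provider": system.find("e:Provider", EVENT_NS).get("Name"),
        "event_id": int(system.findtext("e:EventID", namespaces=EVENT_NS)),
        "computer": system.findtext("e:Computer", namespaces=EVENT_NS),
        "time": system.find("e:TimeCreated", EVENT_NS).get("SystemTime"),
        "data": [d.text for d in root.findall("e:EventData/e:Data", EVENT_NS)],
    }


def is_kdc_weak_key_event(ev: dict) -> bool:
    """Match on provider AND event ID; ID alone collides across providers."""
    return ev["provider"] == KDC_PROVIDER and ev["event_id"] == KDC_WEAK_KEYS_EVENT_ID


def summarize(records) -> dict:
    """Count matching records per account and list the DCs that logged them."""
    hits = [e for e in (parse_event(r) for r in records) if is_kdc_weak_key_event(e)]
    per_account = Counter(e["data"][0] for e in hits if e["data"])
    return {
        "matches": len(hits),
        "accounts": dict(per_account),
        "dcs": sorted({e["computer"] for e in hits}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
```

Accounts that recur across several domain controllers are the ones to prioritise: repeated Event 42 entries for one service account point at a credential still carrying RC4‑only keys, which is exactly the condition a downgrade attempt relies on.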
The default view within the File Explorer has been expanded to display 100 items per page by default. This change enhances usability during evidence review by reducing pagination and improving contextual visibility for analysts exploring large directory structures within acquired disk images.
File path handling has been improved when selecting multiple directories for evidence collection. The fix ensures that each directory path is independently compiled, enabling accurate retrieval of targeted evidence folders without unwanted path concatenation. Analysts can now confidently select multiple structures in a single acquisition operation with predictable results.
In certain environments, endpoint name change events could previously be triggered by misconfigured deployments, particularly golden image deployments that did not follow the provided deployment guidelines. This could produce a high volume of asset name changes, each generating audit logs and triggering updates on investigations. The combination of frequent asset name updates, audit log generation, and related notifications created significant system load and degraded performance.
To improve overall system performance and protect core AIR functionality, endpoint name change handling on investigations, the related audit log generation, and the event‑based notifications for endpoint name changes have been removed, as their operational impact outweighed their functional value. The warning status indicating a high number of endpoint name changes, originally added to flag improper golden image deployments, has also been removed because it relied on that audit log data.
Underlying logic within DRONE Analyzer and evidence re‑analysis workflows has been refined to prevent nil cache entries that could cause tasks to stall. This ensures that re‑analysis operations on pre‑collected evidence now execute reliably, providing uninterrupted automation for retrospective detection.
The update improves the integrity of re‑analysis tasks, especially valuable for analysts conducting follow‑up reviews using newly released detection rules or refined analyzers.
User‑facing configuration fields governing evidence storage destinations have been adjusted for improved clarity. The previous technical naming has been aligned with more intuitive labels, reducing confusion when setting up automatic evidence uploads to external repositories. This small but impactful update enhances ease of use for analysts defining collection workflows or reviewing task configurations.
Responder Task Display Field Naming – Standardized the display text for save‑to‑type fields within evidence upload configurations. The corrected naming prevents user confusion during responder configuration.
Fixed responder registration handling for environments where multiple assets share identical cloud instance IDs. AIR now intelligently distinguishes assets based on unique identifiers derived from OpenStack UUID or other reliable metadata sources.
Addressed a race condition in Tactical Windows Legacy v3.22.0 that could trigger SQLite insert errors during rapid evidence writing. This fix improves the reliability of artifact acquisition on Windows assets.
Corrected path concatenation in File Explorer evidence collection so directories are properly resolved. Analysts can now select multiple target directories accurately.
Resolved organization selection dropdown disappearing after switching to API‑created organizations within the Console UI. Navigation now remains consistent across all organization types.
Improved handling for Audit Logs export API in SaaS mode to prevent timeouts during heavy system activity. The export now operates reliably even when continuous audit events are being written.
Fixed several summary and filtering issues on the AIR Home page including unreachable status filters and incorrect category filtering. Home Summary sections now accurately reflect asset and case status counts.
Improved Auto‑Scaling and Recovery Stability for SaaS Tenants – Some SaaS tenants previously experienced extended auto‑scaling and recovery durations due to a potential issue in database connection handling during application startup, which has now been addressed.
The Dynamo Analyzer updates focus on refining detection precision and reducing noise. Obsolete functions were removed to streamline the analysis pipeline. False‑positive suppression improvements now filter benign command‑line events from common Windows system processes. A new RunMRU analyzer identifies potentially suspicious commands launched from registry RunMRU entries, giving analysts contextual insight into executed commands that may indicate persistence or manual execution attempts.
Detection for high‑risk file extensions in email attachments was expanded, enhancing visibility into initial access vectors. Overall, the update increases accuracy and ensures faster, cleaner analytical output across browser, shimcache, and process‑based evidence.
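The RunMRU key records what a user typed into the Run dialog, so the analyzer's job is to recover the commands in recency order and flag the ones that look like hands‑on‑keyboard execution. The block below is an added example, not Dynamo's own code or rules: it parses a constructed dump of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, orders the slots by the MRUList value (most recent first), strips the trailing "\1" that Explorer appends, and tags entries against a small illustrative indicator set. The sample commands, the UNC host, the indicator patterns and the flag names are assumptions made for the example; the encoded payload is the UTF‑16LE Base64 of the string "IEX".

```python
import re

RUNMRU_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Constructed RunMRU dump (value name -> REG_SZ data); not from a real host.
# Explorer stores each Run-dialog command in a one-letter value with a
# trailing "\1" and keeps recency order in MRUList, most recent first.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\10.0.0.5\\share\\update.bat\\1",
    "c": "powershell -nop -w hidden -enc SQBFAFgA\\1",
}

# Illustrative indicators (assumption: not the Dynamo rule set).
SUSPICIOUS = {
    "encoded-powershell": re.compile(
        r"\b(powershell|pwsh)\b.*\s-(e|ec|enc|encodedcommand)\b", re.I),
    "hidden-window": re.compile(r"\s-(w|win|windowstyle)\s+hidden\b", re.I),
    "unc-path": re.compile(r"^\\\\[^\\]+\\"),
    "lolbin-download": re.compile(
        r"\b(certutil\b.*-urlcache|bitsadmin\b.*/transfer|mshta\b.*https?:|regsvr32\b.*/i:https?:)",
        re.I),
}


def parse_runmru(values: dict) -> list:
    """Return RunMRU entries most-recent-first with any indicator flags."""
    order = values.get("MRUList")
    # Without MRUList the order is unknown; fall back to slot name order.
    slots = list(order) if order else sorted(k for k in values if k != "MRUList")
    entries = []
    for slot in slots:
        raw = values.get(slot)
        if raw is None:
            continue  # MRUList may still reference a slot that was deleted
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        flags = sorted(name for name, rx in SUSPICIOUS.items() if rx.search(cmd))
        entries.append({"slot": slot, "command": cmd, "flags": flags})
    return entries


def suspicious_entries(values: dict) -> list:
    """Only the entries that matched at least one indicator."""
    return [e for e in parse_runmru(values) if e["flags"]]


if __name__ == "__main__":
    for e in parse_runmru(SAMPLE_RUNMRU):
        print(e["slot"], e["command"], e["flags"])
```

Keeping the MRUList order matters for the timeline: the slot letters themselves say nothing about recency, and an entry that MRUList no longer references was overwritten or cleared, which is itself worth noting in a report.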
The YARA and MITRE ATT&CK analyses have been strengthened with new detections for threats such as Pulsar RAT, Interlock ransomware components, OrcaC2 implants, and CrashFix malicious extension. Analysts can now detect these families automatically during DRONE analysis without supplementary rules. Network‑based remote access tools like NetSupport now generate higher‑severity alerts given their frequent use in unauthorized remote access operations. In addition, detections for PowerShell scripts employing XOR obfuscation on Base64 payloads help spot evasion techniques in investigations. The expanded coverage reduces manual rule management and offers forensic‑level detection depth across evidence sets.
DRONE now integrates the latest Sigma rule releases from SigmaHQ and Hayabusa repositories, updating hundreds of correlation patterns for system logs and security events. These enhancements ensure that investigation teams leverage community‑validated behavioral signatures to identify new adversary techniques within collected evidence.