The AIR Console now manages MITRE ATT&CK Rules package downloads more efficiently, with improved retry logic and automatic validation of transferred data. This helps investigation teams working with MITRE ATT&CK–based analyses retrieve required rule packs faster and with higher reliability. Both SaaS and on‑prem deployments benefit from improved throughput and reduced risk of incomplete downloads.
For investigators, the workflow remains familiar—files can be accessed as before—but with improved backend resilience that prevents partial or failed transfers during case setup or rule package preparation.
Several backend reliability upgrades improve job queue processing for evidence analysis tasks. Internal job queues now remain paused until the Console completes its initialization sequence, ensuring that task execution begins only after all supporting services and handlers are fully ready. This eliminates transient startup errors that could interrupt ongoing evidence correlation or report generation.
In addition, enhanced Redis management provides persistent connections with automatic reconnection and graceful shutdown handling. For investigation teams, this results in more predictable response times, fewer processing delays, and stable operation throughout large‑scale evidence analysis or remote tasking.
Responders now include improved logic for downloading MITRE ATT&CK rule packages directly from the Console. The adjustment reinforces download integrity checks and error handling, ensuring that field‑deployed Responders continue to receive complete and verified rule sets even when bandwidth conditions fluctuate.
Analysts can rely on the updated Responder behavior when conducting concurrent deployments—automation processes now manage retries transparently without interrupting evidence collection or analysis.
Isolation tasks now sever existing network connections instantly while maintaining console visibility. When triggered from the AIR Console, the isolation command enforces immediate disconnection rather than waiting for session idle timeouts. This enables faster containment and limits adversary access during active compromise scenarios.
For investigation teams, this capability enables surgical containment—Responders stay reachable throughout the investigation, allowing analysts to continue evidence collection and validation even while an asset remains isolated from external communications.
Additional error handling mechanisms improve the robustness of Redis‑based caching and synchronization processes used by AIR Console. These refinements prevent stale or orphaned connections and ensure all cache operations shut down cleanly, eliminating residual session locks that could previously delay queue releases or backend synchronization.
The Analyzer now includes expanded detection coverage for multiple adversary toolsets. New and refined rules enhance visibility into DeskRAT activity, a Golang‑based remote access threat associated with TransparentTribe (APT36), and broadened LockBit 5.0 variant identification across Windows and Linux environments. Additional patterns expand recognition of reconnaissance scripts performing host and network enumeration, now including Python sources. Version 12.5.0 further introduces updated definitions for MuddyWater operations, including Bugsleep backdoor and GhostFetch loader components, improving attribution confidence and categorization accuracy. Minor tuning refines YARA rule quality and reduces false positives.
DRONE incorporates the most recent rule updates from both SigmaHQ and Hayabusa repositories. These continuous updates maintain alignment with community‑endorsed detection analytics, ensuring that new adversary behaviors are promptly reflected in investigation findings and Hunt/Triage rule evaluations.
Dynamo Analyzer’s classification models have been refined for large file transfer and sharing services, providing more accurate domain categorization and improved mapping to MITRE tactics. These changes help analysts better contextualize outbound activity related to data exfiltration or lateral tool sharing during investigations.