Release Notes - AIR

Binalyze AIR v5.14

Written by Elif Kurt | Mon, Mar 16, '26

What’s New?

  • Git-Managed Triage Rules: Security and investigation teams can now connect their organization’s Git repositories (GitHub, GitLab, Azure DevOps, or Bitbucket) directly to AIR to manage YARA, Sigma, and osquery triage rules as their single source of truth. This integration supports webhook-based synchronization, secure token handling, and ownership modes such as Mirror or Fork, ensuring consistent, auditable rule management during investigations.

  • Syslog Event Filtering for SIEM Integrations: SIEM-connected environments can now configure which AIR events are forwarded via Syslog. Analysts can focus on critical events, such as login failures or case creation, and exclude repetitive operational data to improve visibility in Splunk, QRadar, or Microsoft Sentinel.

New Features & Improvements

Hunt/Triage

Git-Managed Triage Rules

Analysts can now manage triage rule repositories directly within AIR using Git integrations. Supported platforms include GitHub, GitLab (both cloud and self-hosted), Azure DevOps, and Bitbucket. This update allows analysts to import rulesets as read-only Mirrors or organization-controlled Forks.

Synchronization is asynchronous and resilient, with built-in safeguards for file size and repository limits to prevent performance degradation. Webhooks have been added to trigger automatic updates upon commit or push events, and analysts can review sync details through the interface.

This feature strengthens governance and repeatability of Hunt/Triage operations by ensuring that rule sources are traceable, consistent, and version controlled — vital for regulated or multi-tenant organizations performing coordinated investigations.

Sigma Rule Metadata in Findings

The DRONE analysis component now surfaces additional metadata for Sigma-based findings, including rule Author and Status. Analysts can filter or group results based on these attributes to prioritize confirmed rules and distinguish experimental detections during evidence review.

This improvement encourages more focused security analysis workflows, ensuring organizations can tune detection interpretation based on operational relevance and reliability.
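The filtering and grouping described above can be reproduced outside the console when triaging exported findings. The following is an added example, not Binalyze or DRONE code: it reads the top-level `author` and `status` fields from Sigma rule headers (the status values are those defined by the Sigma rule specification), attaches them to findings, and orders the result so confirmed rules are reviewed before experimental ones. The rule texts, rule ids and findings are constructed for illustration.

```python
"""Group Sigma-based findings by rule status and author.

Added example (not AIR/DRONE code). Only unindented `key: value` lines of
a Sigma rule are read, which is enough for title/id/status/author and
avoids a YAML dependency. Rules and findings below are constructed.
"""
from collections import defaultdict

# Review order: lower number = review first. Status names follow the Sigma spec.
STATUS_PRIORITY = {"stable": 0, "test": 1, "experimental": 2,
                   "deprecated": 3, "unsupported": 4}


def parse_sigma_header(rule_text):
    """Extract top-level scalar fields from a Sigma rule.

    Indented lines (detection block, logsource, lists) and keys without a
    value (e.g. `detection:`) are skipped.
    """
    fields = {}
    for line in rule_text.splitlines():
        if not line or line[0].isspace() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip().strip("'\"")
    return fields


def enrich_findings(findings, rules):
    """Attach rule author and status to each finding, matched by rule id.

    A finding whose rule is not in the set keeps status 'unknown' so it
    sorts last but is never silently dropped.
    """
    by_id = {r["id"]: r for r in rules}
    enriched = []
    for f in findings:
        meta = by_id.get(f["rule_id"], {})
        enriched.append({**f,
                         "author": meta.get("author", "unknown"),
                         "status": meta.get("status", "unknown")})
    return enriched


def group_by_status(enriched):
    groups = defaultdict(list)
    for f in enriched:
        groups[f["status"]].append(f)
    return dict(groups)


def prioritized(enriched):
    """Findings ordered so confirmed (stable) rules come first."""
    return sorted(enriched,
                  key=lambda f: (STATUS_PRIORITY.get(f["status"], 99), f["rule_id"]))


# Constructed Sigma rule headers (not real SigmaHQ rules).
RULE_A = """\
title: Example Stable Rule
id: 11111111-1111-1111-1111-111111111111
status: stable
author: Analyst One
detection:
    selection:
        EventID: 4625
    condition: selection
"""
RULE_B = """\
title: Example Experimental Rule
id: 22222222-2222-2222-2222-222222222222
status: experimental
author: Analyst Two
detection:
    selection:
        Image|endswith: example.exe
    condition: selection
"""
RULES = [parse_sigma_header(r) for r in (RULE_A, RULE_B)]

# Constructed findings; the third references a rule not in the set.
FINDINGS = [
    {"asset": "host-01", "rule_id": "22222222-2222-2222-2222-222222222222"},
    {"asset": "host-01", "rule_id": "11111111-1111-1111-1111-111111111111"},
    {"asset": "host-02", "rule_id": "33333333-3333-3333-3333-333333333333"},
]

if __name__ == "__main__":
    for f in prioritized(enrich_findings(FINDINGS, RULES)):
        print(f["status"], f["author"], f["asset"], f["rule_id"])
```

Findings from rules that are missing from the rule set are kept with status `unknown` rather than discarded, so a gap in rule metadata shows up in review instead of hiding a detection.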

Settings and Integration

Syslog Event Filtering for SIEM Integration

Organizations integrating AIR with external SIEM solutions can now tailor which events are transmitted through Syslog. Three filtering modes are supported: send all events (default), include only selected events, or exclude specified event types. This capability allows security operations teams to minimize noise while ensuring that critical, high-value activities—such as case creation and authentication events—are always streamed.

In addition, AIR’s analytics now report adoption statistics for this feature, helping administrators audit configuration changes through integrated usage metrics.

For security analysts, this enhancement means more concise, actionable event data reaching their SIEM, enabling faster triage and correlation within broader detection ecosystems.
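To make the three filtering modes concrete, and to show the kind of check a SIEM owner should run after changing them, here is an added example that is not part of AIR or its Syslog implementation. It models the "send all", "include only selected" and "exclude specified" decisions over a constructed audit log, then compares the event types the policy should have forwarded against what a SIEM actually received, so silently missing event categories are surfaced. Event type names and records are constructed for illustration.

```python
"""Model of Syslog event filtering (all / include / exclude) plus a
reconciliation check between the local audit log and the SIEM.

Added example, not AIR's implementation. Event type names and log
records are constructed.
"""
from enum import Enum


class FilterMode(Enum):
    ALL = "all"          # default: forward every event
    INCLUDE = "include"  # forward only the listed event types
    EXCLUDE = "exclude"  # forward everything except the listed types


def should_forward(event_type, mode, selected):
    """Decide whether one event type is forwarded under a policy."""
    if mode is FilterMode.ALL:
        return True
    if mode is FilterMode.INCLUDE:
        return event_type in selected
    if mode is FilterMode.EXCLUDE:
        return event_type not in selected
    raise ValueError(f"unknown mode: {mode}")


def apply_policy(events, mode, selected):
    """Return the events that the policy forwards, in original order."""
    return [e for e in events if should_forward(e["type"], mode, selected)]


def forwarding_gaps(audit_events, siem_received, mode, selected):
    """Event types the policy says must be forwarded but that never
    reached the SIEM. A non-empty result means the Syslog path is
    dropping a category that the local audit log still records."""
    expected = {e["type"] for e in apply_policy(audit_events, mode, selected)}
    received = {e["type"] for e in siem_received}
    return sorted(expected - received)


# Constructed local audit log
AUDIT_LOG = [
    {"id": 1, "type": "user.login.failed", "user": "analyst1"},
    {"id": 2, "type": "case.created", "user": "analyst1"},
    {"id": 3, "type": "asset.heartbeat", "user": None},
    {"id": 4, "type": "api_token.created", "user": "admin"},
    {"id": 5, "type": "asset.heartbeat", "user": None},
    {"id": 6, "type": "api_token.deleted", "user": "admin"},
]

# Constructed view of what the SIEM received: the token events are missing.
SIEM_RECEIVED = [
    {"type": "user.login.failed"},
    {"type": "case.created"},
]

# Two equivalent policies for this log: whitelist the critical types, or
# blacklist the noisy one.
CRITICAL = {"user.login.failed", "case.created",
            "api_token.created", "api_token.deleted"}
NOISY = {"asset.heartbeat"}

if __name__ == "__main__":
    print([e["id"] for e in apply_policy(AUDIT_LOG, FilterMode.INCLUDE, CRITICAL)])
    print(forwarding_gaps(AUDIT_LOG, SIEM_RECEIVED, FilterMode.INCLUDE, CRITICAL))
```

Running the reconciliation periodically (not just once after configuration) is what turns the filter from a noise reducer into something auditable: the expected set is derived from the same policy the forwarder uses, so a drift between the two shows up as a named event type.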

License Usage and Capacity Consistency

License usage reporting has been refined to provide more consistent asset and server capacity data across multiple AIR Consoles sharing a license key. Server and asset counters now more accurately reflect real-time usage, helping administrators maintain compliance and visibility across distributed deployments.

Network Isolation Improvements (Linux & macOS)

Network isolation on endpoints has been enhanced to address critical security gaps. Inbound and outbound traffic is now consistently filtered, and all pre-existing TCP connections are terminated when isolation is activated.

DNS and DHCP handling has also been improved: both can now be enabled or disabled directly from Policies. When enabled during isolation, DNS/DHCP traffic is allowed system-wide. Additionally, exclusion policies for IPs and processes are now enforced bidirectionally (both inbound and outbound).

If the exclusion policy is empty, all inbound traffic and system DNS are blocked while DHCP remains allowed. These changes ensure more consistent and reliable endpoint isolation across Linux and macOS.

Responder and Tactical Components

Improved Collector Behavior Under Disk Space Constraints

Offline Responder collectors handling CSV operations now terminate gracefully when disk space is depleted. Previously, insufficient disk capacity could trigger excessive repeated logs. The updated behavior ensures immediate error signaling with accurate exit codes, helping analysts distinguish between types of collector failure and preserve assurance of the integrity of collected evidence.

MITRE Version Visibility in Task Logs

The MITRE ATT&CK database version used in task executions is now recorded in task logs and visible within Investigation Hub. This visibility helps analysts correlate findings to the correct ATT&CK version during validation, ensuring version-aligned mapping and interpretation of adversary techniques across analyses.

Responder Service Start Reliability on Windows

Improvements have been made to ensure reliable Responder service startup following Windows patching and reboots. This resolves intermittent startup timeouts that previously resulted in loss of communication between assets and the Console.

RelayPro

RelayPro Operational Enhancements

RelayPro has been strengthened with internal architecture improvements that optimize proxy performance, connection pooling, and runtime configuration. Enhanced logging and reliability safeguards were introduced to support continuous operation at scale, ensuring stable connectivity between responders and the AIR Console during active investigations and large asset populations.

Bug Fixes

  • Investigation Hub and Reporting: Resolved multiple issues related to report generation, including timeouts and incomplete exports when processing large datasets (80+ assets or hundreds of thousands of findings). These fixes ensure stable and complete report output within the Investigation Hub and Case Closure Reports.

  • Filtering Accuracy: Fixed an issue where the “NOT contains” condition in the Findings page’s Advanced Filter returned empty results. This correction restores full functionality for complex search filters used during evidence analysis.

  • File and Repository Explorer: File Explorer and Repository Explorer now load content automatically when accessed, removing the need for manual refresh. This streamlines evidence browsing and improves analyst efficiency when exploring disk images or evidence repositories.

  • Access Control and Asset Permissions: Addressed a penetration test finding indicating potential exposure of asset-group and asset-tag data to read-only roles. AIR now enforces strict access control validation to ensure users only access asset data consistent with their assigned permissions.

  • Asset Management and Role Permissions: Corrected permission logic preventing Organization Admin roles from successfully executing the “Create Disk Image Asset” action in SaaS environments. Role-based operations now behave consistently with configuration across deployment types.

  • Export Stability under Resource Load: General performance improvements were added to avoid incomplete ZIP creation or gateway timeouts during bulk export actions. These refinements help maintain system stability in high-load investigation environments.

  • API Token and Syslog Logging: Fixed inconsistencies where Create and Delete API Token events were not transmitted to external SIEMs via Syslog despite appearing in AIR’s local audit logs.

  • Audit Log Job Optimization: The DeleteOldAuditLogs job has been re-engineered to execute deletions in small batches instead of one large transaction, reducing latency and minimizing impact on shared infrastructure performance.

  • SRUM Collector Value Overflow: Fixed integer overflow that caused insertion errors during SRUM data processing, ensuring stability and accurate timeline analysis. Due to the complexity and high cost of creating a migration for existing console data, legacy records were not modified. As a result, previously opened cases that contain older field types may continue to experience errors related to type differences. To ensure correct functionality with the updated responder fields, customers should create new cases using the new responder configuration when encountering this issue.

  • Investigation Hub Evidence Refresh Issue: Fixed an issue so that after importing new evidence (CSV/PST), all existing evidence remains visible without requiring a page refresh.

  • Asset Uninstall Modal: Fixed the bug where the “Uninstall Responder” modal remained open after operations completed. The modal now closes automatically, confirming successful action completion.

  • Responder Startup Reliability: Enhanced the Windows Responder service behavior to ensure it starts successfully after system reboots following patch installations, eliminating timeout-related communication issues.
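The "Audit Log Job Optimization" fix above describes a general pattern: replacing one large delete transaction with a loop of small, independently committed batches. The following is an added example of that pattern, not AIR's DeleteOldAuditLogs implementation; it uses an in-memory SQLite table with constructed rows and a fixed clock so the result is reproducible. The table name, columns and retention period are assumptions for illustration.

```python
"""Batched deletion of old audit-log rows.

Added example (not AIR code). Each batch is its own transaction, so locks
are held briefly, other writers are not starved, and a failure mid-run
loses at most one batch of progress rather than rolling back everything.
Schema and rows are constructed for illustration.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Fixed clock so the constructed data and results are reproducible.
NOW = datetime(2026, 3, 16, tzinfo=timezone.utc)


def make_db(rows):
    """Create the constructed audit_log table and load (created_at, event) rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit_log ("
                 "  id INTEGER PRIMARY KEY,"
                 "  created_at TEXT NOT NULL,"   # ISO-8601 UTC, sorts lexically
                 "  event TEXT NOT NULL)")
    conn.execute("CREATE INDEX idx_audit_created ON audit_log(created_at)")
    conn.executemany("INSERT INTO audit_log (created_at, event) VALUES (?, ?)", rows)
    conn.commit()
    return conn


def delete_old_audit_logs(conn, cutoff, batch_size=500):
    """Delete rows older than `cutoff` in batches of `batch_size`.

    Returns (rows_deleted, batches_run). The subquery selects the oldest
    qualifying ids first, so work per transaction is bounded no matter how
    many rows qualify; the loop ends when a batch deletes nothing.
    """
    cutoff_iso = cutoff.isoformat()
    total = batches = 0
    while True:
        with conn:  # commits this batch on success, rolls back on error
            cur = conn.execute(
                "DELETE FROM audit_log WHERE id IN ("
                "  SELECT id FROM audit_log WHERE created_at < ? "
                "  ORDER BY created_at LIMIT ?)",
                (cutoff_iso, batch_size))
        if cur.rowcount == 0:
            break
        total += cur.rowcount
        batches += 1
    return total, batches


def remaining(conn):
    return conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]


def constructed_rows(n_old, n_recent, now):
    """n_old rows older than 400 days plus n_recent rows from the last n_recent days."""
    rows = []
    for i in range(n_old):
        rows.append(((now - timedelta(days=400 + i)).isoformat(), f"old-event-{i}"))
    for i in range(n_recent):
        rows.append(((now - timedelta(days=i)).isoformat(), f"recent-event-{i}"))
    return rows


def demo(batch_size=500, retention_days=365):
    """Load 1200 old + 50 recent rows, purge with the given batch size.

    Returns (rows_deleted, batches_run, rows_remaining).
    """
    conn = make_db(constructed_rows(1200, 50, NOW))
    deleted, batches = delete_old_audit_logs(
        conn, NOW - timedelta(days=retention_days), batch_size)
    return deleted, batches, remaining(conn)


if __name__ == "__main__":
    print(demo())  # (1200, 3, 50)
```

The `ORDER BY created_at LIMIT ?` subquery is what keeps each transaction small; without the index on `created_at`, every batch would rescan the table, so the index is part of the pattern, not an optional extra.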

Binalyze MITRE ATT&CK Analyzer is now at version 12.5.2

MITRE ATT&CK Analyzer / YARA

This update includes targeted false positive corrections across several YARA and MITRE-mapped detection rules. These refinements deliver more accurate detection outcomes, reducing unnecessary findings for analysts during automated DRONE analysis workflows.

Sigma

DRONE has been synchronized with the latest Sigma rule contributions from SigmaHQ and Hayabusa repositories. This ensures analysts have access to the newest community-sourced detection content aligned with current adversary techniques, extending the breadth and relevance of automated behavioral detection within AIR.