Release Notes - AIR

Binalyze AIR v5.15

Written by Elif Kurt | Wed, Apr 1, '26

What’s New?

  • Enhanced interACT Session Visibility: When reviewing historical interACT sessions, the session header now displays the specific task name, helping analysts quickly identify which live-response session they are reviewing—especially when multiple sessions are open in separate tabs. This enhancement improves investigation context and analyst efficiency.

New Features & Improvements

AIR Settings

Independent Universal Trusted Certificate Store

Analysts and administrators can now securely add and manage Trusted Certificate Authorities directly within the AIR Console. Previously, this capability was available only as part of the proxy configuration, which limited flexibility for enterprises that perform SSL inspection without a proxy or that rely on self-signed certificates. The new implementation introduces a certificate store that is independent of proxy settings, ensuring forensically sound authentication and minimizing reliance on manual container-level changes.

With this enhancement, organizations using strict SSL inspection or network monitoring can now deploy AIR without interruptions to licensing or updates. This proactive measure enhances compliance and operational continuity in high-security environments.

interACT

Display interACT Task Name in Historic Session Headers

In multi-session environments where analysts review past interACT activities, identifying the correct investigation session can be challenging. AIR now surfaces the task name (for example, “AX-Day2.2”) directly in the session header and browser tab. This improvement enhances visibility and supports faster navigation between concurrent evidence reviews.

For investigation workflows, this means analysts can immediately differentiate and correlate live-response sessions without confusion, improving auditability and speed during case validation or retrospective analysis.

Asset Management

Expanded Asset Filter Options

The Registered At field has been added to the Advanced Filters of the Assets page. Analysts can now filter assets by their registration timestamp, allowing time-based scoping for both live and historical analysis. This streamlines investigation scoping and is particularly useful when identifying assets registered during or after a known incident window.

Enhanced Auto Asset Tag Search

Tag search capabilities have been extended to include the content of tags rather than only their names. This improvement increases flexibility when classifying or correlating assets, especially in environments with rich tagging datasets. Analysts can quickly locate assets linked by contextual tag descriptions, enabling faster triage and focused response workflows.

Bug Fixes

  • Large Dataset Upload Timeout: Resolved an issue where large acquisition datasets exceeded timeout thresholds during upload or manual PPC processing. Upload stability and dataset handling within Investigation Hub have been improved to maintain continuity across extended acquisitions.

  • Windows Volume Imaging Issue: Fixed a Windows-specific image acquisition bug that caused unexpected failures during remote imaging tasks, ensuring consistent evidence capture across platforms.

  • “Key Not Found” and Authorization Errors in Console UI: Addressed errors occurring after version upgrades and during access to the Assets > Disk Images menu, affecting console usability and access control verification. Global Admin accounts now have consistent authorization visibility.

  • Git Repository Fork Mode Configuration: Resolved a configuration issue preventing edits to repositories in Fork mode where the system incorrectly enforced sync interval parameters.

  • AWS Integration Regional Limitation: Corrected the synchronization behavior that prematurely terminated global scans when a single AWS region returned an explicit deny response. AIR now continues enumeration across the remaining regions.

  • Investigation Hub Data Handling Errors: Fixed the reported null property and missing field exceptions in task processing and data publishing services. These stability fixes ensure that investigation data imports and evidence processing continue without interruption.

  • Audit Log Performance Enhancements: Improved the search and pagination performance for audit logs in environments with very large asset counts. Query execution and caching have been optimized to reduce latency and prevent timeout errors.

  • Responder Unisolation Feedback: Enhanced feedback visibility during asset unisolation attempts. Responders now display clear status information when unisolation fails or is incomplete, improving clarity during containment and recovery operations.

Binalyze MITRE ATT&CK Analyzer is now at version 13.0.1

Microsoft 365 Detection Enhancements

The DRONE Tornado Analyzer now includes new detections focused on Microsoft 365 event telemetry. Analysts can identify unauthorized configuration changes such as modifications to audit log settings, narrowing of cmdlet auditing, external sharing misconfigurations, and reduced retention policies. These detections are critical for identifying unauthorized administrative activity and potential configuration weakening tactics observed in cloud investigations.

Additional correlation improvements flag brute-force login attempts, missed MFA flows, suspicious OAuth consent grants, and mailbox permission changes commonly associated with persistence techniques in business email compromise incidents.
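As an added illustration (not the analyzer's own detection logic or signatures), the following Python shows how detections of this kind can be expressed over Microsoft 365 unified audit log records: audit log ingestion being disabled, deleted-item retention being changed, FullAccess mailbox permission grants, OAuth consent grants, and repeated failed logins. The sample records are constructed, and the field and operation names (Operation, UserId, Parameters, Set-AdminAuditLogConfig, Add-MailboxPermission, UserLoginFailed, "Consent to application.") are assumed to follow the Office 365 Management Activity API schema.

```python
from collections import Counter

# Constructed sample records (not real telemetry); field and operation names
# are modelled on the Office 365 Management Activity API schema (assumption).
SAMPLE_LOG = [
    {"Operation": "Set-AdminAuditLogConfig", "UserId": "admin@example.test",
     "Parameters": [{"Name": "UnifiedAuditLogIngestionEnabled", "Value": "False"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@example.test",
     "Parameters": [{"Name": "Identity", "Value": "cfo@example.test"},
                    {"Name": "RetainDeletedItemsFor", "Value": "1.00:00:00"}]},
    {"Operation": "Add-MailboxPermission", "UserId": "admin@example.test",
     "Parameters": [{"Name": "Identity", "Value": "cfo@example.test"},
                    {"Name": "User", "Value": "temp@example.test"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"Operation": "Consent to application.", "UserId": "cfo@example.test",
     "Parameters": []},
    {"Operation": "Set-Mailbox", "UserId": "admin@example.test",  # benign change
     "Parameters": [{"Name": "Identity", "Value": "cfo@example.test"},
                    {"Name": "DisplayName", "Value": "Chief Financial Officer"}]},
] + [{"Operation": "UserLoginFailed", "UserId": "cfo@example.test", "Parameters": []}
     for _ in range(6)]


def _params(record):
    """Flatten the Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def detect(records, failed_login_threshold=5):
    """Return (finding, actor, target) tuples for configuration-weakening and
    persistence-style events; failed logins are counted per account."""
    findings, failed = [], Counter()
    for rec in records:
        op, actor, p = rec.get("Operation", ""), rec.get("UserId", "?"), _params(rec)
        if op == "Set-AdminAuditLogConfig" and p.get("UnifiedAuditLogIngestionEnabled") == "False":
            findings.append(("audit_log_ingestion_disabled", actor, "tenant"))
        elif op == "Set-Mailbox" and "RetainDeletedItemsFor" in p:
            findings.append(("deleted_item_retention_changed", actor, p.get("Identity", "?")))
        elif op == "Add-MailboxPermission" and p.get("AccessRights") == "FullAccess":
            findings.append(("mailbox_full_access_granted", actor, p.get("Identity", "?")))
        elif op == "Consent to application.":
            findings.append(("oauth_consent_granted", actor, actor))
        elif op == "UserLoginFailed":
            failed[actor] += 1
    for account, n in failed.items():
        if n >= failed_login_threshold:
            findings.append(("repeated_failed_logins", account, f"{n} failures"))
    return findings
```

Running `detect(SAMPLE_LOG)` yields five findings; the benign Set-Mailbox display-name change is deliberately not flagged, which is the kind of baseline a real rule set must also preserve to keep false positives down.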

Sigma Rule Updates

The integrated Sigma detection library has been synchronized with the latest rule updates from the SigmaHQ and Hayabusa repositories. This alignment expands coverage across both endpoint and cloud telemetry sources, bringing enhanced detection insight into unauthorized script execution, privilege escalation, and registry modification behaviors.

MITRE ATT&CK Analyzer / YARA Enhancements

Version 13.0.1 introduces YARA-based detection for Covenant C2 Grunt HTTP stager and implant activities. These additional signatures support early identification of adversary-controlled command-and-control frameworks during evidence analysis, increasing the confidence and precision of post-incident findings.