Structured Data Viewer for JSON, XML, and YAML: AIR automatically identifies structured content within evidence and opens it in a dedicated viewer. Analysts can collapse, search, and format data for clearer insight into complex artifacts like system logs or Tornado data.
Policy Cloning: Users can now duplicate any existing isolation or acquisition policy. This streamlines the creation of consistent policies across organizations or investigation scenarios, reducing configuration errors and setup time during critical incident response actions.
Bulk Import for Isolation Policy Allow Lists: Analysts can now import IP/Port or process allow lists in bulk through text or CSV input, expediting creation of large-scale isolation rules for controlled response actions.
Evidence items that contain structured content can now be examined through a dedicated viewer. When AIR detects JSON, XML, or YAML, users can click View to open a read-only panel that offers syntax highlighting, search, line wrapping, and toggling between raw and formatted modes.
This improves readability of system logs, Event Viewer exports, or Tornado-acquired data, letting analysts interpret these formats inside the console rather than extracting them for external tools. The viewer is read-only, so it preserves forensic integrity while improving interpretability for complex datasets.
The Users table now contains fields for Created (user registration date) and Last Active (last console interaction). These additions clarify differences between login time and real-time console presence. Analysts and administrators can now see both authentication events and continuous activity, supporting audit and compliance tracking.
The “Created” column is sortable, which helps identify new or potentially unauthorized accounts swiftly. “Last Active” reflects the last heartbeat signal received from a user’s browser session, providing insight into actual system usage.
Syslog configuration updates now apply dynamically without restarting the console. This ensures uninterrupted log forwarding when updating integrations with SIEM or log management platforms during active operations.
Policy creation has been simplified with a new Duplicate action, allowing analysts to clone existing policies, including all filters, allow-list entries, and organization assignments. This is particularly valuable for large enterprises with complex, standardized configurations across multiple operational units.
To use this feature, open the Policies view, select a policy row, and choose Duplicate. The new policy opens prefilled with the selected configuration, ready for minor adjustments. It significantly reduces preparation overhead when adapting response templates across environments.
Isolation policy configuration now supports bulk entry for IP/Port and process allow lists. Investigators can paste or import multiple rows directly into the configuration dialog, where AIR validates and structures the entries automatically. This improves efficiency for incident containment planning, allowing immediate deployment of network or process restrictions at scale.
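As an added example (not Binalyze's code), here is one way the validate-and-structure step of a bulk allow-list import could work, with a constructed sample input. The row format "ip-or-cidr[,port-or-*[,tcp|udp|any]]" is an assumption for illustration; the page does not describe AIR's accepted format. Rows that fail validation are reported and dropped rather than guessed at, and an unrestricted network such as 0.0.0.0/0 is rejected because it would defeat the isolation.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed row format for this example: "<ip or cidr>[,<port or *>[,<tcp|udp|any>]]";
# blank lines and '#' comment lines are ignored.
VALID_PROTOS = ("tcp", "udp", "any")

# Constructed sample: one duplicate (host bits masked), one comment, one blank line, three bad rows.
SAMPLE_INPUT = "10.0.0.0/24,443,tcp\n10.0.0.5/24,443,TCP\n192.168.1.10\n# comment\n\n0.0.0.0/0\nnot-an-ip,80\n10.1.1.1,70000\n"

@dataclass(frozen=True)
class AllowRule:
    network: str         # normalized CIDR, e.g. "10.0.0.0/24" or "192.168.1.10/32"
    port: Optional[int]  # None means any port
    proto: str

def parse_allow_list(text: str) -> Tuple[List[AllowRule], List[str]]:
    """Return (rules, errors): invalid rows are reported and dropped, never silently fixed up."""
    rules, errors, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text), skipinitialspace=True), 1):
        cells = [c.strip() for c in row]
        if not cells or not cells[0] or cells[0].startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(cells[0], strict=False)  # masks host bits: 10.0.0.5/24 -> 10.0.0.0/24
        except ValueError:
            errors.append(f"line {lineno}: invalid IP/CIDR {cells[0]!r}")
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 would allow everything and defeat the isolation
            errors.append(f"line {lineno}: unrestricted network {cells[0]!r} rejected")
            continue
        port: Optional[int] = None
        if len(cells) > 1 and cells[1] not in ("", "*"):
            if not cells[1].isdigit() or not 1 <= int(cells[1]) <= 65535:
                errors.append(f"line {lineno}: invalid port {cells[1]!r}")
                continue
            port = int(cells[1])
        proto = cells[2].lower() if len(cells) > 2 and cells[2] else "any"
        if proto not in VALID_PROTOS:
            errors.append(f"line {lineno}: invalid protocol {cells[2]!r}")
            continue
        rule = AllowRule(str(net), port, proto)
        if rule not in seen:  # exact duplicates are merged silently
            seen.add(rule)
            rules.append(rule)
    return rules, errors
```

Returning the error list alongside the accepted rules lets the import dialog show exactly which rows were rejected before the policy is saved.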
Asset list rendering performance has been optimized for high-scale environments with hundreds of online assets. Tag updates, search, and filtering now remain consistent during background polling, ensuring dependable management of large connected fleets.
A new “Created At” filter enables analysts to view tasks executed within a specific date or time range. This is useful when correlating console performance or task behavior across simultaneous acquisitions or hunts, particularly during post-incident review.
When DRONE’s global toggle is disabled during task configuration, all individual analyzers are now correctly deselected. This clarifies configuration state and prevents unintentional analyzer execution.
The Acquisition Task behavior for disk space thresholds has been updated to ensure decimal input values are handled safely. Analysts can now enter size limits more intuitively without risking misinterpretation during collection jobs.
Failure messages during partially completed acquisitions now include clear context about missing or inaccessible evidence, aiding interpretation of collection outcomes and simplifying troubleshooting during live operations.
The macOS deployment instructions now include a “Do Not Change Filename” advisory, matching the existing Windows packaging guidance, to prevent deployment misconfiguration when installing responders in secure macOS environments.
Exports from the Investigation Hub now cache JSON keys, improve view materialization, and reduce redundant lookups, dramatically enhancing performance when exporting findings from large-scale investigations. Analysts working with hundreds of assets and thousands of findings will experience significant speed gains during CSV export.
Evidence Repository Validation: The system no longer performs repository connection checks during interACT task setup when no repository is selected, ensuring consistent and logical validation behavior.
Asset Polling Instability: Asset tags, filters, and column selections now remain stable during polling cycles with hundreds of online assets, preventing data flicker or loss of user selections.
Syslog Configuration: Configuration updates are now applied immediately without requiring a restart, ensuring uninterrupted event forwarding.
DRONE Analyzer Toggle: Disabling the master DRONE analyzer now correctly resets each individual analyzer switch in the task creation form.
Decimal Disk Space in Policy: Acquisition tasks accept fractional disk space entries and standardize size representation across the UI and backend.
Windows DNS Evidence: Evidence collection for Windows DNS Server is restored to return expected results, improving visibility during network infrastructure investigations.
User Interface Corrections: Search results no longer display disabled configuration options, and column selections persist as expected when navigating between asset views.
Partial Task Status Clarity: Improved error messaging now differentiates between fully failed acquisitions and partially completed evidence collections to reduce confusion in investigation reports.