Binalyze AIR v5.19

What’s New?

  • Expanded Windows Clipboard History visibility: AIR now surfaces Clipboard History and Clipboard Activity artifacts in Investigation Hub. This helps analysts review copied text activity, user workflow context, and clipboard-related evidence when investigating suspicious behavior on Windows assets.

  • S3-compatible evidence repository support: AIR now supports custom S3-compatible storage providers, including common object storage platforms that use S3-compatible APIs. This gives security teams more flexibility when storing collected evidence in restricted, hybrid, or customer-managed environments.

  • Improved export workflows for reporting and correlation: Export behavior has been expanded with configurable CSV delimiters, UTF-8 BOM support, timezone options, and column-selection-aware exports. Analysts can now generate cleaner, locale-compatible outputs that better match what they see in AIR.

  • Configurable audit logging: Administrators can now control which audit events are written to the Audit Log. This helps reduce noise, focus on high-value security events, and support compliance-driven monitoring requirements.

  • More controlled auto asset tagging: Auto Asset Tagging can now be managed more selectively, allowing teams to enable or disable specific tagging rules. This helps SOC and MSSP teams apply automation more precisely across different customer or organizational environments.

New Features & Improvements

Investigation Hub

Investigator Toolbox for In-Hub Analysis

Investigation Hub now includes entry points for an Investigator Toolbox from evidence detail views. Analysts can open selected field values in the toolbox directly from the evidence context, reducing the need to copy values into external utilities during an investigation.

This improvement supports faster evidence review by keeping common analysis actions close to the data. Values such as encoded strings, timestamps, hashes, IP addresses, domains, registry paths, and other artifacts can be reviewed with less context switching.

For investigation teams, this improves continuity during evidence-based investigations. Analysts can move from observation to enrichment more quickly while preserving the context of the case and the original evidence item.

Export Options for Investigation Reporting

AIR export workflows now provide more flexibility for teams that rely on CSV outputs for reporting, correlation, and downstream analysis. Exports can be configured with delimiter options such as comma, semicolon, tab, or pipe, and can include UTF-8 BOM support for improved compatibility with regional spreadsheet settings.

This is valuable for organizations using Turkish or European locale settings, where spreadsheet tools may expect semicolon-separated files. Analysts can produce files that open correctly without manual conversion steps.

Export workflows also include timezone-related controls for Investigation Hub flag exports, helping analysts generate outputs that match investigation and reporting requirements across different operating regions.

Exports Now Respect Visible Column Selection

Exports outside Investigation Hub now respect the columns currently visible in the UI. When analysts hide columns through column selection, exported CSV files reflect that visible selection instead of always including every available column.

This improves data minimization and reporting accuracy. Analysts can export only the fields needed for a report or handoff, reducing unnecessary internal identifiers, sensitive values, or irrelevant operational data in exported files.
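The export behavior described in the two sections above (delimiter choice, UTF-8 BOM, timezone conversion with full seconds precision, and visible-column filtering) as one added example. This is illustrative code written for this page, not AIR's exporter; the evidence rows and column names are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows (not real AIR data); timestamps are stored as UTC.
ROWS = [
    {"id": "ev-0001", "hostname": "ws-17", "event": "clipboard_copy",
     "timestamp": datetime(2024, 5, 3, 14, 7, 9, tzinfo=timezone.utc),
     "internal_ref": "0x1f"},
    {"id": "ev-0002", "hostname": "ws-42", "event": "clipboard_paste",
     "timestamp": datetime(2024, 5, 3, 14, 7, 41, tzinfo=timezone.utc),
     "internal_ref": "0x20"},
]

DELIMITERS = {"comma": ",", "semicolon": ";", "tab": "\t", "pipe": "|"}


def export_csv(rows, visible_columns, delimiter="comma", bom=False, tz_offset_hours=0):
    """Render rows as CSV text containing only the visible columns.

    Timestamps are converted to the requested UTC offset and always include
    seconds, so two events 32 seconds apart never collapse to the same value.
    """
    tz = timezone(timedelta(hours=tz_offset_hours))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=visible_columns,
                            delimiter=DELIMITERS[delimiter], lineterminator="\n")
    writer.writeheader()
    for row in rows:
        out = {}
        for col in visible_columns:          # hidden columns never reach the file
            value = row[col]
            if isinstance(value, datetime):
                value = value.astimezone(tz).strftime("%Y-%m-%d %H:%M:%S %z")
            out[col] = value
        writer.writerow(out)
    # A leading U+FEFF becomes the bytes EF BB BF when encoded as UTF-8, which is
    # what locale-configured spreadsheet tools look for to detect UTF-8 input.
    return ("\ufeff" if bom else "") + buf.getvalue()
```

Encode the returned string as UTF-8 when writing it to disk; the BOM survives the encoding and the semicolon variant opens directly in spreadsheets configured for Turkish or other European locales.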

Evidence Collection

Windows Clipboard History Evidence

AIR now integrates Windows Clipboard History evidence into the acquisition profile and Investigation Hub. Clipboard History and Clipboard Activity are available as Windows artifact sources, with parsed activity status values displayed in a readable format.

This helps analysts review clipboard-related user activity when Clipboard History is available on the asset. Clipboard evidence can support investigations involving copied commands, copied URLs, copied identifiers, or other text values that may be relevant to adversary techniques or unauthorized activity.

The new evidence appears in Investigation Hub under the Windows evidence navigation structure and uses the standard evidence grid experience. Analysts can review, filter, and correlate clipboard-related records with other collected evidence in the same case.

Evidence Repository and Storage

S3-Compatible Evidence Repositories

AIR now supports a dedicated S3-compatible evidence repository type. Administrators can configure a custom endpoint, provider name, and region for object storage platforms that use S3-compatible APIs.

This expands evidence repository options beyond standard cloud storage configurations. Organizations using providers such as Backblaze B2, Pure Storage, MinIO, Wasabi, Cloudflare R2, or similar S3-compatible services can configure evidence upload destinations more directly.

Custom Azure Blob Storage Domains

AIR now supports custom Azure Blob Storage domains in evidence repository configuration. This addresses environments that use custom storage domains instead of the standard public Azure Blob Storage domain format.

This is important for organizations operating in restricted or contained network environments. Administrators can configure storage destinations that match their network architecture, allowing acquisition workflows to upload evidence without requiring workarounds.

Evidence Repository Filtering, Sorting, and Last-Used Details

Evidence repository lists now provide improved filtering and sorting for S3-compatible providers. Repository type and provider values are handled more consistently, including provider names entered as free text.

Repositories can also be sorted by last-used information, helping administrators quickly identify active storage destinations and review repository usage patterns. This is useful in environments with multiple organizations, storage providers, or regional evidence destinations.

Access, Authentication, and Governance

SSO Custom Claim Mapping

Administrators can now define custom claim mappings for SSO providers. AIR supports mapping identity provider attributes to expected AIR fields such as email, first name, last name, and groups.

This improves compatibility with identity providers that use different claim or attribute names. Administrators can adapt AIR to existing identity configurations without requiring custom changes or provider-specific workarounds.

The improvement supports both OIDC and SAML-based SSO configurations and helps enterprise teams integrate AIR into established authentication environments more efficiently.

Self-Service 2FA Device Change

Users can now change their authenticator device through a guided self-service flow. The user verifies the current authenticator code, scans a new authenticator secret, and confirms the new code before the old secret is replaced.

This provides a graceful transition when users replace a phone, move to a new authenticator application, or update corporate devices. The old authenticator remains valid until the new one is verified, so the account does not lose 2FA protection during the change.
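The rotation flow described above, as an added example that is not AIR's code: an RFC 6238 TOTP check (HMAC-SHA1, 30-second step, 6 digits, the parameters common authenticator apps use) plus a small state machine in which the old secret keeps authenticating until a code from the new device has been verified. Names such as `AuthenticatorRotation` are assumptions made for this illustration; `now` is epoch seconds, which in practice comes from `time.time()`.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def totp(secret_b32: str, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step containing `now`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class AuthenticatorRotation:
    """Self-service device change: the old secret stays active until the new is proven."""

    def __init__(self, current_secret: str):
        self.active_secret = current_secret
        self.pending_secret = None

    def begin(self, current_code: str, now: int) -> str:
        """Step 1: prove possession of the current device, then issue a pending secret."""
        if not hmac.compare_digest(totp(self.active_secret, now), current_code):
            raise PermissionError("current authenticator code rejected")
        # 20 random bytes -> 32 base32 characters, the payload of the enrollment QR code.
        self.pending_secret = base64.b32encode(secrets.token_bytes(20)).decode()
        return self.pending_secret

    def confirm(self, new_code: str, now: int) -> bool:
        """Step 2: only a valid code from the new device replaces the active secret."""
        if self.pending_secret is None:
            return False
        if not hmac.compare_digest(totp(self.pending_secret, now), new_code):
            return False                         # wrong code: keep the old secret active
        self.active_secret, self.pending_secret = self.pending_secret, None
        return True

    def verify_login(self, code: str, now: int) -> bool:
        """Logins use the active secret only; an unconfirmed pending secret never authenticates."""
        return hmac.compare_digest(totp(self.active_secret, now), code)
```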

Personal Access Token Access Control

AIR now includes a dedicated privilege for managing personal access tokens. Administrators can control whether users can view, create, edit, or delete personal access tokens.

This gives security teams more precise control over API access and automation credentials. Organizations can limit token management to approved roles while preserving existing operational workflows for users who require token-based integrations.

Configurable Audit Logging

Administrators can now configure which event types are written to the Audit Log. The new event filter supports logging all events, logging only selected events, or logging all events except selected events.

This helps teams reduce audit noise and focus on activity that matters most to their governance, compliance, and security monitoring requirements. Changes to audit logging configuration are themselves recorded, helping maintain traceability over audit policy changes.

License Usage Banners

AIR now provides clearer license usage notifications through visible banners at higher usage thresholds. These banners help administrators understand when asset usage is approaching important license limits.

Asset and Task Management

Selective Auto Asset Tagging Rules

Auto Asset Tagging can now be controlled at the rule level. Administrators can enable or disable individual rules instead of relying only on a global auto-tagging switch.

This helps teams run only the tagging rules that are relevant to a specific environment, organization, or customer. MSSP teams can reduce noisy tagging behavior and test new rules without activating every rule in the library.

Bug Fixes

  • Investigation Hub advanced filters: Fixed an issue where invalid filter options could appear for some columns in the advanced filter panel.

  • Investigation Hub exclusion activity: Fixed an issue where exclusion rule creation activity was displayed incorrectly and was not clickable in the Activity view.

  • Investigation Hub flags after organization changes: Fixed an issue where incorrect flags could be shown or assigned after changing an investigation organization.

  • DRONE analysis rerun at scale: Fixed a case-level DRONE re-analysis workflow that generated one request and one toast per asset assignment. The workflow now batches the action more effectively and shows a single summary notification, improving usability in large cases.

  • Exclusion rule modal usability: Improved the Exclusion Rule modal layout so action controls remain accessible on common screen sizes and users do not need to search for the submit action inside the scroll area.

  • Exclusion toast behavior: Exclusion confirmation toasts now auto-dismiss after a short duration instead of remaining on screen indefinitely.

  • Export timestamp precision: Fixed an issue where some exported date and time formats did not include seconds. Exported timestamps now provide consistent precision across supported timezone options.

  • Matched policies after isolation actions: Fixed an issue where the Matched Policies section disappeared after isolate or unisolate actions until the page was refreshed.

  • Policy search: Fixed an issue where searching on the Policies page did not filter the displayed policy list.

  • Cases page search field: Fixed a UI issue where the search input on the Cases page was too narrow, making typed text difficult to see.

  • Task Details table spacing: Adjusted default table spacing on the Task Details page to improve readability and screen usage.

  • interACT REST polling: Fixed an issue where public interACT REST API polling could continue returning an in-progress state after the command had already completed.

  • MITRE ATT&CK database version validation: Fixed an issue where the API accepted a non-existent MITRE ATT&CK database version before task creation. Invalid versions are now validated earlier.

  • Backup restore completeness: Fixed an issue where a backup archive could miss the primary database dump in larger environments, causing restore results to appear incomplete in the UI.

  • Backup creation options: Removed a misleading unused database option from the backup creation workflow to reduce confusion and avoid unnecessary backup size growth.

  • Application health after install or upgrade: Fixed a health check validation issue that could cause an application container to be reported as unhealthy after a fresh installation or upgrade.

  • Evidence repository configuration: Fixed and refined S3-compatible repository form behavior, provider display, and save handling for repository configuration workflows.

  • Custom Azure Blob Storage validation: Fixed validation so custom Azure Blob Storage domains can be used where supported by the evidence repository configuration.