DRONE Integration in Tornado

DRONE is Binalyze’s automated compromise assessment engine, originally part of AIR DRONE. It provides a decision support system that analyzes collected evidence using a library of up-to-date analyzers maintained by the Binalyze threat hunting team.

In Tornado, DRONE is embedded as a standalone binary that runs locally on the investigator’s machine. After cloud evidence is collected from platforms such as Microsoft 365, Google Workspace, Zoom, or HubSpot, DRONE analyzes the collected artifacts and produces findings classified by severity: High, Medium, Low, or Matched.

This tight integration enables investigators to go from raw cloud evidence to actionable compromise assessment findings without leaving the Tornado application.


DRONE is shipped as a platform-specific binary embedded directly into the Tornado application at build time. At runtime, Tornado extracts the binary, invokes it as a subprocess against the collected evidence, and packages the analysis results back into the case archive.

```mermaid
flowchart TB
subgraph Tornado["Tornado Application"]
UI["Frontend UI"]
API["API Layer"]
DM["DRONE Manager"]
EB["Embedded DRONE Binary"]
end
subgraph Evidence["Evidence"]
CasePPC["Case.ppc (ZIP)"]
CaseDB["Case.db (SQLite)"]
DroneDB["Drone.db (SQLite)"]
end
subgraph External["External Services"]
AirPlatform["AIR Platform"]
IHub["Investigation Hub"]
end
UI -->|"Select analyzers & keywords"| API
API -->|"Start analysis task"| DM
DM -->|"Extract & execute"| EB
EB -->|"Read"| CasePPC
CasePPC --- CaseDB
EB -->|"Write"| DroneDB
DM -->|"Add Drone.db to"| CasePPC
AirPlatform -->|"Sync MITRE rules"| DM
CasePPC -->|"Upload"| IHub
```

The DRONE analysis workflow in Tornado follows these steps:

```mermaid
sequenceDiagram
participant User
participant TornadoUI as Tornado UI
participant TornadoAPI as Tornado API
participant DroneManager as DRONE Manager
participant DroneBin as DRONE Binary
User->>TornadoUI: Collect cloud evidence
TornadoUI->>TornadoAPI: Collection task
TornadoAPI-->>TornadoUI: Case.ppc created
User->>TornadoUI: Select analyzers, keywords, MITRE
TornadoUI->>TornadoAPI: POST /api/drone/task/assign
TornadoAPI->>DroneManager: Create analysis task
DroneManager->>DroneBin: Extract binary from embedded assets
DroneManager->>DroneBin: Execute with args (analyzers, keywords, Case.ppc path)
loop Progress Tracking
DroneBin-->>DroneManager: Write Drone.Progress.json
DroneManager-->>TornadoAPI: Report progress
TornadoAPI-->>TornadoUI: Update progress bar
end
DroneBin-->>DroneManager: Write Drone.db (results)
DroneManager->>DroneManager: Add Drone.db into Case.ppc
DroneManager-->>TornadoAPI: Analysis complete
TornadoAPI-->>TornadoUI: Show completion status
```

  1. Evidence Collection — The investigator collects cloud evidence (emails, audit logs, drive files, etc.) from a supported platform. The collected data is stored in Case.db (SQLite) and packaged into Case.ppc (a ZIP archive).

  2. Analyzer Selection — The investigator selects which analyzers to run. Tornado queries the embedded DRONE binary (drone --get-defaults) to discover available analyzers for the target platform. The investigator can also enable the MITRE ATT&CK analyzer and specify keyword search terms.

  3. Analysis Execution — Tornado extracts the embedded DRONE binary to a temporary location, then invokes it as a subprocess with command-line arguments specifying the analyzers, keywords, MITRE rules path, CPU limit, and the path to Case.ppc.

  4. Progress Tracking — During analysis, DRONE writes progress updates to Drone.Progress.json. Tornado reads this file periodically and reports progress back to the UI in real time.

  5. Results Packaging — Upon completion, DRONE writes its findings to Drone.db (SQLite). Tornado then unzips the existing Case.ppc, adds Drone.db alongside Case.db, and re-creates the archive. The standalone Drone.db file is removed.

  6. Viewing Results — The enriched Case.ppc (now containing both Case.db and Drone.db) can be uploaded to the Investigation Hub for detailed analysis and reporting.


DRONE analyzers in Tornado are organized by cloud platform. Each platform has its own set of specialized analyzers:

| Platform | Internal Identifier | Evidence Types |
| --- | --- | --- |
| Microsoft 365 | microsoft-365 | Exchange emails, Unified Audit Logs, OneDrive files, Teams messages |
| Google Workspace | gws-parselet | Gmail, Google Drive, Admin audit logs |
| Zoom | zoom | Meeting data, recordings, user activity |
| HubSpot | hubspot | CRM data, activity logs |

When the investigator opens the analyzer selection step, Tornado automatically queries the DRONE binary for analyzers that support the current platform and presents only the relevant options.


DRONE includes two core analyzer components:

Platform-specific analyzers that query artifact tables in the collected evidence database and run data through a series of check functions. These analyzers score or flag suspicious indicators and report findings with severity classifications.

Available analyzers are dynamically loaded from the embedded DRONE binary at runtime. The binary reports its full analyzer catalog, and Tornado filters by the target platform. The Dynamo analyzer (dya) is excluded from the general list because it is handled separately as part of the MITRE ATT&CK integration.

Dynamo is a rule-based analysis engine for DFIR investigations. In the context of Tornado’s cloud forensics, Dynamo executes SQL-based rules against collected forensic databases — primarily the unified_audit_logs table from Microsoft 365 Unified Audit Log data.

Each Dynamo rule:

  • Targets a specific evidence section (e.g., unified_audit_logs)
  • Executes complex SQL queries with JSON extraction against audit data
  • Produces scored findings mapped to MITRE ATT&CK tactics and techniques
  • Classifies results with severity-based detection reasons

| Rule | Description | MITRE Mapping |
| --- | --- | --- |
| Suspicious Mail Forwarding Rules Detector | Detects mail forwarding rules that may indicate mailbox compromise, including external forwarding and rules created via suspicious tools | TA0009 / T1114.003 |
| Privilege Escalation Activity Detector | Detects privilege escalation activities such as self-promotion to high-privilege roles and suspicious role assignments | TA0004 / T1078.004 |
| Unusual Authentication Detector | Identifies unusual authentication patterns including automation tools, legacy auth protocols, and anomalous IP activity | - |
| Suspicious Admin Actions Detector | Flags suspicious Exchange admin actions that may indicate unauthorized configuration changes | - |
| Suspicious HTTP Clients in O365 User Agent | Detects requests from uncommon or suspicious HTTP clients in Office 365 user agent strings | - |

When connected to an AIR instance, Tornado can sync MITRE ATT&CK rules from the AIR platform. These rules are stored locally at Tornado.Tools/utils/mitre.zip and passed to the DRONE binary at analysis time. This ensures investigators always have access to the latest threat detection rules maintained by the Binalyze threat hunting team.


DRONE classifies all findings into one of four severity levels:

| Severity | Description |
| --- | --- |
| High | Confirmed malicious behavior or artifacts indicating critical compromise |
| Medium | Indicators of suspicious or potentially unwanted behavior |
| Low | Anomalies or uncommon patterns that may warrant further investigation |
| Matched | Items flagged through keyword hits or custom rule matches |

The minimum score threshold for reporting is configurable (default: 50, range: 10–90). Findings below this threshold are not included in the results.


The primary output of a DRONE analysis is Drone.db, a SQLite database containing all findings from the selected analyzers. This database is automatically added to the Case.ppc archive alongside the original Case.db.

```text
Case.ppc (ZIP)
├── Case.db   # Collected evidence (emails, audit logs, drive items, etc.)
└── Drone.db  # DRONE analysis findings
```

During analysis, DRONE writes real-time progress updates to Drone.Progress.json as JSON lines. Each entry includes:

  • MatchCount — The number of findings discovered so far
  • Progress — The completion percentage (0–100)

Tornado reads this file periodically and updates the UI with the current progress.
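
Reading the progress file, as an added Go example that is not Tornado's code: the field names MatchCount and Progress come from the list above (their exact JSON spelling is assumed), and because DRONE is still appending while the file is polled, the last line may be only partially written, so the reader keeps the most recent complete entry. The sample lines are constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/json"
	"fmt"
)

// ProgressEntry is one line of Drone.Progress.json. Only the two fields
// named on this page are modelled; their JSON spelling is an assumption.
type ProgressEntry struct {
	MatchCount int `json:"MatchCount"`
	Progress   int `json:"Progress"`
}

// LatestProgress returns the last complete entry in a JSON-lines buffer.
// A line cut mid-write is skipped instead of aborting the read, and values
// outside the documented 0-100 range (or a negative count) are ignored.
func LatestProgress(data []byte) (ProgressEntry, bool) {
	var latest ProgressEntry
	found := false
	sc := bufio.NewScanner(bytes.NewReader(data))
	for sc.Scan() {
		line := bytes.TrimSpace(sc.Bytes())
		if len(line) == 0 {
			continue
		}
		var e ProgressEntry
		if err := json.Unmarshal(line, &e); err != nil {
			continue // partial or corrupt line
		}
		if e.Progress < 0 || e.Progress > 100 || e.MatchCount < 0 {
			continue
		}
		latest, found = e, true
	}
	return latest, found
}

// Constructed sample: two complete entries followed by a truncated write.
var sampleProgress = []byte("{\"MatchCount\":0,\"Progress\":12}\n" +
	"{\"MatchCount\":3,\"Progress\":57}\n" +
	"{\"MatchCount\":4,\"Progr")

func main() {
	e, ok := LatestProgress(sampleProgress)
	fmt.Println(ok, e.MatchCount, e.Progress) // true 3 57
}
```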


The DRONE binary is embedded for all platforms that Tornado supports:

| Platform | Architecture | Embedded Binary |
| --- | --- | --- |
| Windows | amd64 | bin/drone_windows_amd64.zip |
| macOS | amd64 | bin/drone_darwin_amd64.zip |
| macOS | arm64 (Apple Silicon) | bin/drone_darwin_arm64.zip |
| Linux | amd64 | bin/drone_linux_amd64.zip |
| Linux | arm64 | bin/drone_linux_arm64.zip |

The correct binary is selected at compile time using Go build tags. At runtime, Tornado extracts the binary to a temporary location (Tornado.Tools/ directory), executes it, and removes it after the analysis completes.


| Parameter | Default | Description |
| --- | --- | --- |
| CPU Limit | 60% | Maximum CPU usage allowed for the DRONE process |
| Minimum Score | 50 | Minimum score threshold for reporting findings (range: 10–90) |
| DRONE Version | Tracked in dependency.json | Currently v4.1.2 |

Tornado exposes the following REST API endpoints for DRONE integration:

| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /api/drone/analyzers/:parseletName | List available analyzers for a given platform |
| POST | /api/drone/task/assign | Start a DRONE analysis task |
| POST | /api/drone/task/status | Query the status of a running analysis task |
| POST | /api/drone/task/cancel | Cancel a running analysis task |

Example request body for POST /api/drone/task/assign:

```json
{
  "Tasks": [{
    "Type": "drone",
    "Data": {
      "collection_task_id": "<task-id>",
      "analyzers": ["o365-sue", "o365-sdeea"],
      "mitre_analyzer_selected": true,
      "keywords": ["phishing", "forwarding"]
    }
  }]
}
```

Example task status response:

```json
{
  "analysis_task_id": "<assignment-id>",
  "analysis_status": "completed"
}
```