Fleet AI

Overview
Fleet is an AI capability integrated directly into the AIR platform starting from version 4.41. It will provide contextual support for Digital Forensics and Incident Response (DFIR) workflows, including rule generation, evidence triage, and investigation guidance. Fleet is available from every page of the Console and is enabled for licensed, online environments, but users can choose to disable it at any time.
Architecture and Design
Fleet will be a multi-agent system built on GPT-4, accessed securely through the OpenAI ChatGPT API. It is enhanced with our Model Context Protocol (MCP), which will, in the future, allow it to interpret investigation-specific metadata, including:
- Case information
- Asset data
- Evidence findings
- Active rules and results
No customer data is stored or shared externally. All requests are routed via AIR proxy services using JWT-authenticated and scoped API calls. Support for private LLM deployments, BYOAI (Bring Your Own AI), is planned.
Capabilities
Fleet’s initial release consists of one specialized AI agent:
- The Blacklight Detection Engineer: Generates YARA, Sigma, and osquery rules based on natural language prompts.
Future agents will provide:
- DFIR Guidance: Step-by-step investigation advice based on the current Console context.
- Evidence Interpretation: Help with understanding analysis results and suggestions for relevant next steps.
- Case-Aware Support: Awareness of ongoing investigations, with recommendations for appropriate actions.
Available Tasks
Fleet currently supports the following tasks:
| Task | Description |
| --- | --- |
| Detection Rule Generation | YARA, Sigma, and osquery rules derived from IoCs, behaviors, or MITRE TTPs |
| DFIR Q&A | Clarifications on DFIR concepts and best practices |
| Contextual Recommendations | Actionable suggestions based on selected findings or case state |
| Hunt/Triage Strategy Advice | Recommendations based on MITRE coverage, OS specifics, or asset profile |
If the Hunt/Triage Rule wizard is active, generated rules can be directly injected for use and saved to your hunt/triage library.
Security Considerations
Fleet has been designed with a security-first architecture:
- Proxy-based AI routing: All AI communication passes through AIR-managed proxies.
- Data handling: No persistent storage or transmission of sensitive data to OpenAI.
- Scoped access: Uses scoped, JWT-authenticated API calls.
- Policy control: AI can be disabled via the system policy manager.
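The proxy-based routing and scoped, JWT-authenticated calls described above are the part of this design a defender will want to understand concretely. The following is an added illustrative example and is not Binalyze's AIR proxy code: it assumes an HS256-signed JWT that carries a space-separated `scope` claim and an `exp` claim, a secret shared between the token issuer and the proxy, and a hypothetical mapping from Fleet task names to the scope each one requires. The proxy refuses to forward an AI request unless the token verifies, has not expired, and carries the scope for the requested task.

```python
"""Illustrative scope check for a JWT-gated AI proxy (added example, not AIR code).

Assumptions (constructed for this example):
  - tokens are HS256 JWTs with 'scope' (space-separated) and 'exp' (epoch seconds)
  - the proxy shares a symmetric secret with the token issuer
  - each Fleet task maps to one required scope string (hypothetical names)
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret; a real deployment would load this from a secret store.
SECRET = b"constructed-demo-secret-do-not-reuse"

# Hypothetical task-to-scope mapping; these scope names are not from the product.
REQUIRED_SCOPE = {
    "rule-generation": "fleet:rules:write",
    "dfir-qa": "fleet:qa:read",
}


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Reverse of b64url(); restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT for the given claims (issuer side of the exchange)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def verify_token(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is well-formed, HS256-signed and unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: a header claiming 'none' or another alg is rejected outright.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # covers bad base64, bad JSON and a wrong number of segments
        return None
    current = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
        return None
    return claims


def authorize_ai_request(token: str, task: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Proxy-side gate: decide whether a request for `task` may be forwarded to the model."""
    claims = verify_token(token, now=now)
    if claims is None:
        return False, "invalid or expired token"
    needed = REQUIRED_SCOPE.get(task)
    if needed is None:
        return False, f"unknown task {task!r}"
    granted = set(str(claims.get("scope", "")).split())
    if needed not in granted:
        return False, f"missing scope {needed}"
    return True, "forwarded"


if __name__ == "__main__":
    issued_at = int(time.time())
    token = mint_token({"sub": "analyst", "scope": "fleet:rules:write", "exp": issued_at + 600})
    print(authorize_ai_request(token, "rule-generation"))  # scope present: forwarded
    print(authorize_ai_request(token, "dfir-qa"))          # scope absent: refused
```

The two details worth copying are the pinned algorithm (the proxy decides which signature scheme it accepts; the token header does not) and the constant-time signature comparison. Scope checking happens only after the signature and expiry are verified, so an attacker-controlled `scope` claim in an unsigned or tampered token is never consulted.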
Activation
Fleet is active by default if the environment is:
- Licensed and online
- Running version 4.41 or later
Fleet is accessed via the Fleet icon on any Console page or via the keyboard shortcut revealed by hovering over the icon. No additional installation or configuration is required.
Roadmap
Upcoming Fleet capabilities include:
- Task orchestration (e.g., launch acquisitions, timelines, interACT)
- Threat intelligence correlation and enrichment
- Investigation-specific AI personas
- Bring Your Own AI (BYOAI) on-prem deployment for complete isolation
Example Prompts
Below are example queries Fleet can respond to:
- Create a YARA rule to detect the execution of Mimikatz in memory.
- Create an osquery rule that lists all USB devices connected in the last 24 hours.
- What does finding T1059.001 mean in the MITRE ATT&CK framework?
- Suggest next steps based on multiple “RDP brute force” findings.
Requirements
| Requirement | Value |
| --- | --- |
| AIR Version | 4.41+ |
| Internet Connectivity | Required (for AI proxying) |
| Licensing | Included in AIR subscription |
| Configuration | None (enabled by default) |
Known Limitations
- Fleet does not yet support executing tasks directly (planned)
- Output is limited to the current session context unless otherwise stated
- Custom private LLM hosting is not yet available (planned)