Fleet AI

Overview
Fleet is an AI capability integrated directly into the AIR platform starting from version 4.41. It will provide contextual support for Digital Forensics and Incident Response (DFIR) workflows, including rule generation, evidence triage, and investigation guidance. Fleet is available from every page of the Console and is enabled for licensed, online environments, but users can choose to disable it at any time.
Architecture and Design
Fleet will be a multi-agent system built on GPT-4, accessed securely through the OpenAI ChatGPT API. It is enhanced with our Model Context Protocol (MCP), which will, in the future, allow it to interpret investigation-specific metadata, including:
Case information
Asset data
Evidence findings
Active rules and results
No customer data is stored or shared externally. All requests are routed via AIR proxy services using JWT-authenticated and scoped API calls. Support for private LLM deployments, BYOAI (Bring Your Own AI), is planned.
Capabilities
Fleet's initial release consists of one specialized AI agent:
The Blacklight Detection Engineer: Generates YARA, Sigma, and osquery rules based on natural language prompts.
Future agents will provide:
DFIR Guidance: step-by-step investigation advice based on the current Console context.
Evidence Interpretation: help understanding analysis results and suggestions for relevant next steps.
Case-Aware Support: awareness of ongoing investigations and recommendations for appropriate actions.
Available Tasks
Fleet currently supports the following tasks:
Detection Rule Generation: YARA, Sigma, and osquery rules derived from IoCs, behaviors, or MITRE TTPs
DFIR Q&A: clarifications on DFIR concepts and best practices
Contextual Recommendations: actionable suggestions based on selected findings or case state
Triage Strategy Advice: recommendations based on MITRE coverage, OS specifics, or asset profile
If the Triage Rule wizard is open, generated rules can be inserted directly into the wizard for immediate use and saved to your triage library.
Security Considerations
Fleet has been designed with a security-first architecture:
Proxy-based AI routing: All AI communication passes through AIR-managed proxies.
Data handling: No persistent storage or transmission of sensitive data to OpenAI.
Scoped access: Uses scoped, JWT-authenticated API calls.
Policy control: AI can be disabled via the system policy manager.
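The Architecture and Security Considerations sections both state that every AI request passes through an AIR-managed proxy using scoped, JWT-authenticated calls. The following is an added illustration of what that gate looks like in practice; it is not AIR's or Binalyze's code, and the HS256 token format, the claim names (sub, scope, exp) and the example scope string "ai:rules" are assumptions made for this example. It uses only the Python standard library so it runs offline.

```python
# Added example (not AIR/Binalyze code): the authorization check a proxy could
# apply to an AI request before forwarding it upstream. Token layout, claim
# names and the "ai:rules" scope are assumptions for this illustration.
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for the example; a real proxy would load a managed key.
SECRET = b"example-shared-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, scopes: list, ttl: int = 300,
               now: int = None, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT carrying a subject, a space-separated scope list and an expiry."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, now: int = None, secret: bytes = SECRET) -> dict:
    """Check structure, algorithm, signature and expiry; return the payload or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how to verify, never the token's "alg" field.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return payload


def authorize_ai_request(token: str, required_scope: str, now: int = None) -> bool:
    """Return True only if the token verifies and carries the scope this AI task requires."""
    try:
        payload = verify_token(token, now=now)
    except ValueError:
        return False
    return required_scope in payload.get("scope", "").split()


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed timestamp so the demo is deterministic
    token = mint_token("analyst-1", ["ai:rules"], now=issued)
    print("rule generation allowed:", authorize_ai_request(token, "ai:rules", now=issued + 100))
    print("task execution allowed:", authorize_ai_request(token, "ai:tasks", now=issued + 100))
```

The point of the scope check is that a token valid for one AI task (rule generation here) does not automatically authorize another (task execution), which is the property the "Scoped access" bullet describes; the pinned algorithm and expiry check are the minimum a proxy needs before trusting any claim in the token.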
Activation
Fleet is active by default if the environment is:
Licensed and online
Running version 4.41 or later
Fleet is accessed via the Fleet icon on any Console page or via the keyboard shortcut revealed by hovering over the icon. No additional installation or configuration is required.
Roadmap
Upcoming Fleet capabilities include:
Task orchestration (e.g., launch acquisitions, timelines, interACT)
Threat intelligence correlation and enrichment
Investigation-specific AI personas
Bring Your Own AI (BYOAI) on-prem deployment for complete isolation
Example Prompts
Below are example queries Fleet can respond to:
Create a YARA rule to detect the execution of Mimikatz in memory.
Create an osquery rule that lists all USB devices connected in the last 24 hours.
What does finding T1059.001 mean in the MITRE ATT&CK framework?
Suggest next steps based on multiple “RDP brute force” findings.
Requirements
AIR Version: 4.41+
Internet Connectivity: required (for AI proxying)
Licensing: included in AIR subscription
Configuration: none (enabled by default)
Known Limitations
Fleet does not yet support executing tasks directly (planned)
Output is limited to the current session context unless otherwise stated
Custom private LLM hosting is not yet available (planned)