AI Assistant
Overview
AI Assistant is a chat-based AI helper integrated into the AIR Console. It uses an OpenAI model customized for Digital Forensics and Incident Response (DFIR) workflows. AI Assistant is available from every page of the Console via the AI Assistant icon or the keyboard shortcut revealed by hovering over the icon.
AI Assistant is enabled by default for SaaS customers. Self-hosted (on-prem) deployments require an OpenAI API key to be configured before the feature becomes available (see Configuration below).
Architecture and Design
AI Assistant is a simple chatbot powered by an OpenAI model, accessed securely through the OpenAI API. It does not include a multi-agent system, orchestrator, or Model Context Protocol (MCP) integration. It cannot read or act on any data inside AIR — all responses are based solely on the user’s prompt and the model’s training data.
For SaaS environments, all requests are routed via AIR proxy services using JWT-authenticated and scoped API calls. No customer data is stored or shared externally.
Self-hosted (on-prem) customers must provide their own OpenAI API key (see Configuration below).
Capabilities
AI Assistant is a conversational helper that can assist analysts with the following topics:
- DFIR Q&A: Answer DFIR-related questions and explain concepts.
- Rule Drafting: Help draft YARA, Sigma, and osquery rules from a natural-language description. Generated rules must be copied and saved manually — there is no direct integration with the Hunt/Triage Rule wizard.
- MITRE ATT&CK Guidance: Explain MITRE ATT&CK techniques and suggest relevant detection strategies.
- Investigation Advice: Suggest investigation steps based on what the user describes in the chat. These suggestions are based on the model’s general knowledge, not on real case context.
Example Use Cases
| Use Case | Description |
|---|---|
| Detection Rule Drafting | Ask AI Assistant to draft YARA, Sigma, or osquery rules from IoCs, behaviors, or MITRE TTPs |
| DFIR Q&A | Get clarifications on DFIR concepts and best practices |
| MITRE ATT&CK Exploration | Understand specific techniques and their relevance to an investigation |
| Hunt/Triage Strategy Discussion | Discuss recommendations based on MITRE coverage, OS specifics, or asset profiles |
Security Considerations
AI Assistant is designed with a security-first architecture:
- Proxy-based AI routing: All AI communication passes through AIR-managed proxies.
- Data handling: User input is sent to OpenAI as-is. AIR does not filter, redact, or persist chat content. Avoid pasting sensitive case data, credentials, or PII into the chat.
- Scoped access: Uses scoped, JWT-authenticated API calls.
- Policy control: AI can be disabled via the system policy manager.
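Because AIR forwards the prompt to OpenAI unmodified and does not redact it, any scrubbing of case identifiers has to happen before the text is pasted into the chat. The following is an added example, not part of AIR or its documentation: it tokenizes IPs, e-mail addresses, credential values and Windows user names in a draft prompt and keeps the mapping on the analyst's machine so the assistant's reply can be mapped back. The patterns are illustrative, not exhaustive, and the sample text is constructed.

```python
import re

# Each pattern captures the sensitive value in the named group "v"; any
# surrounding context (e.g. "password=") is kept so the prompt stays readable.
# Illustrative set only: hostnames, case numbers, etc. would need their own entries.
PATTERNS = [
    ("SECRET", re.compile(r"(?i)\b(?:password|passwd|token|api[_-]?key|secret)\s*[:=]\s*(?P<v>\S+)")),
    ("EMAIL", re.compile(r"(?P<v>\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b)")),
    ("IP", re.compile(r"(?P<v>\b(?:\d{1,3}\.){3}\d{1,3}\b)")),
    ("USER", re.compile(r"(?i)\\Users\\(?P<v>[^\\\s]+)")),
]

# Constructed sample prompt resembling the "RDP brute force" use case on this page.
SAMPLE = (
    "Multiple RDP brute force findings from 203.0.113.7 against DC01; "
    "the attacker used svc_backup with password=Winter2024! and then "
    "dropped a tool under C:\\Users\\jdoe\\AppData. Contact jdoe@corp.example. "
    "Second burst also from 203.0.113.7."
)


def scrub(text):
    """Replace sensitive values with numbered placeholders such as [IP_1].

    Returns (scrubbed_text, mapping). The mapping (placeholder -> original)
    stays local; the same original value always receives the same placeholder,
    so the model still sees that two events share a source.
    """
    mapping, reverse, counters = {}, {}, {}

    def replace(label, m):
        value = m.group("v")
        if value not in reverse:
            counters[label] = counters.get(label, 0) + 1
            tag = f"[{label}_{counters[label]}]"
            mapping[tag] = value
            reverse[value] = tag
        start, end = m.span("v")
        whole = m.group(0)
        return whole[: start - m.start()] + reverse[value] + whole[end - m.start():]

    for label, pattern in PATTERNS:
        text = pattern.sub(lambda m, label=label: replace(label, m), text)
    return text, mapping


def restore(text, mapping):
    """Put original values back into text (e.g. the reply) that reuses the placeholders."""
    for tag, value in mapping.items():
        text = text.replace(tag, value)
    return text
```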
Configuration
SaaS customers: No additional configuration is required. AI requests are proxied through AIR services automatically.
Self-hosted (on-prem) customers: You must provide your own OpenAI API key. Navigate to Settings > Features > AI Assistant and enter your OpenAI API Key to enable AI Assistant functionality.
The OpenAI API key is encrypted at rest in the Console database. It is never returned to the browser after configuration.
Once configured, the Settings page no longer displays the input field. Instead, it shows the message “API key is configured” along with Replace and Remove actions:
- Replace: Opens an input field to enter a new key.
- Remove: Clears the stored key and disables AI Assistant.
Chat Session Behavior
Chat conversations are ephemeral. AI Assistant does not store any chat history — closing the chat panel discards the active conversation, and there is no way to restore a previous one. Users can also manually clear the current conversation at any time by clicking the trash icon at the top-left of the chat panel.
Example Prompts
Below are example queries AI Assistant can respond to:
- Create a YARA rule to detect the execution of Mimikatz in memory.
- Create an osquery rule that lists all USB devices connected in the last 24 hours.
- What does finding T1059.001 mean in the MITRE ATT&CK framework?
- Suggest next steps based on multiple “RDP brute force” findings.
Requirements
| Requirement | Details |
|---|---|
| Internet Connectivity | Required for AI proxying |
| Licensing | Included in AIR subscription |
| Configuration | None for SaaS (enabled by default) |
For self-hosted (on-prem) deployments, internet connectivity to the OpenAI API is required, and an OpenAI API key must be configured before AI Assistant becomes available.
Known Limitations
- AI Assistant has no access to AIR case data, asset information, evidence files, or rule execution results.
- AI Assistant cannot trigger any actions in AIR (no acquisitions, hunts, or task creation).
- Generated rules must be copied and saved manually — there is no direct integration with the Hunt/Triage Rule wizard.