Skills
Overview
Skills are Fleet’s specialized capabilities. Each skill represents a distinct area of expertise that Fleet can invoke to perform a specific type of analysis or operation. When you make a request, Fleet automatically identifies and loads the appropriate skill based on what you need. You do not need to manually select or reference skills.
Skills are self-contained. Each one encapsulates the tools, techniques, and methodology required for its domain. Fleet loads only the skills relevant to your current task, keeping analysis focused and efficient.
Threat Intelligence Skills
Observable Extraction and Enrichment
Extract indicators of compromise (IOCs) from any source and enrich them with threat intelligence context.
Inputs: URLs, documents, text, files, or threat reports.
What it extracts: IP addresses, domain names, URLs, file hashes (MD5, SHA1, SHA256), email addresses, mutexes, registry keys, and file paths.
Enrichment process: each extracted observable is checked against multiple reputation databases and threat intelligence sources. Results include a risk score with confidence level for each indicator. Domain popularity is assessed against the Alexa Top 1M list to distinguish benign infrastructure from suspicious domains. File hashes are checked against the National Software Reference Library (NSRL) to identify known-good software.
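The extraction step described above, as an added example rather than Fleet's own code: a stdlib-only Python extractor that refangs the usual defanging conventions (hxxp, [.], [@]), pulls every observable type listed above out of free text, classifies hashes by length, and drops file names such as svchost.exe that would otherwise pass as domains. The report excerpt, the pattern set, and the function names are all constructed for this example; the addresses are from the documentation ranges and the hashes are those of the empty string, so none of them are real indicators.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed report excerpt for demonstration. The IP is from TEST-NET-3, the
# domains are under example.net, and the hashes are those of the empty string.
SAMPLE_REPORT = """
The loader beacons to hxxps://update-cdn[.]example[.]net/api/v2 and 203.0.113[.]45
over TCP/443. Second-stage payload (SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855) drops to
C:\\Users\\Public\\svchost.exe and creates mutex Global\\MsUpdate_7a. Persistence via
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. Operator mailbox: ops[@]example[.]net.
MD5 d41d8cd98f00b204e9800998ecf8427e, SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709.
"""


def refang(text: str) -> str:
    """Undo common defanging (hxxp, [.], [@]) so the patterns see real indicators."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[@]", "@"), ("(@)", "@")):
        text = text.replace(defanged, real)
    return text


PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>)]+"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
    # One pattern for all three hash lengths; classified by length below.
    "hash": re.compile(r"\b[a-fA-F0-9]{64}\b|\b[a-fA-F0-9]{40}\b|\b[a-fA-F0-9]{32}\b"),
    "mutex": re.compile(r"\bGlobal\\[\w-]+(?:\.[\w-]+)*"),
    "registry": re.compile(r"\bHK(?:LM|CU|CR|U|CC)(?:\\[\w-]+(?:\.[\w-]+)*)+"),
    "filepath": re.compile(r"\b[A-Za-z]:\\(?:[\w.-]+\\)*[\w-]+\.\w+"),
}

# File names like "svchost.exe" satisfy the domain pattern; drop the common extensions.
FILE_EXTENSIONS = {"exe", "dll", "sys", "ps1", "bat", "cmd", "vbs", "js", "jar",
                   "doc", "docx", "xls", "xlsx", "pdf", "txt", "bin", "dat", "tmp", "log"}

HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}


def extract_observables(text: str) -> dict[str, list[str]]:
    """Return observables grouped by type, de-duplicated, in order of first appearance."""
    clean = refang(text)
    found: dict[str, list[str]] = defaultdict(list)
    for kind, pattern in PATTERNS.items():
        for value in pattern.findall(clean):
            if kind == "hash":
                kind_out = HASH_KIND[len(value)]
                value = value.lower()
            elif kind == "domain":
                if value.rsplit(".", 1)[-1].lower() in FILE_EXTENSIONS:
                    continue  # a file name, not a host
                kind_out = "domain"
                value = value.lower()
            else:
                kind_out = kind
            if value not in found[kind_out]:
                found[kind_out].append(value)
    return dict(found)


if __name__ == "__main__":
    for kind, values in extract_observables(SAMPLE_REPORT).items():
        print(f"{kind:9} {values}")
```

Refanging before matching is the step most home-grown extractors skip; without it the URL and the IP in the excerpt are simply missed. The extension filter is a deliberate trade-off: it costs nothing for the hosts in a typical report, but a real pipeline should follow it with the reputation and popularity checks described above rather than trusting the regex alone.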
Output formats:
- Markdown report with observables organized by type, enrichment results, and risk scores
- Text report sorted by risk score for quick triage
- STIX 2.1 bundle with full enrichment data for machine consumption
- YARA rules generated directly from enriched observables
Example prompt:
Extract and assess all observables from this URL: https://example.com/threat-report
Web Search
Search the internet for the latest threat intelligence, security advisories, CVE details, and research publications.
Use cases: researching a specific threat actor, finding the latest advisories for a CVE, locating technical write-ups on a malware family, checking if a technique has been observed in the wild.
Example prompt:
Search for the latest APT29 advisories from CISA and Mandiant.
Report Finder
Locate, download, and convert security reports into a readable format for analysis.
Use cases: finding vendor threat reports, APT campaign analyses, CVE advisories, and incident write-ups. Reports are downloaded and converted to markdown for easy reading and further processing.
Example prompt:
Find and download the latest Mandiant report on APT29 techniques.
Alexa Domain Lookup
Check domains against the Alexa Top 1M popularity list to distinguish benign, well-known domains from potentially suspicious ones. Note that Amazon retired the Alexa ranking service in 2022, so the list is a fixed historical snapshot: a domain's presence indicates past popularity rather than current benignity, and legitimate services launched since then will be absent. Treat a miss as "unknown", not as "suspicious".
Use cases: filtering noise from observable extraction results, validating whether a domain is a legitimate popular service or an unknown/suspicious domain.
NSRL Hash Lookup
Check file hashes against the National Software Reference Library (NSRL) to identify known-good software.
Use cases: filtering false positives during malware triage by identifying files that match known legitimate software distributions.
Detection Engineering Skills
YARA Rule Generation
Create YARA rules from natural language descriptions, malware analysis findings, or threat intelligence.
Inputs: natural language description of what to detect, malware samples for signature extraction, threat report with IOCs.
Process: Fleet generates the rule, validates that it compiles successfully, and can optionally scan files to test for matches. If the rule has errors, Fleet identifies and fixes them.
Example prompts:
Create a YARA rule to detect in-memory execution of Mimikatz.
Generate a YARA rule based on the strings and imports found in the attached binary.
Sigma Rule Generation
Create Sigma detection rules from attack scenarios, threat descriptions, or log analysis.
Inputs: attack scenario description, MITRE ATT&CK technique references, sample log entries, threat intelligence.
Process: Fleet generates the Sigma rule with proper metadata (title, description, logsource, detection logic), validates it against the Sigma specification, and can convert it to Splunk SPL and Microsoft Sentinel KQL. Fleet can also test rules against sample EVTX or JSONL log files to verify they trigger correctly.
Example prompts:
Create a Sigma rule to detect encoded PowerShell execution via Event ID 4688.
Build Sigma rules for each stage of this attack scenario: spearphishing -> PowerShell -> process hollowing -> scheduled task persistence -> HTTPS exfiltration.
osquery Query Generation
Create osquery SQL queries from natural language descriptions for endpoint state inspection.
Inputs: natural language description of what to query.
Process: Fleet generates the SQL query, validates syntax and column references against the osquery schema, and provides the ready-to-use query.
Example prompt:
Write an osquery query that lists all USB devices connected in the last 24 hours.
Detection Validation
Validate and convert detection rules across formats.
Capabilities:
- YARA — validate compilation, scan files, fix syntax errors
- Sigma — validate against specification, convert to Splunk SPL and Microsoft Sentinel KQL, test against EVTX and JSONL logs
- osquery — validate SQL syntax and column references
- Suricata — validate IDS/IPS rule syntax
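The Sigma generation and JSONL testing steps described under Sigma Rule Generation and Detection Validation, as an added example that is not Fleet's own validator: a minimal Python evaluator for the subset of Sigma that the encoded PowerShell prompt above produces (field|contains and field|endswith selections, a tuning filter, and an "and not" condition), run over constructed process-creation events. The rule is written as a Python dict mirroring the YAML layout because the standard library has no YAML parser; the events are assumed to be already mapped to Sigma field names (NewProcessName to Image, ParentProcessName to ParentImage), which is the log backend's job, not the rule's. The management-tool filter and all function names are hypothetical. One caveat worth testing for: Event ID 4688 only carries the command line when the audit policy "Include command line in process creation events" is enabled, so on a host without it CommandLine is empty and this rule can never fire.

```python
from __future__ import annotations

import json

# Sigma rule as a Python dict mirroring the YAML layout (stdlib has no YAML parser).
RULE = {
    "title": "Encoded PowerShell Command Line",
    "status": "experimental",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc ", "-encodedcommand ", "-ec "],
        },
        # Hypothetical tuning filter for a management tool that launches encoded scripts.
        "filter_mgmt_tool": {"ParentImage|endswith": "\\ConfigurationManager.exe"},
        "condition": "selection and not filter_mgmt_tool",
    },
}

# Constructed JSONL events in the shape of 4688 records already mapped to Sigma
# field names. Record 3 is the tuning case; record 5 is the "-Encoding" trap.
SAMPLE_JSONL = r"""
{"RecordId": 1, "EventID": 4688, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"RecordId": 2, "EventID": 4688, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1", "ParentImage": "C:\\Windows\\System32\\svchost.exe"}
{"RecordId": 3, "EventID": 4688, "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "CommandLine": "pwsh.exe -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACIAbwBrACIA", "ParentImage": "C:\\Program Files\\Microsoft Configuration Manager\\bin\\ConfigurationManager.exe"}
{"RecordId": 4, "EventID": 4688, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami", "ParentImage": "C:\\Windows\\explorer.exe"}
{"RecordId": 5, "EventID": 4688, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -Command Get-Content -Encoding utf8 C:\\logs\\app.log", "ParentImage": "C:\\Windows\\explorer.exe"}
"""


def field_matches(value, modifiers: list[str], patterns) -> bool:
    """Sigma string matching is case-insensitive; the 'all' modifier turns a list into an AND."""
    if value is None:
        return False
    v = str(value).lower()
    pats = [str(p).lower() for p in (patterns if isinstance(patterns, list) else [patterns])]

    def one(p: str) -> bool:
        if "contains" in modifiers:
            return p in v
        if "startswith" in modifiers:
            return v.startswith(p)
        if "endswith" in modifiers:
            return v.endswith(p)
        return v == p

    return all(map(one, pats)) if "all" in modifiers else any(map(one, pats))


def selection_matches(selection: dict, event: dict) -> bool:
    """A selection map is an AND over its field conditions."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if not field_matches(event.get(field), modifiers, patterns):
            return False
    return True


def eval_condition(condition: str, results: dict[str, bool]) -> bool:
    """Handles 'a', 'not a', 'a and b', 'a or b', 'a and not b' (no parentheses)."""
    def factor(token: str) -> bool:
        token = token.strip()
        if token.startswith("not "):
            return not results[token[4:].strip()]
        return results[token]

    return any(all(factor(f) for f in term.split(" and ")) for term in condition.split(" or "))


def matches(rule: dict, event: dict) -> bool:
    detection = rule["detection"]
    results = {name: selection_matches(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)


def load_events(jsonl_text: str) -> list[dict]:
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def run_rule(rule: dict, jsonl_text: str) -> list[int]:
    """Return the RecordIds of events that trigger the rule."""
    return [ev["RecordId"] for ev in load_events(jsonl_text) if matches(rule, ev)]


if __name__ == "__main__":
    print(RULE["title"], "->", run_rule(RULE, SAMPLE_JSONL))
```

Only record 1 fires: record 3 is suppressed by the filter even though the selection matches it, and record 5 shows why the patterns carry a trailing space (a bare "-enc" would also match "-Encoding"). A sample set like this, with one true positive, one tuned exception, and one near miss, is the minimum worth keeping next to any generated rule.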
Forensic Analysis Skills
Malware Reverse Engineering
Perform deep static analysis on executable files.
Supported formats: PE (Windows), ELF (Linux), .NET assemblies, raw shellcode.
Analysis capabilities:
- PE/ELF headers, sections, imports, exports, and resources
- String extraction and classification (URLs, IPs, registry keys, file paths, encoded data)
- Entropy analysis and packer detection (UPX, Themida, ASPack, and others)
- Disassembly and decompilation
- .NET deobfuscation (SmartAssembly and similar protectors) with full C# decompilation
- API hash resolution for malware using dynamic API loading
- Capability identification: persistence mechanisms, C2 communication, process injection, privilege escalation, credential theft
- MITRE ATT&CK technique mapping
Example prompt:
Perform static analysis on the attached PE binary. Deliver: capability summary, IOC table, risk level, and MITRE ATT&CK mapping.
Document Analysis
Analyze documents for embedded threats, malicious macros, and hidden payloads.
Supported formats: PDF, Microsoft Office (Word, Excel, PowerPoint, including macro-enabled variants), OLE, RTF, CAB.
Analysis capabilities:
- VBA macro extraction and deobfuscation (Base64, string concatenation, character code chains)
- Auto-execution trigger identification (AutoOpen, Document_Open, Document_Close)
- Embedded OLE object and ActiveX control detection
- External template injection analysis (T1221)
- DDE field inspection
- JavaScript extraction from PDFs
- Metadata extraction (author, timestamps, template, last saved by)
- Social engineering tactic assessment
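The macro deobfuscation and trigger identification steps above, as an added example rather than Fleet's own analyzer: a small Python routine that collapses Chr() chains and string concatenation into literals, lists the auto-execution procedures present, flags suspicious API names, and decodes a PowerShell -enc argument (Base64 of a UTF-16LE string). The macro source is constructed for this example, the decoded payload is the harmless "calc", and the function and constant names are assumptions.

```python
from __future__ import annotations

import base64
import re

# Constructed macro for demonstration; the encoded payload decodes to "calc".
SAMPLE_VBA = '''
Sub Document_Open()
    Dim cmd As String
    cmd = Chr(112) & Chr(111) & Chr(119) & Chr(101) & "rshell" & " -w hidden -enc " & "YwBhAGwAYwA="
    Set obj = CreateObject("WScr" & "ipt.Shell")
    obj.Run cmd, 0
End Sub
'''

# A "piece" is Chr(n) / ChrW(n) / Chr$(n) or a quoted literal; a chain is pieces joined by &.
_PIECE = r'(?:ChrW?\$?\(\s*\d+\s*\)|"[^"]*")'
CHAIN_RE = re.compile(_PIECE + r'(?:\s*&\s*' + _PIECE + r')+')
PIECE_RE = re.compile(r'ChrW?\$?\(\s*(\d+)\s*\)|"([^"]*)"')
AUTOEXEC_RE = re.compile(
    r'\b(AutoOpen|AutoExec|AutoClose|AutoNew|Auto_Open|Document_Open|Document_Close|Workbook_Open)\b')
SUSPICIOUS = ["Shell", "WScript.Shell", "CreateObject", "powershell", "URLDownloadToFile",
              "XMLHTTP", "ADODB.Stream", "Environ", "-enc"]
ENCODED_ARG_RE = re.compile(r'-(?:enc|encodedcommand|e)\s+([A-Za-z0-9+/=]{8,})', re.IGNORECASE)


def collapse_chain(match: re.Match) -> str:
    """Turn `Chr(112) & "o" & ...` into a single literal `"po..."`."""
    parts = []
    for code, literal in PIECE_RE.findall(match.group(0)):
        parts.append(chr(int(code)) if code else literal)
    return '"' + "".join(parts) + '"'


def deobfuscate(vba: str) -> str:
    """Resolve character-code chains and literal concatenation; variables are left alone."""
    return CHAIN_RE.sub(collapse_chain, vba)


def decode_encoded_commands(text: str) -> list[str]:
    """PowerShell's -enc/-EncodedCommand takes Base64 of a UTF-16LE string."""
    decoded = []
    for b64 in ENCODED_ARG_RE.findall(text):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64/UTF-16LE: leave for manual review
    return decoded


def analyze_macro(vba: str) -> dict:
    clean = deobfuscate(vba)
    lowered = clean.lower()
    return {
        "deobfuscated": clean,
        "triggers": sorted(set(AUTOEXEC_RE.findall(clean))),
        "keywords": [k for k in SUSPICIOUS if k.lower() in lowered],
        "decoded_commands": decode_encoded_commands(clean),
    }


if __name__ == "__main__":
    report = analyze_macro(SAMPLE_VBA)
    print(report["deobfuscated"])
    print("triggers:", report["triggers"], "decoded:", report["decoded_commands"])
```

Keyword matching is run on the deobfuscated text on purpose: in the raw source neither "powershell" nor "WScript.Shell" appears as a contiguous string, which is exactly what the concatenation is for. Chains that mix literals with variables or function calls are left in place, so anything still containing `&` after this pass is a candidate for dynamic analysis.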
Example prompt:
Analyze the attached macro-enabled Word document flagged by our email gateway as a suspicious invoice.
Network Forensics
Analyze network captures for malicious activity, C2 communication, and data exfiltration.
Supported formats: PCAP, PCAPNG.
Analysis capabilities:
- Protocol breakdown and distribution statistics
- DNS query extraction with suspicious domain flagging
- HTTP/HTTPS request analysis (URLs, user agents, POST data, file downloads)
- TLS certificate inspection
- Connection statistics (top talkers, port usage, geographic distribution)
- C2 beacon pattern detection (regular intervals, jitter analysis)
- Data exfiltration indicators (high-entropy transfers, DNS tunneling, unusual outbound volumes)
- SMTP analysis for email-based exfiltration
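The beacon pattern detection listed above (regular intervals with jitter), as an added example rather than Fleet's own implementation: Python that groups connection records by source, destination and port, computes the inter-arrival intervals, and flags flows whose coefficient of variation is low enough to indicate a timer rather than a human. The connection records are constructed to look like a conn-log export from a PCAP (they are not real traffic) and the thresholds and function names are assumptions.

```python
from __future__ import annotations

from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records: (epoch seconds, src, dst, dst_port). Not real traffic.
SAMPLE_CONNECTIONS = [
    # 10.0.0.5 -> 203.0.113.10:443 about every 60 s with roughly 10% jitter (beacon-like)
    *[(1700000000 + t, "10.0.0.5", "203.0.113.10", 443)
      for t in (0, 58, 121, 178, 242, 299, 361, 420, 478, 541)],
    # The same host browsing a web service: bursty, human-driven timing
    *[(1700000000 + t, "10.0.0.5", "198.51.100.20", 443)
      for t in (0, 3, 4, 90, 95, 400, 402, 900)],
    # Too few events to judge
    (1700000010, "10.0.0.7", "192.0.2.9", 80),
    (1700000070, "10.0.0.7", "192.0.2.9", 80),
]


def find_beacons(conns, min_events: int = 6, max_cv: float = 0.25) -> list[dict]:
    """Return flows whose inter-arrival times are regular enough to look timer-driven.

    cv is the coefficient of variation (stdev / mean) of the intervals: 0 means a
    perfectly fixed sleep, small values mean a fixed sleep plus bounded jitter.
    jitter_pct is the largest deviation from the mean interval, as a percentage.
    """
    flows: dict[tuple, list[float]] = defaultdict(list)
    for ts, src, dst, dport in conns:
        flows[(src, dst, dport)].append(ts)

    candidates = []
    for flow, times in flows.items():
        if len(times) < min_events:
            continue  # not enough samples to estimate regularity
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        avg = mean(deltas)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = pstdev(deltas) / avg
        if cv <= max_cv:
            candidates.append({
                "flow": flow,
                "count": len(times),
                "mean_interval": avg,
                "cv": cv,
                "jitter_pct": max(abs(d - avg) for d in deltas) / avg * 100,
            })
    return sorted(candidates, key=lambda c: c["cv"])


if __name__ == "__main__":
    for c in find_beacons(SAMPLE_CONNECTIONS):
        print(f"{c['flow']}: {c['count']} conns, every {c['mean_interval']:.1f}s, "
              f"cv={c['cv']:.3f}, jitter={c['jitter_pct']:.1f}%")
```

The output is a candidate list, not a verdict: software updaters, NTP, and telemetry agents are just as periodic as an implant, so each hit still needs the destination's reputation and the TLS certificate checked. The opposite failure mode matters too: an implant configured with large randomized sleeps (say 50% jitter) will exceed the cv threshold, which is why longer captures and a looser threshold are worth a second pass.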
Example prompt:
Analyze the attached PCAP file for C2 communication and exfiltration indicators.
Host Forensics
Perform system-level forensic analysis within Fleet’s secure environment.
Capabilities:
- Filesystem timeline reconstruction (file modifications over configurable time windows)
- Rootkit detection
- System auditing and configuration review
- Metadata extraction from files and system artifacts
- Risk flagging for suspicious patterns (executables in temp directories, hidden files, SUID/SGID changes, modified authentication configs)
Example prompt:
Create a forensic timeline of files modified in the last 24 hours, focusing on IR-relevant directories.
File Triage
Perform initial assessment of unknown files to determine their nature and risk level.
Capabilities:
- File type identification
- Hash generation (MD5, SHA1, SHA256)
- Entropy analysis (detecting encryption, compression, or packing)
- Metadata extraction (EXIF, document properties, PE timestamps)
- String extraction and classification
- Routing to specialized analysis (malware RE, document analysis) based on file type
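The triage pipeline above, and the entropy analysis and packer detection listed under Malware Reverse Engineering, as one added example that is not Fleet's own code: Python that identifies the file type from its magic bytes (following the MZ stub's e_lfanew pointer to confirm a real PE header rather than trusting "MZ" alone), hashes the content, computes Shannon entropy to flag packed or encrypted data, and routes the file to the matching skill. The three sample files are constructed in memory (a minimal PE-shaped blob, a small PDF, and a pseudo-random blob standing in for a packed section); the thresholds, route names and function names are assumptions.

```python
from __future__ import annotations

import hashlib
import math
import struct
from collections import Counter

# Magic-byte signatures checked at offset 0 (PE handled separately because "MZ" alone
# only proves a DOS stub).
MAGIC = [
    (b"\x7fELF", "elf"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy Office / OLE2 compound file
    (b"PK\x03\x04", "zip"),                         # OOXML documents are ZIP containers
    (b"{\\rtf", "rtf"),
    (b"MSCF", "cab"),
    (b"\x1f\x8b", "gzip"),
]

# Hypothetical routing table from file type to the skill that should look next.
ROUTES = {
    "pe": "malware_reverse_engineering", "elf": "malware_reverse_engineering",
    "pdf": "document_analysis", "ole": "document_analysis", "zip": "document_analysis",
    "rtf": "document_analysis", "cab": "document_analysis",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for constant data up to 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify_type(data: bytes) -> str:
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "dos-mz"  # MZ stub without a PE header: truncated, or not a PE at all
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    printable = all(32 <= b < 127 or b in b"\r\n\t" for b in data[:512])
    return "text" if printable else "unknown"


def triage(data: bytes, packed_threshold: float = 7.0) -> dict:
    kind = identify_type(data)
    entropy = shannon_entropy(data)
    return {
        "type": kind,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "entropy": round(entropy, 3),
        "likely_packed_or_encrypted": entropy > packed_threshold,
        "route": ROUTES.get(kind, "manual_review"),
    }


def _fake_pe() -> bytes:
    """Smallest structure identify_type accepts as PE: MZ, e_lfanew, PE signature."""
    buf = bytearray(512)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)  # e_lfanew -> PE header at offset 0x80
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


# Constructed samples: not real files.
SAMPLES = {
    "dropper.bin": _fake_pe(),
    "invoice.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n%%EOF\n",
    # Deterministic pseudo-random bytes standing in for a packed or encrypted payload.
    "blob.dat": b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128)),
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = triage(data)
        print(f"{name}: {r['type']} entropy={r['entropy']} packed={r['likely_packed_or_encrypted']} -> {r['route']}")
```

Whole-file entropy is a coarse signal: a PE with a large zero-filled section will score low even if its code section is packed, so the per-section version in the malware RE skill is the one to trust for executables. A high-entropy file with no recognizable type, like blob.dat here, is the case worth escalating rather than discarding: it is either compressed, encrypted, or a payload whose header has been stripped.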
AIR Operations Skills
Endpoint Management
List, search, and manage AIR endpoints directly from Fleet.
Operations:
- List all managed endpoints with status information
- Search endpoints by hostname, IP address, tag, operating system, or status
- Isolate endpoints from the network (maintaining AIR agent communication)
- Remove endpoint isolation
- Apply tags to endpoints for organization
- Reboot endpoints remotely
Case Management
Create and manage investigation cases in AIR.
Operations:
- Create new cases with title, description, and assigned endpoints
- Add endpoints to existing cases
- Update case details and status
- Close cases
Evidence Acquisition
Trigger forensic evidence collection on AIR endpoints.
Operations:
- Initiate evidence acquisition using built-in acquisition profiles
- Initiate evidence acquisition using custom acquisition profiles
- Monitor task progress and status
- Review acquisition results
Triage Operations
Deploy detection rules to AIR endpoints for threat hunting.
Operations:
- Deploy YARA rules to endpoints for file and memory scanning
- Deploy Sigma rules for log-based detection
- Deploy osquery queries for endpoint state inspection
- Schedule triage scans
- Review triage results and findings
interACT
Execute remote commands on managed AIR endpoints.
Operations:
- Establish remote command sessions on endpoints
- Execute shell commands
- Transfer files to and from endpoints
- Review command output and results
Investigation Results
Browse and analyze evidence collected through AIR.
Operations:
- Access collected evidence for specific cases and endpoints
- Browse DRONE analysis findings
- Access Investigation Hub data
- Review triage scan results
Utility Skills
Browser Automation
Control a remote browser for web-based research and evidence collection.
Capabilities:
- Navigate to URLs
- Click elements and type text
- Take viewport or full-page screenshots
- Download files from web pages
- Record browsing sessions for audit trails
See Browser Automation for full details.
Knowledge Base Search
Search the AIR knowledge base for documentation, guides, and troubleshooting information.
Use cases: finding documentation on AIR features, looking up configuration guides, troubleshooting AIR issues.
Document Query
Extract text content from files for further analysis.
Supported formats: PDF, HTML, images (via OCR), and text files.
Use cases: extracting readable text from scanned documents, converting PDFs to searchable text, reading content from screenshots or images.