Terminology
Defender
How Fleet addresses you, the user. In every interaction, Fleet refers to the person it is assisting as “Defender,” reflecting its role as a SOC Analyst working alongside security professionals.
Skill
A specialized capability that Fleet can invoke to perform a specific type of analysis or operation. Each skill represents a distinct area of expertise, such as YARA rule generation, malware reverse engineering, network forensics, or AIR endpoint management. Skills are self-contained: Fleet automatically selects and loads the appropriate skill based on your request. You do not need to specify which skill to use.
See Skills for the complete list of available skills.
Recipe
A pre-built, multi-step workflow that chains multiple skills together to accomplish a common task from start to finish. Recipes encode proven methodologies for tasks like “triage a PE binary,” “process an APT threat report,” or “acquire evidence from an endpoint.” When your request matches a known recipe, Fleet follows the established workflow automatically, ensuring consistent and thorough results.
See Recipes for the complete list of available recipes.
Quickstart
A pre-configured prompt card displayed on the new chat screen. Each quickstart provides a ready-to-use prompt (and often a sample file) that demonstrates a specific Fleet capability. Quickstarts are designed to help new users explore what Fleet can do and to provide experienced users with one-click access to common workflows.
See Quickstarts for the complete list of available quickstarts.
Session
A single conversation thread with Fleet. Each session maintains its own context: the messages exchanged, files uploaded, analysis results produced, and workspace state. Context is scoped to the session and does not carry over to other sessions.
Workspace
The file storage area associated with your Fleet session. All files you upload, analysis outputs Fleet generates, and reports it writes are saved to the workspace. The workspace is organized by date folders and is accessible through the file tree in the sidebar. You can browse, download, copy, move, and delete files from the workspace.
See Workspace & Terminal for details.
Terminal
An interactive shell session inside Fleet’s secure environment. The terminal provides a full Linux command-line interface where you can run commands directly, inspect files, and perform manual analysis alongside Fleet’s automated workflows. Multiple terminal tabs can be open simultaneously.
See Workspace & Terminal for details.
Attachment
A file uploaded to Fleet for analysis. You can attach files by dragging and dropping them into the prompt input area, using the attachment button, or selecting a sample file from a quickstart card. Fleet accepts any file type, including executables, documents, archives, network captures, event logs, detection rules, images, and text files.
Observable
An indicator of compromise (IOC) extracted from evidence during analysis. Observables include IP addresses, domain names, URLs, file hashes (MD5, SHA1, SHA256), email addresses, mutexes, registry keys, and file paths. Fleet extracts observables automatically during threat intelligence workflows and can enrich them with reputation data and risk scores.
Enrichment
The process of augmenting extracted observables with additional context from reputation databases and threat intelligence sources. During enrichment, Fleet checks each observable against multiple data sources to determine whether it is known-malicious, suspicious, or benign. The result is a risk score with a confidence level for each observable.
STIX
Structured Threat Information Expression (STIX) is a standardized language and format for representing and sharing cyber threat intelligence. Fleet can generate STIX 2.1 bundles from extracted observables, producing machine-readable threat intelligence packages that can be imported into SIEM platforms, threat intelligence platforms (TIPs), and other security tools.
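The two steps described under Observable and STIX above, extracting observables from a piece of evidence and packaging them as a STIX 2.1 bundle, as an added example. This is illustration code written for this page, not Fleet’s own implementation: the report snippet, the regexes, the refang rules and the file-extension denylist are all constructed assumptions. It also handles a detail analysts run into constantly: published reports “defang” indicators (hxxp, [.], (at)), so the text has to be refanged before any pattern will match.

```python
import json
import re
import uuid
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample input (not Fleet output): a fragment of a threat report
# with defanged indicators, as they are commonly published.
SAMPLE_REPORT = """
The dropper beacons to hxxp://update[.]evil-cdn[.]example/gate.php and
resolves c2[.]evil-cdn[.]example (185.220.101[.]5). Payload SHA256:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
MD5 d41d8cd98f00b204e9800998ecf8427e. Phishing sender: ops(at)evil-cdn[.]example
"""

# Priority order matters: composite values (URLs, emails) are matched first so
# that the domain contained in them is not reported a second time on its own.
PATTERNS = [
    ("url", re.compile(r"https?://[^\s'\"<>]+", re.I)),
    ("email-addr", re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}", re.I)),
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("sha1", re.compile(r"\b[0-9a-f]{40}\b", re.I)),
    ("md5", re.compile(r"\b[0-9a-f]{32}\b", re.I)),
    ("ipv4-addr", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain-name", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]
IPV4 = PATTERNS[5][1]

# Assumed heuristic: a "domain" whose TLD is really a file extension is a filename.
FILE_EXTENSIONS = {"php", "exe", "dll", "txt", "log", "json", "xml", "zip", "bat", "ps1"}

# STIX 2.1 pattern templates per observable kind; hash keys with a hyphen must be quoted.
STIX_PATTERNS = {
    "url": "[url:value = '{v}']",
    "email-addr": "[email-addr:value = '{v}']",
    "ipv4-addr": "[ipv4-addr:value = '{v}']",
    "domain-name": "[domain-name:value = '{v}']",
    "md5": "[file:hashes.MD5 = '{v}']",
    "sha1": "[file:hashes.'SHA-1' = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}


def refang(text: str) -> str:
    """Undo the usual defanging conventions so the patterns above can match."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)
    text = text.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    return re.sub(r"\((?:at)\)|\[(?:at)\]", "@", text, flags=re.I)


def extract_observables(text: str) -> list[tuple[str, str]]:
    """Return deduplicated (kind, value) pairs in order of first appearance."""
    text = refang(text)
    taken: list[tuple[int, int]] = []     # spans already claimed by a higher-priority kind
    seen: set[tuple[str, str]] = set()
    found: list[tuple[str, str]] = []

    def add(kind: str, value: str) -> None:
        if kind != "url":
            value = value.lower()           # hashes, names and addresses are case-insensitive
        if (kind, value) not in seen:
            seen.add((kind, value))
            found.append((kind, value))

    for kind, rx in PATTERNS:
        for m in rx.finditer(text):
            if any(m.start() < e and m.end() > s for s, e in taken):
                continue
            value = m.group(0)
            if kind == "ipv4-addr" and not all(int(o) <= 255 for o in value.split(".")):
                continue                    # e.g. 999.1.1.1 is not an address
            if kind == "domain-name" and value.rsplit(".", 1)[-1].lower() in FILE_EXTENSIONS:
                continue
            taken.append((m.start(), m.end()))
            add(kind, value)
            if kind == "url":               # also surface the host the URL points at
                host = urlsplit(value).hostname or ""
                if host:
                    add("ipv4-addr" if IPV4.fullmatch(host) else "domain-name", host)
    return found


def to_stix_bundle(observables: list[tuple[str, str]]) -> dict:
    """Wrap each observable in a STIX 2.1 Indicator and return a Bundle as a dict."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = [{
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": f"{kind}: {value}",
        "indicator_types": ["malicious-activity"],
        "pattern": STIX_PATTERNS[kind].format(v=value),
        "pattern_type": "stix",
        "valid_from": now,
    } for kind, value in observables]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    print(json.dumps(to_stix_bundle(extract_observables(SAMPLE_REPORT)), indent=2))
```

The output is a plain JSON document that a TIP or SIEM with a STIX 2.1 importer will accept; the indicator `pattern` strings are what downstream tools actually match on, so they follow the STIX patterning grammar exactly (single quotes around values, quoted hash keys such as `'SHA-256'`). Indicators carry fresh UUIDv4 identifiers, which is what the STIX 2.1 specification expects for SDOs.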
MITRE ATT&CK
The MITRE ATT&CK framework is a globally recognized knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. Fleet maps its analysis findings to ATT&CK techniques and tactics, providing standardized context that helps analysts understand the nature of threats, assess coverage gaps, and prioritize defensive actions.
DRONE
AIR’s suite of integrated analyzers that automatically assess collected evidence. DRONE findings are surfaced in the AIR Investigation Hub. When Fleet is connected to AIR, it can browse and analyze DRONE results as part of investigation workflows.
Investigation Hub
The centralized dashboard in AIR that consolidates acquisition data, DRONE findings, and triage results from multiple assets into a single view. Fleet can access Investigation Hub data when connected to AIR, enabling AI-assisted analysis of consolidated investigation results.
interACT
AIR’s remote command execution feature that allows running shell commands on managed endpoints. Fleet can initiate interACT sessions, execute commands, and transfer files to and from endpoints when connected to AIR.
Acquisition Profile
A collection of evidence types grouped into a reusable set for forensic evidence collection in AIR. Fleet can trigger evidence acquisition using built-in or custom acquisition profiles when connected to AIR.
Triage
The process of deploying detection rules (YARA, Sigma, osquery) to AIR endpoints for rapid scanning and threat hunting. Fleet can create triage rules, deploy them to endpoints, and review the results.