| Issue | Possible Cause | Resolution |
|---|---|---|
| Cannot access Fleet | Internet connectivity issue or account not provisioned | Ensure your internet connection is active and that your organization administrator has provisioned your Fleet account. |
| Fleet not responding after opening | Internet connectivity issue or temporary service disruption | Verify your internet connection. If the connection is stable, wait a few minutes and try again. If the issue persists, contact Binalyze support. |
| “Usage limit reached” message | Monthly token limit has been exceeded | Contact your organization administrator to review or increase the monthly usage limit. Usage resets at the start of each billing cycle. |
| File upload fails | File exceeds size limits or upload was interrupted | Try uploading the file again. For very large files, consider splitting archives or uploading individual files rather than large bundles. |
| Analysis appears stuck or takes very long | Large or complex files require more processing time | Large binaries, memory dumps, and extensive PCAP files may take several minutes to analyze. If analysis does not progress after 5 minutes, try aborting and re-submitting with a more specific request. |
| Fleet does not recognize the file type | File has an unusual extension or is corrupted | Fleet identifies files by content, not extension. If the file is valid, try describing the file type in your prompt (e.g., “This is a PE executable renamed to .dat”). |
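
Before re-submitting a file Fleet did not recognize, you can check locally whether its content is valid and only the extension is misleading, or whether the header itself is damaged. The sketch below is an added example, not Fleet's or Binalyze's code; the signature table, the `describe` helper and the sample bytes are constructed for illustration.

```python
import struct

# Constructed signature table: leading bytes -> (label, usual extensions).
MAGIC = {
    b"\x7fELF": ("ELF executable", {"elf", "so", "bin"}),
    b"PK\x03\x04": ("ZIP archive", {"zip"}),
    b"\x1f\x8b": ("gzip stream", {"gz", "tgz"}),
    b"\xd4\xc3\xb2\xa1": ("PCAP capture", {"pcap", "cap"}),
    b"\xa1\xb2\xc3\xd4": ("PCAP capture", {"pcap", "cap"}),
    b"\x0a\x0d\x0d\x0a": ("PCAPNG capture", {"pcapng"}),
}
PE_EXTS = {"exe", "dll", "sys"}

# Constructed sample: 64-byte DOS header whose e_lfanew (0x3C) points at "PE\0\0".
SAMPLE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"


def is_pe(data):
    """True for an MZ stub whose e_lfanew field leads to a PE signature."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # An out-of-range offset yields an empty slice, which fails the comparison.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def describe(name, data):
    """Return (label, prompt_hint); hint is None unless the extension misleads."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if is_pe(data):
        label, exts = "PE executable", PE_EXTS
    elif data[:2] == b"MZ":
        # MZ present but no reachable PE signature: re-acquire, do not relabel.
        return "corrupted or truncated PE", None
    else:
        label, exts = next(
            (v for k, v in MAGIC.items() if data.startswith(k)), ("unknown", set())
        )
    if label == "unknown" or not ext or ext in exts:
        return label, None
    article = "an" if label[0] in "AEIOU" else "a"
    return label, f"This is {article} {label} renamed to .{ext}"


if __name__ == "__main__":
    print(describe("sample.dat", SAMPLE_PE))         # valid PE, misleading name
    print(describe("sample.dat", SAMPLE_PE[:0x40]))  # header cut before signature
```

A non-`None` hint is a sentence you can paste into the prompt; a "corrupted or truncated" label means the file should be collected again rather than described differently.
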

| Issue | Possible Cause | Resolution |
|---|---|---|
| “Cannot connect to AIR” error | API integration is not configured or the API key is invalid | Open Fleet’s settings and verify the AIR integration configuration. Ensure the API key is correct and has not expired. |
| Endpoint operations fail | Insufficient permissions for the configured API key | Verify that the API key has the necessary permissions for the requested operation (endpoint management, acquisition, triage, interACT). |
| Triage deployment fails | Target endpoint is offline or unreachable | Check the endpoint status in AIR. Ensure the endpoint is online and managed before deploying triage rules. |
| interACT commands time out | Endpoint is offline, under heavy load, or network latency is high | Verify endpoint connectivity in AIR. Try the command again. For long-running commands, consider breaking them into smaller operations. |
| Evidence acquisition does not start | Endpoint is offline, or another task is already running | Check the endpoint status and current task queue in AIR. Only one acquisition task can run on an endpoint at a time. |

| Issue | Possible Cause | Resolution |
|---|---|---|
| YARA rule does not compile | Syntax error in the rule | Ask Fleet to identify and fix the error: “This YARA rule won’t compile. Fix it and explain what was wrong.” |
| Sigma rule validation fails | Invalid logsource definition or detection logic | Ask Fleet to validate and fix the rule. Ensure the logsource product, category, and service fields match the Sigma specification. |
| Sigma conversion produces unexpected results | Rule uses features not supported by the target backend | Some Sigma detection features may not have direct equivalents in all SIEM query languages. Ask Fleet to simplify the detection logic for the target platform. |
| osquery query returns no results | Query references tables or columns not available on the target OS | Ask Fleet to validate the query against the osquery schema. Some tables are platform-specific (Windows-only, macOS-only, Linux-only). |
| YARA scan finds no matches | Rule is too specific, or the target files do not contain the expected patterns | Review the rule’s string definitions and conditions. Ask Fleet to suggest broader patterns or alternative detection approaches. |

| Issue | Possible Cause | Resolution |
|---|---|---|
| Fleet’s analysis seems incomplete | Request was too broad or ambiguous | Provide more specific instructions. Instead of “analyze this file,” specify what you are looking for: “Perform static analysis on this PE binary, focusing on network indicators and persistence mechanisms.” |
| Fleet asks too many questions before starting | Request is ambiguous and Fleet needs clarification | This is expected behavior. Fleet asks questions to avoid making wrong assumptions. Provide the requested context to proceed. |
| Generated detection rules have false positives | Rule logic is too broad | Ask Fleet to tighten the detection logic: “This Sigma rule is too noisy. Add filters to reduce false positives for legitimate administrative PowerShell usage.” |
| Enrichment results are limited | Observable is too new or not yet indexed by intelligence sources | Newly registered domains, recently created infrastructure, and zero-day indicators may not yet appear in reputation databases. Fleet reports what is available and notes when data is limited. |

| Issue | Possible Cause | Resolution |
|---|---|---|
| Browser cannot load a page | Target URL is unreachable, requires authentication, or blocks automated browsers | Verify the URL is accessible from a regular browser. Some sites block automated access or require CAPTCHA completion. Try a different approach or use Fleet’s web search capability instead. |
| Browser interaction fails | Page structure changed or element is not interactable | Provide more specific instructions about which element to interact with. Try using CSS selectors or describing the element’s visual position. |
| Downloaded file is empty or corrupted | Download was interrupted or the file requires authentication | Try the download again. If the file requires authentication, provide the necessary credentials in the prompt. |

If you encounter an issue not covered here:

- Check the AIR Knowledge Base — Fleet can search the knowledge base for you: “Search the knowledge base for [your issue].”
- Contact Binalyze Support — reach out to [email protected] with a description of the issue, including any error messages and the steps that led to the problem.