GitHub Repository
Source code, deployment guide, and architecture docs.
What it does
- Automated Tier 1 investigations — every OPEN alert is investigated end-to-end: SIEM raw event → IOC extraction → VirusTotal / Shodan / AbuseIPDB → MITRE ATT&CK correlation → structured report
- Two trigger paths — real-time via
POST /investigate(CoPilot calls this when an alert is created) and a 15-minute scheduled sweep as a safety net - Writes back to CoPilot — job status, full report, and enriched IOCs are persisted in CoPilot’s database via its REST API; no direct database writes
- Privacy-aware by default — an anonymizing MCP proxy intercepts raw SIEM events and replaces PII (usernames, hostnames, internal IPs) with session tokens before they reach the cloud model; a built-in deanonymize tool restores real values in the final report
- Optional local LLM analysis — if Ollama is running, the agent routes raw event interpretation through a local model instead of the cloud; no config needed if Ollama is on the same host
- Alert-type prompt templates — per-alert-type investigation guides (Sysmon Event 1, 3, 7, 11, 22) are loaded automatically based on the alert’s
rule.groupsfield; add new templates without touching code
How it works
Step 1 — Alert ingestion
Talon picks up OPEN alerts via two paths:- Real-time webhook: CoPilot calls
POST /investigatewhen an alert is created - Scheduled sweep: Every 15 minutes, Talon queries the CoPilot database for OPEN alerts with no existing investigation job
Step 2 — SIEM correlation
Talon queries OpenSearch/Wazuh for:- The raw event that triggered the alert
- Correlated events across the same asset, time window, and rule groups
- Historical context from the 30-day lookback period
Step 3 — IOC extraction & enrichment
IOCs (IPs, file hashes, domains, user accounts, commands) are extracted from the raw events and enriched via:- VirusTotal — file hash and domain reputation
- Shodan — IP exposure and service enumeration
- AbuseIPDB — IP abuse reports
Step 4 — Report generation & write-back
Talon generates a structured investigation report containing:- Executive summary
- Attack timeline
- IOC analysis with verdicts
- SIEM correlation findings
- Severity assessment with justification
- Recommended actions
Architecture
Privacy & anonymization
Raw SIEM events contain sensitive data — usernames, internal hostnames, RFC1918 IPs. Talon’s anonymizing MCP proxy intercepts all document and search results before they reach the Claude cloud API and replaces known PII fields with consistent session tokens:| Token pattern | What it replaces |
|---|---|
USER_1, USER_2, … | Usernames, account names |
HOST_1, HOST_2, … | Hostnames, computer names |
IP_INT_1, … | Internal / RFC1918 IP addresses |
EMAIL_1, … | Email addresses |
deanonymize tool to restore real names and IPs so the analyst sees accurate output.
Field definitions live in siem/anon_proxy/fields.yaml — add new fields and deploy to extend coverage.
Local LLM support (Ollama)
If Ollama is running on the same host, Talon automatically routes raw event interpretation through a local model rather than the cloud. This keeps the most sensitive step — reading the full raw event and extracting IOCs — entirely on-premises. The agent checks for Ollama at startup. If it’s not running, the investigation continues without it — no errors, no configuration required.Deployment options
| Option | Hardware | Cost | Privacy |
|---|---|---|---|
| Local Ollama | GPU required | $0 (sunk) | Best (fully on-prem) |
| RunPod cloud GPU | None | ~$0.20–0.44/hr | Good (PII already tokenized) |
| Skip (cloud only) | None | Per-investigation | Good (anonymized before cloud) |
MemPalace persistent memory
MemPalace gives the SOC agent long-term memory — past investigation outcomes, asset metadata, confirmed false positives, and IOC history are stored in a local ChromaDB + SQLite knowledge graph and retrieved automatically at the start of each investigation. This allows Talon to:- Reference prior investigations for the same alert or asset
- Avoid redundant analysis for known-good patterns
- Track remediation status across repeated investigations
CoPilot UI integration
AI Analyst page
Navigate to Incident Management → AI Analyst to access:| Tab | Purpose |
|---|---|
| Overview | Live status, architecture, capabilities, and integration details |
| Reports | Browse all investigation reports across all alerts |
| Talon Chat | Ad-hoc analyst prompts with SSE streaming responses |
Alert-level integration
When you open any alert in Incident Management → Alerts:- The AI Analyst tab appears next to Overview — if an investigation report exists, it auto-selects as the default tab with a pulsing indicator dot
- Reports show severity tag, summary, full markdown report, and recommended actions
- If multiple investigations exist for the same alert, a dropdown lets you switch between them (most recent first)
- The “Investigate with AI Analyst” button on the Overview tab triggers a new investigation on demand
Alert-type templates
Investigation templates live ingroups/copilot/prompts/. Each file is a plain-text guide with template variables that the agent fills in at runtime.
| File | Alert type |
|---|---|
sysmon_event_1.txt | Process Creation (Sysmon Event 1) |
sysmon_event_3.txt | Network Connection (Event 3) |
sysmon_event_7.txt | Image Load / DLL (Event 7) |
sysmon_event_11.txt | File Create (Event 11) |
sysmon_event_22.txt | DNS Query (Event 22) |
.txt file — no code changes required. The agent detects the type from rule.groups in the raw event and loads the matching template automatically.
Deployment
Prerequisites
- Docker
- Node.js 20+
- A running OpenSearch / Wazuh SIEM
- A running CoPilot instance (MySQL/MariaDB + FastAPI)
- A Claude Code OAuth token
Quick start
Verify
Key source files
| File | Purpose |
|---|---|
src/index.ts | Orchestrator: message loop, agent invocation |
src/channels/http.ts | HTTP channel: /investigate, /status, /jobs, /message |
src/task-scheduler.ts | 15-minute scheduled alert sweep |
src/container-runner.ts | Spawns agent containers with mounts |
groups/copilot/CLAUDE.md | SOC agent investigation workflow |
groups/copilot/.mcp.json | MCP server registry (opensearch, mysql, copilot, ollama) |
siem/anon_proxy/anon_proxy.py | Anonymizing MCP proxy |
siem/anon_proxy/fields.yaml | PII field definitions |
container/Dockerfile | Agent container image |
Per-deployment configuration
| Path | Purpose |
|---|---|
siem/.env | OpenSearch credentials |
mysql/.env | CoPilot MySQL credentials |
copilot-mcp/.env | CoPilot REST API credentials |
ollama/.env | Optional Ollama host override |
mempalace-data/ | MemPalace palace data (ChromaDB + SQLite) |
.env | Claude OAuth token, webhook URL, HTTP API key |
groups/copilot/CLAUDE.md | SOC agent identity, known assets, ongoing investigations |
groups/copilot/prompts/ | Per-alert-type investigation templates |
siem/anon_proxy/fields.yaml | PII field definitions for the anonymizing proxy |
Safety & guardrails
- Containerized isolation: Each investigation runs in an isolated Linux container with a mount allowlist controlling file system access
- No direct DB writes: All data is written back via the CoPilot REST API with proper authentication
- PII anonymization: Sensitive data is tokenized before reaching any cloud model
- Treat output as a draft: AI-generated reports should be reviewed by an analyst before action
- RBAC enforcement: All CoPilot API endpoints require
adminoranalystscope
Video context
- AI analyst (alert-context + exclusion-rule assistance): https://www.youtube.com/watch?v=-2srPC-Dw-0
- AI chatbot + MCP-style “chat with your stack”: https://www.youtube.com/watch?v=FHjD9QBaLD4
- Expanded AI companion features: https://www.youtube.com/watch?v=QaLrmSgEcLI
title: AI analyst / AI-assisted investigation description: AI-assisted workflows to speed up alert triage, investigation, and knowledge capture across your open-source SIEM stack.
CoPilot’s AI features are designed to reduce context switching and speed up common SOC workflows:- understand an alert faster (“what am I looking at?”)
- decide what to do next (“benign or investigate?”)
- generate drafts for repetitive engineering tasks (exclusions/tuning)
- chat with your stack (Wazuh, Velociraptor, CoPilot) using natural language
What it is
In the videos, AI in CoPilot shows up in two main ways:1) AI analyst (alert-focused)
AI analyst is embedded directly into CoPilot’s alert experience. Typical flow:- Open an alert
- Select the impacted asset/hostname
- Use AI analyst to generate context and suggested next steps
- summarize what triggered the detection
- explain why the behavior can be suspicious
- suggest what to validate next (triage steps)
2) AI chatbot / “chat with your stack” (tool-assisted)
CoPilot can expose an AI chatbot that can interface with:- Wazuh Manager
- Wazuh Indexer (OpenSearch)
- Velociraptor
- CoPilot
- “show me recent alerts for customer X”
- “pull surrounding events for this index document”
- “run a Velociraptor artifact on host Y”
- threat intelligence lookups (IP/domain reputation)
- cyber news summaries
- internal knowledge base search/summarization
- high-level attack surface/exposure checks
Why this is a power feature
AI assistance is most valuable after your core stack is stable:- alerts are flowing
- assets/customers are properly scoped
- investigation pivots work (index_id/index_name, artifacts, cases)
- reduce time-to-understanding for analysts
- standardize triage narratives
- accelerate tuning (without living in XML/rules all day)
Operator workflows (practical)
Triage an alert faster
- Open the alert and review key fields (command line, parent process, user, host)
- Run AI analyst to get:
- a plain-English explanation of the detection
- what makes it suspicious
- recommended validation steps
- Decide:
- escalate/investigate further, or
- mark as expected (and consider tuning)
Draft a Wazuh exclusion rule (noise reduction)
If an alert is expected/benign but noisy:- collect the key discriminators (image, command line pattern, user, parent, host group)
- generate a draft exclusion rule
- review it like code (avoid over-broad exclusions)
- deploy + validate
Chat with your stack (investigation + response)
Use the chatbot when you want to do “SOC glue work” quickly:- ask questions against recent alerts
- pivot into index logs for context
- run Velociraptor collections/artifacts without leaving CoPilot
Setup checklist (high level)
Exact steps depend on your CoPilot release, but the videos show a common pattern:-
Update your CoPilot deployment
- pull the latest images
- update
docker-compose.ymlwith the new AI/MCP service (if required)
-
Configure AI provider access
- set your model provider API key(s) (example shown in the video: OpenAI)
-
Configure stack connectivity for tool-assisted chat
- Wazuh Indexer (OpenSearch) URL + credentials
- Wazuh Manager connection details (if used)
- Velociraptor connection details
-
Validate permissions + scoping
- ensure users can only summarize/ask questions over data they’re authorized to access (multi-tenant safety)
Safety / guardrails
- Don’t paste secrets into prompts.
- Treat AI output as a draft: verify before acting.
- Be careful with exclusion rules: tune precisely to avoid blinding detections.
- Restrict access: AI can summarize sensitive customer data; enforce RBAC/tenant scoping.
Video context
- AI analyst (alert-context + exclusion-rule assistance):
- AI chatbot + MCP-style “chat with your stack” (Wazuh/Indexer/Velociraptor/CoPilot):
- Expanded AI companion features (threat intel, cyber news, knowledge base search, exposure view):
