Talon is an automated AI SOC analyst built by SOCFortress for CoPilot. It runs as a background service alongside CoPilot — pulling raw events from your Wazuh/OpenSearch SIEM, enriching them with threat intelligence, correlating across your environment, and writing structured investigation reports with severity assessments and recommended actions directly back into CoPilot.

GitHub Repository

Source code, deployment guide, and architecture docs.

What it does

  • Automated Tier 1 investigations — every OPEN alert is investigated end-to-end: SIEM raw event → IOC extraction → VirusTotal / Shodan / AbuseIPDB → MITRE ATT&CK correlation → structured report
  • Two trigger paths — real-time via POST /investigate (CoPilot calls this when an alert is created) and a 15-minute scheduled sweep as a safety net
  • Writes back to CoPilot — job status, full report, and enriched IOCs are persisted in CoPilot’s database via its REST API; no direct database writes
  • Privacy-aware by default — an anonymizing MCP proxy intercepts raw SIEM events and replaces PII (usernames, hostnames, internal IPs) with session tokens before they reach the cloud model; a built-in deanonymize tool restores real values in the final report
  • Optional local LLM analysis — if Ollama is running, the agent routes raw event interpretation through a local model instead of the cloud; no config needed if Ollama is on the same host
  • Alert-type prompt templates — per-alert-type investigation guides (Sysmon Event 1, 3, 7, 11, 22) are loaded automatically based on the alert’s rule.groups field; add new templates without touching code

How it works

Step 1 — Alert ingestion

Talon picks up OPEN alerts via two paths:
  1. Real-time webhook: CoPilot calls POST /investigate when an alert is created
  2. Scheduled sweep: Every 15 minutes, Talon queries the CoPilot database for OPEN alerts with no existing investigation job

Step 2 — SIEM correlation

Talon queries OpenSearch/Wazuh for:
  • The raw event that triggered the alert
  • Correlated events across the same asset, time window, and rule groups
  • Historical context from the 30-day lookback period

Step 3 — IOC extraction & enrichment

IOCs (IPs, file hashes, domains, user accounts, commands) are extracted from the raw events and enriched via:
  • VirusTotal — file hash and domain reputation
  • Shodan — IP exposure and service enumeration
  • AbuseIPDB — IP abuse reports
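
How extracted IOCs map onto the three enrichment services, as an added example rather than Talon's own code. It covers only the IOC types that have a lookup service (hashes, IPs, domains); the Sysmon field names, function names and sample values are assumptions.

```python
import ipaddress
import re

# Which service enriches which IOC type, per the list above.
ENRICHERS = {"hash": ("VirusTotal",), "domain": ("VirusTotal",),
             "ip": ("Shodan", "AbuseIPDB")}
# Assumed Sysmon field names as decoded under data.win.eventdata.
IP_FIELDS = ("sourceIp", "destinationIp")
HASH_RE = re.compile(r"(?:SHA256|SHA1|MD5)=([0-9A-Fa-f]{32,64})")

def extract_iocs(eventdata):
    """Return a sorted, de-duplicated list of (type, value) pairs."""
    found = set()
    # Sysmon packs hashes as "SHA1=...,MD5=...,SHA256=..." in one field.
    for digest in HASH_RE.findall(eventdata.get("hashes", "")):
        found.add(("hash", digest.lower()))
    for field in IP_FIELDS:
        try:
            ip = ipaddress.ip_address(eventdata.get(field, ""))
        except ValueError:
            continue
        # Public reputation services hold no data on non-routable
        # addresses, so only globally routable IPs become lookups.
        if ip.is_global:
            found.add(("ip", str(ip)))
    query = eventdata.get("queryName", "").rstrip(".").lower()
    if "." in query:
        found.add(("domain", query))
    return sorted(found)

def plan_lookups(eventdata):
    """Map each extracted IOC to the services that should be queried."""
    return {value: ENRICHERS[kind] for kind, value in extract_iocs(eventdata)}

# Constructed sample values, not real indicators.
SAMPLE = {
    "image": "C:\\Users\\Public\\update.exe",
    "hashes": "MD5=" + "ab" * 16 + ",SHA256=" + "cd" * 32,
    "sourceIp": "192.168.10.15",
    "destinationIp": "8.8.8.8",
    "queryName": "Example.COM.",
}
```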

Step 4 — Report generation & write-back

Talon generates a structured investigation report containing:
  • Executive summary
  • Attack timeline
  • IOC analysis with verdicts
  • SIEM correlation findings
  • Severity assessment with justification
  • Recommended actions
The report, job status, and enriched IOCs are written back to CoPilot via the CoPilot MCP server.

Architecture

┌──────────────────────────────────────────────────────┐
│                  CoPilot (FastAPI)                    │
│                                                      │
│  Alert created → POST /investigate ──────────────┐   │
│  GET /status, GET /jobs/:alertId ← Talon HTTP API│   │
│                                                  │   │
│  Write-back API (MCP tools):                     │   │
│    POST /api/ai_analyst/jobs         ←───────────┘   │
│    POST /api/ai_analyst/reports                      │
│    POST /api/ai_analyst/iocs                         │
│  MySQL: ai_analyst_job / report / ioc                │
└───────────────────────┬──────────────────────────────┘
                        │ read-only MCP        ▲ REST write-back
                        ▼                      │
┌──────────────────────────────────────────────────────┐
│                    Talon (Node.js)                    │
│                                                      │
│  HTTP channel (port 3100)                            │
│    POST /investigate  ← CoPilot triggers this        │
│    POST /message      ← ad-hoc analyst prompts       │
│    GET  /status       ← queue + job overview         │
│                                                      │
│  Scheduled task (every 15 min)                       │
│    Queries MySQL for OPEN alerts with no job row     │
│    Runs full investigation per alert                 │
│                                                      │
│  SOC agent (containerized)                           │
│    groups/copilot/CLAUDE.md  ← investigation flow    │
│    groups/copilot/prompts/   ← per-alert templates   │
└──────────────────────────────────────────────────────┘
         │ MCP tools (read-only)

┌──────────────────────────────────────────────────────┐
│  opensearch-mcp    — raw SIEM queries                │
│  opensearch_anon   — anonymizing proxy (PII→tokens)  │
│  mysql-mcp         — CoPilot DB (alerts, assets)     │
│  copilot-mcp       — CoPilot REST API write-back     │
│  ollama (optional) — local LLM for sensitive data    │
│  mempalace         — persistent investigation memory │
└──────────────────────────────────────────────────────┘

Privacy & anonymization

Raw SIEM events contain sensitive data — usernames, internal hostnames, RFC1918 IPs. Talon’s anonymizing MCP proxy intercepts all document and search results before they reach the Claude cloud API and replaces known PII fields with consistent session tokens:

| Token pattern | What it replaces |
| --- | --- |
| USER_1, USER_2, … | Usernames, account names |
| HOST_1, HOST_2, … | Hostnames, computer names |
| IP_INT_1, … | Internal / RFC1918 IP addresses |
| EMAIL_1, … | Email addresses |

Security-critical values — file hashes, external IPs, domains, process paths, rule metadata — pass through unchanged so threat intel lookups work normally. Before the final report is written, the agent calls a built-in deanonymize tool to restore real names and IPs so the analyst sees accurate output. Field definitions live in siem/anon_proxy/fields.yaml — add new fields and deploy to extend coverage.
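
The tokenize-then-restore round trip described above, as an added example that is not Talon's anon_proxy.py. The field map, the Session class and the sample document are assumptions made for illustration, and only RFC1918 addresses are treated as internal.

```python
import ipaddress
import re

# Assumed field map (hypothetical): the real definitions live in
# siem/anon_proxy/fields.yaml, whose schema is not shown on this page.
PII_FIELDS = {"agent.name": "HOST", "data.win.eventdata.user": "USER",
              "data.win.eventdata.sourceIp": "IP",
              "data.win.eventdata.destinationIp": "IP"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TOKEN_RE = re.compile(r"\b(?:USER|HOST|IP_INT|EMAIL)_\d+\b")
# Constructed Sysmon-style document, not real data.
SAMPLE = {"agent": {"name": "FIN-WS-07"}, "rule": {"groups": ["sysmon_event3"]},
          "data": {"win": {"eventdata": {
              "user": "CORP\\jdoe", "sourceIp": "10.1.4.22", "destinationIp": "8.8.8.8"}}}}

def is_internal(value):
    try:
        return any(ipaddress.ip_address(value) in net for net in RFC1918)
    except ValueError:
        return False

class Session:
    """Value <-> token maps for one investigation session."""
    def __init__(self):
        self.to_token, self.to_value, self.count = {}, {}, {}

    def token_for(self, prefix, value):
        key = (prefix, value.lower())  # same value always gets the same token
        if key not in self.to_token:
            self.count[prefix] = self.count.get(prefix, 0) + 1
            token = f"{prefix}_{self.count[prefix]}"
            self.to_token[key], self.to_value[token] = token, value
        return self.to_token[key]

    def anonymize(self, doc, path=""):
        out = {}
        for key, value in doc.items():
            full = f"{path}.{key}" if path else key
            kind = PII_FIELDS.get(full) if isinstance(value, str) else None
            if isinstance(value, dict):
                value = self.anonymize(value, full)
            elif kind == "IP" and is_internal(value):
                value = self.token_for("IP_INT", value)
            elif kind and kind != "IP":  # external IPs pass through unchanged
                value = self.token_for(kind, value)
            out[key] = value
        return out

    def deanonymize(self, text):
        return TOKEN_RE.sub(lambda m: self.to_value.get(m.group(0), m.group(0)), text)
```

Unknown tokens are left as they are by `deanonymize`, so a token the model invents never resolves to a real value.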

Local LLM support (Ollama)

If Ollama is running on the same host, Talon automatically routes raw event interpretation through a local model rather than the cloud. This keeps the most sensitive step — reading the full raw event and extracting IOCs — entirely on-premises. The agent checks for Ollama at startup. If it’s not running, the investigation continues without it — no errors, no configuration required.

Deployment options

| Option | Hardware | Cost | Privacy |
| --- | --- | --- | --- |
| Local Ollama | GPU required | $0 (sunk) | Best (fully on-prem) |
| RunPod cloud GPU | None | ~$0.20–0.44/hr | Good (PII already tokenized) |
| Skip (cloud only) | None | Per-investigation | Good (anonymized before cloud) |

MemPalace persistent memory

MemPalace gives the SOC agent long-term memory — past investigation outcomes, asset metadata, confirmed false positives, and IOC history are stored in a local ChromaDB + SQLite knowledge graph and retrieved automatically at the start of each investigation. This allows Talon to:
  • Reference prior investigations for the same alert or asset
  • Avoid redundant analysis for known-good patterns
  • Track remediation status across repeated investigations

CoPilot UI integration

AI Analyst page

Navigate to Incident Management → AI Analyst to access:

| Tab | Purpose |
| --- | --- |
| Overview | Live status, architecture, capabilities, and integration details |
| Reports | Browse all investigation reports across all alerts |
| Talon Chat | Ad-hoc analyst prompts with SSE streaming responses |

Alert-level integration

When you open any alert in Incident Management → Alerts:
  1. The AI Analyst tab appears next to Overview — if an investigation report exists, it auto-selects as the default tab with a pulsing indicator dot
  2. Reports show severity tag, summary, full markdown report, and recommended actions
  3. If multiple investigations exist for the same alert, a dropdown lets you switch between them (most recent first)
  4. The “Investigate with AI Analyst” button on the Overview tab triggers a new investigation on demand

Alert-type templates

Investigation templates live in groups/copilot/prompts/. Each file is a plain-text guide with template variables that the agent fills in at runtime.

| File | Alert type |
| --- | --- |
| sysmon_event_1.txt | Process Creation (Sysmon Event 1) |
| sysmon_event_3.txt | Network Connection (Event 3) |
| sysmon_event_7.txt | Image Load / DLL (Event 7) |
| sysmon_event_11.txt | File Create (Event 11) |
| sysmon_event_22.txt | DNS Query (Event 22) |

To add a new alert type, create the corresponding .txt file — no code changes required. The agent detects the type from rule.groups in the raw event and loads the matching template automatically.

Deployment

Prerequisites

  • Docker
  • Node.js 20+
  • A running OpenSearch / Wazuh SIEM
  • A running CoPilot instance (MySQL/MariaDB + FastAPI)
  • A Claude Code OAuth token

Quick start

git clone https://github.com/taylorwalton/talon.git talon
cd talon
npm install && npm run build

Then configure credentials:

# SIEM (OpenSearch)
bash siem/setup.sh

# CoPilot database
bash mysql/setup.sh

# CoPilot REST API
bash copilot-mcp/setup.sh

# MemPalace persistent memory
bash mempalace/setup.sh

# Build the agent container
CONTAINER_RUNTIME=docker ./container/build.sh

See the full deployment guide for detailed steps including OAuth token setup, mount allowlist configuration, systemd/launchd service setup, and Ollama integration.

Verify

# Health check (unauthenticated)
curl http://localhost:3100/health

# Test SIEM connectivity
curl -s -N -X POST http://localhost:3100/message \
  -H "Content-Type: application/json" \
  -H "x-api-key: $TALON_API_KEY" \
  -d '{"message": "Check cluster health", "sender": "test"}'

Key source files

| File | Purpose |
| --- | --- |
| src/index.ts | Orchestrator: message loop, agent invocation |
| src/channels/http.ts | HTTP channel: /investigate, /status, /jobs, /message |
| src/task-scheduler.ts | 15-minute scheduled alert sweep |
| src/container-runner.ts | Spawns agent containers with mounts |
| groups/copilot/CLAUDE.md | SOC agent investigation workflow |
| groups/copilot/.mcp.json | MCP server registry (opensearch, mysql, copilot, ollama) |
| siem/anon_proxy/anon_proxy.py | Anonymizing MCP proxy |
| siem/anon_proxy/fields.yaml | PII field definitions |
| container/Dockerfile | Agent container image |

Per-deployment configuration

| Path | Purpose |
| --- | --- |
| siem/.env | OpenSearch credentials |
| mysql/.env | CoPilot MySQL credentials |
| copilot-mcp/.env | CoPilot REST API credentials |
| ollama/.env | Optional Ollama host override |
| mempalace-data/ | MemPalace palace data (ChromaDB + SQLite) |
| .env | Claude OAuth token, webhook URL, HTTP API key |
| groups/copilot/CLAUDE.md | SOC agent identity, known assets, ongoing investigations |
| groups/copilot/prompts/ | Per-alert-type investigation templates |
| siem/anon_proxy/fields.yaml | PII field definitions for the anonymizing proxy |

Safety & guardrails

  • Containerized isolation: Each investigation runs in an isolated Linux container with a mount allowlist controlling file system access
  • No direct DB writes: All data is written back via the CoPilot REST API with proper authentication
  • PII anonymization: Sensitive data is tokenized before reaching any cloud model
  • Treat output as a draft: AI-generated reports should be reviewed by an analyst before action
  • RBAC enforcement: All CoPilot API endpoints require admin or analyst scope

Video context


AI analyst / AI-assisted investigation

AI-assisted workflows to speed up alert triage, investigation, and knowledge capture across your open-source SIEM stack.

CoPilot’s AI features are designed to reduce context switching and speed up common SOC workflows:
  • understand an alert faster (“what am I looking at?”)
  • decide what to do next (“benign or investigate?”)
  • generate drafts for repetitive engineering tasks (exclusions/tuning)
  • chat with your stack (Wazuh, Velociraptor, CoPilot) using natural language

What it is

In the videos, AI in CoPilot shows up in two main ways:

1) AI analyst (alert-focused)

AI analyst is embedded directly into CoPilot’s alert experience. Typical flow:
  1. Open an alert
  2. Select the impacted asset/hostname
  3. Use AI analyst to generate context and suggested next steps
It can help:
  • summarize what triggered the detection
  • explain why the behavior can be suspicious
  • suggest what to validate next (triage steps)
The same area can also support workflows like drafting Wazuh exclusion rules for noisy/expected behavior.

2) AI chatbot / “chat with your stack” (tool-assisted)

CoPilot can expose an AI chatbot that can interface with:
  • Wazuh Manager
  • Wazuh Indexer (OpenSearch)
  • Velociraptor
  • CoPilot
This makes it possible to ask questions like:
  • “show me recent alerts for customer X”
  • “pull surrounding events for this index document”
  • “run a Velociraptor artifact on host Y”
…and have CoPilot handle the underlying API/tool calls. The chatbot can also be extended with additional “tools” (as shown in the videos), such as:
  • threat intelligence lookups (IP/domain reputation)
  • cyber news summaries
  • internal knowledge base search/summarization
  • high-level attack surface/exposure checks

Why this is a power feature

AI assistance is most valuable after your core stack is stable:
  • alerts are flowing
  • assets/customers are properly scoped
  • investigation pivots work (index_id/index_name, artifacts, cases)
Once that foundation is in place, AI can:
  • reduce time-to-understanding for analysts
  • standardize triage narratives
  • accelerate tuning (without living in XML/rules all day)

Operator workflows (practical)

Triage an alert faster

  1. Open the alert and review key fields (command line, parent process, user, host)
  2. Run AI analyst to get:
    • a plain-English explanation of the detection
    • what makes it suspicious
    • recommended validation steps
  3. Decide:
    • escalate/investigate further, or
    • mark as expected (and consider tuning)

Draft a Wazuh exclusion rule (noise reduction)

If an alert is expected/benign but noisy:
  1. collect the key discriminators (image, command line pattern, user, parent, host group)
  2. generate a draft exclusion rule
  3. review it like code (avoid over-broad exclusions)
  4. deploy + validate

Chat with your stack (investigation + response)

Use the chatbot when you want to do “SOC glue work” quickly:
  • ask questions against recent alerts
  • pivot into index logs for context
  • run Velociraptor collections/artifacts without leaving CoPilot

Setup checklist (high level)

Exact steps depend on your CoPilot release, but the videos show a common pattern:
  1. Update your CoPilot deployment
    • pull the latest images
    • update docker-compose.yml with the new AI/MCP service (if required)
  2. Configure AI provider access
    • set your model provider API key(s) (example shown in the video: OpenAI)
  3. Configure stack connectivity for tool-assisted chat
    • Wazuh Indexer (OpenSearch) URL + credentials
    • Wazuh Manager connection details (if used)
    • Velociraptor connection details
  4. Validate permissions + scoping
    • ensure users can only summarize/ask questions over data they’re authorized to access (multi-tenant safety)

Safety / guardrails

  • Don’t paste secrets into prompts.
  • Treat AI output as a draft: verify before acting.
  • Be careful with exclusion rules: tune precisely to avoid blinding detections.
  • Restrict access: AI can summarize sensitive customer data; enforce RBAC/tenant scoping.
