Repository record from ecosyste.ms for https://github.com/secmon-lab/warren (language: Go; license: Apache-2.0; topics: ai, llm, security; 118 stars, 6 forks; created 2025-07-07, last pushed 2026-05-02). Repository description: "AI-powered security alert management that reduces noise and accelerates response time". The repository README follows.

# Warren

AI-native security alert management — not just AI-assisted, but built from the ground up to let AI agents perform the work of security analysts.

<p align="center">
  <img src="./doc/images/logo3.png" height="128" />
</p>

1. **Alert ingestion** — Security products (GuardDuty, SIEM, EDR, etc.) send alerts to Warren via webhook
2. **AI triage** — LLM generates a summary, queries threat intelligence for enrichment, and assigns severity
3. **Investigation** — Enriched alerts appear in Slack or the Web UI as tickets. Team members review them and can chat with the AI agent to dig deeper using integrated tools and data sources

<p align="center">
  <img src="./doc/images/concept.png" width="700" alt="Warren: AI Security Alert Triage" />
</p>

## Why Warren?

Security teams drown in alerts. Analysts spend most of their time on repetitive triage — classifying, enriching, and closing alerts that turn out to be noise.

Warren addresses this by **decomposing the security analyst's workflow into discrete, composable stages** and rebuilding each stage as an AI-native process:

| Traditional Workflow | Warren's Approach |
|---|---|
| Analyst manually classifies incoming alerts | **Policies + AI enrichment** automatically transform, contextualize, and classify alerts |
| Analyst queries threat intel tools one by one | **AI agents orchestrate tool calls** across multiple sources in parallel |
| Analyst writes up findings from memory | **LLM synthesizes** enrichment results into structured conclusions |
| Knowledge lives in individual analysts' heads | **Agent memory system** accumulates and scores organizational knowledge |
| Triage decisions are inconsistent across shifts | **Triage policies** enforce standardized decision criteria |

This is not a generic AI agent with security tools bolted on. Warren is purpose-built for the security operations domain, with specialized context engineering, memory architecture, and workflow orchestration designed for how alert investigation actually works.

## How It Works

### Slack-Based Multi-Agent Investigation

Warren operates as a **Slack-native multi-agent system**. When an alert arrives, it is posted to a Slack channel with AI-generated analysis. Team members interact with Warren directly in Slack threads — `@warren` triggers an investigation agent that can delegate work to specialized sub-agents in parallel:

```
User asks @warren in Slack thread
  └─ Orchestrator Agent
       ├─ BigQuery Agent  → query audit logs, access patterns
       ├─ Falcon Agent    → pull EDR endpoint data from CrowdStrike
       ├─ Slack Agent     → search related conversations
       └─ Direct tools    → VirusTotal, OTX, Shodan, AbuseIPDB, URLScan
```

Each sub-agent autonomously decides what queries to run and how to interpret results. Real-time progress traces in the Slack thread show what the agent is doing as it works.

<p align="center">
  <img src="./doc/images/slack.png" width="600" alt="Slack integration with interactive investigation" />
</p>

### Agent Memory

Agents **learn from every investigation**. After each execution, an LLM-driven reflection extracts claims — self-contained facts like *"SSH brute force from this CIDR range has been seen weekly and is always noise"*. Claims are stored with vector embeddings and quality scores that evolve over time: helpful memories get boosted, harmful ones get penalized and eventually pruned.

The result: agents get better at their job over time. Common false positive patterns are recognized faster. Environment-specific knowledge accumulates without manual curation.

### Alert Processing Pipeline

Before alerts reach Slack, they pass through a policy-driven pipeline:

1. **Ingest Policy** (Rego/OPA) — transform and filter raw webhook data
2. **Metadata Generation** — LLM fills missing titles and descriptions
3. **Enrichment** — parallel multi-agent investigation (same system as above)
4. **Triage Policy** (Rego/OPA) — publish, archive, or decline

Policies are written in **Rego** and deployable without code changes. Alerts arrive in Slack already investigated and contextualized.

### Web UI & Continuous Improvement

A React-based dashboard for alert management, ticket workflow with structured findings, and interactive AI chat.

<p align="center">
  <img src="./doc/images/dashboard2.png" width="600" alt="Warren Dashboard" />
</p>

Each investigation feeds back into the system: **agent memory** captures patterns, a **tag system** classifies alerts for workflow tracking, and **resolved tickets** with structured conclusions build organizational knowledge that benefits the entire team.

## Quick Start

```bash
# Prerequisites
export PROJECT_ID=your-gcp-project
gcloud auth application-default login
gcloud services enable aiplatform.googleapis.com --project=$PROJECT_ID

# Run Warren (in-memory storage, no auth)
docker run -d -p 8080:8080 \
  -v ~/.config/gcloud:/home/nonroot/.config/gcloud:ro \
  -e WARREN_GEMINI_PROJECT_ID=$PROJECT_ID \
  -e WARREN_NO_AUTHENTICATION=true \
  -e WARREN_NO_AUTHORIZATION=true \
  -e WARREN_ADDR=127.0.0.1:8080 \
  ghcr.io/secmon-lab/warren:latest serve

# Send test alert
curl -X POST http://localhost:8080/hooks/alert/raw/test \
  -H "Content-Type: application/json" \
  -d '{"title": "SSH brute force", "source_ip": "45.227.255.100"}'
```

Visit http://127.0.0.1:8080 to access the dashboard.

## Integrations

### Alert Ingestion

- **Webhook (raw JSON)** — any HTTP POST with JSON body
- **Google Cloud Pub/Sub** — subscribe to alert topics
- **AWS SNS** — receive alerts via SNS HTTP endpoint

### Threat Intelligence Tools

- [**VirusTotal**](./pkg/tool/vt/README.md) — IP, domain, file hash, URL reputation lookup
- [**AlienVault OTX**](./pkg/tool/otx/README.md) — IPv4/IPv6, domain, hostname, file hash indicators
- [**URLScan.io**](./pkg/tool/urlscan/README.md) — submit and analyze suspicious URLs
- [**Shodan**](./pkg/tool/shodan/README.md) — internet-facing host, domain, and device search
- [**AbuseIPDB**](./pkg/tool/ipdb/README.md) — IP address reputation scoring
- [**abuse.ch MalwareBazaar**](./pkg/tool/abusech/README.md) — malware hash lookup
- [**WHOIS**](./pkg/tool/whois/README.md) — domain and IP registration lookup

### Code & Device Tools

- [**GitHub App**](./pkg/tool/github/README.md) — code search, issue search, file content retrieval, commit history, file blame
- [**Microsoft Intune**](./pkg/tool/intune/README.md) — device compliance status, sign-in history
- [**Slack Message Search**](./pkg/tool/slack/README.md) — search workspace messages for context

### Sub-Agents

- [**BigQuery Agent**](./pkg/agents/bigquery/README.md) — query security log data via natural language
- [**CrowdStrike Falcon Agent**](./pkg/agents/falcon/README.md) — query EDR incidents, alerts, and endpoint events
- [**Slack Search Agent**](./pkg/agents/slack/README.md) — search and summarize Slack conversations

### Collaboration & UI

- **Slack** — native bot with interactive buttons, thread-based investigation, real-time progress traces
- **Web UI** — React dashboard for alert management, ticket workflow, AI chat
- **GraphQL API** — programmatic access to alerts, tickets, knowledge

### Infrastructure

- **Vertex AI (Gemini)** — LLM for alert analysis, metadata generation, agent orchestration
- **Cloud Firestore** — persistent storage for alerts, tickets, knowledge, agent memory
- **Cloud Run** — serverless deployment
- **Cloud Storage** — alert data archival
- **MCP** — extend agent tools via [Model Context Protocol](./doc/operation/mcp.md)

## Documentation

| Category | Documents |
|----------|-----------|
| **Start Here** | [Getting Started](./doc/getting-started.md) — Your first alert in 5 minutes |
| **Concepts** | [Core Concepts](./doc/concepts.md) — Alerts, tickets, pipeline, clustering |
| **Operations** | [Alert Investigation](./doc/operation/alert-investigation.md) · [Policy Guide](./doc/operation/policy.md) · [Knowledge Management](./doc/operation/knowledge.md) · [MCP Integration](./doc/operation/mcp.md) |
| **Deployment** | [GCP Setup](./doc/deployment/gcp.md) · [Slack Integration](./doc/deployment/slack.md) |
| **Reference** | [Configuration](./doc/reference/configuration.md) · [API & Webhooks](./doc/reference/api.md) · [Chat Strategies](./doc/strategy/README.md) |

## License

Apache 2.0 License