This section walks through the building blocks of the platform: what each one does, how they relate, and how to put them to work.
Concepts at a glance
Two types of incoming events come from your integrations. Some integrations send alerts directly. Others send raw events (signals) that Clarion runs detections against using signal rules, turning the ones worth attention into alerts. Related alerts roll up into incidents. Agents triage and investigate using skills and tools (integrations that take action or pull additional information). Tasks track follow-up actions from agent runs. Notifications keep your team in the loop and ask for input when an agent needs approval.
Incidents
Consolidated security events that group related alerts and track response from discovery to closure.
Alerts
Individual security events from connected integrations, deduplicated and prioritized for triage.
Tasks
Work items for follow-ups, agent improvements, and operational actions.
Agents
AI responders that investigate alerts, execute response actions, and ask for approval when needed.
Skills
Reusable playbooks describing how to respond to specific situations.
Tools
Integrations agents invoke to take action, like Slack messages, DNS changes, and Jira tickets.
Notifications
In-app and external notifications, including approval and clarification requests from agents.
Settings
Configure your workspace, manage members, and enforce SSO.
How an alert becomes a response
A typical flow:
- Alert received: An alert arrives from a connected integration, either directly or after Clarion runs a signal rule against an incoming event.
- Triage: An agent picks up the alert, follows the relevant skills, and calls tools to gather context. The agent produces a triage report with disposition and recommendations.
- Response: The agent executes through tools (revoking a token, posting to Slack, opening a Jira ticket) or escalates to your team via notifications. Sensitive actions pause for human approval.
- Closure: The alert is closed when the threat is contained or ruled out. Related alerts roll up into incidents where applicable, and follow-up work is captured in tasks.