The default configuration file (config/default.yaml) contains all settings for a Triage Warden deployment. Copy this file and customize it for your environment.
Sensitive values should use environment variable interpolation: ${ENV_VAR_NAME}.
```yaml
operation_mode: supervised
```

| Mode | Description |
|------|-------------|
| `assisted` | AI observes and suggests only, no automated actions |
| `supervised` | Low-risk actions automated, high-risk requires approval |
| `autonomous` | Full automation for configured incident types |

```yaml
max_concurrent_incidents: 50
```
Maximum number of incidents being processed at the same time. Increase for high-volume environments; decrease to limit resource usage.
External service integrations. Each connector follows the same structure:
```yaml
connectors:
  <connector_name>:
    connector_type: <type>
    enabled: true
    base_url: <url>
    api_key: ${API_KEY_ENV_VAR}
    api_secret: ""
    timeout_secs: 30
    settings:
      <connector-specific settings>
```

| Field | Type | Description |
|-------|------|-------------|
| `connector_type` | String | Connector implementation to use |
| `enabled` | Boolean | Whether this connector is active |
| `base_url` | String | Base URL for the service API |
| `api_key` | String | API key or username (use `${ENV_VAR}`) |
| `api_secret` | String | API secret or password (use `${ENV_VAR}`) |
| `timeout_secs` | Integer | HTTP request timeout in seconds |
| `settings` | Map | Connector-specific settings |
```yaml
connectors:
  jira:
    connector_type: jira
    enabled: true
    base_url: https://your-company.atlassian.net
    api_key: ${JIRA_API_KEY}
    timeout_secs: 30
    settings:
      project_key: SEC
      default_issue_type: Incident
```

```yaml
connectors:
  virustotal:
    connector_type: virustotal
    enabled: true
    base_url: https://www.virustotal.com
    api_key: ${VIRUSTOTAL_API_KEY}
    timeout_secs: 30
    settings:
      cache_ttl_secs: 3600
```

```yaml
connectors:
  splunk:
    connector_type: splunk
    enabled: true
    base_url: https://splunk.company.com:8089
    api_key: ${SPLUNK_TOKEN}
    settings:
      index: main
      earliest_time: -24h
```

```yaml
connectors:
  crowdstrike:
    connector_type: crowdstrike
    enabled: true
    base_url: https://api.crowdstrike.com
    api_key: ${CS_CLIENT_ID}
    api_secret: ${CS_CLIENT_SECRET}
```
```yaml
llm:
  provider: anthropic
  model: claude-3-5-sonnet-20241022
  api_key: ${ANTHROPIC_API_KEY}
  base_url: ""
  max_tokens: 4096
  temperature: 0.1
```

| Field | Description |
|-------|-------------|
| `provider` | LLM provider: `anthropic`, `openai`, or `local` |
| `model` | Model identifier |
| `api_key` | API key (use `${ENV_VAR}`) |
| `base_url` | Custom endpoint URL for local/self-hosted models |
| `max_tokens` | Maximum tokens in LLM responses |
| `temperature` | Sampling temperature (lower = more deterministic) |
```yaml
policy:
  guardrails_path: config/guardrails.yaml
  default_approval_level: analyst
  auto_approve_low_risk: true
  confidence_threshold: 0.9
```

| Field | Description |
|-------|-------------|
| `guardrails_path` | Path to the guardrails configuration file |
| `default_approval_level` | Default approval level for unknown actions (`analyst`, `senior`, `manager`) |
| `auto_approve_low_risk` | Whether low-risk actions can be auto-approved |
| `confidence_threshold` | Minimum AI confidence for auto-approval (0.0-1.0) |
```yaml
logging:
  level: info
  json_format: false
  # file_path: /var/log/triage-warden/triage-warden.log
```

| Field | Description |
|-------|-------------|
| `level` | Log level: `trace`, `debug`, `info`, `warn`, `error` |
| `json_format` | Use structured JSON format (recommended for production) |
| `file_path` | Optional log file path; omit to log to stdout |
```yaml
database:
  url: sqlite://triage-warden.db?mode=rwc
  max_connections: 10
  run_migrations: true
```

| Field | Description |
|-------|-------------|
| `url` | Database connection string |
| `max_connections` | Connection pool size |
| `run_migrations` | Whether to run migrations on startup |

| Database | URL format |
|----------|------------|
| SQLite (dev) | `sqlite://triage-warden.db?mode=rwc` |
| PostgreSQL (prod) | `postgres://user:pass@host:5432/triage_warden` |
```yaml
api:
  port: 8080
  host: "0.0.0.0"
  enable_swagger: true
  timeout_secs: 30
```

| Field | Description |
|-------|-------------|
| `port` | TCP port to listen on |
| `host` | Bind address (`0.0.0.0` for all interfaces, `127.0.0.1` for localhost only) |
| `enable_swagger` | Serve Swagger UI at `/swagger-ui` |
| `timeout_secs` | HTTP request timeout in seconds |
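
The guidance that sensitive values should use environment variable interpolation can be checked before deployment. The following is an added example, not part of the Triage Warden project: it flags `api_key`/`api_secret` values written as literals, a literal password embedded in a connection URL, and `${VAR}` references missing from the environment. It assumes the `${NAME}` syntax shown on this page and scans lines with regular expressions instead of a YAML parser; `audit_config` and the sample values are constructed for illustration.

```python
import re

SECRET_KEYS = {"api_key", "api_secret"}            # secret-bearing fields named on this page
REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")  # assumed ${NAME} interpolation syntax
KV = re.compile(r"^\s*([A-Za-z_]\w*):\s*(.*?)\s*$")   # simple "key: value" line
URL_CRED = re.compile(r"://[^/\s:@]+:([^@/\s]+)@")    # scheme://user:PASSWORD@host

def audit_config(text, env):
    """Return (line_no, key, problem) findings for a Triage Warden-style config text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue                                # commented-out settings are ignored
        m = KV.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("\"'")
        if not value:
            continue                                # section header or empty string
        if key in SECRET_KEYS and not REF.fullmatch(value):
            findings.append((no, key, "literal secret"))
        cred = URL_CRED.search(value)
        if cred and not REF.fullmatch(cred.group(1)):
            findings.append((no, key, "literal password in URL"))
        for name in REF.findall(value):
            if not env.get(name):                   # missing or empty counts as unset
                findings.append((no, key, f"unset variable {name}"))
    return findings

# Constructed sample, not a real deployment file.
SAMPLE = """\
connectors:
  jira:
    api_key: ${JIRA_API_KEY}
    api_secret: ""
  virustotal:
    api_key: 0123-constructed-literal
  crowdstrike:
    api_key: ${CS_CLIENT_ID}
    api_secret: ${CS_CLIENT_SECRET}
database:
  url: postgres://tw:hunter2@db:5432/triage_warden
"""

if __name__ == "__main__":
    env = {"JIRA_API_KEY": "x", "CS_CLIENT_ID": "y"}  # CS_CLIENT_SECRET left unset
    for finding in audit_config(SAMPLE, env):
        print(finding)
```

Run it in CI against the customized copy of the config with the deployment's environment; an empty result means every secret field is interpolated and every referenced variable is set.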