Coding Agents

Use Claude Code, Codex, or Cursor to author parsers, detections, and searches when running the OSS build of nano without built-in AI

Using nano with Coding Agents

The open-source build of nano ships without the built-in pivt AI assistant. The hosted product uses pivt to generate parsers from sample logs, draft detections from natural-language descriptions, and translate plain English into nPL queries. The OSS build leaves all of that to you — and a coding agent like Claude Code, OpenAI Codex, or Cursor can fill the gap.

This section shows you how to wire up a coding agent against three public reference repositories so it can do the work pivt would have done in the hosted product.

What you give up, what you get back

| Hosted nano (pivt AI) | OSS nano + coding agent |
|---|---|
| Generate a parser from a sample log paste | Agent reads parsers/ for examples, drafts parser.yaml, you validate with vector vrl |
| Draft a detection from "alert me when…" | Agent reads rules/ for examples, drafts a YAML detection, nanodac validate checks it |
| Convert natural language to nPL | Agent reads the Search Commands docs and drafts the query |
| Auto-tune false positives | Manual review of detection matches; iterate via PR |
| One-click apply from the UI | nanodac sync from CI or a local checkout |

The trade-off: the agent runs locally (or in your CI), so your log samples and detection logic never leave your environment. That's the same property that makes this approach attractive for air-gapped or compliance-bound deployments.

Reference repositories

Three public repos under github.com/nanos-sh make this workflow possible. The agent uses them as ground truth for file shapes, conventions, and examples.

| Repo | Purpose | Used by |
|---|---|---|
| parsers | 60+ sample parsers (parser.yaml with VRL) covering Windows, Sysmon, AWS, GCP, Okta, Palo Alto, CrowdStrike, etc. | Parser authoring |
| rules | Sample detection rules organized by MITRE tactic, licensed under DRL 1.1 | Detection authoring |
| nanodac | Detection-as-code CLI with an MCP server for direct agent integration | Detection authoring + sync |

Supported agents

These docs are written for any agent that can read local files and run shell commands. Tested workflows:

  • Claude Code — Anthropic's CLI; reads CLAUDE.md for repo-specific instructions, supports MCP servers
  • OpenAI Codex — reads AGENTS.md, supports MCP servers
  • Cursor — IDE-native agent; reads .cursor/rules/ and mcp-config.json
  • Kiro — reads .kiro/ (nanodac already ships with a .kiro/ directory)

Anywhere these docs reference CLAUDE.md, the equivalent file for your agent works the same way.

Where to go next

  1. Setup — clone the reference repos, wire up the nanodac MCP server, drop in agent instructions
  2. Authoring parsers — generate a new parser.yaml from a log sample
  3. Authoring detections — draft a YAML detection, validate it, ship it via nanodac sync
  4. Crafting searches — turn natural-language hunting questions into nPL queries

If you're already running detection-as-code and just want the agent integration, jump straight to Setup and then Authoring detections. For background on the underlying DaC workflow without an agent, see Detection-as-Code.