Autonomous SOC Layer for Wazuh using OpenClaw Agents with MCP
Auto-triage alerts • Correlate incidents • Generate response plans • Human-in-the-loop approval
AI Agent Framework GitHub · Website |
Wazuh API Bridge GitHub |
SIEM & XDR Platform Website |
Wazuh OpenClaw Autopilot adds an autonomous intelligence layer to your Wazuh SIEM. Using OpenClaw AI agents connected via the Model Context Protocol (MCP), it automatically triages alerts, correlates related incidents, and generates risk-assessed response plans—all with mandatory human approval before any action is taken.
| Capability | Description |
|---|---|
| Autonomous Triage | AI agents analyze incoming alerts, extract entities (IPs, users, hosts), and assign severity |
| Incident Correlation | Automatically link related alerts into unified cases with attack timelines |
| Response Planning | Generate risk-assessed response plans with recommended Wazuh Active Response actions |
| Human-in-the-Loop | Two-tier approval workflow ensures humans authorize every response action |
| Evidence Packs | Structured JSON evidence packages for compliance and forensics |
| Prometheus Metrics | Full observability with SOC KPIs (MTTD, MTTR, auto-triage rate) |
| Slack Integration | Real-time alerts and interactive approval buttons via Socket Mode |
WAZUH OPENCLAW AUTOPILOT
┌──────────────────────────────────────────────────────────────────────────────┐
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Wazuh │ │ MCP │ │ OpenClaw │ │
│ │ Manager │─────▶│ Server │◀────▶│ Gateway │ │
│ │ │ │ │ │ │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │ │ │ │
│ Alerts Wazuh API AI Agents │
│ │ │ │
│ ▼ ▼ │
│ ┌──────────────┐ ┌──────────────┐ │
│ │ Runtime │◀─────────────────────────│ 7 SOC │ │
│ │ Service │ │ Agents │ │
│ │ │ │ │ │
│ └──────────────┘ └──────────────┘ │
│ │ │
│ ├── Cases & Evidence Packs │
│ ├── Response Plans (human approval required) │
│ ├── Prometheus Metrics (/metrics) │
│ └── Slack Notifications (Socket Mode) │
│ │
└──────────────────────────────────────────────────────────────────────────────┘
Alert Ingestion ──▶ Triage ──▶ Correlation ──▶ Investigation
│
┌────────────────────────────────┘
▼
Response Planner ──▶ Policy Guard ──▶ Human Approval ──▶ Responder
│
[Approve] [Execute]
| Agent | Function | Autonomy |
|---|---|---|
| Triage | Analyze alerts, extract IOCs, create cases | Automatic |
| Correlation | Link related alerts, build attack timelines | Automatic |
| Investigation | Deep analysis, process trees, threat intel enrichment | Automatic |
| Response Planner | Generate risk-assessed response plans | Proposal only |
| Policy Guard | Validate actions against security policies | Advisory |
| Responder | Execute Wazuh Active Response commands | Human-gated |
| Reporting | Generate SOC metrics, KPIs, shift reports | Automatic |
OpenClaw is model-agnostic and supports 10+ LLM providers. Configure your preferred provider in openclaw/openclaw.json:
| Provider | Models | Best For | API Key Env |
|---|---|---|---|
| Anthropic | claude-opus-4-5, claude-sonnet-4-5, claude-haiku-4-5 |
Recommended for SOC reasoning | ANTHROPIC_API_KEY |
| OpenAI | gpt-4o, gpt-4.5-preview, o3-mini |
General purpose, embeddings | OPENAI_API_KEY |
| Groq | llama-3.3-70b-versatile, mixtral-8x7b-32768 |
Ultra-fast inference | GROQ_API_KEY |
gemini-2.0-flash, gemini-2.0-pro |
Multimodal capabilities | GOOGLE_API_KEY |
|
| Mistral | mistral-large-latest, codestral-latest |
European provider | MISTRAL_API_KEY |
| xAI | grok-2, grok-3 |
Real-time knowledge | XAI_API_KEY |
| OpenRouter | 300+ models | Multi-provider gateway | OPENROUTER_API_KEY |
| Ollama | llama3.3, mistral, codellama |
Local/free inference | N/A |
| Together | Various open-source | Open-source hosting | TOGETHER_API_KEY |
| Cerebras | Cerebras models | Ultra-fast inference | CEREBRAS_API_KEY |
Model format is "provider/model-name". Example openclaw.json snippet:
{
"model": {
"primary": "anthropic/claude-sonnet-4-5",
"fallback": "openai/gpt-4o",
"fast": "groq/llama-3.3-70b-versatile"
}
}| Task Type | Recommended Model | Reason |
|---|---|---|
| Complex investigation | anthropic/claude-sonnet-4-5 |
Best reasoning |
| High-volume triage | groq/llama-3.3-70b-versatile |
Fast & cost-effective |
| Heartbeats/checks | anthropic/claude-haiku-4-5 |
Low cost |
| Air-gapped deployment | ollama/llama3.3 |
No external API calls |
Every response action requires explicit human authorization through a two-tier workflow:
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ PROPOSED │ ───▶ │ APPROVED │ ───▶ │ EXECUTED │
│ │ │ │ │ │
│ AI generates │ │ Human clicks │ │ Human clicks │
│ response plan │ │ [Approve] │ │ [Execute] │
└─────────────────┘ └─────────────────┘ └─────────────────┘
│ │
▼ ▼
Tier 1: Validate Tier 2: Authorize
the plan is correct actual execution
AI agents cannot execute actions autonomously. The responder capability is disabled by default and requires explicit enablement plus human approval for every action.
Tested via Wazuh MCP Server v4.0.6:
| Wazuh Version | Support Level | Notes |
|---|---|---|
| 4.14.x | Fully Supported | Recommended. All 29 MCP tools work. |
| 4.10.x – 4.13.x | Fully Supported | All features available |
| 4.8.x – 4.9.x | Fully Supported | Minimum for vulnerability tools |
| 4.0.0 – 4.7.x | Limited | 3 vulnerability tools unavailable (require Wazuh Indexer) |
| Platform | Status |
|---|---|
| Ubuntu 22.04 / 24.04 | Tested |
| Debian 11 / 12 | Tested |
| RHEL / Rocky / AlmaLinux 8/9 | Supported |
| Air-gapped (Ollama) | Supported — see Air-Gapped Deployment Guide |
| Requirement | Description |
|---|---|
| Wazuh Manager | SIEM platform (installed and running, 4.8.0+) |
| Wazuh MCP Server | MCP bridge for Wazuh API access |
| OpenClaw | AI agent framework (docs) |
| Node.js 18+ | Runtime for autopilot service |
| LLM API Key | Claude, GPT, Groq, Mistral, or Ollama (local/free) |
git clone https://github.com/gensecaihq/Wazuh-Openclaw-Autopilot.git
cd Wazuh-Openclaw-Autopilot
sudo ./install/install.shFor air-gapped or bootstrap environments (no Tailscale):
sudo ./install/install.sh --skip-tailscaleThe installer will guide you through:
- Tailscale setup (zero-trust networking — skippable with
--skip-tailscale) - MCP Server installation
- OpenClaw Gateway configuration
- Agent deployment
- Slack integration (optional)
# Edit configuration
sudo nano /etc/wazuh-autopilot/.env
# Required: Wazuh connection
WAZUH_HOST=localhost
WAZUH_PORT=55000
WAZUH_USER=wazuh-wui
WAZUH_PASS=your-password
# Required: At least one LLM provider
ANTHROPIC_API_KEY=sk-ant-... # Claude (recommended)
OPENAI_API_KEY=sk-... # GPT-4o (also used for embeddings)
# Optional: Additional providers for fallback/cost optimization
GROQ_API_KEY=gsk-... # Fast inference
MISTRAL_API_KEY=... # European provider
XAI_API_KEY=... # Grok
GOOGLE_API_KEY=... # Gemini
# Optional: Slack integration
SLACK_APP_TOKEN=xapp-...
SLACK_BOT_TOKEN=xoxb-...# Using Docker Compose
docker-compose up -d
# Or build manually
cd runtime/autopilot-service
docker build -t wazuh-autopilot .
docker run -d -p 127.0.0.1:9090:9090 --env-file .env wazuh-autopilot# Full-stack health check
./scripts/health-check.sh
# Or check individual endpoints (default port 9090, configurable via RUNTIME_PORT)
curl http://localhost:9090/health
curl http://localhost:9090/metrics| Endpoint | Method | Description |
|---|---|---|
/api/cases |
GET | List all cases |
/api/cases |
POST | Create case |
/api/cases/:id |
GET | Get case details |
/api/cases/:id |
PUT | Update case |
/api/alerts |
POST | Ingest Wazuh alert (auto-triage) |
| Endpoint | Method | Description |
|---|---|---|
/api/plans |
GET | List response plans (filter: ?state=, ?case_id=) |
/api/plans |
POST | Create response plan |
/api/plans/:id |
GET | Get plan details |
/api/plans/:id/approve |
POST | Tier 1: Approve plan |
/api/plans/:id/execute |
POST | Tier 2: Execute plan |
/api/plans/:id/reject |
POST | Reject plan |
| Endpoint | Method | Description |
|---|---|---|
/health |
GET | Service health |
/ready |
GET | Kubernetes readiness probe |
/version |
GET | Service version info |
/metrics |
GET | Prometheus metrics |
/api/responder/status |
GET | Responder capability status |
Prometheus metrics available at /metrics:
# Cases
autopilot_cases_created_total
autopilot_cases_updated_total
autopilot_alerts_ingested_total
# Two-tier approval
autopilot_plans_created_total
autopilot_plans_approved_total
autopilot_plans_executed_total
autopilot_plans_rejected_total
autopilot_plans_expired_total
# Performance
autopilot_triage_latency_seconds
autopilot_mcp_tool_call_latency_seconds
# Responder
autopilot_executions_success_total
autopilot_executions_failed_total
autopilot_responder_disabled_blocks_total
# Policy
autopilot_policy_denies_total{reason="..."}
autopilot_errors_total{component="..."}
Each case generates a structured evidence pack:
{
"schema_version": "1.0",
"case_id": "CASE-20260217-abc123",
"created_at": "2026-02-17T10:30:00Z",
"severity": "high",
"entities": [
{"type": "ip", "value": "192.168.1.100", "role": "attacker"},
{"type": "user", "value": "admin", "role": "target"}
],
"timeline": [...],
"mitre": [{"technique_id": "T1110", "tactic": "Credential Access"}],
"plans": [...],
"actions": [...]
}| Component | Binding | Access |
|---|---|---|
| OpenClaw Gateway | 127.0.0.1:18789 |
Localhost only |
| MCP Server | Tailscale IP | VPN only |
| Runtime Service | 127.0.0.1:9090 |
Localhost only |
No services are exposed to the public internet.
- Pairing mode: Devices must be explicitly approved
- Tailscale: All inter-component traffic encrypted
- Credentials: Isolated storage with 600 permissions
- Human approval: Required for all response actions
Uses Socket Mode (outbound-only, no webhooks required):
┌─────────────────┐ ┌─────────────────┐
│ Runtime Service │ ══ OUTBOUND ══════▶│ Slack API │
│ (localhost) │◀══ messages ═══════│ (WebSocket) │
└─────────────────┘ └─────────────────┘
Features:
- Real-time alert notifications
- Interactive approval buttons
- Slash commands (
/wazuh status,/wazuh approve,/wazuh execute) - No inbound ports required
├── .github/workflows/ # CI/CD pipeline
├── docker-compose.yml # Container orchestration
├── install/
│ ├── install.sh # Security-hardened installer
│ └── env.template # Environment template (port config)
├── scripts/
│ └── health-check.sh # Full-stack health check
├── openclaw/
│ ├── openclaw.json # Gateway & model configuration (multi-provider)
│ ├── openclaw-airgapped.json # Air-gapped config (Ollama only)
│ └── agents/ # 7 SOC agents + _shared/ (AGENTS.md, IDENTITY.md, TOOLS.md, HEARTBEAT.md, MEMORY.md)
├── runtime/autopilot-service/
│ ├── Dockerfile # Production container
│ ├── index.js # Main service (2400+ LOC)
│ ├── slack.js # Slack Socket Mode integration
│ └── index.test.js # Unit tests (40 tests)
├── policies/
│ ├── policy.yaml # Security policies & approvers
│ └── toolmap.yaml # MCP tool mappings
├── playbooks/ # Incident response playbooks (7 playbooks)
└── docs/ # Documentation
| Method | Use Case | Command |
|---|---|---|
| Docker Compose | Production | docker-compose up -d |
| Docker | Single container | docker run -d wazuh-autopilot |
| Systemd | Native Linux | sudo ./install/install.sh |
| Manual | Development | cd runtime/autopilot-service && npm start |
| Document | Description |
|---|---|
| QUICKSTART.md | Installation guide |
| RUNTIME_API.md | REST API reference |
| POLICY_AND_APPROVALS.md | Policy engine and approval workflow |
| SLACK_SOCKET_MODE.md | Slack Socket Mode setup |
| EVIDENCE_PACK_SCHEMA.md | Evidence pack JSON format |
| AGENT_CONFIGURATION.md | Agent file structure and customization |
| AIR_GAPPED_DEPLOYMENT.md | Air-gapped deployment with Ollama |
| MCP_INTEGRATION.md | MCP server integration |
| CLI_REFERENCE.md | Installer and CLI commands |
| OBSERVABILITY_EXPORT.md | Prometheus metrics and logging |
| SCENARIOS.md | Deployment scenarios |
| TAILSCALE_MANDATORY.md | Tailscale zero-trust networking |
| TROUBLESHOOTING.md | Troubleshooting guide |
| CHANGELOG.md | Version history |
cd runtime/autopilot-service
npm install
npm test
# Full-stack health check
./scripts/health-check.sh --quickSee CONTRIBUTING.md for guidelines.
| Channel | Purpose |
|---|---|
| GitHub Discussions | Questions, ideas, deployment help, community chat |
| GitHub Issues | Bug reports and feature requests |
- Q&A: Deployment Help & Troubleshooting
- Ideas: Feature Requests & Integration Ideas
- Show & Tell: Share Your Deployment
| Project | Description |
|---|---|
| OpenClaw | AI agent framework powering the SOC automation agents |
| Wazuh MCP Server | Model Context Protocol server for Wazuh API integration |
| OpenClaw.ai | Official OpenClaw documentation and resources |
MIT License - see LICENSE
OpenClaw • Wazuh MCP Server • Report Issue • Request Feature