Autonomous SOC • Open-source • Human-approved actions

Turn Wazuh alerts into cases, plans, and safe action — automatically.

Wazuh OpenClaw Autopilot adds an autonomous intelligence layer to your Wazuh SIEM using OpenClaw agents connected via MCP. It auto-triages alerts, correlates incidents, and generates response plans — with mandatory two-tier human approval before execution.

Auto-triage → severity + entities
Correlation → unified cases + timelines
Plans → risk-assessed response proposals
Evidence packs → structured JSON for audit
Prometheus → KPIs & latency metrics
Slack → approvals via Socket Mode

What you get

7 specialized SOC agents

Triage → Correlation → Investigation → Planning → Policy guard → Human approval → Responder + Reporting.

Two-tier approvals

Every response action is gated. Autopilot proposes, humans approve, then execution happens.

Security-first networking

Localhost bindings + VPN-only MCP access — designed so nothing needs to be publicly exposed.

Operational visibility

Prometheus metrics for MTTD, MTTR, triage latency, approvals, executions and policy denies.

Quick demo flow

From alert storm → to a clean, human-approved response.

  1. Alert comes in from Wazuh
  2. Agents extract entities + correlate into a case
  3. Planner creates a response plan + risk notes
  4. Policy guard checks allow-list / deny rules
  5. Humans approve → responder executes via Wazuh Active Response
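The five steps above, modelled end to end as an added Python illustration (not the project's own code): a few constructed Wazuh-style alerts are reduced to entities, folded into cases by source IP, turned into a plan with a risk note, screened by a command allow-list and a protected-network deny rule, and then executed only once two distinct approvers have signed off. The rule ids, the `PROTECTED_NETS` range and the metric of "level 10 or higher gets a plan" are assumptions made for the demo; the responder only records what it would have sent to Wazuh Active Response.

```python
"""Toy model of the alert -> case -> plan -> policy guard -> approval -> responder flow.
Added illustration; alerts below are constructed and the thresholds are assumptions."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed Wazuh-style alerts, trimmed to the fields this demo reads.
ALERTS = [
    {"rule": {"id": "5710", "level": 5, "description": "sshd: login attempt with non-existent user"},
     "agent": {"name": "web-01"}, "data": {"srcip": "203.0.113.9", "dstuser": "admin"}},
    {"rule": {"id": "5712", "level": 10, "description": "sshd: brute force trying to get access"},
     "agent": {"name": "web-01"}, "data": {"srcip": "203.0.113.9"}},
    {"rule": {"id": "5501", "level": 3, "description": "PAM: login session opened"},
     "agent": {"name": "db-01"}, "data": {"srcip": "10.0.0.5", "dstuser": "backup"}},
]

@dataclass
class Case:
    key: str            # correlation key (the source IP here)
    alerts: list
    severity: int       # highest Wazuh rule level seen in the case
    entities: dict

@dataclass
class Plan:
    case: Case
    action: dict        # {"command", "target", "risk"}
    approvals: set = field(default_factory=set)

def extract_entities(alert):
    """Step 2a: pull out the entities the later steps key on."""
    return {"srcip": alert["data"].get("srcip"),
            "agent": alert["agent"]["name"],
            "user": alert["data"].get("dstuser")}

def correlate(alerts):
    """Step 2b: fold alerts that share a source IP into one case with a merged entity set."""
    groups = defaultdict(list)
    for a in alerts:
        groups[extract_entities(a)["srcip"]].append(a)
    return [Case(key=ip, alerts=group,
                 severity=max(a["rule"]["level"] for a in group),
                 entities={"agents": sorted({a["agent"]["name"] for a in group}),
                           "users": sorted({a["data"].get("dstuser") for a in group} - {None})})
            for ip, group in groups.items()]

def plan(case):
    """Step 3: propose a containment action for level-10+ cases (assumed threshold) with a risk note."""
    if case.severity < 10:
        return None
    return Plan(case=case, action={
        "command": "firewall-drop", "target": case.key,
        "risk": f"blocking {case.key} affects agents {case.entities['agents']}; "
                f"confirm it is not a shared egress address"})

ALLOWED_COMMANDS = {"firewall-drop"}                        # assumed allow-list
PROTECTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # assumed never-block range

def policy_guard(action):
    """Step 4: allow-list the command, deny targets inside protected networks."""
    if action["command"] not in ALLOWED_COMMANDS:
        return False, f"command {action['command']} not allow-listed"
    ip = ipaddress.ip_address(action["target"])
    if any(ip in net for net in PROTECTED_NETS):
        return False, f"target {ip} is in a protected network"
    return True, "ok"

def approve(p, approver):
    p.approvals.add(approver)   # a set: the same person approving twice still counts once

def execute(p, responder_log):
    """Step 5: refuse unless the guard passes AND two distinct humans approved."""
    ok, reason = policy_guard(p.action)
    if not ok:
        return f"denied: {reason}"
    if len(p.approvals) < 2:
        return f"blocked: {len(p.approvals)}/2 approvals"
    # A real responder would call Wazuh Active Response here; the demo only records it.
    responder_log.append((p.action["command"], p.action["target"], sorted(p.approvals)))
    return "executed"

def run_demo():
    cases = correlate(ALERTS)
    plans = [pl for pl in (plan(c) for c in cases) if pl]
    log, results = [], []
    for p in plans:
        results.append(execute(p, log))     # no approvals yet -> blocked
        approve(p, "analyst-a")
        approve(p, "analyst-a")             # duplicate approver does not satisfy tier two
        results.append(execute(p, log))     # still blocked
        approve(p, "lead-b")
        results.append(execute(p, log))     # two distinct approvers -> executed
    return {"cases": len(cases), "plans": len(plans), "results": results, "log": log}

if __name__ == "__main__":
    print(run_demo())
```

Two details carry the security point: approvals are a set keyed by approver identity, so one person cannot satisfy both tiers, and the guard runs inside `execute` rather than only at planning time, so a plan that was acceptable when proposed is re-checked at the moment it would act.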


Architecture

A clean separation between SIEM data, tool access, agent reasoning, and execution — with approvals in the middle.

WAZUH MANAGER ──▶ MCP SERVER ◀──▶ OPENCLAW GATEWAY ──▶ 7 SOC AGENTS
       │                 │                    │
     Alerts          Wazuh API            AI orchestration
       │                 │                    │
       ▼                 ▼                    ▼
                 AUTOPILOT RUNTIME SERVICE
          cases • evidence packs • response plans • metrics • slack

Key metrics

Expose SOC KPIs and performance indicators at /metrics.

/metrics: Prometheus endpoint
2-tier: approval workflow
MTTD: triage + correlation latency
MTTR: execution tracking
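How the KPIs named above can be derived from case timestamps and served in Prometheus text exposition format, as an added Python illustration (not the project's own code and not its actual metric names): MTTD is measured from first alert to correlated case, MTTR from first alert to executed action, with open cases excluded from MTTR, and approvals, executions and policy denies are emitted as counters. The case records and the `autopilot_*` metric names are constructed for the demo; the renderer writes the text format by hand so it runs without the prometheus_client package.

```python
"""Compute MTTD, MTTR, triage latency and the approval/execution/deny counters from
case records and render them in Prometheus text format. Added illustration; the
records and metric names are assumptions, not the project's real schema."""
from statistics import mean

# Constructed case records: epoch seconds per milestone; None means not reached yet.
CASES = [
    {"id": "c1", "first_alert": 1000, "triaged": 1090, "correlated": 1130, "executed": 1700,
     "approvals": 2, "policy_denies": 0},
    {"id": "c2", "first_alert": 2000, "triaged": 2030, "correlated": 2045, "executed": None,
     "approvals": 1, "policy_denies": 1},
    {"id": "c3", "first_alert": 3000, "triaged": 3120, "correlated": 3200, "executed": 3500,
     "approvals": 2, "policy_denies": 0},
]

# Histogram buckets (seconds) for triage latency; "+Inf" is mandatory in the format.
TRIAGE_BUCKETS = [60, 120, 300]

def mttd(cases):
    """Mean time to detect: first alert -> case correlated (triage + correlation latency)."""
    return mean(c["correlated"] - c["first_alert"] for c in cases)

def mttr(cases):
    """Mean time to respond: first alert -> approved action executed; open cases excluded."""
    closed = [c for c in cases if c["executed"] is not None]
    return mean(c["executed"] - c["first_alert"] for c in closed) if closed else 0.0

def triage_latencies(cases):
    return [c["triaged"] - c["first_alert"] for c in cases]

def render_metrics(cases):
    """Build the /metrics body: HELP/TYPE headers, gauges, counters and one histogram."""
    lines = []

    def single(kind, name, help_text, value):
        lines.append(f"# HELP {name} {help_text}")
        lines.append(f"# TYPE {name} {kind}")
        lines.append(f"{name} {value}")

    single("gauge", "autopilot_mttd_seconds", "Mean time to detect.", mttd(cases))
    single("gauge", "autopilot_mttr_seconds", "Mean time to respond (closed cases).", mttr(cases))
    single("gauge", "autopilot_open_cases", "Cases without an executed response.",
           sum(1 for c in cases if c["executed"] is None))
    single("counter", "autopilot_approvals_total", "Human approvals recorded.",
           sum(c["approvals"] for c in cases))
    single("counter", "autopilot_executions_total", "Responder executions.",
           sum(1 for c in cases if c["executed"] is not None))
    single("counter", "autopilot_policy_denies_total", "Plans denied by the policy guard.",
           sum(c["policy_denies"] for c in cases))

    # Histogram: cumulative bucket counts, then _sum and _count.
    lat = triage_latencies(cases)
    name = "autopilot_triage_latency_seconds"
    lines.append(f"# HELP {name} Seconds from first alert to triage.")
    lines.append(f"# TYPE {name} histogram")
    for le in TRIAGE_BUCKETS:
        lines.append(f'{name}_bucket{{le="{le}"}} {sum(1 for v in lat if v <= le)}')
    lines.append(f'{name}_bucket{{le="+Inf"}} {len(lat)}')
    lines.append(f"{name}_sum {sum(lat)}")
    lines.append(f"{name}_count {len(lat)}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_metrics(CASES), end="")
```

Excluding open cases from MTTR matters: counting them as zero would make a backlog of unapproved plans look like fast response, whereas the separate `autopilot_open_cases` gauge makes that backlog visible on its own.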

Verify installation

FAQ

Does Autopilot execute actions automatically?

It generates plans automatically, but response actions require mandatory human approval before execution.

Can I run it air-gapped?

Yes. Air-gapped deployments are supported with a local LLM provider like Ollama.

Do I have to expose anything to the public internet?

No. Components are designed to bind to localhost and/or VPN-only access (e.g., Tailscale).

What SIEM does it support?

It’s built for Wazuh SIEM (Wazuh Manager 4.8.0+).