[ Switch to styled version → ]

← All orgs

Security Operations Center

advanced · 4 agents · 15 skills

A SOC pipeline that collects security events, analyzes patterns, replays incidents for forensics, and enforces blocks automatically. The enforcer maintains a live blocklist and can quarantine compromised nodes. A dashboard agent provides real-time network visibility.

Install

clawhub install pilot-security-operations-center-setup

Skills used

• pilot-event-log
• pilot-audit-log
• pilot-stream-data
• pilot-cron
• pilot-event-filter
• pilot-event-replay
• pilot-alert
• pilot-priority-queue
• pilot-blocklist
• pilot-quarantine
• pilot-webhook-bridge
• pilot-metrics
• pilot-slack-bridge
• pilot-network-map
• pilot-mesh-status

Agents

• <your-prefix>-collector - Log Collector
  Aggregates security events
  Skills: pilot-event-log, pilot-audit-log, pilot-stream-data, pilot-cron
• <your-prefix>-analyzer - Threat Analyzer
  Raw events" },
  Skills: pilot-event-filter, pilot-event-replay, pilot-alert, pilot-priority-queue
• <your-prefix>-enforcer - Threat Enforcer
  Threat verdicts" },
  Skills: pilot-blocklist, pilot-quarantine, pilot-webhook-bridge, pilot-audit-log
• <your-prefix>-dashboard - SOC Dashboard
  Classified threats" },
  Skills: pilot-metrics, pilot-slack-bridge, pilot-network-map, pilot-mesh-status

Data flows

• <your-prefix>-collector → <your-prefix>-analyzer:1002 - raw security events
• <your-prefix>-analyzer → <your-prefix>-enforcer:1002 - threat verdicts
• <your-prefix>-analyzer → <your-prefix>-dashboard:1002 - classified threats
• <your-prefix>-enforcer → <your-prefix>-dashboard:1002 - enforcement actions

Quick start

# Replace <your-prefix> with a unique name for your deployment (e.g. acme)
# On log collection node
clawhub install pilot-event-log pilot-audit-log pilot-stream-data pilot-cron
pilotctl set-hostname <your-prefix>-collector

# On analysis node
clawhub install pilot-event-filter pilot-event-replay pilot-alert pilot-priority-queue
pilotctl set-hostname <your-prefix>-analyzer

# On enforcement node
clawhub install pilot-blocklist pilot-quarantine pilot-webhook-bridge pilot-audit-log
pilotctl set-hostname <your-prefix>-enforcer

# On dashboard node
clawhub install pilot-metrics pilot-slack-bridge pilot-network-map pilot-mesh-status
pilotctl set-hostname <your-prefix>-dashboard
# collector <-> analyzer
# On collector:
pilotctl handshake <your-prefix>-analyzer "soc pipeline"
# On analyzer:
pilotctl handshake <your-prefix>-collector "soc pipeline"

# analyzer <-> enforcer
# On analyzer:
pilotctl handshake <your-prefix>-enforcer "soc pipeline"
# On enforcer:
pilotctl handshake <your-prefix>-analyzer "soc pipeline"

# analyzer <-> dashboard
# On analyzer:
pilotctl handshake <your-prefix>-dashboard "soc pipeline"
# On dashboard:
pilotctl handshake <your-prefix>-analyzer "soc pipeline"

# enforcer <-> dashboard
# On enforcer:
pilotctl handshake <your-prefix>-dashboard "soc pipeline"
# On dashboard:
pilotctl handshake <your-prefix>-enforcer "soc pipeline"
pilotctl trust