Pilot Security Operations Center Setup
by @teoslayer
Deploy a security operations center pipeline with 4 agents. Use this skill when: 1. User wants to set up a SOC or security monitoring pipeline 2. User is con...
clawhub install pilot-security-operations-center-setupπ About This Skill
name: pilot-security-operations-center-setup description: > Deploy a security operations center pipeline with 4 agents.
Use this skill when: 1. User wants to set up a SOC or security monitoring pipeline 2. User is configuring a log collector, threat analyzer, enforcer, or dashboard agent 3. User asks about threat detection, blocklisting, or security event correlation
Do NOT use this skill when: - User wants a single security check (use pilot-watchdog instead) - User wants to blocklist one agent (use pilot-blocklist instead) tags: - pilot-protocol - setup - security - soc license: AGPL-3.0 metadata: author: vulture-labs version: "1.0" openclaw: requires: bins: - pilotctl - clawhub homepage: https://pilotprotocol.network allowed-tools: - Bash
Security Operations Center Setup
Deploy 4 agents: collector, analyzer, enforcer, and dashboard.
Roles
| Role | Hostname | Skills | Purpose |
|------|----------|--------|---------|
| collector |
Setup Procedure
Step 1: Ask the user which role and prefix.
Step 2: Install skills:
# collector:
clawhub install pilot-event-log pilot-audit-log pilot-stream-data pilot-cron
analyzer:
clawhub install pilot-event-filter pilot-event-replay pilot-alert pilot-priority-queue
enforcer:
clawhub install pilot-blocklist pilot-quarantine pilot-webhook-bridge pilot-audit-log
dashboard:
clawhub install pilot-metrics pilot-slack-bridge pilot-network-map pilot-mesh-status
Step 3: Set hostname and write manifest to ~/.pilot/setups/security-operations-center.json.
Step 4: Handshake with adjacent agents.
Manifest Templates Per Role
collector
{
"setup": "security-operations-center", "role": "collector", "role_name": "Log Collector",
"hostname": "-collector",
"skills": {
"pilot-event-log": "Aggregate security events from all nodes.",
"pilot-audit-log": "Maintain tamper-evident event log.",
"pilot-stream-data": "Stream events to analyzer in real time.",
"pilot-cron": "Schedule periodic log sweeps."
},
"data_flows": [{ "direction": "send", "peer": "-analyzer", "port": 1002, "topic": "security-event", "description": "Raw security events" }],
"handshakes_needed": ["-analyzer"]
}
analyzer
{
"setup": "security-operations-center", "role": "analyzer", "role_name": "Threat Analyzer",
"hostname": "-analyzer",
"skills": {
"pilot-event-filter": "Filter and correlate events, detect patterns.",
"pilot-event-replay": "Replay past events for forensic investigation.",
"pilot-alert": "Emit classified threat alerts.",
"pilot-priority-queue": "Prioritize threats by severity."
},
"data_flows": [
{ "direction": "receive", "peer": "-collector", "port": 1002, "topic": "security-event", "description": "Raw events" },
{ "direction": "send", "peer": "-enforcer", "port": 1002, "topic": "threat-verdict", "description": "Threat verdicts" },
{ "direction": "send", "peer": "-dashboard", "port": 1002, "topic": "threat-alert", "description": "Classified threats" }
],
"handshakes_needed": ["-collector", "-enforcer", "-dashboard"]
}
enforcer
{
"setup": "security-operations-center", "role": "enforcer", "role_name": "Threat Enforcer",
"hostname": "-enforcer",
"skills": {
"pilot-blocklist": "Add malicious IPs/agents to deny list.",
"pilot-quarantine": "Isolate compromised agents.",
"pilot-webhook-bridge": "Trigger incident webhooks.",
"pilot-audit-log": "Log all enforcement actions."
},
"data_flows": [
{ "direction": "receive", "peer": "-analyzer", "port": 1002, "topic": "threat-verdict", "description": "Threat verdicts" },
{ "direction": "send", "peer": "-dashboard", "port": 1002, "topic": "enforcement-action", "description": "Actions taken" }
],
"handshakes_needed": ["-analyzer", "-dashboard"]
}
dashboard
{
"setup": "security-operations-center", "role": "dashboard", "role_name": "SOC Dashboard",
"hostname": "-dashboard",
"skills": {
"pilot-metrics": "Display threat counts, response times.",
"pilot-slack-bridge": "Send security summaries to Slack.",
"pilot-network-map": "Visualize network topology and threats.",
"pilot-mesh-status": "Show peer connectivity and encryption status."
},
"data_flows": [
{ "direction": "receive", "peer": "-analyzer", "port": 1002, "topic": "threat-alert", "description": "Classified threats" },
{ "direction": "receive", "peer": "-enforcer", "port": 1002, "topic": "enforcement-action", "description": "Actions taken" }
],
"handshakes_needed": ["-analyzer", "-enforcer"]
}
Data Flows
collector β analyzer : raw security events (port 1002)analyzer β enforcer : threat verdicts (port 1002)analyzer β dashboard : classified threats (port 1002)enforcer β dashboard : enforcement actions (port 1002)Workflow Example
# On collector:
pilotctl --json publish -analyzer security-event '{"type":"port_scan","source":"203.0.113.42","ports":1024}'
On analyzer:
pilotctl --json publish -enforcer threat-verdict '{"source":"203.0.113.42","severity":"high","action":"block"}'
On enforcer:
pilotctl --json publish -dashboard enforcement-action '{"source":"203.0.113.42","action":"blocked"}'
Dependencies
Requires pilot-protocol skill, pilotctl binary, clawhub binary, and a running daemon.