Blue Team Investigation Skills

Your SOC has 6 data sources. Your analysts check them one at a time. What if your AI analyst could check all 6 in a single question?

In this lab, you build the defensive layer — 4 Blue Team skills that wire your AI analyst to Windows endpoints, Active Directory, Wazuh XDR, and Security Onion. Real event logs. Real alerts. Real network traffic flowing through your lab right now.

But the skills are just the wiring. The real lesson is what happens after you build them. You'll ask the same question two ways — once casually, once with structure — and watch the AI go from listing data to detecting automation patterns, flagging privilege risks, and categorizing traffic by intent.

By the end, you'll have 7 of 9 skills built. And you'll start to realize that the investigation quality isn't limited by your tools — it's limited by your questions.

By the end of this lab, learners will be able to:

• Explain what each of the 6 SOC data sources captures and why it matters for investigation
• Articulate the difference between sequential and parallel investigation with AI
• Create 4 Blue Team skills wired to live security data sources
• Query Windows event logs, Sysmon telemetry, Active Directory, Wazuh XDR alerts, Zeek network logs, and Suricata IDS alerts through the AI assistant
• Apply prompt engineering to transform raw security data into categorized, actionable intelligence
• Demonstrate that engineered prompts produce dramatically better analysis than general prompts across every data source

Hardware:

• 1x Kali Linux VM (claw-secops-rednode, 192.168.1.2) — jumpbox, OpenClaw host
• 2x Windows 10 VMs (win-endpoint-1/2, 192.168.3.2/3.4) — Sysmon, Wazuh Agent, Elastic Agent
• 1x Windows Server 2019 VM (win-ad-01, 192.168.2.3) — Domain Controller, threathunt.org
• 1x Ubuntu VM (Wazuh XDR, 192.168.3.3) — Wazuh Manager, API on port 55000
• 1x Ubuntu VM (Security Onion so-prod, 192.168.10.5) — Zeek + Suricata NSM

Software:

• OpenClaw AI Agent Platform (gateway + WebUI on port 18789)
• Qwen 3.5 27B LLM via OpenRouter API
• VS Code, Google Chrome with OpenClaw bookmark
• Blue Team scripts: winrm_query.py, ad_query.py, wazuh_query.py, seconion_query.py
• Python 3.12 venv with pywinrm, requests, paramiko