Correlation Skills & The Debugging Challenge

Individual data sources tell fragments. Windows events show a logon. Wazuh flags an alert. Zeek logs a connection. But no single source answers: what happened?

In this lab, you build the skills that connect the fragments — correlation skills that pull from all 6 data sources and construct unified investigation timelines. Then something breaks. A skill you create doesn't appear. No error message. No warning. Just silence.

Finding and fixing that failure is the most transferable lesson in this entire learning path. Because in production, AI tools don't crash loudly — they fail quietly. And the analyst who can diagnose "why doesn't the AI see my skill?" is the one who keeps the SOC running.

By the end, all 9 skills are built. Your AI security analyst is complete.

By the end of this lab, learners will be able to:

• Explain why single-source investigation misses patterns that cross-source correlation catches
• Create correlation skills that query multiple data sources in a single investigation
• Build an executive reporting skill for structured security assessments
• Diagnose a silently failing skill with no error message
• Identify and fix a YAML formatting error that prevents skill loading
• Verify all 9 skills are loaded and functional in the OpenClaw WebUI

Hardware:

• 1x Kali Linux VM (claw-secops-rednode, 192.168.1.2) — jumpbox, OpenClaw host
• 2x Windows 10 VMs (win-endpoint-1/2, 192.168.3.2/3.4) — Sysmon, Wazuh Agent, Elastic Agent
• 1x Windows Server 2019 VM (win-ad-01, 192.168.2.3) — Domain Controller, threathunt.org
• 1x Ubuntu VM (Wazuh XDR, 192.168.3.3) — Wazuh Manager, API on port 55000
• 1x Ubuntu VM (Security Onion so-prod, 192.168.10.5) — Zeek + Suricata NSM

Software:

• OpenClaw AI Agent Platform (gateway + WebUI on port 18789)
• Qwen 3.5 27B LLM via OpenRouter API
• VS Code, Google Chrome with OpenClaw bookmark
• All 4 helper scripts: winrm_query.py, ad_query.py, wazuh_query.py, seconion_query.py
• Python 3.12 venv with pywinrm, requests, paramiko