Beginner Guide: Run SecOps Autoresearch Live Locally¶
This guide shows exactly how to run the product every day, review findings, and triage them.
What you already have now¶
- Daily runner script:
scripts/openclaw_daily.sh - Scheduler installer:
scripts/install_openclaw_launchd.sh - Working live pipeline command:
python run_openclaw_live.py
Step 1: Activate your environment¶
Why:
- Uses the project Python environment so all scripts run with the correct dependencies.
Step 2: Run one full live pipeline¶
What this does:
- Exports native OpenClaw telemetry into local files.
- Ingests telemetry into a normalized audit stream.
- Prepares replay files used by detectors.
- Runs live-mode evaluation (
evaluate_openclaw.py --mode live). - Generates findings and updates the local SOC SQLite store.
Why:
- This is the fastest way to verify end-to-end data flow and detection output.
Step 3: Review detections¶
What this does:
- Lists finding IDs, severity, current status, and analyst disposition.
Why:
- Gives you the queue of incidents to triage.
Step 4: Inspect one finding deeply¶
Example:
What this does:
- Shows event evidence, attack types, matched rules, MITRE mapping, and notes.
Why:
- Lets you decide whether a finding is a true positive, false positive, or needs more review.
Step 5: Triage and document your decision¶
python soc_store.py set-disposition FINDING_ID true_positive
python soc_store.py set-status FINDING_ID triaged
python soc_store.py add-note FINDING_ID analyst "validated"
Why:
- Creates an audit trail of analyst decisions.
- Makes future tuning and model calibration better.
Step 6: Use one daily command¶
What this does:
- Runs the full live pipeline.
- Writes a timestamped log in
data/openclaw/logs/. - Prints the latest findings at the end.
Why --skip-export:
- Faster daily runs when your native input files are already present.
Step 7: Automate daily run on macOS¶
Install scheduler:
Check scheduler:
Tail logs:
Why:
- You get a reliable daily run without manually starting commands.
Step 8: Simulate attacks and run auto-research training¶
What this does:
- Regenerates deterministic synthetic attacks and benign traffic.
- Runs baseline benchmark with verbose per-rule output.
- Optionally builds OpenClaw attack-mix data.
- Runs quick threshold tuning (
tune.py --quick). - Re-runs benchmark to compare current quality.
Why:
- This is the fastest safe loop to improve smart detection rules.
- You can iterate using measured F1, precision, and recall instead of guessing.
Step 9: Use OpenClaw as a plugin now¶
Check malware presence:
Check data exfiltration presence:
Check both:
What this does:
- Reads the local SOC findings store.
- Filters findings for malware/exfil indicators.
- Returns a compact machine-friendly JSON response (good for integrations).
Why:
- Gives you a stable plugin interface for OpenClaw now.
- Future integrations can call this interface without changing core detection logic.
Step 10: Ask from WhatsApp-style commands¶
Local simulation (no external setup needed):
python whatsapp_openclaw_router.py --message "check malware"
python whatsapp_openclaw_router.py --message "check exfil"
python whatsapp_openclaw_router.py --message "show OCF-41B2A43C8D2C24EA"
Run webhook server for external provider integration later:
What this does:
- Parses simple chat commands.
- Calls the plugin interface.
- Returns a concise response string (ready for WhatsApp reply messages).
Why:
- Lets you keep your WhatsApp workflow while the backend remains local and secure.
- Makes provider integration (Twilio/Meta/API gateway) a thin transport layer.
Step 11: Connect real Twilio WhatsApp webhook¶
Run bridge locally:
Expose local port with ngrok in a second terminal:
Set your public URL for signature verification (replace with your ngrok URL):
Set Twilio auth token (from Twilio console):
In Twilio WhatsApp Sandbox configuration:
- Set "When a message comes in" webhook to:
https://YOUR-NGROK-ID.ngrok-free.app/twilio/whatsapp - Method:
HTTP POST
What this does:
- Twilio sends WhatsApp messages to your local bridge endpoint.
- Bridge verifies Twilio signature.
- Bridge routes text to your command handler (
check malware,check exfil, etc.). - Bridge returns TwiML reply that Twilio delivers back to WhatsApp.
Why:
- You can ask OpenClaw security questions directly in WhatsApp.
- Security checks remain local in your SecOps runtime.
Local testing without Twilio (development only):
export SECOPS_ALLOW_UNSIGNED=1
curl -X POST http://127.0.0.1:8091/twilio/whatsapp \
-H "Content-Type: application/x-www-form-urlencoded" \
--data "Body=check+malware"
Important:
- Keep
SECOPS_ALLOW_UNSIGNED=0in production.
Common daily operator flow (recommended)¶
# 1) Run pipeline (or let schedule run it)
scripts/openclaw_daily.sh --skip-export
# 2) List findings
python soc_store.py list
# 3) Triage top 1-3 HIGH findings
python soc_store.py show FINDING_ID
python soc_store.py set-disposition FINDING_ID true_positive
python soc_store.py set-status FINDING_ID triaged
python soc_store.py add-note FINDING_ID analyst "validated"
If something fails¶
- Missing venv: run
source .venv/bin/activate - No findings generated: run
python run_openclaw_live.py --verboseand inspect output - Scheduler not firing: unload/load plist again: