AI Investigation Layer

Give your AI agents structured access to your SIEM.

Vigil Connect sits on top of Wazuh, Elastic, or Splunk. Your AI agents get clean JSON alerts and a structured API. No new agents on endpoints.

vigil connector add wazuh --name prod --indexer-url https://wazuh:9200 --indexer-user admin --indexer-pass <pass>

How it works

Three steps to AI-powered investigation.

1. Connect. Point Vigil at your existing Wazuh or Elastic deployment.

   vigil connector add wazuh

2. Investigate. AI agents read structured JSON alerts directly.

   vigil feed alerts --severity high --output json

3. Act. Acknowledge false positives, escalate real threats, get full log context.

   vigil feed context <alert-id> --window 10m --output json

Supported SIEMs

Works with your existing stack.

- Wazuh (available now): full support. Alerts via OpenSearch, context via archives.
- Elastic (available now): full support. Security alerts via the .alerts-security index, ancestor-based context.
- Splunk (coming soon): integration in progress.
- Microsoft Sentinel (coming soon): integration in progress.

Design decision

AI reads raw JSON better than normalized schemas.

Every SIEM uses different field names. Building a normalization layer takes months and breaks with every SIEM version upgrade. A normalized schema is a bet that you can predict every field an AI agent will ever need — and that bet always loses.

Instead, Vigil passes raw alert JSON to the AI. Claude reads Wazuh's rule.description and Elastic's kibana.alert.rule.name equally well. The model understands structure without being told what the structure means.

The only fields Vigil extracts: id, severity, source_siem, and raw — the entire original alert, untouched.
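What that envelope looks like in practice, as an added illustration written for this page (it is not Vigil's code and does not reflect its implementation): two constructed alerts, one in Wazuh indexer format and one in Elastic Security format, are wrapped into the four-field envelope. The only SIEM-specific lookups are the id and severity; the severity bucketing for Wazuh's numeric rule.level is an assumption, as are the sample field values. The raw alert is attached by reference and never modified, so a consumer still reads rule.description or kibana.alert.rule.name exactly as the SIEM emitted them.

```python
import copy
import json

# Constructed sample alerts for this illustration (values are invented).
# Field names follow the Wazuh indexer document and the Elastic Security
# alert document respectively; nothing else about them is touched.
WAZUH_ALERT = {
    "_id": "wazuh-0001",
    "timestamp": "2024-05-01T10:00:00.000+0000",
    "agent": {"id": "001", "name": "web-01"},
    "rule": {
        "id": "5710",
        "level": 12,
        "description": "sshd: Attempt to login using a non-existent user",
    },
    "data": {"srcip": "203.0.113.5"},
}

ELASTIC_ALERT = {
    "kibana.alert.uuid": "elastic-0001",
    "@timestamp": "2024-05-01T10:00:05.000Z",
    "kibana.alert.severity": "high",
    "kibana.alert.rule.name": "Potential SSH Brute Force",
    "host": {"name": "web-01"},
    "source": {"ip": "203.0.113.5"},
}


def wazuh_severity(alert):
    # Assumed bucketing of Wazuh's numeric rule.level (0-15) into the four
    # labels used by the envelope; adjust to local policy.
    level = int(alert.get("rule", {}).get("level", 0))
    if level >= 15:
        return "critical"
    if level >= 12:
        return "high"
    if level >= 7:
        return "medium"
    return "low"


# Per-SIEM accessors: the only place a SIEM-specific field name appears.
# Each entry is (id getter, severity getter). Supporting another SIEM means
# adding two lookups here, not maintaining a normalized schema.
ACCESSORS = {
    "wazuh": (
        lambda a: a["_id"],
        wazuh_severity,
    ),
    "elastic": (
        lambda a: a["kibana.alert.uuid"],
        lambda a: a.get("kibana.alert.severity", "low").lower(),
    ),
}


def wrap_alert(raw, source_siem):
    """Return the minimal envelope {id, severity, source_siem, raw}.

    `raw` is attached by reference and never modified, so consumers can
    read any SIEM-native field (rule.description, kibana.alert.rule.name,
    ...) exactly as the SIEM emitted it.
    """
    try:
        get_id, get_severity = ACCESSORS[source_siem]
    except KeyError:
        raise ValueError(f"unsupported source_siem: {source_siem!r}") from None
    return {
        "id": str(get_id(raw)),
        "severity": get_severity(raw),
        "source_siem": source_siem,
        "raw": raw,
    }


def wrap_all(alerts):
    """Wrap a list of (source_siem, raw_alert) pairs into envelopes."""
    return [wrap_alert(raw, siem) for siem, raw in alerts]


def to_json_lines(envelopes):
    """Serialize envelopes one per line, the shape an agent would consume."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in envelopes)


if __name__ == "__main__":
    before = copy.deepcopy([WAZUH_ALERT, ELASTIC_ALERT])
    envelopes = wrap_all([("wazuh", WAZUH_ALERT), ("elastic", ELASTIC_ALERT)])
    # The raw alerts survive wrapping unchanged.
    assert [e["raw"] for e in envelopes] == before
    print(to_json_lines(envelopes))
```

The design choice worth noticing is that the envelope carries only what a queue or a triage loop needs to sort and route (id, severity, source), and everything the model actually reasons about stays in `raw`. A SIEM upgrade that renames a field breaks at most one of the two accessor lambdas, not a schema that every consumer depends on.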

Investigation flow

The full workflow in three commands.

# Step 1: Get recent high-severity alerts
vigil feed alerts --severity high --since 1h --output json

# Step 2: Investigate a specific alert (get surrounding raw logs)
vigil feed context <alert-id> --window 10m --output json

# Step 3: Acknowledge or escalate
vigil alerts acknowledge <id> --note "False positive — dev build server"

Claude Code integration

Deploy with Claude Code in one command:

npx @vigil/skill

After running it, Claude Code knows how to deploy agents, add connectors, and investigate alerts. No MCP server. No running process. Just instructions.