SOCFortress CoPilot Architecture
Overview
CoPilot is a “single pane of glass” security operations platform. It centralizes data from Wazuh, Graylog, Velociraptor, Grafana, InfluxDB, and other tools, provides alert/case management, and adds automation such as scheduled collectors, active response, and report generation. The backend is a FastAPI service with a MySQL database and MinIO object storage. The UI is a Vue 3 SPA, with an optional customer-facing portal. Key entry points:- Backend runtime:
backend/copilot.py - Frontend app:
frontend/src - Customer portal app:
customer_portal/src
Tech Stack
Backend
- FastAPI, Starlette, Uvicorn: API server and routing.
backend/copilot.py - SQLModel + SQLAlchemy: ORM and DB access.
backend/app/db - Alembic: DB migrations.
backend/alembic - APScheduler: background job scheduling.
backend/app/schedulers/scheduler.py - MySQL: primary database.
docker-compose.yml,backend/app/db/db_session.py - MinIO: object storage for case/report artifacts, sysmon configs, Velociraptor artifacts.
backend/app/data_store - Loguru: logging.
backendmodules - Requests/HTTPX: integrations with external systems.
backend/app/connectors/*/utils,backend/app/integrations/*
Frontend
- Vue 3 + TypeScript + Vite: SPA.
frontend/package.json,frontend/src - Pinia: state management.
frontend/src/stores - Naive UI + Tailwind CSS: UI components and styling.
frontend/package.json,frontend/tailwind.config.js - Axios: API client.
frontend/src/api - Cypress + Vitest: tests.
frontend/cypress,frontend/vitest.config.ts
Customer Portal (Optional)
- Vue 3 + Vite + Pinia + Naive UI.
customer_portal/package.json,customer_portal/src
Directory Layout & Responsibilities
Root
docker-compose.yml: default deployment stack (backend, frontend, MySQL, MinIO, MCP, Nuclei)..env.example: required runtime configuration for connectors and services.build-dockers.sh: build utility script.
Backend
backend/copilot.py: application entrypoint, API router mount, startup/shutdown hooks.backend/settings.py: local env loading (not the primary runtime env in Docker).backend/app/routers/*: API route modules for each feature/integration.backend/app/auth/*: authentication, user/role management.backend/app/db/*: sessions, migrations, bootstrapping, and data seeding.backend/app/schedulers/*: APScheduler instance, scheduled jobs, job metadata models.backend/app/connectors/*: connectors for platform services (Wazuh, Graylog, Grafana, etc.).backend/app/integrations/*: third‑party integrations and per‑customer integration config.backend/app/network_connectors/*: “network connectors” with customer‑scoped auth keys and configs.backend/app/customer_provisioning/*: provisioning workflows for external services (Graylog, Grafana, Portainer, Wazuh manager).backend/app/stack_provisioning/graylog/*: content packs, pipelines, streams, and input templates for Graylog.backend/app/agents/*: Wazuh and Velociraptor agent management, SCA, vulnerabilities.backend/app/incidents/*: incident management (cases, alerts, tags, reports).backend/app/active_response/*: automation scripts and invoke endpoints.backend/app/data_store/*: MinIO storage (cases, templates, artifacts).backend/app/threat_intel/*: EPSS, VirusTotal, SOCFortress threat intel.backend/app/integrations/copilot_mcp/*: local and cloud MCP queries.
Frontend
frontend/src/router/index.ts: primary navigation and feature routes.frontend/src/api/endpoints/*: typed API clients for each backend domain.frontend/src/components/*: feature UI modules (alerts, cases, agents, connectors, integrations, etc.).frontend/src/views/*: route views; corresponds closely to backend feature areas.frontend/.env.example: API base URL and UI behavior.
Customer Portal
customer_portal/src/router/index.ts: simple login + alerts/cases/agents views.customer_portal/src/views/*: customer‑limited UI.
Core Runtime Flows
Startup
backend/copilot.pyloads env vars and initializes FastAPI.- On startup event:
- Creates MySQL database and user if needed.
backend/app/db/db_setup.py - Applies Alembic migrations.
backend/app/db/db_setup.py - Creates MinIO buckets.
backend/app/data_store/data_store_setup.py - Seeds connectors, roles, available integrations, available network connectors.
backend/app/db/db_setup.py,backend/app/db/db_populate.py - Ensures admin and scheduler users.
backend/app/db/db_setup.py - Initializes APScheduler and schedules enabled jobs.
backend/app/schedulers/scheduler.py
- Creates MySQL database and user if needed.
- Static mount:
scoutsuite-reportdirectory for cloud security assessment outputs.backend/copilot.py
Auth & Authorization
- JWT auth with OAuth2 password flow.
backend/app/auth/utils.py - Roles/scopes:
admin,analyst,scheduler,customer_user. - Routes use
Security(AuthHandler().get_current_user, scopes=[...])orrequire_any_scope(...).
API Routing
FastAPIapp mounts a single APIRouter at/api.- Each domain lives in
backend/app/routers/*.pyand delegates to feature modules inbackend/app/<domain>/*. - Frontend API clients match route structure.
frontend/src/api/endpoints/*
Background Jobs
- APScheduler runs inside the FastAPI app.
- Job metadata is stored in MySQL and loaded on startup.
backend/app/schedulers/scheduler.py - Jobs invoke integration collectors and internal maintenance:
- Agent sync (Wazuh + Velociraptor)
- Wazuh index resize
- Alert creation collection
- Snapshot schedule execution
- Integration collectors (Duo, Darktrace, Cato, Huntress, Carbon Black, etc.)
- Job definitions live in
backend/app/schedulers/services/*.
Integrations & Connectors
- Connectors are core service connections (Wazuh, Graylog, Grafana, etc.) stored in
ConnectorsDB table. - Connectors are seeded from env vars on startup.
backend/app/db/db_populate.py - Each connector implements a verify function in
backend/app/connectors/<service>/utils/universal.pyand is mapped inbackend/app/connectors/services.py. - Integration settings are customer‑scoped and stored in
CustomerIntegrations/CustomerIntegrationsMetatables.
Data Storage
- MySQL for all operational data (users, integrations, connectors, alerts/cases, scheduler metadata).
- MinIO for case artifacts, report templates, sysmon configs, Velociraptor artifacts.
backend/app/data_store - Local filesystem:
scoutsuite-reportdirectory for report outputs.
Major User‑Facing Features (Admin UI)
- Overview dashboard and system health.
- Connectors management (test/verify/update).
- Wazuh management: rules, groups, Sysmon config, MITRE browsing.
- Graylog management, metrics, pipelines, streams, inputs.
- Alerts and SIEM views, MITRE/Atomic Red Team views.
- Incident management: sources, alerts, cases, tags, comments, reports, data store.
- Agents (Wazuh + Velociraptor), SCA, vulnerabilities, data store.
- Artifacts and file collection.
- Active response actions.
- External services: third‑party integrations and network connectors.
- Reporting (Grafana dashboards, case reports, vuln/SCA reports).
- Scheduler management.
- Cloud security assessment (ScoutSuite).
- Web vulnerability assessment (Nuclei).
- GitHub Audit.
- Customer portal branding/settings.
- License management.
Customer Portal Features
- Login and role‑restricted access for
customer_user. - Views for alerts, cases, case details, and agents.
- Separate SPA served by
copilot-customer-portalcontainer.
Integrations & Open Source Services
Wazuh
- Connector:
backend/app/connectors/wazuh_manager/*andbackend/app/connectors/wazuh_indexer/* - Auth: API token cached in memory with TTL; requests via
requests. - Wazuh manager routes:
backend/app/connectors/wazuh_manager/routes/*andbackend/app/routers/wazuh_manager.py. - Wazuh indexer routes:
backend/app/connectors/wazuh_indexer/routes/*.
Graylog
- Connector:
backend/app/connectors/graylog/* - Event shipper: GELF TCP to Graylog input.
backend/app/connectors/event_shipper/*,backend/app/integrations/utils/event_shipper.py - Graylog provisioning: content packs, pipelines, streams, inputs.
backend/app/stack_provisioning/graylog/* - Graylog API management used in routes and service modules.
Grafana
- Connector:
backend/app/connectors/grafana/* - Reporting endpoints for orgs/dashboards/panels and iframe generation.
backend/app/routers/grafana.py,frontend/src/components/reportCreation
Velociraptor
- Connector:
backend/app/connectors/velociraptor/* - Agent management + artifacts; artifacts also stored in MinIO.
backend/app/agents/velociraptor/*,backend/app/data_store
Shuffle
- Connector:
backend/app/connectors/shuffle/* - Endpoints for Shuffle metadata.
backend/app/routers/shuffle.py
InfluxDB
- Connector:
backend/app/connectors/influxdb/* - Healthcheck and monitoring endpoints.
backend/app/routers/influxdb.py,frontend/src/components/healthcheck
Portainer
- Connector:
backend/app/connectors/portainer/* - Customer provisioning workflows can call Portainer.
backend/app/customer_provisioning/services/portainer.py
Nuclei
- Integration:
backend/app/integrations/nuclei/*andbackend/app/routers/nuclei.py - Container present in
docker-compose.ymlascopilot-nuclei-module.
ScoutSuite
- Integration:
backend/app/integrations/scoutsuite/*andbackend/app/routers/scoutsuite.py - Outputs served from
scoutsuite-reportstatic mount.
Threat Intel
- VirusTotal, EPSS, SOCFortress.
backend/app/threat_intel/*
MCP (CoPilot AI)
- Local MCP service container configured in Docker.
- Backend routes call
backend/app/integrations/copilot_mcp/services/copilot_mcp.pyto query local OpenSearch/MySQL/Wazuh/Velociraptor or cloud threat intel endpoints.
Configuration Management & Secrets
.envprovides connector URLs, API keys, DB creds, MinIO creds, MCP settings..env.exampledocuments expected values.- Frontend uses
VITE_API_URLto target the backend. - TLS handled by
copilot-frontendcontainer; TLS cert/key paths are configurable indocker-compose.ymland documented in README.
Deployment (Docker Compose)
copilot-backend: FastAPI service on port 5000.copilot-frontend: Vue app with TLS, ports 80/443.copilot-mysql: MySQL 8.copilot-minio: object storage.copilot-nuclei-module: web vulnerability scanner module.copilot-mcp: MCP service for AI queries.- Optional
copilot-customer-portalfor customer‑facing UI.
Extension Points
Add a New Connector
- Add connector metadata in
backend/app/db/db_populate.py. - Add verification logic in
backend/app/connectors/<new_service>/utils/universal.py. - Map the connector name in
backend/app/connectors/services.py. - Provide routes in
backend/app/connectors/<new_service>/routesandbackend/app/routers/<new_service>.pyas needed. - Add frontend UI and API client in
frontend/src/componentsandfrontend/src/api/endpoints.
Add a New Integration (Per‑Customer)
- Add integration metadata in
backend/app/db/db_populate.py. - Add models/schema in
backend/app/integrations/modelsandbackend/app/integrations/schema. - Add integration service/routes in
backend/app/integrations/<integration_name>. - Expose route in
backend/app/routers/<integration_name>.py. - Add scheduled collection jobs if needed:
backend/app/schedulers/services/*andbackend/app/schedulers/scheduler.py.
Add a New Scheduler Job
- Implement job function in
backend/app/schedulers/services. - Add to
known_jobsinbackend/app/schedulers/scheduler.py. - Add function mapping in
get_function_by_name. - Expose job control in
backend/app/schedulers/routes/scheduler.py.
Add a New Customer Portal Feature
- Add backend route with
customer_userrole scope. - Add UI in
customer_portal/src/viewsand wire incustomer_portal/src/router/index.ts.
