CoPilot is easiest to learn if you separate it into two jobs:
  1. Operate incidents (alerts → cases → evidence → response)
  2. Make incidents possible (connect sources/integrations so alerts flow)

The mental model (visual)

CoPilot becomes intuitive when you see it as two loops that share the same data:

Admin / Platform loop (you make detection possible)
  1. Connect & verify: integrations + syslog connectors are healthy.
  2. Ingest & route: streams/pipelines route logs where they should go.
  3. Provision & visualize: customers/tenants, dashboards, indices, retention.
  4. Enable alerting: event definitions + notifications are configured.
  5. Tune & maintain: reduce noise, validate coverage, keep things reliable.

Operator loop (you run incidents)
  1. Alert appears: a new alert lands in Incident Management.
  2. Triage: decide whether it is a true positive, what priority it gets, and what the scope is.
  3. Case work: create a case, collect artifacts/evidence.
  4. Respond: contain, eradicate, recover.
  5. Feedback: feed improvements back into tuning/detections.

How alerts become cases (the shared pipeline)

  1. Data arrives: endpoints (Wazuh), API integrations (O365/Mimecast/Huntress/CrowdStrike), and syslog devices (FortiGate/PAN-OS/ASA).
  2. Normalize & route: Graylog streams/pipelines normalize fields and route logs.
  3. Detect: Graylog Event Definitions evaluate conditions and generate events.
  4. Persist: alerts are written to gl-events*.
  5. Operate: CoPilot surfaces alerts → operators create/work cases → response.
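The "Persist" and "Tune & maintain" steps meet in one admin check: are the configured event definitions actually producing events in gl-events*? The following is an added example, not CoPilot's or Graylog's own code; it assumes the gl-events* documents carry Graylog's standard event fields (event_definition_id, timestamp, alert) and uses constructed sample records in place of a live OpenSearch query.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape of Graylog event documents from gl-events*.
# The field names (event_definition_id, timestamp, priority, alert) follow Graylog's
# event schema and are an assumption here; they are not taken from the CoPilot page.
SAMPLE_EVENTS = [
    {"event_definition_id": "wazuh-auth-failure", "timestamp": "2024-05-01T09:58:00.000Z",
     "priority": 2, "alert": True, "message": "Multiple failed logins"},
    {"event_definition_id": "wazuh-auth-failure", "timestamp": "2024-05-01T09:59:30.000Z",
     "priority": 2, "alert": True, "message": "Multiple failed logins"},
    {"event_definition_id": "fortigate-ips-critical", "timestamp": "2024-04-30T11:00:00.000Z",
     "priority": 3, "alert": True, "message": "IPS signature match"},
    {"event_definition_id": "o365-mailbox-rule", "timestamp": "2024-05-01T08:30:00.000Z",
     "priority": 1, "alert": False, "message": "Inbox rule created"},
]

def events_query(lookback_hours: int, size: int = 1000) -> dict:
    """Query body a health check would POST to /gl-events*/_search (OpenSearch DSL)."""
    return {
        "size": size,
        "sort": [{"timestamp": {"order": "desc"}}],
        "query": {"range": {"timestamp": {"gte": f"now-{lookback_hours}h"}}},
    }

def parse_ts(value: str) -> datetime:
    """Graylog writes UTC timestamps with a trailing Z; return a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def coverage_report(events, expected_definitions, now, stale_after=timedelta(hours=12)):
    """Per event definition: how often it fired, how many were alerts, when it was last
    seen, and whether it is stale (silent longer than stale_after, or never seen at all)."""
    empty = lambda: {"count": 0, "alerts": 0, "last_seen": None}
    report = {d: empty() for d in expected_definitions}
    for e in events:
        entry = report.setdefault(e["event_definition_id"], empty())
        ts = parse_ts(e["timestamp"])
        entry["count"] += 1
        entry["alerts"] += int(bool(e.get("alert")))
        if entry["last_seen"] is None or ts > entry["last_seen"]:
            entry["last_seen"] = ts
    for entry in report.values():
        entry["stale"] = entry["last_seen"] is None or now - entry["last_seen"] > stale_after
    return report

def stale_definitions(report) -> list:
    """Definitions an admin should revisit during 'Tune & maintain'."""
    return sorted(d for d, entry in report.items() if entry["stale"])
```

A definition that is configured but absent from the report's events is reported as stale with count 0, which is the usual symptom of a broken connector or a stream/pipeline routing mistake upstream of "Detect".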

“Where do I click?” (quick map)

SOC operator / analyst

You spend most of your time in Incident Management. You care about:
  • Is this alert real?
  • What’s the blast radius?
  • What evidence do I need?
  • What do I do next?
Start here:

Admin / engineer

Your focus is data onboarding and reliability. You care about:
  • Are sources connected and healthy?
  • Are parsing / streams / pipelines configured correctly?
  • Are indices and retention behaving?
  • Is each customer/tenant provisioned correctly?
Start here:

Developer / AI agent

You are extending or modifying CoPilot. You care about:
  • Architecture + data flows
  • Schema changes (Alembic as source of truth)
  • Adding a connector safely
Start here: