# SOCFortress CoPilot

> SOCFortress CoPilot documentation — operator workflows, admin/engineer configuration, and developer/AI-agent guides.

## Docs

- [Admin / Platform Guide](https://docs.socfortress.co/admin.md): Provisioning, integrations/connectors, and platform reliability for CoPilot.
- [ARCHITECTURE](https://docs.socfortress.co/architecture/ARCHITECTURE.md)
- [DATABASE SCHEMA](https://docs.socfortress.co/architecture/DATABASE_SCHEMA.md)
- [DATA FLOWS](https://docs.socfortress.co/architecture/DATA_FLOWS.md)
- [DEPLOYMENT](https://docs.socfortress.co/architecture/DEPLOYMENT.md)
- [MAP](https://docs.socfortress.co/architecture/MAP.md)
- [Customer Portal](https://docs.socfortress.co/customer-portal/index.md): Optional customer-facing UI for MSSPs to share alerts/cases, collaborate with customers, and provide real-time visibility.
- [Start here](https://docs.socfortress.co/developer/start-here.md)
- [First wins (30 minutes)](https://docs.socfortress.co/getting-started/first-wins.md): Four fast milestones to prove CoPilot is working end-to-end.
- [Install / Upgrade](https://docs.socfortress.co/getting-started/install-upgrade.md): Install SOCFortress CoPilot with Docker Compose, retrieve the initial admin password, and safely upgrade.
- [Roles & mental model](https://docs.socfortress.co/getting-started/roles-and-mental-model.md): How to think about CoPilot as a SOC operator vs. admin/engineer vs. developer.
- [Start here](https://docs.socfortress.co/getting-started/start-here.md): A guided checklist to get logs flowing, dashboards populated, and alerts/cases working in SOCFortress CoPilot.
- [Supported tool versions](https://docs.socfortress.co/getting-started/supported-tool-versions.md)
- [What is CoPilot?](https://docs.socfortress.co/getting-started/what-is-copilot.md): CoPilot is a single pane of glass for operating and integrating an open-source SOC/SIEM stack.
- [Integrations](https://docs.socfortress.co/integrations.md): Source-by-source setup guides and expectations for what data, dashboards, and alerts you get in CoPilot.
- [ADDING A CONNECTOR](https://docs.socfortress.co/integrations/ADDING_A_CONNECTOR.md)
- [Bitdefender (GravityZone)](https://docs.socfortress.co/integrations/bitdefender.md): Ingest Bitdefender GravityZone events into the SOCFortress SIEM stack via the Event Push Service connector.
- [Carbon Black Cloud](https://docs.socfortress.co/integrations/carbon-black.md): Ingest Carbon Black Cloud alerts into the SOCFortress SIEM stack.
- [Cato Networks](https://docs.socfortress.co/integrations/cato-networks.md): Ingest Cato Networks SASE events into the SOCFortress SIEM stack.
- [CrowdStrike](https://docs.socfortress.co/integrations/crowdstrike.md): Ingest CrowdStrike Falcon events using the Falcon SIEM Connector and route them into your SOCFortress SIEM stack.
- [Darktrace](https://docs.socfortress.co/integrations/darktrace.md): Ingest Darktrace alert logs (AI Analyst / Model Breach / System Status) into the SOCFortress SIEM stack.
- [Microsoft Defender for Endpoint](https://docs.socfortress.co/integrations/defender-for-endpoint.md): Ingest Microsoft Defender for Endpoint alerts into the SOCFortress SIEM stack.
- [Duo](https://docs.socfortress.co/integrations/duo.md): Ingest Duo authentication logs into the SOCFortress SIEM stack using the Duo Admin API.
- [Huntress](https://docs.socfortress.co/integrations/huntress.md): Ingest Huntress telemetry and operationalize it inside CoPilot.
- [Mimecast](https://docs.socfortress.co/integrations/mimecast.md): Ingest Mimecast security events and turn them into dashboards and alerts in CoPilot.
- [Network connectors (syslog)](https://docs.socfortress.co/integrations/network-connectors.md): Vendor-by-vendor syslog ingestion patterns and validation steps.
- [Cisco ASA (syslog)](https://docs.socfortress.co/integrations/network-connectors/cisco-asa.md)
- [Fortinet FortiGate (syslog)](https://docs.socfortress.co/integrations/network-connectors/fortigate.md)
- [OPNsense (syslog)](https://docs.socfortress.co/integrations/network-connectors/opnsense.md): Configure OPNsense to forward logs to your SIEM via remote syslog.
- [Palo Alto Networks (syslog)](https://docs.socfortress.co/integrations/network-connectors/palo-alto.md)
- [SentinelOne (syslog over TLS)](https://docs.socfortress.co/integrations/network-connectors/sentinelone.md): Forward SentinelOne alerts/events to the SIEM using TLS (mutual auth).
- [SonicWall (syslog)](https://docs.socfortress.co/integrations/network-connectors/sonicwall.md): Forward SonicWall firewall logs to the SIEM via direct syslog or syslog-ng with TLS.
- [Office 365](https://docs.socfortress.co/integrations/office-365.md): Ingest Microsoft 365 audit and sign-in telemetry, then visualize and alert on it in CoPilot.
- [SAP SIEM (Customer Data Cloud)](https://docs.socfortress.co/integrations/sap-siem.md): Collect SAP Customer Data Cloud audit events and forward them into the SOCFortress SIEM stack.
- [Wazuh (endpoints)](https://docs.socfortress.co/integrations/wazuh.md): Endpoint log ingestion and security telemetry via Wazuh.
- [Operator Guide](https://docs.socfortress.co/operator.md): Playbooks and workflows for SOC operators and analysts using CoPilot.
- [Power features](https://docs.socfortress.co/power-features.md): Add-on capabilities that extend CoPilot beyond the core ingest→detect→respond loop.
- [AI Analyst (Talon)](https://docs.socfortress.co/power-features/ai-analyst.md): Automated Tier 1 SOC analyst that investigates every alert end-to-end — from raw SIEM events to structured investigation reports with severity assessments and recommended actions.
- [AI Analyst — Notification routing](https://docs.socfortress.co/power-features/ai-analyst-notifications.md): Send Talon's investigation reports to the customer's Slack, Outlook, Teams, or any of Shuffle's 3,000+ apps based on per-customer routing rules.
- [AI Analyst — Analyst review workflow](https://docs.socfortress.co/power-features/ai-analyst-review.md): Review and grade every AI investigation, correct IOC verdicts, teach the agent with durable or one-off lessons, replay with a different template, and track feedback trends over time.
- [Atomic Red Team (detection simulation)](https://docs.socfortress.co/power-features/atomic-red-team.md): Run Atomic Red Team simulations to verify telemetry flow and validate that Wazuh detection rules fire as expected.
- [Cloud security assessment (Scout Suite)](https://docs.socfortress.co/power-features/cloud-security-assessment.md): Run Scout Suite scans inside CoPilot to generate cloud posture reports (AWS supported; Azure/GCP may be limited depending on release).
- [CoPilot Searches (threat hunting)](https://docs.socfortress.co/power-features/copilot-searches.md): Pre-built detection queries for proactive threat hunting across your Wazuh Indexer data — filterable by platform, severity, MITRE ATT&CK technique, and CVE.
- [GitHub audit](https://docs.socfortress.co/power-features/github-audit.md): Collect and review GitHub audit-related data inside CoPilot.
- [MITRE ATT&CK integration](https://docs.socfortress.co/power-features/mitre-attack.md): Technique-centric investigation and coverage lens powered by MITRE technique enrichment in Wazuh rules.
- [Microsoft Patch Tuesday](https://docs.socfortress.co/power-features/patch-tuesday.md): Track and prioritize Microsoft monthly vulnerabilities inside CoPilot.
- [Report creation](https://docs.socfortress.co/power-features/report-creation.md): Generate and export reports (often Grafana dashboards) for customers.
- [SCA Policies (CIS benchmarks)](https://docs.socfortress.co/power-features/sca-policies.md): Browse, preview, and deploy CIS benchmark policies for Wazuh Security Configuration Assessment — with automatic agent detection to see which endpoints need each policy.
- [Web vulnerability assessment (Nuclei)](https://docs.socfortress.co/power-features/web-vulnerability-assessment.md): Run Nuclei-based web vulnerability scans inside CoPilot and review findings with request/response detail.
- [Reference](https://docs.socfortress.co/reference.md): Deep links, mental models, and troubleshooting for CoPilot.
- [Troubleshooting index](https://docs.socfortress.co/reference/troubleshooting.md): Symptom → likely causes → what to check (CoPilot + SIEM stack).
- [Admins quickstart](https://docs.socfortress.co/user/admins-quickstart.md)
- [SOCFortress Capsules](https://docs.socfortress.co/user/capsules/index.md): Operator playbooks that walk you from alert → investigation → response using CoPilot.
- [Customer provisioning](https://docs.socfortress.co/user/customer-provisioning.md)
- [Features](https://docs.socfortress.co/user/features.md)
- [Navigation](https://docs.socfortress.co/user/navigation.md)
- [Operators quickstart](https://docs.socfortress.co/user/operators-quickstart.md)
- [Overview](https://docs.socfortress.co/user/overview.md)
- [Agents](https://docs.socfortress.co/user/ui/agents.md): Operator-facing views and controls for endpoints, groups, actions, and security posture.
- [CoPilot actions](https://docs.socfortress.co/user/ui/agents-copilot-actions.md): Run repeatable response actions across endpoints using CoPilot + Velociraptor, and visualize results in Grafana.
- [Detection rules (Wazuh)](https://docs.socfortress.co/user/ui/agents-detection-rules.md): View and manage Wazuh detection rules in CoPilot to tune signal vs noise.
- [Agent groups (Wazuh)](https://docs.socfortress.co/user/ui/agents-groups.md): Multi-tenant Wazuh agent groups used to apply endpoint configuration, control telemetry, and reduce SIEM noise.
- [Patch Tuesday (Microsoft)](https://docs.socfortress.co/user/ui/agents-patch-tuesday.md): Patch-cycle view that prioritizes Microsoft CVEs by urgency (P0–P3), KEV, CVSS, and EPSS.
- [SCA overview](https://docs.socfortress.co/user/ui/agents-sca-overview.md): Review Wazuh Security Configuration Assessment (SCA) posture across endpoints.
- [Sysmon config (Windows)](https://docs.socfortress.co/user/ui/agents-sysmon-config.md): Centralized Sysmon configuration management for Windows telemetry collected by Wazuh.
- [Vulnerability overview](https://docs.socfortress.co/user/ui/agents-vulnerability-overview.md): Review vulnerability posture across agents with EPSS scoring and package detail.
- [Alerting → Shuffle (notifications & automation)](https://docs.socfortress.co/user/ui/alerting-shuffle.md): How CoPilot triggers Shuffle workflows for alert/case notifications and automation.
- [Graylog Threshold Alerts](https://docs.socfortress.co/user/ui/alerts-graylog-threshold.md): How to configure Graylog threshold-based event definitions and send them to CoPilot via webhook.
- [Alerts siem](https://docs.socfortress.co/user/ui/alerts-siem.md)
- [Artifacts (Velociraptor)](https://docs.socfortress.co/user/ui/artifacts.md): Run Velociraptor artifacts from CoPilot to collect DFIR evidence from endpoints and review results.
- [External network connectors](https://docs.socfortress.co/user/ui/external-network-connectors.md)
- [External third party integrations](https://docs.socfortress.co/user/ui/external-third-party-integrations.md)
- [Graylog management (alerting)](https://docs.socfortress.co/user/ui/graylog-management.md): Define Graylog event alerts (detections) so CoPilot can ingest them into Incident Management.
- [Healthcheck (InfluxDB + Telegraf)](https://docs.socfortress.co/user/ui/healthcheck.md): Monitor endpoint and SIEM health signals via Telegraf metrics stored in InfluxDB.
- [Incident alerts](https://docs.socfortress.co/user/ui/incident-alerts.md): How to triage, filter, tag, and collaborate on alerts in SOCFortress CoPilot.
- [Incident cases](https://docs.socfortress.co/user/ui/incident-cases.md): How to build and run an investigation case by linking multiple alerts, tracking work, and generating reports.
- [Incident sources (Graylog → Alerts)](https://docs.socfortress.co/user/ui/incident-sources.md): Configure how CoPilot reads Graylog event alerts and turns them into Incident Management alerts.
- [Index management (Wazuh Indexer)](https://docs.socfortress.co/user/ui/indices-management.md): Monitor index health, disk usage by customer, and manage retention in the Wazuh Indexer.
- [Snapshot & restore (cold storage)](https://docs.socfortress.co/user/ui/indices-snapshots.md): Offload old indexes into snapshot repositories and restore them later when needed.
- [Report creation (operator)](https://docs.socfortress.co/user/ui/report-creation.md): Generate General (Grafana-to-PDF), Vulnerability, and SCA reports in CoPilot.
- [General reports (Grafana → PDF)](https://docs.socfortress.co/user/ui/report-general.md): Create PDF reports by snapshotting Grafana panels and combining them into a single document.
- [SCA reports (Wazuh)](https://docs.socfortress.co/user/ui/report-sca.md): Generate CSV reports for Security Configuration Assessment (SCA) results from Wazuh policy scans.
- [Vulnerability reports (Wazuh)](https://docs.socfortress.co/user/ui/report-vulnerability.md): Generate CSV reports from the Wazuh Vulnerability Detection module data in the Wazuh Indexer.
- [Event Search](https://docs.socfortress.co/user/ui/siem-event-search.md): Search and explore raw SIEM events across customers and event sources using Lucene queries.
- [Event Sources](https://docs.socfortress.co/user/ui/siem-event-sources.md): Configure the SIEM event sources that define where Event Search queries data from for each customer.
- [Single Sign-On (SSO)](https://docs.socfortress.co/user/ui/sso.md): Configure SSO with Azure Entra ID, Google, or Cloudflare Access so users can log in via their identity provider.
- [Tag-Based Access Control (Tag RBAC)](https://docs.socfortress.co/user/ui/tag-access.md): Restrict which alerts users and roles can see based on assigned tags.
- [Two-Factor Authentication (2FA)](https://docs.socfortress.co/user/ui/two-factor-authentication.md): Enable TOTP-based two-factor authentication on your CoPilot account using an authenticator app.
- [Videos](https://docs.socfortress.co/user/videos.md)
- [Videos](https://docs.socfortress.co/videos.md): The CoPilot YouTube playlist, summarized and organized by role.

## OpenAPI Specs

- [openapi](https://docs.socfortress.co/api-reference/openapi.json)