End User Guide CoPilot

End User Guide - CoPilot (https://github.com/socfortress/CoPilot)

 

1. Introduction

1.1. About CoPilot

CoPilot is an innovative application developed by SOCFortress, designed to simplify the management of open-source security tools. As organizations increasingly rely on multiple security tools for their Security Information and Event Management (SIEM), managing these tools can become unwieldy. CoPilot addresses this challenge by acting as the central “brains” of your security stack, unifying the diverse tools you use and streamlining their management.

 

2. Scope of the Document

Overview

As the number of open-source security tools grows, so does the complexity involved in managing them. Whether you're a beginner just getting started or an expert, efficiently integrating and managing these tools can be overwhelming. Tools like Wazuh, Graylog, Grafana, Shuffle, and more are powerful, but there has been no cohesive solution that brings them all together—until now.

CoPilot fills this gap by acting as a unifying layer that interfaces between you and these tools. Rather than replacing them, it enhances their usability by leveraging their robust APIs to offer a single management platform. For instance, you can deploy Office 365 integrations using Wazuh or manage a comprehensive open-source stack provided by SOCFortress—all through one interface.

By integrating CoPilot into your security workflow, you unlock greater customization and freedom to implement features and integrations previously limited by the tools themselves. CoPilot is an open-source solution that evolves based on user feedback and meets the community's needs.

 

3. CoPilot Connectors

3.1. Connectors Overview

CoPilot Connectors are integrations within the CoPilot application that allow it to interface with various external tools and services, particularly in the open-source security realm. These connectors serve as a link between CoPilot and each individual security tool in your stack. By leveraging connectors, CoPilot can automate, manage, and unify these tools into a single interface.

Key Functions of CoPilot Connectors:

  1. Integration with Security Tools: Connectors enable CoPilot to integrate with tools such as Wazuh, Graylog, Grafana, Shuffle, and others for streamlined management.
  2. Data Aggregation and Management: CoPilot Connectors pull data from each integrated tool, allowing you to view and manage all security information in one place.
  3. Automation of Routine Tasks: With connectors, CoPilot automates a wide range of tasks, including deploying security integrations, managing alerts, and retrieving logs from connected services.
  4. Expanding Capabilities: As new connectors are added, CoPilot's ability to integrate with a broader range of tools expands, making it a scalable solution that adapts to the evolving needs of users.

3.2. Connectors Configurations

 

4. Customer Provisioning

This section provides a step-by-step guide on using CoPilot to provision a new customer. The provisioning process includes configuring the Wazuh group, setting up Graylog indices, and deploying Grafana dashboards tailored for each customer.

Prerequisites

Before you begin, ensure CoPilot is properly connected and verified with:

  • Wazuh Manager
  • Wazuh Worker
  • Graylog
  • Grafana

All connections between CoPilot and these applications should be established and verified. If they are not, configure and verify the corresponding connectors first (see section 3, CoPilot Connectors).

See the Provisioning Walkthrough Video:

Step 1: Creating a Customer

  1. Set the Default Grafana URL:

    Enter the domain name or IP address used to access your Grafana instance (e.g., https://yourdomain.com).

  2. Create a New Customer:
    • Customer Code: A unique identifier that CoPilot and the integrated tools use to manage data for this customer; it is reused in the names of the per-customer objects (for example the Graylog index "wazuh-acme"). The code must be all lowercase with no spaces or special characters, e.g., "acme" for "Acme Corp."
    • Customer Details: Provide the customer's first name and last name (required). Additional metadata fields are optional.

Step 2: Provisioning the Customer

  1. Provision the Customer in CoPilot:

    Use CoPilot's provisioning wizard to configure essential settings:

    • Grafana Organization Name: Match this with the customer name.
    • Graylog Settings: Configure the index name (e.g., “wazuh-acme”), the number of replicas, shards, and data retention (e.g., 30 days).
    • Grafana Dashboards: Choose which pre-built dashboards to provision for this customer.
    • Wazuh Worker: Set the unique password and the ports that this customer's endpoints will use to register with, and report to, the SIEM stack.
  2. Submit the Provisioning Request:

    CoPilot then creates the Graylog index set and stream, the Grafana organization with its data source and dashboards, and the Wazuh group for this customer in the background.

  3. 🚩 Enable the Provisioning of Wazuh Worker and HAProxy

    If your environment has a DMZ layer, make sure HAProxy provisioning is also enabled during customer provisioning.

Step 3: Verify Configuration in Grafana

  1. Check Grafana Organization and Dashboards:

    Refresh Grafana to see the newly created organization. Ensure the data source is correctly pointing to the relevant index for this customer.

  2. Customize Dashboards:

    Navigate to the dashboards under the customer's organization. You can use them as-is or customize as needed.

Conclusion: CoPilot's provisioning feature automates the process of setting up new customers in your SIEM stack, including Wazuh, Graylog, and Grafana configurations.
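
The Python script below is an added illustration of the inputs this procedure collects; it is not taken from CoPilot's code base. It validates the customer code against the rule in Step 1, derives the Graylog index prefix ("wazuh-<code>"), the Grafana organization name and a Wazuh group name from it, and builds the index set request that Graylog's REST API expects (POST /api/system/indices/index_sets, which also requires an X-Requested-By header). Daily index rotation, naming the Wazuh group after the customer code, and the example Graylog URL and credentials are assumptions of this example; the guide itself only specifies the index name pattern, the retention period in days, and the shard and replica counts.

```python
"""Provisioning plan for one customer (added example, not CoPilot's own code).

Validates the customer code, derives the Graylog/Grafana/Wazuh names from it and
builds the Graylog index set request. Daily rotation (P1D) and the Wazuh group
name are assumptions; the guide only specifies the "wazuh-<code>" index name,
the retention period in days, and the shard/replica counts.
"""
import base64
import json
import re
import urllib.request
from dataclasses import dataclass

# Guide, step 1: the customer code must be lowercase with no special characters.
CUSTOMER_CODE_RE = re.compile(r"^[a-z0-9]+$")

GRAYLOG_ROTATION = "org.graylog2.indexer.rotation.strategies.TimeBasedRotationStrategy"
GRAYLOG_RETENTION = "org.graylog2.indexer.retention.strategies.DeletionRetentionStrategy"


@dataclass
class ProvisioningPlan:
    customer_code: str
    grafana_org: str
    wazuh_group: str
    graylog_index_prefix: str
    shards: int
    replicas: int
    retention_days: int


def validate_customer_code(code: str) -> str:
    """Reject codes that the integrated tools cannot use in index and group names."""
    if not CUSTOMER_CODE_RE.fullmatch(code):
        raise ValueError(
            f"customer code {code!r} must be lowercase letters/digits only, "
            "no spaces or special characters"
        )
    return code


def build_plan(code: str, customer_name: str, shards: int = 1, replicas: int = 0,
               retention_days: int = 30) -> ProvisioningPlan:
    code = validate_customer_code(code)
    return ProvisioningPlan(
        customer_code=code,
        grafana_org=customer_name,              # guide: organization name matches the customer name
        wazuh_group=code,                       # assumption: Wazuh group is named after the code
        graylog_index_prefix=f"wazuh-{code}",   # guide example: "wazuh-acme"
        shards=shards,
        replicas=replicas,
        retention_days=retention_days,
    )


def graylog_index_set_payload(plan: ProvisioningPlan) -> dict:
    """JSON body for POST /api/system/indices/index_sets.

    Graylog expresses retention as a number of indices, so with one index per
    day (assumed P1D rotation) keeping N days means keeping N indices.
    """
    return {
        "title": f"Wazuh - {plan.customer_code}",
        "description": f"Wazuh events for customer {plan.customer_code}",
        "index_prefix": plan.graylog_index_prefix,
        "shards": plan.shards,
        "replicas": plan.replicas,
        "rotation_strategy_class": GRAYLOG_ROTATION,
        "rotation_strategy": {"type": GRAYLOG_ROTATION + "Config", "rotation_period": "P1D"},
        "retention_strategy_class": GRAYLOG_RETENTION,
        "retention_strategy": {"type": GRAYLOG_RETENTION + "Config",
                               "max_number_of_indices": plan.retention_days},
        "index_analyzer": "standard",
        "index_optimization_max_num_segments": 1,
        "index_optimization_disabled": False,
        "writable": True,
        "field_type_refresh_interval": 5000,
    }


def create_index_set(plan: ProvisioningPlan, graylog_url: str, username: str,
                     password: str, dry_run: bool = True):
    """POST the index set to Graylog; with dry_run the prepared request is returned unsent."""
    body = json.dumps(graylog_index_set_payload(plan)).encode()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{graylog_url.rstrip('/')}/api/system/indices/index_sets",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"Basic {token}",
            "X-Requested-By": "copilot-provisioning-example",  # Graylog requires this on API writes
        },
    )
    if dry_run:
        return req.full_url, json.loads(body)
    with urllib.request.urlopen(req) as resp:  # network call, only when dry_run=False
        return resp.status, json.loads(resp.read())


if __name__ == "__main__":
    plan = build_plan("acme", "Acme Corp", retention_days=30)
    url, payload = create_index_set(plan, "https://graylog.example.com", "admin", "secret")
    print(url)
    print(json.dumps(payload, indent=2))
```

Run it as-is to see the request without sending anything; pass dry_run=False with real credentials to create the index set. Graylog validates the prefix against existing index sets and rejects conflicts, so a failed code such as "Acme Corp!" is better caught here, before anything is created in Graylog, Grafana or Wazuh.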

3rd Party Integrations

Besides core open-source security tools, CoPilot can also bring in security events from external services like Office 365, Mimecast, and CrowdStrike. This allows you to centralize these events in your SIEM for a unified security view.

Overview of Supported Third-Party Integrations

CoPilot supports numerous third-party integrations to ingest security events, alerts, and logs from services such as:

  • Office 365: Ingest logs and alerts from services like Exchange Online, SharePoint, and OneDrive.
  • Mimecast: Capture email security events (phishing, malware, spam filtering, etc.).
  • CrowdStrike: Pull endpoint detection and response (EDR) data to track threats and vulnerabilities.

Configuring Customer-Specific Third-Party Integrations

Prerequisites for Integration: Make sure you have configured a customer code, provisioning settings, and necessary API access or permissions within the third-party service (e.g., Office 365 or Mimecast).

See these videos for examples:

Firewall Integrations

Firewalls are crucial for monitoring network security. CoPilot supports integrating with various firewall solutions (e.g., Fortinet) to ingest logs and alerts into your SIEM.

Overview of Supported Firewall Integrations

Examples include FortiGate, which helps monitor network traffic, IDS/IPS alerts, and threat intelligence data.

Configuring Customer-Specific Firewall Integrations

Similar to other third-party integrations, ensure your customer code and prerequisites are properly set up.

See the following video:

 

5. Agents

In CoPilot, agents are crucial for monitoring and managing customer endpoints (e.g., Windows servers, workstations, Linux servers, Mac machines). These endpoints run the Wazuh and Velociraptor agents; CoPilot manages them through the Wazuh Manager and Velociraptor server rather than by talking to the endpoints directly.

Agent Details and Management

  • Agent Metadata: Each agent has metadata including Wazuh and Velociraptor IDs, version numbers, and the associated customer code.
  • Vulnerability Assessment: View and assess vulnerabilities on each endpoint, categorized by severity.
  • Security Configuration: Access Wazuh's security configuration assessments and recommended improvements.
  • Agent Upgrades: Remotely upgrade agents to ensure you have the latest versions.
  • Synchronization: CoPilot synchronizes its agent inventory with the Wazuh Manager and Velociraptor server every 15 minutes; a manual sync is also available.

Agent Vulnerabilities

The Agent Vulnerabilities section provides a detailed overview of vulnerabilities on each endpoint, integrating the Exploit Prediction Scoring System (EPSS) to help prioritize remediation.

  • EPSS Score: A probability between 0 and 1 that exploitation activity for the vulnerability will be observed in the wild within the next 30 days, as published daily by FIRST.
  • Prioritization: Focus first on the vulnerabilities most likely to be exploited, even when their CVSS scores are not the highest; EPSS complements the CVSS severity rather than replacing it.
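
The following Python script is an added example of this prioritization, not code from CoPilot. It takes findings in the shape of Wazuh vulnerability-detector alerts (data.vulnerability.cve, severity and cvss.cvss3.base_score), looks up EPSS for them, and orders them by EPSS before CVSS. The findings and the EPSS response are constructed samples: the response follows the JSON shape of FIRST's public API (https://api.first.org/data/v1/epss), but the scores in it are illustrative, not live values. It also handles the case the text does not mention: a CVE that has no EPSS score yet is marked for review instead of being silently ranked as low risk.

```python
"""Rank Wazuh vulnerability findings by EPSS (added example, not CoPilot's own code).

The findings are constructed to carry the Wazuh vulnerability-detector fields we
need (data.vulnerability.cve / severity / cvss.cvss3.base_score); the EPSS
response is a constructed sample in the JSON shape of FIRST's public API
(https://api.first.org/data/v1/epss). The scores are illustrative, not live values.
"""
import json
import urllib.parse
import urllib.request

FIRST_EPSS_URL = "https://api.first.org/data/v1/epss"

# Constructed sample findings (subset of Wazuh vulnerability-detector alert fields).
SAMPLE_FINDINGS = [
    {"agent": {"name": "web-01"}, "data": {"vulnerability": {
        "cve": "CVE-2023-4863", "severity": "High", "package": {"name": "libwebp"},
        "cvss": {"cvss3": {"base_score": "8.8"}}}}},
    {"agent": {"name": "file-01"}, "data": {"vulnerability": {
        "cve": "CVE-2017-0144", "severity": "High", "package": {"name": "srv.sys"},
        "cvss": {"cvss3": {"base_score": "8.1"}}}}},
    {"agent": {"name": "web-01"}, "data": {"vulnerability": {
        "cve": "CVE-2022-0847", "severity": "High", "package": {"name": "linux-image"},
        "cvss": {"cvss3": {"base_score": "7.8"}}}}},
    {"agent": {"name": "build-01"}, "data": {"vulnerability": {
        "cve": "CVE-2024-3094", "severity": "Critical", "package": {"name": "xz-utils"},
        "cvss": {"cvss3": {"base_score": "10.0"}}}}},
]

# Constructed sample EPSS response (illustrative scores; CVE-2024-3094 deliberately absent).
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
    "total": 3, "offset": 0, "limit": 100,
    "data": [
        {"cve": "CVE-2017-0144", "epss": "0.970000000", "percentile": "0.999000000", "date": "2024-01-01"},
        {"cve": "CVE-2023-4863", "epss": "0.050000000", "percentile": "0.920000000", "date": "2024-01-01"},
        {"cve": "CVE-2022-0847", "epss": "0.020000000", "percentile": "0.880000000", "date": "2024-01-01"},
    ],
})


def parse_epss(body: str) -> dict:
    """Map CVE id -> (epss, percentile) from a FIRST EPSS API response body."""
    doc = json.loads(body)
    if doc.get("status") != "OK":
        raise RuntimeError(f"EPSS API returned status {doc.get('status')!r}")
    return {row["cve"]: (float(row["epss"]), float(row["percentile"])) for row in doc.get("data", [])}


def fetch_epss(cves, response_body: str = None) -> dict:
    """Look up EPSS for the given CVEs; response_body short-circuits the HTTP call (offline use)."""
    if response_body is None:
        query = urllib.parse.urlencode({"cve": ",".join(sorted(set(cves)))})
        with urllib.request.urlopen(f"{FIRST_EPSS_URL}?{query}") as resp:  # network call
            response_body = resp.read().decode()
    return parse_epss(response_body)


def rank_findings(findings, epss_by_cve: dict) -> list:
    """Order findings by EPSS (descending), then CVSS; CVEs without an EPSS score go last.

    A missing score means "unknown", not "low": such rows are flagged needs_review
    so an analyst looks at them instead of trusting the position in the list.
    """
    rows = []
    for f in findings:
        vuln = f["data"]["vulnerability"]
        epss, percentile = epss_by_cve.get(vuln["cve"], (None, None))
        rows.append({
            "cve": vuln["cve"],
            "agent": f["agent"]["name"],
            "package": vuln["package"]["name"],
            "severity": vuln["severity"],
            "cvss": float(vuln["cvss"]["cvss3"]["base_score"]),
            "epss": epss,
            "percentile": percentile,
            "needs_review": epss is None,
        })
    # Missing EPSS sorts after every real score (which lies in [0, 1]).
    rows.sort(key=lambda r: (-(r["epss"] if r["epss"] is not None else -1), -r["cvss"]))
    return rows


if __name__ == "__main__":
    cves = [f["data"]["vulnerability"]["cve"] for f in SAMPLE_FINDINGS]
    scores = fetch_epss(cves, response_body=SAMPLE_EPSS_RESPONSE)  # drop the argument to query FIRST
    for r in rank_findings(SAMPLE_FINDINGS, scores):
        flag = " (no EPSS yet, review)" if r["needs_review"] else ""
        print(f"{r['cve']:16} cvss={r['cvss']:<4} epss={r['epss']} {r['agent']}/{r['package']}{flag}")
```

With the sample scores, CVSS alone would put the 8.8 finding before the 8.1 one, while EPSS reverses them; the CVSS 10.0 finding without a score lands last only because it is unknown, which is exactly why it is flagged.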

Agent Security Configuration Assessment (SCA)

The SCA module (powered by Wazuh) evaluates endpoint configurations against various security policies.

  • Local and Central Databases: Each Wazuh agent has a local SCA database; the server maintains a centralized SCA database.
  • Integrity Mechanisms: Two mechanisms ensure alignment between policy files and scan results, triggering alerts for discrepancies.
  • Detailed SCA Checks: Assess compliance with CIS, PCI-DSS, NIST, and more.

Agents and Velociraptor

By integrating Velociraptor, CoPilot enables you to run remote artifact collections and commands across Windows and Linux endpoints.

  • Artifact Collection: Collect data like Chrome browsing history or installed extensions.
  • Remote Commands: Execute commands (e.g., ping or file retrieval).
  • Quarantine Management: Quarantine or un-quarantine endpoints directly from CoPilot.

Active Response

CoPilot's Active Response feature uses Wazuh to automate responses to security events on endpoints, such as blocking IP addresses via the local firewall.

  • Customizable Responses: Any event that can trigger an automation in Wazuh can be used to invoke Active Response.
  • Wide Deployment: Apply actions across a single endpoint or all endpoints in Wazuh.
  • Prerequisites: Python must be installed on the endpoints, and the active-response scripts or executables must be deployed to each endpoint's active-response/bin directory under the Wazuh agent installation.
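
As an added example of what such a deployed script looks like (it is not CoPilot's code and not Wazuh's bundled firewall-drop script), the Python active response below blocks the source IP of the triggering alert. It follows the protocol Wazuh uses for active responses: the agent writes a JSON request with the alert to the script's stdin, and for an "add" request the script must reply with a "check_keys" message and act only if the agent answers "continue". The script name (block-srcip.py), the choice of data.srcip as the key, and the iptables and netsh commands are assumptions of this example; the sample request is constructed.

```python
#!/usr/bin/env python3
"""Custom Wazuh active response: block the alert's source IP (added example).

Not CoPilot's or Wazuh's own script. It implements the JSON-over-stdin/stdout
protocol Wazuh uses for active responses: the agent sends an "add" or "delete"
request containing the alert; for "add" the script answers with "check_keys" and
only acts if the agent replies "continue". The firewall commands, the script
name (block-srcip.py) and the use of data.srcip as the key are assumptions.
"""
import ipaddress
import json
import platform
import subprocess
import sys


def sample_request(command: str = "add", srcip: str = "203.0.113.45") -> str:
    """Constructed request in the shape Wazuh writes to the script's stdin."""
    return json.dumps({
        "version": 1,
        "origin": {"name": "node01", "module": "wazuh-execd"},
        "command": command,
        "parameters": {
            "extra_args": [],
            "alert": {"rule": {"id": "5712"}, "data": {"srcip": srcip}},
            "program": "block-srcip.py",
        },
    })


def parse_ar_message(raw: str):
    """Return (command, srcip) from the request, refusing anything that is not a usable IP.

    The firewall is invoked without a shell, but validating here still keeps
    malformed values and loopback/unspecified/multicast addresses out of the ruleset.
    """
    msg = json.loads(raw)
    command = msg.get("command")
    if command not in ("add", "delete"):
        raise ValueError(f"unsupported active-response command: {command!r}")
    srcip = msg.get("parameters", {}).get("alert", {}).get("data", {}).get("srcip")
    if not srcip:
        raise ValueError("alert carries no data.srcip to block")
    ip = ipaddress.ip_address(srcip)  # ValueError on anything that is not an IP literal
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        raise ValueError(f"refusing to block {ip}")
    return command, str(ip)


def firewall_command(command: str, srcip: str, system: str = None) -> list:
    """Build the argv (no shell) that adds or removes the block for srcip."""
    system = system or platform.system()
    if system == "Windows":
        name = f"wazuh-ar-block-{srcip}"
        if command == "add":
            return ["netsh", "advfirewall", "firewall", "add", "rule", f"name={name}",
                    "dir=in", "action=block", f"remoteip={srcip}"]
        return ["netsh", "advfirewall", "firewall", "delete", "rule", f"name={name}"]
    flag = "-I" if command == "add" else "-D"
    return ["iptables", flag, "INPUT", "-s", srcip, "-j", "DROP"]


def check_keys_reply(script_name: str, keys: list) -> str:
    """Handshake message the script prints before acting on an "add" request."""
    return json.dumps({
        "version": 1,
        "origin": {"name": script_name, "module": "active-response"},
        "command": "check_keys",
        "parameters": {"keys": keys},
    })


def main() -> int:
    command, srcip = parse_ar_message(sys.stdin.readline())
    if command == "add":
        # Ask the agent whether this key is already being handled; it answers
        # "continue" or "abort" (for example on a repeated alert within the timeout).
        print(check_keys_reply(sys.argv[0], [srcip]), flush=True)
        if json.loads(sys.stdin.readline()).get("command") != "continue":
            return 0
    subprocess.run(firewall_command(command, srcip), check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

On the manager side the script still has to be registered in ossec.conf as a <command> and referenced from an <active-response> block that names the rules or levels that trigger it and, for a timed block, the timeout after which Wazuh sends the matching "delete" request.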
 

6. Cloud Security Assessment

As cloud adoption grows, securing cloud environments is critical. CoPilot integrates with Scout Suite, an open-source tool for multi-cloud security auditing.

Overview of Scout Suite

Scout Suite uses cloud provider APIs to gather configuration data and identify potential risks across AWS, Azure, and Google Cloud. It simplifies finding and fixing security issues. By embedding Scout Suite within CoPilot, you can monitor and assess your cloud posture in one place.

 

7. Web App Vulnerability Assessment

Securing web applications is crucial for protecting data and preventing breaches. CoPilot integrates with Nuclei, an open-source vulnerability scanner, to automate web application security assessments.

How It Works

  • Nuclei Integration: CoPilot uses Nuclei to run comprehensive scans on target URLs.
  • Setup: Enable the Nuclei module and specify target websites.
  • Reports: View the detailed scan results, with findings such as weak cipher suites, open ports, and exposed APIs.
 

8. Threat Intelligence

Threat intelligence is essential for real-time identification and response to potential threats. CoPilot's Threat Intel feature enriches Wazuh events with actionable data, helping you stay proactive against attacks.

Key Features

  • Automated Enrichment: Threat Intel data is integrated into Wazuh events using preconfigured pipelines in Graylog.
  • Flexible and Customizable: Can enrich DNS requests, firewall logs, third-party API logs, and more.
  • Scalable Integration: Subscribe to multiple threat intelligence feeds for comprehensive coverage.
 

9. Reports

CoPilot can generate custom reports from your Grafana dashboards. This is particularly useful for sharing insights about security posture with clients or upper management.

Key Features

  • Customizable Reports: Select specific dashboard panels to include.
  • Dynamic Time Ranges and Organizations: Customize reports by date range and specific Grafana organizations.
  • PDF Export: Export reports as PDFs with logos and themes for professional distribution.
 

10. Alerts

CoPilot manages alerts generated by your SIEM stack. Graylog queries the Wazuh Indexer periodically for events that match the alert query. When it finds some, they appear as pending alerts in CoPilot, which then processes them into incidents in the incident management platform (DFIR-IRIS).

Wazuh

Wazuh-generated alerts are captured using Graylog, then forwarded to CoPilot for incident creation and management.

Configuration Details

  1. Syslog Level: The events must have syslog_level set to "alert".
  2. Syslog Type: The events must have syslog_type set to "wazuh".
  3. Event Filtering: Graylog queries the Wazuh Indexer every five minutes for matching events (syslog_level=alert and syslog_type=wazuh), excluding Office 365 and vulnerability_detector events.
  4. Query Validation: Validate the search query in Graylog (run it and confirm it returns only the intended events) before enabling the alert.
  5. Alert Processing: Graylog sends matching events to CoPilot as pending alerts; CoPilot then turns these into incidents in DFIR-IRIS.
  6. Scheduler Configuration: CoPilot's scheduler runs every five minutes to process pending alerts automatically.

Custom

CoPilot also supports creating custom alerts based on your own criteria or integrations.

Steps to Create Custom Alerts

  1. Define Alert Criteria: Determine the key fields triggering the alert (e.g., “integration:huntress” and “level:1”).
  2. Create the Alert: Assign a name, priority, and query logic in CoPilot. Verify in Graylog to ensure correct matching events.
  3. Set Custom Fields: Add fields like customer_code and map event fields to alert fields.
  4. Deploy and Manage: Graylog runs the alert query at set intervals and sends matches to CoPilot, which generates incidents.

Example Use Case

You may only want to trigger alerts for critical Huntress events (level 1). Once set up, CoPilot automatically creates incidents for these events, streamlining your workflow.
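
The Python example below is added here to show both alert definitions from this section side by side; it is not CoPilot's or Graylog's code. Each rule renders the Graylog search string to paste into the event definition and evaluates the same logic locally against sample events, which is a cheap way to do the "validate the query before enabling the alert" step, and then maps event fields plus customer_code into the pending-alert record CoPilot would receive. The field used for the Office 365 and vulnerability_detector exclusions (rule_group1), the field-to-alert mapping, and the sample events are assumptions of this example.

```python
"""Define, render and locally validate Graylog alert rules for CoPilot (added example).

Not CoPilot's or Graylog's own code. It covers both rules described above: the
Wazuh rule (syslog_level alert, syslog_type wazuh, excluding Office 365 and
vulnerability_detector) and the custom Huntress rule (integration:huntress AND
level:1). The exclusion field (rule_group1), the field-to-alert mapping and the
sample events are assumptions of this example.
"""
from dataclasses import dataclass, field


@dataclass
class AlertRule:
    name: str
    priority: str
    must: dict                                      # field -> required value
    must_not: dict = field(default_factory=dict)    # field -> list of excluded values
    field_map: dict = field(default_factory=dict)   # event field -> alert field

    def query(self) -> str:
        """Render the Graylog search string to put in the event definition."""
        terms = [f"{f}:{v}" for f, v in self.must.items()]
        terms += [f"NOT {f}:{v}" for f, vals in self.must_not.items() for v in vals]
        return " AND ".join(terms)

    def matches(self, event: dict) -> bool:
        """Same logic evaluated locally (exact match, as for keyword fields)."""
        for f, v in self.must.items():
            if str(event.get(f)) != str(v):
                return False
        for f, vals in self.must_not.items():
            if str(event.get(f)) in [str(v) for v in vals]:
                return False
        return True

    def to_alert(self, event: dict, customer_code: str) -> dict:
        """Pending-alert record: mapped event fields plus the customer_code custom field."""
        alert = {"alert_name": self.name, "priority": self.priority,
                 "customer_code": customer_code, "event_id": event.get("id")}
        for src, dst in self.field_map.items():
            alert[dst] = event.get(src)
        return alert


def run_rule(rule: AlertRule, events, customer_code: str) -> list:
    """What one scheduler run would hand to CoPilot: one alert per matching event."""
    return [rule.to_alert(e, customer_code) for e in events if rule.matches(e)]


WAZUH_RULE = AlertRule(
    name="WAZUH_ALERT", priority="medium",
    must={"syslog_level": "alert", "syslog_type": "wazuh"},
    must_not={"rule_group1": ["office365", "vulnerability-detector"]},  # assumed group names
    field_map={"rule_description": "title", "agent_name": "asset", "rule_id": "rule_id"},
)

HUNTRESS_RULE = AlertRule(
    name="HUNTRESS_CRITICAL", priority="high",
    must={"integration": "huntress", "level": "1"},
    field_map={"message": "title", "hostname": "asset"},
)

# Constructed sample events in the flattened form in which Graylog indexes them.
SAMPLE_EVENTS = [
    {"id": "e1", "syslog_level": "alert", "syslog_type": "wazuh", "rule_group1": "sshd",
     "rule_id": "5712", "rule_description": "sshd: brute force trying to get access to the system.",
     "agent_name": "web-01"},
    {"id": "e2", "syslog_level": "alert", "syslog_type": "wazuh", "rule_group1": "vulnerability-detector",
     "rule_id": "23505", "rule_description": "Vulnerability detector finding", "agent_name": "web-01"},
    {"id": "e3", "syslog_level": "info", "syslog_type": "wazuh", "rule_group1": "sshd",
     "rule_id": "5710", "rule_description": "sshd: attempt to login using a non-existent user",
     "agent_name": "web-01"},
    {"id": "e4", "integration": "huntress", "level": "1",
     "message": "Huntress: critical incident report", "hostname": "ws-07"},
    {"id": "e5", "integration": "huntress", "level": "3",
     "message": "Huntress: informational report", "hostname": "ws-07"},
]


if __name__ == "__main__":
    for rule in (WAZUH_RULE, HUNTRESS_RULE):
        print(rule.query())
        for alert in run_rule(rule, SAMPLE_EVENTS, "acme"):
            print("  ", alert)
```

Of the five sample events only e1 (a real Wazuh alert outside the excluded groups) and e4 (a level 1 Huntress event) produce alerts; e2 is dropped by the exclusion, e3 by its level, and e5 because only level 1 is wanted. If the local evaluation and the Graylog search disagree on the same events, the field names in the query are the first thing to check.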

 

11. Integrating with Third Party Tools

CoPilot leverages Shuffle to enhance your security workflows by combining AI-driven insights with robust automation.

The Power of Integration

  • Automated Alert Handling: Automatically process and categorize alerts via Shuffle.
  • Third-Party Integrations: Connect your SIEM alerts with Jira, ConnectWise, email services, and more.
  • Efficient Incident Response: Reduce manual tasks so your team can focus on critical issues.
 