SOCFortress CoPilot Docs Are Live: How to Get Value Fast
We just launched the new SOCFortress CoPilot documentation site: https://docs.socfortress.co
If you’ve ever found yourself bouncing between README snippets, Discord messages, and old notes just to remember “the right way” to deploy, upgrade, or operate CoPilot — this is the fix.
The goal of these docs is simple:
- Help you get value faster
- Reduce guesswork during deployment and upgrades
- Make day-to-day operations easier (alerts → cases → response)
- Keep everything organized by how people actually work in a SOC and MSSP environment
Why we rebuilt the docs
CoPilot is a single pane of glass designed to help operators manage an open-source SOC/SIEM stack — Wazuh, Graylog, Velociraptor, Grafana, and more — without living in a dozen separate consoles all day.
But the reality is this: tools are only as good as the workflows around them.
So we rebuilt the documentation to be practical, repeatable, and easy to navigate — especially when you’re in the middle of troubleshooting or onboarding a new customer.
Where to start (don’t skip this)
If you do one thing after reading this post, do this:
Go to the docs and click Start here
https://docs.socfortress.co/getting-started/start-here
That page acts as your onboarding checklist and the fastest way to establish a working loop:
- Ingest logs (endpoints, integrations, syslog)
- Visualize with dashboards
- Detect with alerting
- Respond with cases
- Expand with additional modules
It’s designed to prevent the most common time-waster: trying to troubleshoot alerts or dashboards before data is flowing correctly.
Install / Upgrade is now a first-class citizen
We added a dedicated Install / Upgrade section:
https://docs.socfortress.co/getting-started/install-upgrade
This covers:
- Docker Compose deployment
- .env setup guidance
- Retrieving the initial admin password
- Optional Docker daemon settings (DNS, log rotation, MTU)
- TLS/SSL notes (self-signed by default, bring your own cert)
- Upgrade workflow (docker compose pull → docker compose up -d)
- Optional Customer Portal enablement
The README now points back to the docs so these steps don’t drift over time.
Use the docs by role (this saves a ton of time)
The docs are organized around how teams actually operate.
Operator
If you’re doing day-to-day SOC work — triage, investigations, response — start with the Operator section.
You’ll find workflows like:
- Alert triage
- Converting alerts into cases
- Collecting artifacts and evidence
- Tracking investigation progress
Admin / Platform
If you maintain the platform — connectors, provisioning, ingestion, indices, health — this is your home.
Go straight to Admin / Platform if you’re responsible for:
- Tenant or customer provisioning
- Ingestion workflows
- Graylog alert plumbing into CoPilot
- Wazuh Indexer storage and index management
- InfluxDB health metrics
New: Customer Portal (optional, MSSP-friendly)
We added a dedicated Customer Portal section after repeated requests from MSSPs who wanted a clean way to collaborate with customers without exposing internal admin capabilities.
The Customer Portal is designed to help MSSPs:
- Share alerts and cases with customers (tenant-scoped)
- Collaborate using two-way comments
- Let customers track and update status (open / closed)
- Share files within cases (deliverables, evidence)
Docs: https://docs.socfortress.co/customer-portal
Important note:
If you expose the Customer Portal externally, we strongly recommend placing it behind a WAF or reverse proxy (and ideally a VPN), since it introduces an externally accessible application surface.
How to get the most out of the docs
Here’s the workflow we recommend.
1. Pick your current role
Ask yourself: “Am I acting as an operator right now, or an admin?”
That single decision prevents random searching and dramatically speeds things up.
2. Follow a “success criteria” mindset
Many pages are written like runbooks. If you can’t meet the success definition for a step, stop and fix it before moving on.
This avoids painful troubleshooting later.
3. Treat the UI guide like a map
Many pages mirror the product UI, so you can navigate documentation the same way you navigate CoPilot itself.
4. Bookmark the essentials
Most teams end up bookmarking:
- Start here
- Install / Upgrade
- Admin quickstart
- Operator quickstart
- Troubleshooting
If you’re onboarding new team members, those links become a repeatable checklist.
Links
- Docs: https://docs.socfortress.co
- CoPilot repo: https://github.com/socfortress/CoPilot
- Discord: https://discord.gg/UN3pNBzaEQ
- Contact: https://www.socfortress.co/contact_form.html
Feedback welcome
Docs are a living system.
If you find:
- a missing step
- a confusing section
- a workflow you want documented
- or a page you’d love to see
Open a GitHub issue or drop feedback in Discord. We’ll keep iterating.