New OpenSource Case Management Platform — Powered by CoPilot

SOCFortress
4 min read · Sep 2, 2024


As cybersecurity defenders, we’re constantly seeking tools that not only enhance our ability to detect and respond to threats but also streamline our operations. Today, I’m thrilled to introduce a significant upgrade to SOCFortress CoPilot — our very own custom-built case management system. This new system is a major step forward from our previous reliance on DFIR-IRIS, allowing us to take full control over our case management and truly integrate it into our SIEM stack.

Why We Built Our Own Case Management System

DFIR-IRIS served us well as a dependable sidekick, but we recognized the need for a solution we could fully customize and evolve. We wanted to create a case management system that was not just tailored to our needs but also flexible enough to accommodate a wide range of use cases, particularly those involving diverse alert criteria and third-party integrations. Our goal was to provide you with a system that empowers you to craft your own alerts and case management workflows, without being dependent on predefined settings.

What’s New in CoPilot

One of the first things you’ll notice after updating to the latest version of CoPilot is the absence of the DFIR-IRIS connector. This change was intentional; we’ve replaced it with our custom case management solution, fully integrated into CoPilot. This new system is designed to work seamlessly with various logs and data sources you might be ingesting into your SIEM stack, including Wazuh, Office 365, Huntress, CrowdStrike, and more.

Leveraging Graylog for Custom Alerting

Our new system leverages Graylog to handle alert searches and provisioning. Think of it as your new ElastAlert or Praeco replacement within the SIEM stack. Graylog runs search queries against the Wazuh indexer, looking for specific alerts that match your criteria. These queries can be fully customized, giving you the flexibility to create alerts based on the exact conditions you need to monitor.

We’ve provided several templated alerts that you can enable right out of the box, such as the Wazuh Syslog level alert. For those of you using the SOCFortress Wazuh content pack, these alerts will integrate seamlessly, but you’re also free to create your own custom alerts tailored to your environment.

Under the Hood: How It Works

When Graylog identifies an alert that matches your search query, it writes the alert to a specific index. CoPilot then retrieves this alert and integrates it into the case management system. This process is all about giving you full control over what gets alerted on and how those alerts are handled within the system.

In CoPilot, alerts are organized by sources, which can be thought of as categories of alerts. For example, Wazuh alerts, Office 365 alerts, and CrowdStrike alerts can each be grouped under their respective sources. This organization helps keep your alerts structured and easy to manage.

The Power of Customization

One of the standout features of our new case management system is the level of customization it offers. You can define what metadata fields are included in your alerts, set specific time fields, and choose what data should populate the alert context. This flexibility ensures that the alerts you see are relevant and actionable, without overwhelming you with unnecessary information.

Enhanced Incident Management

Once an alert is triggered, CoPilot allows you to manage it directly within the system. You can assign alerts to team members, add tags for easy filtering, and even run Velociraptor artifact collections if you have the Velociraptor agent installed on the endpoint. The alert timeline feature provides a visual representation of the sequence of events leading up to and following the alert, making it easier to understand the context and impact of an incident.
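The flow described in the last few sections (documents Graylog has written to an index, per-source field mapping, assignment and tagging, merging related alerts into a case with a timeline) is sketched below as an added example. This is illustrative code written for this post, not CoPilot's own implementation; the index documents, field names, source definitions and the `normalise`/`triage`/`build_cases`/`timeline` helpers are all constructed for the example.

```python
"""Illustrative alert-to-case pipeline (added example, not CoPilot's code).
Assumes Graylog has already written matching events to an index; the
documents and field names below are constructed for this example."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any

# Constructed sample index documents: one Wazuh alert, two Office 365 alerts.
INDEX_DOCS: list[dict[str, Any]] = [
    {"source": "wazuh", "timestamp": "2024-09-02T10:15:00.000Z",
     "agent_name": "web-01", "rule_id": "5710", "rule_level": 10,
     "rule_description": "sshd: Attempt to login using a non-existent user",
     "srcip": "198.51.100.23"},
    {"source": "office365", "timestamp": "2024-09-02T10:16:30.000Z",
     "UserId": "alice@example.test", "Operation": "UserLoggedIn",
     "ClientIP": "198.51.100.23", "ResultStatus": "Failed"},
    {"source": "office365", "timestamp": "2024-09-02T10:17:05.000Z",
     "UserId": "alice@example.test", "Operation": "UserLoggedIn",
     "ClientIP": "198.51.100.23", "ResultStatus": "Succeeded"},
]


@dataclass(frozen=True)
class SourceConfig:
    """Per-source customisation (hypothetical field names)."""
    name: str
    time_field: str                  # field carrying the event time
    title_field: str                 # field that becomes the alert title
    context_fields: tuple[str, ...]  # metadata copied into the alert context
    correlation_field: str           # value used to merge alerts into a case


SOURCES: dict[str, SourceConfig] = {
    "wazuh": SourceConfig("wazuh", "timestamp", "rule_description",
                          ("agent_name", "rule_id", "rule_level", "srcip"), "srcip"),
    "office365": SourceConfig("office365", "timestamp", "Operation",
                              ("UserId", "ClientIP", "ResultStatus"), "ClientIP"),
}


@dataclass
class Alert:
    source: str
    title: str
    event_time: datetime
    context: dict[str, Any]
    correlation_key: str
    assignee: str | None = None
    tags: list[str] = field(default_factory=list)


@dataclass
class Case:
    title: str
    alerts: list[Alert] = field(default_factory=list)


def normalise(doc: dict[str, Any]) -> Alert:
    """Map a raw index document to an Alert using its source's config.
    An unmapped source raises KeyError on purpose: it should be configured,
    not silently dropped."""
    cfg = SOURCES[doc["source"]]
    raw_ts = doc[cfg.time_field].replace("Z", "+00:00")  # ISO 8601 'Z' suffix
    return Alert(
        source=cfg.name,
        title=str(doc[cfg.title_field]),
        event_time=datetime.fromisoformat(raw_ts).astimezone(timezone.utc),
        context={k: doc[k] for k in cfg.context_fields if k in doc},
        correlation_key=str(doc.get(cfg.correlation_field, "")),
    )


def triage(alert: Alert, assignee: str, *tags: str) -> Alert:
    """Assign an alert to an analyst and add filter tags (no duplicates)."""
    alert.assignee = assignee
    for t in tags:
        if t not in alert.tags:
            alert.tags.append(t)
    return alert


def build_cases(alerts: list[Alert]) -> dict[str, Case]:
    """Merge alerts sharing a correlation key into one case per key.
    Alerts with an empty key get a case each, so a missing field never
    lumps unrelated alerts together."""
    cases: dict[str, Case] = {}
    for a in sorted(alerts, key=lambda x: x.event_time):
        key = a.correlation_key or f"uncorrelated:{len(cases)}"
        case = cases.setdefault(key, Case(title=f"Activity involving {key}"))
        case.alerts.append(a)
    return cases


def timeline(case: Case) -> list[tuple[str, str, str]]:
    """Chronological (time, source, title) view of a case's alerts."""
    return [(a.event_time.isoformat(), a.source, a.title)
            for a in sorted(case.alerts, key=lambda x: x.event_time)]


if __name__ == "__main__":
    normalised = [normalise(d) for d in INDEX_DOCS]
    triage(normalised[0], "analyst1", "brute-force")
    for case in build_cases(normalised).values():
        print(case.title)
        for row in timeline(case):
            print("  ", *row)
```

The per-source config is the point: which field is the time field, which fields populate the context and which value correlates alerts are all data, not code, so adding a new source (Huntress, CrowdStrike) means adding a `SourceConfig`, not touching the pipeline. Correlating on a shared client IP here is a deliberate choice for the sample; a real deployment would pick the correlation field per source and per use case.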

Creating and Managing Cases

Another powerful feature of the new system is the ability to create cases from alerts. Cases allow you to group related alerts together, making it easier to manage complex incidents. For instance, if multiple alerts are related to the same malware campaign, you can merge them into a single case, keeping your investigation organized and efficient.

Conclusion: A New Chapter in SIEM Management

We’re incredibly excited to bring this new case management system to you as part of SOCFortress CoPilot. It represents a new chapter in how we handle alerts and incidents, offering unparalleled flexibility and control. We’ll be releasing more videos and tutorials to help you get the most out of this new system, so stay tuned for more updates.

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html


SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).