Open Source SIEM Response Made Simple: Dynamic Endpoint Actions with SOCFortress CoPilot

3 min read · Sep 24, 2025

In modern SOC environments, speed matters. Detection is only half the battle — the real challenge is response. When a threat is detected, analysts need the ability to quickly block malicious IPs, disable suspicious accounts, or collect system information without jumping through endless hoops.

Traditionally, frameworks like Wazuh Active Response have been a powerful way to take automated actions. But configuring scripts across endpoints, editing manager configs, and managing those workflows can get cumbersome. That’s why we built CoPilot Actions — a simpler, more flexible way to launch response actions directly from your open source SIEM stack.

🚀 What Are CoPilot Actions?

CoPilot Actions extend the SOCFortress CoPilot platform by integrating with Velociraptor. Together, they allow security teams to:

  • 🛡️ Block/Unblock IPs on Windows or Linux firewalls
  • 👥 Remove or enumerate users and investigate accounts
  • 📊 Collect system data for rapid triage
  • 🔍 Run custom PowerShell or Bash scripts for incident response or threat hunting

All from a single UI — no manual deployments, no config headaches.

🔧 How It Works

Under the hood, CoPilot communicates with Velociraptor’s API to run what we call “CoPilot Actions.” These are artifacts designed to fetch and execute scripts dynamically.

  • On Windows, scripts are executed via PowerShell.
  • On Linux, scripts run via Bash.
  • All results are written into a dedicated CoPilot Actions index, keeping them separate from Wazuh alerts or vulnerability data.

This makes it easy to parse results in Graylog and visualize them in Grafana dashboards — giving analysts both context and clarity.

⚡ Example: Blocking an IP in Seconds

Imagine a malicious IP is hitting your endpoints. With Wazuh Active Response, you’d need to:

  1. Deploy a script to the endpoint.
  2. Update the manager configuration.
  3. Validate the rule deployment.

With CoPilot Actions, it’s as simple as:

  • Select the action (Windows Firewall Block IP).
  • Enter the target IP and choose inbound or outbound.
  • Click Invoke.

Within seconds, Velociraptor executes the script, the rule is applied, and the result is logged back into your SIEM.
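To make the Linux side of this concrete, here is an added example (written for this post, not code from the SOCFortress CoPilot Actions repository) of a Block/Unblock IP script in the shape a CoPilot Action would fetch and run with Bash. It validates the target IP before anything touches the firewall, maps the analyst's inbound/outbound choice onto the INPUT/OUTPUT chain, applies or removes the rule with iptables (assumed to be the host firewall), and prints one JSON line of the kind a dedicated results index would ingest. The JSON field names and the iptables approach are assumptions; the real artifacts are in the repository linked later in this post.

```shell
#!/usr/bin/env bash
# Constructed example of a Linux "Block/Unblock IP" response action.
# Assumptions: iptables is the host firewall; the result record fields
# (copilot_action, host, ip, direction, rc, status) are a made-up schema.

# validate_ipv4 IP -> 0 if IP is a dotted quad with octets 0-255, else 1.
# Rejecting bad input here keeps unvalidated text from ever reaching iptables.
validate_ipv4() {
    ip=$1
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_firewall_cmd ACTION DIRECTION IP -> prints the iptables command to run.
# ACTION is block|unblock, DIRECTION is inbound|outbound (as chosen in the UI).
build_firewall_cmd() {
    action=$1; direction=$2; ip=$3
    validate_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 2; }
    case $direction in
        inbound)  chain=INPUT;  match="-s $ip" ;;   # traffic arriving from the IP
        outbound) chain=OUTPUT; match="-d $ip" ;;   # traffic leaving toward the IP
        *) echo "direction must be inbound or outbound" >&2; return 2 ;;
    esac
    case $action in
        block)   op=-I ;;   # insert at the top so DROP wins over earlier ACCEPT rules
        unblock) op=-D ;;   # delete the exact rule that block inserted
        *) echo "action must be block or unblock" >&2; return 2 ;;
    esac
    echo "iptables $op $chain $match -j DROP"
}

# result_record ACTION DIRECTION IP RC -> one JSON line for the results index.
# Keeping the record flat and single-line makes it trivial to parse in Graylog.
result_record() {
    host=${HOSTNAME:-$(uname -n)}
    if [ "$4" -eq 0 ]; then status=success; else status=failure; fi
    printf '{"copilot_action":"linux_firewall_%s_ip","host":"%s","ip":"%s","direction":"%s","rc":%s,"status":"%s"}\n' \
        "$1" "$host" "$3" "$2" "$4" "$status"
}

# run_action ACTION DIRECTION IP -> builds the rule, applies it (needs root),
# and always emits a result record so the SIEM sees failures as well as successes.
run_action() {
    cmd=$(build_firewall_cmd "$1" "$2" "$3") || { result_record "$1" "$2" "$3" 2; return 2; }
    $cmd 2>/dev/null   # word-split on purpose: every argument was validated above
    rc=$?
    result_record "$1" "$2" "$3" "$rc"
    return "$rc"
}

# Only act when invoked directly with three arguments, e.g.
#   ./block_ip.sh block inbound 203.0.113.5
# so sourcing the file for reuse or testing never touches the firewall.
if [ "$#" -eq 3 ]; then
    run_action "$1" "$2" "$3"
fi
```

The separation between building the command and executing it is deliberate: the validation and chain mapping can be exercised without privileges, and the only thing that runs as root is a command whose every token was checked first. The same pattern carries over to the PowerShell variant, where `New-NetFirewallRule` takes the place of iptables.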

📊 Clean Data, Clear Dashboards

One of our design goals was making results easy to interpret. Instead of digging through Velociraptor logs, all CoPilot Action outputs are funneled into their own index.

From there, you can:

  • Build Grafana dashboards (e.g., view blocked IPs at a glance).
  • Route data through Graylog streams for alerting or enrichment.
  • Maintain separation of concerns — actions in one place, detections in another.

🌐 Getting Started

To set up CoPilot Actions, you’ll need:

  • A running instance of SOCFortress CoPilot
  • Velociraptor server + clients installed on your endpoints
  • Artifacts imported for Windows and Linux execution
  • A Graylog index and stream to capture results
  • Optional: Grafana dashboards for visualization

Full setup details and artifacts are available on our GitHub:

👉 SOCFortress CoPilot Actions Repository

🤝 Join the Community

At SOCFortress, we believe in open source collaboration. That’s why all of our CoPilot Actions and scripts live in public repositories. If you see room for improvement, find a bug, or want to contribute a new action, open an issue or pull request — your work helps strengthen the whole community.

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).