🛡️ GuardFoxCopilot Documentation

Live SIEM

Real-time security event ingestion, correlation, and pivot analysis across 10 connectors.

Route: /siem

How it works

Overview

How the SIEM Engine Works

GuardFoxCopilot ingests security events from up to 10 data sources simultaneously. All events are normalised into the SIEMEvent schema before storage, which enables cross-source correlation and pivot analysis.

Ingestion flow:

  1. Source sends data to POST /api/siem/ingest (webhook) or GuardFoxCopilot polls the source API
  2. Events are parsed and normalised — fields mapped to: user, host, srcIp, message, eventId, timestamp, category
  3. Events are stored in PostgreSQL via Prisma
  4. If an event matches a SOAR trigger rule, the playbook engine fires
  5. AI root-cause analysis runs on correlated event clusters

Supported connectors:

  • Syslog (UDP/514)
  • Wazuh (webhook)
  • CrowdStrike Falcon (API stream)
  • AWS CloudTrail + GuardDuty
  • Okta Identity Events
  • Microsoft 365 / Azure AD
  • Palo Alto Panorama
  • Generic webhook (JSON)
  • EDR agent events (internal)

Connecting a source

Setup

Connecting a Data Source

Step 1 — Go to Administration → Data Sources

Each connector has a unique webhook URL and optional API key.

Step 2 — Configure your source

Syslog (UDP)

Host: portal.guardfoxsecurity.com
Port: 5140
Protocol: UDP
Format: RFC 5424 or RFC 3164

Wazuh

In /var/ossec/etc/ossec.conf, add an integration block:

<integration>
  <name>custom-webhook</name>
  <hook_url>https://portal.guardfoxsecurity.com/api/siem/ingest</hook_url>
  <alert_format>json</alert_format>
</integration>

CrowdStrike

In the Falcon console: Settings → Integrations → SIEM Connector

  • Protocol: HTTPS
  • URL: https://portal.guardfoxsecurity.com/api/siem/ingest
  • Format: JSON

Generic webhook

POST JSON to /api/siem/ingest with header X-GuardFoxKey: YOUR_INGEST_KEY.

Using the SIEM view

How to use

Using the Live SIEM

Event stream

The main view shows a real-time event stream with auto-refresh every 10 seconds. Events are colour-coded by severity.

Root-cause pivot

Click any IP, hostname, or username to pivot — the SIEM immediately filters to all events involving that entity across all sources and time.

AI root-cause summary

Click the AI Analyse button on any event cluster to generate a natural-language narrative explaining the sequence of events, likely attack technique, and recommended actions.

Filters

  • Source — filter to one connector
  • Category — Authentication, Network, Endpoint, Policy
  • Time range — last 1h / 6h / 24h / 7d / custom
  • Severity — Critical, High, Medium, Low, Info

Export

Click Export CSV to download the current filtered view. Useful for offline analysis or sharing with stakeholders.