Endpoint investigation is a core part of modern SOC operations, but too often it involves jumping between tools, re-running collections, or manually tracking down output.
At SOCFORTRESS, we've continued improving CoPilot with a focus on making Velociraptor-driven investigations more practical and efficient for day-to-day use.
Get Started with CoPilot: https://github.com/socfortress/CoPilot
What's Changed in CoPilot
Recent updates to the Velociraptor integration inside CoPilot introduce more flexibility and better handling of investigation artifacts.
Artifact Parameters in CoPilot
CoPilot now allows analysts to define Velociraptor artifact parameters directly within the UI.

Artifact parameters are automatically populated with Velociraptor defaults, but analysts can adjust them as needed before execution. This removes the need to switch tools or manually modify artifacts while still maintaining control over how collections run.
Improved Artifact Collection Engine
Artifact results are no longer limited to on-screen output.
Every artifact run is now automatically uploaded to a per-agent data store, including:
- Artifact results
- Collection metadata
- Execution logs
- Supporting files generated during the run
This creates a persistent record of investigation activity that can be reviewed, downloaded, or archived as needed.

Remote File Collection from Endpoints
CoPilot now supports remote file collection using Velociraptor's file collection capabilities.

Analysts can specify file paths directly in CoPilot and retrieve files from both Windows and Linux endpoints. Collected files are uploaded alongside artifact results and packaged in a downloadable archive.
This makes it easier to pull samples for additional analysis, such as sandboxing or malware review, without relying on manual access or external tooling.
Built Into Alert Investigations
These capabilities are also available directly from alerts.
From an alert, analysts can:
- Run Velociraptor artifacts against the affected endpoint
- Collect files related to the alert
- Access artifact results and uploads from the data store
This keeps investigation steps centralized within the alert workflow and reduces context switching during triage.
SOC Operations
These improvements streamline common investigation tasks by:
- Reducing manual steps during artifact execution
- Keeping results and collected files organized per endpoint
- Making it easier to revisit historical investigation data
- Supporting faster, more consistent analyst workflows
The focus is on improving operational efficiency without adding complexity.
Need Help?
The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.
Website: https://www.socfortress.co/
Contact Us: https://www.socfortress.co/contact_form.html
