Connecting integrations

Per-integration credentials, scopes, health and one-click disconnect.

Last updated 2/17/2026

Integrations connect SOCPilot to the customer's existing security stack. They never replace those tools.

Supported integration classes

  • SIEM (Microsoft Sentinel, Splunk, Chronicle, Elastic)
  • EDR (CrowdStrike Falcon, SentinelOne, Microsoft Defender)
  • Identity (Okta, Azure AD, Google Workspace)
  • Cloud (AWS CloudTrail, GCP, Azure)
  • Email (Google Workspace, Microsoft 365, Proofpoint)

Connection modes

  • API — recommended; uses scoped service credentials
  • Webhook — for vendors that push events
  • File / S3 — for batch log delivery

Health

Each integration shows health (healthy, degraded, error), last sync time and the most recent ingestion run. Errors include enough context to act on without exposing secrets.

Disconnect

One-click disconnect immediately revokes the credential at the source where the API supports revocation, and pauses ingestion in all cases.
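The health and disconnect rules above are simple to state but easy to get subtly wrong (an error message that echoes the rejected token, or a disconnect that revokes but forgets to pause). The following model is an added example, not SOCPilot's code: the `Integration` class, its method names, the one-hour degraded/error threshold and the redaction patterns are all assumptions made here to illustrate the behaviour the article describes.

```python
"""Illustrative model of integration health tracking and one-click disconnect.
Added example; not SOCPilot code. All names and thresholds are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional
import re


class Health(Enum):
    HEALTHY = "healthy"
    DEGRADED = "degraded"
    ERROR = "error"


# Constructed patterns for credential-shaped substrings a vendor error might echo back.
SECRET_PATTERNS = [
    re.compile(r"Bearer\s+[A-Za-z0-9._-]+"),            # bearer tokens
    re.compile(r"AKIA[0-9A-Z]{16}"),                     # AWS access key id shape
    re.compile(r"(?i)(api[_-]?key|token|secret)=\S+"),   # key=value style secrets
]

DEGRADED_WINDOW_SECONDS = 3600  # assumption: a failure within an hour of success is "degraded"


def redact(message: str) -> str:
    """Remove credential-looking substrings so the error can be shown to operators."""
    for pat in SECRET_PATTERNS:
        message = pat.sub("[REDACTED]", message)
    return message


@dataclass
class Integration:
    name: str
    mode: str                       # "api", "webhook" or "file"
    supports_revocation: bool       # whether the vendor API can revoke the credential
    health: Health = Health.HEALTHY
    ingestion_paused: bool = False
    credential_revoked: bool = False
    last_sync: Optional[datetime] = None
    last_error: Optional[str] = None
    revoke_calls: List[str] = field(default_factory=list)  # stands in for vendor revoke API calls

    def record_sync(self, ok: bool, error: Optional[str] = None) -> Health:
        """Update health after an ingestion run; errors keep context but never the secret."""
        now = datetime.now(timezone.utc)
        if ok:
            self.health = Health.HEALTHY
            self.last_sync = now
            self.last_error = None
            return self.health
        self.last_error = redact(error or "unknown error")
        recently_healthy = (
            self.last_sync is not None
            and (now - self.last_sync).total_seconds() <= DEGRADED_WINDOW_SECONDS
        )
        self.health = Health.DEGRADED if recently_healthy else Health.ERROR
        return self.health

    def disconnect(self) -> dict:
        """One-click disconnect: always pause ingestion; revoke at source when supported."""
        self.ingestion_paused = True
        if self.supports_revocation:
            self.revoke_calls.append(self.name)  # placeholder for the real revocation request
            self.credential_revoked = True
        return {
            "ingestion_paused": self.ingestion_paused,
            "credential_revoked": self.credential_revoked,
        }


if __name__ == "__main__":
    edr = Integration("edr-api", "api", supports_revocation=True)
    edr.record_sync(ok=False, error="401 from vendor: Bearer abc.def-ghi rejected")
    print(edr.health.value, "|", edr.last_error)
    print(edr.disconnect())
```

The two points worth noticing: ingestion is paused before any revocation attempt, so a vendor that cannot revoke still stops receiving data, and the stored error goes through `redact` before it is ever persisted, not just before it is displayed.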
