Connecting integrations
Per-integration credentials, scopes, health and one-click disconnect.
Last updated 2/17/2026
Integrations connect SOCPilot to the customer's existing security stack. They never replace those tools.
Supported integration classes
- SIEM (Microsoft Sentinel, Splunk, Chronicle, Elastic)
- EDR (CrowdStrike Falcon, SentinelOne, Microsoft Defender)
- Identity (Okta, Azure AD, Google Workspace)
- Cloud (AWS CloudTrail, GCP, Azure)
- Email (Google Workspace, Microsoft 365, Proofpoint)
Connection modes
- API — recommended; uses scoped service credentials
- Webhook — for vendors that push events
- File / S3 — for batch log delivery
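A least-privilege check for the scoped service credential that API mode relies on, added here as an example (not SOCPilot's own code): before an API integration is saved, the credential's granted scopes are compared with the read-only set the integration needs. The scope names, the per-class requirement table and the write/admin markers are illustrative assumptions, not any vendor's documented scopes.

```python
# Added example, not SOCPilot's own code. A least-privilege check to run
# before an API-mode integration is saved: the service credential must carry
# exactly the read scopes the integration needs and no write or admin scope.
# Scope names and the per-class requirements are illustrative assumptions.
from __future__ import annotations

# Assumed minimal read-only scope sets (not taken from any vendor's docs).
REQUIRED_SCOPES = {
    "edr": {"detections:read", "hosts:read"},
    "identity": {"users:read", "system_log:read"},
}
# Substrings that mark a scope as more than read access (assumed convention).
WRITE_MARKERS = ("write", "admin", "manage", "delete")


def check_scopes(integration_class: str, granted: set[str]) -> tuple[str, str]:
    """Return (verdict, detail); verdict is ok / warn / refuse.

    refuse: a required scope is missing (ingestion would fail) or a
            write/admin scope is present (the credential could change the
            customer's own tooling, which an ingestion-only integration
            never needs).
    warn:   only extra read scopes; ingestion works, but the credential
            carries more than least privilege.
    """
    required = REQUIRED_SCOPES[integration_class]
    missing = sorted(required - granted)
    extra = granted - required
    writable = sorted(
        s for s in granted if any(m in s.lower() for m in WRITE_MARKERS)
    )
    if missing:
        return "refuse", f"missing scopes: {missing}"
    if writable:
        return "refuse", f"write/admin scopes present, remove: {writable}"
    if extra:
        return "warn", f"unneeded read scopes, consider removing: {sorted(extra)}"
    return "ok", "credential carries exactly the required read scopes"
```

Missing scopes are reported before over-privilege so that the first thing an operator fixes is the one that would make ingestion fail; a write or admin scope is refused outright rather than warned about, because nothing in an ingestion-only integration needs it.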
Health
Each integration shows health (healthy, degraded, error), last sync time and the most recent ingestion run. Errors include enough context to act on without exposing secrets.
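How a health state and an actionable, secret-free error detail can be derived from the last sync time and the most recent ingestion run, as an added example (not SOCPilot's own code). The thresholds for degraded and error, the argument names, and the set of secret patterns scrubbed from vendor error text are assumptions made for this example.

```python
# Added example, not SOCPilot's own code. Derives the health state shown on
# an integration (healthy / degraded / error) from the time since the last
# successful sync and the outcome of the most recent ingestion run, and
# redacts secrets from the vendor's error text before it is shown.
# Thresholds, argument names and redaction patterns are assumptions.
from __future__ import annotations
import re

DEGRADED_AFTER = 30 * 60      # assumed: no successful sync for 30 min -> degraded
ERROR_AFTER = 2 * 60 * 60     # assumed: no successful sync for 2 h -> error

# Secrets that vendor SDKs commonly echo back in exceptions: bearer tokens,
# credentials in query strings, and credential fields in JSON bodies.
# Group 1 keeps the surrounding context; only the value is replaced.
_SECRET_PATTERNS = [
    re.compile(r"(?i)(authorization:\s*bearer\s+)[\w.~+/=-]+"),
    re.compile(r"(?i)([?&](?:api_key|token|client_secret)=)[^&\s]+"),
    re.compile(r'(?i)("[a-z_]*(?:token|secret|password)"\s*:\s*")[^"]*'),
]


def redact(text: str) -> str:
    """Replace secret values with [REDACTED], keeping the context around them."""
    for pat in _SECRET_PATTERNS:
        text = pat.sub(lambda m: m.group(1) + "[REDACTED]", text)
    return text


def health(age_seconds: int | None, run_ok: bool | None = None,
           run_events: int = 0, run_error: str | None = None) -> tuple[str, str]:
    """Return (state, detail) for an integration's health display.

    age_seconds: seconds since the last successful sync (None = never synced)
    run_ok / run_events / run_error: outcome of the most recent ingestion run
    """
    if run_ok is False:
        # A failed run is an error regardless of sync age; show the vendor's
        # message, minus anything that looks like a credential.
        return "error", redact(run_error or "ingestion run failed")
    if age_seconds is None:
        return "error", "never synced"
    if age_seconds > ERROR_AFTER:
        return "error", f"no successful sync for {age_seconds // 60} min"
    if age_seconds > DEGRADED_AFTER:
        return "degraded", f"no successful sync for {age_seconds // 60} min"
    if run_ok and run_events == 0:
        # A run that succeeds but returns nothing usually means a silently
        # broken filter or scope, so it is surfaced rather than hidden.
        return "degraded", "last run succeeded but ingested 0 events"
    return "healthy", f"synced {age_seconds // 60} min ago, {run_events} events in last run"
```

The redaction is applied only to text that came from the vendor; the state logic itself never touches the credential, so the detail string can be shown to anyone with access to the integration page.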
Disconnect
One-click disconnect pauses ingestion immediately in all cases and, where the vendor's API supports revocation, revokes the credential at the source. Where the vendor's API does not support revocation, the credential remains valid at the vendor until it is revoked there manually; the disconnect reports this rather than treating the credential as revoked.
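The order of operations behind a disconnect, as an added example (not SOCPilot's own code): ingestion is paused first, unconditionally, and revocation at the source is then attempted, with the result recorded honestly when the vendor has no revocation call or the call fails. The connector interface, the vendor capability flag and the simulated failure are assumptions made for this example.

```python
# Added example, not SOCPilot's own code. Shows the order of operations a
# one-click disconnect should follow: pause ingestion first (always), then
# revoke the credential at the vendor where its API supports that, and record
# clearly when it does not so the credential can be revoked by hand.
# The connector interface and vendor capabilities are assumptions.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Connector:
    vendor: str
    supports_revocation: bool
    ingestion_paused: bool = False
    credential_revoked: bool = False
    fail_revocation: bool = False   # simulate the vendor API erroring on revoke

    def pause(self) -> None:
        self.ingestion_paused = True

    def revoke_credential(self) -> None:
        if not self.supports_revocation:
            raise NotImplementedError(f"{self.vendor} API has no revocation call")
        if self.fail_revocation:
            raise RuntimeError(f"{self.vendor} returned HTTP 503 on revoke")
        self.credential_revoked = True


@dataclass
class DisconnectResult:
    paused: bool
    revoked: bool
    manual_revocation_required: bool
    audit: list[str] = field(default_factory=list)


def disconnect(conn: Connector) -> DisconnectResult:
    """Pause first so no further events flow, then try to revoke at source.

    A revocation that did not happen must never be reported as if it had:
    the credential stays valid at the vendor until an operator revokes it
    there, so manual_revocation_required stays True in both failure paths.
    """
    result = DisconnectResult(paused=False, revoked=False,
                              manual_revocation_required=True)
    conn.pause()
    result.paused = True
    result.audit.append(f"{conn.vendor}: ingestion paused")
    try:
        conn.revoke_credential()
        result.revoked = True
        result.manual_revocation_required = False
        result.audit.append(f"{conn.vendor}: credential revoked at source")
    except NotImplementedError:
        result.audit.append(
            f"{conn.vendor}: vendor API cannot revoke; "
            "revoke the credential in the vendor console"
        )
    except Exception as exc:
        # Keep the vendor's error context for the operator, not the credential.
        result.audit.append(
            f"{conn.vendor}: revocation failed ({exc}); credential still valid at source"
        )
    return result
```

Pausing before revoking matters when revocation fails: the integration is already quiet, so a retry or a manual revocation can happen without events continuing to flow under a credential the operator believed was gone.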