Integrations

Verified live APIs where it counts.

Two Live Direct API integrations today — CrowdStrike Falcon and Okta Identity Cloud. Additional systems are supported as evidence sources via SDK, manual ingestion, or category adapters.

Live Direct API

Two verified bidirectional integrations.

Direct APIs with documented inbound and outbound flows, scoped credentials, and manual fallbacks.

CrowdStrike Falcon
Live Direct API · bidirectional via webhooks

Inbound: Process trees, host telemetry, user identity, EDR alerts, file hashes.
Outbound: Investigation status (Case Closed / Resolved) and host tags for context enrichment.
Scopes: Read-only for telemetry; write scoped to specific host-tagging and metadata fields.
Setup: OAuth2 Client ID/Secret via a CrowdStrike API Client with Detection and Host scopes.
Fallback: Manual CSV upload of EDR detection logs.
Privacy: Data processed in memory for context; long-term storage follows SOCPilot retention policy.
Logo: Logo use approved. CrowdStrike Official Partner status pending Q3 2026.

Okta Identity Cloud
Live Direct API

Inbound: User authentication events, MFA challenges, device context, group memberships.
Outbound: Enrichment of the User entity inside SOCPilot investigation timelines.
Scopes: User.Read, Events.Read.All.
Setup: Okta API Token or OAuth2 application.
Fallback: Manual ingestion of Okta System Log exports.
Privacy: PII masking in Executive Brief output unless Full Transparency mode is enabled by a Tenant Admin.
Logo: Logo use approved.
Verified evidence sources

Used as source records — not offered as standalone integrations.

These systems were verified as evidence sources during the Veridian Global Logistics pilot. They are not marketed as direct product integrations without a separate integration proof.

Splunk
Verified source records — VGL workflow

Used as an evidence source during Veridian Global Logistics pilot investigations. Not currently offered as a standalone SOCPilot product integration.

AWS CloudTrail
Verified source records — VGL workflow

Used as an evidence source (AssumeRole events, control-plane activity) during VGL investigations. Not currently offered as a standalone SOCPilot product integration.

Zscaler Internet Access
Verified source records — VGL workflow

Used as an evidence source (session anomalies, new-IP context) during VGL investigations. Not currently offered as a standalone SOCPilot product integration.

Source: Veridian Global Logistics pilot, February 12 – May 30, 2026.

Category coverage

Generic categories, not direct integrations.

For systems outside the Live Direct API list above, SOCPilot ingests data via SDK, manual upload, or category adapters. No specific vendor is claimed as a direct integration without proof.

SIEM

Category support via SDK or manual ingestion.

EDR

Live Direct API for CrowdStrike Falcon; other vendors via SDK or export.

XDR

Category support via SDK or manual ingestion.

Firewall

Category support via SDK or manual ingestion.

Identity

Live Direct API for Okta; other IdPs via SDK or export.

Cloud

Category support via SDK or manual ingestion of audit-log exports.

Email

Category support via SDK or manual ingestion.

Network

Category support via SDK or manual ingestion.

Ticketing

Category support via SDK or manual ingestion.

Compliance

Category support via SDK or manual ingestion.

Read-only defaults · Least-privilege scopes · Rotatable credentials

Don't see your tool?

Build with our SDK — or scope a direct integration with us.

Tell us what you need to connect. We respond within one business day.
