Commit e48f6003 authored by Václav Bartoš's avatar Václav Bartoš

doc: administration.md added, just with outline and todo notes

# SOCtools Administration Guide
TODO:
Describe which components there are, how they work together and how data flows between them. (There is already an architecture.md; review and update it.)
## User management
How is user management handled (Keycloak)? Is everything centralized, or do some applications also keep "local" users?
How to add and edit user accounts.
## Data ingestion
How to forward logs from servers/applications to SOCtools, and what must be set up in NiFi.
Other data sources besides logs? Emails?
How to set up data feeds in MISP and analyzers in Cortex.
## Data processing in NiFi
What the current NiFi pipeline does and how to reconfigure it.
## Other tools?
Is there anything in Elasticsearch, Kibana, MISP, The Hive, etc. that is specific to SOCtools and should be described here (i.e. cannot be found in the official documentation of these tools)?