Managed SIEM

It would be nice if you could create custom alerts for the SIEM. Basically create a query and if something meets the criteria send a alert. A few things that you would probably want for this feature: I don't think these alerts should go to SOC. As otherwise the SOC might get overwhelmed by custom alerts. Allow the custom alert to have a threshold before activated. For example set a threshold of 50 failed logins on user bob2 before triggering. While the alerts should not go directly to the SOC it probably would be helpful if visible to the SOC if something does happen.

Currently Microsoft 365 Unified Audit Logs are ingested through ITDR and stored in SIEM but this is only ingesting the AzureActiveDirectory and Exchange UAL workloads. It would be nice to see this expanded out to include all UAL workloads, especially SharePoint, Onedrive, and Teams. This would be a huge help for investigating account compromise incidents to get a full picture of all activity performed by a threat actor before containment (if it wasn't outright prevented by ITDR of course). Maybe even make this a standalone integration for clients who want SIEM but not ITDR? It would also be nice to see the parsing improved. Especially parsing out the session ids more reliably as in my experience so far those are often still contained in the itdr.DeviceProperties or raw message field rather than the itdr.sessionid field.

It is great we can get alerts when a device stops sending data to SIEM. Could we get a filter to choose which devices send alerts? For example, I would like Firewalls to send alerts but not workstations.

Would be good if there was a way to store a custom query we make for quick reference back to. E.G if we are monitoring the same event type for a particular user, instead of having to type of the ES|QL command each time, being able to load a stored custom query or a dropdown list of showing the history of previously ran queries to refer back on.

The current settings for non-reporting source management escalations cause issues with workstations that are offline for extended periods of time (after hours, weekends, etc.). It would be nice if there was a way to configure the duration separately for servers and workstations, along with a custom field rather than presents.

Add support for parsing Mikrotik RouterOS logs sent via syslog

We'd like to label our Syslog Sources something other than "Syslog (Local)", if we have multiple sources configured it becomes tedious having to open each one and match IP addresses

I would like the ability to remove or archive firewall syslog sources. For firewalls that were permanently removed, this still shows as a source and just looks as if it is not properly collecting. When the reporting of offline collectors occurs, this would alert even though it is not expected to be collecting logs any longer.

Have a way to deal with data retention for longer than 1 year. Huntress charging more for longer retention or automated option for data moving to 3rd party location.

Hyperlink to source to view all logs from said source, and also sort by source or any column.