Managed SIEM

It would be nice if you could create custom alerts for the SIEM. Basically create a query and if something meets the criteria send a alert. A few things that you would probably want for this feature: I don't think these alerts should go to SOC. As otherwise the SOC might get overwhelmed by custom alerts. Allow the custom alert to have a threshold before activated. For example set a threshold of 50 failed logins on user bob2 before triggering. While the alerts should not go directly to the SOC it probably would be helpful if visible to the SOC if something does happen.

We'd like to label our Syslog Sources something other than "Syslog (Local)", if we have multiple sources configured it becomes tedious having to open each one and match IP addresses

Manage Windows security audit (logging) settings

Add the ability for users to build a query via a GUI. This would help less tech savvy users be able to search for specific events.

Hi all, I am working with a partner who would like additional visibility for the data archives. Currently, the data archives only show the Account Name and not the Organization in which the data archive was performed for. Adding the Organization name instead would prevent the potential to cross streams and mix up data between the orgs. Lastly, the data archive time period only allows for chunks of 30-days. If you are conducting several data archives over a 6-month period, it becomes difficult to track which archive pertains to which time frame without downloading the data and having a look. So, the partner would like the data archive time period on display as well, please. Thank you!

Would be great to collect logs from NAS appliances. I have both Synology and QNAP NAS systems at client sites and the logs would help get insight into authentication and access attempts as well as things like the built-in AV logs on those devices.

Would be good if there was a way to store a custom query we make for quick reference back to. E.G if we are monitoring the same event type for a particular user, instead of having to type of the ES|QL command each time, being able to load a stored custom query or a dropdown list of showing the history of previously ran queries to refer back on.

I would like the ability to remove or archive firewall syslog sources. For firewalls that were permanently removed, this still shows as a source and just looks as if it is not properly collecting. When the reporting of offline collectors occurs, this would alert even though it is not expected to be collecting logs any longer.

When looking at the ITDR logs the Message column is just the JSON collection of event information. It would be amazing if you were able to parse the JSON and split that content into columns similar to how this KB does for Excel: https://learn.microsoft.com/en-us/purview/audit-log-export-records It's more human readable that way.