Managed SIEM

It would be nice if you could create custom alerts for the SIEM. Basically create a query and if something meets the criteria send a alert. A few things that you would probably want for this feature: I don't think these alerts should go to SOC. As otherwise the SOC might get overwhelmed by custom alerts. Allow the custom alert to have a threshold before activated. For example set a threshold of 50 failed logins on user bob2 before triggering. While the alerts should not go directly to the SOC it probably would be helpful if visible to the SOC if something does happen.

It would be great to use the MDR connector or something related to ingest logs from Defender XDR to the SIEM solution.

Ingest powershell data for auditing and detection purposes. Malicious PowerShell scripts are commonly used by threat actors to run silent actions in the background.

Collect, parse, and store logs from Azure, AWS, and Google Workspace

When configuring Firewalls such as Sonicwall or Ubiquiti, their source name in Huntress SIEM is "Syslog events for 192.168.x.x", source type "SonicWall Firewall". It would be very helpful that the SIEM fetched the Syslog ID from the messages. In the Sonicwall, it is sonicwall.id . In ubiquiti, host.hostname. These fields contain the actual Firewall name or Syslog ID we have to identify them internally. If this value was shown as the Source name in Huntress, it would be very helpful. As an alternative, manually renaming the sources would be useful too

Have a way to deal with data retention for longer than 1 year. Huntress charging more for longer retention or automated option for data moving to 3rd party location.

Would be good if there was a way to store a custom query we make for quick reference back to. E.G if we are monitoring the same event type for a particular user, instead of having to type of the ES|QL command each time, being able to load a stored custom query or a dropdown list of showing the history of previously ran queries to refer back on.

Add the ability for users to build a query via a GUI. This would help less tech savvy users be able to search for specific events.

We have multiple firewalls sending syslogs to different servers to allow for the agents on those servers to forward the logs to the SIEM. The source is always the name of the server, not the name or brand name of the firewalls. It would be nice if we could change the names of the source type and agent for them so they are easier to find.