Managed SIEM

Would it be possible to get some better alerts from DUO. Our previous SOC/SIEM provider alerted us on concurrent login failures, new privileged accounts and other suspicious activities. I don't think Huntress is doing any DUO alerting so it feels like a step backwards. I realize Huntress's methodology is to cut down on noise, but if I'm choosing to pipe DUO logs in to Huntress it's because I want you to watch them, let us know about suspicious things, and our team will decide if we want to ignore it.

It would be nice if you could create custom alerts for the SIEM. Basically create a query and if something meets the criteria send a alert. A few things that you would probably want for this feature: I don't think these alerts should go to SOC. As otherwise the SOC might get overwhelmed by custom alerts. Allow the custom alert to have a threshold before activated. For example set a threshold of 50 failed logins on user bob2 before triggering. While the alerts should not go directly to the SOC it probably would be helpful if visible to the SOC if something does happen.

If one of the Enabled Syslog Agents(ie: syslog listener) stops sending data for an extended period(ideally configurable), there should be an alert that is generated to have someone investigate.

I would sleep better at night if you guys watched my RMM logs from Ninja.

We would like to be able to send SIEM syslog data directly from the firewall into the Huntress portal rather than relaying through an agent on the network.

Would be great to collect logs from NAS appliances. I have both Synology and QNAP NAS systems at client sites and the logs would help get insight into authentication and access attempts as well as things like the built-in AV logs on those devices.

Bitwarden is a popular password manager and is used in both hosted/cloud and self-hosted setups. They publish event logs via a very well documented API. Would love to see Huntress support this for ingest. PLEASE support custom URLs for self-hosted and not just cloud hosted. https://bitwarden.com/help/public-api/ https://bitwarden.com/help/event-logs/

Currently, the M365 SIEM logs are tied to the M365 integration/subscription and are considered a free log source for ITDR partners. I would appreciate having a generic M365 log source available for SIEM, which would enhance our ability to retain logs and review them for potential compromises or malicious activity.

Ingest access logs from things like Screenconnect, Kaseya, Nable, Auvik, Datto RMM etc etc that MSP's use to admin their clients.