Custom Alerts
under review
Jonathan Pilkington
It would be nice if you could create custom alerts for the SIEM. Basically, create a query and, if something meets the criteria, send an alert. A few things that you would probably want for this feature:
- I don't think these alerts should go to SOC. As otherwise the SOC might get overwhelmed by custom alerts.
- Allow the custom alert to have a threshold before it is activated. For example, set a threshold of 50 failed logins on user bob2 before triggering.
- While the alerts should not go directly to the SOC, it probably would be helpful if they were visible to the SOC if something does happen.
Gurjan Lally
Would be great for us - with so much infrastructure and custom setups, there are plenty of custom detection cases. i.e. secrets (key vault) access, group membership, pim role assignments etc
Frank Coviello
We absolutely need this. CMMC mandates it in 3.3.4
zachary miller
This is much needed.
Devin Shirkey
This is much needed. Would like custom alerting on successful login on some syslog devices
Robert Duchesne
I agree with this, my defense clients have requested this so that they can know when something is manipulated or if there is an issue.
Nate O'Brien
Hello all - a survey was sent out to all participants (i.e. commenters and voters) of this request, however it looks like it was sent out without a subject line and may have gone to spam in some cases. If you haven't already taken the survey, we would greatly appreciate a moment of your time to do so. The survey can be found here:
Thank you all!
Tristan Whitman
It would be nice to have privilege escalation alerts along with change management alerts for compliance. For example: a new user was created (local or domain), user added to a group, account lockouts, user deleted, GPO changes. Generally in our industry, regulators want real-time alerts. This could also extend into firewall alerts: VPN failed logon events, changes, administrator logins.
I think if we could set the query and who gets notified, that would be awesome. These are more just informational alerts, but for certain instances being able to make a ticket would be useful. It might also be useful to be able to assign a criticality rating.
I think it would also be worth mentioning having an inheritance option. For example, as an MSP, we can create a global set of alerts. These get pushed out by default, unless a customer overwrites a rule with their own.
It might be easier from a development standpoint to start with predefined alert options, kind of like the queries.
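The two kinds of custom alert asked for in this thread (Jonathan's threshold rule, e.g. N failed logins on one user before an alert fires, and Tristan's change-management rules with a chosen notification target and criticality) can be sketched as a small rule engine run over parsed log events. The block below is an added illustration, not Huntress SIEM code or any part of the product; the log lines, field names (`event`, `user`, `group`, `actor`), rule names and the `notify` targets are all constructed for the example.

```python
"""Toy custom-alert engine: threshold rules and simple match rules over log events.

Added example, not the SIEM's own implementation. Log format and field names
are assumptions made for this illustration.
"""
import shlex
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (key=value after an ISO timestamp); not real data.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z event=auth_failure user=bob2 src=10.0.0.5
2024-05-01T10:00:02Z event=auth_failure user=bob2 src=10.0.0.5
2024-05-01T10:00:03Z event=auth_failure user=bob2 src=10.0.0.5
2024-05-01T10:00:04Z event=auth_failure user=alice src=10.0.0.9
2024-05-01T10:00:05Z event=group_member_added user=carol group="Domain Admins" actor=admin1
2024-05-01T10:00:06Z event=auth_success user=alice src=10.0.0.9
2024-05-01T10:20:00Z event=auth_failure user=bob2 src=10.0.0.5
"""


@dataclass
class Rule:
    name: str
    match: dict                              # field -> required value
    threshold: int = 1                       # events needed before the alert fires
    window: timedelta = timedelta(minutes=10)  # sliding window for the count
    key: str = "user"                        # field the count is grouped by
    severity: str = "informational"          # criticality rating shown on the alert
    notify: str = "customer"                 # who gets notified (assumed targets)


@dataclass
class Alert:
    rule: str
    key: str
    count: int
    severity: str
    notify: str
    at: datetime


def parse_line(line: str) -> dict:
    """Parse '<timestamp> k=v k="quoted v" ...' into a dict with a 'ts' datetime."""
    ts, *tokens = shlex.split(line)          # shlex keeps quoted values intact
    fields = dict(tok.split("=", 1) for tok in tokens)
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def evaluate(rules: list, log_text: str) -> list:
    """Run every rule over the log; return alerts in the order they fire."""
    alerts = []
    windows = defaultdict(deque)             # (rule, key) -> timestamps in window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for rule in rules:
            if any(ev.get(f) != v for f, v in rule.match.items()):
                continue                     # this event does not match the query
            key = ev.get(rule.key, "*")
            q = windows[(rule.name, key)]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > rule.window:
                q.popleft()                  # drop events older than the window
            if len(q) >= rule.threshold:
                alerts.append(Alert(rule.name, key, len(q), rule.severity,
                                    rule.notify, ev["ts"]))
                q.clear()                    # fire once per burst, then reset
    return alerts


RULES = [
    # Threshold rule: 3 failed logins on one user within 10 minutes.
    Rule("failed_login_burst", {"event": "auth_failure"}, threshold=3,
         severity="medium", notify="customer"),
    # Change-management rule: any addition to a privileged group fires at once.
    Rule("privileged_group_change",
         {"event": "group_member_added", "group": "Domain Admins"},
         threshold=1, severity="high", notify="customer_and_soc_visible"),
]


def run_demo() -> list:
    """Evaluate the constructed log against RULES; used by the usage below."""
    return evaluate(RULES, SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.at:%H:%M:%S} [{a.severity}] {a.rule} key={a.key} "
              f"count={a.count} notify={a.notify}")
```

On the sample log this fires twice: once for bob2 after the third failure at 10:00:03 (the lone failure at 10:20:00 falls outside the window and the counter was reset), and once for carol's addition to the privileged group. The `notify` and `severity` fields are where a product would hang the routing asked for above (customer notification versus SOC visibility, ticket creation, criticality), and a per-tenant rule list with a global default is the inheritance idea in the MSP comment.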
Nate O'Brien
Merged in a post:
Custom Alerts Notifications
Chris Bisnett
Adding in custom alert notifications through Escalations within Managed SIEM for anomalous behaviors
Leith Magon
Can you guys implement this ASAP please! We are wanting to centralize all logging out of Huntress SIEM and push these alerts to HaloPSA using the integration already present in Huntress. The idea being we can flag certain FortiGate UTM events in our ticketing system for review.
Chris Bisnett
Merged in a post:
Event Notifications
Paul Martin
It would be great if the Huntress SIEM could send us a notification when certain events are detected. For example, a new user account being added to Active Directory, a user being added to a security group, or an admin login to the firewall.