Custom Detection Rules
Nikos Fronimakis
Will you consider adding the ability to create custom detection rules? That would enable us to use the data collected in the SIEM (Logs + EDR) to check for intrusions.
I know that you do that already but if it was possible it would allow us to migrate from our current solution.
Access to the data and being able to perform our checks is very important. You already consider allowing SIEM users to see the EDR data, so I think this is a natural next step.
Rylan Hutchins
I would also like to create custom alerts for non-intrusion related items. One of our clients requested alerting off of some syslog data we've been seeing, and sadly we're unable to assist until a change like this occurs.
Calin Andrews
This would be very helpful even for non-intrusion related items. We leverage SIEM for various kinds of compliance-related tasks where we need to be alerted for various kinds of events that are not necessarily related to a security incident.
Being able to get an alert due to admin account non-use, for example (i.e. alert if an administrative M365 (or a Domain Admin AD) user account has not authenticated within 90 days).
Or if we would like to configure a detection rule that supports an Acceptable Use Policy item that isn't truly a security incident.
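As an added illustration (not part of this thread or the vendor's product), a minimal version of the stale-admin-account rule described above, run over a constructed authentication-event export; the field names, the admin account list and the 90-day threshold are assumptions:

```python
from datetime import datetime, timedelta, timezone

# Constructed sample auth events (hypothetical SIEM export format), not real data.
AUTH_EVENTS = [
    {"user": "admin-alice", "ts": "2024-01-05T09:12:00Z", "result": "success"},
    {"user": "admin-bob",   "ts": "2024-05-20T14:03:00Z", "result": "success"},
    {"user": "admin-carol", "ts": "2024-05-28T08:00:00Z", "result": "failure"},
    {"user": "svc-backup",  "ts": "2024-05-29T01:00:00Z", "result": "success"},
]

# Hypothetical privileged-account inventory (Domain Admins / M365 admins) pulled from the directory.
ADMIN_ACCOUNTS = ["admin-alice", "admin-bob", "admin-carol", "admin-dave"]

# Fixed evaluation time so the example is reproducible; a real rule would use the current time.
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_successful_auth(events):
    """Map each user to the timestamp of its most recent successful authentication."""
    latest = {}
    for e in events:
        if e["result"] != "success":
            continue  # failed logons are not evidence the account is in use
        ts = parse_ts(e["ts"])
        if e["user"] not in latest or ts > latest[e["user"]]:
            latest[e["user"]] = ts
    return latest


def stale_admin_accounts(events, admins, now, max_idle_days=90):
    """Return (user, last_success_date) for admins idle longer than max_idle_days.

    last_success_date is None when no successful logon appears in the log window,
    which is reported too: an inventory account with no logons at all is the case
    a non-use rule most needs to surface.
    """
    latest = last_successful_auth(events)
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for user in admins:
        last = latest.get(user)
        if last is None:
            stale.append((user, None))
        elif last < cutoff:
            stale.append((user, last.date().isoformat()))
    return stale


if __name__ == "__main__":
    for user, last in stale_admin_accounts(AUTH_EVENTS, ADMIN_ACCOUNTS, REFERENCE_NOW):
        print(f"ALERT stale admin account: {user} (last success: {last or 'none in window'})")
```

The rule only sees what the export contains, so the log retention window must cover at least the idle threshold, otherwise every account looks unused.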