The current implementation of SIEM "Scheduled Queries" is impractical for most use cases.
Here is what would be useful for us as an org:
  • Custom alerting based on query
  • Sent directly to our PSA integration (HaloPSA)
  • Details included in the alert
  • Ability to control at Account Level and have it split into correct orgs (alerts organized per client)
  • Ability to set up individual alerts for specific clients
For example, say we set up a custom alert for failed user logins on a remote desktop server.
Say we have more than one client with an RDS.
We get an alert from Client A -> shows up under that client's org in Halo with the full details of the event (user.id, event.id, etc.).
Say both client A and client B alert at the same time -> we get two tickets, one for client A and one for client B.
We would like to be able to do this for any query -> send the full query details, for that org, when it occurs, to our PSA via integration.
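The routing behaviour described in this request, written out as an added example (it is not code from the SIEM vendor, from HaloPSA, or from the original poster): scheduled-query rows are grouped by the organisation they belong to, an account-level rule can be overridden or disabled per client, and each org that meets its threshold gets exactly one ticket payload carrying the full event details. The `org_id` column, the `AlertRule` shape and the `send` callable are assumptions; the sample rows are constructed, and the Halo delivery itself is left to whatever integration function you plug in.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample rows, modelled on the post's user.id / event.id fields.
# The org_id column is an assumption: the query must carry something that identifies the client.
SAMPLE_RESULTS = [
    {"org_id": "client-a", "host": "rds01", "user.id": "jsmith", "event.id": 4625,
     "timestamp": "2024-05-01T10:00:00Z"},
    {"org_id": "client-a", "host": "rds01", "user.id": "jsmith", "event.id": 4625,
     "timestamp": "2024-05-01T10:00:05Z"},
    {"org_id": "client-b", "host": "rds-main", "user.id": "admin", "event.id": 4625,
     "timestamp": "2024-05-01T10:00:03Z"},
    {"org_id": "client-c", "host": "rds02", "user.id": "svc", "event.id": 4625,
     "timestamp": "2024-05-01T10:00:04Z"},
    {"host": "orphan", "user.id": "x", "event.id": 4625,          # no org: cannot be routed
     "timestamp": "2024-05-01T10:00:09Z"},
]


@dataclass
class AlertRule:
    """Account-level rule with per-client overrides (hypothetical shape, not a vendor API)."""
    query_name: str
    default_threshold: int = 1                       # applies to every org unless overridden
    org_thresholds: dict = field(default_factory=dict)  # per-client threshold overrides
    disabled_orgs: set = field(default_factory=set)     # clients that should never be ticketed

    def threshold_for(self, org):
        return self.org_thresholds.get(org, self.default_threshold)


def group_by_org(rows, org_field="org_id"):
    """Split query rows into per-org buckets; rows without an org go to the unrouted bucket."""
    by_org, unrouted = defaultdict(list), []
    for row in rows:
        org = row.get(org_field)
        (by_org[org] if org else unrouted).append(row)
    return by_org, unrouted


def build_tickets(rule, rows, org_field="org_id"):
    """Return one ticket payload per org that met its threshold, plus any unroutable rows."""
    by_org, unrouted = group_by_org(rows, org_field)
    tickets = []
    for org in sorted(by_org):
        events = by_org[org]
        if org in rule.disabled_orgs or len(events) < rule.threshold_for(org):
            continue
        tickets.append({
            "org_id": org,
            "summary": f"[{rule.query_name}] {len(events)} matching event(s)",
            "details": events,                      # full query rows, not just a count
        })
    return tickets, unrouted


def dispatch(tickets, send):
    """Hand each ticket to the PSA integration; `send(ticket)` is whatever your connector exposes."""
    return [send(t) for t in tickets]


if __name__ == "__main__":
    rule = AlertRule("RDS failed logins", default_threshold=1,
                     org_thresholds={"client-b": 2}, disabled_orgs={"client-c"})
    tickets, unrouted = build_tickets(rule, SAMPLE_RESULTS)
    for t in tickets:
        print(t["org_id"], "->", t["summary"])
    print("unrouted rows:", len(unrouted))
```

With the rule above, client-a gets a ticket with both of its events attached, client-b is held back because its override requires two events, client-c is disabled, and the row with no org is reported separately rather than silently attached to the wrong client.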