Managed SIEM

EventID 100 in the application log with the source of ScreenConnect contains connection information when an admin or user connects to a system with ScreenConnect. The details include the name of the user that made the connection and would be helpful to capture in SIEM.

I want to create a custom alert/escalation based on SIEM queries, e.g, using SIEM queries to create an alert/escalation when specific accounts are logged into, without using the scheduled reports

The current implementation of SIEM "Scheduled Queries" is impractical for most use cases. Here is what we would be useful for us as an org: Custom alerting based on query Sent directly to our PSA integration (HaloPSA) Details included in the alert Ability to control at Account Level and have it split into correct orgs (alerts organized per client) Ability to set up individual alerts for specific clients For example, say we set up a custom alert for failed user logins on a remote desktop server. Say we have more than one client with an RDS. We get an alert from Client A -> shows up under that client's org in Halo with the full details of the event ( user.id , event.id , etc). Say both client A and client B alert at the same time -> we get two tickets, one for client A and client B. We would like to be able to do this for any query -> send the full query details, for that org, when it occurs, to our PSA via integration.

Current functionality is that an email notification is sent to the user who configured the scheduled query but it would be more effective to specify a different email address to send the notification to so the right team can work on it.

Scheduled searches are very useful to set up alerts for specific events but the notifications are limited to the person who set them up. It would be helpful to be able to have custom recipients for these (for example to route them to a helpdesk system). Secondly it would help if all huntress admins could see and manage the saved searches

Would be good to collect the Mac logs into the SIEM its a requirement for some of our clients right now and makes sense to be in Huntress.

Currently, Non-Reporting Log Source Escalations are global and will create notifications for endpoints that hit the configured non-report window. This creates unnecessary noise for clients with expected inactive/shelved endpoints. Please allow the setting "Escalate Non-Reporting Data Sources" to be scoped for individual organizations and/or endpoints.

It would be really good to have SIEM able to ingest logs from Microsoft SQL Server to help monitor and secure the usage of our SQL Databases.

SIEM Source Management It would be good to be able to do the following: Rename Source Name Rename Source Type Delete SIEM sources during implementation

We'd like to label our Syslog Sources something other than "Syslog (Local)", if we have multiple sources configured it becomes tedious having to open each one and match IP addresses