Managed SIEM

The current settings for non-reporting source management escalations cause issues with workstations that are offline for extended periods of time (after hours, weekends, etc.). It would be nice if there was a way to configure the duration separately for servers and workstations, along with a custom field rather than presents.

We rely on the Non-Reporting Log Source Escalation feature to alert us when critical infrastructure sources such as firewalls and servers stop reporting. However, the current setting applies to all sources equally with no way to exclude endpoints. Workstations and laptops get powered off regularly, which causes the alert to fire frequently and creates unnecessary noise. This alert fatigue makes it harder to catch the cases that actually matter, like a firewall or server going silent. We would like the ability to either designate specific sources as critical so only those trigger the escalation, or exclude certain device types such as laptops and desktops from the alert entirely. Confirmed with Huntress support that this is not currently possible.

Please add a supported way to ingest Druva logs (native integration or Druva-compatible mode on Generic HEC) so partners can centralize Druva audit/backup activity in Huntress SIEM.

We have multiple firewalls sending syslogs to different servers to allow for the agents on those servers to forward the logs to the SIEM. The source is always the name of the server, not the name or brand name of the firewalls. It would be nice if we could change the names of the source type and agent for them so they are easier to find.

Would be good to collect the Mac logs into the SIEM its a requirement for some of our clients right now and makes sense to be in Huntress.

It would be great to see a connection between Huntress Siem and Avanan for Email security

I understand that internal Syslog collection is supported, but external Syslog collection is not yet available. It would be advantageous to have support for external Syslog collection to broaden the scope of log sources that can be integrated into Huntress SIEM.

Customers would like the ability to ingest log data for OneDrive and Sharepoint online to track security relevant events in the case of data attempted to be exfiltrated or unauthorized users accessing data

Ability for more granularity around the SIEM source not reporting escalation settings. Currently, SIEM sources need to report every hour for 7 days to establish a baseline before an alert will be created. Adding in the ability to customize the duration for that period to be shorter or longer would allow for finer tuning.

Will you consider adding the ability to create custom detection rules ? That would enable us to use the data collected in the SIEM (Logs + EDR) to check for intrusions. I know that you do that already but if it was possible it would allow us to migrate from our current solution. Access to the data and being able to perform our checks is very important. You already consider allowing siem users to see the edr data so i think this is a natural next step.