SIEM

It would be nice if we can have an "easy button" for searching for specific common / interesting events. One example may be "failed logins" or "RDP Session Logins" with the option to modify the query to expand or scope it (Machine name etc).

It would be nice if you could create custom alerts for the SIEM. Basically create a query and if something meets the criteria send a alert. A few things that you would probably want for this feature: I don't think these alerts should go to SOC. As otherwise the SOC might get overwhelmed by custom alerts. Allow the custom alert to have a threshold before activated. For example set a threshold of 50 failed logins on user bob2 before triggering. While the alerts should not go directly to the SOC it probably would be helpful if visible to the SOC if something does happen.

It would be fantastic if Huntress was a full SIEM/SOAR solution, were we could collect event logs, syslogs, etc and the SOC be able to take action or help us resolve incidents. It would also be handy for us for more visibility. Such as which websites a user visited, what files they edited, etc.

Add the ability to exclude a computer from log collection (mainly if consumption based). Though this would depend if you plan on using the Huntress agent or if you plan to eventually separate the SIEM into its own program. As if it is the latter it would be simple as just not installing the SIEM component.

It would be great if there was a way to see a preview of the filtered logs, or at a minimum some examples or rule definitions of things that are filtered so we know what is or is not captured.

Ingest logs from Ubiquiti and Unifi

Being able to see what logs are using up the ingest quota (if that ends up being the pricing model) and would be very helpful. Would be nice to see this at the organization and computer level.

If we are running our own internal log management system, such as Graylog for exmaple, it would be good to have the ability to ship pre-filtered logs from our own aggregator into huntress SIEM.

Had a neat issue where a system was having some sort of odd LGPO/LocalSecurityPolicy problem that resulted in security audit events essentially turning off shortly after boot up. Only caught it because the system stood out because of low volume of logs being ingested into SIEM. I'd be nice to have some sort of best-practice/recommended/WinDefault 'audit policy' reporting (similar to Huntress Managed AV settings reporting) to indicate systems that don't have a useful/working Windows security audit/event config.