Custom Alerts
Jonathan Pilkington
It would be nice if you could create custom alerts for the SIEM. Basically create a query and if something meets the criteria send an alert. A few things that you would probably want for this feature:
- I don't think these alerts should go to SOC. As otherwise the SOC might get overwhelmed by custom alerts.
- Allow the custom alert to have a threshold before activated. For example set a threshold of 50 failed logins on user bob2 before triggering.
- While the alerts should not go directly to the SOC it probably would be helpful if visible to the SOC if something does happen.
Phil Eldridge
+1 for this and the comment about monitoring brute force attempts on AD accounts. Any repeated entries for 4625 event IDs, I think it is, over a period of time would be great.
Billy Rudolph
I agree there should be some functionality that we can utilize for custom alerts that won't trigger anything with the SOC. We wouldn't use these to alert on malicious actions, as I expect Huntress to manage that, but we would use these for various "nice to knows" (e.g. a domain admin logging in); Huntress will already have the logs and a method of querying.
If this isn't built in I can see many organizations still needing to utilize another system to reach this goal which adds complexity and costs.
Additionally if a system cannot send logs to multiple places (e.g. many syslog implementations) then that further complicates things as there will need to be a fourth system in place to send logs to both Huntress and the alerting platform.
James Stull
I'm thinking the ability to setup for various actions, such as risky logins, if you have multiple accounts getting password sprayed from the same host, a ton of files being downloaded from onedrive/sharepoint, etc.
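As an added illustration of the three rules asked for above (a per-account failure threshold with a time window, repeated 4625 events, and several accounts sprayed from one host), here is detection logic run over constructed 4625 events. This is example code written for this thread, not Huntress product code; the field names follow the Windows Security 4625 event, but the event records, the 10-minute window, the thresholds and the IP addresses are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(ts, user, ip):
    # Constructed Windows Security 4625 (failed logon) event, cut down to the
    # fields the rules need; real events carry many more. Sample data, not real logs.
    return {"EventID": 4625, "TimeCreated": datetime.fromisoformat(ts),
            "TargetUserName": user, "IpAddress": ip}


SAMPLE_4625 = (
    # bob2 hammered from one LAN host: 60 failures inside one minute
    [_ev(f"2024-03-01T08:00:{i:02d}", "bob2", "10.0.0.55") for i in range(60)]
    # eight different accounts tried twice each from one external host: a spray
    + [_ev(f"2024-03-01T09:00:{i:02d}", f"user{i % 8}", "203.0.113.9") for i in range(16)]
    # a real user mistyping a password three times over a day: noise
    + [_ev(t, "alice", "198.51.100.7")
       for t in ("2024-03-01T03:00:00", "2024-03-01T07:00:00", "2024-03-01T15:00:00")]
)


def _windowed_peak(events, key, measure, window):
    """Group 4625 events by `key`; for each group return the largest value of
    `measure(recent)` seen over any span of length `window` (sliding window)."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        if e["EventID"] == 4625:
            by_key[key(e)].append(e)
    peaks = {}
    for k, items in by_key.items():
        recent = deque()  # events no older than `window` relative to the current one
        peak = 0
        for e in items:
            recent.append(e)
            while e["TimeCreated"] - recent[0]["TimeCreated"] > window:
                recent.popleft()
            peak = max(peak, measure(recent))
        peaks[k] = peak
    return peaks


def brute_force_alerts(events, threshold=50, window=timedelta(minutes=10)):
    """Accounts with at least `threshold` failed logons inside `window`, any source."""
    peaks = _windowed_peak(events, lambda e: e["TargetUserName"], len, window)
    return {user: n for user, n in peaks.items() if n >= threshold}


def password_spray_alerts(events, min_accounts=5, window=timedelta(minutes=10)):
    """Source IPs failing against at least `min_accounts` distinct accounts inside `window`."""
    peaks = _windowed_peak(events, lambda e: e["IpAddress"],
                           lambda recent: len({x["TargetUserName"] for x in recent}), window)
    return {ip: n for ip, n in peaks.items() if n >= min_accounts}


if __name__ == "__main__":
    print("brute force:", brute_force_alerts(SAMPLE_4625))   # {'bob2': 60}
    print("spray:", password_spray_alerts(SAMPLE_4625))      # {'203.0.113.9': 8}
```

The two rules deliberately key on different fields: counting per target account catches the "50 failures on bob2" case, while counting distinct accounts per source catches a spray that never trips a per-account threshold. Alice's three failures spread over hours fall below both, which is the kind of noise a threshold plus a window is meant to drop.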
Chris Bisnett
What types of events would you be looking for and how would you like to get the notifications? It sounds like these would be potentially security related, but without having them sent to the SOC I'm not sure. Our intention is to fully manage the SIEM product from making sure the right data is ingested to detecting malicious events to ensuring the data is stored for compliance retention purposes.
Jonathan Pilkington
Chris Bisnett Honestly the main thing would be brute force attempts on AD accounts. Similar to how M365 alerts when there are a lot of failed CA login attempts.
Scott Thomson
Chris Bisnett another example would be RDP connections from non-LAN IPs. Our RMM's RDP functionality tunnels through the RMM agent, so all RDP connections that it uses appear from localhost, plus any customers that need external RDP access use a brokering tech that doesn't involve firewall/port forwards.
So for our customers & managed devices, any RDP connection logged from non-LAN IPs, or from the local LAN gateway (indicating the gateway/firewall is remapping the inbound IP to the gateway address), would be exceptions and something we'd want to investigate.
Jonathan Pilkington
Scott Thomson Agreed, we know what IPs should be using RDP on certain computers so being able to alert on that would be great.
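As an added example of the RDP rule discussed in the last two comments (flag RDP logons whose source is outside the LAN or is the gateway address, but allow RMM sessions that appear from localhost and the known-good sources for specific computers), here is the check run over constructed Windows 4624 logon events. This is example code written for this thread, not Huntress product code; LogonType 10 is the real RemoteInteractive (RDP) logon type, but the LAN ranges, the gateway address 192.168.1.1, the host/source allowlist and the sample events are assumptions made for the example.

```python
import ipaddress

# Assumed site layout for this example: RFC 1918 ranges count as "LAN", one
# gateway address, and a per-computer allowlist of external sources known to use RDP.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GATEWAY_IPS = {ipaddress.ip_address("192.168.1.1")}
ALLOWED_RDP_SOURCES = {"SRV-FILE01": {"198.51.100.20"}}  # hypothetical host / source pair


def classify_rdp_source(ip_str):
    """Bucket the 4624 IpAddress field as local, lan, gateway or external."""
    if ip_str in ("-", "", "::1", "127.0.0.1"):
        return "local"      # RMM tunnel or console session: no remote network address
    ip = ipaddress.ip_address(ip_str)
    if ip.is_loopback:
        return "local"
    if ip in GATEWAY_IPS:
        return "gateway"    # firewall NAT rewrote the inbound source to the gateway
    if any(ip in net for net in LAN_NETWORKS):
        return "lan"
    return "external"


def rdp_exceptions(events, allowed=ALLOWED_RDP_SOURCES):
    """Return 4624 LogonType 10 (RDP) events whose source is the gateway or an
    external address, unless that source is allowlisted for that computer."""
    flagged = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 10:
            continue        # not an RDP (RemoteInteractive) logon
        reason = classify_rdp_source(e["IpAddress"])
        if reason in ("gateway", "external") and e["IpAddress"] not in allowed.get(e["Computer"], set()):
            flagged.append({**e, "Reason": reason})
    return flagged


def _ev(computer, user, ip, logon_type):
    # Constructed 4624 event reduced to the fields the rule reads; sample data, not real logs.
    return {"EventID": 4624, "Computer": computer, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type}


SAMPLE_4624 = [
    _ev("WS-05", "jdoe", "127.0.0.1", 10),         # RMM-tunnelled RDP: appears from localhost
    _ev("WS-05", "jdoe", "192.168.1.50", 10),      # RDP from a LAN workstation
    _ev("WS-05", "jdoe", "192.168.1.1", 10),       # RDP appearing from the gateway: NAT'd inbound
    _ev("WS-05", "jdoe", "203.0.113.44", 10),      # RDP straight from the internet
    _ev("SRV-FILE01", "svc", "198.51.100.20", 10), # external, but allowlisted for this host
    _ev("WS-05", "jdoe", "203.0.113.44", 3),       # network logon (SMB etc.), not RDP
]


if __name__ == "__main__":
    for e in rdp_exceptions(SAMPLE_4624):
        print(e["Computer"], e["TargetUserName"], e["IpAddress"], e["Reason"])
```

Filtering on LogonType 10 matters: the same external address also shows up as a LogonType 3 network logon in the sample, and that is a different question (SMB, WinRM and the like) that this rule should not answer. The per-computer allowlist is what turns "non-LAN RDP" into "RDP from an IP we did not expect on this machine".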