MSP Tool Logs
in progress
Dee Lowndes
Ingest access logs from things like ScreenConnect, Kaseya, N-able, Auvik, Datto RMM, etc. that MSPs use to admin their clients.
Chris Bisnett
in progress
We're working through the long list of MSP tools that folks have requested. Some are easier than others to implement and some we have access to and others we don't. All of these things determine just how fast we can get to the data source.
Separate tickets for tracking interest and progress for each tool:
DattoRMM
NinjaRMM
Martin Yelland
N-Central supports shipping Audit Logs to Syslog; this would be great.
Cory B
I would like to add ManageEngine Endpoint Central, GoToAssist, and LogMeIn to this request.
Craig Gauss
Have had our financial auditors ask for logs for any RAT.
Jacob Wiley
NinjaRMM please!
Miles Silk
This would be great for SyncroMSP
Chris Bisnett
under review
Scott Thomson
Keeper Security does audit log shipping via syslog.
Chris Bisnett
I like this idea. What types of events are logged? Is it stuff that could identify malicious uses of the tooling?
Is that what you would be looking to do with this source?
Scott Thomson
Chris Bisnett Different vendors do or do not retain to the same degree. Having a single trusted vendor to warehouse these, possibly on different terms (from customer SIEM, pricing wise), would be a huge boon to us just for compliance reasons. DattoRMM was, I'm pretty sure, infinite technician activity retention when we onboarded years ago. It's 6m rolling now. I trust my staff, but... that's not going to mean much if we end up with an insider threat situation and I don't have vis of their entire history.
Scott Thomson
Expanding: I'm not even sure you can get DattoRMM activity logs via API. But if you give me a means to manually ingest, dedup the duplicates that come from that, and raise alerts if we are behind by X on manual submit? I'll pay for that even if you don't threat hunt against it.
Matt
Chris Bisnett The biggest thing for me is to be able to investigate if/when the RMM gets owned in a quick and easy manner. A lot of that is up to the RMM vendor actually giving access to that data via API but if it is available, it would be great to have the SIEM be able to ingest that and possibly alert on anything malicious. If that makes sense.
Christopher Culligan
It would be nice to have NinjaOne added to this list as well.