Raise/indicate/notify if a client is under-logging
S
Scott Thomson
Had a neat issue where a system was having some sort of odd LGPO/LocalSecurityPolicy problem that resulted in security audit events essentially turning off shortly after boot up. Only caught it because the system stood out because of low volume of logs being ingested into SIEM.
I'd be nice to have some sort of best-practice/recommended/WinDefault 'audit policy' reporting (similar to Huntress Managed AV settings reporting) to indicate systems that don't have a useful/working Windows security audit/event config.
J
Jonathan Pilkington
I feel from just a general security standpoint this is something that would need to be done. As that could be a sign of something blocking logs from coming in.
B
Billy Rudolph
I believe this is necessary as we've seen similar behavior across other systems. It would be nice if we could get alerted if the "rolling average" of logs for a particular source or client decreases (or increases) by a certain percentage as that likely indicates a system issue beyond Huntress.