Hi SIEM admins, a couple quick questions.
- Are there any plans to add alerting to the SIEM app? Specifically, the ability to create a watch as part of the Detection Rule setup?
- I see others have requested allowing custom Signals columns to be saved. Ideally I would also want this, but I think the default columns should be changed. Personally I would remove Version, Method, Severity and event.module so the actual signal data is surfaced in the Signals pane. The External Alerts columns should be changed to include the rule.reference column; the Endgame data that's surfaced here is not that useful, but having the link to the alert in the Endgame console would be very useful.
- The Network Map in version 7.6.2 appears to have changed to use the endgame-* indices and I don't see a way to change this. This renders the map pretty much useless in our case where the actual external geo data is in the proxy and firewall logs that we ingest and not from endpoints. Can we get an option to customize the data sources or layers for this or at least revert back to normal index geo points?
- Can the Timeline pane be moved to a new tab? Having it render on the same page as the SIEM data you want to investigate makes the interface very clunky and limits the appeal of using timelines. If it were opened in a new tab that could be moved to a second screen, it would be much better.
- Can a summary of the ML job anomalies be surfaced on the SIEM Overview page? Even the same panel you get from the ML overview page would be fine.
The app itself has real potential (we've found the detection aspect brilliant, and it pretty much replaces a lot of our previous manual Discover work and some ML jobs). With some UI tweaks, the addition of alerting directly from the SIEM app and the ability to customise the layout a bit, it could be really good.