Additional Configuration for Non-Reporting Source Management Escalations
Jonathan Lewin
The current settings for non-reporting source management escalations cause issues with workstations that are offline for extended periods of time (after hours, weekends, etc.). It would be nice if there was a way to configure the duration separately for servers and workstations, along with a custom field rather than presets.
Brent Neste
At the very least, we need the ability to configure this at a per-company and per-source level.
Modern tools need to come out of the box with mechanisms that help prevent false positives and alert fatigue. I was actually surprised to learn this is (currently) a global toggle.
Kris Cears
This is critical for us as well to get full value out of the SIEM offering. Ideally this would be configurable down to the device level, with global and customer level settings available as well that can be overridden down to the device level.
Jeremy Barnes
This is SUPER critical for us and our CMMC clients. We don't need to be notified on Windows devices, but do on EVERY OTHER DEVICE.
Jeremy Barnes
Per-device thresholds:
Critical devices: <4 hr trigger.
Infrastructure: <12 hr
Windows: <72 hr, vacation mode?
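The override hierarchy asked for above (global defaults, customer-level overrides, per-device overrides, plus a "vacation mode" suppression) can be expressed in a few dozen lines. The following is an added illustration, not the SIEM vendor's code or configuration format; the source kinds, the `resolve_threshold`/`evaluate` functions and all sample sources are constructed for the example, and the hour values mirror the tiers proposed in this thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Global defaults (constructed; modelled on the tiers suggested in the thread:
# critical <4h, infrastructure <12h, Windows workstations <72h).
GLOBAL_THRESHOLDS: Dict[str, timedelta] = {
    "critical": timedelta(hours=4),
    "infrastructure": timedelta(hours=12),
    "windows_workstation": timedelta(hours=72),
}


@dataclass
class Source:
    """A log source as the escalation engine sees it (hypothetical model)."""
    name: str
    customer: str
    kind: str                                  # key into GLOBAL_THRESHOLDS
    last_seen: datetime                        # time of the last log received
    threshold: Optional[timedelta] = None      # per-device override, if any
    vacation_until: Optional[datetime] = None  # suppress escalations until then


def resolve_threshold(source: Source,
                      customer_overrides: Dict[str, Dict[str, timedelta]]) -> timedelta:
    """Most specific setting wins: device override, then customer, then global."""
    if source.threshold is not None:
        return source.threshold
    per_customer = customer_overrides.get(source.customer, {})
    if source.kind in per_customer:
        return per_customer[source.kind]
    return GLOBAL_THRESHOLDS[source.kind]


def evaluate(sources: List[Source],
             customer_overrides: Dict[str, Dict[str, timedelta]],
             now: datetime) -> List[Tuple[str, str, timedelta]]:
    """Return (customer, source, silent_for) for every source past its threshold."""
    escalations = []
    for s in sources:
        # Vacation mode: a known-offline laptop is not an escalation.
        if s.vacation_until is not None and now < s.vacation_until:
            continue
        silent_for = now - s.last_seen
        if silent_for > resolve_threshold(s, customer_overrides):
            escalations.append((s.customer, s.name, silent_for))
    return escalations


def demo() -> List[str]:
    """Run the engine over constructed sources; returns the escalated source names."""
    now = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)  # a Monday morning
    h = lambda n: now - timedelta(hours=n)

    # Constructed sample inventory for two fictional customers.
    sources = [
        Source("fw01", "acme", "critical", h(5)),                        # 5h > 4h
        Source("dc01", "acme", "infrastructure", h(10)),                 # 10h < 12h
        Source("laptop-ann", "acme", "windows_workstation", h(64)),      # off since Friday
        Source("laptop-bob", "acme", "windows_workstation", h(80),
               vacation_until=now + timedelta(days=3)),                  # on leave
        Source("laptop-cmmc", "cmmc-co", "windows_workstation", h(20)),  # stricter customer
        Source("legacy-switch", "acme", "infrastructure", h(0.75),
               threshold=timedelta(minutes=30)),                         # device override
    ]
    # A CMMC customer that wants workstations escalated after 8h instead of 72h.
    customer_overrides = {"cmmc-co": {"windows_workstation": timedelta(hours=8)}}

    return [name for _, name, _ in evaluate(sources, customer_overrides, now)]


if __name__ == "__main__":
    for name in demo():
        print("escalate:", name)
```

With these inputs only the firewall, the CMMC customer's laptop and the switch with a device-level override escalate; the weekend-idle laptop and the one in vacation mode stay quiet, which is the behaviour the posters are asking for.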
Ruben Castello
Same problem here. Lots of escalations for laptops/PCs not reporting logs to the SIEM.
For a computer/laptop we must define a higher threshold, but for example for a firewall the escalation is good.
Adam Palmer
Yeah, this granularity is a much-needed feature. We need to know when devices stop sending logs, but laptops need to be handled differently given their portable nature.
Autopilot
Merged in a post:
Granular control over escalations per device type (server, laptop, desktop etc.)
Mark Nelson
In the SIEM escalations, it would be helpful to have different escalation time frames for workstations vs. servers etc.
As it is, I have to disable escalations due to laptops triggering notifications when they are just being used as normal.
Matt
I agree. We have to enable this for our CMMC customers, but enabling it for the entire account overwhelms us with alerts. We would like the ability to enable it per organization instead of per account, and then even further, enable it per source. This would allow us to only track the servers and network devices we expect to always get logs from.