Feature Request – Customizable Columns in SIEM Log Search Results
complete
Ruben Castello
Hello Huntress Team,
I would like to suggest an improvement for the SIEM log search interface. When running queries (for example, using from logs | where event.code == 4740), the current view only displays a fixed set of columns, and it’s necessary to open each log entry individually to review its details.
It would be extremely helpful to have the ability to customize which columns are displayed in the results table — for example, allowing users to add or remove fields such as target.user.name, destination.host.name, and target.user.domain.
This enhancement would greatly improve investigation efficiency, especially when analyzing large volumes of Windows Security logs (like account lockouts, logon failures, or privilege changes), where being able to quickly sort, filter, or visualize key fields in the main table would save significant time.
Thank you very much for considering this suggestion and for your continued work improving the Huntress platform.
Nate O'Brien marked this post as complete
Per Jason Phelps' comment, we can do this today via the KEEP processor. Please see the documentation here: https://support.huntress.io/hc/en-us/articles/30113222043155-Huntress-Managed-SIEM-Log-Search-Guide
Autopilot merged in a post:
Ability to add custom columns or additional data fields to saved query results
Darren Djernes
To be able to show more detail without clicking further into each result.
Michael Paranich
I want to second this. The ability to quickly identify specific Event IDs in the logs is fantastic, but then we can't quickly get the information we'd need to act. For example, we review 4625 (Failed Login), but without adding columns that show which user and what IP address, it takes 10x as long to use your report, and we end up using a competitor's report generator from AD. My goal is to go single pane of glass with everything we can into Huntress, so please, some additional columns from the details made available in the reports would be ideal.
Jason Phelps
Hi Ruben, you can do this today! If you look at our Log Search Guide, you'll see the operator "KEEP", which allows you to specify which columns you want to show in the query results.