SIEM Canned Queries | Voters

SIEM Canned Queries

in progress

Chi'la Herman'la

It would be nice if we can have an "easy button" for searching for specific common / interesting events. One example may be "failed logins" or "RDP Session Logins" with the option to modify the query to expand or scope it (Machine name etc).

April 16, 2024

Chris Bisnett

marked this post as

in progress

This is currently in progress. We're pulling together some queries that we think show some interesting things and will add them to the dashboard users can easily pull up insights.

James Stull

I lik the idea of canned queries, but even better is if we had a community share of queries for all huntress clients. Then we can share various queries with eachother.

Anthony Rankine

James Stull great idea to have a spot for shared queries. If not in Huntress then github could work?

James Stull

Anthony Rankine Maybe, only you probably don't want the queries that public. Also, I would imagine a lot of your end users may not be able to navigate github successfully. I was thinking more along the line of a shared repository that would be built into the report tool itself. You could search for shared reports and share the queries you build as well. Make it easy to search and easy to run... maybe even show an example of output? The idea would be so we wouldn't have to reinvent the wheel every time and help learn how to build good queries.

Chris Bisnett

marked this post as

planned

We added a few example queries to the dashboard last week, but we're going to expand upon this to give some common queries for things like you pointed out as well as providing some additional examples within the dashboard to make it easy to find what you're looking for without needing to memorize the ES|QL syntax.