New features

It would be great if you implemented the following features:

1. Add an "alert name" column to the alert table in the Alerts tab. This will help to analyze and debug the rules faster.

2. When we create an alert profile, we need to be able to check the alert profile against the events already in the database.
This option will include a large number of false positives (letters) if the alert profile is wrong.

3. It would be great if it were possible to use lists (tables) in the filters.
For example: I create a table (TestTable) with the following columns: User name | Hostname | IP address | Event ID.
Then I create 2 alert profiles with the following filters:
First - EventID = 4624 and UserName not in list TestTable.
Second - EventID = 4624 and HostName not in list TestTable and UserName = TestUser.
This will reduce the number of filter conditions if I need to filter out 50 user names.

In addition, for these tables, I must be able to specify the retention period of records.
For example, if you set 0, then records are always stored; if 5 days, then records older than 5 days are removed from the table.

4. For alert profiles, add a feature to automatically add and delete entries in the tables from item 3.
Example 1.
The table has fields User name | Hostname | IP address | EventID.
The table stores the entry: TestUser2 | TestHost2 | 192.168.1.22 | 4624. In the alert profile I create the following condition: IF EventID = 4624 AND IP not in list TestTable THEN add to list TestTable. When an event arrives where Event ID = 4624, UserName = TestUser, HostName = TestHost, IP = 192.168.10.10, this rule is triggered and adds a new entry to the table: TestUser | TestHost | 192.168.10.10 | 4624. If another event arrives with Event ID = 4624, UserName = TestUser, HostName = TestHost, IP = 192.168.10.10, then the rule is not triggered and does not add a new record to the table.
Example 2.
The table has fields User name | Hostname | IP address | EventID | Count.
The table contains a record: TestUser2 | TestHost2 | 192.168.1.22 | 4624 | 36. In the alert profile I create the following condition: IF EventID = 4624 THEN add to list TestTable. When an event arrives where Event ID = 4624, UserName = TestUser, HostName = TestHost, IP = 192.168.10.10, the rule is triggered and adds a new entry to the table: TestUser | TestHost | 192.168.10.10 | 4624 | 1. If there is another event with Event ID = 4624, UserName = TestUser, HostName = TestHost, IP = 192.168.10.10, then the rule is triggered and does not add a new record to the table, but changes the value of Count to 2.

5. Add a synchronization option with AD. If AD has a new computer (server), it is automatically added to AD Audit. If the computer (server) is deleted in AD, it is automatically deleted from AD Audit.

6. Please add an option for custom queries when creating reports.
Example:
Select * from WindowsLogTable where UserName Like 'a%';

7. Please add the ability to change the value of EVENT FETCH INTERVAL for workstations to 5, 10, or 30 minutes.

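A sketch of the list-table semantics requested in items 3 and 4, as an added example that is neither ADAudit Plus code nor the poster's: a hypothetical ListTable with the proposed "in list" test, "add to list" with a Count column, and the retention purge from item 3. Events are plain dicts and times are plain day numbers, both constructed here for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample event in the shape used by the examples above.
SAMPLE_EVENT = {"UserName": "TestUser", "HostName": "TestHost", "IP": "192.168.10.10", "EventID": 4624}

@dataclass
class ListTable:
    """Hypothetical list table: rows keyed on (UserName, HostName, IP, EventID)
    with a Count and a last-seen day number; retention_days == 0 keeps rows forever."""
    retention_days: int = 0
    rows: dict = field(default_factory=dict)

    def contains(self, column, value):
        """The '<column> in list TestTable' test used by the proposed filters."""
        idx = {"UserName": 0, "HostName": 1, "IP": 2, "EventID": 3}[column]
        return any(key[idx] == value for key in self.rows)

    def add(self, event, now):
        """'add to list': insert a new row, or bump Count on an existing one."""
        key = (event["UserName"], event["HostName"], event["IP"], event["EventID"])
        row = self.rows.get(key)
        if row is None:
            self.rows[key] = {"Count": 1, "seen": now}
            return True   # new record inserted
        row["Count"] += 1
        row["seen"] = now
        return False      # record already existed, only Count changed

    def purge(self, now):
        """Retention from item 3: drop rows older than retention_days (0 = keep all)."""
        if self.retention_days == 0:
            return 0
        cutoff = now - self.retention_days
        before = len(self.rows)
        self.rows = {k: r for k, r in self.rows.items() if r["seen"] >= cutoff}
        return before - len(self.rows)

def auto_add_rule(table, event, now, require_new_ip):
    """Item 4. require_new_ip=True is Example 1 (IF EventID = 4624 AND IP not in
    list THEN add to list); False is Example 2 (IF EventID = 4624 THEN add to
    list, which only increments Count when the row is already present)."""
    if event["EventID"] != 4624:
        return False
    if require_new_ip and table.contains("IP", event["IP"]):
        return False
    table.add(event, now)
    return True

def alert_unknown_user(table, event):
    """First filter of item 3: EventID = 4624 and UserName not in list TestTable."""
    return event["EventID"] == 4624 and not table.contains("UserName", event["UserName"])
```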