During rule creation I often use the action: Add User-Defined Group Element.
It is helpful for me to keep a simple catalog of some events you need to keep track of, e.g.: enabled users, installed software, unauthorized USBs etc.
But this action only has a single field to populate.
I suggest an improvement where you may add more than one field in this action, e.g.: for the unauthorized USBs rule, to be able to add these fields to the User Defined Group:
Time, Source Account, Detection IP, USB ID etc.
Similarly for other rules.
A simple logic would be to be able to drag & drop event fields into this action group, just like we do in the Correlations box.
Additionally, it would be of great importance if we can also export these User Defined Groups in a suitable format like csv.
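To make the request concrete, here is an added example (my own illustration, not code from the product or the poster) of what a multi-field user-defined group and its CSV export could look like: a group definition lists the event fields to capture, each matching event contributes one row, duplicate alerts are collapsed, and the export neutralizes cell values that a spreadsheet would otherwise interpret as formulas. The event shape, field names, group names and rule-to-group mapping are all assumptions chosen for the example.

```python
import csv
import io

# Assumed group definitions: group name -> event fields stored per element.
# These mirror the fields the request lists for the unauthorized USB rule.
GROUP_DEFINITIONS = {
    "unauthorized_usbs": ["time", "source_account", "detection_ip", "usb_id"],
    "installed_software": ["time", "source_account", "detection_ip", "software_name"],
}

# Assumed mapping from the rule that fired to the group it feeds.
RULE_TO_GROUP = {
    "unauthorized_usb": "unauthorized_usbs",
    "software_installed": "installed_software",
}

# Constructed sample events (hypothetical shape, not real product output).
# The second event is a deliberate duplicate alert; the third carries a
# USB ID that begins with "=" to exercise the CSV formula neutralization.
SAMPLE_EVENTS = [
    {"rule": "unauthorized_usb", "time": "2024-03-01T08:15:22Z",
     "source_account": "CORP\\alice", "detection_ip": "10.1.4.27",
     "usb_id": "VID_0781&PID_5583"},
    {"rule": "unauthorized_usb", "time": "2024-03-01T08:15:22Z",
     "source_account": "CORP\\alice", "detection_ip": "10.1.4.27",
     "usb_id": "VID_0781&PID_5583"},
    {"rule": "unauthorized_usb", "time": "2024-03-01T09:40:03Z",
     "source_account": "CORP\\bob", "detection_ip": "10.1.4.31",
     "usb_id": "=1+1"},
    {"rule": "software_installed", "time": "2024-03-01T10:02:41Z",
     "source_account": "CORP\\carol", "detection_ip": "10.1.4.40",
     "software_name": "ExampleTool 2.1"},
]


def add_group_element(groups, group_name, event, definitions=GROUP_DEFINITIONS):
    """Add one element to a user-defined group, copying only the fields the
    group definition names. Identical elements are stored once."""
    fields = definitions[group_name]
    element = {field: str(event.get(field, "")) for field in fields}
    elements = groups.setdefault(group_name, [])
    if element not in elements:  # collapse duplicate alerts for the same event
        elements.append(element)
    return element


def build_groups(events, rule_to_group=RULE_TO_GROUP):
    """Route each event to its group based on the rule that produced it."""
    groups = {}
    for event in events:
        group_name = rule_to_group.get(event.get("rule"))
        if group_name is None:
            continue  # rule does not feed any user-defined group
        add_group_element(groups, group_name, event)
    return groups


def neutralize_cell(value):
    """Prefix values that a spreadsheet would evaluate as a formula.
    Leading =, +, -, @, tab and CR are the usual triggers; analysts often
    open exported groups in Excel, so the export must not let an attacker-
    controlled field (a USB product string, for instance) become a formula.
    Timestamps and IPs start with digits and are left untouched."""
    if value and value[0] in "=+-@\t\r":
        return "'" + value
    return value


def export_group_csv(groups, group_name, definitions=GROUP_DEFINITIONS):
    """Render one group as CSV text with the definition's fields as header."""
    fields = definitions[group_name]
    buffer = io.StringIO()
    writer = csv.DictWriter(buffer, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for element in groups.get(group_name, []):
        writer.writerow({field: neutralize_cell(element[field]) for field in fields})
    return buffer.getvalue()


if __name__ == "__main__":
    built = build_groups(SAMPLE_EVENTS)
    for name in GROUP_DEFINITIONS:
        print(f"--- {name} ---")
        print(export_group_csv(built, name), end="")
```

The neutralization step matters for the export part of the request: group fields are filled from event data that the monitored device or user controls, so an exported CSV must not carry that data straight into a spreadsheet cell as an executable formula.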