Event Log Monitoring (SIEM)

It would be great to add SIEM functionality to alert on certain event logs, monitor disk space, audit password, user and permission changes, etc.

Chris

Hello @poynter ,

Thank you very much for providing us this suggestion.
Your input is important to us, as it will help to improve the usefulness of C1 for the entire user community.
We have submitted your request to our product team. They will review it and determine where it fits best on the product road-map.
The support team will also get in touch with you via email shortly.

Kind regards,

Looks like this could be done with the existing functionality in monitors. You can add a condition for an event ID such as 1102 (clearing of the security log), which can then raise a ticket for that machine.

Not sure if this can be improved with maybe categorising the tickets or providing a baseline monitor for domain controllers and workstations, e.g. https://github.com/palantir/windows-event-forwarding/
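As an added illustration of the monitor condition described above (this is not C1 code and makes no assumptions about how the product's monitors are implemented), the following PowerShell script polls the local Security log for a small baseline of event IDs, with an extra set for domain controllers, and emits one record per hit that a ticketing hook could consume. The event IDs are standard Windows Security log IDs; the particular selection of IDs, the `-Role` parameter and the function name `Get-SecurityAlertEvent` are my own choices for this example, not anything taken from the thread or from the Palantir WEF repository.

```powershell
# Added example: poll the Security log for high-value event IDs and emit
# ticket-ready records. Not C1 product code; the ID selection is an assumption.
function Get-SecurityAlertEvent {
    param(
        [ValidateSet('Workstation', 'DomainController')]
        [string]$Role = 'Workstation',
        [int]$LookbackHours = 1
    )

    # Baseline IDs worth a ticket on every host (standard Windows Security IDs).
    $Watch = @{
        1102 = 'Security log cleared'
        4719 = 'System audit policy changed'
        4720 = 'User account created'
        4724 = 'Password reset attempted by another account'
        4732 = 'Member added to a security-enabled local group'
    }

    # Domain controllers additionally see domain group and lockout events.
    if ($Role -eq 'DomainController') {
        $Watch[4728] = 'Member added to a security-enabled global group'
        $Watch[4756] = 'Member added to a security-enabled universal group'
        $Watch[4740] = 'User account locked out'
        $Watch[4767] = 'User account unlocked'
    }

    $filter = @{
        LogName   = 'Security'
        Id        = @($Watch.Keys)
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }

    # Get-WinEvent raises an error when nothing matches; treat that as "no alerts".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        [PSCustomObject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            EventId     = $e.Id
            Reason      = $Watch[$e.Id]
            Subject     = Get-SubjectUser -Record $e
        }
    }
}

# Pull the acting account out of the event XML. 4xxx audit events carry named
# Data elements under EventData; 1102 uses a UserData/LogFileCleared payload.
function Get-SubjectUser {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)

    $xml = [xml]$Record.ToXml()

    $data = $xml.Event.EventData.Data | Where-Object { $_.Name -eq 'SubjectUserName' }
    if ($data) { return $data.'#text' }

    $cleared = $xml.Event.UserData.LogFileCleared
    if ($cleared) { return $cleared.SubjectUserName }

    return '(unknown)'
}

# Usage: run as an account that can read the Security log (Administrators or
# Event Log Readers). Each returned object is one candidate ticket.
Get-SecurityAlertEvent -Role Workstation -LookbackHours 24 | Format-Table -AutoSize
```

The `StartTime` window should match the monitor's polling interval so that the same event is not ticketed twice, and the script is only useful if the relevant audit subcategories (Account Management, Audit Policy Change) are actually enabled on the host; 1102 is always written when the log is cleared.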

@poynter ,

We will try to replicate this setup and review whether other requirements need to be met in order for this monitoring to be achieved successfully. We will provide you with feedback on our developers' results.