Include “Count” Field in SIEM Syslog Integration

What is a one sentence summary of your feature request?

Include “Count” Field in SIEM Syslog Integration

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

Please add the “Count” field to the SIEM syslog output for Endpoint Protector events.

Today, the admin console shows the Count value (for example, when a user uploads a CSV with 30 records, Count = 30), but this field is not sent to the SIEM. As a result, we lose important context that is useful for detection logic, alerting, and playbook automation.

This seems like a simple and very valuable enhancement. Ideally, the Count field would be included by default or available as an optional field to enable.

This would significantly improve the usefulness of the SIEM integration.

How do you currently solve the challenges you have by not having this feature?

Manual review.

Hi Jayme,

Welcome to Netwrix Community and thank you for your request!
We will review it and get back to you with a response as soon as possible. While waiting, we thank you for your patience!

Kind Regards,
Simona

Hello Jayme,

I hope you are doing well!

We’ve reviewed this scenario and would like to clarify how the Count field works.

On the Reports and Analysis → Content Aware Report page, the Count value represents the number of Matched Items. While the Endpoint Protector Server stores a single log entry for this event, the SIEM receives one separate log per matched item.

For example, for an upload, if the number of matched items is 5 (such as five emails), the SIEM will receive 5 individual logs.

Let us know if this explanation addresses your question. If not, we’d be happy to take a closer look—please share your specific use case and any additional details that might help us better understand your scenario.

Looking forward to your reply.
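
Given the behaviour described in the reply above (one SIEM log per matched item), the Count value can be rebuilt on the SIEM side by grouping those per-item logs. The following is an added example, not part of the thread and not Netwrix code. It assumes the events are already parsed into dictionaries; the field names, the 5-second grouping window and the sample events are all hypothetical or constructed.

```python
from datetime import datetime, timedelta

# Fields assumed to identify one transfer. These names are hypothetical,
# not Endpoint Protector's actual syslog schema; map your parsed fields to them.
KEY_FIELDS = ("user", "computer", "file", "destination")

def _ev(ts, user, computer, file, destination):
    return {"ts": ts, "user": user, "computer": computer,
            "file": file, "destination": destination}

# Constructed sample: per-item logs as a SIEM would hold them after parsing,
# deliberately out of order to mimic syslog arrival.
SAMPLE_EVENTS = (
    [_ev("2024-05-01T10:30:00", "alice", "WS-01", "customers.csv", "webmail")] * 2
    + [_ev("2024-05-01T10:00:02", "bob", "WS-02", "notes.txt", "usb")]
    + [_ev("2024-05-01T10:00:00", "alice", "WS-01", "customers.csv", "webmail")] * 5
)

def rebuild_counts(events, max_gap=timedelta(seconds=5)):
    """Collapse per-item logs into one record per transfer with a derived count.

    Events sharing KEY_FIELDS extend the same transfer while consecutive
    timestamps are at most max_gap apart; a larger gap starts a new transfer,
    so a second upload of the same file later is counted separately.
    """
    transfers, open_by_key = [], {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        key = tuple(ev[f] for f in KEY_FIELDS)
        idx = open_by_key.get(key)
        if idx is not None and ts - transfers[idx]["last"] <= max_gap:
            transfers[idx]["count"] += 1
            transfers[idx]["last"] = ts
        else:
            open_by_key[key] = len(transfers)
            transfers.append({**dict(zip(KEY_FIELDS, key)),
                              "first": ts, "last": ts, "count": 1})
    return transfers

def over_threshold(transfers, threshold):
    """Transfers whose derived count meets an alerting threshold."""
    return [t for t in transfers if t["count"] >= threshold]

if __name__ == "__main__":
    for t in over_threshold(rebuild_counts(SAMPLE_EVENTS), 5):
        print(t["user"], t["file"], t["count"])
```

A count derived this way is a lower bound: any per-item message dropped in syslog transport reduces it, so thresholds built on it should allow for loss.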