What is a one sentence summary of your feature request?
Improve the SIEM experience so that teams can make better use of threat data in their SIEMs.
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
Several aspects of the current design make sending threat data to a SIEM challenging.
For starters, when a customer selects a template (CEF, for example), they cannot see exactly what will be sent to their SIEM. Showing the exact variables each template sends at the moment it is selected would save customers time: if a template does not contain enough of what they need, they can move straight to a custom template instead.
A second challenge is that only one SIEM template can be configured, and it must be used for all threats. However, a customer might not want the same kinds of data sent to their SIEM for every threat. Being able to build a unique SIEM profile, with a different template for each, that could be assigned per threat would help these teams get the actionable data they want for each threat. I was made aware this is possible by building a custom PowerShell script and running it via a playbook as a workaround, but having this functionality baked into the product would ease that burden on these teams quite a lot (similar to how NTP has SIEM profiles today).
A third challenge is not knowing which variables will actually contain data for a given threat. This changes with the threat type, and a customer might find it hard to know the exact variables to use in their templates per threat. If we knew, in one place, which variables are populated for each threat type, it would help when building out these templates. A preview in the NTM UI of the available variables and example data for each, shown when running a preview on a threat identified in their environment, would be very helpful.
The last challenge is that there is no template that simply includes all variables. Some customers prefer a "send all" approach, and the only way to do that today is to manually enter every documented variable into their own custom template. A template that naturally included all variables (or a way to insert all of them at once) would make building this out considerably easier.
Ultimately, a lot of folks handle extra analysis and reporting in their SIEMs today, and improving this experience so that customers can more easily manage the threats that are triggering would help them get a handle on the types of risks we are seeing pop up.
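To make the three template-related points above concrete (showing which variables a template sends, a per-threat-type profile instead of one global template, and a generated "send all" template), here is an added illustrative example. It is not the product's code: the variable names, the threat records, and the CEF templates are all constructed for this example, and the real product's variable catalog will differ.

```python
"""Added example: previewing SIEM template variables per threat type.

Illustrative code written for this feature request, not the product's own.
Variable names such as source_host and sid are hypothetical, and the sample
threat records are constructed; the product's actual catalog differs.
"""
from string import Formatter

# Hypothetical catalog of variables a threat record may carry.
VARIABLE_CATALOG = [
    "threat_type", "severity", "timestamp", "source_host", "source_user",
    "target_host", "target_user", "file_path", "process_name", "sid",
]

# Constructed sample threats. Which variables are populated depends on the type,
# which is exactly what the "preview of available variables" request asks to show.
SAMPLE_THREATS = {
    "brute_force": {
        "threat_type": "brute_force", "severity": 8,
        "timestamp": "2024-01-01T10:00:00Z",
        "source_host": "ws-042.corp.example", "source_user": "jdoe",
        "target_host": "dc1.corp.example", "sid": "S-1-5-21-0-0-0-1001",
    },
    "file_exfil": {
        "threat_type": "file_exfil", "severity": 6,
        "timestamp": "2024-01-01T11:30:00Z",
        "source_host": "ws-017.corp.example", "source_user": "asmith",
        "file_path": r"\\fs1\share\q4 plan.xlsx", "process_name": "7z.exe",
    },
}

# Per-threat-type SIEM profile: each threat type gets its own template, with a
# fallback for unmapped types. CEF header is
# CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension.
CEF_HEADER = "CEF:0|ExampleVendor|ExampleProduct|1.0|{threat_type}|{threat_type}|{severity}|"
PROFILES = {
    "brute_force": CEF_HEADER + "src={source_host} suser={source_user} dst={target_host}",
    "file_exfil": CEF_HEADER + "suser={source_user} fname={file_path} sproc={process_name}",
}
DEFAULT_TEMPLATE = CEF_HEADER + "rt={timestamp}"


def cef_escape(value):
    """Escape a value for CEF. The spec escapes backslash and pipe in header
    fields and backslash and equals in extension values; this simplified helper
    applies both rule sets (plus newlines) to every value."""
    s = str(value)
    return (s.replace("\\", "\\\\").replace("|", "\\|").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def template_variables(template):
    """Return the distinct placeholder names a template references, in order.
    This is the 'show exactly what this template sends' view."""
    names = [name for _, name, _, _ in Formatter().parse(template) if name]
    return list(dict.fromkeys(names))


def preview(template, threat):
    """Render the template for one threat and list placeholders left empty."""
    names = template_variables(template)
    empty = [n for n in names if threat.get(n) in (None, "")]
    values = {n: ("" if n in empty else cef_escape(threat[n])) for n in names}
    return template.format_map(values), empty


def populated_variables(threat, catalog=VARIABLE_CATALOG):
    """Catalog variables that carry data for this threat (per-type preview)."""
    return [n for n in catalog if threat.get(n) not in (None, "")]


def send_all_template(catalog=VARIABLE_CATALOG):
    """Generate a 'send all' template emitting every catalog variable."""
    extension = " ".join(f"{name}={{{name}}}" for name in catalog)
    return CEF_HEADER + extension


def render_for_threat(threat, profiles=PROFILES, default=DEFAULT_TEMPLATE):
    """Pick the template from the per-threat-type profile, then render it."""
    template = profiles.get(threat.get("threat_type"), default)
    return preview(template, threat)


if __name__ == "__main__":
    for kind, threat in SAMPLE_THREATS.items():
        rendered, empty = render_for_threat(threat)
        print(f"[{kind}] populated: {populated_variables(threat)}")
        print(f"[{kind}] profile output: {rendered}")
        print(f"[{kind}] send-all empties: {preview(send_all_template(), threat)[1]}")
```

The empty-placeholder list returned by preview is the piece a customer cannot see today: run against a real threat it tells them which variables in their template will arrive blank, and the per-type populated_variables list tells them which ones are worth adding.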
How do you currently solve the challenges you have by not having this feature?
A customer I am working with built a custom template themselves that includes all variables, and they use it for every threat to send everything, handling the extra parsing on the SIEM side. This obviously takes quite a bit of extra work on their part, though, to parse through a lot of extra noise.