Additional output action fields
Can RSA please add more fields to the output action templates? The current templates are very "Network" centric. We utilise enVision alerts for a lot of Windows hosts and it would be good to see some Windows fields like username, object type, etc. included in the templates.
Why can't we just create our own and pick the fields that are in specific tables? Seems simple enough to me, and other SIEM products can do it.
I've been asking for this for years. Even more specifically, I'd like to see these fields added:
Target Account Name
Caller Machine Name
Caller User Name
These fields are common throughout many Windows Security events and provide key information in events like Account Lockouts, Accounts Unlocked, Password Resets and many others like these.
As the other person stated, the output action fields available are very Network centric. I think these are all still the original fields from many years ago. Without the above fields that I mentioned, you have to use the Message Text field to get that information, but it ends up being a big block of data and you have to fish for it, making it quite cumbersome. Add trying to read it on a BlackBerry and it becomes a nightmare to say the least.
These are standard message fields and shouldn't be too difficult to add, I would think. I know the alert parsing is being addressed and that changes are coming down the road, but can we at least get tossed a bone to keep us somewhat satisfied for now?
I've asked that they at least standardize the fields they output. That would be a start.
ESE-357 - Need fields added to output action (should be for standardizing all fields output)