Just want to point out that SA is lacking basic reporting features that should be brought in or developed ASAP. With enVision and other SIEMs we have worked with, we have built very useful and meaningful timeline reports on traffic, overall log collection, or basically anything that is interesting over a longer time period. For instance, our basic need is to be able to create weekly or monthly reports on the traffic inspected by firewalls: certain accepted or denied traffic, inbound/outbound traffic, etc.
Charts can be used to create this kind of stuff, but we really need to have these features on basic reports as well. We schedule a bunch of reports and inspect them regularly. Basic SIEM stuff...
Currently, if we create a report which should show us the traffic over one week, we get a crappy-looking chart with a restricted amount of information: a couple of hours, or days at most. The X axis is totally screwed up. It tries to show the count of the traffic for every minute, and that's basically OK, but there's no scaling on the time values.
Have we missed something, or is this a known feature which will not be fixed?
And a second issue is the fact that we can't use sum functions on reports, which could be used to show the traffic in bytes/kilobytes over time. Let's say bytes sent to the Internet over time. Once again, pretty basic stuff on other SIEMs and things we really need to have. How about this one? Any chance of seeing this fix/feature in upcoming releases?
One development hint: please create a separate reporting engine/appliance and sell it as a separate (very cheap) solution, like the ESA appliance, which provides those basic alerting capabilities that all SIEM systems have. And seriously... just joking... don't ever do that.
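The two things the post asks for, a timeline whose bucket width scales with the report period and SUM aggregates of bytes per interval, are shown below as an added example; it is not code from RSA Security Analytics, enVision or the post's author. The log line format (`action=`, `dir=`, `bytes=` key/value pairs), the bucket-width ladder and the 168-point target for a readable chart are assumptions made for the example, and the log lines are constructed.

```python
"""Time-bucketed firewall traffic report (added example, not SA's or the
poster's code).  Shows (1) a bucket width chosen from the report's span so a
weekly report gets hourly points instead of one point per minute, and (2) SUM
aggregates (bytes per interval), over constructed log lines in an assumed
key=value format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Assumed ladder of candidate bucket widths, smallest first.
BUCKET_LADDER = [timedelta(minutes=1), timedelta(minutes=5), timedelta(minutes=15),
                 timedelta(hours=1), timedelta(hours=6), timedelta(days=1),
                 timedelta(days=7)]

# Constructed sample lines in an assumed format; not any real device's output.
SAMPLE_LOGS = [
    "2014-03-03T08:15:22Z action=accept dir=outbound src=10.1.2.3 dst=93.184.216.34 bytes=1520",
    "2014-03-03T08:47:05Z action=accept dir=outbound src=10.1.2.9 dst=93.184.216.34 bytes=83000",
    "2014-03-03T08:59:59Z action=deny dir=inbound src=198.51.100.7 dst=10.1.2.3 bytes=0",
    "2014-03-03T09:02:10Z action=accept dir=inbound src=203.0.113.5 dst=10.1.2.20 bytes=4096",
    "2014-03-06T23:30:00Z action=deny dir=inbound src=198.51.100.8 dst=10.1.2.3 bytes=60",
    "2014-03-10T06:58:41Z action=accept dir=outbound src=10.1.2.3 dst=198.51.100.20 bytes=2500",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>accept|deny) dir=(?P<dir>inbound|outbound) "
    r"src=\S+ dst=\S+ bytes=(?P<bytes>\d+)$")


def parse_line(line):
    """Parse one log line of the assumed format; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "action": m["action"], "dir": m["dir"], "bytes": int(m["bytes"])}


def choose_bucket(span, max_points=168):
    """Smallest ladder width that keeps the timeline at or under max_points buckets."""
    for width in BUCKET_LADDER:
        if span / width <= max_points:
            return width
    return BUCKET_LADDER[-1]


def floor_to_bucket(ts, width):
    """Align a UTC timestamp to the start of its bucket using timedelta math only."""
    return EPOCH + ((ts - EPOCH) // width) * width


def build_report(lines, max_points=168):
    """Return (bucket_width, rows).  Rows are zero-filled so the X axis is evenly
    spaced even where no events occurred; each row carries COUNT per action and
    SUM of bytes per direction."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    if not events:
        return None, []
    events.sort(key=lambda e: e["ts"])
    width = choose_bucket(events[-1]["ts"] - events[0]["ts"], max_points)
    agg = defaultdict(lambda: {"accept": 0, "deny": 0,
                               "inbound_bytes": 0, "outbound_bytes": 0})
    for e in events:
        row = agg[floor_to_bucket(e["ts"], width)]
        row[e["action"]] += 1
        row[e["dir"] + "_bytes"] += e["bytes"]
    start = floor_to_bucket(events[0]["ts"], width)
    last = floor_to_bucket(events[-1]["ts"], width)
    rows = []
    while start <= last:
        rows.append({"start": start, **agg[start]})
        start += width
    return width, rows


def human_bytes(n):
    """Scale a byte count to B/KB/MB/GB (1024-based) for the report column."""
    for unit in ("B", "KB", "MB", "GB"):
        if n < 1024 or unit == "GB":
            return f"{n:.0f} {unit}" if unit == "B" else f"{n:.1f} {unit}"
        n /= 1024


def render(width, rows):
    """Plain-text timeline, one line per bucket, with scaled byte columns."""
    out = [f"bucket width: {width}"]
    for r in rows:
        out.append(f"{r['start']:%Y-%m-%d %H:%M}  accept={r['accept']:>4} "
                   f"deny={r['deny']:>4}  out={human_bytes(r['outbound_bytes']):>10}  "
                   f"in={human_bytes(r['inbound_bytes']):>10}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(*build_report(SAMPLE_LOGS)))
```

With the sample spanning just under seven days, `choose_bucket` lands on one-hour buckets (167 rows, most of them zero), which is the scaling the post says is missing; for a month-long input the same ladder moves to six-hour buckets, and `max_points` is the knob to tune if a chart can show more or fewer points.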