Huntress Managed SIEM is absolutely committed to providing a managed, easy SIEM experience. However, SIEMs are complex orchestrations of many third-party services and applications, which inherently creates challenges in supporting the flow of data from source to SIEM. The Huntress Managed SIEM team does its best to support the full range of sources. However, our ability to support third-party log sources is constrained by limited access to vendor documentation and products, and by complex third-party configurations such as Active Directory and Intune.
How the Huntress Team Supports Partners
In general, the Huntress team will start by validating Huntress-side configurations. This is a critical process for ensuring that fundamental steps are completed as required and that valuable partner time isn't wasted on unnecessary, lengthy troubleshooting steps. In addition, the Huntress team will walk through standard troubleshooting steps like validating IP addresses, port availability, domain name resolution, and firewall rules.
The majority of support tickets are resolved through these first two processes: validation of configurations and basic troubleshooting. Any additional troubleshooting proceeds with support and guidance from the product teams.
Knowledge Base:
- General Syslog Troubleshooting
- General SIEM FAQ
- General SIEM Usability
- Syslog Source Configuration Library
- HEC Source Configuration Library
- API Source Configuration Library
- Windows Event Logging Audit Policies
Support:
- Answer general configuration questions.
- Validate Huntress Requirement configurations.
- Confirm Huntress functionality.
- Provide basic troubleshooting steps for client-side configuration issues. (*)
Engineering:
- Collaborate with the partner and third-party vendors to determine logging failures after clearing basic configuration and troubleshooting steps.
* Due to the complexity, the potential impact, and Huntress's lack of visibility into environments where Active Directory and Intune set policy, Huntress Support cannot provide advice on creating or editing GPOs beyond what is established in the Enforcing Windows Logging Audit Policies KB.
When to Engage Third-Party Support
The collection of logs by a SIEM relies on time-tested methods like syslog, API, and HEC (HTTP Event Collector). These are industry standards that ease the transfer of information from service to service. However, syslog and HEC are only standards for transferring information, not for the content or structure of the information itself. While RFC 5424 technically defines a general format for syslog messages, vendors frequently violate or extend it. HEC requires JSON formatting, but does not guarantee or restrict field names and values. The result is a wide divergence of implementation methods, options, and message formats. Industry SIEMs do their best to keep up with this constantly changing landscape, but exceptions occur frequently.
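The divergence described above is easiest to see with real message shapes side by side. The following is an added example (not Huntress code, and not how the Huntress SIEM parses anything): it attempts strict RFC 5424 parsing first, falls back to the legacy BSD-style (RFC 3164) header many appliances still emit, and otherwise keeps the raw line rather than dropping it. It also performs the only check HEC itself guarantees, that the payload is JSON with an `event` member, which shows why two valid HEC events can still name the same field differently. All sample syslog lines, HEC payloads, hostnames and addresses are constructed for the demo.

```python
"""Strict RFC 5424 parsing with a lenient fallback, plus a minimal HEC payload check.

Added example, not Huntress code. Sample lines below are constructed for the demo.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)
# Legacy BSD-style header (RFC 3164) that many appliances still emit
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<procid>\d+)\])?: ?(?P<msg>.*)$"
)
SD_ELEM_RE = re.compile(r"\[(?P<id>[^\] ]+)(?P<params>[^\]]*)\]")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class ParsedEvent:
    format: str                  # "rfc5424", "rfc3164" or "unknown"
    facility: Optional[int]
    severity: Optional[int]
    hostname: Optional[str]
    message: str
    fields: dict = field(default_factory=dict)


def _kv_pairs(text: str) -> dict:
    """Pull vendor-style key=value pairs out of free text (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def _structured_data(sd: str) -> dict:
    """Flatten RFC 5424 STRUCTURED-DATA elements into 'sdid.param' keys."""
    out = {}
    for elem in SD_ELEM_RE.finditer(sd):
        for k, v in _kv_pairs(elem["params"]).items():
            out[f"{elem['id']}.{k}"] = v
    return out


def parse_syslog(line: str) -> ParsedEvent:
    """Try strict RFC 5424 first, then RFC 3164, then keep the raw line as 'unknown'."""
    m = RFC5424_RE.match(line)
    if m:
        pri = int(m["pri"])
        msg = m["msg"] or ""
        fields = {} if m["sd"] == "-" else _structured_data(m["sd"])
        fields.update(_kv_pairs(msg))          # vendors often put key=value in MSG
        return ParsedEvent("rfc5424", pri >> 3, pri & 7, m["hostname"], msg, fields)
    m = RFC3164_RE.match(line)
    if m:
        pri = int(m["pri"])
        return ParsedEvent("rfc3164", pri >> 3, pri & 7, m["hostname"],
                           m["msg"], _kv_pairs(m["msg"]))
    # No recognisable header: keep the raw text so nothing is silently dropped
    return ParsedEvent("unknown", None, None, None, line, _kv_pairs(line))


def check_hec_event(raw: str) -> list:
    """Return problems with a HEC payload; an empty list means it is acceptable.

    HEC only demands JSON with an "event" member (and a numeric "time" if given);
    it says nothing about which keys appear inside "event".
    """
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(obj, dict):
        return ["top-level value must be a JSON object"]
    problems = []
    if "event" not in obj:
        problems.append('missing required "event" key')
    if "time" in obj and not isinstance(obj["time"], (int, float)):
        problems.append('"time" must be epoch seconds as a number')
    return problems


# Constructed sample input: one strict RFC 5424 line, one BSD-style line,
# one RFC 5424 line carrying vendor key=value pairs in MSG, and one with no header.
SAMPLE_SYSLOG = [
    '<165>1 2024-01-15T10:30:00.000Z fw01.example.com vendorfw 1234 ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application"] User login failed',
    '<14>Jan 15 10:30:00 fw01 vendorfw: action=deny src=10.0.0.5 dst=10.0.0.9 dport=445 proto=tcp',
    '<14>1 2024-01-15T10:30:00Z fw01 vendorfw - - - action=allow src=10.0.0.7 dst=10.0.0.9 dport=443',
    'fw01 2024-01-15 10:30:00 kernel: link up on eth0',
]
# Constructed HEC payloads: two valid ones naming the same concept differently,
# one missing "event", and one that is not JSON at all.
SAMPLE_HEC = [
    '{"time": 1705314600, "host": "fw01", "event": {"src_ip": "10.0.0.5", "action": "deny"}}',
    '{"host": "fw01", "event": {"sourceAddress": "10.0.0.5", "act": "deny"}}',
    '{"host": "fw01", "fields": {"src_ip": "10.0.0.5"}}',
    '{"host": "fw01", "event": {}',
]

if __name__ == "__main__":
    for line in SAMPLE_SYSLOG:
        print(parse_syslog(line))
    for payload in SAMPLE_HEC:
        print(check_hec_event(payload) or "ok", "<-", payload)
```

Run as a script to see each sample classified. The useful lesson for troubleshooting is in the last two syslog samples and the second HEC sample: a source can be "sending logs" that arrive and are technically valid yet still carry no field a downstream parser recognises, which is the kind of vendor-specific divergence that validation of basic configuration cannot resolve.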
To further complicate source-to-SIEM workflows, vendors frequently have multiple versions of configurations, documentation, and message schemas. The documentation itself is often restricted behind account access, making mutual support more difficult. Often these issues are addressable through validation of configurations and basic troubleshooting steps; however, complexities with Active Directory and Intune cannot be safely . The Huntress team cannot own troubleshooting of third-party vendors beyond default configuration validation. This is where we may need to direct partners to their respective vendors for additional troubleshooting.
Despite our best efforts to support partners, you may still need to engage your vendor's support team for advanced troubleshooting when log forwarding and collection do not work as anticipated.