Team: Huntress Managed Security Information and Event Management (SIEM)
Summary: This guide covers how to scope, connect, verify, and run functional checks for your Huntress Managed Security Information and Event Management (SIEM) environment. Following these steps ensures your high-value log data is properly centralized, searchable, and monitored.
Before You Begin
Ensure you have the following configuration resources ready before starting your deployment:
A complete list of target infrastructure components, including domain controllers, critical application/file servers, boundary firewalls, VPN appliances, and active SaaS tenants.
Phase 1: Scope and Connect Your Log Sources
Identify the high-value assets in your environment and configure them to stream events directly to the platform.
Review the technical integration documentation for each specific device type you would like to add.
Syslog sources, such as firewalls, first need an endpoint running the Huntress Agent configured as the collector; only then follow the vendor-specific guide to point the device at it.
Use the deployment guide that matches your hardware or software: the API Device Configuration Guide, HEC Device Configuration Guide, Syslog Device Configuration Guide, or Operating System Log Configuration Guide. Where Huntress does not have a specific guide, follow the vendor-provided guide for setup.
Configure each device or cloud service to forward event data to the Huntress Agent or log collector as documented.
Phase 1 Result
The highest-value log sources for this environment are configured to send logs to Huntress.
You can now track progress toward your contracted SIEM data source count.
Phase 2: Verify Your Logging Coverage
Confirm your initial data sources are connected, healthy, and actively streaming events. Your deployment milestone is to have at least 50% of your contracted data sources successfully transmitting data.
In the Huntress platform, navigate to the SIEM data sources management page.
Review the categories view to confirm active log entries exist for your scoped domain controllers, core servers, firewalls, VPN appliances, and SaaS tenants.
Select one primary domain controller and verify that recent Operating System Event Logs are indexing correctly.
Select one firewall or VPN appliance and confirm that live log volume is processing.
Treat any scoped source that is absent from the list, or whose most recent event is stale, as a coverage gap and open a ticket with Huntress Support to remediate the connection.
Phase 2 Result
All domain controllers and key servers from your Phase 1 list show as log sources with recent events.
Primary firewalls and VPN appliances show recent events.
Any SaaS tenants you planned for SIEM are visible and sending data.
At least half of your SIEM data sources are either sending logs or have open tickets tracking gaps.
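The Phase 2 gap check above, written out as an added example (this is not Huntress tooling and does not use a Huntress export format): it compares the Phase 1 scope list against a constructed snapshot of the data sources page, flags sources that are missing or stale, lists the gaps that still need a support ticket, and evaluates the 50% milestone counting open tickets. The hostnames, timestamps, and the 24-hour staleness threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed sample data (not a Huntress export format): the Phase 1 scope
# list and a snapshot of the data sources page at verification time.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
STALE_AFTER = timedelta(hours=24)  # assumed staleness threshold
SCOPE = {  # hostname -> category, from the Phase 1 target list
    "dc01": "domain_controller", "dc02": "domain_controller",
    "fs01": "file_server", "fw-edge": "firewall",
    "vpn01": "vpn", "m365-tenant": "saas",
}
SOURCES = {  # hostname -> last event seen (absent = never connected)
    "dc01": NOW - timedelta(minutes=5),
    "dc02": NOW - timedelta(days=3),       # connected once, now stale
    "fw-edge": NOW - timedelta(minutes=1),
    "m365-tenant": NOW - timedelta(hours=2),
}
OPEN_TICKETS = {"fs01"}  # gaps already tracked with Huntress Support

@dataclass
class Coverage:
    healthy: list
    stale: list
    missing: list
    untracked_gaps: list  # gaps with no support ticket yet
    milestone_pct: float
    milestone_met: bool

def check_coverage(scope, sources, open_tickets, now=NOW, stale_after=STALE_AFTER):
    """Classify every scoped source and evaluate the Phase 2 milestone."""
    healthy, stale, missing = [], [], []
    for host in sorted(scope):
        last = sources.get(host)
        if last is None:
            missing.append(host)
        elif now - last > stale_after:
            stale.append(host)
        else:
            healthy.append(host)
    gaps = stale + missing
    untracked = [h for h in gaps if h not in open_tickets]
    # Milestone: at least half of the scoped sources are sending logs
    # or have an open ticket tracking the gap.
    counted = len(healthy) + sum(1 for h in gaps if h in open_tickets)
    pct = 100.0 * counted / len(scope)
    return Coverage(healthy, stale, missing, untracked, pct, pct >= 50.0)

if __name__ == "__main__":
    cov = check_coverage(SCOPE, SOURCES, OPEN_TICKETS)
    print(f"healthy={cov.healthy} stale={cov.stale} missing={cov.missing}")
    print(f"needs ticket={cov.untracked_gaps} milestone={cov.milestone_pct:.0f}%")
```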
Phase 3: Perform a Search and Reporting Function Check
Validate that indexed records are instantly searchable, and confirm that automated query workflows route to your team as expected.
Run a simple query
In the platform search window, run a basic ad-hoc query to confirm logs are searchable. Examples include:
Recent admin logons
Firewall denies
VPN authentication events
Verify that the query results populate with recent entries originating from the sources you connected in Phase 1.
Save and test the query
Click Save Query to bookmark valuable views, using a clear naming convention (for example: Recent Admin Logons - Last 24 Hours).
Build a test scheduled query based on a straightforward use case, such as a daily digest of perimeter firewall drops.
Route the scheduled query results to a production mailbox monitored daily by your security team.
Confirm the scheduled query runs cleanly and that its results are delivered to the target inbox.
Phase 3 Result
Your team can run a basic SIEM query and see expected results from connected sources.
At least one scheduled query is configured, has run successfully, and its results are going to a mailbox or destination that’s actively monitored.
Final Expectations
Your core logging architecture is now operational. Huntress Managed SIEM is accurately indexing data from your boundary devices and internal infrastructure. Your team can run manual investigative queries, and automated reporting paths are fully verified.