The need to take syslog or get more info from the cloud API is a dire need for us.
It is so much a part of any compliance framework.
I know in the past I have been told that syslog support is coming. But it seems to be just a talking point.
How can this product be called enterprise if we can't get vital information out of it?
There are already at least 3 requests for this in the last few years in the feature request area. So my adding another is not going to make any difference.
I do remember having a conversation probably in late 2016 where our sales people said they were going to be adding syslog "soon".
This really should be a priority for WebRoot. Pushing SIEM out to the endpoints is getting more important as the ability to spot things on the wire is decreasing with the push for more encryption while in motion.
Would you be able to share the links to the most relevant feature requests? Then I can bring them up specifically with our product team. Thanks!
Also, if you can provide more detail around what you are looking for in terms of a more robust IPA that would be helpful as well.
First of all, I can't believe I have to respond to the request to show people asking for syslog in the past. This should not even be a question.
The idea of syslog to a central location for analysis, correlation, input to a threat detection system, etc. is not just a nice thing to have anymore. It is becoming legally required by many compliance frameworks, like PCI, HIPAA, GDPR, etc. This is just a basic compliance thing.
Auditors like to ding you on the basics.
It's also nice to have for troubleshooting issues on endpoints.
As far as more robust APIs, I was only suggesting that in the case that syslog is not a possibility. We should then have the ability to make calls into the portal using APIs to pull the detection history information from the databases. All processes that were seen starting and stopping, what they did, did WRSA prompt the user to allow, did upgrades fail, did a user turn off protection, etc. This is all relevant information that should be provided.
But from what I've seen from the API documentation, all you can really do is create groups, or apply policies, or run reports on how many endpoints have which version. All very basic stuff that is not helping with all the actual threat detection work.