Our users should be able to create Cases to investigate security issues. The security analyst can attach events to its cases to keep track and correlate the results of its investigation.

A security analyst can configure and leverage detection rules that infer the normal statistical behaviour of its information system to detect abnormal behaviours.

As a security analyst I want to see that new indicators are checked into past events So that I'm reassured on the fact that I will not be missing important detection opportunities

When a user on the event page initiates a search, the system waits until the entire search has been completed before returning results. If the search is large, the user may wait a long time before being able to navigate into its events. We will change the hunting search engine to add a bucket-based event search that will focus on segment of events. Buckets will be filled with search results from the youngest to the oldest to increase the interactivity of the hunting.

We should quickly make a set of basic but efficient rules on AzureAD and Office365 environments as it is used more and more by companies.

A security analyst can create and leverage SIGMA correlation rules to detect complex malicious activities.

SEKOIA.IO XDR analyzes events for attacks and intrusions. If, for any reason, no more events is analyzed by SEKOIA.IO, it is important for our users to react quickly in order to fix the collection and/or the transport of their events. We will send a notification to users when an event drop is observed on a certain period of time. This feature should be editable by the user by means of the following parameters. - the period of time (15 min, 30 min, 1 hour) - the monitored intake - the threshold value - the notification (Email, In app, Webhook, Mattermost, …)

Avoir la possibilité de créer des règles accessibles pour un ensemble de communautés, comme cela est possible pour les règles natives éditeurs. Par exemple via un choix multiple dans l'interface (cf capture d'écran). Possibilité de gérer les exclusions par communauté (comme cela est le cas pour les règles éditeurs). Cela simplifierait la gestion des règles clients plutot que de créer les mêmes règles dans plusieurs communautés.

As of now the SEKOIA Agent runs only on Windows operating systems. In order to support as much environment as possible, adding support to linux OSes is a necessary step. Netlink should be used directly so auditd won't be a dependency and the produced log must be formatted under the ECS format. By default the agent doesn't have to setup auditd or configure it. However it would be nice if the agent could setup the appropriate auditd config so the user doesn't have to configure it to be able to collect its logs.

As a multi-communities manager when you will create a new rule, it will be available for all your communities. Then you can choose, on which community, you want to activate it. It will still possible, to create a rule for a specific community, if you need.