Today I set up the Qualys connector and had to guess at how it worked. As I have found MANY times before, there is NO documentation whatsoever. So I figured I'd start a discussion about this and see what people think: what took time to figure out and was not obvious right away?
- When I first started using LEM I watched every video I could find; while the videos are good, I could not find what I would consider real-world training for a typical setup. Curtis Ingram and Rob Johnson are doing a great job with the new videos over the past month, by the way.
- Think a real world, start to finish, config for a typical customer would go a long way.
- Examples on how to use each group of rules in more detail
- More details on how the GUI should work.
- It took me a bit to understand how to correctly use Incident; video examples would be great.
  - Basically all the rules that use Incident create new events. Great, now what? Well, now it's obvious!
  - Under Monitor > Security > Incidents you will see what's being created.
  - Create a new rule that then watches just these new events, using event name "*Incident", which can then email or take action.
- Console
  - Version 6.1 added the rule wizard, which fixed a gripe on setup; very cool start.
  - Email must be added and it's enabled, which can cause an issue; must disable quickly on a live system.
  - When I called support and they told me I could not send nDepth or monitor conditions to a rule my mouth dropped :O Even a simple export / import!
  - Add and use a right mouse click function! AIR/Flex can do it: Adding menus to an AIR application | Adobe Developer Connection
  - Limited widget functions. For example, on denied ACL traffic I want to see a table with source machines plus the destination ports with a count of each; this would be useful.
  - Basically what the Flow Utilizes can do; I don't have sFlow so it's not useful.
  - Option to auto-fit the column
  - Out of the box it would be nice to have a tag set up for Action types
  - Move some of the console into an admin section via the GUI:
    - LEM local logs
    - Connector upgrades
    - Backup scheduling
    - Date and time / NTP
    - Way to see LEM's hardware performance, or maybe add saidar or nmon to the list of console menu items to see what's going on via a single page?
  - Save grid settings
- Policies
  - Warehouse is not being used any longer, so why is it still an option??
- Rules:
  - Click on a column to sort, edit a rule and save. The list is then re-sorted by the name column; this is not cool! Allow the sort to stick even after saving a rule.
  - Filter options in refine results for not enabled and not test
  - Option to auto-activate rule changes