How does 10.4 handle being able to report on its own health? i.e. alerting when a service is down, alerting when traffic is congesting the system, alerting/monitoring of systems within a single pane of glass.
Does SA 10.4 tag a device's hostname as meta to logs as they come in? This would be useful to create dynamic device groups based on REGEX values of the hostnames.
How does SA 10.4 better handle using Active Directory based authentication and can this be configured and managed from the UI? Along with this, how does 10.4 better handle reporting on failed logins to the console?
Device grouping is targeted for our next release of Security Analytics. In the meantime with SA 10.4, you can create Incident Management rules that would group by IP fairly simply.
Does SA 10.4 have a device or asset table? Somewhere that is a central repository for all devices that have reported into SA, where descriptions and notes could be added (i.e. location, refresh date, etc.).
Does 10.4 have the ability to show the parser xml file in the UI, so that we can determine what messages SA knows about without having to look at the file through an SSH or WinSCP session?
>>No, it does not
Along with this, is there a place in the GUI that we can map the eventid that we find in the parser xml file to the event category name that is used within the UI for meta without having to use SSH or WinSCP to manually pull the ecat file and find it?
>>No, it does not
Device grouping by IP is not a desired solution for large enterprise environments. A better solution would be to have device groups based on hostname, where regex statements could be used to create dynamic groups. For example, a large enterprise that has 500 locations has a router at each site that is labeled site#-rtr. By being able to group routers by a regex looking for site#-rtr, we can easily have them all grouped (and dynamically, without having to manage a list or feed), as site 1 may use .1 for the router, site 2 .254, site 3 .40. Since there is not always a constant IP scheme to build off, manually adding hundreds of devices is not desirable, and this is something enVision can handle now. Is this slated for a future release?
Will 10.4 have the ability to better customize the charts used for dashlets? For example, we have two RSA DLP line charts: one shows network events high and critical, the other shows endpoint events high and critical. One issue is that the network chart uses blue for high and green for critical, while the endpoint chart uses green for high and blue for critical (it seems to be based on which it parsed first). Can we modify and control this so that value 1 is red and value 2 is blue, so that when a user looks at a SOC dashboard the correlation between the two makes more sense?
SA 10.4 introduces the ability to view the system health of SA components from a single pane of glass in the UI, by providing visual indicators that draw the Administrator's attention to problems quickly when looking at this view. The ability to proactively trigger alarms is planned for a future release of SA.