What would make Fleet 10x better?

• A "Canned" set of CIS policies • Webhooks / alerts / notifications for policy violations (maybe this is here already?) • "Canned" FIM examples • (really big one) duplication of functionality in tools like Velociraptor for DFIR. This probably includes some default carves for incident response • For Ops purposes, perhaps some queries / guides for process monitoring.

👍

database sharding so we can scale the DB writer across multiple instances

@Jocelyn Bothe The RBAC in Teams (Fleet Premium) allows giving users access to edit the schedule only for Teams where they have the appropriate permissions. This might be what you're looking for?

not precisely for example, I want our Tier 1 support team to be able to remove a specific query from a specific pack when specific error conditions that we monitor for alert, but I don't want our Tier 1 Support Team to be able to do ANYTHING else

Ah, interesting! Are there other quite fine-grained permissions you'd like to be able to work with?

The ability to set alerts in fleet from the web UI, and those alerts would ideally be wrote into results.log as JSON just like osquery results and those alerts can be shipped from there and actioned from elastic or whatever (maybe as webhooks too). You might think what's the point when we have queries, but stuff like vulnerabilities are processed by fleetdm, and it could allow for some things like "Alert me when a machine has < 10% disk space" and even if that is ultimately a query behind the scenes, it reduces some complexity and take the pain for a novice writing a complex query into a few clicks. Then have like an alerts dash/interface for the alerts that have been set.

I’d love to see the vulnerabilities stuff add a main dashboard page that gives a summary, to complement the per-host page. Handy for seeing the statues “at-a-glance”. I’d also love to see the data there made available in queries too, so we can create query packs for CVE status, and ingest those into ELK along with the normal query pack data.

++ on having a more robust landing page, configurable maybe? Unlike others, I find great value in the vuln man stuff and would like to build upon it (at some point, maybe) Alternatively, it'd be cool to be able to define different outputs for different queries (pack 1 goes to this kinesis stream, pack 2 goes to that kinesis stream, etc) Also ++ on more granular RBAC, we want to be able to enable other teams to perform actions but in a limited fashion. I'm less concerned with CIS benchmark validation, I feel like that's very company specific on how CIS compliance is achieved, however I'd love to see more ATT&CK framework rules

@Zach Zeid what specific actions would you want other teams to be able to perform in a limited fashion?

I uh, don't know 🤔 I basically just want to be able to assign specific actions to a user, maybe ideally constrained to specific conditions like queries/packs?

Thank you so much for the feedback, everybody!