Title
#fleet
mikermcneil

mikermcneil

10/22/2021, 3:03 AM
What would make Fleet 10x better?
j

Jason

10/22/2021, 1:41 PM
• A "Canned" set of CIS policies • Webhooks / alerts / notifications for policy violations (maybe this is here already?) • "Canned" FIM examples • (really big one) duplication of functionality in tools like Velociraptor for DFIR. This probably includes some default carves for incident response • For Ops purposes, perhaps some queries / guides for process monitoring.
1:42 PM
I personally think the CIS validation is probably a better fit than vuln management. Not sure who else cares about this stuff.
m

MarkMurdock

10/22/2021, 2:02 PM
👍
Jocelyn Bothe

Jocelyn Bothe

10/22/2021, 2:45 PM
database sharding so we can scale the DB writer across multiple instances
2:46 PM
customizable RBAC, so I could allow certain people edit access to certain queries/packs, but not others
zwass

zwass

10/22/2021, 6:26 PM
@Jocelyn Bothe The RBAC in Teams (Fleet Premium) allows giving users access to edit the schedule only for Teams where they have the appropriate permissions. This might be what you're looking for?
Jocelyn Bothe

Jocelyn Bothe

10/22/2021, 6:37 PM
not precisely for example, I want our Tier 1 support team to be able to remove a specific query from a specific pack when specific error conditions that we monitor for alert, but I don't want our Tier 1 Support Team to be able to do ANYTHING else
zwass

zwass

10/23/2021, 2:37 AM
Ah, interesting! Are there other quite fine-grained permissions you'd like to be able to work with?
Mystery Incorporated

Mystery Incorporated

10/24/2021, 7:35 PM
The ability to set alerts in fleet from the web UI, and those alerts would ideally be wrote into results.log as JSON just like osquery results and those alerts can be shipped from there and actioned from elastic or whatever (maybe as webhooks too). You might think what's the point when we have queries, but stuff like vulnerabilities are processed by fleetdm, and it could allow for some things like "Alert me when a machine has < 10% disk space" and even if that is ultimately a query behind the scenes, it reduces some complexity and take the pain for a novice writing a complex query into a few clicks. Then have like an alerts dash/interface for the alerts that have been set.
r

Ryan

10/25/2021, 12:51 PM
I’d love to see the vulnerabilities stuff add a main dashboard page that gives a summary, to complement the per-host page. Handy for seeing the statues “at-a-glance”. I’d also love to see the data there made available in queries too, so we can create query packs for CVE status, and ingest those into ELK along with the normal query pack data.
z

Zach Zeid

10/25/2021, 3:05 PM
++ on having a more robust landing page, configurable maybe? Unlike others, I find great value in the vuln man stuff and would like to build upon it (at some point, maybe) Alternatively, it'd be cool to be able to define different outputs for different queries (pack 1 goes to this kinesis stream, pack 2 goes to that kinesis stream, etc) Also ++ on more granular RBAC, we want to be able to enable other teams to perform actions but in a limited fashion. I'm less concerned with CIS benchmark validation, I feel like that's very company specific on how CIS compliance is achieved, however I'd love to see more ATT&CK framework rules
Andrew Bare

Andrew Bare

10/25/2021, 3:25 PM
@Zach Zeid what specific actions would you want other teams to be able to perform in a limited fashion?
z

Zach Zeid

10/26/2021, 3:42 PM
I uh, don't know 🤔 I basically just want to be able to assign specific actions to a user, maybe ideally constrained to specific conditions like queries/packs?
mikermcneil

mikermcneil

10/27/2021, 7:36 PM
Thank you so much for the feedback, everybody!