On Monday, August 19, Huntress will activate email and PSA ticket notifications for two new types of escalations. Escalations are important security-related inquiries that Huntress would like your help in answering. They are not incident reports and do not indicate that malicious activity is occurring.
Starting Monday, you might see these two new types of escalations via email or PSA (depending on how you’ve configured escalation notifications in the portal).
Escalation types:
Entra Usage Location Not Set
- This escalation is sent with low severity. It specifies which identities within a particular organization are missing their Microsoft Entra usage location. Huntress relies on the usage location to determine the “home location” for the identity and to alert you if the identity logs in from somewhere else. This escalation type provides details on the affected identities and links to the Huntress knowledgebase article explaining how to set the usage location in Microsoft.
Unexpected Login
- This escalation is sent with high severity. It indicates that an identity has logged in from an unexpected location or with an unexpected VPN. If the Huntress SOC detects clear signs of malicious activity, they might follow up this escalation with an incident report. This escalation can be resolved by creating an Unwanted Access configuration rule that labels the login location or the VPN as expected or unauthorized. Setting the location/VPN as expected helps tune your environment and assist our SOC in filtering out false positives when responding to potential incidents. Setting the location/VPN as unauthorized immediately logs out and disables any affected identities; it will also do the same to those identities logging in from that location/VPN in the future.
We’ve been rapidly iterating on this functionality and will continue to introduce improvements over the next several weeks. Please visit feedback.huntress.com or reach out to support with any questions or concerns. Thanks!
Huntress Product Team