Linking another similar concept - https://feedback.huntress.com/feature-requests/p/canary-files-force-sync

One more idea, if a Defender threat is found, maybe the agent goes into a 'high risk' category for a period of time. Depending on the scale of 'risk', could determine how often the surveys are sent to look for malicious changes/footholds. After a certain amount of time with nothing else found, it would than go back to 'normal risk' and surveys return to normal time thresholds. You could track stats on how often an endpoint has been on elevated risk and I think this could give some insight. There is always that user that clicks on everything, it would be interesting to be able to correlate some user behavior and would also help determine who would benefit from some SAT.

Also, having a 'Force Survey' button might help here and I see there is already a post about this - https://feedback.huntress.com/feature-requests/p/add-force-survey-button