Halo PSA tickets should update when hosts are added to EDR Escalations
Chris Nolan
Currently, if an EDR Escalation generates a ticket in Halo PSA, updates to the escalation are not reflected in the ticket. Once the initial escalation is resolved, the ticket closes. If new hosts are added to the escalation, notification is only sent via email and the ticket system has no visibility into the unprotected/escalated hosts. This leaves endpoints unprotected due to lack of visibility.
Chris Nolan
Mathias D'Hoore Yes. It's more nuanced than it would seem:
ITDR Unwanted Access - Support can enable per-identity escalations
ITDR Everything Else, for example: "No Usage Location Set" - Single escalation with no notification if new identities are added, even if the escalation was previously resolved and closed.
EDR - Single escalation with no notification if new hosts are added.
I'm sure there's more nuance than that even. But that's sort of the problem. We want to be notified when issues are discovered, not wait until an agent/identity gets isolated after damage has been done. Escalations are awesome and often alert us to malicious, or even just unexpected, behavior before bad outcomes occur.
Mathias D'Hoore
Chris Nolan Did you ask support about this?
We had a similar issue with ITDR escalations. For ITDR Escalations, support had the ability to change them to per-identity rather than per-customer, which bypassed this issue entirely for us. There, the issue was even worse though, because an additional identity being added to an ITDR Escalation didn't even generate an email alert...