Managed EDR

Huntress logs alerts to ScreenConnect instances. Huntress has the capability to isolate a computer when a severe threat is detected. Rogue ScreenConnect active sessions are a severe threat. We can tell you for sure they are a severe threat by allow listing the one and only host our clients are allowed to connect. Ergo, Huntress should auto-isolate a host when it connects to a known rogue ScreenConnect instance, and you don't have to worry about false positives because we have already told it exactly what it should do. I have said this to every Huntress rep and they all seem puzzled. I don't understand why, all the pieces are already there. This would be a huge bonus for all of us and it seems trivial to implement. Please consider fast tracking this.

The screenconnect host section is very useful. It would be great if we could get a notification about new hosts appearing in here because it would be untypical for a new SC server to be added normally and would usually indicate either an incident, or something that needs to be addressed (i.e the previous IT companies remote access being deployed from somewhere). Ideally this would be expanded to alert on additional Remote Access and RMM tools. E.g Splashtop. Attackers are increasingly using industry standard MSP tools to stay under the radar and being able to give us a heads up directly about this would be great. I appreciate the SOC would alert on suspicious activity, though the MSP will be more aware of the context - the ability for us to toggle an option on for this would be ideal.

We have had several endpoints where Windows Defender shows as healthy and managed, but the settings on the endpoint are out of sync with the managed settings for some reason. This is resolved by setting the endpoint to audit mode, and then flipping it back to enforced mode, but I feel like we really need a way to be able to get these reported to us, and either have an automated remediation of doing this, or at least notify us so that we can perform this action as needed vs finding these machines by random chance.

We would like for the SOC analyst that performs an org-wide host isolation action to then call each number listed on the "Incident Notification Contacts" list at least once to speak to someone that can let the SOC analyst know if something unique might be happening in the customer environment that could warrant having the SOC analyst fully or partially roll back the org-wide host isolation. It would also be good for the SOC analyst to give the organization contact a quick run-down of what they saw in the environment in case the org contact hasn't seen any details about new incidents being entered into the Huntress platform yet.

Parse IIS logs and exchange logs for known Indications of Comprimises. A lot of the latest Exchange vulnerabilities last few years have had "easy to detect" IOCs, but not many tools have the posibility to automatically parse for these IOC's. Exchange has hat a lot of RCE and other high CVSS vulnerabilities and could be used to used to gain knowledge of internal infrastructure. Would be great if Huntess could: identify Exchange servers and IIS servers and report version numbers. help warn if known vulnerabilities on the Exchange Servers. Monitor known exchange and IIS logs for known IOC's and report if found! (last one could be a feature in SIEM, requiring upsell :))

Are there any plans to add a browser add in for edge and chrome toprotect from hijacking browsers

The new Huntress detection of Connectwise has been fantastic, we caught some previous IT companies software on our recently acquired clients workstations. It would be amazing if huntress continued this detection and expanded it to detecting other remote access software such as splashtop, teamviewer, anydesk, etc..

Would be good to collect the Mac logs into the SIEM its a requirement for some of our clients right now and makes sense to be in Huntress.

We would like incidents for suspicious logins - unexpected countries, VPN usage etc, to be bypassed if the activity has come from Microsoft MDM Managed Devices

Huntress currently detects passwords in plain text, and the supporting SAT material suggests users should invest in a secure password manager. However no mention or alerting is available when users utilise password managers built into web browsers, which are generally inferior to full functionallity password managers. There is also the added risk of passwords being saved to the browser account (Google, Microsoft, etc), and then being downloaded and used on less secure devices which may not meet the companies security requirements, or already be compromised. It would be ideal to have (when enabled) EDR detect events of users saving passwords in browsers and flag them as a security incident for review.