Managed EDR

We'd like to see the EDR produce an alert whenever a 'high value' account has it's password changed - to give a specific example the Kerberos Golden Ticket 'krbtgt' account. We've see that a rival XDR platform was able to flag this when we were rotating the password for this account. As an extension to this (and as has been mentioned on another request), any actions against 'high value' users or groups should be flagged e.g. adding or removing users from administrator-level groups which would be a pre-cursor to lateral movement attacks.

As compliance requirements increasingly become more strict, it would be beneficial to plan to have an option on a per-account basis for where their data is stored and/or processed. As I understand today, from your article, all data resides in the US. https://support.huntress.io/hc/en-us/articles/4404012645523-Data-Collected-by-Huntress With respect to recent political instability in the US, the reputation and trust has taken a hit, so giving us this option would help counter this. Data sovereignty perception removes a sales barrier with end customers who are non-technical and not legal-savvy. For my customers, residency in Australia would be optimal, and I can see from 2 other suggestions that EU and UK are also important regions to support.

Tracking and recording user logon and logoff events on a protected Endpoint to monitor access, ensure security, and detect unauthorized activities

During a recent incident, we observed multiple login attempts from foreign countries using a user's compromised credentials. However, Huntress did not generate any alert because the logins were unsuccessful. While we understand Huntress focuses on alerting only for successful logins to reduce noise, we believe this presents a critical visibility gap and is aiming to be reactive and not so much proactive in compromises which is equally if not more important. In this case, the password was already compromised, and the attacker was likely attempting to bypass MFA (e.g., via fatigue attacks). Knowing that someone is attempting logins using a valid password regardless of MFA is a strong indicator of credential compromise and warrants at least a low-severity alert or informational escalation. Being notified in such scenarios could help partners respond before an attacker successfully completes a login and takes further action. We suggest adding an option to alert on: Repeated login attempts from unusual locations using a valid password (even if blocked by MFA) Patterns indicating MFA prompt bombing Any use of a correct password from suspicious geolocations or out of country logins (Similar to out of country logins for successful logins)

When adding an exclusion, it would be helpful to have a description about why we are adding the exclusion - otherwise, over time users will forget why they are added.

Adding additional telemetry streams and views to be able to better identify lateral movement, increasing our overall efficacy and being able to better pinpoint specific attack types.

We would like to see EU customer data that is collected for the Huntress platform stored in a EU Data Centre: Simplifies compliance & reduces regulatory risk. Legal risk is low. Many EU end customers demand EU data residency, especially in specific sectors like healthcare, finance, government and education. Alignment with NIS2 compliance

Want to be able to set a start date for expected rules so that when a client gives us the start and end date of a trip we can add the schedule in when they tell us instead of having to schedule in to do it on the day they leave.

A real-time EDR query endpoint is a feature that allows security professionals to search for and analyze endpoint events in real-time, using a command-line interface or web-based interface. This enables them to investigate potential threats or security incidents as they are happening, rather than waiting for retrospective analysis.

Adding credential theft monitoring seems like an easy fit for Huntress and would kill off a competitor service too.