Managed AV - Alert on Unhealthy/Unmanaged AV Status
complete
Jason Lang
Thanks all, I came to this request looking for a way to parse out these notifications to our different clients' helpdesks. Is it possible to include the client name and possibly the endpoint name in the email notifications that get sent out from these alerts? Currently we get an alert but no specific information is included in the alert; we must log in to the Huntress GUI to get any specific info.
Thanks!
Taylor Bryant
complete
Taylor Bryant
Over the next three days we are rolling out a new Escalation type for Managed Antivirus endpoints that use Microsoft Defender as the primary antivirus. This escalation will trigger for any endpoint that is set to Enforce for Managed Antivirus and the Microsoft Defender Real-time Protection engine has been disabled for longer than 2 hours. There is an ‘Email (Escalations)’ field in the Integration settings in Huntress that determines who is notified when this happens.
Defender has a lot of tools built into it that allow it to self-correct. Based on our research, if the endpoint has the Real-time Protection engine disabled longer than 2 hours, it will most likely need manual intervention to bring it back to a healthy state.
Learn more about Huntress Escalations and get answers to your questions in this article: https://support.huntress.io/hc/en-us/articles/4405464541459-Escalations
Let us know what you think!
Matthias Kittok
Taylor Bryant: This is great! It would additionally be great to get a way to tell if the Defender for Endpoint vs Defender free version is enabled. Unfortunately, it doesn't update WMI. We would like to get a Huntress alert if it is only running the free version.
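As an added local check (not Huntress code, and not part of this thread), the script below reproduces the condition the escalation above fires on, whether Defender Real-time Protection has been off for longer than 2 hours, and also reports whether the Defender for Endpoint sensor service is present, which is the distinction Matthias asks about. It assumes an elevated PowerShell session on a Windows host with Microsoft Defender, and uses the Defender operational log event IDs 5001 (real-time protection disabled) and 5000 (enabled) to estimate how long protection has been off.

```powershell
# Added example, not Huntress code. Run elevated on a Windows host with Defender.
# Assumption: the 2-hour threshold mirrors the escalation described in the thread.
param([int]$ThresholdHours = 2)

$status     = Get-MpComputerStatus
$rtpEnabled = $status.RealTimeProtectionEnabled

# Newest real-time protection state change in the Defender operational log.
# 5001 = real-time protection disabled, 5000 = real-time protection enabled.
$lastChange = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5000, 5001
} -MaxEvents 1 -ErrorAction SilentlyContinue

# Only compute a duration when protection is currently off and the last event was a 5001.
$disabledFor = $null
if (-not $rtpEnabled -and $lastChange -and $lastChange.Id -eq 5001) {
    $disabledFor = (Get-Date) - $lastChange.TimeCreated
}

# The 'Sense' service (Windows Defender Advanced Threat Protection Service) exists
# only when the host is onboarded to Defender for Endpoint; its absence means the
# built-in Defender AV is running without the MDE sensor.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    RealTimeProtection  = $rtpEnabled
    AMRunningMode       = $status.AMRunningMode
    DisabledFor         = $disabledFor
    ExceedsThreshold    = [bool]($disabledFor -and $disabledFor.TotalHours -ge $ThresholdHours)
    DefenderForEndpoint = $(if ($sense) { "Sense service $($sense.Status)" } else { 'Not onboarded (Sense service absent)' })
}
```

Run it from an RMM script on enforced endpoints and raise a ticket when `ExceedsThreshold` is `True`; the `Sense` check is a service lookup rather than a WMI query, so it is unaffected by the WMI staleness mentioned above.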
Taylor Bryant
in progress
Thomas Teitzel
I'd like to see threat detection alerts as well. We had legitimate files quarantined during a script execution that would have been missed until they were required. Just so happened that I checked the Huntress portal and saw the false positives.
Taylor Bryant
We're looking at leveraging our existing Escalation flow to alert on enforced endpoints that have Defender Disabled for an extended period of time.
We've done some work behind the scenes to automatically correct endpoints that were unhealthy for other reasons (like scan and signature updates being needed), which has helped a lot there. There isn't much we can do to correct Defender being disabled automatically (AVs don't like external tampering), and it opens the endpoint to the most risk, so that is why we are starting our alerts there.
We want to be able to get this out as soon as possible, so our first iteration won't include PSA integration. These requests specifically called out getting it all the way to a PSA so I just wanted to be transparent on our plan. Just because the first iteration doesn't include PSA integration it doesn't mean we won't get there in the future though.
We're still planning out some details so I won't be able to answer every question at this time, but I just wanted to keep everyone interested in the loop.
Thank you all for your feedback and interest in helping us improve our product!
Taylor Bryant
planned
Anthony Quaresima
I agree this should be in Halo, but we have used our PSA to make sure all Defenders are online and, if not, raise an alert/ticket as a workaround.
Jason Cook
Great idea, this would be really helpful.