Managed ITDR

We need a better alerting system, or at least some kind of notification should you suddenly not get any data from client tenants.

With the type of access Huntress has to tenants, would it be possible to report on all users that have any type of Admin access to M365 and Entra. This would be really helpful to MSPs

We would expect an alert for suspicious login attempts where the password succeeds, but the sign-in is halted by MFA. Problem: Current alerts fire only on successful sign-ins. Need: Successfully providing a password means a valid credential pair (UN/PW) is compromised, necessitating password rotation, even if MFA blocked the access. Actual Example: A login attempt for an identity from an unusual location using an "axios" user agent provided the correct password but failed due to MFA not being completed. There was no alert/investigation.

Thank you for the recent ability to block all VPNs! Now... It would be really nice if we had the ability to block all residential proxy services, separate from VPNs. Most of our clients don't want us to block all VPNs, as they do have some legitimate use case. But, residential proxy services have no legitimate use case. (at least when it comes to end users connecting to M365) We'd like to block all residential proxy services from the account level, but currently the only way is to make individual unapproved rules for every service on the very long list. Please make blocking all residential proxies as easy as blocking all VPN services! 💘

Hi, would it be possible for the Timeline incident reporting to show the ID of an email and also the time it was accessed by the threatactor? Sometimes there can be multiple emails with the same subject heading, so we would need something extra in order to determine exactly which email was accessed. It would also assist when using MS Purview, as we have the ability to load the email ID's into a search and then generate a report/copy the accessed emails into a PST.

While the ability to set an expiration date on Country Rules is super useful, it would be great if the expiration date / time were based on the user’s local time rather than UTC. Currently, when the desired expiration date is set, the rule expires at 23:59:59 UTC on the selected date. After the UTC offset is applied, this causes the rule to expire earlier (or later) than expected instead of at the end of that day in the local time zone. It would be awesome to have an option to toggle between UTC and local time, or for the expiration to default to local time — consistent with how the rule is displayed after it is saved.

We have some customers where the email address is difficult to identity which users it is, adding the Display Name as a column on the Identities page would remove this issue

At the moment, when creating an expected location or VPN rule, you get the option to apply this against either an identity, or the entire organisation. It would be useful to have an option to create groups within Huntress, and apply expected rules to them. This would help clean up the location and VPN rules dashboard, as we currently have to create multiple rules if there is ever an instance where multiple users would need access from either a specific location or VPN.

When investigating ITDR signals, take into consideration if the signin ip-address belongs to a EDR managed device.

I would like to have the ability to whitelist a specific Trusted IP address instead of having to whitelist an entire country. This feature would provide more granular control over access and improve security management.