Informational Alerts/Escalations
under review
Rich Mozeleski
The Managed ITDR team will be adding Informational Alerts as Escalations. These will initially be basic and available by request. We eventually will allow for customization and tuning of these types of alerts.
We are looking to immediately develop the following basic escalations:
* Admin roles granted to an identity
* Successful logins blocked by Conditional Access
* Break glass account sign in
Please use this topic for feedback and other suggestions relating to Informational Alerts.
Rich Mozeleski
Merged in a post:
Information Alerts for ITDR
Matt Picarazzi
We would like information alerts for ITDR
Kat Horvath
Currently, when a ticket is created within our PSA it does not contain the identity information. So if a VPN escalation is flagged, it contains the organization/customer and the name of the VPN, but not the actual name of the identity it's flagged on, and someone has to go back into the Huntress console to retrieve it prior to investigating, versus just using all the information in the ticket like we can with an incident.
Could we please get the identity information in the ticket created within the PSA? :)
Jared Roy
What is the problem you have with the lack of informational alerts?
What sort of contact would you expect to be alerted?
What business/operation/workflow problem would this be solving?
I feel like informational alerts could get really noisy, and the point of Huntress is to have a managed service that provides only actionable alerts.
Rich Mozeleski
marked this post as
under review
Rich Mozeleski
Merged in a post:
Generate Critical or High alert for Axios regardless of success
Austin Dennis
Occasionally, I've noticed axios agent sign ins getting blocked by conditional access policies blocking unknown and unsupported device platforms, but these were a result of successful credential harvesting attacks. I don't necessarily mean that a brute force should generate an alert like this, but a sign in that has the correct password that is then blocked by conditional access.
While yes, the threat actor was not successful at compromising a 365 identity, it would be extremely helpful to find out about compromised credentials before they pivot to a new resource such as a VPN or potentially another application with a shared credential.
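As an added example (not part of this thread, and not Huntress's own detection logic), the rule Austin describes plus the "break glass account sign in" escalation from the original post, run over constructed Entra ID sign-in records. The error codes and field names are assumed from Microsoft's public sign-in log schema, and the break glass account name is a placeholder:

```python
import json

# Entra ID sign-in result codes. Assumed from public Microsoft documentation,
# not from this thread.
ERR_SUCCESS = 0
ERR_BAD_PASSWORD = 50126      # credential rejected: brute force / password spray
ERR_BLOCKED_BY_CA = 53003     # password accepted, Conditional Access denied the session

# Constructed placeholder list of emergency-access ("break glass") accounts.
BREAK_GLASS_ACCOUNTS = {"breakglass-01@example.com"}

# Constructed sample sign-in records (not real tenant data), one JSON object per line.
SAMPLE_SIGNIN_LOG = """
{"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online", "userAgent": "axios/1.6.0", "status": {"errorCode": 50126}}
{"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online", "userAgent": "axios/1.6.0", "status": {"errorCode": 53003}}
{"userPrincipalName": "BreakGlass-01@example.com", "appDisplayName": "Azure Portal", "userAgent": "Mozilla/5.0", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Teams", "userAgent": "Mozilla/5.0", "status": {"errorCode": 0}}
"""


def classify(event):
    """Return an escalation reason for one sign-in event, or None."""
    code = event["status"]["errorCode"]
    upn = event["userPrincipalName"].lower()
    if code == ERR_SUCCESS and upn in BREAK_GLASS_ACCOUNTS:
        return "break_glass_signin"
    if code == ERR_BLOCKED_BY_CA:
        # The password step passed and only the CA policy stopped the session,
        # so the credential is treated as compromised even though the sign-in failed.
        return "valid_credential_blocked_by_ca"
    # Wrong-password failures and ordinary successes produce no escalation,
    # which keeps the feed to actionable events rather than every failed guess.
    return None


def escalations(log_text):
    """Parse JSON-lines sign-in records; return (reason, upn, app, user_agent) tuples."""
    found = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        reason = classify(event)
        if reason:
            found.append((reason, event["userPrincipalName"],
                          event["appDisplayName"], event["userAgent"]))
    return found


if __name__ == "__main__":
    for row in escalations(SAMPLE_SIGNIN_LOG):
        print(*row, sep=" | ")
```

The user agent is carried along so an analyst can see at a glance that the blocked-but-authenticated attempt came from a non-browser client rather than a user's normal device.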
Rich Mozeleski
Merged in a post:
Authentication Method Changes on Privileged Accounts
John Hardwick
It would be nice if ITDR could alert on changes to authentication methods on privileged accounts. The registration or change of an auth method should result in an escalation for manual review.
Rich Mozeleski
Merged in a post:
Alerting for new administrative activities for 365
Jordyn Wrape
Create alerting for different types of activities regarding admin roles and permissions, such as when an account is given admin permissions or a new GDAP partnership is created.
Cameron Granger
marked this post as
open
Rich Mozeleski
marked this post as
planned
Ben Marflitt
Would love an alert for mailbox delegation, especially for priority accounts.