Shadow Workflows
in progress
Rich Mozeleski
The Shadow Workflows capability will provide detection of, and response to, the most common post-compromise malicious activities. These activities include:
- Malicious inbox rule creation (we are completely revamping how we detect malicious inbox rules as part of this effort)
- Malicious phishing campaigns: At a minimum, we will detect and generate an incident report when a mailbox is responsible for a malicious phishing campaign.
- Data exfiltration timeline: Provide a timeline and attack summary within the ITDR incident report to enable users to quickly determine scope of an attack.
Abbey Jo Leyendecker
Merged in a post:
Provide after-action report
Halion Abramovitch
Would be nice if ITDR could provide a full breakdown of what happened.
Example:
- User clicked phishing email at 3:45 PM
- Attacker accessed from country X at 5:30 PM
- Attacker created Exchange rule
- Attacker accessed files XYZ
Petra can do something similar to this already, so it can be done.
Rich Mozeleski
Merged in a post:
SharePoint Monitoring
Will MacFee
Ability to monitor SharePoint events such as file shared publicly, item deleted from retention mechanism, new SharePoint site created, and site deleted, similar to Sherweb's Office Protect.
Rich Mozeleski
Merged in a post:
Shadow Workflows (EA)
Rich Mozeleski
Enhanced and refactored inbox rule detections. This capability is designed to combat the tactics threat actors use to manipulate mail delivery through inbox rules and mail forwarding.
Rich Mozeleski
in progress
Rich Mozeleski
Merged in a post:
Shadow Workflows (GA)
Rich Mozeleski
Detection of, and response to, phishing campaigns and data exfiltration. Anomalous inbox rules are sent to the Triage and Review Queue.
Rich Mozeleski
Merged in a post:
Office 365 Rules - Can't tell if they were enabled or not when Huntress found them
Daniel Stevens
When we get alerted to dangerous mailbox rules in 365, the alert makes it impossible to tell whether or not the rule was ALREADY disabled when Huntress encountered it.
This is a huge problem when onboarding a new client. If the rule is found to be already disabled, then the breach was likely already remediated. If it was enabled, then it's probably an active breach.
The alert should include this critical information.
As it is now, I have to contact tech support and ask them.
Cameron Granger
open
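The post above asks for the rule's enabled state in the alert, and the Shadow Workflows posts describe detecting inbox rules that forward, delete or hide mail. The following is an added example of how those two pieces fit together; it is not Huntress or ITDR code. It assumes audit records shaped like the Exchange `AuditData` returned by `Search-UnifiedAuditLog` (`Operation`, `UserId`, `ClientIP`, `Parameters` as name/value pairs) and a rule snapshot shaped like `Get-InboxRule` output (`MailboxOwnerId`, `Name`, `Enabled`), because the audit event records the rule's parameters but not whether the rule is still enabled at triage time. The tenant domain, folder list, keyword list and all log lines are constructed for the example.

```python
"""Triage anomalous inbox rules and report whether each is still enabled.

Added example, not ITDR/Huntress code. Inputs are assumed to follow the
Search-UnifiedAuditLog AuditData shape (audit) and Get-InboxRule shape
(snapshot). All sample data is constructed.
"""
from dataclasses import dataclass
from typing import Optional

INTERNAL_DOMAINS = {"contoso.com"}  # assumed tenant domains
# Folders attackers route mail into so the victim never sees it.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "archive"}
# Words BEC/phishing rules typically match to suppress finance mail and security warnings.
SUSPICIOUS_WORDS = {"invoice", "payment", "wire", "password", "hacked", "phish", "security", "mfa"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


@dataclass
class Finding:
    mailbox: str
    rule: str
    operation: str
    client_ip: str
    reasons: list
    enabled: Optional[bool]  # None: rule no longer present in the snapshot


def _params(record):
    """Flatten the audit Parameters array into {name: value}."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _addresses(value):
    """Split a ForwardTo-style value ('a@x;b@y' or '["a@x"]') into addresses."""
    cleaned = value.replace("[", "").replace("]", "").replace('"', "").replace(";", ",")
    return [a.strip() for a in cleaned.split(",") if a.strip()]


def _is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def _words(value):
    return {w.strip().lower() for w in value.replace(",", ";").split(";") if w.strip()}


def assess_rule(record):
    """Return the reasons a New-/Set-InboxRule record looks malicious (empty if benign)."""
    p = _params(record)
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        ext = [a for a in _addresses(p.get(key, "")) if _is_external(a)]
        if ext:
            reasons.append(f"{key} external: {', '.join(ext)}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage")
    # MoveToFolder is logged as 'owner@tenant:\Folder'; compare only the leaf folder name.
    folder = p.get("MoveToFolder", "").replace(":", "\\").split("\\")[-1].lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder hidden: {folder}")
    hits = set()
    for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        hits |= _words(p.get(key, "")) & SUSPICIOUS_WORDS
    if hits:
        reasons.append(f"targets keywords: {', '.join(sorted(hits))}")
    name = p.get("Name", "")
    if len(name.strip()) <= 2 or not any(c.isalnum() for c in name):
        reasons.append(f"obfuscated name {name!r}")
    return reasons


def triage(audit_records, rule_snapshot):
    """Pair each anomalous rule with its current Enabled state; still-enabled rules sort first."""
    state = {(r["MailboxOwnerId"].lower(), r["Name"]): bool(r["Enabled"]) for r in rule_snapshot}
    findings = []
    for rec in audit_records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        reasons = assess_rule(rec)
        if not reasons:
            continue
        mailbox, name = rec["UserId"].lower(), _params(rec).get("Name", "")
        findings.append(Finding(mailbox, name, rec["Operation"], rec.get("ClientIP", ""),
                                reasons, state.get((mailbox, name))))
    # True (likely active) before False (likely remediated) before None (rule deleted)
    findings.sort(key=lambda f: {True: 0, False: 1, None: 2}[f.enabled])
    return findings


SAMPLE_AUDIT = [  # constructed audit records
    {"CreationTime": "2024-05-01T15:52:10", "Operation": "New-InboxRule", "UserId": "alice@contoso.com",
     "ClientIP": "203.0.113.7", "Parameters": [
         {"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
         {"Name": "MoveToFolder", "Value": "alice@contoso.com:\\RSS Feeds"}, {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2024-05-01T16:03:41", "Operation": "New-InboxRule", "UserId": "bob@contoso.com",
     "ClientIP": "198.51.100.20", "Parameters": [
         {"Name": "Name", "Value": "Finance copies"}, {"Name": "ForwardTo", "Value": "finance@contoso.com"}]},
    {"CreationTime": "2024-05-02T02:14:05", "Operation": "Set-InboxRule", "UserId": "carol@contoso.com",
     "ClientIP": "203.0.113.7", "Parameters": [
         {"Name": "Name", "Value": ".."}, {"Name": "ForwardAsAttachmentTo", "Value": "[\"drop@mail.example\"]"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-05-02T09:30:00", "Operation": "New-InboxRule", "UserId": "dave@contoso.com",
     "ClientIP": "192.0.2.9", "Parameters": [
         {"Name": "Name", "Value": "Cleanup"}, {"Name": "SubjectContainsWords", "Value": "hacked;password;security"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-05-02T09:31:00", "Operation": "MailItemsAccessed", "UserId": "dave@contoso.com"},
]
SAMPLE_RULES = [  # constructed Get-InboxRule snapshot taken at triage time
    {"MailboxOwnerId": "alice@contoso.com", "Name": ".", "Enabled": True},
    {"MailboxOwnerId": "bob@contoso.com", "Name": "Finance copies", "Enabled": True},
    {"MailboxOwnerId": "carol@contoso.com", "Name": "..", "Enabled": False},
]

if __name__ == "__main__":
    labels = {True: "ENABLED, treat as active", False: "disabled, likely remediated", None: "absent, deleted?"}
    for f in triage(SAMPLE_AUDIT, SAMPLE_RULES):
        print(f"{f.mailbox} rule {f.rule!r} ({f.operation} from {f.client_ip}): "
              f"{labels[f.enabled]}; {'; '.join(f.reasons)}")
```

The point of the snapshot join is the one raised in the post: the audit event alone says what the rule does, not whether it is still in force, so the report carries three distinct states (enabled, disabled, no longer present) rather than collapsing them into one alert. Bob's internal forward produces no finding, which is the benign case the keyword and domain checks have to tolerate.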
Rich Mozeleski
Merged in a post:
Microsoft Expanded Cloud Log Implementation Playbook
Scott Brewster
CISA released its playbook for Microsoft expanded log collection. Please update ITDR to be able to ingest the logs. You can find this playbook here:
Rich Mozeleski
in progress