Shadow Workflows
in progress
Rich Mozeleski
The Shadow Workflows capability will provide detection and response of the most common post-compromise malicious activities. These activities include:
- Malicious inbox rule creation (we are completely revamping how we detect malicious inbox rules as part of this effort)
- Malicious phishing campaigns: At a minimum, we will detect and generate an incident report when a mailbox is responsible for a malicious phishing campaign.
- Data exfiltration: At a minimum, we will detect malicious file downloads from the Microsoft ecosystem.
Rich Mozeleski
Merged in a post:
SharePoint Monitoring
W
Will MacFee
Ability to monitor SharePoint events such as File shared Publicly, Item deleted from retention mechanism, new sharepoint site created and site deleted similar to Sherweb's Office Protect
Rich Mozeleski
Merged in a post:
Shadow Workflows (EA)
Rich Mozeleski
Enhanced and refactored inbox rule detections. This capability is designed to combat tactics exploited by threat actors in manipulating mail delivery using inbox rules and mail forwarding techniques.
Rich Mozeleski
in progress
Rich Mozeleski
Merged in a post:
Shadow Workflows (GA)
Rich Mozeleski
Detection and response to phishing campaigns and data exfiltration. Anomalous inbox rules to Triage and Review Queue.
Rich Mozeleski
Merged in a post:
Office 365 Rules - Can't tell if they were enabled or not when Huntress found them
D
Daniel Stevens
When we get alerted to dangerous mailbox rules in 365, the alert makes it impossible to tell whether or not the rule was ALREADY disabled when Huntress encountered it.
This is a huge problem when onboarding a new client. If the rule is found to be already disabled, then the breach was likely already remediated. If it was enabled, then it's probably an active breach.
The alert should include this critical information.
As it is now, I have to contact tech support and ask them.
C
Cameron Granger
open
Rich Mozeleski
Merged in a post:
Microsoft Expanded Cloud Log Implementation Playbook
S
Scott Brewster
CISA released its playbook for Microsoft expanded log collection. Please update ITDR to be able to ingest the logs. You can find this playbook here:
Rich Mozeleski
in progress