would be nice if ITDR could provide a full breakdown of what happened

ex:

user clicked phishing email at 3:45 pm

attacker accessed from country X at 5:30 PM

attacker created exchange rule

attacked access files XYZ

Petra can do something similar to this already so it can be done

Ability to monitor SharePoint events such as File shared Publicly, Item deleted from retention mechanism, new sharepoint site created and site deleted similar to Sherweb's Office Protect

Enhanced and refactored inbox rule detections. This capability is designed to combat tactics exploited by threat actors in manipulating mail delivery using inbox rules and mail forwarding techniques.

Detection and response to phishing campaigns and data exfiltration. Anomalous inbox rules to Triage and Review Queue.

When we get alerted to dangerous mailbox rules in 365, the alert makes it impossible to tell whether or not the rule was ALREADY disabled when Huntress encountered it.

This is a huge problem when onboarding a new client. If the rule is found to be already disabled, then the breach was likely already remediated. If it was enabled, then it's probably an active breach.

The alert should include this critical information.

As it is now, I have to contact tech support and ask them.

CISA released its playbook for Microsoft expanded log collection. Please update ITDR to be able to ingest the logs. You can find this playbook here: