ITDR should also cross-reference EDR. If the user's device(s) were also seen in the same country, then that makes the escalation less critical, or even redundant.

Please also identify the country of the VPN exit node in the Escalation, since Huntress currently only shows the IP number of the exit node and our team has to manually look up the country.

Surfacing Intune device information into the Huntress console is crucial for efficient event management. When users travel, their sign-in logs may show activity from different countries, triggering alerts. By displaying the device status directly in Huntress, our team can quickly assess the situation without cross-referencing other systems, reducing unnecessary alerts and improving security management.

This is a critical feature for us also especially when the users sign in logs show the same device in their normal country and then they travel to another country and this is flagged as Unwanted Access. At a minimum we would like to see the device status in Huntress for Device ID and Device Compliance State so our team do not need to cross reference Entra ID when these alerts are triggered. Best case would be for Huntress to use the device telemetry in the sign in logs and if the same device was used within say 3 days in their normal home country then lower the risk score as this would be strong evidence that the user is travelling with a trusted/compliant device (assuming this is not classified as impossible travel).