Managed ITDR

Standard security practice is to do all 3, so having Huntress also reset MFA in addition to revoking all sessions and disabling the account would be helpful.

Per the latest product update, Chris mentioned that permission requirements have changed for ITDR. Huntress should have a way to validate if partner organizations are setup with latest graph API permissions to enable most up-to-date ITDR detections.

I think it would be important for Huntress to set up escalations for any signings from users with global admin roles and allow us to specify expected sign-ins from certain IP addresses. This will help identify when a user accidentally has global admin access, especially if the sign-in occurs from an unexpected IP address, which is usually suspicious.

I ran into an incident report, for foreign country. However the % was 0. USA was 100%. The report showed Guatemala, with 2 logins there. I reached out to Huntress Support, Sam said "we round down to 0, since the number of logins was less than 1% for the Organization, we round down to 0" I explained that this is misleading, and requested this says <1% for the foreign country. He said to submit feedback here.

Allow partners and customers to block all countries and VPNs at the account and organization level

Currently this is only available at the Account / MSP level and not granular down to Organization / Client level.

Generate alert if any users are hit with X number of MFA attempts in a short time span. TTP of social engineering to generate MFA fatigue.

M365 sign-in logs show the US city/state for logins, but conditional access can only operate at the country-level. Not sure if the logs Huntress pulls from M365 include city/state info, but it would be cool to be able to isolate or at least alert/escalate on logins from unexpected states. For example, if all my clients are in Seattle, a login at 3am from Texas is suspicious. A lot of these are caught by unwanted VPN and now malicious datacenter logins, but the ability to deny-by-default and only allow certain states would be great of possible. Might be noisy at first, but for clients who never travel anywhere and always login from the same state, it would be helpful.

Can we look into having the comment log in the escalation thread update with each PSA push?

Could you include a note for which larger company owns a particular VPN service (e.g. SurfEasy VPN -> Norton, TunnelBear -> McAfee, etc.) in Unexpected VPN alerts? It would be super helpful to not have to research this every time our users don't know about a VPN service. Users we reach out to have never heard of SurfEasy/TunnleBear VPNs but as soon as we research and tell them who owns them they say "Oh, yes, I have Norton/McAfee on my phone/computer"