Managed ITDR

It would be nice if there were an option to create an alert for successful and/or attempted logins for specified admin account(s).

Often the same phishing email is sent to multiple individual recipients at the same organization. Once adversary activity is detected on one account and an incident is triggered, it would be phenomenal if Huntress would proactively find and remove (soft delete automatically with an option to push a button to hard delete) these emails from all other mailboxes. It would cutdown on additional work required to secure the environment after the first user is successfully phished. MSPs and their partners would really benefit from a feature like this.

Have a Critical incident generated in the event the Emergency Break Glass/ Allocated User is accessed. per Microsoft recommendations https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access

Google ITDR escalations are using Microsoft alert wording and templates. For example, Google login alerts show messages like “usage location provided by Microsoft”. This is confusing in all environments: If only Google is used, the Microsoft wording is misleading If both are used, technicians cannot tell which identity provider triggered the alert without checking the portal Google alerts should use Google-specific wording and clearly indicate the source (Google vs Microsoft) in the alert itself.

Allow specific IP-ranges not only countries in whitelists. Both for organization and per user. Have certain applications in a country I don't want to allow.

I would like to have the ability to create location-based rules using IP addresses. This feature would help in managing access and permissions based on the geographical location of users, enhancing security and compliance.

Providing auditing of shared files specifically to externals users or public and changes in relation to this. Providing some form of alerts for data extraction covering both insider and external threats.

Best practice per Microsoft is to block sign-ins for shared mailboxes. Maybe configuring escalations for shared mailboxes without sign-ins blocked would be an easy way for partners to ensure proper config here.

Add the ability to add multiple countries when creating location rules.

Please add functionality to map multiple Microsoft 365 tenants into a single Huntress organization. We have clients that are acquiring competitors. We need to be able to feed M365 MDR data into Huntress while billing our clients under the parent organization.