ITDR (MDR for Microsoft 365)

Really basic request: in the "escalation" email from ITDR, it shows org, but not user account. It would be really handy to see the affected user account in the email body also. And 2 cents: the way the paragraph is formatted, I always have to slow way down to find the org name buried in all the words.

It would be amazing if you could create an expected location rule for a specific user with a policy expiration date through the Huntress API. Seeing as how you already sponsor CIPP, I think this would be a great addition to their existing vacation mode, which excludes a user from a conditional access policy for a period of time. This would prevent the Huntress escalation for the unknown location, as it would already be defined before the user traveled. Other partners could also use this API with other automation platforms like Rewst. This would reduce the need to hop to different portals, allow us to be more proactive, and provide better details to the Huntress team without our help desk forgetting.

Seeking the ability to export the list of billable users from the billable identities page- https://MYSITE.huntress.io/account/managed_identity/user_entities?filters%5Bbillable_licenses%5D=true

“Deny all” country by default and bring “deny all” for country and VPN down to the organization level (currently an account-level only)

Google tenant integrations, identity onboarding, and basic event ingestion.

If you have a broken tenant, we will tell you.

I realize this would be tricky to implement because of the numberous different ways organizations can implement conditional access policies to block unwanted countries. However, with the introduction of the feature to track unwanted access by countries in Huntress ITDR we've now been doing double duty having to track and enter scheduled exlusions in both Huntress and Entra ID (we utilize the open source CIPP to schedule these exclusions). It would be great if Huntress would integrate with Entra ID so that the scheduled/timed exclusion that we're creating in Huntress to mark that country as allowed would have the ability to link to a conditional access policy that it can update on the start/end dates of the scheduled travel as well. Due to everyone potentially having different conditional access policies - the easiest way I can invision this being implemented is simply pulling a list of the Conditional Access policies from the tenant when scheduling the exclusion and requesting which policy should be used for this particular exclusion. Then Huntress can add the user to that conditional access policy for the exclusion when the scheduled travel starts and then remove them when the scheduled travel ends. This is coincidentally the same way CIPP handles these exclusions. This allows this functionality to work for anyone who has individual conditional access policies for each country, one single conditional access policy for all countries, or anywhere inbetween.

It would be super helpful to have some additional context around the installed apps section of the ITDR portal. For example, if Huntress can determine the publisher of a particular installed app, it would be useful information to know so that it could be filtered out. It looks like Microsoft publishes a ton of apps that work in the background on Azure/M365, but they are not identified as Microsoft apps. At this point we could probably just filter those out and focus on the third party ones. Any additional information gathered would be super helpful too!

Currently, we’re accurately representing the data we get from MS, but the visual could be better. This is the ability for us to more accurately display MFA status for identities.

So its great that Huntress can disable a user but the issue is that when it sync's back to the on prem server if that user is not locked will re-enable the users account and remove the block. This is an issue because we want the account to be locked until we can look into it but if its not locked on the server the user just has to wait until the sync and then they are re-enabled.