Ability to mute or suppress repeated escalations for specific identities
Eric Keitz
Currently, repeated escalations are generated for the same user activity — for example, a user who regularly logs in via Proton VPN from their personal device. If an organization does not have a policy against personal VPN use, we do not want to mark Proton VPN globally or at the identity level as expected or unauthorized. However, each time this user logs in via Proton VPN, a new escalation is opened, creating noise and unnecessary alerts.
The challenge is that a VPN is not inherently malicious: a known user may use it legitimately, but the same VPN network could also be leveraged by an attacker to compromise an account. Today, there is no way to differentiate between those cases in Huntress.
We’re not certain what the ideal solution looks like, but options such as identity-level exceptions, contextual rules, or smarter suppression logic would help reduce noise while maintaining security visibility.
Rich Mozeleski
Hey Eric Keitz, would an identity-level rule for Proton VPN not work in this case?
Eric Keitz
Rich Mozeleski Appreciate the follow-up, Rich. My concern is that I don't necessarily want to "Allow" Proton VPN for this user; I was hoping for something in-between. The Dismiss option is perfect, as it feels like we are neither telling the system this type of login is inherently safe or not; however, doing this causes the escalation to reappear over and over again.