Continued Unwanted Access Improvements
next quarter
Virgil'la Nicolas'la
Since enabling the 'VPNs Unauthorized by Default' feature, all VPN usage now generates Critical level incidents, which automatically trigger phone alerts 24/7, including a recent 2 AM call. While I want to detect and prevent unauthorized VPN usage, the Critical severity level creates unnecessary after-hours disruptions for routine violations.
I'd like to request a severity level of High for unauthorized VPN incidents, one that generates tickets for business-hours investigation without triggering phone calls, unless accompanied by additional suspicious activity. I'm happy to receive urgent calls for genuine security threats, but 2 AM notifications for a colleague's forgotten Proton VPN connection seem excessive.
Could you consider adding the ability to select the severity option for default VPN detections or allowing custom severity rules for different incident types?
Paul Brunet
Let us allow IPs, subnets and entire ISPs (looking at you, Starlink).
Damien Mallon
Desperately need to be able to bulk select unauthorised countries in ITDR. This way a conditional access policy that allows only 3 countries for example can be replicated in Huntress very easily. Currently, this is a very laborious task in selecting country by country.
Manning Salazar
Would like to see the ability to escalate by location more granular than country. For example, by US state. We have a user with reported logins from states and locations where they are not physically present and need to be alerted to this.
Jessica Loveland
I would love to see the ability to schedule a time frame for expected travel rules, instead of having them start from the time I make the rule. We currently have clients that give us travel plans months out and we have to schedule ourselves so far in advance to set the rule.
Hacene Djelid
I'd love to see it integrate better with Microsoft Entra Conditional Access. For instance, if a conditional access policy restricting/allowing access from certain countries is set, Huntress should follow that and not alert if it sees logins from any of the countries specified in the CA. Thanks
Damien Mallon
Hacene Djelid: Sounds like a really brilliant feature. Would love this, makes so much sense.
James O'Leary
next quarter