Unwanted Access - Need an option to "dismiss the escalation"
complete
Adam Palmer
Unwanted Access presently only gives you the response choices of Expected or Unexpected. Expected adds the VPN to the allow list, and you have a choice of doing so at the user level or at the organization level. Unexpected triggers a critical incident and blocks the user's sign-in, which is overkill if you just want the Huntress alert to go away.
The easy use case that comes to mind is at our MSP specifically, where our users frequently support and test out many VPN solutions that our customers use. I don't want to allow these solutions org-wide or even at the user level because outside of specific times these actions are completely unexpected, and we should be alerted on each event.
Please help!
Rich Mozeleski
complete
Delivered!
Adam Palmer
Rich Mozeleski Thank you very much Rich and the Huntress dev team! Appreciate partnering on a solution.
Tony Magee
I would like this as well. I'd also like the option to put a timeline in place if needed. So user in Russia until specified date, then remove the rule.
Jamie Pappas
Tony Magee this is doable now if it wasn't back in September :)
Joe Cimino
Another vote for this. In the SMB market, we often have less control on what VPN individual users put on systems and may not be aware of them until we're alerted. Accepting them moving forward isn't responsible, and blocking them will cause more problems than it helps if we don't have a chance to have a conversation with the customer.
'Dismiss' is the move that lets us schedule that call, explain the issue, and find a more permanent resolution, and it's much needed.
Jonathan Bailey
Something along the lines of "unexpected, but not malicious" would be good. I feel like "expected" also implies that we implicitly permit this where it would be better to have a gray area option.
Neil O'Sullivan
Agree completely! Would love to see a block (if the link to 365 allows for it) to be in place to prevent logins without generating an isolation and requiring a technician to take action/review the activity.
Neil O'Sullivan
Adding more context here: given personal devices being present, users may accidentally log in with it connected, so blocking the login itself without killing the entire account will help keep users happier to not be interrupted, but also the clients from receiving angry emails about having to go through a pw reset every time.
Daniel Cronin
Really need this
Abraham Bouzaglou
This is important!
Rich Mozeleski
in progress
Rich Mozeleski
Merged in a post:
More options for Escalations
Ryan Marasco
We had some escalations today where we were given two options:
Unauthorized - Logout and disable these identities
Expected - Allow logins like this
We were hoping for another third option that is something in the middle, like: "Yes, this login is OK, but still alert on future ones."