SOC/Incident/Investigations

During large-scale or successful lateral movement incidents, we would like to speak with a Huntress security analyst for additional background and guidance, beyond what is listed in the incident report. A 1-hr SLA would be fine.

Please add the ability to add comments to the incidents, as that would improve communication between our team, so they don't have to login to the ticket system and find the ticket to see what the update is.

We receive a ticket now for hosts isolated by the Huntress team as a part of an investigation, but we'd also like a ticket for any manual host isolations performed. If someone calls in because their device can't access the internet, I want a tech to be able to easily identify that as the reason within our ticketing system. If they weren't the tech that isolated within Huntress, they'd have no way of knowing it was triggered there unless they had credentials to the Huntress dashboard and thought to look there.

Would it be possible to have Huntress create a ticket for all investigations, this way it documents the action and time inside a PSA (SyncroMSP in my case)?

When Windows Defender detects blocked Brute Force login attempts to a device, please can Huntress Trigger an Incident investigation which would in turn create a open ticket in our sytems to also investigate.

It would be helpful to communicate with the SOC following an escalation through a chat feature.

Can you add the texts and robocalls for critical incidents at the organization level? It would be nice to be able to set this up for IT managers, etc. at individual customers.

Link Investigation to Incident If an Incident is created based on an Investigation, link the investigation in the incident, and/or ideally include the analyst notes directly in the incident (which means the notes are then in the email, PSA ticket, etc.). Huntress may have already done key research that influences how we react to the incident. Example, a Cobalt Strike beacon was found! But the incident raised was classified LOW. Why Low and not High or Critical? The analyst determined it was a known legitimate beacon from a pen test, and this was documented in the Investigation. However, that extremely-important information is nowhere in the Incident. Only by manually digging through Investigations was it found. And the incident response instructions advise pretty serious actions, like wiping the host, checking logs, checking for compromised accounts, etc. One could spend copious amounts of labor and impact operations unnecessarily, when you see that it was a legit pentest usage (which we doubly-confirmed, of course). (This request is different than https://feedback.huntress.com/feature-requests/p/link-investigation-to-host )

We have a request in from a customer to be able to view the Escalations menu. Currently this is only available to the MSP Partner

Good Afternoon, Cytek currently has an Organization within Huntress called USOSM. Now, we have many clients underneath this organization. Currently, we know we can download a threat report for each organization. But corporate will not have the time to go through over 100 reports and we were hoping that we could just combine each report into one. After some discussions with Andrew Meier and Kyle Sada, we now know this is not a current possibility therefore, I am submitting a feature request in hopes that one day it can be. Thank you again and have a good day. -Tyler A.