Managed EDR

Huntress logs alerts to ScreenConnect instances. Huntress has the capability to isolate a computer when a severe threat is detected. Rogue ScreenConnect active sessions are a severe threat. We can tell you for sure they are a severe threat by allow listing the one and only host our clients are allowed to connect. Ergo, Huntress should auto-isolate a host when it connects to a known rogue ScreenConnect instance, and you don't have to worry about false positives because we have already told it exactly what it should do. I have said this to every Huntress rep and they all seem puzzled. I don't understand why, all the pieces are already there. This would be a huge bonus for all of us and it seems trivial to implement. Please consider fast tracking this.

The screenconnect host section is very useful. It would be great if we could get a notification about new hosts appearing in here because it would be untypical for a new SC server to be added normally and would usually indicate either an incident, or something that needs to be addressed (i.e the previous IT companies remote access being deployed from somewhere). Ideally this would be expanded to alert on additional Remote Access and RMM tools. E.g Splashtop. Attackers are increasingly using industry standard MSP tools to stay under the radar and being able to give us a heads up directly about this would be great. I appreciate the SOC would alert on suspicious activity, though the MSP will be more aware of the context - the ability for us to toggle an option on for this would be ideal.

We would like for the SOC analyst that performs an org-wide host isolation action to then call each number listed on the "Incident Notification Contacts" list at least once to speak to someone that can let the SOC analyst know if something unique might be happening in the customer environment that could warrant having the SOC analyst fully or partially roll back the org-wide host isolation. It would also be good for the SOC analyst to give the organization contact a quick run-down of what they saw in the environment in case the org contact hasn't seen any details about new incidents being entered into the Huntress platform yet.

Are there any plans to add a browser add in for edge and chrome toprotect from hijacking browsers

The new Huntress detection of Connectwise has been fantastic, we caught some previous IT companies software on our recently acquired clients workstations. It would be amazing if huntress continued this detection and expanded it to detecting other remote access software such as splashtop, teamviewer, anydesk, etc..

Would be good to collect the Mac logs into the SIEM its a requirement for some of our clients right now and makes sense to be in Huntress.

We currently use Azure Virtual Desktop (AVD) and Citrix Cloud, both of which support deleting unused hosts and rebuilding them on demand. It would be highly beneficial if Huntress could better accommodate these environments by enabling continued management of these ephemeral VDA/VDI machines. Ideally, this could be achieved by: Allowing the Huntress agent to automatically uninstall itself when the host is decommissioned (e.g., on shutdown). Providing an API-driven method to remove agents from hosts that have been deleted in the VDI platform. This functionality would ensure that ephemeral VDA/VDI hosts are properly tracked, avoid stale agents, and maintain clean licensing and reporting.

It would be extremely helpful if agents that remain unresponsive for a certain period could automatically transition into a non-billable state. We’ve noticed that in co-managed environments where customers handle their own device refresh cycles - devices are sometimes wiped and shelved when a user leaves, but the Huntress agent isn’t uninstalled. This results in continued billing for inactive devices. Ideally, if an agent remains unresponsive beyond a defined threshold, it would be marked as non-billable. Should the device come back online or re-register, billing and protection could automatically resume.

would like ability to mark an endpoint for further scan or analysis by SOC and get a report back , for example if a user clicks on a phishing link, or opens attachment. Just a way to proactively scan for any or to detect for anything malicious on a one time per needed bases ,

When the portal tells us a machine has "Other AV" Would be nice to know exactly which AV so we can action faster, thanks!