Unexpected VPN - Escalate only if not from a known device
Yidel Steinfeld
The Problem: Currently, VPN alerts might trigger regardless of whether the device is a managed/registered asset. This creates noise for IT teams who allow remote users to connect via VPN on their company-issued laptops (e.g., accessing WhatsApp from Dubai).
The Solution:
Implement a "Device Awareness" filter for VPN-related detections.
Known Device: If a VPN connection originates from a device with the Huntress agent already installed, or a device registered/joined in Intune, the escalation should reflect that.
Otto Rivera Sanchez
This would be especially useful with mobile devices managed via Intune; the MDR/EDR can correlate whether it's the same device using one of the private relay functions, to avoid noise from false positives.
Ryan Sipes
We've got integration between EDR and ITDR now, so this should definitely happen.
Similarly, detections from new/extra-sus VPNs should be more heavily scrutinized when the user logs in from unknown devices but typically logs in from devices registered/joined to Entra or protected by Huntress.
Chris Bareham
I hadn't thought about this capability, but I like it!
We have the EDR agent on the host and the ITDR monitoring the IdP ... there are plenty of indicators that line up between those two capabilities, and I agree it would lower the noise. Even if it still showed in the platform as a notification so we could add the VPN to the Expected and/or talk to the user/customer if not authorized. But the notifications/isolation based on this event could be lowered!
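The triage logic proposed in the original request and refined in Ryan's reply (known device via EDR agent or Intune lowers the outcome to a notification; unknown device for a user who normally signs in from known devices raises it), as an added example. This is illustrative code written for this page, not Huntress product code or any vendor API; the device inventories, VPN names, users and sign-in history are all constructed, and the thresholds (30-day window, 80% known-device baseline) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed inventories for this example; every identifier below is hypothetical.
# In a real pipeline these sets would be pulled from the EDR console and the Intune/Entra device list.
EDR_HOSTS = {"LAPTOP-0451", "LAPTOP-0777"}              # hosts with the Huntress agent installed
INTUNE_DEVICE_IDS = {"dev-aaaa-1111", "dev-bbbb-2222"}  # Entra-joined/registered (Intune) device IDs
EXPECTED_VPNS = {"Corp-GlobalProtect"}                  # VPN providers already marked Expected


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    vpn_provider: Optional[str]       # None when the source IP is not a known VPN exit
    device_id: Optional[str] = None   # Entra device ID from the sign-in log, if present
    hostname: Optional[str] = None    # hostname if the EDR can tie the session to a host


def device_known(ev: SignIn) -> Optional[str]:
    """Return which inventory vouches for the device ('edr-agent' or 'intune'), else None."""
    if ev.hostname in EDR_HOSTS:
        return "edr-agent"
    if ev.device_id in INTUNE_DEVICE_IDS:
        return "intune"
    return None


def known_device_ratio(user: str, history, now: datetime, window_days: int = 30) -> float:
    """Fraction of the user's sign-ins inside the window that came from a known device."""
    recent = [h for h in history
              if h.user == user and timedelta(0) <= now - h.ts <= timedelta(days=window_days)]
    if not recent:
        return 0.0
    return sum(1 for h in recent if device_known(h)) / len(recent)


def triage(ev: SignIn, history, now: Optional[datetime] = None) -> dict:
    """Decide what an unexpected-VPN sign-in should do: ignore, suppress, notify or escalate."""
    now = now or ev.ts
    if ev.vpn_provider is None:
        return {"action": "ignore", "severity": "none", "reason": "not a VPN sign-in"}
    if ev.vpn_provider in EXPECTED_VPNS:
        return {"action": "suppress", "severity": "none",
                "reason": f"{ev.vpn_provider} is on the Expected list"}
    source = device_known(ev)
    if source:
        # Known device: keep it visible so the VPN can be added to Expected, but do not escalate/isolate.
        return {"action": "notify", "severity": "low",
                "reason": f"unexpected VPN {ev.vpn_provider} from a device known via {source}"}
    ratio = known_device_ratio(ev.user, history, now)
    if ratio >= 0.8:  # assumed threshold: the user almost always signs in from a known device
        return {"action": "escalate", "severity": "high",
                "reason": f"unknown device; {ev.user} normally signs in from known devices "
                          f"({ratio:.0%} of recent sign-ins)"}
    return {"action": "escalate", "severity": "medium",
            "reason": "unknown device and no known-device baseline for this user"}


# Constructed sample history: alice usually signs in from her Intune-joined, agent-protected laptop.
_T0 = datetime(2024, 5, 1, 9, 0)
SAMPLE_HISTORY = [
    SignIn("alice", _T0 + timedelta(days=d), None, device_id="dev-aaaa-1111", hostname="LAPTOP-0451")
    for d in range(10)
]

# Constructed events exercising each branch (all values hypothetical).
_NOW = _T0 + timedelta(days=11)
EVENTS = {
    "plain": SignIn("alice", _NOW, None, device_id="dev-aaaa-1111"),
    "expected_vpn": SignIn("alice", _NOW, "Corp-GlobalProtect"),
    "vpn_known_host": SignIn("alice", _NOW, "Unlisted-VPN", hostname="LAPTOP-0451"),
    "vpn_known_intune": SignIn("alice", _NOW, "Unlisted-VPN", device_id="dev-bbbb-2222"),
    "vpn_unknown_device": SignIn("alice", _NOW, "Unlisted-VPN"),
    "vpn_no_baseline": SignIn("bob", _NOW, "Unlisted-VPN"),
}


def run_all() -> dict:
    """Triage every constructed event against the constructed history."""
    return {name: triage(ev, SAMPLE_HISTORY) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:20s} {result['action']:9s} {result['severity']:7s} {result['reason']}")
```

The "notify" branch is what Chris describes: the event still lands in the platform so the VPN can be added to Expected or the user asked about it, but nothing is isolated. The baseline check only fires when the user has recent history; a user with no sign-ins in the window gets a medium escalation rather than a silent pass.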