Managed ITDR

Currently we cannot add more than one unwanted access rule for a single identity/country combo. It would be nice if we could do this. For example, if we know that an identity is traveling to a single country four separate times over the next four months, it would be nice to schedule them all so we don't have to go back and create new rules each time. I don't want to create a rule that spans 4 months if the user is only going to be traveling for a cumulative total of 14 days over that period.

Have a Critical incident generated in the event the Emergency Break Glass/ Allocated User is accessed. per Microsoft recommendations https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access

The Timeline feature is a great feature to have during an incident, but we would like to have the option to export the Timeline. It would be nice to have a simple export button to download the timeline.

Add the ability to add multiple countries when creating location rules.

We need a better alerting system, or at least some kind of notification should you suddenly not get any data from client tenants.

Often the same phishing email is sent to multiple individual recipients at the same organization. Once adversary activity is detected on one account and an incident is triggered, it would be phenomenal if Huntress would proactively find and remove (soft delete automatically with an option to push a button to hard delete) these emails from all other mailboxes. It would cutdown on additional work required to secure the environment after the first user is successfully phished. MSPs and their partners would really benefit from a feature like this.

A comprehensive set of improvements to the ITDR escalation system, giving partners more control over their escalation experience and expanding coverage to new threat categories. Planned enhancements include: Automated Response Actions — Option to automatically revoke sessions or disable identities when an escalatable event is detected, stopping potential account takeover immediately. Device Compliance Filtering — Suppress escalations from Entra joined, managed, or compliant devices at the account and organization level, reducing noise from trusted corporate devices. Escalation Opt-Out — Option to disable Unexpected Login escalation generation entirely at the account and organization level for partners who manage their own security workflows. Per-Identity Notifications — Each unique identity that triggers an escalatable event generates a separate notification, ensuring real incidents aren't buried in grouped alerts. Enriched Notifications — Escalation emails include tenant name, identity details, source IP, device info, and a direct link to the portal for faster triage. New Rogue App Escalations — Configurable escalations for new Entra app registrations and AI tooling apps, providing visibility into OAuth consent grants and shadow AI adoption. Admin Role Escalations — Configurable escalations for privileged role assignments and new admin account creation. Know immediately when an identity is granted Global Administrator, Exchange Administrator, or other security-relevant roles. Mail Forwarding Escalations — Configurable escalations when a mailbox is set to forward email to a consumer email provider, a primary BEC persistence mechanism.

Hello Team, In scenarios where Geo Location does not recognise a location and categorises it as Unknown, having notifications enabled would be extremely beneficial. We recently learned from the company owner that a member of staff travels to Turkey once a month. This activity was not queried at the time, as we typically investigate such events immediately upon receiving a geo-location notification. As no alert was generated, the activity went unnoticed until it was raised separately. While we acknowledge that, in the event of account compromise, other security controls would still provide protection, early notification of sign-ins from an Unknown location could help prevent potential incidents before they escalate. Enabling notifications for these cases would significantly improve visibility and allow for more proactive security monitoring.

The Managed ITDR team is looking to improve the onboarding experience for tenants in Q3 of 2025. This will include a revamped CSP/GDAP onboarding for streamlining the onboarding of many tenants. Please comment here on other onboarding improvements you'd like to see us work on!

Configure an setup an unwanted access rule to become active in the future. Example: Set up an expected rule permitting US-based logins on the 5th of May, but the rule won't activate until the 10th of May. Partners could then plan client travel in advance.