Ability to mute or suppress repeated escalations for specific identities
Eric Keitz
Currently, repeated escalations are generated for the same user activity — for example, a user who regularly logs in via Proton VPN from their personal device. If an organization does not have a policy against personal VPN use, we do not want to mark Proton VPN globally or at the identity level as expected or unauthorized. However, each time this user logs in via Proton VPN, a new escalation is opened, creating noise and unnecessary alerts.
The challenge is that a VPN is not inherently malicious: a known user may use it legitimately, but the same VPN network could also be leveraged by an attacker to compromise an account. Today, there is no way to differentiate between those cases in Huntress.
We’re not certain what the ideal solution looks like, but options such as identity-level exceptions, contextual rules, or smarter suppression logic would help reduce noise while maintaining security visibility.
Rich Mozeleski
Hey Eric Keitz, would an identity-level rule for Proton VPN not work in this case?
Eric Keitz
Rich Mozeleski Appreciate the follow-up, Rich. My concern is that I don't necessarily want to "Allow" Proton VPN for this user; I was hoping for something in-between. The Dismiss option is perfect, as it feels like we are neither telling the system this type of login is inherently safe or not; however, doing this causes the escalation to reappear over and over again.
Rich Mozeleski
Eric Keitz I understand. We are eventually (i.e., early next year) going to iterate on "Unexpected Logins" in favor of a system of "Anomalous Logins". The current functionality may move into our future ISPM product for partners looking to restrict logins from a compliance perspective. "Anomalous Logins" would utilize enhanced logic and the SOC to make determinations on login malice, with escalations only coming when a SOC analyst cannot determine whether or not a login is malicious or benign.
Eric Keitz
Rich Mozeleski Looking forward to this, thanks for the info, Rich!!