Escalation Enhancements
planned
Rich Mozeleski
A comprehensive set of improvements to the ITDR escalation system, giving partners more control over their escalation experience and expanding coverage to new threat categories.
Planned enhancements include:
- Automated Response Actions: Option to automatically revoke sessions or disable identities when an escalatable event is detected, stopping potential account takeover immediately.
- Device Compliance Filtering: Suppress escalations from Entra joined, managed, or compliant devices at the account and organization level, reducing noise from trusted corporate devices.
- Escalation Opt-Out: Option to disable Unexpected Login escalation generation entirely at the account and organization level for partners who manage their own security workflows.
- Per-Identity Notifications: Each unique identity that triggers an escalatable event generates a separate notification, ensuring real incidents aren't buried in grouped alerts.
- Enriched Notifications: Escalation emails include tenant name, identity details, source IP, device info, and a direct link to the portal for faster triage.
- New Rogue App Escalations: Configurable escalations for new Entra app registrations and AI tooling apps, providing visibility into OAuth consent grants and shadow AI adoption.
- Admin Role Escalations: Configurable escalations for privileged role assignments and new admin account creation. Know immediately when an identity is granted Global Administrator, Exchange Administrator, or other security-relevant roles.
- Mail Forwarding Escalations: Configurable escalations when a mailbox is set to forward email to a consumer email provider, a primary BEC persistence mechanism.
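As an added example (not Huntress code and not part of the original post), an Exchange Online PowerShell check a partner could run today to surface the condition the Mail Forwarding Escalations item describes: mailbox-level forwarding and inbox-rule forwarding that lands at consumer email providers. The ExchangeOnlineManagement module, an already-consented admin session, and the consumer domain list are assumptions.

```powershell
# Added example (not Huntress code): report mailbox forwarding and inbox-rule forwarding
# that lands at consumer email providers, the BEC persistence pattern the bullet describes.
# Assumes the ExchangeOnlineManagement module and an already-consented admin session.
Connect-ExchangeOnline -ShowBanner:$false

# Constructed sample list; extend to whatever providers your tenants treat as consumer mail.
$ConsumerDomains = @('gmail.com', 'outlook.com', 'hotmail.com', 'yahoo.com', 'icloud.com', 'proton.me')

function Test-ConsumerAddress {
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    # ForwardingSmtpAddress looks like "smtp:user@domain"; inbox-rule recipients render as
    # '"Display" [SMTP:user@domain]'. Pull the bare address out of either form.
    if ($Address -match '\[SMTP:([^\]]+)\]') { $addr = $Matches[1] }
    else { $addr = $Address -replace '^smtp:', '' }
    $domain = ($addr -split '@')[-1].Trim().ToLowerInvariant()
    return $ConsumerDomains -contains $domain
}

$findings  = [System.Collections.Generic.List[object]]::new()
$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mbx in $mailboxes) {
    # 1. Mailbox-level forwarding: survives even after the attacker's inbox rules are deleted.
    if (Test-ConsumerAddress $mbx.ForwardingSmtpAddress) {
        $findings.Add([pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Source = 'MailboxForwarding'
            Target  = $mbx.ForwardingSmtpAddress; KeepsCopy = $mbx.DeliverToMailboxAndForward
        })
    }
    # 2. Inbox rules that forward or redirect; RedirectTo leaves no copy for the user to notice.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if (Test-ConsumerAddress "$t") {
                $findings.Add([pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName; Source = "InboxRule:$($rule.Name)"
                    Target  = "$t"; KeepsCopy = (@($rule.RedirectTo).Count -eq 0)
                })
            }
        }
    }
}

# Triage output. After confirming with the user, remediation is Set-Mailbox -ForwardingSmtpAddress $null
# for mailbox forwarding and Disable-InboxRule / Remove-InboxRule for the offending rule.
$findings | Format-Table -AutoSize
```

Get-InboxRule is called once per mailbox, so on large tenants expect the run to take a while; scoping $mailboxes to recently active or privileged users is a reasonable first pass.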
Rich Mozeleski
Merged in a post:
Whitelist specific trusted IP addresses for ITDR
Sean Lucas
I would like the ability to whitelist specific IP addresses as trusted IPs for ITDR. This feature would enhance security by allowing only certain IPs to access the system, reducing the risk of unauthorized access. It would be beneficial if this capability could be added to the platform.
Rich Mozeleski
Merged in a post:
Ip Whitelisting on login locations
Tyrone Hamilton
Allow users/admins to whitelist IPs that come from a certain user to stop the location alerts, e.g. a user is based in Sri Lanka and accesses all GA accounts.
Being able to whitelist his IPs in Huntress to get rid of that alert would be nice.
Rich Mozeleski
Merged in a post:
Whitelist specific Trusted IP address
Hersh Landau
I would like to have the ability to whitelist a specific Trusted IP address instead of having to whitelist an entire country. This feature would provide more granular control over access and improve security management.
Rich Mozeleski
Merged in a post:
Ability to Add Rules for IP Addresses
Tom Dunsford
In addition to Locations & VPN, it would be useful to create rules based off specific IP addresses.
We've had recent instances where IP enrichment tools incorrectly tagged an IP address as another country. We don't want to allow this country, so the only option is to dismiss the alert. But a new escalation is then created after each sign-in.
Rich Mozeleski
Merged in a post:
Identify AI Applications
Damien Gardner
Being able to quickly identify AI Applications (e.g. M365 MCP Server for Claude) as a category and alert when this is added to an Organisation would be valuable. It would allow us to have conversations with clients and ensure they have policies and procedures in place to ensure data is not leaked.
Rich Mozeleski
Merged in a post:
Create Escalations per Identity for ITDR
Aaron Hall
The escalations per identity in Identity Threat Detection & Response only support the two escalation types of Unexpected Country and Unexpected VPN. All others create new escalations. It would be nice for all escalations to be created with individual identities so that the Autotask integration accounts for all details in an escalation by ensuring each detail becomes a single escalation, which then becomes a single Autotask ticket. As of now, new details are getting added to old escalations that had already been resolved, as well as to Autotask tickets that were already completed. When escalations open again, the ticket does not get reopened. This causes a disconnect in our NOC, in that escalations show as active in the Huntress console but not in Autotask. Our workaround is to closely monitor the console.
Rich Mozeleski
Merged in a post:
ITDR Escalations Send PSA/Email per Identity functionality
Joel Biddle
The "ITDR Escalations Send PSA/Email per Identity" functionality allows Huntress to notify for each instance of Unexpected Country / VPN Escalation, but does not allow for new tickets to be created when a new Usage Location Escalation occurs.
This creates a visibility problem for my team, in that there is no ticket created on our security board in our PSA when a new event occurs. The only "notification" is seeing the event in the Huntress portal. Additionally, without a ticket in our PSA, there's nowhere for my security tech to enter time when resolving these escalations, so he has to create a ticket manually for this anyway.
It would be much better if this feature also applied to Usage Location escalations.
Rich Mozeleski
Merged in a post:
List user and tenant in unexpected login notifications
Jamie Pappas
It's a bit of a pain to have to log in to Huntress to see who these notifications are referring to, especially when I see the notification through my phone or via my ticketing system.
It would be helpful to have the user and tenant listed in the subject line, or at least the body of the email, so I can jump right into their M365 tenant and verify if the sign-in is a problem.
Rich Mozeleski
Merged in a post:
Unwanted Access - Show customer tenant name in e-mail alerts subject
Wolfgang Ververgaert
Unwanted Access sends the alert emails in a different style from the normal incidents. The customer tenant name is not included in the subject. This is mandatory for filtering the mails to the proper customer queues.
Rich Mozeleski
Merged in a post:
Unwanted Access Device Info
Mac Kay
Providing some details about the device when alerting on an unexpected location would help with assessing the situation.
For example:
- Device Name
- Intune managed / Hybrid Joined
- Conditional access status of the sign-in
Knowing the device being used at the unexpected location is company owned, managed and conditional access compliant would significantly reduce the concern with it being in another country.
Conversely, a random sign in from an OS X device in an unexpected country when a user is PC based would be an immediate concern.