Managed ITDR

If there is a "Login from Unexpected Country" escalation, there should be a secondary check to see if there is a Huntress agent registered to the same client located at that same IP. If there is an agent registered to the same account at that IP, we can be reasonably sure that the login is expected.

Is there any thought to creating a CA rule that Huntress Manages Dynamically that blocks known bad IP's before they become an issue.

I tested the Exfiltration timeline against a controlled test scenario. In my scenario, I: Logged in from a blocked VPN Deleted 4 emails Viewed others Sent 1 email to 4 users Change technical contact in Entra Downloaded various Onedrive files Made new onedrive files Before I could do anything else, Huntress locked me up. The timeline did detect email deletions and send - but it did not detect anythign else. This surprised me as after doing a GAL audit, and filtering results to the IP of the VPN service, I saw all these actions were detected. Maybe this is what is being planned here: https://feedback.huntress.com/reporting-api/p/investigative-timeline-added-to-incidents But it would be nice to see this feature epanded on. Currently it is super pretty in the portal, but I would be happy if it were just the raw logs - saves the time of putting together an Audit and analyzing it. Thank you.

Need a way to select multiple countries or VPN providers to build rules.

The integration with Microsoft pulls all licensed users. We need to filter these users and apply ITDR to those we specify. We are wasting money by having exchange online or student licensing being applied to ITDR when they are not supposed to be.

Sometimes we will receive notice of BEC/compromise before the Huntress ITDR alert, and we will internally remediate the identity. It would be nice if there was a way for us to proactively notate what we discovered and the steps we took on the identity in the huntress portal. That way if/when those signals are later investigated by Huntress SOC, or escalated to another technician internally, alerting/work is not being duplicated

Add an option to export the Dara Exfiltration Timeline as a report.

Please add functionality to map multiple Microsoft 365 tenants into a single Huntress organization. We have clients that are acquiring competitors. We need to be able to feed M365 MDR data into Huntress while billing our clients under the parent organization.

Hi All! Currently when we get incidents generated on Huntress in case if this is a phishing attack and the user clicked on the link, we only get the IP attack occurred from. It would be extremely useful if we had the email of malicious sender and the contents of the email so we could have an idea how this has happened. Currently there no such function in place, I got a confirmation with Huntress support. On the top of that, it would be awesome to see what other mailboxes have received it an also if they interacted with the email and its content and purging the malicious email out of the mailboxes. Another useful function would be blocking the malicious sender for a set period of time. A product called "Phishier" of Knowbe4 has that functionality for reference

Currently, I have to create rules for each VPN individually, which is time-consuming. It would be helpful to have an option to create a rule that covers all VPNs at once, streamlining the process.