ITDR (MDR for Microsoft 365)

As an MSP Account Admin, I have the rights to respond to alerts with full functionality. My clients are Organizational Admins, and they get all the alerts but cannot act on them and they find this rightly frustrating. We've heard from Huntress that you have intended to either expand on those rights OR allow us to create Account Admin rights that can be limited to single organizations or sets of end points. Do you intend to make these changes, ever, and if so- when?

It would be great if there were a true two-way sync of incident statuses

I need the ability to set a start date for location rules in advance. This feature would be beneficial for situations like when a senior lawyer is going on a cruise, and I have the stopover dates. I want to add these dates proactively rather than scheduling them manually later, which can be risky.

It would be nice to be able to view all applied rules in an organization or MSP level to see what has been put out there. A way to audit what the technicians are doing and ensuring that only what is needed is actually in place without having to click on each individual user. Even further an option to export this into report form in order to present to the client and ensure again, only what is needed is there. Ex: Applied Rules User Email Rule Summary? Date Applied(start of rule) Date End(end of rule) etc.?

I realize this would be tricky to implement because of the numberous different ways organizations can implement conditional access policies to block unwanted countries. However, with the introduction of the feature to track unwanted access by countries in Huntress ITDR we've now been doing double duty having to track and enter scheduled exlusions in both Huntress and Entra ID (we utilize the open source CIPP to schedule these exclusions). It would be great if Huntress would integrate with Entra ID so that the scheduled/timed exclusion that we're creating in Huntress to mark that country as allowed would have the ability to link to a conditional access policy that it can update on the start/end dates of the scheduled travel as well. Due to everyone potentially having different conditional access policies - the easiest way I can invision this being implemented is simply pulling a list of the Conditional Access policies from the tenant when scheduling the exclusion and requesting which policy should be used for this particular exclusion. Then Huntress can add the user to that conditional access policy for the exclusion when the scheduled travel starts and then remove them when the scheduled travel ends. This is coincidentally the same way CIPP handles these exclusions. This allows this functionality to work for anyone who has individual conditional access policies for each country, one single conditional access policy for all countries, or anywhere inbetween.

Currently, we’re accurately representing the data we get from MS, but the visual could be better. This is the ability for us to more accurately display MFA status for identities.

We have certain accounts that are used by contractors around the globe. We do not want Huntress to keep notifying us of unexpected logins, and I don't want to have to spend my time creating and maintaining rules for all the countries that are allowed. We want to allow logins from any country except those that are high-risk or sanctioned, like North Korea, Russia, Iran, etc. If we do have a contractor working in one of these countries, then we'd also like the option to create an exception for that specific country while disallowing all the other risky countries.

The escalations per identity in Identity Threat Detection & Response only support the two escalation types of Unexpected Country and Unexpected VPN. All others create new escalations. It would be nice for all escalations to be created with individual identities so that the Autotask integration accounts for all details in an escalation by ensuring each detail becomes a single escalation, which then becomes a single Autotask ticket. As of now, new details are getting added to old escalations that had already been resolved as well as the Autotask ticket completed. When escalations open again, the ticket does not get reopened. This causes a disconnect in our NOC in that escalations show as active in the Huntress console, but in Autotask. Our workaround is to closely monitor the console.

The Managed ITDR team will be adding Informational Alerts as Escalations. These will initially be basic and available by request. We eventually will allow for customization and tuning of these types of alerts. We are looking to immediately develop the following basic escalations: * Admin roles granted to an identity * Successful logins blocked by Conditional Access * Break glass account sign in Please use this topic for feedback and other suggestions relating to Informational Alerts.

If you have a broken tenant, we will tell you.