ITDR (MDR for Microsoft 365)

We want to know immediately when this happens so that we can verify the account changes.

We use Conditional access policies for our clients when they travel out of country. As such, the users will be connecting to their O365 account from a different location than their accounts set Usage location. Can Huntress auto propagate a tenant's Conditional Access policies to the ITDR Location Rules. This would help reduce the amount of "Unexpected Location" escalations. Whether this be through automatic creation of Location Rules, based on Conditional Access policies from Azure/Entra. Or Huntress references the Conditional Access policies that are applied to the users account, before creating "Unexpected Location" escalations.

Please add functionality to map multiple Microsoft 365 tenants into a single Huntress organization. We have clients that are acquiring competitors. We need to be able to feed M365 MDR data into Huntress while billing our clients under the parent organization.

When we get alerted to dangerous mailbox rules in 365, the alert makes it impossible to tell whether or not the rule was ALREADY disabled when Huntress encountered it. This is a huge problem when onboarding a new client. If the rule is found to be already disabled, then the breach was likely already remediated. If it was enabled, then it's probably an active breach. The alert should include this critical information. As it is now, I have to contact tech support and ask them.

Huntress does not send out new alerts or notifications when a new event occurs under an old Escalation. These new events often go unnoticed by the partner because they're not always scanning the ITDR dashboard and no notification was sent.

Please bring back the ability to click into a user's account and pull up their recent audit/sign-in activity! That was a tool I used all the time and was very helpful, especially since there doesn't seem to be a filter available for the "All Events" view either. Definitely helped make my life much easier and efficient when checking user activity. Thanks!

it's a bit of a pain to have to log in to huntress to see who these notifications are referring to, especially when i see the notification through my phone or via my ticketing system it would be helpful to have the user and tenant listed in the subject line or at least the body of the email so i can jump right into their m365 tenant and verify is the sign in is a problem

Hey Everyone We would strongly recommend to put alerts in place when a Global Admin gets excluded from MFA. Our internal practice for this is good for change management, but unfortunately we several large co managed IT and have found repeatedly admin accounts get excluded from CA policies. Would like an alert if an admin is excluded, as well as another dashboard that tracks Admins without MFA specifically in addition to users. We feel like this is our biggest risk to tenant compromise so would like to get some hooks around it.

Add support for Google Workspace for MDR (similar to the O365 MDR).

We need a better alerting system, or at least some kind of notification should you suddenly not get any data from client tenants.