ITDR (MDR for Microsoft 365)

If you have a broken tenant, we will tell you.

The Managed ITDR team will be adding Informational Alerts as Escalations. These will initially be basic and available by request. We eventually will allow for customization and tuning of these types of alerts. We are looking to immediately develop the following basic escalations: * Admin roles granted to an identity * Successful logins blocked by Conditional Access * Break glass account sign in Please use this topic for feedback and other suggestions relating to Informational Alerts.

Allow us to create a rule that sets a (or multiple) countries as Allowed and all others as Unexpected

Google tenant integrations, identity onboarding, and basic event ingestion.

When an account experience say 100 failed login attemps in 1 hour but the 101 login is succesvol this might indicate a successfull brute force attack. In that case I want to know. Number of attempts and timeframe to be defined; this was just an example.

Currently, we’re accurately representing the data we get from MS, but the visual could be better. This is the ability for us to more accurately display MFA status for identities.

Seeking the ability to export the list of billable users from the billable identities page- https://MYSITE.huntress.io/account/managed_identity/user_entities?filters%5Bbillable_licenses%5D=true

Add support for Google Workspace for MDR (similar to the O365 MDR).

It would be super helpful to have some additional context around the installed apps section of the ITDR portal. For example, if Huntress can determine the publisher of a particular installed app, it would be useful information to know so that it could be filtered out. It looks like Microsoft publishes a ton of apps that work in the background on Azure/M365, but they are not identified as Microsoft apps. At this point we could probably just filter those out and focus on the third party ones. Any additional information gathered would be super helpful too!

Can their be a way to pick multiple countries for a user instead of needing to create a new rule per country per user. Also to have a way to swap Expected to unexpected in the rule. Currently if you save the rule by accident it grey's out the options to change the user or to change the behavior. It would be beneficial if they can be updated after the fact.