Managed ITDR (MDR for Microsoft 365)

An alert should be generated if a random global admin account is created in an office 365 tenant. When a user is assigned privileged access it very well could be an IoC

We get a lot of requests for international travel PRIOR to the user leaving. Sometimes we get them up to a few weeks prior to departure. There is a good way in Unwanted access to set an expiration for when the travel STOPS but there is currently no way to set up when the travel STARTS as the exception starts as soon as the rule is created. I think it would be an very helpful feature if you could set the start AND stop date of the expected travel, so IT departments could fulfill these requests as we get them, and not have to flag them to to do in the future. Sometimes I have caught the tech's putting the exceptions in right away, which will open a country prior to travel and could potentially open a security hole. In addition sometimes a user is traveling to multiple countries over a few month period, so you can go in there and set up the exceptions once instead of having to go in multiple times. It would be more efficient and more secure if we could set the start and stop travel dates.

Twice this week I have seen where hackers have gained a users password and the sign in logs in 365 show they tried it and it was successful, but failed to complete MFA so didn't get in. The sign ins were from new IPs, overseas and completely out of character. If the login succeeded we'd likely have received an alert from Huntress about an unusual country login at the least, but we don't seem to when the login didn't complete. Yet we definitely want to know about these ones, this means hackers have the users password even if they didn't actually get into 365 with it, and we still need to change it. We only knew about the two this week due to 365 itself alerting us through Lighthouse about a risky sign in. Surely firstly Huntress can see these logins just from the sign in logs and alert us, but secondly does it not monitor the 365 risky sign ins feature? I'd have thought that was easy and essential.

We often have multiple people from multiple companies travelling together to the same countries. It would be great if we can "Add Country Rule for Identity" and select multiple identities concurrently (from multiple accounts) in order to avoid having to repeat the process multiple times. eg. Many people are travelling to the same conference from Australia to Singapore.

The Autotask ticket created from an ITDR escalation does not include the user (email) and other details about the escalation, so we cannot automate a notification to the customer. Instead, we have to find the Huntress email generated from the escalation and copy paste the information and manually create the customer notification. If we had the user email and other details in the Autotask ticket created by the ITDR escalation, we could automate a notification to the customer. This would not only save time, it would allow us to easily let the customer know 24x7.

When I export unwanted access escalations to CSV, it would be super helpful to have the username as a field in that document so I can distribute to a client and they know who to contact.

On the 'All Installed Apps' page it would be valuable to filter based on permissions. This would enable a quick view of the apps with the highest permissions for quicker review.

Email rules/filters in place are something that ITDR is monitoring and alerting for. We have received a few false positive (investigated and corrected) notifications regarding rules for deletion or marked as read. What would be really helpful is if Huntress was able to leverage things to alert on mass email deletion. This is somewhat of a DLP specific thing rather than identity protection, but I would imagine mass deleting 100-1000+ emails from an inbox would certainly be out of the norm for most entities.

Please add functionality to map multiple Microsoft 365 tenants into a single Huntress organization. We have clients that are acquiring competitors. We need to be able to feed M365 MDR data into Huntress while billing our clients under the parent organization.

There's a high priority need to have a sync feature from 365 Azure AD (Entra) for geo exclusion groups. This would allow the ability to sync 365 Azure AD groups to Huntress IDTR as a way to control which user identities trigger alerts on unwanted country sign-ins and save time opposed to adding either the entire org under a country or add each country separately.