ITDR (MDR for Microsoft 365)

I realize this would be tricky to implement because of the numberous different ways organizations can implement conditional access policies to block unwanted countries. However, with the introduction of the feature to track unwanted access by countries in Huntress ITDR we've now been doing double duty having to track and enter scheduled exlusions in both Huntress and Entra ID (we utilize the open source CIPP to schedule these exclusions). It would be great if Huntress would integrate with Entra ID so that the scheduled/timed exclusion that we're creating in Huntress to mark that country as allowed would have the ability to link to a conditional access policy that it can update on the start/end dates of the scheduled travel as well. Due to everyone potentially having different conditional access policies - the easiest way I can invision this being implemented is simply pulling a list of the Conditional Access policies from the tenant when scheduling the exclusion and requesting which policy should be used for this particular exclusion. Then Huntress can add the user to that conditional access policy for the exclusion when the scheduled travel starts and then remove them when the scheduled travel ends. This is coincidentally the same way CIPP handles these exclusions. This allows this functionality to work for anyone who has individual conditional access policies for each country, one single conditional access policy for all countries, or anywhere inbetween.

Google tenant integrations, identity onboarding, and basic event ingestion.

Would like an alert when a user successfully signs into M365 but fails a Conditional Access policy. For example, user gets phished, MFA is bypassed but CA geo policy blocks the sign in. Currently Lighthouse does this via "risky user" alert if you have it configured, which can take days to receive the alert. Huntress does not alert on this attack vector at all. All of this data is available in Entra sign in logs, and licence agnostic. Can huntress create this alert?

Add support for Google Workspace for MDR (similar to the O365 MDR).

If you have a broken tenant, we will tell you.

Currently, we’re accurately representing the data we get from MS, but the visual could be better. This is the ability for us to more accurately display MFA status for identities.

So its great that Huntress can disable a user but the issue is that when it sync's back to the on prem server if that user is not locked will re-enable the users account and remove the block. This is an issue because we want the account to be locked until we can look into it but if its not locked on the server the user just has to wait until the sync and then they are re-enabled.

Really basic request: in the "escalation" email from ITDR, it shows org, but not user account. It would be really handy to see the affected user account in the email body also. And 2 cents: the way the paragraph is formatted, I always have to slow way down to find the org name buried in all the words.

We would like to be able to add Enterprise apps to Rogue Apps for our own alerting, for example if we know the applications an old MSP has used for a new client, we can add it to alert for in their M365 environment and allow us to find and remove the leftover apps.

We would like information alerts for ITDR