ITDR (MDR for Microsoft 365)

Currently this is only available at the Account / MSP level and not granular down to Organization / Client level.

Google tenant integrations, identity onboarding, and basic event ingestion.

Caused false positive events.

We need the ability to monitor and document actions conducted by M365 IDs with assigned Administrator roles, such as SharePoint Administrator. This feature would allow us to review and flag activities performed by these roles, especially when third parties are involved, ensuring transparency and security.

It would be helpful to have the option to set a start date for authorised location rules, in addition to the existing expiry date. This would allow us to pre-schedule access for users who notify us in advance of overseas travel, without having to manually set the rule closer to their departure. It would also reduce the risk of prematurely allowing access from high-risk locations.

So its great that Huntress can disable a user but the issue is that when it sync's back to the on prem server if that user is not locked will re-enable the users account and remove the block. This is an issue because we want the account to be locked until we can look into it but if its not locked on the server the user just has to wait until the sync and then they are re-enabled.

VPNs are commonly used in countries such as dubai to access whatsapp or western services on mobile devices. Supressing VPN usage per user where device type == mobile would allow for higher fidelity suppression

Allow us to create a rule that sets a (or multiple) countries as Allowed and all others as Unexpected

While other escalation and incidents include the organization name somewhere in the body of the email notification, it is not included in the specific escalation "Login without Usage Location".

If you have a broken tenant, we will tell you.