Display investigative comments from SOC analysts
complete
Patrick Sofo [Security Product Manager]
When a signal gets investigated and closed, not reported... I'd like to see the investigative comment added by the analyst in addition to the contextual close out reasons (benign true positive, false positive, pen-testing, etc.). Right now there's no other info or reasoning as to why that decision was made.
Patrick Sofo [Security Product Manager]
Rhys Watson, I merged the first bit of your feedback into this feature request that I am tracking and actively shaping.
The second part of your post regarding email/ticket notification for investigations is probably best captured in one of the following requests if you'd like to upvote there:
IMO an API endpoint to consume Signals Investigated data would be most manageable depending on your use case. The volume of Signals Investigated is high and getting a ticket for each one may not be tenable (i.e. let the Huntress SOC worry about the noise for you), but being able to consume all of the signals via an API for reporting purposes does seem more desirable:
If you absolutely want a ticket for everything then this may be the post of interest.
Patrick Sofo [Security Product Manager]
Merged in a post:
Information on why an incident has been marked Safe by Huntress
Rhys Watson
In the platform we've had some M365 incidents that Huntress have marked as "Benign True Positive". However, there's no other info or reasoning as to why that decision was made. Plus there's no email/ticket alert generated, so we only find out when we log into the platform.
It'd be good to A) be alerted that you've made that decision on an incident and B) have some information written by the Huntress analyst on why they made that call.