We're excited to announce that we've enhanced our security by strengthening the protection of endpoints with Huntress. This improvement prevents easy uninstallation of the Huntress Agent or tampering with any of its components.

Moving forward, uninstalling the Agent can only be done through the Huntress Dashboard or by turning off the Tamper Protection feature in the Dashboard, then uninstalling it locally or via RMM tools.

For detailed instructions on enabling this feature or for more information, please refer to our Support Documentation here.

Bot-Head is looking to build something very special for the Curriculaville Comic-Con, but with a low balance in her bank account, she may have to turn to an AiTM attack to finance her project.

Learning Objectives:

Exciting News! We've streamlined our reporting system to improve how updates are handled. Previously, every change to an incident would trigger a new report, causing an overload of notifications, and cluttering ticketing systems and/or inboxes. This made it harder to track individual incidents, with multiple notifications to sift through.

With this update, reports can now be edited, with any changes to incident details, status, severity, or remediation guidance being reflected in a single report, reducing noise and making incident management much more efficient for our Partners and Customers.

The Huntress Managed SAT team is excited to share that when learners log into their Huntress Managed SAT portal, they will see an entirely new and improved interface which is now GA. Episodes are prioritized based on time left to complete and feature a more colorful, engaging style. The time remaining is clearly visible to help learners focus on completing the right episodes.

Admins can now also opt their companies into leaderboards. This new feature, currently in Open Beta, introduces friendly competition to your SAT program to help motivate learners to complete their assignments on time. Learners are assigned a randomized handle which they can change if they so choose, and can see how their security awareness stacks up against their colleagues. They score the most points by completing episodes within the first week of it being assigned with points decreasing over time after the first week. Learners lose points when they interact with landing pages from phishing scenarios in a way that simulates compromise but can recover some points by completing their phishing defense coaching.

To learn more about leaderboards, the scoring system, and how to opt in, check out this knowledge brief article here.

With this feature being in Open Beta, we are hoping to hear your feedback on what you like or where we can improve. Please feel free to make your voice heard here.

Great news for your quality of life with your Huntress environment: Our PSA integrations now support auto-updating ticket status! After an incident report is closed within the Huntress Dashboard, you can have it automatically update your PSA to keep your tool in sync with Huntress incidents.

To enable this functionality, log into your Huntress Dashboard, navigate to the integrations page, and edit your PSA integration settings.

Imani is taking a much needed vacation, but when someone catches wind of a big deal her company is working on, will she be able to protect the incredibly valuable details while working remotely?

Learning Objectives:

We're excited to announce that Unwanted Access for MDR for Microsoft 365 is now in General Availability! Unwanted Access protects your identities by detecting malicious activity related to logins to your Microsoft tenants. Unwanted Access introduces several new features:

Huntress now detects differences within login events from the same session. Our SOC analyzes these differences and will report on and isolate the identity if warranted.

Huntress now allows partners to configure Expected and Unauthorized rules within the Unwanted Access dashboard. These rules allow partners to tailor their SOC experience and provide context to Huntress analysts investigating potential malicious activity. Expected rules allow partners to specify countries and/or VPNs through which logins are expected to occur. By default, the identity’s usage location (country) from Microsoft will be treated as an Expected country.

Huntress will still evaluate all events for malicious activity, but Expected rules help the SOC filter out anomalies from confirmed malicious activity. Unauthorized rules allow partners to specify countries and/or VPNs through which logins should never occur. Huntress will send an incident report and isolate identities that trigger Unauthorized rules.

Huntress will now generate escalations for unknown login locations and unknown VPNs. These escalations provide partners with the ability to tell Huntress (via rules) if activity is Expected or Unauthorized. Escalations are only indicative of unexpected login activity and should not be considered incident reports.

We are continually iterating and improving upon Unwanted Access. To request specific features and see what is coming, please visit http://feedback.huntress.com/.

You can now configure which hosts collect Windows Event logs at the Account, Organization, or Host level. We recently added a configuration page that provides an Account-level setting to determine if all supported Windows hosts collect Event logs. With this setting you can specify whether you want to collect Event logs with a broad stroke. If you want to collect Event logs everywhere, then you can enable this and you are done.

If instead you want to customize which Organizations and Hosts collect Event logs, you can alter the settings at the Organization or Host level to override the Account-level setting. This way if you want to only collect Event logs from a few Organizations, you can leave the Account-level setting disabled and create override settings for only those Organizations where you want to collect logs. On the other hand, if you want to collect Event logs from everywhere a few hosts, then you can enable collection using the Account-level setting and create override settings for the Organizations where you don't want to collect logs.

On Monday, August 19, Huntress will activate email and PSA ticket notifications for two new types of escalations. Escalations are important security-related inquiries that Huntress would like your help in answering. They are not incident reports and do not indicate that malicious activity is occurring.

Starting Monday, you might see these two new types of these escalations via email or PSA (depending on how you’ve configured escalation notifications in the portal).

- This escalation is sent with low severity. It specifies which identities within a particular organization are missing their Microsoft Entra Usage location. Huntress relies on the usage location to determine the “home location” for the identity and to alert you if the identity logs in from somewhere else. This escalation type provides details on the affected identities and links to the Huntress knowledgebase article explaining how to set the usage location in Microsoft.

- This escalation is sent with high severity. It indicates that an identity has logged in from an unexpected location or with an unexpected VPN. If the Huntress SOC detects clear signs of malicious activity, they might follow up this escalation with an incident report. This escalation can be resolved by creating an Unwanted Access configuration rule that labels the login location or the VPN as expected or unauthorized. Setting the location/VPN as expected helps tune your environment and assist our SOC in filtering out false positives when responding to potential incidents. Setting the location/VPN as unauthorized immediately logs out and disables any affected identities; it will also do the same to those identities logging in from that location/VPN in the future.

We’ve been rapidly iterating on this functionality and will continue to introduce improvements over the next several weeks. Please visit feedback.huntress.com or reach out to support with any questions or concerns. Thanks!

Huntress Product Team

Huntress MDR for Microsoft 365’s Unwanted Access capability is now in public beta! Unwanted Access protects your identities by detecting malicious activity related to logins to your Microsoft tenants. Unwanted Access consists of several new features for our partners:

: Huntress now detects differences within login events from the same session. Our SOC analyzes these differences and will report on and isolate the identity if warranted.

: Huntress now allows partners to configure Expected and Unauthorized rules within the Unwanted Access dashboard. These rules allow partners to tailor their SOC experience and provide context to Huntress analysts investigating potential malicious activity. Expected rules allow partners to specify countries and/or VPNs through which logins are expected to occur.

Huntress will still evaluate all events for malicious activity, but Expected rules help the SOC filter out anomalies from actual malicious activity. Unauthorized rules allow partners to specify countries and/or VPNs through which logins should never occur.

: Huntress will now generate escalations for unknown login locations and unknown VPNs. These escalations provide partners with the ability to tell Huntress (via rules) if activity is Expected or Unauthorized. In beta, these escalations do not generate PSA tickets or emails, but will generate reports if activity is deemed Unauthorized by the partner.

Huntress values partner feedback and, during this public beta, will maintain a keen eye on feedback.huntress.com.