Changelog
Follow up on the latest improvements and updates.
new
Managed EDR
Introducing Attack Disruption in Managed EDR
We’re excited to announce the Attack Disruption Engine in Managed EDR for Windows. When threat actors find gaps that allow them to land on an endpoint and launch attacks, they move with speed and purpose, whether to steal data or ransom an organization. The Attack Disruption Engine is built to disrupt the attack and create friction for the attacker, buying time for the Huntress SOC to go to work containing and remediating the threat before damage can be done. To learn more, check out this blog that goes into more detail.
Historically, the Gmail "Report a Phish" plugin used Gmail's forward action on reported messages. This is problematic because a forwarded message carries only the body of the original; the original's Received, Authentication-Results and other headers, which are what an analyst needs to trace the message, are lost.
To deliver the complete reported message with all of its headers intact, the SAT Gmail Report Phishing plugin now transmits the message to us via API so we can forward it as an attachment.
Note that the attached message will now show the learner as the recipient rather than as the sender of a forwarded email.
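The difference between the two delivery methods is easiest to see on a message. The following is an added example, not the plugin's code: it constructs a sample phishing email (addresses, hosts and IPs are documentation placeholders), builds both an inline forward and a message/rfc822 attachment with Python's standard email library, and then shows what the receiving side can recover from each. The learner and SOC addresses are assumptions.

```python
"""
Added example: why an inline forward of a reported phish loses evidence,
and why sending it as a message/rfc822 attachment preserves it.
Sample message, addresses and hosts below are constructed placeholders.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample of a reported message with the headers an analyst needs.
RAW_PHISH = b"""Received: from mail.example.net (mail.example.net [203.0.113.10])
\tby mx.example.org with ESMTPS id abc123; Mon, 3 Feb 2025 09:15:02 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=attacker.example;
\tdkim=none; dmarc=fail header.from=bank.example
Return-Path: <bounce@attacker.example>
From: "IT Support" <helpdesk@bank.example>
To: learner@example.org
Subject: Password expires today
Message-ID: <20250203091500.1234@attacker.example>
Date: Mon, 3 Feb 2025 09:15:00 +0000
Content-Type: text/plain; charset=utf-8

Reset your password here: http://attacker.example/reset
"""

# Headers the SOC wants to see: routing, authentication results and sender identity.
EVIDENCE_HEADERS = ("Received", "Authentication-Results", "Return-Path",
                    "Message-ID", "From", "To")


def forward_inline(raw: bytes, learner: str, soc: str) -> EmailMessage:
    """Old behaviour: a brand-new message that quotes only the reported body."""
    original = BytesParser(policy=policy.default).parsebytes(raw)
    fwd = EmailMessage(policy=policy.default)
    fwd["From"] = learner
    fwd["To"] = soc
    fwd["Subject"] = "Fwd: " + (original["Subject"] or "")
    quoted = "\n".join("> " + line for line in original.get_content().splitlines())
    fwd.set_content("---------- Forwarded message ----------\n" + quoted)
    return fwd


def forward_as_attachment(raw: bytes, learner: str, soc: str) -> EmailMessage:
    """New behaviour: the untouched original travels as a message/rfc822 part."""
    original = BytesParser(policy=policy.default).parsebytes(raw)
    fwd = EmailMessage(policy=policy.default)
    fwd["From"] = learner
    fwd["To"] = soc
    fwd["Subject"] = "Reported phish: " + (original["Subject"] or "")
    fwd.set_content("Reported message attached.")
    fwd.add_attachment(original)  # the email library wraps it as message/rfc822
    return fwd


def recover_evidence(fwd_bytes: bytes) -> dict:
    """SOC side: pull the evidence headers out of whatever arrived.
    If an embedded message/rfc822 part exists, read headers from it;
    otherwise only the outer (forwarding) message's headers are available."""
    msg = BytesParser(policy=policy.default).parsebytes(fwd_bytes)
    target = msg
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            target = part.get_payload(0)
            break
    return {h: [str(v) for v in target.get_all(h, [])] for h in EVIDENCE_HEADERS}


def compare(learner: str = "learner@example.org",
            soc: str = "phish-reports@example.org"):
    """Return (evidence from inline forward, evidence from attachment forward)."""
    inline = recover_evidence(forward_inline(RAW_PHISH, learner, soc).as_bytes())
    attached = recover_evidence(forward_as_attachment(RAW_PHISH, learner, soc).as_bytes())
    return inline, attached


if __name__ == "__main__":
    inline, attached = compare()
    for label, ev in (("inline forward", inline), ("attachment forward", attached)):
        print(f"== {label} ==")
        for name, values in ev.items():
            print(f"  {name}: {values or '(missing)'}")
```

With the inline forward, the Received chain, Authentication-Results and Return-Path are simply absent, so SPF/DKIM/DMARC results and the originating relay cannot be established from what the SOC receives. With the attachment, the embedded part carries all of them, and its To header is the learner, which is the change in apparent recipient noted above.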
improved
Managed EDR
Improvements to Windows Defender Antivirus Exclusions
We’ve made it easier to do bulk allow-list exclusions for Windows Defender Antivirus. Allow-list exclusions can also now be set indefinitely. No more 30-day restrictions!
To update exclusions in the Platform, navigate to Managed EDR > Managed Antivirus and click on Managed Antivirus Exclusions. Scroll down, select the exclusions you would like to modify, and then use the bulk action buttons.
new
Platform
New API for User Management
We’re excited to release our latest API for User management. Now you can easily automate the lifecycle management of Huntress Security Platform users. The API provides both read and write functions allowing you to programmatically list, create, delete, and update users at the account and organization levels. Check out the API documentation for all the details.
We’re excited to share that we’ve expanded notifications in the Huntress Platform to include new categories. As you may know, there were two categories: Incident Reports and Escalations. We've added two new categories: Platform Action and Account Notice. More details on the categories are below.
- Incident Report: No changes
- Escalation: Some existing notifications moved to the new categories below
- Platform Action: Important notifications that could impact Huntress’ service delivery and may require an Admin to take action
- Account Notice: Informational notifications relevant to an Account
Additionally, you now have expanded visibility of notifications, along with improvements to configure, control, and map the notifications to better support your workflows and automations. For more details, please see this support doc.
new
Managed EDR
Managed EDR for Linux is now generally available!
We’re excited to announce that EDR for Linux is out of open beta and generally available. Our EDR for Linux is purpose-built for all organizations, and made to find and wreck threats targeting your Linux endpoints. Our elite 24/7 SOC and threat hunters have already detected and investigated novel attacker tradecraft and tools. Check out the blog on the PeerBlight Linux Backdoor to learn more.
new
Managed ITDR
ITDR Data Exfiltration Timeline now available
ITDR subscribers now have access to the new Data Exfiltration Timeline. This new view within ITDR incident reports presents an overview of adversary activity from compromise to remediation, including files and emails accessed, saving you precious time in diagnosing how to respond to a compromise.
The Timeline also includes a complete chronological record of when the compromise started, when Microsoft sent logs to Huntress, and when Huntress took action.
Huntress has retroactively generated Timelines dating back to when we enabled additional audit log ingestion for each account. For most accounts, this took place in December or early January.
For more information, check out The Incident Report Timeline.
new
Managed ITDR
Managed SIEM
Additional ITDR Microsoft Audit Log Ingestion
Huntress ITDR now ingests the Microsoft Audit.General and Audit.SharePoint audit log content types and stores them in the Huntress SIEM (in addition to Audit.Exchange and Audit.AzureActiveDirectory). This data is retained for one year at no cost and does not require a Huntress SIEM subscription.
Huntress SOC analysts and threat hunters use this data to detect adversary activity, and it is now available to Huntress users as well with the full functionality of the Huntress SIEM.
For more information, check out Huntress Managed SIEM Log Search Guide and Huntress Managed SIEM Query Builder.
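To make the two entries above concrete (the Data Exfiltration Timeline built from files and emails accessed, and the audit log content types that feed it), here is an added example that is not Huntress code and does not reproduce how the Timeline is generated. It takes a handful of constructed Microsoft 365 unified audit records (field names follow the Office 365 Management Activity API common schema: CreationTime, Operation, Workload, UserId, ClientIP, ObjectId, Parameters), finds the first sign-in from an IP the user has not been seen from, and assembles everything the attacker did from that point: mailbox reads, an inbox rule, and the SharePoint files touched. The user, tenant URLs, IPs and the "known IPs" baseline are all assumptions.

```python
"""
Added example (not Huntress code): reconstruct an access timeline from
Microsoft 365 unified audit records across the AzureActiveDirectory,
Exchange and SharePoint workloads. All records below are constructed.
"""
import json
from datetime import datetime, timezone

USER = "jdoe@contoso.example"           # assumed victim account
KNOWN_IPS = {"198.51.100.7"}            # assumed baseline of the user's normal IPs

# Constructed sample records, deliberately out of order as a log search might return them.
SAMPLE_RECORDS = [
    {"CreationTime": "2025-01-14T13:50:12", "Operation": "FileDownloaded", "Workload": "SharePoint",
     "UserId": USER, "ClientIP": "203.0.113.45",
     "ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/wire_instructions.xlsx"},
    {"CreationTime": "2025-01-14T08:02:11", "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "UserId": USER, "ClientIP": "198.51.100.7"},
    {"CreationTime": "2025-01-14T13:40:02", "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "UserId": USER, "ClientIP": "203.0.113.45"},
    {"CreationTime": "2025-01-14T13:41:30", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": USER, "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-01-14T13:42:05", "Operation": "MailItemsAccessed", "Workload": "Exchange",
     "UserId": USER, "ClientIP": "203.0.113.45"},
    {"CreationTime": "2025-01-14T13:50:40", "Operation": "FileDownloaded", "Workload": "SharePoint",
     "UserId": USER, "ClientIP": "203.0.113.45",
     "ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/payroll.xlsx"},
    {"CreationTime": "2025-01-14T15:12:00", "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "UserId": USER, "ClientIP": "198.51.100.7"},
    {"CreationTime": "2025-01-14T13:51:03", "Operation": "FileAccessed", "Workload": "SharePoint",
     "UserId": USER, "ClientIP": "203.0.113.45",
     "ObjectId": "https://contoso.sharepoint.com/sites/hr/Shared Documents/board_deck.pptx"},
]

FILE_OPS = {"FileDownloaded", "FileAccessed", "FileSyncDownloadedFull"}
MAIL_READ_OPS = {"MailItemsAccessed"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}


def _ts(rec):
    """CreationTime in the unified audit log is UTC without an offset."""
    return datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def build_timeline(records, user, known_ips):
    """Order one user's records, pick out sign-ins from unfamiliar IPs as the
    compromise, and summarise what those IPs did afterwards."""
    mine = sorted((r for r in records if r.get("UserId") == user), key=_ts)
    logins = [r for r in mine
              if r["Operation"] == "UserLoggedIn" and r.get("ClientIP") not in known_ips]
    if not logins:
        return {"compromise_start": None, "attacker_ips": [], "events": [],
                "files_accessed": [], "mailbox_reads": 0, "inbox_rules": [],
                "last_attacker_activity": None}
    start = _ts(logins[0])
    attacker_ips = {r["ClientIP"] for r in logins}
    # Only activity from the attacker's IPs at or after the first foreign sign-in.
    events = [r for r in mine if r.get("ClientIP") in attacker_ips and _ts(r) >= start]
    files = [r["ObjectId"] for r in events
             if r["Workload"] == "SharePoint" and r["Operation"] in FILE_OPS]
    mailbox_reads = sum(1 for r in events if r["Operation"] in MAIL_READ_OPS)
    rules = []
    for r in events:
        if r["Operation"] in RULE_OPS:
            params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
            # A rule that silently deletes mail is a classic BEC persistence step.
            rules.append({"name": params.get("Name"),
                          "deletes_mail": params.get("DeleteMessage") == "True"})
    return {
        "compromise_start": logins[0]["CreationTime"],
        "attacker_ips": sorted(attacker_ips),
        "events": [(r["CreationTime"], r["Workload"], r["Operation"]) for r in events],
        "files_accessed": files,
        "mailbox_reads": mailbox_reads,
        "inbox_rules": rules,
        "last_attacker_activity": events[-1]["CreationTime"],
    }


if __name__ == "__main__":
    print(json.dumps(build_timeline(SAMPLE_RECORDS, USER, KNOWN_IPS), indent=2))
```

The point of the example is which workload answers which question: AzureActiveDirectory records give the sign-in that starts the clock, Exchange records show mailbox reads and rule tampering, and the SharePoint content type is what tells you which files left the tenant. Without Audit.SharePoint in the ingest, the last list would be empty even though the downloads happened.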
We’re excited to announce the addition of two new write APIs for account and organization management to make it faster and easier to automate activities and workflows.
The first write API allows organizations to be created, updated, and deleted without needing to log into the Huntress Platform. For example, the Organizations API could be used with an RMM to automate the onboarding of new organizations and deployment of EDR. Please see the API documentation for more details.
The second write API enables automation of account onboarding and off-boarding. To learn more about this API, please see the Reseller API documentation.
The HaloPSA integration with the Huntress Platform now supports automatic billing information syncing, making it faster and easier to automate client billing. To learn how to turn on billing sync with HaloPSA, check out this support article.