Managed EDR

The EDR Agent will be able to automatically respond to known malicious tradecraft

I believe having a feature that can help an analyst quickly determine if a RMM is expected is if customers are able to provide a RMM whitelist. I was thinking that this functionality would be similar to the "expected VPNS/countries" in ITDR. This would help the SOC scope on potential compromises by rapidly being able to identify known good RMM usage and can provide a threat hunting opportunity by hunting for RMMs not on the allow list.

It would be good to see Linux agents to have the ability to be enabled as a syslog collector as we could utilise a Raspberry Pi on-prem for customers if lacking a permanent on-prem device.

We have started open beta for Linux EDR! What that means is: anyone can participate its free we have expanded supported distros additional agent installation using Ansible For installation support and other details please see the “Linux Open BETA Prep List” support document on support.huntress.io or reach out to your CAM.

With numerous attacks occurring from end users clicking on links, would it be possible for Huntress to periodically extract what websites users have gone to on their computers? This could be displayed under the computer in the Huntress portal or even a separate section? I’ve seen a few freeware tools which allows this information to be extracted across user profiles. This could be extended to allow for some form of backend automated URL checking/scanning which could generate alerts if sites with dodgy characteristics or known bad reputation are visited. End result, if a user is breached we can see a recent history of sites visited and it can help in the reporting process. This could even be further enhanced to allow partners to report phishing links etc to a central Huntress location which could then in turn notify the threat hunters and allow updates on site reputation. Could possibly be argued that privacy is a thing, but that is a discussion the partner can have with the customer and ensure their IT use policies are adequate.

Is it possible to see the username of who is logged to the host when looking at the Agent list as well seeing it in the details when you click on an Agent. It currently shows the Active Directory domain name so I assume it would be easy to pull the current logged in user.

It would be nice to have the ability to override the "other-AV" status in the Managed Antivirus page. Certain AV/Security software may offer additional features such as VPN or password managers. Currently, it detects the AV product itself and will mark Defender as "Unhealthy - Other AV", even if Defender is running. This will help cover edge cases where a third-party security software is present on the workstation, but the AV portion is disabled and Defender is running.

The Gray color is a little too bright for "dark mode" Much better than light mode, but still really, really bright.

Huntress now supports an IP address allow list for isolated hosts, but this doesn't work with Cloud RMM, AV, or other tooling which typically uses dynamic IP addresses for agent connectivity. Vote here if you'd like to see this capability added. Even better, it would be great to hear what specific tools you'd want to use it with; the list of DNS names that need allowing for typical cloud tooling is long, and we could potentially preconfigure them (just check a box) for common-needed tools.

As an MSP Admin, I would like the ability to unisolate multiple devices of my choosing at once. If the SOC mass isolates, I would like to choose several devices at once to unisolate in order to get people back to work more quickly.