Managed EDR

While working an incident in which a threat actor deployed RMM agents to live of the land, we came to the conclusion that it would probably be helpful to the SOC to have a note on the account of what the RMM solution of the MSP is. For example, if the MSP uses Kaseya VSA as their primary RMM and Atera agents are deployed unexpectedly or start enumerating a domain remotely, it could be a indicator of compromise as the commands to not originate from the MSP's RMM.

Alert when a computer has installed malicious browser extensions

Ability to add a subnet to allowlist. A lot of vendors provide IP "Subnets" instead of individual IPs.

This feature sounds great in theory but not all organizations operate at the same and it seems we cannot use it on a per-organization basis. Whenever features are implemented PLEASE consider making it both partner and organization level. The more functionality is added at the partner level only the less MSP friendly the tool becomes. Not all organizations are the same!

Since Huntress Potentially Unsecured Credentials have a 30 day cool-down between Incident Reports this can leave partners unaware if the machine has detections for multiple files. This data is normally only exposed to partners via Investigated Signals or Incident Reports, both of which do not populate with new PUC data inside the 30 day cool-down. If we had a central place partners could view these detectors partners could tackle all of these files at once rather than wait for reports to trickle in over time. * Request from ticket 115283

I know Huntress is GDPR compliant. But I think it would be way better for europeans to be able to choose the data to be stored in a Europe based amazon data center.

Enable a dedicated page or table to view and filter all foreign login events. Could be done by: Clicking on the country count (as shown on the map on unwanted access page) would reveal the associated logs in a searchable, filterable format—saving time and making it easier to identify unwanted access. and/or Standard filterable table showing login events somewhere on this page.. Yes, there is a results table currently, but it's limited to 25 results at a time, & has "next/prev" buttons: https://[company].huntress[.]io/account/managed_identity/m365_subscription_events

We get requests from clients decommissioning machines out of client use but the agent is still online. We would like to be able to remove the agent in an automated process along with our other agents from the decommissioned machines. Uninstall the Huntress agent without the need to login to the Web UI. If not a way to override tamper protection, then maybe an API call to be made to call the huntress uninstall Process from the web through an API call.

Most of our devices are windows but having coverage on linux would be nice.

There don't seem to be many products in the MSP space that do CVE-based alerting. Those that do try to be "one stop" tools that replace Huntress (such as RocketCyber.) I would love it if you added this as a feature, even if it was an add-on.