Managed EDR

We currently use Azure Virtual Desktop (AVD) and Citrix Cloud, both of which support deleting unused hosts and rebuilding them on demand. It would be highly beneficial if Huntress could better accommodate these environments by enabling continued management of these ephemeral VDA/VDI machines. Ideally, this could be achieved by: Allowing the Huntress agent to automatically uninstall itself when the host is decommissioned (e.g., on shutdown). Providing an API-driven method to remove agents from hosts that have been deleted in the VDI platform. This functionality would ensure that ephemeral VDA/VDI hosts are properly tracked, avoid stale agents, and maintain clean licensing and reporting.

We would like for the SOC analyst that performs an org-wide host isolation action to then call each number listed on the "Incident Notification Contacts" list at least once to speak to someone that can let the SOC analyst know if something unique might be happening in the customer environment that could warrant having the SOC analyst fully or partially roll back the org-wide host isolation. It would also be good for the SOC analyst to give the organization contact a quick run-down of what they saw in the environment in case the org contact hasn't seen any details about new incidents being entered into the Huntress platform yet.

The new Huntress detection of Connectwise has been fantastic, we caught some previous IT companies software on our recently acquired clients workstations. It would be amazing if huntress continued this detection and expanded it to detecting other remote access software such as splashtop, teamviewer, anydesk, etc..

Huntress now supports an IP address allow list for isolated hosts, but this doesn't work with Cloud RMM, AV, or other tooling which typically uses dynamic IP addresses for agent connectivity. Vote here if you'd like to see this capability added. Even better, it would be great to hear what specific tools you'd want to use it with; the list of DNS names that need allowing for typical cloud tooling is long, and we could potentially preconfigure them (just check a box) for common-needed tools.

MSPs are increasingly having to align to different frameworks like NIST and CMMC. It'd be good if Huntress could provide documentation mapping to what controls you meet for each.

Huntress logs alerts to ScreenConnect instances. Huntress has the capability to isolate a computer when a severe threat is detected. Rogue ScreenConnect active sessions are a severe threat. We can tell you for sure they are a severe threat by allow listing the one and only host our clients are allowed to connect. Ergo, Huntress should auto-isolate a host when it connects to a known rogue ScreenConnect instance, and you don't have to worry about false positives because we have already told it exactly what it should do. I have said this to every Huntress rep and they all seem puzzled. I don't understand why, all the pieces are already there. This would be a huge bonus for all of us and it seems trivial to implement. Please consider fast tracking this.

Provide alerting on events that have a persistent flag being captured in Antivirus events; such as an exploit that keeps trying to be triggered after a certain threshold.

Alert when a computer has installed malicious browser extensions

Huntress already can detect Screenconnect connections outbound from endpoints. If we provide our Screenconnect IP, Huntress could alert on connections to OTHER foreign Screenconnect hosts.

S1 and other EDR/XDR providers allow you to easily roll back changes and allows you to control VSS to ensure you have drive snapshots. So if ransomware does start encrypting, you can roll back those changes. We need this feature built into huntress.