Boards

Managed EDR

Managed ITDR

Managed SAT

Managed SIEM

Endpoint Security Posture Management

Integrations, Webhooks, APIs

Account, Org, and User Management

Reporting & Dashboards

Powered by Canny

Managed ITDR

MDR for Microsoft 365

Token Theft False Positives Related to Cloud PC/VM Usage

ITDR Token Theft detectors have recently started to generate false positives related to benign logins from VMs and Cloud PCs. This fix adds a field to our detection logic common across all benign logins to filter these out before generating a signal for the SOC to review.

in progress

Cisco AnyConnect & OpenVPN

Add Cisco AnyConnect and OpenVPN as options to the VPN Rules

The Tunnelbear VPN is being identified by end-users as McAfee VPN.

Caused false positive events.

Alert for M365 GA account being created

An alert should be generated if a random global admin account is created in an office 365 tenant. When a user is assigned privileged access it very well could be an IoC

Two-way sync in Connectwise Manage

It would be great if there were a true two-way sync of incident statuses

Include Correlation/Request ID in Incident Reports

ITDR Incident reports do not include the Entra Correlation/Request IDs for the sign-ins that are reported as malicious. This makes correlating the malicious activity in Entra harder than it needs to be. This change will allow customers to better understand the IoCs whether false positive or true positive.

Incorrect Account Isolation for Shared Mailbox Rule Creation

Description: When a suspicious inbox rule was created in a shared mailbox, the detection was correct but the remediation targeted the shared mailbox account. Issue: Shared mailboxes have login disabled by default; they are accessed via delegate accounts. The compromised delegate account was not identified or contained. Impact: This leaves the attacker’s access intact, as the delegate can continue creating rules or exfiltrating data. Recommendation: Update detection/remediation to correlate session identifiers across mailbox events and target the actual compromised delegate account for containment.

ITDR authoritative domain exclusion for a shared M365 tenant.

Have a m365 ITDR client that has 8 authoritative domains and we manage 6 of the 8.

"Login without Usage Location" does not include the organization name in the email notification

While other escalation and incidents include the organization name somewhere in the body of the email notification, it is not included in the specific escalation "Login without Usage Location".

Issues with the GCCHigh Huntress App Registration powershell script

There are a few errors with the GCCHigh Huntress App Registration powershell script. The first is that the Connect-AzureAD command needs the "-Environment AzureUSGovernment" to connect to a govcloud tenant. The second error is the login URL needs to be changed from ".com" to ".us" to denote govcloud. After those two changes, the script ran mostly without issue up until the logo file clean up at the end. I've attached a screenshot of that error.

Load More

→

Powered by Canny