Managed ITDR (MDR for Microsoft 365)

We get a lot of requests for international travel PRIOR to the user leaving. Sometimes we get them up to a few weeks prior to departure. There is a good way in Unwanted access to set an expiration for when the travel STOPS but there is currently no way to set up when the travel STARTS as the exception starts as soon as the rule is created. I think it would be an very helpful feature if you could set the start AND stop date of the expected travel, so IT departments could fulfill these requests as we get them, and not have to flag them to to do in the future. Sometimes I have caught the tech's putting the exceptions in right away, which will open a country prior to travel and could potentially open a security hole. In addition sometimes a user is traveling to multiple countries over a few month period, so you can go in there and set up the exceptions once instead of having to go in multiple times. It would be more efficient and more secure if we could set the start and stop travel dates.

Email rules/filters in place are something that ITDR is monitoring and alerting for. We have received a few false positive (investigated and corrected) notifications regarding rules for deletion or marked as read. What would be really helpful is if Huntress was able to leverage things to alert on mass email deletion. This is somewhat of a DLP specific thing rather than identity protection, but I would imagine mass deleting 100-1000+ emails from an inbox would certainly be out of the norm for most entities.

As an MSP Account Admin, I have the rights to respond to alerts with full functionality. My clients are Organizational Admins, and they get all the alerts but cannot act on them and they find this rightly frustrating. We've heard from Huntress that you have intended to either expand on those rights OR allow us to create Account Admin rights that can be limited to single organizations or sets of end points. Do you intend to make these changes, ever, and if so- when?

Allow us to create a rule that sets a (or multiple) countries as Allowed and all others as Unexpected

There's a high priority need to have a sync feature from 365 Azure AD (Entra) for geo exclusion groups. This would allow the ability to sync 365 Azure AD groups to Huntress IDTR as a way to control which user identities trigger alerts on unwanted country sign-ins and save time opposed to adding either the entire org under a country or add each country separately.

Can we have a better solution than M365 alerts for bulk file changes(encrypts)/access/reads that may indicate compromise, malware or exfiltration. I know Huntress don't want inconclusive alerts/non actionable alerts for us, but something that indicates unusual bulk file access in Sharepoint/OneDrive/Teams within a short time period would bring a lot of peace of mind. Even if it was an optional switch.

It would be great to be able to see a tenants Microsoft security scores within Huntress.

Currently, we’re accurately representing the data we get from MS, but the visual could be better. This is the ability for us to more accurately display MFA status for identities.

It would be great if there were a true two-way sync of incident statuses

We have certain accounts that are used by contractors around the globe. We do not want Huntress to keep notifying us of unexpected logins, and I don't want to have to spend my time creating and maintaining rules for all the countries that are allowed. We want to allow logins from any country except those that are high-risk or sanctioned, like North Korea, Russia, Iran, etc. If we do have a contractor working in one of these countries, then we'd also like the option to create an exception for that specific country while disallowing all the other risky countries.