Filtering for MDR for Microsoft 365 Detections
The ability to see at a glance if MDR incidents are resolved would be much appreciated. They can be filtered by resolved, but it would be nice to have a column for resolution status, and to be able to permanently hide resolved incidents in the dashboard. Of course, we would still need to view resolved incidents in a history log.
Filter Audit Log
Want the ability to filter the event audit log for Microsoft 365 by event type or IP address in the Huntress Portal.
MDR Billing Sync to Connectwise
Hello Huntress Team, this is now a critical implementation requirement for us. My billing team are not happy to be inputting counts manually in CW.
Application Permission Alerting
We recently experienced a breach where the attacker created several Enterprise applications with access to various Graph APIs. They did this after creating forwarding/deletion rules in a user's email. It would be great to have some kind of alerting around when a user or application gets any administrative privileges. Also when any forwarding rules are created in email, because it's hard to know if they're malicious or not without asking the user.
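As an added example (not Huntress or Microsoft code, and not part of the post above): detection logic for the two actions the poster describes, run over Microsoft 365 Unified Audit Log records. It flags Exchange Online inbox rules that forward, redirect or delete mail, and Entra ID (Azure AD) audit events that grant privileges to a user or application. The records are constructed for illustration; the field names follow the audit log export shape (Operation, UserId, ObjectId, Parameters), and the exact operation strings should be checked against a real export from the tenant before relying on them.

```python
"""Added example, not Huntress or Microsoft code: flag inbox rules that move
mail out of the owner's sight and events that grant privileges to users or
applications, using Microsoft 365 Unified Audit Log records. The sample
records are constructed; the operation names are assumptions to verify
against a real export from the tenant.
"""

# Exchange Online operations that create or change an inbox rule.
INBOX_RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

# Rule parameters that send mail elsewhere or hide it from the mailbox owner.
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                "DeleteMessage", "MoveToFolder"}

# Entra ID (Azure AD) audit operations that grant privileges to a user or app
# (assumed operation names; check the tenant's own export).
PRIV_GRANT_OPS = {
    "Consent to application.",
    "Add app role assignment to service principal.",
    "Add member to role.",
}


def rule_params(record):
    """Flatten the Parameters list of an Exchange audit record into a dict."""
    return {p["Name"]: p.get("Value") for p in record.get("Parameters", [])}


def check_record(record):
    """Return an alert dict if the record is one of the two cases, else None."""
    op = record.get("Operation", "")
    if op in INBOX_RULE_OPS:
        params = rule_params(record)
        hits = sorted(EXFIL_PARAMS.intersection(params))
        if hits:
            return {"rule": "inbox_rule_exfil", "user": record.get("UserId"),
                    "operation": op, "params": {k: params[k] for k in hits}}
    if op in PRIV_GRANT_OPS:
        return {"rule": "privilege_grant", "user": record.get("UserId"),
                "operation": op, "target": record.get("ObjectId")}
    return None


def scan(records):
    """Run check_record over every record and keep only the alerts."""
    return [a for a in map(check_record, records) if a is not None]


# Constructed sample records, not real audit data.
SAMPLE_RECORDS = [
    {"Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "UserId": "alice@contoso.example"},
    # Attacker-style rule: forward everything out and delete the copy.
    {"Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "drop@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    # Benign rule: just marks newsletters as read.
    {"Operation": "Set-InboxRule", "Workload": "Exchange",
     "UserId": "bob@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "newsletters"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    # Consent granted to an application by the compromised user.
    {"Operation": "Consent to application.", "Workload": "AzureActiveDirectory",
     "UserId": "alice@contoso.example",
     "ObjectId": "ServicePrincipal_2f1e0c7a-5b6d-4e8f-9a0b-1c2d3e4f5a6b"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

Running it over the constructed records produces two alerts: the forward-and-delete rule on alice's mailbox and the application consent, while bob's mark-as-read rule is ignored. A real deployment would feed `scan` from the audit log export and route the `privilege_grant` alerts to whoever can confirm whether the application was expected.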
Endpoint and Office 365 Most important
80% of security-related issues we work on are endpoint and Office 365 related. We can use the Sentinel SIEM from Microsoft and other products, but they seem to be from full SOC vendors. If there was a good 365 monitoring solution, I would find it easier to get Huntress in more of my clients.
M365 Partner/GDAP integration is clunky with enforced SSO to Azure AD
The M365 integration does not work very nicely with enforced SSO using Azure AD as the IdP. If you have to log into Huntress.io using Azure AD SSO, then following the instructions in the M365 integration setup guide telling you to log in to Huntress using an incognito window and then hit the re-authorise button is redundant, because although you've used an incognito window, you've then had to immediately auth to a different Azure AD identity (not the Huntress Service Account), which renders the incognito window useless - it's no longer free of MS cookies. We ended up having to temporarily disable enforced SSO (which then annoyingly made everyone have to enrol MFA again), log in to Huntress with direct credentials in an incognito window, then re-auth with the Huntress Service Account (twice, as per the docs). The alternative work-around is to make the Huntress M365 service account a Huntress portal admin so that you can log in to the Huntress portal with that same account (via SAML SSO).
Indicate High Value Identities
Want the ability to indicate users who are potentially high risk (CEO, CFO etc.) and, any time something suspicious occurs on those accounts (such as a login from a new IP address), send a low-level report automatically.
Is there any roadmap to implement an impossible travel detection? Or at the very least, implementing a country/IP whitelist for M365 users logging into the platform?
Brute Force successful
When an account experiences, say, 100 failed login attempts in 1 hour but the 101st login is successful, this might indicate a successful brute force attack. In that case I want to know. Number of attempts and timeframe to be defined; this was just an example.
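As an added example (not Huntress code, and not part of either post): the detection described in the post above, plus the country allow-list asked for two posts earlier, run over constructed Microsoft 365 sign-in records. A sliding window counts UserLoginFailed events per account, and a UserLoggedIn event that follows at least the threshold number of failures inside the window is flagged as a likely successful brute force; the same pass flags successful sign-ins from a country outside the allow-list. The threshold (100), window (1 hour), allow-list, the records and the `Country` field (assumed to come from IP geolocation enrichment, since the audit log record itself carries only the client IP) are all assumptions for illustration.

```python
"""Added example, not Huntress code: flag a successful sign-in that follows
many failures within a window, and successful sign-ins from countries
outside an allow-list. Records, threshold, window, allow-list and the
Country field (assumed geolocation enrichment) are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 100                   # failures before a success becomes suspicious
WINDOW = timedelta(hours=1)       # look-back window for counting failures
ALLOWED_COUNTRIES = {"NL", "BE"}  # hypothetical allow-list for this tenant
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def detect(records, threshold=THRESHOLD, window=WINDOW, allowed=ALLOWED_COUNTRIES):
    """Return alerts in time order. Records may arrive unsorted; they are
    sorted by CreationTime (ISO 8601, so string order is time order)."""
    failures = defaultdict(deque)   # account -> timestamps of recent failures
    alerts = []
    for r in sorted(records, key=lambda rec: rec["CreationTime"]):
        ts = datetime.strptime(r["CreationTime"], TS_FORMAT)
        user = r["UserId"]
        recent = failures[user]
        # Forget failures that fell out of the window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if r["Operation"] == "UserLoginFailed":
            recent.append(ts)
        elif r["Operation"] == "UserLoggedIn":
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_success", "user": user,
                               "failures": len(recent), "ip": r["ClientIP"],
                               "time": r["CreationTime"]})
            country = r.get("Country")
            if country and country not in allowed:
                alerts.append({"rule": "login_outside_allowlist", "user": user,
                               "country": country, "ip": r["ClientIP"],
                               "time": r["CreationTime"]})
            recent.clear()   # a success ends the current attempt sequence
    return alerts


def _rec(ts, op, user, ip, country):
    return {"CreationTime": ts.strftime(TS_FORMAT), "Operation": op,
            "UserId": user, "ClientIP": ip, "Country": country}


def make_sample():
    """Constructed sign-in records, not real telemetry: a 100-failure run on
    one account ending in a success, a user who mistyped a password three
    times, and a success from outside the allow-list."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    recs = [_rec(base + timedelta(seconds=30 * i), "UserLoginFailed",
                 "victim@contoso.example", "203.0.113.7", "NL")
            for i in range(100)]
    recs.append(_rec(base + timedelta(minutes=55), "UserLoggedIn",
                     "victim@contoso.example", "203.0.113.7", "NL"))
    for m in range(3):
        recs.append(_rec(base + timedelta(hours=1, minutes=m), "UserLoginFailed",
                         "bob@contoso.example", "198.51.100.4", "BE"))
    recs.append(_rec(base + timedelta(hours=1, minutes=3), "UserLoggedIn",
                     "bob@contoso.example", "198.51.100.4", "BE"))
    recs.append(_rec(base + timedelta(hours=2), "UserLoggedIn",
                     "carol@contoso.example", "192.0.2.9", "US"))
    return recs


if __name__ == "__main__":
    for alert in detect(make_sample()):
        print(alert)
```

With the defaults the sample yields two alerts: the victim's success after 100 failures and carol's sign-in from the US. Lowering `threshold` to 3 also flags bob's success after three mistyped passwords, which is why the poster is right that the numbers need tuning per tenant. The window is evaluated per account, so a low-and-slow spray across many accounts would need a second counter keyed by source IP.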
Enforce O365 Settings
We currently use another product, Office Protect, to enforce standard security settings across all our O365 tenants. It would be great to consolidate this into the MDR product. Also, Office Protect automatically generates mail flow rules to prepend warning banners on emails that are sent with a display name that matches an in-tenant user. This helps prevent a huge number of phishing attacks.
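As an added example (not Office Protect's or Huntress's code, and not part of the post above): the check behind the warning-banner rule the poster describes, written in Python so it can be run offline. A message whose From display name matches an in-tenant user, but whose sender address is not in one of the tenant's accepted domains, gets a caution banner prepended to its plain-text body. The tenant users, accepted domains, banner text and sample messages are assumptions for illustration.

```python
"""Added example, not Office Protect's or Huntress's code: flag and banner
inbound mail whose From display name matches an in-tenant user but whose
address is external. Tenant users, accepted domains and the sample messages
are constructed assumptions.
"""
import email
import unicodedata
from email import policy
from email.utils import parseaddr

# Hypothetical tenant: accepted domains and the display names of its users.
ACCEPTED_DOMAINS = {"contoso.example"}
TENANT_USERS = {"Jane Doe": "jane.doe@contoso.example",
                "Sam Lee": "sam.lee@contoso.example"}

BANNER = ("[CAUTION] This sender's display name matches an internal user, "
          "but the message came from outside the organisation.\n\n")


def normalize_name(name):
    """Lower-case, strip accents and collapse whitespace so that
    'Jane  DOE' and 'Jané Doe' both compare equal to 'Jane Doe'."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())


def is_display_name_spoof(from_header, tenant_users=TENANT_USERS,
                          accepted_domains=ACCEPTED_DOMAINS):
    """True when the display name impersonates a tenant user from an
    external address. Senders in accepted domains are never flagged."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not name or domain in accepted_domains:
        return False
    known = {normalize_name(n) for n in tenant_users}
    return normalize_name(name) in known


def annotate(raw_message):
    """Parse a raw RFC 5322 message; if the From header is a display-name
    spoof, tag it with a header and prepend BANNER to the plain-text body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    if not is_display_name_spoof(str(msg["From"])):
        return msg
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        body.set_content(BANNER + body.get_content())
    msg["X-Display-Name-Spoof"] = "yes"
    return msg


# Constructed sample messages, not real mail.
SPOOFED = ("From: Jane Doe <jane.doe@freemail.example>\n"
           "To: sam.lee@contoso.example\n"
           "Subject: Quick favour\n\n"
           "Are you at your desk? I need gift cards bought urgently.\n")

LEGITIMATE = ("From: Jane Doe <jane.doe@contoso.example>\n"
              "To: sam.lee@contoso.example\n"
              "Subject: Lunch\n\n"
              "Noon works for me.\n")

if __name__ == "__main__":
    print(annotate(SPOOFED).get_content())
```

The normalisation step matters: attackers vary case, spacing and accents to slip past exact-match rules, and a rule that only compares the raw string misses them. The trade-off the poster accepts is that a genuine outside contact who happens to share a name with an employee also gets the banner, which is why this is a warning rather than a block.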