Managed ITDR

Allow partners and customers to block all countries and VPNs at the account and organization level

ITDR Token Theft detectors have recently started to generate false positives related to benign logins from VMs and Cloud PCs. This fix adds a field to our detection logic common across all benign logins to filter these out before generating a signal for the SOC to review.

Add Cisco AnyConnect and OpenVPN as options to the VPN Rules

would be nice if ITDR could provide a full breakdown of what happened ex: user clicked phishing email at 3:45 pm attacker accessed from country X at 5:30 PM attacker created exchange rule attacked access files XYZ Petra can do something similar to this already so it can be done

Want to be able to set a start date for expected rules so that when a client gives us the start and end date of a trip we can add the schedule in when they tell us instead of having to schedule in to do it on the day they leave.

Have a Critical incident generated in the event the Emergency Break Glass/ Allocated User is accessed. per Microsoft recommendations https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access

Does ITDR have any ability to consider the MFA from Okta as part of the overall identity space? I wonder if there's a way to bring this in to include as part of that ID threat.

Hi, we recently had an issue where Huntress flagged a possible unwanted connection coming in from Singapore. In the Huntress system there was nothing at the time to indicate this was a legit connection, so an investigation was launched given the end user at the time advised he was in Australia. After reviewing in the Entra logs, it showed that this connection was done via Microsoft GSA and as such was indeed legit as the person accidently left their GSA client on. I would like to suggest the following to handle situations such like this: (Preferred) Given Huntress has access to the audit logs etc, update the reporting in the identities to show that it was a VPN and its MS GSA. (Alternative) If GSA is considered trusted/low risk, then at the very least don't generate an escalation. I raised this with the support team and was advised you only alert on "non-gated" VPNs (VPNs where there's no requirement to identify yourself, such as VPN's that are free or that offer a trial).. I can see how that cuts down on the possible false positives etc, but wouldn't it be better to classify all vpns and then perhaps have a standard template/profile applied at a client level which is "best practise" from Huntress and then let us decide what to alert on? Eg in the above scenario, Huntress might automatically tick GSA to be trusted but we might say "GSA isn't in use/permitted, we want to know if a connection is detected".

Release an API endpoint for read/write of ITDR configuration rules. These endpoints will all partners to view and create Expected and Unauthorized rules via the Huntress API. This will include the ability to set end dates and (when available) start dates for configuration rules.

If you have a broken tenant, we will tell you.