ITDR (MDR for Microsoft 365)

Unwanted Access presently only gives you the response choices of Expected or Unexpected. Expected adds the VPN to the allow list, and you have a choice of at the user level or at the organization level. Unexpected triggers a critical incident and blocks the user's sign-in which is overkill if you just want the Huntress alert to go away. The easy use case that comes to mind is at our MSP specifically, where our users frequently support and test out many VPN solutions that our customers use. I don't want to allow these solutions org-wide or even at the user level because outside of specific times these actions are completely unexpected, and we should be alerted on each event. Please help!

When a signal gets investigated and closed, not reported... I'd like to see the investigative comment added by the analyst in addition to the contextual close out reasons (benign true positive, false positive, pen-testing, etc.). Right now there's no other info or reasoning as to why that decision was made.

The incident/escalation page for unexpected M365 logins shows countries, VPN, browsers, but not IP address(es). Would be very handy to have the list of IPs on this same page. Recently we had a false positive, and had to go into Entra logs to review, only to realize it was our own IPs.

When a user is visiting a country, we should have the option to set a time frame or infinite when clicking the green "expected" button

Need to improve on making an exception rule in part of the Huntress MDR for certain accounts in O365. There is instance that an account may require to access the GA into different GEO location. And in addition to this is the ability of the admin portal user to have the power to pre-configure the way the pre-remediations actions. Like having much control over the action that needs to be taken once there is detection of any anomaly's activity in the account.

The banners that display when selecting the MDR screen need massive improvement. For instance: "Microsoft 365 event subscription missing. The error should automatically resolve when unified audit logs are available. No action needed, do not remove integration." This displays when a customer doesnt have MDR configured or licenced to them.

We're using SaaS Alerts currently and one alert I would like to see in Huntress is when an account has authenticated with a valid password but fails a conditional access policy that otherwise blocks the sign-in. This is common when a user submits creds to a phishing message but the threatactor attempts to sign-in from a unauthorized location. The account is still considered compromised thus requiring remediation.

Hello Huntress Team, this is now a critical implementation requirement for us. My billing team are not happy to be inputting counts manually in CW.

Recently, hackers try to use hosting and VPN service in the region where the client is normally working to avoid detection. a. 99.99% of our users will never use a VPN provider to access their work email It would be interesting to have a toggle for automatic alerts on access from consumer VPN like ExpressVPN and Windscribe for example.

Integration with Microsoft should be automated like the process with Acronis or Avanan. Where we just need to accept permissions for them to do there work. see screenshot referring to my request.