Summary: Huntress updates detailed with features and bug fixes for all Huntress products
- Huntress Managed Endpoint Detection and Response (EDR)
- Huntress Managed Identity Threat Detection and Response (ITDR)
- Huntress Managed Security Awareness Training (SAT)
- Huntress Managed Security Information and Event Management (SIEM)
For 2021 and 2022, see Historical Huntress Agent and Platform Release Notes
Agent Version
Current release version
Windows: 0.13.230
macOS: 0.13.228
Rio (service): 0.6.9
Hosts running an unsupported version of the agent will be marked as "Outdated" in the Huntress portal.
As Huntress Agent updates roll out over time in batches, agent versions may appear behind but are still considered supported. Agents are set to update automatically given the host is online, agent services are running, and the agent is able to check in to the Huntress portal. Additional action is generally not required to update an active agent.
Agent versions older than the below are considered outdated:
Windows: 0.13.202
macOS: 0.13.198
Recent Release Information
Release Date: November 2024
Features:
EDR
- macOS Sequoia 15.1 support is now GA. If you are running 15.0, please update to 15.1 at your earliest convenience.
- macOS Monterey 12 has reached end of life with Apple. While the Huntress Agent may continue to run and be installed at this time, please update to a newer macOS to ensure continued support and future updates.
Security Awareness Training (SAT)
- SAT multi-language support is no longer behind a feature flag. Before, admins had to submit a support ticket to get access to multi-language subtitles and notifications. This feature is now un-gated and available to all without having to request it from support.
Bug Fixes:
- N/A
___________________________________________________________________
Historical Release Notes
Release Date: October 2024
Features:
Security Awareness Training (SAT)
- New learner dashboard. The new and vastly improved learner dashboard is now in general availability for all leaders. This new and improved experience is not only much more visually pleasing but also highlights the time remaining per assigned episode to help learners prioritize better.
- Huntress SAT now has an opt-in open beta for leaderboards. This new feature aims to make learning a bit more fun through a competitive points system to reward top performers. For full details including the steps on how to enable the feature and the point values, check out the Managed SAT Leaderboards KB.
Bug Fixes:
- N/A
Release Date: September 2024
Features:
Security Awareness Training (SAT)
- SAT now has self-service "Manual Push" for notifications. We occasionally hear that admins want to resend enrollment notifications and reminders for assignments. This happens because there may have been a security tool that wasn't properly configured to allow our emails through or because employees weren't made aware that their company moved to SAT so they deleted the initial email as junk. Admins can now trigger manual pushes in the assignment "Advanced" tab. If you have Manager Notifications enabled via Feature Flag, you can also trigger them from the same place!
- New beautiful SAT completion certificates. SAT completion certificates have been redesigned and look great now.
- Improved learner "Guided Tour" experience. Ever accidentally start an episode and when prompted if you want a guided tour of the UI accidentally clicked on "Let's Go" when you intended to skip the tour? We've changed the interface to clearly show "Start Tour" on the left and "Skip" on the right. If you do complete the tour, you now also get opted out of future tours by default.
- Learners "All" groups option. The Learners page now defaults to "All" groups instead of one group at a time! In the past, learners could only be viewed one group at a time. This was because export and import were buttons on that page and we needed to keep the admin constrained. Those options are now in a modal that selects a specific group allowing us to display all learners in one page.
- Custom Content Creator: Markdown block. The new "Markdown" block type for SAT custom content creator is now available. This block type allows for greater control over the formatting of slides as well as the ability to embed YouTube, Vimeo, and Loom videos in Huntress SAT custom content.
- Manager Notifications are now available. Huntress Managed SAT’s most highly requested feature is here! With Manager Notifications, admins can forget about generating and sending reports, and instead let managers know which of their direct reports have incomplete assignments through automated and manually triggered alerts. On top of that, managers also receive magic links that allow them to check on their employees’ progress in real-time. This leads to higher completion rate and less toil for administrators.
- Pre-configured OAuth providers in SAT. Admins who wish to use the zero-config "Log in with Microsoft" or "Log in with Google" as their primary login can now choose "Pre-configured OAuth providers" and select Microsoft or Google as authentication for the group. Once selected, links in learner notification emails and Slack messages will point to a page that only has the Microsoft or Google logins. This can be a great shortcut to skip the tedious SAML SSO process.
Bug Fixes:
- N/A
Release Date: August 2024
Features:
Incident Reports
- Automatically log actions on PSAs. When partners approve or reject a remediation plan on an incident report, Huntress will now automatically update the existing PSA ticket with which user or system took the remediation action and what actions they took. This works for all 4 of our key PSAs (ConnectWise, Autotask, Syncro, Halo) and streamlines the incident workflow further for our partners.
Security Awareness Training (SAT)
- PDF block in custom content creator (GA). SAT partners often use the custom content creator to send policy documents like acceptable use policies. Historically, they've done that using a link to a PDF on a file share, but this is annoying to manage at scale. Now, you can create a new type of block/slide called "PDF" which allows you to upload a PDF that will be opened in a new browser tab. You can also make clicking this link mandatory before moving on to the next slide.
- Custom Content - Markdown Block with embedded video support (Open Beta). Ever wanted to use in a SAT Custom Content block? Or to embed videos from YouTube, Vimeo, or Loom? Well, now you can. This new block type is live in production as an open beta! Everyone can use it but it does say "Beta" in the UI.
- Slack Manager Notifications in SAT (Closed Beta). Accounts using the beta manager notifications feature can now get notifications via Slack (as long as they have the Slack integration enabled). More details can be found here.
Bug Fixes:
- N/A
Release Date: July 2024
Features:
Host Isolation
- With Huntress agent version 0.13.192, when the portal isolates a host or if additional IP-blocking rules are added to the host, they only exist for as long as the Huntress Agent is running. If the agent is shut down, isolation and blocking will go away. When a host is rebooted, and no release task has been sent, the host will eventually (within a few minutes) re-apply the isolation and IP-blocking rules. To release a host, you can now simply shut the service down. If that's not possible, you can remove the following files and restart the host:
  - [HuntressInstallationDirectory]\huntress-isolation-rule-file
  - [HuntressInstallationDirectory]\huntress-ip-blocking-rule-file
Incident Reports
- Want to see what a Critical Incident Report looks like before ever experiencing one in real life? Now you can! Huntress can now simulate a Critical level incident, including generating a report, isolating a host, and approving/rejecting incident report remediation steps. This is available for both our Managed EDR and Managed ITDR tools. More information can be found here.
Security Awareness Training (SAT)
- Mapping of Curricula sub-accounts to Huntress orgs is in GA. We now allow partners to map curricula customer sub-accounts to existing Huntress portal orgs or create new ones. We are doing this in order to support having SAT metrics in the Huntress command center and in preparation for a future where we have a much more tightly integrated multi-product experience.
Bug Fixes:
- N/A
Release Date: June 2024
Features:
Portal
- Session Idle Time. Users are often annoyed at how frequently they have to re-authenticate into Huntress. While we don’t want to compromise our security practices, we’ve added a setting to allow users to lengthen their idle time from 30 minutes to 60 minutes. In addition, MSPs that like having the Huntress dashboard up on their main screens can now keep the Command Center dashboard up - it will auto-refresh and keep their session alive.
- Partners can inform the SOC if the findings in a rejected incident were useful. The Portal now captures usefulness data from partners when they reject a report. Why? We know rejection rates have been on the rise, but we don’t really know if partners find the reported findings useful. This information will help us make data-backed decisions when prioritizing SOC Escalation use cases.
- Analyst first names and investigative comments are partner visible! The Huntress Brand is all about “Human-Powered Threat Hunting”.
- In the past, autorun specific investigations would show the name of the analyst and the investigative comment they left. This feature made partners feel good knowing that Huntress had actual humans supporting them 24x7, 365. Unfortunately, Huntress strayed away from this user experience as we scaled EDR from 1 data source (autoruns) to many (antivirus, process, etc.). We strayed further as we grew into a multi-product platform. We're correcting that now!
- Left Navigation Update. This update consolidates the left navigation icons into their respective products: one for EDR, one for ITDR and one for SAT. This cleans up our sidebar and prepares us for further navigation streamlining in the future.
- Managed EDR & Managed ITDR Incident Simulation. You can now simulate incidents for EDR and Microsoft 365! This feature lets you experience the Huntress incident response workflow as if a critical-severity incident was occurring in your network or Microsoft 365 tenant. Incident simulation aims to answer the question of "Is this thing on?", but can also be used during tabletop exercises to test security response protocols.
Security Awareness Training
- Huntress Phishing Defense Coaching is now enabled for all customers and partners. This means that when their learners click on a simulated phishing message and the scenario has been enabled with coaching, the learner will go through this experience rather than the legacy Phishing Recovery episode.
- New Phishing Campaign Report is in GA. The new and vastly improved phishing campaign report that includes data on responses from Phishing Defense Coaching is now in GA. This report is available at the MSP and customer level. It also includes new multi-select filters as well as the ability to expand/close all the cards! This will make it easier to find actionable data from phishing campaigns.
Bug Fixes:
- N/A
Release Date: May 2024
Features:
Portal
- Multi-Org Host Isolation is now available! This enables Partner Admin user roles to isolate endpoints across multiple organizations within a single Huntress account from the organizations page. This is useful when multiple clients of an MSP have been hacked and we need to act quickly to quarantine the infected networks. This feature also enables isolation release across multiple organizations.
- Customers can now map Huntress Portal organizations to SAT. Previously, there was no linkage between Huntress Portal and the SAT Portal aside from SSO. With this update, we allow customers to link their data together. This will enable future cross-product features on the Huntress Portal: e.g. SAT phishing or training based on events within Managed EDR or Managed ITDR, or monthly PDF reports that also include SAT.
- Account Settings are now tabbed. Our Account Settings page was getting out of hand: one massive page of all sorts of settings. This update brings logical grouping to users updating their Huntress settings.
- The Reported Incidents table has been restructured to make it easier for partners and Huntress Staff to filter for and find reports of interest. Users can now clearly see when an incident report has been previously rejected and the reason for its rejection. If a report is in the process of being re-reviewed by the Huntress SOC you will be made aware. This will streamline partner operations and eliminate confusion amongst MSP and MM team members working in the Huntress Portal.
Security Awareness Training
- Microsoft 365 groups in selectable drop down. Rather than having to copy-paste the GUID of a Microsoft 365 group, you can now scroll or use type-ahead search to select a group.
- SAT Google sync now supports groups. Google Workspace integrations now allow admins to limit the scope of Google directory sync to a specific group. This is particularly useful for admins who have a group like 'full time employees' or 'security training' within Google.
macOS
- New macOS Agent Setup Summary Page. We've added a page where you can see all of your macOS agents and their setup status in bulk. Now you don't have to click through each agent to see if they are set up to run our new EDR for macOS. This status page also updates in real-time so you don't have to wait 10-15min to see if your setup worked.
Bug Fixes:
N/A
Release Date: April 2024
Features:
Security Awareness Training
- Forward Reported Phishing Attempts. SAT Admins who use the 'report phishing' service can now have reported phishing attempts that are not from Huntress be forwarded to a designated email address. This is most commonly used to forward messages to an internal security team or to email security vendors.
- SAT Learners - Log in with Google. SAT learners can now log in with their Google Workspace account on MyCurricula.com using OAuth without any work/setup required from admins. Admins can opt out of the feature if desired. This is also usable for Huntress employees for our own security awareness training.
- SAT Locked Learner Status. All SAT admins can now 'lock' a learner's status as active or inactive to prevent directory syncs from changing that state. This eliminates the need to apply the workaround of creating new groups.
- Microsoft 365 groups in selectable drop down. Rather than having to copy-paste the GUID of a Microsoft 365 group, you can now scroll or use type-ahead search to select a group.
Managed ITDR
- Improved Managed ITDR Onboarding. Onboarding Microsoft tenants is now more resilient and consistently successful. Over the past few weeks, we’ve rolled out a new backend system to better handle the timeouts and errors that often occur during the 11-step Microsoft tenant integration process. We tested this with new tenants first and then reprocessed existing tenants to address any gaps. While these changes might not be noticeable to most partners, some partners received new incident reports or escalations. These related to existing issues that needed to be corrected or things that we did not have visibility into previously, such as existing “historic” inbox rules, due to incomplete onboarding.
macOS
- Agent Installer page updated to streamline the full install of Huntress' agent for macOS. With the addition of Huntress EDR for macOS, we've updated the Agent Installer page to show everything that is needed to install the Huntress agent, System Extension, and grant the required permissions.
- New macOS Agent Setup Summary Page. We've added a page where you can see all of your macOS agents and their setup status in bulk. Now you don't have to click through each agent to see if they are set up to run our new EDR for macOS. This status page also updates in REAL-TIME so you don't have to wait 10-15min to see if your setup worked. This new page is found by clicking on the macOS Endpoint Setup widget on the Command Center.
  - This page is in the process of being updated with:
    - The ability to filter by setup status
    - The ability to export the list to CSV
    - The ability to install the System Extension in bulk
    - Other minor UX improvements.
Bug Fixes:
Security Awareness Training
- Custom Content Creator can now handle larger files. Historically, the SAT custom content creator would encounter errors for files over 200mb or so. Note that there is a cap, and files should be at or lower than 999mb.
Release Date: March 2024
Features:
Managed ITDR
- Partners can now revoke existing sessions for / log out identities that are synced from on-prem AD, even though we can't disable them. For hybrid environments where identities are based in an on-premises directory and sync to the cloud, attempts to disable identities on the cloud side are quickly overwritten by sync. We've revised our product to reflect this; for synced users, the "Revoke and Disable" button is now simply titled "Revoke" and we are no longer attempting to disable them.
- New "Refresh Identities" button. While Huntress refreshes information about identities automatically from Microsoft on a nightly basis, sometimes it would be helpful to force a refresh manually. We've now enabled this by adding a "Refresh Identities" button to the Microsoft 365 User page. It is most useful when partners or customers have made changes to identities in Microsoft and want to see those changes reflected in Huntress immediately, or if there's a recently-added identity that doesn't have full information in Huntress yet. Huntress automatically adds new users as soon as we see events from them, and product functionality will operate correctly without manually refreshing, so this is an optional feature.
- Detection improvements for compliant endpoints. We've updated our detections for Microsoft 365 for activity involving devices that are considered "compliant" and "managed" by Microsoft. Typically these are endpoints being managed with Microsoft Intune that are compliant with security policies. Because activity from these devices is more likely to be from a legitimate user, we now are less likely to issue incident reports for events from them, helping ensure that our detections are as accurate as possible.
- Re-enable isolated identities. You can now release an identity from isolation manually by using the new "Enable" button on the Microsoft 365 user overview page. This will enable a disabled cloud identity after an incident has been remediated without having to separately log into Microsoft, saving clicks and helping partner and customer technicians work more efficiently. This button will not appear for disabled hybrid identities synced to the cloud from an on-prem Active Directory server; such identities must be re-enabled on-prem.
Platform
- We now support sending Huntress usage to Autotask! Partners that use Autotask will now be able to save time on operations every month. Instead of manually tracking Managed EDR and Managed ITDR usage on Huntress each month, the integration will do it on their behalf. This is currently a beta feature; reach out to your Huntress account rep to enable this.
Bug Fixes:
N/A
Release Date: February 2024
Features:
Windows EDR
- Black Hunt Ransomware Vaccine. Vaccination for Black Hunt ransomware. Huntress will prevent current variants of Black Hunt from executing.
- IP Allow List for Isolated Endpoints. We now support the configuration of a list of IP addresses that isolated endpoints can connect to. This advanced feature enables partners who do incident response regularly to work more efficiently by remotely investigating and remediating isolated hosts using their self-hosted RMM or other tooling. This feature supports static IP addresses only and will not work with cloud RMM or other tools which use dynamic IP addresses for agent connectivity. See Host Isolation IP Allowlist.
- Managed Antivirus policy settings are slightly adjusted. When settings/exclusions are set manually or locally via the Defender GUI or tools such as Intune, it creates a conflict with the settings/exclusions set through the Huntress dashboard. When this case is detected, Huntress will stop attempting to overwrite the local host settings/exclusions, and will display noncompliant for the Policy Status. The MAV status will display as Protected.
- A tooltip has been added for Managed Antivirus Tamper Protection to guide partners on how to enable Tamper Protection if it is disabled.
- "Microsoft Defender tamper protection settings cannot be managed by Huntress and must be managed through Microsoft. You can manage them at the tenant level through the Microsoft Defender portal or for specific users with Intune. If your team needs it off to complete a task, consider using troubleshooting mode instead"
macOS
- Command Center Widget for macOS Agent Setup. We created a new Command Center widget to show how many Huntress agents for macOS still need additional setup to be fully protected. Clicking on this widget will show a list of agents that require additional setup. Clicking into a specific agent will have a checklist to show the exact setup that is missing.
- EDR Version column on agent table updated to support EDR for macOS. The EDR Version column on the agent table will now show 'Enabled' for any macOS endpoints running Huntress' Beta EDR for macOS. We are looking to expand the Huntress EDR for macOS Beta and this will make it possible to see if EDR for macOS is running or not.
Platform
- Prospects can now seamlessly try any Huntress product. Before, partners had to follow a convoluted process to get SAT started on the portal. Along with the recent changes to streamline SAT trial issues, it’s easier than ever for customers to see the power of our platform.
- Partners are required to set defaults when setting up a PSA so that Huntress always knows where to send tickets to. This feature improves our ability to automatically send our partners incident reports in the future by enforcing the selection of defaults across all PSAs.
Managed ITDR
- Microsoft License View. User Identities now have a view dedicated to the Microsoft licenses they hold, and which Huntress bills for and does not.
Security Awareness Training
- SAT customers and partners can now access data on simulated phishing via the API. Documentation has been added to Stoplight API docs.
Bug Fixes:
Platform
- Fix display of Invoices older than 30 days. Previously, to view any invoice older than 30 days, customers had to follow a convoluted process: getting blocked in the portal, sending an email to Huntress, and then having Huntress Finance generate a link for them manually. All invoices can now be easily accessed.
- Partners that have large PSA implementations can now use auto-map successfully. We saw cases where auto-map was not functioning correctly for partners with a lot of organizations. It would time out and fail to map. This fixes auto-map for all PSAs.
Security Awareness Training
- SAT trials now start successfully in almost all scenarios. Previously, we saw many instances where customers could not start SAT trials easily. Visibility into error messaging was poor. We’ve resolved most of these cases going forward.
Release Date: January 2024
Features:
Windows EDR
- Improved Handling of Microsoft Updates. We continue to invest in our ability to scale our services. When we do this well, it should be invisible to our partners and customers, but we are sharing because a “peek behind the curtain” can be interesting. In this case, we’ve dramatically reduced the quantity of agent surveys (updates sent to our servers when there’s a meaningful security change on an endpoint) we normally receive when Microsoft Updates are rolled out, particularly following “Patch Tuesday”. This has been the source of our peak processing loads and generated extra SOC work. This efficiency increase enables us to continue to keep our pricing low as we serve more and more customers.
macOS
- Added a new macOS Agent Readiness checklist on the agent detail page for macOS endpoints. This allows partners to quickly understand how to set up a Huntress agent for a macOS endpoint and troubleshoot any issues with that setup.
Platform
- Auto-map PSA Organizations: Partners can now map organizations for ConnectWise, Autotask, and HaloPSA in two clicks, speeding up onboarding and ongoing management.
- Enabled SAT for Direct Customers. Direct customers with Huntress can now trial and purchase SAT, simplifying the experience. Previously, customers had to go to the legacy Curricula.com website and create a separate account.
- Updated cover page of Threat Summary Report PDF. This gives partners more visibility into the value that Huntress provides, adding signals investigated data that was previously unavailable.
Security Portal
- Signals investigated and incidents reported shown from the Command Center now highlight 180 days of data rather than 30 days. This enables partners to get a complete picture of what the Huntress 24x7 SOC has done for them lately.
- Added filtering and export features to the Signals Investigated table. This allows partners to filter data in the portal and then export it for sharing purposes (audit, incident response, etc.).
- Updated the Weekly/Monthly Account & Organization Summary Emails with Signals Investigated and a link to the new Command Center dashboard. This new data replaced autorun specific investigations and a link to the EDR specific dashboard, because the Huntress Platform is now multi-product (Microsoft 365 and EDR).
Infrastructure and Developer Experience (IDEX)
- Enabled static outbound IPs. Security-conscious Huntress partners that self-host their PSAs can now use Huntress integrations to improve their workflows. Our knowledge base has been updated to reflect these IP addresses.
Security Awareness Training
- Forward phishing emails that weren’t from us in Beta. Admins using the Huntress report a phish service but want to receive copies of the emails that aren’t from us can now specify a destination. This feature is still beta but can be enabled for any admins who request it from their account manager.
- Update to Huntress Managed Learning. We received feedback that learners need more time to catch up on learning assignments if they fall behind. In response, we’ve pushed the end of a learning assignment to the end of the month following the one in which it was assigned.
- User-configurable time zones. All administrators can now change the time zone in their profile, which makes it much easier for them to schedule tasks like learner reminders and makes reading reports easier.
- New cards created to help admins onboard in a comprehensive way. These cards remind admins to launch “New Learner Essentials” and Managed Phishing.
Managed ITDR
- Per user license view: New option in the Microsoft 365 identity left navigation view to view the Microsoft licenses assigned to the identity. Each license lists if it is qualified for billing by Huntress or not. This should help support and partners know which licenses Microsoft has assigned and the reasons Huntress bills for the identity or not.
- Now tracking VPN usage per identity. As users use VPNs to interact with Microsoft, we begin tracking and building a profile of their VPN usage. With this, we can determine if a new VPN interaction is suspicious or just typical usage for that user. TLDR: Expect more detections on suspicious VPN usage and less on company enforced/sponsored VPN usage.
- No more duplication of inbox rules. Security will now see inbox rule events only for new or updated rules. This feature also builds the ground work for better tracking of inbox rules and re-ingestion.
- Added NONPROFIT_PORTAL to non-billable list. Partners will no longer be billed for this license. (They will be billed if the user has other billable licenses.)
Bug Fixes:
Windows EDR
- We addressed an issue where some agents could silently be in a bad state; they will now correctly show as needing to be repaired.
- Addressed an issue where under certain conditions, agents might not correctly report the status of tasks they are processing to Huntress, leading to incorrect status.
- Made a general performance improvement by optimizing memory allocation in the agent.
- Windows Defender Status Accuracy. We made a change that will reduce the number of cases that result in Windows Defender status showing as “Unknown”.
Platform
- Ensure detailed threat report PDF is turned on for all new partners. Improves onboarding by removing one step for customers when setting up Huntress.
- Display Microsoft 365 last synced number (Connectwise Billing Integration). Previously, we only displayed the last synced number for Managed EDR but did not do so for Managed ITDR. This update adds visibility for partners.
- Add Ramp Info to all Subscription pages. Many Huntress customers have subscriptions that ramp up over time. This information is now displayed in the portal, reducing customer confusion during the first few months of deploying Huntress.
Security Portal
- Improved the display of long Microsoft 365 User Principal Names (UPNs) in the Portal. These UPN values were scrolling off Portal pages and degrading the user experience.
Security Awareness Training
- Report phishing queue is no longer stuck.
- Regenerated the Monthly Reports that were generated incorrectly and sent them with the corrected data. Added tests to make sure we don’t have this issue again.
- The Auto-enroll feature for “New Learner Essentials” is no longer broken.
Managed ITDR
- Internal jobs cut into per organization jobs. Partners will see fewer false error messages in specific scenarios. Engineering will have better insight into true errors.
- Correct licenses and billable users. Some partners encountered fewer billable users than their licensing would expect. Microsoft is now properly reporting that to us, and we are reporting billable users correctly.
Release Date: December 2023
Features:
Portal Platform
- Launched the new Command Center! The new homepage allows partners to streamline their security operations. Partners with both products will receive information about both Managed EDR and Managed ITDR from their home page. Key context that was previously absent from the EDR dashboard, such as Escalations and MAV data, is now surfaced.
Windows EDR
- Agent connectivity resilience: We want to be sure that our agents always stay in contact with Huntress, even in challenging situations. We’ve made improvements that ensure that will happen in cases where an endpoint’s configured DNS servers aren’t reachable; this most commonly happens if local active directory domain controllers are isolated as part of an incident. Our agent will now fall back to a public DNS service to maintain connectivity to Huntress, which is particularly crucial during a significant incident.
Managed ITDR
- We’ve added routine Microsoft 365 user license updates to ensure that no Huntress account gets incorrectly billed with Managed ITDR.
- We've updated our Microsoft 365 license billing policy to exclude Microsoft 365 tenant-wide “exploratory” trial licenses from billing. This change is designed to enhance license management and ensure fair billing practices.
-
We’ve released anomalous user location detections to counteract elusive unauthorized access from threat actors and stop attacks before damage is inflicted. We’re experiencing early success in detecting anomalous user locations, accounting for 37% of Microsoft 365 Security Incidents reported in the last two weeks.
- We’ve released anonymizing proxy and VPN detections to intercept deceptive threat actors' attempts to evade unauthorized access defenses. We’re experiencing early success detecting defense evasion via VPN, accounting for 15% of Microsoft 365 Security Incidents reported in the last two weeks.
- We’ve released credential stuffing detections to ensure users' first line of defense, their password, remains as effective as possible. We’re experiencing early success in detecting credential stuffing, accounting for 11% of Microsoft 365 Security Incidents reported in the last two weeks.
Security Awareness Training
- Huntress Managed Phishing is in general availability for all MSPs and paid mid-market customers. We often hear that admins don’t want to manage simulated phishing and would like to just put phishing “on autopilot.” This feature satisfies the need and takes it one step further: Huntress’ security experts steer the program on your behalf with monthly simulated phishing campaigns. Every enrolled learner will receive one email per month beginning in the month after they are enrolled. In keeping with best practices, messages are sent out over the course of the month rather than all at once and learners receive one of the several selected scenarios. Administrators get visibility into next month’s scenarios in the portal so that they can let their user-facing teams know what to expect in advance of messages getting sent and results of the campaign are included in monthly value reports.
- Start managed phishing and learning immediately, which allows prospects and new customers to start this month’s campaign/assignment right away rather than waiting for next month to start.
- Improvements to the learner login experience have been made. We heard partner feedback and have made it easier for learners to log in. Magic links now last a full week rather than one hour. In addition, learners now have the option to authenticate with Microsoft without any admin setup required.
Security Portal
- Signals Investigated is in Beta with the release of the Command Center! Investigated signals highlight potential security threats that a SOC analyst investigated to determine if an attacker has compromised an endpoint or identity. This is a proof of work feature that will allow all partners, but especially trialing and renewing partners, to see all the work the Huntress SOC has been doing for them. Read more about the feature and why it will be in Beta until mid-January 2024 here.
- Multiple summary data charts were added to the Signals Investigated table. The charts give partners a breakdown of the most investigated signals, the status of the signals (reported vs. closed), and the different data sources the signals were generated from.
Bug Fixes:
Windows EDR
- Restart Loop Hotfix: While working on other improvements, an issue caused our agent service to go into a restart loop on a small number of machines, so we created a hotfix to reverse the change.
- Security fix: We addressed an issue with our installer where it was possible to execute an incorrect file under specific circumstances. We recommend that customers only use our latest installer.
- Defender Escalations: We had turned off escalations that report that Windows Defender is disabled while we address an issue that caused them to be sent erroneously due to false positives. They are now active again.
- “Unknown” Defender status: Fixed an issue where some fields in the UI showing Windows Defender status for specific agents were incorrectly showing “unknown”.
- Fixed an issue where the agent would log and send errors for expected conditions that didn’t need to be reported.
- We’ve improved how we handle legitimate software updates from certain known vendors to reduce the number of updates sent from agents to our servers. This will help ensure that we’re always processing and acting on data from our agents in a timely way as our agent population grows.
macOS
- Removed a line of text on the agent install page that said the macOS agent was still in Beta. This was old text from when the agent was in beta last year and is no longer true.
Managed ITDR
- Pre-existing inbox rule detection: Addressed an issue where users' pre-existing inbox rules were not being analyzed for malicious activity. ALL users' pre-existing inbox rules have been scanned to ensure no detection gaps. Also addressed an issue where users' pre-existing inbox rules were not being automatically remediated via Huntress. Previously reported incidents have been regenerated to resolve the issue.
- Insufficient permissions identified: Addressed an integration issue where 71 protected organizations lacked sufficient permissions to support assisted remediations; all impacted accounts have been notified.
- Trials can now view organization dashboard: Addressed an issue where accounts only trialing Managed ITDR could not view their customers' Managed ITDR organization dashboard in the Huntress portal.
- Addressed an issue where Managed ITDR Huntress Escalations would not auto-resolve upon completion of Managed ITDR trials or subscriptions. Impacted Huntress Escalations have been resolved.
Release Date: November 2023
Features:
Portal
- Updated instructions on the Agent Installation page to make it easier to install the Huntress Agent.
- Enabled users to see the status of Windows Defender Firewall. On the EDR Dashboard, partners can now see how many hosts in their organization have the Windows Defender Firewall enabled. This visibility enables partners to address an important security risk in organizations without another tool for managing Windows Defender Firewall.
- Allow Partners to Regenerate Account Key. Partners previously had to reach out to support to request their account key be reset. With this update, partners can self-serve and do this by themselves.
- ConnectWise billing integration can now be enabled by partner admins and no longer requires assistance from Huntress support to enable. This feature currently supports both Managed EDR and Managed ITDR billing.
Incident Reports
- Added UTC timestamps for autorun investigations in multiple partner-facing views in response to a partner request that highlighted the limitations of only showing relative timestamps.
macOS
- Eligible Mac agents will now be isolated when the entire organization is isolated. Mac endpoints that have our new system extension installed, which enables host isolation, will now be isolated along with other hosts. This allows the Huntress SOC to protect macOS devices during a critical incident.
- Easily grant necessary privileges to our macOS agent using your MDM. We now provide .mobileconfig files that partners can upload to their MDM to automatically create all of the necessary policies for the Huntress Agent for macOS to have full-disk access, allow host isolation, and support our future EDR.
Security Awareness Training
- Partners and customers now have a unified monthly report with a summary of:
  - Learner enrollment/offboarding activity
  - Completion rate stats for all assignments active last month
  - A list of learners who have uncompleted learning
  - Stats on simulated phishing campaigns
  - A list of learners who interacted with simulated phishing campaigns

  This report is available to all customers and partners under the Reports tab, to highlight the value delivered and note any exceptions that might warrant managerial intervention.
  Automated email delivery of the report is also available by adding recipients to the Monthly Email Report list under the organization's Team settings page.
- Opt learners out of simulated phishing
  - When this flag is enabled on the Learners page for a specific learner(s), all currently scheduled and future campaigns will fail as “blocked” at time of send – even if the learners were enrolled in the campaign before. This feature is in general availability and available to all administrators.
- Custom branding in the learners dashboard
  - Custom logos can now be displayed on the Learner dashboard in addition to the existing customization of transactional email notifications and reports.
Bug Fixes:
Incident Reports
- Fixed bug that caused partner-facing incident report tables to not be sorted by Sent At descending; our users expect incident data to be sorted chronologically.
- Enabled Partner Organization Admins and Security Engineers to resolve incidents in bulk to expedite incident resolution. We failed to grant this permission when we initially released the bulk resolve feature to partners last month.
- Fixed a bug that caused incidents with manual remediations requiring a system reboot to stay active when all other remediations (including the reboot) had been completed.
Potentially Unsecured Credential Signals
- Fixed a bug that prevented partners from exporting the CSV for potentially unsecured credential signals when one of their Huntress Organizations had been deleted.
Release Date: October 2023
Features:
Incident Reports
- Incident reports for accessing files with clear text passwords. We rolled out a proof of concept feature which sends partners a one-time notification via LOW severity incident reports when a user on their network is accessing a file that may contain clear text passwords. The Huntress Product and SOC teams are evaluating options to enable re-notification and partner opt-out capabilities. More to come!
- UPDATE: New “Credential Reports” provide visibility into usage of plain text password files. Following up on a recent one-time notification, this provides Huntress partners with ongoing visibility into a very common, wildly insecure practice that should be mitigated. It provides the opportunity to introduce customers to more secure practices for credential management. Partners will need to opt-in to this feature to enable it. We’ve also added other management features like CSV exports and bulk resolution to make it easier to use. More details here.
- Updated incident report rejection reason options to be specific to the entity type. Options are based on whether it’s a user or an endpoint, making it easier on partners when selecting a reason and easier for the Huntress Product and SOC team to analyze.
Security Awareness Training
- Microsoft 365 API Insertion is now in GA. This feature allows partners to skip the cumbersome step of allow listing domains in phishing/spam filters for Microsoft 365 users. Huntress does this by creating messages directly in their inboxes through APIs rather than sending SMTP emails.
- Note: This feature only bypasses filter-type email security products but does get caught by products that scan messages inside the inbox and wrap links, like Microsoft Defender for Office (P1 as included in Microsoft 365 Business Premium).
- Partners can now specify their own sender name and email address. Notifications and reminders for learning assignments can come from their trusted IT professionals rather than Curricula.
- QR code bait-link shortcode added to simulated phishing scenario creator. In response to reports of increasing use of QR codes in phishing emails to bypass email security product protections, we’re enabling SAT admins to create custom phishing scenarios that use QR codes for bait links so they can train users to recognize this new technique. Huntress R&D is building a scenario that will be available to everyone soon. In the meantime, you can benefit from the feature by using the new bait-link in a custom scenario using the phishing creator.
Windows EDR
- New “Credential Reports” provide visibility into usage of plain text password files. Following up on a recent one-time notification, this provides Huntress partners with ongoing visibility into a very common, wildly insecure practice that should be mitigated. It provides the opportunity to introduce customers to more secure practices for credential management. Partners will need to opt-in to this feature to enable it. We’ve also added other management features like CSV exports and bulk resolution to make it easier to use. More details here.
macOS
- Manual Host Isolation is now available for macOS devices. Like Host Isolation for Windows, this feature severs attacker access to a compromised host until it can be remediated, preventing expansion of an incident. This feature for macOS won’t have any automated triggers yet, so hosts must be isolated manually through the portal. Host Isolation is only available for macOS agents on version 0.13.72+, after the instructions have been followed to install the new system extension and grant it permission.
- We now support macOS Sonoma.
Incident Reporting
- Bulk incident resolution is now available for applicable incident reports. This time saving feature can help partners bulk action reports that do not require remediation actions. More information on this feature can be found here.
- Critical Incident Notifications (SMS text/call) now support international phone numbers! Partners can now input phone numbers from a variety of international locations; see the full list here.
- Partners who select voice call only for Incident Notifications can now verify landline numbers. Previously, the Huntress Portal only sent verification PIN codes through text messages, but call verification is now supported.
Bug Fixes:
- N/A
Release Date: September 2023
Features:
Platform
- Critical Incident notifications are here! The Huntress Portal now notifies account admins who have opted in via text/call when the Huntress SOC sends a critical incident. This feature will hugely benefit our partners during off hours when they need to be notified ASAP of an incident. Check out our blog on the new feature!
SecOps
- Managed Microsoft 365 Identity Isolation feature is now available! This automates Microsoft 365 identity isolation when a SOC analyst sends the associated incident report, in order to isolate compromised Microsoft 365 users. The feature also enables our partners to configure user/org level exclusions within Account Settings and filter incidents by managed response actions in the Portal.
- Partners can now isolate an entire Huntress Organization (network with multiple hosts) at once from the Organizations table if they are logged in as an Account Admin or Security Engineer role.
Bug Fixes:
- N/A
Release Date: August 2023
Features:
Portal Update
- Made slight improvements to the navigation to support multi-product workflows.
Host Isolation
- Enabled partners to bulk release isolation for all hosts in their organization. This is helpful for partners that have experienced a site-wide attack and are in the process of recovery.
- Added a new Escalation type that will alert when an entire organization has been isolated. This escalation will send in tandem with the Incident Report that is currently sent due to the criticality of the incident.
External Recon
- Added the ‘Internal IP’ and ‘External IP’ columns to the Agents table to make correlating External Recon ports easier.
Security Awareness Training
- GA: Customers with Microsoft 365 integrations can now enable an option to exclude unlicensed identities when synchronizing learners. This is helpful to automatically ignore non-humans such as printers or backup appliances.
- BETA FEATURE: We have built an OAuth-based integration onboarding for Microsoft 365, Google, and Okta. This makes onboarding new accounts much faster and easier! For access to this feature, please contact your account manager.
Managed ITDR
- Enabled Microsoft 365 inbox rules to be deleted via Assisted Remediations to help partners delete nefarious inbox rules faster as part of the Huntress Incident resolution workflow.
Bug Fixes:
- N/A
Release Date: July 2023
Features:
Portal Updates
- Local Time Zones feature is fully live
- Security Engineer role has been added as a user permission
- These users can perform most security functions such as host isolation or assisted remediation, but cannot view/edit billing
Incident Reports
- Moved entity information (hosts/user) to the top of incident reports to improve readability for partners.
Bug Fixes:
- N/A
Release Date: May 2023
Features:
Host Isolation
- Added a capability to cancel host isolation from the Host Overview page to provide analysts and partners a mechanism for undoing isolation tasks sent to the host.
Bug Fixes:
- N/A
Release Date: March 2023
Features:
- N/A
Bug Fixes:
- Fixed an issue that caused an unintended Huntress-initiated host reboot when partners opted to reboot manually during Assisted Remediations
- Resolved a bug where some Incident Reports weren’t automatically closing after their Remediation Plan completed
Release Date: February 2023
Features:
- N/A
Bug Fixes:
Agent Installer
- Resolved an issue where updates to Huntress Agents on 32-bit Windows received a 64-bit binary due to a build system error causing Huntress services to no longer run.
- If you manage a Huntress Agent on a 32-bit Windows host that is on version 0.13.38 or below and is not updating, please reinstall the latest Huntress agent. Affected partners have been notified.
Release Date: January 2023
Features:
- Added messaging on the host overview page to prevent accidental manual host isolation by warning analysts and partner admins that a given host is excluded from Managed Host Isolation. A host can be excluded via specific exclusions in Account Settings OR by an account having disabled Managed Host Isolation.
- In Security Awareness Training, MSPs can now go to the partner-level Library and create custom content (with text, videos, links, and test questions) that is assignable to any and all customers.
- Custom Content creation is set to enable a partner admin to create content once and publish it to all sub-accounts managed by the partner.
Bug Fixes:
- We identified an issue that may have over-reported the number of Changes Analyzed in the Huntress Monthly/Quarterly Threat Summary Reports. This issue has been fixed going forward; however, it may mean that the “Changes Analyzed” quantity in your account and organization reports may appear to be out of typical ranges. There was no impact to the number of potential threat indicators, in-depth investigations, or incidents reported.