Product: Huntress Managed Identity Threat Detection and Response (ITDR)
Environment: Unwanted Access Dashboard
Summary: The Unwanted Access dashboard allows you to set access rules for your account, organization, or individual identities to manage expected and unauthorized logins.
In This Article
Overview
Where to View Unwanted Access Settings
Create a Rule Exception
Edit an Existing Rule
Overview
Unwanted Access Rules provide Huntress partners with the ability to configure rules for expected and unauthorized logins from specific countries and VPNs/proxies. A rule can be created via the UI or as a result of resolving an escalation.
Where to View Unwanted Access Settings
-
From the Huntress portal, go to ITDR > Unwanted Access
-
Click the blue “Manage VPN Rules” or “Manage Country Rules” button, depending on what access setting you wish to modify
- This will bring you to the Unwanted Access Rules page where you can configure your account and/or organizations to default to "unauthorized" (deny all) for Locations and VPNs. This allows you to enforce strict access policies and then create exceptions using Expected or Unauthorized rules.
-
Account Level Rules: When Deny All is enabled, all logins from countries or VPNs not explicitly allowed with rule exceptions will be treated as unauthorized for all organizations under the account.
-
Organization Level Rules:
-
Organization Ignore Account Setting: When this is enabled, the Account-level "Deny-All" setting does not apply to this organization. However, specific rules created at the Account level will still apply
- Note: This setting must be enabled before you can toggle the Organization Level Deny All setting.
-
Organization Level Deny All: When enabled, all login events for the organization are considered unauthorized unless there is an explicit "Expected" rule at the Organization or Identity level (or the login matches the licensed usage location).
- Important: Enabling this setting overrides all Account-level rules. Account-level rules are never considered for identities in this organization while this setting is active.
-
Organization Ignore Account Setting: When this is enabled, the Account-level "Deny-All" setting does not apply to this organization. However, specific rules created at the Account level will still apply
-
Account Level Rules: When Deny All is enabled, all logins from countries or VPNs not explicitly allowed with rule exceptions will be treated as unauthorized for all organizations under the account.
Create a Rule Exception
From the Unwanted Access Rule page
- Select VPN Rules or Location Rules
- Select Add Rule in the Rule Management module
- Choose the Rule Level (Account, Organization, or Identity).
- Select the Rule Type
Expected: Aligns with normal user activity and is not escalated. SOC will continue monitoring for other suspicious events
Unauthorized: Behavior is not anticipated from the user. Events from this location will trigger an Incident Report for further investigation.
- Set the Location (Country) or VPN that you wish to apply the rule to.
- (Optional) Add a Start Date and/or Expiration Date by unchecking the box next to Starts Immediately or Never Expires.
- Leaving the box checked on next to Starts Immediately will result in the rule applying right away. Leaving the box checked on next to Never Expires will result in the rule remaining indefinitely, unless someone manually removes the rule.
- The Start Date and Expiration Dates allow you to pre-configure rules for future events, such as upcoming travel or a scheduled policy change.
- Start Dates are effective at 00:00:00 UTC on the selected date, and Expiration Dates are effective until Expires at 23:59:59 UTC on the selected date. The time is not currently configurable.
- Leaving the box checked on next to Starts Immediately will result in the rule applying right away. Leaving the box checked on next to Never Expires will result in the rule remaining indefinitely, unless someone manually removes the rule.
- (Optional) Add a Note with any information about the rule that you wish to include. This will be visible to other account users.
- Select Create to finish creating the rule and view it in your dashboard
Edit an Existing Rule
You can edit existing Unwanted Access rules by selecting the Actions icon (three dots) in the row of the rule you want to change.
- You can only update the Start Date, Expiration Date, and Notes; all other fields are locked.
- To modify locked fields, you must remove the rule and create a new one.