Summary: Information on what data Huntress collects for the EDR and MDR products
Unless otherwise noted, all of the data collected is held indefinitely in U.S.-based data centers and is detailed in our privacy policy.
Managed EDR
Huntress collects details about persistent (auto-starting or autorun) applications/files. These files are used to help determine if an autorun is legitimate. The data collected includes:
- File path
- File meta-data (size, timestamp, hashes, etc.)
- The user account the autorun starts under
- How the autorun starts (registry value, task, service, etc.)
- The version of the operating system and installed updates
- Computer configuration (CPU make/model, amount of RAM, amount of free and used storage, uptime)
- Network configuration (hardware type, IP address, MAC address, hostname, Active Directory status, Defender Firewall status)
- Limited Microsoft Defender data (update times, scan times, past detections, exclusions, other AV solutions, remediation status, quarantined files, etc.)
With Managed AV enabled, Huntress collects the following data provided by Microsoft Defender:
- Infected file and any resources used or linked to the infection (malware artifacts, registry keys, etc.)
- Infected file meta-data (size, timestamp, path)
- The user account the infection was discovered under
Huntress also collects details about running processes on endpoints with Process Insights (on by default). This data includes:
- Process file path
- Process meta-data (parameters, PID, start/end time, certificate(s), size, hash, etc.)
- Process parent data (PID, name, meta-data)
- The user account the process started under
MDR for Microsoft 365
Huntress collects Microsoft 365 event logs from any connected tenants and user session details in order to determine if user behavior is legitimate. The data collected includes:
- Inbox rule names and actions (stored as long as the rule is active)
- Tracked Events (stored for 14 days)
- Session information such as:
  - ID
  - Browser names
  - Country
  - OS
  - Tunnels
- Identities:
  - Microsoft GUID
  - UPN
  - Most Recent Event seen at
  - Location Users have accessed from
  - Licenses User has linked to their account