ThreatOps workflow to investigate high impact Defender detections
New ThreatOps workflow now allows ThreatOps to investigate high impact defender detections and deliver a MAV incident report to email and/or existing PSA integrations based on the outcome of the investigation
ThreatOps can also pull in quarantined files and artifacts from agents above 0.12.18 to support their MAV investigation
Scans
Retired Weekly Full Scans due to updated recommendations.
Based on the research done in addition to updated Microsoft recommendations, regular scheduled full scans are no longer recommended. For more information, see our support article here.
Assisted Remediation:
Added task for agent to reboot the host
The agent now has the ability to task a reboot in preparation for Assisted Remediation actions for MAV. Additional work is still needed to add host reboot as an Assisted Remediation action into an incident report.
Dashboard:
Added a popup warning modal for manual Full Scans
Due to the resource intensive nature of full scans on managed endpoints, this popup modal provides awareness of the potential impact prior to queuing up a scan.
This appears for Manual Full Scan in the Hosts view as well as Manual Full Scan Bulk Selection in the main MAV Dashboard table.
In addition, this modal also calls out the inability to run manual scans for incompatible OSs.
Added a substatus column in Account View
This column provides additional context to the health state of the managed endpoints
Added an informational popover to MAV account / org views that defines "Reported Detection”
On the MAV account/organizational dashboard, there is a detections graph that shows MAV detections vs reported detections; this popover provides definition and clarification of these items.
Portal UX + Public Website
Incident Reports and Assisted Remediations:
Huntress Incident Reports now display the logged-in user who approved the Assisted Remediation actions.
The details within Exchange Incident Reports were updated to account for the new ProxyShell vulnerability disclosed in August. This helps partners understand the reports they are receiving and not confuse them with the previous Exchange vulnerability from March 2021.
Portal Dashboard:
Huntress removed the Exchange vulnerability dashboard notification pop-up for new users.This was a notification that was added after the Exchange vulnerability event back in March 2021.
[2021-08-16]
MAV Updates
Scans
Updated Unhealthy "Scan Required" substatus logic
A host is now marked as Unhealthy due to "Scan Required" substatus when either a Quick or Full Scan has not run in the last 14 days. Based on recent scanning research, a Quick Scan is also run as part of a Full Scan; this change clears up recent confusion where hosts were deemed as Unhealthy because a Full Scan was run without updating the Quick Scan time.
Updated Huntress Recommended for "Weekly Full Scan: Scan Day" to "Never".
Based on research from the ThreatOps R&D team, running scheduled Full Scans is no longer recommended by Microsoft. Therefore, Huntress is updating its own recommendation to not regularly run a Defender Full Scan.
Updated portal so that a single "Last Scan Time" column reflects both Quick OR Full Scan Time.
Because Full Scans are now manual only and reserved for when absolutely necessary (see above), this also resulted in retiring the “Last Full Scan” column in the MAV table. Time of Last Full Scan is still available in the MAV host view.
Added hover on the "Scheduled Scans" table for failed status that shows failure details.
Additional failure information details are now available when a manual scan cannot complete; this allows administrative users to have more information to help understand why a manual scan fails.
Bug Fixes/Enablers:
Retired 'enabled' column from the antivirus data table.
As part of the logic updates that determine when Defender is enabled, the enabled attribute within the Antivirus model is no longer needed.
Improved chart alignment on MAV account and org dashboard
Improved and cleaned up alignment for Microsoft Defender Health and Defender Detections by Week charts by updating the spacing.
Portal UX + Public Website
New Threat Reports for Partner Admins
Account admins now receive a more detailed threat summary report, which includes a breakdown of each Huntress service (Footholds, Canaries, MAV, Incident Summary).
Partners can now generate reports using a custom date range (up to 90 days)!
Added bulk actions capability for Full Scan, Quick Scan, and Signature Updates
This provides the ability to easily take necessary action for multiple hosts. Admins can first sort on which hosts need a scan or update, then easily run that action for multiple hosts.
Dashboard:
Updated default sorting of Detections Table based on most recent detection
This helps Partners quickly see the most recent MAV detections in their environment.
Added "Unmanaged" as an additional primary Status.
This allows partners to easily identify endpoints already managed by another AV.
Added Health Substatus column to the MAV hosts table.
Allows partners to view the Health Substatus for endpoints in order to easily identify what actions need to be taken
Added a MAV Substatus filter.
Allows partners to limit the host list view based on status in order to assist on specific workflows, such as running a bulk signature update for out-of-date hosts.
Added an Organization column to the MAV Account View.
Allows account-level users to clearly identify what hosts belong to what organizations.
Added a "Reported Detections" plotline to MAV Dashboard Detections Graph.
This allows partners to know and understand how many detections were included in an incident report in a given week compared to the Total Detections.
Portal UX + Public Website
Partner Enablement (PES)
Developed Asset Collections, enabling the Huntress Marketing team to group related content together within one Asset, similar to a folder. Assets can be downloaded individually or all together from a Collection. This makes it so Partners no longer have to download entire zip files from PES.
Threat Summary Reports
Created new Detailed Threat Reports at the account level that includes additional pages geared towards account admins / MSP owners. The new pages include an Incident Log for all critical/high incidents and a MAV page, detailing detection triage data. These reports provide account users detailed threat data on the variety of services that Huntress offers.
Added the ability for Partners to specify custom Threat Report timeframes, to better customize reports for their end-users.
Bug Fixes
Fixed Partner accounts that were affected by cross-month billing errors within Huntress’s payment processing system.
Comments
0 comments
Please sign in to leave a comment.