Product: Huntress Managed Endpoint Detection and Response (EDR) & Managed Identity Threat Detection and Response (ITDR)
Environment: Huntress Platform
Summary: This article explains what Huntress suppressions are and the risks they pose
What are Signals?
The Huntress products are constantly sifting through security telemetry. When they detect an event that fits the criteria laid out by our detection engineering, a signal is generated.
Signals are then presented to our SOC Analysts who investigate and report if they deem a genuine threat is present.
Signals can also trigger automatic reports, for example when they are related to common potentially unwanted programs (PUPs)
What are Suppressions?
Suppressions allow Huntress to prevent certain signals from appearing in the SOC's queue. There are three suppression scope options:
Entity: Suppresses the behavior for a single endpoint or Microsoft 365 identity.
Organization: Suppresses the behavior for all entities within a specific organization.
Account (Global): Suppresses the behavior for all organizations under the partner account.
The Risk
While they can be useful, suppressions can introduce a serious risk of malicious activity being missed by our SOC.
For example, we are sometimes asked to suppress reports related to a certain Remote Monitoring and Management (RMM) tools. We understand it can be frustrating to receive a report for a tool that is legitimately in use. However, if a threat actor then used that same tool in an attack, our detection and response would be delayed or potentially missed altogether.
Acceptance of Risk
Partners must explicitly accept the associated risks before a suppression can be applied. If you are considering a suppression or have questions about the potential impact, please contact our SOC Support team to discuss your options.