TEAM: Huntress Managed Identity Threat Detection and Response (ITDR, formerly MDR for Microsoft 365)
SUMMARY: Commonly asked questions about the Huntress Managed ITDR integration.
How do I exclude a user from the Managed ITDR licensing?
Huntress and the security community consider every user a potential attack vector for a threat actor to leverage in an incident. Users can be created and removed on the fly, and ensuring that Huntress can see all user information (including service accounts and other account types) is the best security outcome.
Huntress does not bill for all user accounts, only those that are actually billed for by Microsoft.
For example, this excludes guests and most shared mailboxes.
If excluding users from licensing is something you'd like to advocate for, please submit your request to our Feedback Portal!
What Microsoft 365 Licenses are excluded?
Please take a look at the following guide to see what licenses we exclude: Licenses that Huntress Excludes
Will you be adding coverage for Google Workspace?
Yes, we will be adding Unwanted Access for Google Workspace in 2025.
If I am not a Microsoft Cloud Solution Provider (CSP) or if the tenant is not in my partner center, can I still use this tool?
Yes! Microsoft organizations can be manually mapped to Huntress organizations via our portal. To get started, please follow the instructions in this guide: [Manual/Non-Partner] Getting integrated with Microsoft 365. This is the preferred installation method for any new setup due to its ease of setup, reliability, and reduction in setup errors compared to other setup methods.
Does Huntress recognize third-party MFA as Enabled in the portal?
Not at this time. The Huntress portal will only report MFA as Enabled for a user if that user utilizes Microsoft MFA through the Microsoft Authenticator app.
Can Huntress read my clients' emails with this product?
No. Huntress does not pull any email subject or content data from Microsoft.
Will Huntress block or disable accounts when they are compromised?
Yes. A Huntress SOC analyst has the ability to disable an account when they suspect that account is involved in malicious activity.
How long does Huntress keep my logs from Microsoft?
Two weeks.
How long does it take for my Microsoft logs to reach Huntress systems?
There is always some variability, but we generally receive and begin processing logs from Microsoft within a few minutes.
Will Huntress Managed ITDR detect existing malicious activity in my environment?
The product will detect existing malicious inbox rules but will not detect historical malicious logins.
Does the Managed ITDR have an external API available?
Yes! Please visit Huntress API.
Can the dedicated Service Account created as part of onboarding be deleted?
Unfortunately, the dedicated service account required for CSP/CPV-style mapping cannot be deleted or disabled. Deletion of the user may have unintended consequences for the integration and for on-behalf-of Microsoft interaction flows. The purpose of creating a dedicated service account is to reduce security risk and any potential impact from setup complications.