Advanced

Huntress judgement and identity

Identity is the biggest blast radius on the platform. Work the ITDR compromise playbook end to end on Microsoft 365 and Google Workspace, triage Managed SIEM Incident Reports without drifting into detection-tuning, communicate cleanly to customers and the SOC, then run the capstone judgement framework against fifteen scored scenarios.

~315 min total · 35 lessons · Final quiz
35 lessons

Lessons

  1. 01
    Why identity has a bigger blast radius than endpoint

    A compromised mailbox can phish contacts, re-route payments, and forward sensitive mail outside the org in minutes. The ITDR response model is sharper than EDR's for that reason.

  2. 02
    Reading an ITDR Incident Report and the Timeline view

    ITDR Incident Reports share EDR's skeleton but carry event-shaped Evidence and a Timeline view that stitches events into a chronological compromise story.

  3. 03
    Incident type: impossible travel

    Impossible travel is one of the most reliable compromise signals on the platform and one of the most reliable false-positive sources. The skill is reading the SOC's classification.

  4. 04
    Incident type: malicious inbox rule and suspicious forwarding

    Attackers create inbox rules within minutes of getting access because rules are durable. Even after the attacker loses access, the rule keeps forwarding mail.

  5. 05
    Incident type: MFA tampering

    MFA tampering is a near-certain compromise signal because legitimate MFA changes follow a specific shape that attacker-driven changes do not match.

  6. 06
    Incident type: OAuth grant abuse

    OAuth grants survive password resets and session revocations. An un-revoked grant lets an attacker keep reading mail and sending as the user days after you thought the compromise was fixed.

  7. 07
    Incident type: suspicious sign-in

    Suspicious sign-in is a family of signals, not a single pattern. The shape varies; the right response is whatever the Recommendation says.

  8. 08
    Verifying legitimacy with the user

    User verification on identity incidents has a specific shape. Done badly, it becomes the social-engineering surface the attacker exploits.

  9. 09
    Compromise playbook: revoke sessions

    Session revoke is step 1 because it stops the active attacker immediately, before anything else in the playbook matters.

  10. 10
    Compromise playbook: reset password and MFA

    Step 2 closes the door the attacker came in through. Password and MFA reset together, with a secure credential handoff.

  11. 11
    Compromise playbook: remove inbox rules and forwarding

    Step 3 closes the data-exfiltration paths the attacker set up. Two mechanisms, inbox rules and mailbox-level forwarders, both need attention.

  12. 12
    Compromise playbook: review and revoke OAuth grants

    Step 4 handles persistent access that survives session revoke, password reset, and rule cleanup. OAuth tokens authenticate independently.

  13. 13
    Compromise playbook: check newly enrolled MFA devices

    Step 5 audits the MFA-methods list post-reset so only legitimate methods remain. Targeted removal, not blanket cleanup.

  14. 14
    Recognising tenant-wide compromise

    Three signal families tell you the compromise is bigger than one identity. Recognition is the helpdesk's contribution; the response moves above the ceiling.

  15. 15
    Coordinating with Huntress auto-response

    Auto-response can complete containment actions before you see the incident. Recognise what it did, verify it worked, then continue from the next applicable step.

  16. 16
    The same playbook in Google Workspace

    The compromise playbook maps to GWS with different admin-tool paths, more forwarding mechanisms, and a user-admin overlap pattern in smaller tenants.

  17. 17
    What Managed SIEM is, and how it relates to EDR and ITDR

    SIEM is the third Huntress surface, log ingestion across endpoints and SaaS, with the same SOC-managed response model you already know. Optional product, optional course.

  18. 18
    The data-source model: agent logs, HEC, API integrations

    Three ingestion mechanisms, each with its own healthy state and failure modes. Naming the mechanism first is what makes every later SIEM diagnostic short.

  19. 19
    Reading a SIEM Incident Report

    The SIEM Incident Report shares the skeleton you already know, with log-shaped Evidence, sometimes-derived affected entities, and Recommendations that may span surfaces.

  20. 20
    Responding to a SIEM alert: the standard flow

    The six-step response flow (claim, review, act, verify, close, document) applies to SIEM with different action surfaces and a wider set of senior triggers.

  21. 21
    Data-source health: why is this source quiet?

    Five common causes of a quiet SIEM source, a mechanism-first diagnostic order, and the difference between broken and genuinely silent.

  22. 22
    Adding a new data source from a runbook

    Adding a data source is routine work when a runbook covers it and senior authorisation is in place. Without either, it is an architecture decision that belongs above the helpdesk ceiling.

  23. 23
    Where the ceiling sits on SIEM

    Four categories of in-scope SIEM work, six categories that escalate, and why the SIEM ceiling matters more than feel when the portal exposes tuning surfaces.

  24. 24
    Coordinating with the SOC on SIEM-driven incidents

    Four properties of a clean SOC reply, three reasons to reply, two reasons not to, and the tone that makes SIEM coordination work.

  25. 25
    The monthly summary report, and how to walk a customer through it

    The monthly summary is the customer's most concrete evidence the service is working. Pull it from the customer's Reports view; translate the bands into security outcomes; lead with the story, not the section order.

  26. 26
    Writing incident notifications: three rewrites compared

    The first few sentences a customer reads about an incident shape their entire impression of the response. Compare dramatic, vague, and correct versions of the same notification to calibrate your framing.

  27. 27
    Choosing the right comms channel: phone, email, or ticket

    The wrong channel for the situation wastes the work the response did. Apply a severity-and-preference matrix to decide whether an incident notification goes by phone, email, or ticket update.

  28. 28
    After-hours escalation

    After-hours work has two opposite failure modes: waking the on-call senior for every High, or sitting on a Critical at 2am. The escalation matrix and the discipline of using it are the skill.

  29. 29
    Closing the loop with the client after incident resolution

    The closing communication is the customer's last impression of the incident. Four elements every time: what happened, what was done, what the client should do, and what was learned.

  30. 30
    Communicating with the SOC: when and how to reply on a ticket

    The reply-to-analyst surface exists for clarifying questions and customer-context the analyst could not see. Three patterns warrant a reply; three patterns to avoid. The skill is calibrating the moment, the framing, and the tone.

  31. 31
    The categories of mandatory escalation

    Six categories of work that always escalate regardless of how the ticket arrives, how confident the customer's IT contact sounds, or how reasonable a senior's offhanded 'just go ahead' sounds. The list is short; carrying it as a mental check is the practice.

  32. 32
    Why clicking approve and see gets people fired

    The click-and-see reflex is the failure mode that ends helpdesk careers fastest. This lesson names it, explains why the consequences compound, and installs the ten-second pause as the alternative.

  33. 33
    Calibrated uncertainty

    The internal signal that says 'wait, am I sure?' is faster than any external check. This lesson teaches you to treat it as an escalation trigger rather than noise to push through.

  34. 34
    Common helpdesk traps

    Four failure patterns show up in new-tech work on Huntress more than any others: suppressing alerts, second-guessing the SOC, isolating without comms, and closing Huntress but not the PSA. This lesson names all four so they are recognisable.

  35. 35
    Final scenario assessment

    The shape of the final assessment, the categories it weights, and worked scenarios that rehearse the judgement framework one last time before the scored run.

  36. Final quiz

    Test what you learned. Wrong answers are explained on the spot.