Huntress judgement and identity
Identity is the biggest blast radius on the platform. Work the ITDR compromise playbook end to end on Microsoft 365 and Google Workspace, triage Managed SIEM Incident Reports without drifting into detection-tuning, communicate cleanly to customers and the SOC, then run the capstone judgement framework against fifteen scored scenarios.
Lessons
- 01 ~8 minWhy identity has a bigger blast radius than endpoint
A compromised mailbox can phish contacts, re-route payments, and forward sensitive mail outside the org in minutes. The ITDR response model is sharper than EDR's for that reason.
- 02 ~8 minReading an ITDR Incident Report and the Timeline view
ITDR Incident Reports share EDR's skeleton but carry event-shaped Evidence and a Timeline view that stitches events into a chronological compromise story.
- 03 ~8 minIncident type: impossible travel
Impossible travel is one of the most reliable compromise signals on the platform and one of the most reliable false-positive sources. The skill is reading the SOC's classification.
- 04 ~8 minIncident type: malicious inbox rule and suspicious forwarding
Attackers create inbox rules within minutes of getting access because rules are durable. Even after the attacker loses access, the rule keeps forwarding mail.
- 05 ~8 minIncident type: MFA tampering
MFA tampering is a near-certain compromise signal because legitimate MFA changes follow a specific shape that attacker-driven changes do not match.
- 06 ~8 minIncident type: OAuth grant abuse
OAuth grants survive password resets and session revocations. An un-revoked grant lets an attacker keep reading mail and sending as the user days after you thought the compromise was fixed.
- 07 ~8 minIncident type: suspicious sign-in
Suspicious sign-in is a family of signals, not a single pattern. The shape varies; the right response is whatever the Recommendation says.
- 08 ~8 minVerifying legitimacy with the user
User verification on identity incidents has a specific shape. Done badly, it becomes the social-engineering surface the attacker exploits.
- 09 ~8 minCompromise playbook: revoke sessions
Session revoke is step 1 because it stops the active attacker immediately, before anything else in the playbook matters.
- 10 ~8 minCompromise playbook: reset password and MFA
Step 2 closes the door the attacker came in through. Password and MFA reset together, with a secure credential handoff.
- 11 ~8 minCompromise playbook: remove inbox rules and forwarding
Step 3 closes the data-exfiltration paths the attacker set up. Two mechanisms, inbox rules and mailbox-level forwarders, both need attention.
- 12 ~8 minCompromise playbook: review and revoke OAuth grants
Step 4 handles persistent access that survives session revoke, password reset, and rule cleanup. OAuth tokens authenticate independently.
- 13 ~8 minCompromise playbook: check newly enrolled MFA devices
Step 5 audits the MFA-methods list post-reset so only legitimate methods remain. Targeted removal, not blanket cleanup.
- 14 ~8 minRecognising tenant-wide compromise
Three signal families tell you the compromise is bigger than one identity. Recognition is the helpdesk's contribution; the response moves above the ceiling.
- 15 ~8 minCoordinating with Huntress auto-response
Auto-response can complete containment actions before you see the incident. Recognise what it did, verify it worked, then continue from the next applicable step.
- 16 ~8 minThe same playbook in Google Workspace
The compromise playbook maps to GWS with different admin-tool paths, more forwarding mechanisms, and a user-admin overlap pattern in smaller tenants.
- 17 ~8 minWhat Managed SIEM is, and how it relates to EDR and ITDR
SIEM is the third Huntress surface, log ingestion across endpoints and SaaS, with the same SOC-managed response model you already know. Optional product, optional course.
- 18 ~8 minThe data-source model: agent logs, HEC, API integrations
Three ingestion mechanisms, each with its own healthy state and failure modes. Naming the mechanism first is what makes every later SIEM diagnostic short.
- 19 ~7 minReading a SIEM Incident Report
The SIEM Incident Report shares the skeleton you already know, with log-shaped Evidence, sometimes-derived affected entities, and Recommendations that may span surfaces.
- 20 ~7 minResponding to a SIEM alert: the standard flow
The six-step response flow (claim, review, act, verify, close, document) applies to SIEM with different action surfaces and a wider set of senior triggers.
- 21 ~8 minData-source health: why is this source quiet?
Five common causes of a quiet SIEM source, a mechanism-first diagnostic order, and the difference between broken and genuinely silent.
- 22 ~7 minAdding a new data source from a runbook
Adding a data source is routine work when a runbook covers it and senior authorisation is in place. Without either, it is an architecture decision that belongs above the helpdesk ceiling.
- 23 ~7 minWhere the ceiling sits on SIEM
Four categories of in-scope SIEM work, six categories that escalate, and why the SIEM ceiling matters more than feel when the portal exposes tuning surfaces.
- 24 ~6 minCoordinating with the SOC on SIEM-driven incidents
Four properties of a clean SOC reply, three reasons to reply, two reasons not to, and the tone that makes SIEM coordination work.
- 25 ~6 minThe monthly summary report, and how to walk a customer through it
The monthly summary is the customer's most concrete evidence the service is working. Pull it from the customer's Reports view; translate the bands into security outcomes; lead with the story, not the section order.
- 26 ~7 minWriting incident notifications: three rewrites compared
The first few sentences a customer reads about an incident shape their entire impression of the response. Compare dramatic, vague, and correct versions of the same notification to calibrate your framing.
- 27 ~6 minChoosing the right comms channel: phone, email, or ticket
The wrong channel for the situation wastes the work the response did. Apply a severity-and-preference matrix to decide whether an incident notification goes by phone, email, or ticket update.
- 28 ~7 minAfter-hours escalation
After-hours work has two opposite failure modes: waking the on-call senior for every High, or sitting on a Critical at 2am. The escalation matrix and the discipline of using it are the skill.
- 29 ~6 minClosing the loop with the client after incident resolution
The closing communication is the customer's last impression of the incident. Four elements every time: what happened, what was done, what the client should do, and what was learned.
- 30 ~6 minCommunicating with the SOC: when and how to reply on a ticket
The reply-to-analyst surface exists for clarifying questions and customer-context the analyst could not see. Three patterns warrant a reply; three patterns to avoid. The skill is calibrating the moment, the framing, and the tone.
- 31 ~7 minThe categories of mandatory escalation
Six categories of work that always escalate regardless of how the ticket arrives, how confident the customer's IT contact sounds, or how reasonable a senior's offhanded 'just go ahead' sounds. The list is short; carrying it as a mental check is the practice.
- 32 ~7 minWhy clicking approve and see gets people fired
The click-and-see reflex is the failure mode that ends helpdesk careers fastest. This lesson names it, explains why the consequences compound, and installs the ten-second pause as the alternative.
- 33 ~7 minCalibrated uncertainty
The internal signal that says 'wait, am I sure?' is faster than any external check. This lesson teaches you to treat it as an escalation trigger rather than noise to push through.
- 34 ~7 minCommon helpdesk traps
Four failure patterns show up in new-tech work on Huntress more than any others: suppressing alerts, second-guessing the SOC, isolating without comms, and closing Huntress but not the PSA. This lesson names all four so they are recognisable.
- 35 ~10 minFinal scenario assessment
The shape of the final assessment, the categories it weights, and worked scenarios that rehearse the judgement framework one last time before the scored run.
- Final quiz
Test what you learned. Wrong answers are explained on the spot.