Identity, Threat, Detection & Response
Catch identity threats before they become incidents.
Real-time monitoring of every sign-in, audit event, and risk signal across every Microsoft 365 tenant you manage — with detection rules tuned for the kinds of attacks that actually hit MSP customers.
Sifting through Entra audit logs in 15 different tenant portals. Missing a privilege-escalation event because nobody was watching at 2am. Reacting to an incident after a customer noticed.
What's included
Every shipping capability in ITDR.
Below is the complete capability list for this app — not a roadmap. If a capability is on this page, it's in the product today.
Real-time event ingestion
Continuous collection of sign-in, audit, and risk events from Microsoft Graph, normalised across every tenant.
10+ built-in detection rules
Impossible travel, brute force, privilege escalation, MFA bypass, suspicious mailbox rules, abnormal admin activity, token theft indicators, and more.
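To make concrete what three of the rules named above (impossible travel, brute force, suspicious mailbox rules) actually evaluate, here is an added Python example. It is not the product's code and not taken from the page; the sign-in and audit events are constructed sample data, and the field names, thresholds, and the `TENANT_DOMAINS` map are assumptions loosely modelled on the Microsoft Graph signIn and directoryAudit resources.

```python
"""Toy versions of three ITDR detections, run over constructed sample events."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample data (not real tenant data). Field names are assumptions
# chosen to resemble Graph signIn / directoryAudit records, already normalised
# across tenants the way a cross-tenant collector would deliver them.
SIGN_INS = [
    {"tenant": "contoso", "user": "alice", "time": "2024-05-01T09:00:00", "ok": True, "lat": 51.50, "lon": -0.12},
    {"tenant": "contoso", "user": "alice", "time": "2024-05-01T09:40:00", "ok": True, "lat": 1.35, "lon": 103.82},
    {"tenant": "fabrikam", "user": "carol", "time": "2024-05-01T08:00:00", "ok": True, "lat": 51.50, "lon": -0.12},
    {"tenant": "fabrikam", "user": "carol", "time": "2024-05-01T12:00:00", "ok": True, "lat": 48.85, "lon": 2.35},
] + [  # twelve failures for bob in two minutes at 02:10, then a success
    {"tenant": "contoso", "user": "bob", "time": f"2024-05-01T02:{10 + i // 6:02d}:{(i % 6) * 10:02d}",
     "ok": False, "lat": 40.7, "lon": -74.0}
    for i in range(12)
] + [
    {"tenant": "contoso", "user": "bob", "time": "2024-05-01T02:12:30", "ok": True, "lat": 40.7, "lon": -74.0},
]

MAILBOX_RULE_AUDITS = [  # constructed Exchange inbox-rule audit records
    {"tenant": "contoso", "user": "alice", "operation": "New-InboxRule",
     "params": {"Name": "Invoices", "ForwardTo": "billing@contoso.com", "MoveToFolder": "Invoices"}},
    {"tenant": "contoso", "user": "dave", "operation": "New-InboxRule",
     "params": {"Name": ".", "ForwardTo": "attacker@mail.example", "DeleteMessage": "True"}},
]
TENANT_DOMAINS = {"contoso": {"contoso.com"}, "fabrikam": {"fabrikam.com"}}  # assumed verified domains


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_impossible_travel(events, max_speed_kmh=900.0, min_distance_km=100.0):
    """Flag consecutive successful sign-ins by one user that imply a speed no
    airliner manages. The distance floor avoids noise from imprecise geo-IP."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[(e["tenant"], e["user"])].append(e)
    alerts = []
    for (tenant, user), evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")  # same-second events from two places
            if km >= min_distance_km and speed > max_speed_kmh:
                alerts.append({"rule": "impossible_travel", "tenant": tenant, "user": user,
                               "km": round(km), "kmh": round(speed)})
    return alerts


def detect_brute_force(events, threshold=10, window=timedelta(minutes=5)):
    """Sliding window over failed sign-ins per user. The alert records whether a
    success followed the burst, which is the case that needs immediate response."""
    by_user = defaultdict(list)
    for e in events:
        by_user[(e["tenant"], e["user"])].append(e)
    alerts = []
    for (tenant, user), evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        failures, burst_seen = [], False
        for e in evs:
            t = datetime.fromisoformat(e["time"])
            if not e["ok"]:
                failures = [f for f in failures if t - f <= window] + [t]
                burst_seen = burst_seen or len(failures) >= threshold
            elif burst_seen and t - failures[-1] <= window:
                alerts.append({"rule": "brute_force", "tenant": tenant, "user": user,
                               "failures": len(failures), "followed_by_success": True})
                burst_seen = False
        if burst_seen:
            alerts.append({"rule": "brute_force", "tenant": tenant, "user": user,
                           "failures": len(failures), "followed_by_success": False})
    return alerts


def detect_suspicious_mailbox_rules(audits, tenant_domains):
    """Flag inbox rules that forward outside the tenant's domains, delete mail,
    or hide it in a folder nobody reads: the usual BEC persistence step."""
    alerts = []
    for a in audits:
        if a["operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p, reasons = a["params"], []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            addr = p.get(key)
            if addr and addr.rsplit("@", 1)[-1].lower() not in tenant_domains.get(a["tenant"], set()):
                reasons.append(f"{key} external: {addr}")
        if p.get("DeleteMessage") == "True":
            reasons.append("DeleteMessage")
        if p.get("MoveToFolder", "").lower() in ("rss feeds", "rss subscriptions", "conversation history"):
            reasons.append(f"hidden folder: {p['MoveToFolder']}")
        if reasons:
            alerts.append({"rule": "suspicious_mailbox_rule", "tenant": a["tenant"], "user": a["user"], "reasons": reasons})
    return alerts


def run_all():
    return (detect_impossible_travel(SIGN_INS) + detect_brute_force(SIGN_INS)
            + detect_suspicious_mailbox_rules(MAILBOX_RULE_AUDITS, TENANT_DOMAINS))


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

Running it yields one alert per rule: alice's London-to-Singapore pair at roughly 16,000 km/h, bob's twelve failures followed by a success, and dave's rule forwarding to an external domain while deleting the original. Carol's London-to-Paris pair four hours apart and alice's internal forwarding rule are correctly left alone. Real rules need the same shape plus what this toy omits: password-spray detection keyed on source IP across many users rather than per user, and tuning of the speed and window thresholds per customer.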
Custom rule authoring
Build tenant-specific or customer-specific detection rules with a visual editor.
Centralised alert dashboard
Filter alerts by severity, status, tenant, or time range. One pane of glass across the fleet.
Alert lifecycle management
Assign alerts, change status, escalate, bulk-action across multiple alerts.
Cross-tenant aggregate view
See identity threat trends across every customer simultaneously.
Timeline visualisation
Per-event timeline with risk breakdown and context.
Email security signals
Phishing, malware, suspicious-mailbox-rule, and external-sharing alerts folded into the same dashboard.
Anomaly detection
Behavioural baselines per user. Deviation alerts on unusual sign-ins or data movement.
Conditional Access monitoring
Inventory and monitor CA policies. Detect when high-risk users bypass policies.
App Consent governance
Enterprise-app inventory. Over-privileged-permission flags. Suspicious API-usage detection. Revocation tools.
Incident management
Promote alerts to incidents with severity, assignment, SLA tracking, timeline, and post-mortems.
DR playbooks
Pre-built runbooks for credential reset, MFA reset, account disable, and token revocation — executable at scale.
CSV / SIEM export
Forward alerts to Splunk, ArcSight, ELK, or download as CSV.
Built for
Three roles get the most out of it.
We design every screen with one of these three users in mind. If that's not you, you'll still benefit — we just won't have built it for you.
MSP Security Lead
Sets detection strategy across the fleet, owns the alert backlog, reports posture upward.
SOC Analyst
Triages alerts, runs investigations, executes playbooks during incidents.
Incident Responder
Drives an incident from page to post-mortem with timelines and assigned tasks in one place.
How it fits
Pairs naturally with the rest of the platform.
Modules share tenants, tags, and templates. Activity from one shows up in the others.
Device, User & Group Management
Act on the user behind an alert — disable, reset MFA, revoke tokens.
Graph Explorer & Custom Reporting
Build custom hunts and reports on top of the same event data.
SharePoint Permission Management
The user behind a sharing risk often shows up in identity events.
Billed monthly per Microsoft 365 tenant managed. No setup fees. Mix-and-match with other apps or take the All-Apps bundle.