[Defender Pro] Store Audit Logs from Defender in the Hub


A nice feature that would help in recovering from hacks would be if the audit logs from Defender were duplicated and stored in the hub.

One of my clients had a hack recently where the attacker got in through an administrator’s account with a weak password and did some damage, posted some nonsense and installed some malicious plugins. When I went in to handle the recovery, I discovered that Defender was disabled. My suspicion is that the attacker disabled it as one of the first things they did so they could handle their business. When I reactivated Defender, there was also no audit log history – so not only did they deactivate it, they cleared the logs before they did so, to hide the login.

While I’ve added a secondary audit log plugin to the site just in case, a very nice security feature would be if Defender’s audit logs were stored off-site, in the Hub, so they could be referenced on a normal basis when doing management in the Hub, and during hack recoveries to better understand how the hack happened.

Thanks for all you do, and thanks for all the great products and services!

Patrick Freitas (FLS):

Hi Saunt Valerian

I hope you are doing well.

The main issue with storing the logs on an external database would be that it also stores the username, for example “username edited the page”, and not everyone would be comfortable with this due to legislation like GDPR or similar.

But I escalated this request to our developers. I see the situation you got is a valid point; we could maybe find a better way to handle that, for example deleting the logs only with the WPMU DEV password, similar to what we have on Shipper API or Snapshot when some settings are changed.

Another possible situation would be integration with any provider to store the logs, for example, Google Sheets integration, which would give you control over choosing between storing data in the external destination or not.

Best Regards
Patrick Freitas