Parsing Huntress Incident Alerts
Huntress incident alerts, whether submitted via API integration or e-mail, contain a systematically generated ticket title or subject line so that you can build customized workflows in your alerting system. This article describes how these titles are generated, to help you build a workflow better suited to your specific environment than a basic integration or inbound e-mail.
NOTE: Throughout this article you may see references to "Ticket Title" or "E-Mail Subject." When Huntress sends an incident alert, these two values are the same. The only difference is that Ticket Titles apply to API PSA integrations, while E-Mail Subjects apply to e-mailed incident reports. The values of these variables will be identical.
For e-mail integration, the alert message will originate from firstname.lastname@example.org. For PSA integrations, the "user" entering the tickets is typically an API user created specifically for Huntress alerting. This varies from tool to tool; review our PSA integration instructions here for your specific scenario.
A sample Huntress incident title would be "HIGH - Incident on DESKTOP-ARL0EQ1 (Infinite Improbability)" and we'll show how that's derived below.
For these examples we'll use $agent_name to represent the hostname (also called "Computer Name") of the endpoint and $organization_name to represent the Huntress organization name of the affected endpoint. $severity represents one of three levels as outlined below.
A regex-friendly description of a Huntress ticket title is as follows:
(CRITICAL|HIGH|LOW) - Incident on $agent_name ($organization_name)
An incident title always starts with the severity of the alert. This will be one of three values, CRITICAL, HIGH or LOW, in all CAPS. It is always followed by <space> <hyphen> <space> "Incident on" <space>. After this <space> the agent name appears, followed by another <space> and finally the organization name enclosed in parentheses. The organization name that appears here is the friendly name as it appears in Huntress. In most cases this should match your client's name in your PSA, but this may vary based on your deployment scenario. Most of our RMM deployment scenarios will use the name of the client as it appears in the RMM, but this does vary based on each RMM and its limitations. Please review our RMM deployment instructions for your specific scenario.
Another way to look at it would be as follows:
$severity<space><hyphen><space>Incident on<space>$agent_name<space><open parenthesis>$organization_name<close parenthesis>
This should help you set up your PSA or external e-mail parser to read through Huntress incidents for greater control of reporting. Remember, for e-mail parsing, look for e-mails coming from email@example.com and process based on the subject line. For PSA API integrations, look for tickets entered by the integration user into the specific queue and process based on the ticket title.
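As an added example (not Huntress's own code or parser), here is a small parser for the title format described above. It anchors the organization name to the final closing parenthesis so that an organization whose friendly name itself contains parentheses is still captured whole, and it rejects subjects that do not match the exact format (forwarded "Re:" subjects, lower-case severities, unknown severity levels). The `route_alert` function, the expected-sender parameter and the severity-to-action map are hypothetical illustrations of the "check the sender, then process by subject line" advice, not part of any Huntress integration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Regex for the documented title format:
#   (CRITICAL|HIGH|LOW) - Incident on $agent_name ($organization_name)
# The hostname never contains whitespace, so \S+ is used for it. The
# organization name is matched greedily and anchored to the last ')' so
# that names such as "Acme Corp (Holdings)" are preserved intact.
TITLE_RE = re.compile(
    r"^(?P<severity>CRITICAL|HIGH|LOW) - Incident on "
    r"(?P<agent_name>\S+) \((?P<organization_name>.+)\)$"
)


@dataclass(frozen=True)
class HuntressIncident:
    severity: str
    agent_name: str
    organization_name: str


def parse_incident_title(title: str) -> Optional[HuntressIncident]:
    """Parse a Huntress ticket title / e-mail subject.

    Returns None when the subject does not match the documented format
    exactly (e.g. a forwarded "Re:" subject or a lower-case severity),
    so callers do not act on mail that merely mentions an incident.
    """
    match = TITLE_RE.match(title.strip())
    if match is None:
        return None
    return HuntressIncident(
        match["severity"], match["agent_name"], match["organization_name"]
    )


# Hypothetical routing rule: first confirm the sender is the expected
# Huntress alerting address, then choose an action by severity.
_ACTION_BY_SEVERITY = {"CRITICAL": "page-oncall", "HIGH": "open-ticket", "LOW": "log-only"}


def route_alert(sender: str, title: str, expected_sender: str) -> str:
    """Return the action to take for an incoming alert e-mail."""
    if sender.strip().lower() != expected_sender.strip().lower():
        return "ignore"  # not from the Huntress alerting address
    incident = parse_incident_title(title)
    if incident is None:
        return "ignore"  # subject is not a Huntress incident title
    return _ACTION_BY_SEVERITY[incident.severity]
```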
Feel free to reach out to firstname.lastname@example.org if you have any additional questions.