Why am I receiving incident reports for offline/decommissioned hosts?
All Huntress data is archived and can be classified at any time. When a threat is found that was not previously seen, the team will search for this threat on all hosts, including the archived data from offline or decommissioned hosts.
When one of our ThreatOps analysts categorizes a new malicious (or potentially malicious) threat, the entire Huntress database will be searched (including archived data) to identify whether the threat is present on other hosts.
Investigations utilize the most recent survey received from an agent, regardless of when it was received. The analysts will then retroactively send reports on all hosts with the identified threat.
If you receive an incident report for a host that has been offline or decommissioned, you can remove it from Huntress (which will also close this incident) by following the instructions found here: Uninstalling the Huntress Agent
You can also request that we manually close the report by contacting us at: firstname.lastname@example.org