Summary: Partner administrators can now toggle on or off a feature that allows Huntress to automatically perform most remediation steps for Low, High, and/or Critical severity incident reports without requiring additional approval.
Account administrators can opt in to Active Remediations via the Settings page. Once there, under “Huntress Managed Response” you will find a setting to turn Active Remediation Approval “On”. With it on, Huntress runs the remediation steps for the selected severities without waiting for you to approve the incident report first.
Note that this applies only to Endpoint Detection & Response incident reports; it is not currently available for incident reports from the Managed Detection & Response for Microsoft 365 integration.
How does it work?
Once this setting is enabled, Huntress will automatically take remediation actions on behalf of the partner for Low, High, and/or Critical incidents, according to which severities are toggled On in Settings. Which of two behaviors applies depends on the severity of the incident.
Machines will not be rebooted as part of these remediations. Once Huntress has run the remediation steps, review the open incident report and either approve the Huntress reboot or reboot the host manually before closing the incident report.
A note on isolated hosts: hosts that have been isolated will remain isolated until the incident report is fully resolved.
Low Severity Incidents: Huntress will attempt to remediate the entire incident on behalf of the partner and, once it completes successfully, send a completed incident report for record keeping. No further work is needed from the partner in these cases. If a remediation fails, an open incident report is sent instead, indicating what must be done to resolve the incident manually.
- For example, if a Potentially Unwanted Program (PUP) is detected, we will attempt to take the action to remove the PUP without needing to approve an incident report first. An incident report with details will be sent noting what action was taken, and any action that may still be needed.
High or Critical Incidents: Huntress will still attempt to remediate the incident on behalf of the partner, but an incident report is always sent for High and Critical incidents when remediation is started. Even when Huntress can perform every remediation step except the reboot, these reports are still generated because High and Critical incidents often come with additional manual remediation steps listed on the Report Details page; those must be addressed to fully remediate complex threats. Host isolation will not clear until the incident report is resolved.
- You may therefore receive an open incident report whose remediations are fully completed, still pending, or failed. To handle this, partners can now manually resolve an incident that has not completed all of its remediation steps; a warning modal is displayed before closure if any remediations for that incident are still pending or failed.
From the incident report, choose "Resolve" to review the status prompt. If steps still require action, the prompt lists them. If you completed them manually, check the box and click Resolve. If you have not completed them, do so before resolving the incident report, since resolving it also clears any host isolation.
Exclusions
To exclude specific endpoints from Active Remediation, scroll to the Exclusions area at the bottom of the Settings page and, under the “Active Remediations” section, add an exclusion for each endpoint. Huntress will not actively remediate endpoints on the exclusions list, so it is worth reviewing that list periodically to confirm only the intended hosts (for example, sensitive servers where automated removal of files or processes is unacceptable) are excluded.