Team: Huntress Managed Endpoint Detection and Response (EDR)
Summary: Managed Response gives partners the ability to pre-approve the Huntress Security Operations Center (SOC) to automatically take actions on their behalf to contain and neutralize confirmed threats. These active remediation steps let the first actions on an incident be taken for our partners, without having to wait for someone to push an extra button.
What are Managed Response Actions?
What actions can Huntress SOC take on my behalf?
How do I enable or disable Managed Response Actions?
How are Managed Response Actions applied?
How does it work? When are Managed Response Actions applied?
Are Managed Response Actions safe?
What else do I need to do after a Managed Response Action is complete?
What are Managed Response Actions?
Instead of only sending an alert that requires your team to respond manually, Managed Response Actions allow our security experts to take immediate, decisive action. Our goal is simple: to wreck a hacker's day by shrinking their dwell time from hours to minutes.
When enabled, our SOC can instantly perform critical incident response tasks, including:
- Halting Active Attacks: Isolating malware-infected hosts to stop malware from spreading and preventing lateral movement, and disabling compromised user identities to stop attacks.
- Eradicating Threats: Removing malware executables and artifacts, severing the attacker's foothold by deleting persistence mechanisms, and resetting compromised user identities.
- Blocking Data Exfiltration: Blocking data exfiltration from a compromised host or user.
- Cleaning Up Endpoints: Uninstalling potentially unwanted programs (PUPs) and other unwanted files and software.
These actions, along with other steps our SOC can take, are designed to disrupt attacker activity, evict them from the environment, and rapidly contain incidents. Enabling Managed Response is the most effective way to operationalize our SOC's expertise and ensure threats are handled with speed and precision, 24/7.
What actions can Huntress SOC take on my behalf?
Our SOC can perform a wide range of surgical actions to contain threats and evict attackers.
On Endpoints (Hosts):
- Neutralize Active Threats: We can immediately kill malicious processes and isolate the host from the network to stop an attack from spreading.
- Remove Attacker Tools: We surgically delete malicious files and registry entries used by spyware, ransomware, and other malware.
- Eliminate Persistence: We remove the mechanisms attackers use to survive reboots, such as malicious Scheduled Tasks, Services, and WMI Consumers.
- Block Malicious Communication: We can block network connections to known malicious IP addresses.
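The three persistence locations named above (Scheduled Tasks, Services, WMI consumers) are also the places a partner will want to re-check on a host after a remediation finishes. The script below is an added example, not Huntress code, and does not interact with the Huntress Agent; it is a read-only inventory that flags entries running from outside the trusted roots in `$TrustedRoots` (an assumption; adjust for your environment) or through a script interpreter, and lists every permanent WMI event subscription. Run it in an elevated PowerShell session on the affected host.

```powershell
# Added example (not Huntress code): read-only inventory of scheduled tasks, services
# and WMI subscriptions, for confirming a cleanup on a remediated host.
# $TrustedRoots is an assumption used only to reduce noise; tune it per environment.

$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Test-TrustedPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Service and task paths are often quoted; strip the leading quote before comparing.
    $clean = $Path.Trim('"').ToLowerInvariant()
    foreach ($root in $TrustedRoots) {
        if ($clean.StartsWith($root.ToLowerInvariant())) { return $true }
    }
    return $false
}

# 1. Scheduled tasks whose action runs from an untrusted path or via a script interpreter.
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe = $action.Execute
        if (-not $exe) { continue }   # COM-handler actions have no Execute value
        $interp = $exe -match '(?i)(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)'
        if ($interp -or -not (Test-TrustedPath $exe)) {
            [pscustomobject]@{
                Type    = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Command = "$exe $($action.Arguments)".Trim()
                Reason  = if ($interp) { 'script interpreter' } else { 'untrusted path' }
            }
        }
    }
}

# 2. Services whose binary lives outside the trusted roots.
$suspiciousServices = Get-CimInstance -ClassName Win32_Service | Where-Object {
    $_.PathName -and -not (Test-TrustedPath $_.PathName)
} | ForEach-Object {
    [pscustomobject]@{
        Type    = 'Service'
        Name    = $_.Name
        Command = $_.PathName
        Reason  = "untrusted path (start mode: $($_.StartMode))"
    }
}

# 3. WMI permanent event subscriptions: every filter-to-consumer binding in
#    root\subscription is listed, since few legitimate products create them.
$wmiSubscriptions = Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Type    = 'WmiSubscription'
            Name    = "$($_.Filter)"
            Command = "$($_.Consumer)"
            Reason  = 'WMI permanent event subscription present'
        }
    }

$findings = @($suspiciousTasks) + @($suspiciousServices) + @($wmiSubscriptions)
$findings | Sort-Object Type, Name | Format-Table -AutoSize -Wrap
```

The output is a review list, not a verdict: legitimate third-party software often runs services from its own install directory, so compare each finding against the incident report's Remediations tab before treating it as a missed artifact.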
For User Identities (Microsoft 365):
- Revoke Unauthorized Access: We can revoke all active sessions for a compromised user, forcing a fresh login on all devices, and remove malicious application permissions.
- Evict Attackers from Mailboxes: We can find and delete malicious inbox rules that forward sensitive email and disable the compromised account to lock out the threat actor.
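To confirm the identity remediations described above from your own tenant, the following is an added example, not Huntress code and not connected to the Huntress Microsoft 365 integration. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the signed-in admin can read inbox rules, user objects and sign-in logs; `$UserPrincipalName` is a constructed placeholder. It lists inbox rules that forward, redirect or hide mail, mailbox-level forwarding, whether the account is still disabled, and any sign-ins recorded since sessions were revoked.

```powershell
# Added example (not Huntress code): post-remediation check of one Microsoft 365 user.
# Requires ExchangeOnlineManagement and Microsoft.Graph; run as an admin.
param(
    [string]$UserPrincipalName = 'user@contoso.example'   # constructed placeholder
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All' -NoWelcome

# 1. Inbox rules that forward, redirect, delete or bury mail are the classic artifact
#    of a compromised mailbox; anything still present after remediation is listed.
$rules = Get-InboxRule -Mailbox $UserPrincipalName -IncludeHidden
$suspiciousRules = $rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or $_.MoveToFolder -match '(?i)rss|archive|deleted|junk'
} | Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder

# 2. Mailbox-level forwarding is configured separately from inbox rules.
$mailbox = Get-Mailbox -Identity $UserPrincipalName |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Account state and recent sign-ins. A successful sign-in (ErrorCode 0) after the
#    revocation means a session was re-established and should be explained.
#    Sign-in logs lag by a few minutes, so re-run this check later as well.
$user  = Get-MgUser -UserId $UserPrincipalName -Property Id, AccountEnabled, DisplayName
$since = (Get-Date).AddHours(-24).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$recentSignIns = Get-MgAuditLogSignIn -Filter "userId eq '$($user.Id)' and createdDateTime ge $since" -Top 50 |
    Select-Object CreatedDateTime, AppDisplayName, IPAddress, @{n='ErrorCode'; e={ $_.Status.ErrorCode }}

[pscustomobject]@{
    User              = $user.DisplayName
    AccountEnabled    = $user.AccountEnabled
    SuspiciousRules   = @($suspiciousRules).Count
    MailboxForwarding = $mailbox
    SignInsLast24h    = @($recentSignIns).Count
} | Format-List

$suspiciousRules | Format-Table -AutoSize
$recentSignIns   | Format-Table -AutoSize
```

Leave the account disabled until the password has been reset and the remaining rules reviewed; re-enabling it is part of the follow-up described later under "What else do I need to do".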
How do I enable or disable Managed Response Actions?
You have granular control over Managed Response. You can manage your settings at the account or organization level directly within the Huntress Portal. Simply navigate to Settings > Managed Response to enable or disable features. Beginning in Q4 2025, this feature will be enabled by default for all new partners. In the meantime, current partners who have not yet chosen to enable or disable this feature may be prompted to do so when accessing the platform.
How are Managed Response Actions applied?
Our remediation commands are delivered through our trusted platform components:
- Host Remediations are securely sent and executed by the Huntress Agent already on your endpoints.
- Identity Remediations are applied via your secure, read/write Microsoft 365 integration.
How does it work? When are Managed Response Actions applied?
Remediation begins the instant our SOC confirms a threat and publishes the Incident Report. This immediate, automated response is designed to contain the threat in minutes, not hours. You can monitor the real-time progress of every action on the Remediations tab of the Incident Report.
Machines will not be rebooted as part of these remediations. Once remediation steps are run by Huntress, please review the open incident report to approve the Huntress reboot, or manually perform a host reboot before closing the incident report.
A note on isolated hosts: hosts that have been isolated will remain isolated until the incident report is fully resolved.
Low Severity Incidents: Huntress will attempt to remediate the entire incident on behalf of the partner and send a completed incident report for record keeping after it is successfully completed. No further work is needed by partners in these instances. However, if the remediations fail, an open incident report will be sent to the partner indicating what needs to be done to manually resolve the incident.
- For example, if a Potentially Unwanted Program (PUP) is detected, we will attempt to take the action to remove the PUP without needing to approve an incident report first. An incident report with details will be sent noting what action was taken, and any action that may still be needed.
High or Critical Incidents: While Huntress will attempt to remediate the incident on behalf of the partner, remediation reports will always be sent for High or Critical alerts when remediation is started. We may be able to perform all remediation steps except reboots, but these reports are always generated because High and Critical incidents are often accompanied by additional manual remediation steps, listed on the Report Details page, that should be addressed to fully remediate complex threats. Host isolation will not clear until the incident report is resolved.
- It is possible to receive an open incident report in which remediations are fully completed, still pending, or in a failed status. To help with this, we have added new functionality that allows partners to manually resolve an incident that has not completed all of its remediation steps; a warning modal is displayed before closure if that incident still has pending or failed remediations.
From the incident report, choose "Resolve" to review the status prompt. If steps still require action, you will see a prompt listing them. If these were completed manually, check the box and click Resolve. If they were not completed manually, please complete them before resolving the incident report.
Exclusions
If you would like to exclude specific endpoints from Active Remediation, scroll down to the Exclusions section at the bottom of the settings page and, under “Active Remediations”, add an exclusion for that endpoint. We will not actively remediate endpoints that are on the exclusions list.
Are Managed Response Actions safe?
Yes, they are designed for safety. Our remediations are surgical and targeted. We don't perform broad, sweeping actions that could cause business disruption. For example, we delete a specific malicious registry key rather than quarantining a critical system file. Every automated action is built on the same expertise and procedures our human analysts have used to remediate thousands of incidents.
What else do I need to do after a Managed Response Action is complete?
After our platform handles the immediate threat, your job is to ensure the environment is fully secured. This often includes tasks like resetting the affected user's password, determining the root cause of the compromise (e.g., a phishing email), and applying any necessary patches. The incident report will provide you with clear guidance and next steps.