Huntress operates a 24x7 Security Operations Center (SOC) to monitor and respond to active intrusions in your environment(s) identified by the Huntress Managed Security Platform. Our mission is to secure the 99% by bringing world-class security solutions & products to a long-underserved market of small & mid-sized businesses around the globe.
Huntress Telemetry & Data Collection
The Huntress Managed Endpoint Detection and Response is powered by telemetry from multiple features designed to give our Security Operations Center (SOC) the data they need to detect and respond to the top threats targeting small & mid-sized businesses today. Data from the endpoint is routinely sent to the Huntress cloud-hosted platform, where intelligence and detection logic is applied against the forensic data.
Automatically Collected Data
Managed Endpoint Detection and Response (EDR)
Huntress collects details about persistent (auto-starting or autorun) applications/files. These details are used to help determine whether an autorun is legitimate. The data collected includes:
- file-path
- file meta-data (size, timestamp, hashes, etc)
- The user account the autorun starts under
- How the autorun starts (registry value, task, service, etc.)
- The version of the operating system and installed updates
- Computer configuration (CPU make/model, amount of RAM, amount of free and used storage, uptime)
- Network configuration (hardware type, IP address, MAC address, hostname, Active Directory status, Defender Firewall status)
- Limited Microsoft Defender data (update times, scan times, past detections, exclusions, other AV solutions, remediation status, quarantined files, etc)
With Managed Microsoft Defender enabled, Huntress collects the following data provided by Microsoft Defender:
- infected file and any resources used or linked to the infection (malware artifacts, registry keys, etc)
- infected file meta-data (size, timestamp, path)
- The user account the infection was discovered under
Huntress also collects details about running processes on endpoints with Process Insights (on by default). This data includes:
- process file path
- process meta-data (parameters, PID, start/end time, certificate(s), size, hash, etc)
- process parent data (PID, name, meta-data)
- The user account the process started under
Managed Identity Threat Detection and Response (ITDR)
Huntress collects Microsoft 365 event logs from any connected tenants and user session details in order to determine if user behavior is legitimate. The data collected includes:
- Inbox rule names and actions (stored as long as the rule is active)
- Tracked Events (stored for 14 days)
- Session information such as:
  - ID
  - Browser names
  - Country
  - OS
  - Tunnels
- Identities:
  - Microsoft GUID
  - UPN
  - Most recent event seen at
  - Locations the user has accessed from
  - Licenses the user has linked to their account
Triage, Investigation and Response
The Huntress agent has forensic acquisition capabilities that expand upon the routine data collection performed by the Huntress Managed EDR product. These forensic tasks can be initiated manually by the Huntress Security Operations Center (SOC) Analysts during an investigation or can occur as part of automated playbooks in response to specific observed suspicious behaviors. Agent tasks are recorded and can be reviewed in the Huntress product as an audit trail for what actions have been taken on a system.
Expanded Data Collection for Investigation / IR
Upon identifying an investigative lead—whether from an automated detection firing or through manual querying to investigate potential attacker tradecraft—Huntress analysts and threat hunters routinely engage in expanded data collection practices. This data collection supports thorough and industry-standard investigative processes, specifically to acquire relevant forensic artifacts that clarify whether observed activity aligns with malicious behavior or can be attributed to benign operations.
Leveraging the forensic capabilities of our agent, analysts are able to remotely and securely capture critical forensic data from endpoints to answer investigative questions and substantiate findings. Each acquisition step is guided by a principle of minimal and targeted collection, balancing comprehensive evidence gathering with minimal operational impact on the customer’s environment.
This expanded data collection process is foundational to Huntress’ approach, allowing our team to achieve the following goals:
- Contextual Analysis: By acquiring forensic artifacts tied to potential threat indicators, our analysts build context around suspicious activities. This step enables our team to differentiate between legitimate user actions, system behaviors, and possible threat activity.
- Rapid Threat Containment: Through timely acquisition and analysis of forensic data, our team is able to respond swiftly to threats, making decisions that support both immediate containment and the prevention of further compromise.
As part of this expanded data collection effort, Huntress is committed to transparency with our clients, ensuring that each forensic acquisition action is purposeful and designed to improve the efficacy of our Security Operations Center's investigative efforts. A full audit log of the retrieved artifacts is available in our customer portal.