Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Incident Reports
Environment: Huntress.io portal
Summary: Huntress analysts open incident reports to notify users, via their configured integrations, of active malicious activity observed on a Huntress-monitored endpoint or cloud identity. These incidents should be read and acted upon in order to remediate the situation.
After a Huntress analyst opens an investigation and finds that an event may be malicious, an incident report is created. Once the analyst has written the report with all the necessary remediations, it is delivered through your configured integrations (see Managing Huntress Integrations).
In this article
1. Navigating to Incident Reports
2. Who Receives an Incident Report
3. Levels of Incident Severity
4. Incident Remediation
5. Rejecting Remediation
6. Remediation Auto-close
7. Incident Report Simulation
Navigating to the Incident Report
- Click on the Incident tab from the Huntress Dashboard.
- Click on the Subject of the report.
- You will be taken to the Incident Report page, which includes tabs for the Report, Remaining Footholds, and Remediation.
Who Receives an Incident Report?
Email addresses listed under your integration for “Email (incident reports)” will receive the incidents. They will also be sent to your PSA (if configured). This can be managed under the “Integrations” menu on your account. For more information on managing incident report integrations, please see the following guides.
Severity Levels
Each incident is labeled with one of three severity levels: Low, High, or Critical. The severity level is shown at the top of the report.
- Critical - Dangerous malware that can spread throughout a network, or ransomware
- High - Keyloggers or other malware that can spread throughout a network
- Low - Potentially unwanted programs, browser add-ons, and freeware types (malware artifacts also fall in this category)
Remediation
The Report tab includes recommendations on how to best remediate the incident. We recommend thoroughly reading through the report before following the remediation steps, as sometimes certain user profiles must be logged in for remediation to be successful. More information on scenarios where manual remediation is the best option can be found here: Manual Remediation
If an incident is eligible for Assisted Remediation, you will see a green "Review Remediation Plan" button. Clicking this button opens a pop-up where you can approve or reject Assisted Remediation (AR).
The Remediations tab shows whether each remediation is complete, in progress, not completed, or failed. To learn more about common reasons remediations fail, follow the link: Why is an Incident still Active if I remediated it?
Remediation failed
Hover over the red exclamation mark to review the error message. If remediation failed and the "Remaining Footholds" counter is greater than 0, manual remediation may be necessary to resolve the incident.
Remediation auto-closed
In some circumstances, remediations are completed by outside means before Huntress is able to complete them. In these instances, Huntress recognizes that the issue is no longer present and closes the incident with the status "Remediations completed" and "Approved By: N/A".
Incident Report Simulation
If you would like to see what an incident report looks like and how it behaves, you can use our incident simulation tool for both EDR and ITDR. Here is our KB on running a simulation: EDR / ITDR Incident Simulation
Find out more about using Assisted Remediation in this article: Using Assisted Remediation
If you receive an incident report for a trusted program or application, Contact Us.