Team: Huntress Managed Endpoint Detection and Response (EDR), Huntress Managed Identity Threat Detection and Response (ITDR)
Product: Incident Reports
Environment: Huntress Platform
Summary: Huntress analysts deliver incident reports through your configured integrations to notify you of active malicious activity observed on a monitored endpoint or cloud identity.
When a Huntress analyst investigates an event and confirms malicious activity, they create and populate an incident report with explicit remediation tasks. The Huntress Platform then delivers the report directly to your primary communication channels. For more information on setting up these workflows, see Managing Huntress Integrations.
In this article
Navigating to the Incident Report
Who Receives an Incident Report
Severity Levels
Remediation Types
Remediation Process
Remediation Failed
Remediation Auto-Closed
Incident Report Simulation
Navigating to the Incident Report
To locate your reports, navigate to the main dashboard interface. Organizing your workflow from this centralized view helps ensure you do not miss critical updates.
Log in to Huntress and go to Incidents.
Select the report subject to open the details page.
The Incident Report page displays specific tabs—including Report, Remaining Footholds, Remediations, Signals, Comments, and Timeline—depending on the report type.
Who Receives an Incident Report?
When an incident is published, notifications route to your designated primary communication channels automatically. Maintaining accurate integration settings prevents delivery gaps.
Email addresses specified in your integration settings for Email (incident reports) receive these notifications. Huntress also routes reports to your configured professional services automation (PSA) tool. You can manage these preferences on the Integrations page of your account.
Critical severity incident reports can also trigger alerts via automated phone calls or text messages. For more information, see the following guides:
Severity Levels
Each incident displays a severity designation at the top of the report page. Detections fall into specific categories based on the risk they present to your environment.
| Severity / Affected Entity | Endpoint | Identity |
|---|---|---|
| Low | Potentially unwanted programs, browser add-ons, freeware, and malware artifacts. | Lower-immediacy or historic identity findings. Example: suspicious inbox rules found during an initial environment scan that were pre-existing and not observed being created in real time. |
| High | Serious confirmed malware that requires urgent remediation, but does not require isolation. Practical examples: cryptocurrency miners, and persistent or noisy early-stage malware. | Suspicious and actionable identity compromise activity, but not enough context or confidence to justify disabling the identity. Example: Rogue Microsoft 365 enterprise app registration detected. |
| Critical | Hands on keyboard threat actor, Dangerous malware, or active compromise where ransomware, rapid spread, lateral movement, or severe impact is the concern. Immediate containment is required. | Isolation-worthy, hands-on attacker activity. Examples: Login from a known bad IP and malicious email forwarding rule setup; in those cases Huntress will work to revoke (logout) sessions and/or disable accounts. |
Remediation Types
Huntress organizes response tasks into distinct categories to clarify who executes each action and how they execute it. Reviewing these types helps you plan your response workflow.
| Remediation Type | Description | Examples |
|---|---|---|
| Active | Remediation steps that Huntress can perform on behalf of a partner. These are pre-approved by the partner based on set criteria such as incident level severity. Once approved, Huntress will immediately take action on all future incident reports. | Delete file, Delete registry key, Kill process, Delete service |
| Assisted | Remediation steps that Huntress can perform on behalf of a partner. These require approval be granted by the partner on an incident-by-incident case. Huntress cannot take action until approval is granted. Many assisted remediation steps can also be performed as Active remediations. |
See Active Remediation examples Add: Reboot an endpoint, remove malicious applications, delete inbox rules |
| Containment | Isolation or disabling of entities (endpoints, identities) that helps to remove threat actors actively in partner environments. | Isolation, Disable User Identity |
| Manual | Remediation steps that Huntress cannot perform and require partner intervention to complete. Alternately, if any of the other remediation types fail, partners may need to manually complete the remediations, These often require "hands on" access to the endpoint or identity in question to complete, or are suggestions on next steps for protecting an entity. | Implement Incident Response procedures, Review internal logs, Consider resetting passwords, Enroll a user in Security Awareness Training |
Remediation Process
The Report tab includes explicit steps to resolve the incident. Review the entire report thoroughly before starting the tasks to determine if your team needs to take additional administrative actions.
If an incident is eligible for assisted or manual remediation, use the interface tools to authorize the plan:
Select Review Remediation Plan to open the configuration window.
Approve or reject the proposed remediation steps.
The Remediations tab tracks the status of each step as Success, In Progress, or Failure. For more information, see Why is an Incident still Active if I remediated it?
Remediation failed
If a task cannot complete successfully, check the interface indicators for error details. Reviewing these warnings prevents persistent security gaps.
Hover over the red exclamation mark to review the error message. If a remediation fails and the remaining footholds counter is greater than 0, you must perform manual remediation steps to resolve the incident.
Remediation auto-closed
External environmental changes can sometimes resolve an issue before automated tasks trigger. Huntress checks for these changes before executing duplicate actions.
If a vulnerability is remediated by outside means before Huntress executes a step, the platform recognizes that the issue is no longer present. Huntress then closes the incident, updates the status to Remediations complete, and marks the approval field as N/A.
Incident Report Simulation
Testing your configurations in a non-production setting verifies that your integrations route alerts successfully. Run a simulation to familiarize your team with the workflow.
To see how an incident report behaves, you can utilize the incident simulation tool for both EDR and ITDR. For step-by-step guidance, see EDR / ITDR Incident Simulation
If you receive an incident report for a trusted program or application Contact Us