Skip to main content

Understanding Huntress Incidents

Cameron Granger
  • Updated

Team: Huntress EDR
Product: Incident Reports
Environment: Huntress.io portal
Summary: Huntress analysts will open incident reports which are used to notify users via configured integrations of active malicious activity that are present on a protected machine. These incidents should be read and acted upon in order to remediate the situation.

After a Huntress Analyst opens an Investigation and finds that an Autorun may be malicious an infection report is created. Once the infection report is completed, it will be delivered as an incident report through your configured integrations (see Managing Huntress Integrations).

In this article

1Navigating to Incident Reports

2Levels of Incident Severity

3Incident Remediation

4Rejecting Remediation

5Remediation Auto-close

  1. Click on the Incident tab from the Huntress Dashboard
  2. Click on the Subject of the Reportmceclip0.png
  3. You will be taken to the Incident Report page which includes tabs for the Report, Remaining Footholds, and Remediation

mceclip1.png

Severity Levels

Each Incident will be labeled with a severity level, Low, High, or Critical. The severity level will be identified at the top of the report

mceclip2.png

mceclip3.pngmceclip4.png

Critical - Dangerous Malware that can spread throughout a network or ransomwaremceclip5.png
High - Keyloggers or other malware that can spread throughout a network mceclip0.png
Low - These are potentially unwanted programs, browser add-ons, freeware types (malware artifacts also fall in this category)mceclip7.png

Remediation

The Report tab will include recommendations on how to best remediate the Incident. We recommend first thoroughly reading through the report prior to following remediation steps, as sometimes certain user profiles must be logged in for remediation to be successful. More information on scenarios where manual remediation is the best option can be found here: Manual Remediation

If an Incident is eligible for Assisted Remediation you will have a green button to "Review Remediation Plan", clicking this button will give you a pop-up where you can approve or reject AR.

Huntress_Management_Console.png

mceclip5.png

The Remediations tab shows whether each remediation is complete, in progress, not completed, or failed. To learn more about common reasons remediations fail, follow the link: Why is an Incident still Active if I remediated it?

Huntress_Management_Console.png

mceclip2.png

mceclip3.png

Remediation failed

Hover over the red exclamation to review the error message. If remediation failed and the "remaining footholds" counter if greater than 0, manual remediation may be necessary to resolve the incident. 

mceclip4.png

Remediation auto-closed

There are some circumstances where Remediations were completed by outside means before Huntress was able to complete them. In these instances, Huntress recognizes that the issue is no longer present and closes the incident "Remediations completed", Approved By N/A

auto-approved.png

        

 

Find out more about using Assisted Remediation in this article: Using Assisted Remediation

 

If you receive an incident report for a trusted program or application Contact Us

Comments

0 comments

Please sign in to leave a comment.

Related articles