Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Active Incidents
Environment: Huntress Dashboard
Summary: If all incident remediation steps are completed, the incident can take about 15 minutes to fully close in the portal. If it's still active, check for any footholds that may be keeping it open. If you wipe an endpoint, you need to remove the agent from the Huntress Dashboard to close the incident.
Incidents are automatically closed when all the reported footholds have been removed from the endpoint. The agent will detect the change and the console will be updated. If you recently remediated, it may take about 15 minutes for the console to update (the agent surveys the endpoint at regular intervals).
In cases where you have wiped the endpoint, you will need to uninstall the agent from the Huntress Dashboard, which will close the incident.
Why is an incident still active if I remediated? How do I verify the footholds have been removed?
Sometimes an incident remains open even though you have removed the footholds. Those cases are covered here.