Team: Huntress EDR
Product: Active Incidents
Environment: Huntress EDR
Summary: If all incident remediation steps are completed, the incident can take about 15 minutes to fully close in the portal. If it's still active, check for any footholds that may be keeping it open. If you wipe a host, you need to remove the agent from the Huntress Dashboard to close the incident.
Incidents are automatically closed when all the reported footholds have been removed from the host. The agent will detect the change and the console will be updated. If you recently remediated, it may take about 15 minutes for the console to update (the agent surveys the host at regular intervals).
In cases where you have wiped the host, you will need to uninstall the agent from the Huntress Dashboard, which will close the incident.
Why is an incident still active if I remediated? How do I verify the footholds have been removed?
Sometimes an incident remains open even though you have removed the footholds. Those cases are covered here.