Parsing Huntress Incident Alerts – Huntress Product Support

Team: Huntress EDR
Product: Incident Alerting
Environment: Huntress Dashboard
Summary: Understanding the systematically generated incident ticket information (such as title, email subject, origination address) is critical to helping you sort / parse / filter these tickets within your alerting system.

Huntress incident alerts, whether submitted via API integration or e-mail, contain a systematically generated ticket title or subject line to allow for customized workflows within your alerting system. This article aims to describe the way these are generated to help you further understand how it can be used to create a workflow that may be more suited to your specific environment over a basic integration or inbound e-mail.

NOTE: Throughout this article you may see references to "Ticket Title" or "E-Mail Subject." When Huntress send an incident alert, these two values are the same. The only difference is Ticket Titles are for API PSA integrations, while e-mail subjects apply to e-mailed incident reports. The values of these variables will be identical.

For e-mail integration, the alert message will originate from support@huntress.io. For PSA integrations, typically an API user specifically created for the Huntress alerting will be the "user" which is entering the tickets. This varies from tool to tool, review our PSA integration instructions here for your specific scenario.

A sample Huntress incident title would be "HIGH - Incident on DESKTOP-ARL0EQ1 (Infinite Improbability)" and we'll show how that's derived below.

For these examples, we'll use $agent_name to represent the hostname (also called "Computer Name") of the endpoint and $organization_name to represent the Huntress organization name of the affected endpoint. $severity represents one of three levels as outlined below.

A regex-friendly description of a Huntress ticket title is as follows:

(CRITICAL|HIGH|LOW) - Incident on $agent_name ($organization_name)

An incident title always starts with the severity of the alert except in cases of Host Isolation.
*The ISOLATED wording will only be added into reports that result in managed host isolation*

A regex-friendly description of a Huntress Host Isolation ticket title is as follows:

(CRITICAL - ISOLATED) - Incident on $agent_name ($organization_name)

Another way to look at it would be as follows:

$severity

This should help you set up your PSA or external e-mail parser to read through Huntress incidents for greater control of reporting. Remember, for e-mail parsing, look for e-mails coming from noreply@huntress.io and process based on the subject line. For PSA API integrations, look for tickets entered by the integration user into the specific queue and process based on ticket title.

The ISOLATED wording will only be added into reports that result in managed host isolation

Related articles