Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Incident Alerting
Environment: Huntress Dashboard
Summary: This article explains how Huntress alert subjects and ticket titles for incidents, escalations, and host isolation are generated so you can reliably parse, sort, and route them within your RMM, PSA, or email-based workflows.
On this page
Sender and Integration Details
Email Subjects and Ticket Titles
Using These Patterns in Your Tools
Overview
Huntress incident alerts use a consistent ticket title or email subject format. Understanding this format makes it easier to build alert rules, filters, and automation in your RMM, PSA, or email system. This article walks through how those titles and subjects are generated and how you can use them.
Throughout this article you will see two terms:
Ticket Title: used for PSA API integrations.
E-Mail Subject: used for e-mailed incident reports.
Both describe the same underlying alert; only the delivery method changes. Note, however, that the subject and title layouts documented below are not character-for-character identical (the e-mail subject carries a product and category prefix, the ticket title does not), so build one rule for each delivery method rather than reusing a single pattern.
Sender and Integration Details
E-mail integrations
Huntress alert messages originate from noreply@huntress.io. When creating mail parsing rules, match on this sender address and then process the message based on the subject line format described below. Because a From: header on its own can be forged, make sure your mail platform enforces SPF/DKIM/DMARC results before an automation acts on a matched message.
PSA API integrations
For PSA integrations, tickets are entered by an API user created specifically for Huntress alerting. The exact user and queue configuration varies by tool. Review the PSA integration instructions for your specific PSA.
Some links and URLs in notifications and reports can only be accessed by Account Admins. The recipient email address may not always have permission to open them.
Email Subjects and Ticket Titles
Email subjects are constructed to include enough information for simple, reliable parsing with automation tools.
Email subjects from Huntress follow this format:
Huntress Product Severity Category | Details of the notification (Organization)
Product is optional and, when present, is one of: EDR, ITDR, SIEM, ISPM, ESPM or SAT.
Severity is one of: Critical, High, or Low.
Category is one of: Incident Report, Escalation, Platform Action, or Account Notice.
Details contains a short description and, for some notifications, the host and/or organization name.
Organization contains the name of the organization, in parentheses, if applicable.
Example subjects:
Huntress EDR High Escalation | Hosts not being properly protected
Huntress EDR Critical Incident Report | Incident on DESKTOP-ARL0EQ1 (Infinite Improbability)
Variable Reference
In the examples and patterns below:
$agent_name is the hostname (also called Computer Name) of the endpoint.
$organization_name is the Huntress organization name of the affected endpoint.
$severity is one of: CRITICAL, HIGH, or LOW.
Regex-Friendly Patterns
If you use regular expressions (regex) in your RMM, PSA, or email rules, you can match Huntress ticket titles using the patterns below.
Standard incidents
$severity - Incident on $agent_name ($organization_name)
Regex: (CRITICAL|HIGH|LOW) - Incident on $agent_name \($organization_name\)
An incident title always starts with the severity of the alert. The only variation is managed Host Isolation, which inserts an ISOLATED marker after the severity.
Host Isolation incidents
CRITICAL - ISOLATED - Incident on $agent_name ($organization_name)
Regex: CRITICAL - ISOLATED - Incident on $agent_name \($organization_name\)
The ISOLATED wording is only added to reports that result in managed Host Isolation. When turning these templates into a real regular expression, escape the literal parentheses around the organization name (otherwise they are read as a capture group) and replace $agent_name and $organization_name with capture groups of your own, for example (\S+) for the hostname and (.+) for the organization. Because the severity still comes first in the isolation form, a rule anchored on ^CRITICAL - matches both; match ISOLATED - separately if isolated hosts should be routed differently.
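The following is an added example, not code from Huntress or from this article, showing how the e-mail subject format above and the ticket title patterns in this section can be turned into working parsers that your automation can route on. It normalises severity to upper case so that a subject (Critical) and a ticket title (CRITICAL) for the same alert produce the same value, escapes the literal parentheses the templates leave unescaped, and treats the ISOLATED marker as an optional field. The sample subjects and titles are constructed for the example (two are the ones shown in this article), and the queue names returned by route() are hypothetical placeholders for whatever boards your PSA actually uses.

```python
import re
from dataclasses import dataclass
from typing import Optional

SENDER = "noreply@huntress.io"

# E-mail subject format from this article:
#   Huntress [Product] Severity Category | Details [(Organization)]
# Product and the trailing (Organization) are optional; Details is taken lazily
# so that a trailing parenthesised organization is not swallowed into it.
SUBJECT_RE = re.compile(
    r"^Huntress"
    r"(?:\s+(?P<product>EDR|ITDR|SIEM|ISPM|ESPM|SAT))?"
    r"\s+(?P<severity>Critical|High|Low)"
    r"\s+(?P<category>Incident Report|Escalation|Platform Action|Account Notice)"
    r"\s+\|\s+(?P<details>.+?)"
    r"(?:\s+\((?P<organization>.+)\))?$"
)

# PSA ticket title format from this article. The literal parentheses around
# the organization are escaped, and "ISOLATED - " is an optional marker.
#   SEVERITY - [ISOLATED - ]Incident on $agent_name ($organization_name)
TITLE_RE = re.compile(
    r"^(?P<severity>CRITICAL|HIGH|LOW)\s+-\s+"
    r"(?P<isolated>ISOLATED\s+-\s+)?"
    r"Incident on (?P<agent_name>\S+)\s+\((?P<organization>.+)\)$"
)

# Pulls a hostname out of subject details such as "Incident on DESKTOP-ARL0EQ1".
HOST_IN_DETAILS_RE = re.compile(r"\bIncident on (?P<agent_name>\S+)")


@dataclass
class HuntressAlert:
    severity: str                       # normalised to CRITICAL / HIGH / LOW
    category: str                       # "Incident Report", "Escalation", ...
    product: Optional[str] = None       # EDR, ITDR, ... or None if absent
    agent_name: Optional[str] = None    # hostname, if the notification names one
    organization: Optional[str] = None
    isolated: bool = False              # True only for managed Host Isolation


def parse_subject(subject: str, sender: str = SENDER) -> Optional[HuntressAlert]:
    """Parse an e-mailed alert. Returns None if the sender or subject format does not match."""
    if sender.strip().lower() != SENDER:
        return None
    m = SUBJECT_RE.match(subject.strip())
    if not m:
        return None
    host = HOST_IN_DETAILS_RE.search(m["details"])
    return HuntressAlert(
        severity=m["severity"].upper(),
        category=m["category"],
        product=m["product"],
        agent_name=host["agent_name"] if host else None,
        organization=m["organization"],
    )


def parse_ticket_title(title: str) -> Optional[HuntressAlert]:
    """Parse a PSA ticket title created by the Huntress integration user."""
    m = TITLE_RE.match(title.strip())
    if not m:
        return None
    return HuntressAlert(
        severity=m["severity"],
        # Ticket titles carry no category field; they are incident titles, so
        # label them as incident reports (assumption for this example).
        category="Incident Report",
        agent_name=m["agent_name"],
        organization=m["organization"],
        isolated=m["isolated"] is not None,
    )


def route(alert: HuntressAlert) -> str:
    """Hypothetical queue assignment; replace the names with your own PSA boards."""
    if alert.isolated:
        return "soc-isolated"        # host is already isolated: triage, then release
    if alert.severity == "CRITICAL":
        return "soc-critical"
    if alert.category == "Escalation":
        return "ops-escalations"     # e.g. hosts not being properly protected
    return "soc-standard"


if __name__ == "__main__":
    # Constructed samples; the first two are the examples given in this article.
    samples = [
        ("subject", "Huntress EDR High Escalation | Hosts not being properly protected"),
        ("subject", "Huntress EDR Critical Incident Report | Incident on DESKTOP-ARL0EQ1 (Infinite Improbability)"),
        ("title", "CRITICAL - ISOLATED - Incident on DESKTOP-ARL0EQ1 (Infinite Improbability)"),
        ("title", "HIGH - Incident on WEB01 (Acme Corp)"),
        ("subject", "Re: your invoice (not a Huntress alert)"),
    ]
    for kind, text in samples:
        alert = parse_subject(text) if kind == "subject" else parse_ticket_title(text)
        print(f"{kind:7} {text!r}\n        -> {alert} -> {route(alert) if alert else 'ignored'}")
```

The sender check is deliberately a hard gate: a message that does not come from noreply@huntress.io is ignored even if its subject happens to match, which keeps a crafted external e-mail from driving your routing rules.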
Using These Patterns in Your Tools
For email parsing, match messages from noreply@huntress.io and build rules based on the subject line formats and patterns above.
For PSA API integrations, look for tickets created by your Huntress integration user in the appropriate queue and apply rules based on the ticket title patterns.