Huntress Data Collection

Team: Huntress EDR
Environment: Platform, Portal
Summary: Information on what Data Huntress collects  

Huntress collects details about persistent (auto-starting or autorun) applications/files. These files are used to help determine if an autorun is legitimate  The data collected includes:

• file-path
• file meta-data (size, timestamp, hashes, etc)
• The user account the autorun starts under
• How the autorun starts (registry value, task, service, etc.)
• The version of the operating system and installed updates
• Computer configuration (CPU make/model, amount of RAM, amount of free and used storage, uptime)
• Network configuration (hardware type, IP address, MAC address, hostname, Active Directory status, Defender Firewall status) 
• Limited Microsoft Defender data (update times, scan times, past detections, exclusions, other AV solutions, remediation status, quarantined files, etc)

With Managed AV enabled, Huntress collects the following data provided by Microsoft Defender:

• infected file and any resources used or linked to the infection (malware artifacts, registry keys, etc)
• infected file meta-data (size, timestamp, path)
• The user account the infection was discovered under

Huntress also collects details about running processes on end points with Process Insights (on by default). This data includes:

• process file path
• process meta-data (parameters, PID, start/end time, certificate(s), size, hash, etc)
• process parent data (PID, name, meta-data)
• The user account the process started under

All of the data collected is held indefinitely in U.S. based data centers and detailed in our privacy policy