Team: Huntress EDR
Product: Persistent Footholds
Environment: Huntress portal
Summary: Huntress Security Operations Center Workflow
Huntress monitors all autoruns on machines with Huntress installed. Each foothold is reviewed by our automated processing to determine whether it is something we have seen before. If a foothold/autorun is new to the Huntress database, a Security Operations Center (SOC) Analyst begins a "review", which can lead to an investigation and, where warranted, an incident report.
Automated Analysis - Huntress automatically classifies known good and bad software.
Human Review (something new to Huntress) - A SOC Analyst takes a look at the new file and determines whether it is good or bad.
Investigate (something suspicious, or classification of goodware) - Investigations are done by SOC Analysts. They will often download the suspicious files and pull them apart to determine what the software is doing.
Report - Should a SOC Analyst investigation (or Automated Analysis) yield something malicious, a report is generated. A SOC Analyst gives it one more review before sending an incident report to your integrations.