Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Escalations and Integrations
Environment: Huntress Platform, your PSA or email system
Summary: Escalations differ from other alert types in that an Escalation typically represents a question from Huntress, whereas an Incident Report, for example, represents a known threat or malicious behavior (read more about Huntress alert types here).
ITDR Escalations combine all unexpected logins from a specific location or VPN (within a single Huntress organization) into a single alert. As a result, if a PSA ticket has already been created for that same type of event, a new one will not be sent automatically (with the exception of the per-identity setting described in the next paragraph).
ITDR Unwanted Access Escalation notifications through email and PSA can now be sent on a per-identity basis. If you would like to receive an email or ticket for every unexpected country/VPN event for every identity, please reach out to Support. This setting only applies to ITDR Unexpected Country and Unexpected VPN Escalations.
What is a Huntress Escalation?
An Escalation is used to notify Huntress account administrators that a situation requires their attention. Every Escalation includes a question for the account admin and an associated workflow to respond to or resolve the Escalation. Escalations are not Incident Reports; however, they are assigned a severity (low, high, critical) that dictates an expected response time. If no response is received within that time, account administrators will be re-notified.
Unexpected login escalations are resolved when a rule is created for the associated identity, organization, or account.
Responding to an Escalation
NOTE: Only Account-Level Users and Organization-Level Admins can access Escalations. Organization Admins are unable to respond to an Escalation. More on user permissions here.
Who can respond?
Account administrators are ultimately responsible for responding to Escalations. All account users can view Escalations from the Escalations page linked at the top of the Dashboard, but only account admins can respond within the Portal.
From the Escalations Dashboard users can click into the details of an Escalation to see what happened and respond by working through the steps to resolve.
How do I manage who gets notified?
Partners can manage Escalation notification settings within Integration Settings. By default, all account admins receive Escalation notifications. Admins can edit the list of notified recipients, but at least one account admin email contact is required. Please note these are only emails sent to the listed recipients, not tickets generated through a PSA.
Escalation severity and expected response times
Huntress wants to provide the best possible service to our partners, and not responding to an Escalation can degrade that level of service. Our goal is never to spam partners with notifications, but to use Escalations only when absolutely necessary. When an Escalation is marked overdue, you will receive another notification through your integration of choice.
Response Time Expectations by Escalation Severity
Critical = Overdue after 12 hrs
High = Overdue after 48 hrs
Low = Overdue after 7 days
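The grouping rule described above (one ticket per organization and location/VPN by default, or one per identity when the per-identity setting is enabled), the resolution-by-rule behavior, and the overdue timers from the severity table can be modeled as a small simulation. The following Python is an added example and not Huntress code; the `LoginEvent`/`Ticket` types, the organization, identities, country and VPN names, and the timestamps are all constructed for illustration. The timers are the article's own: 12 hours for Critical, 48 hours for High, 7 days for Low.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Overdue thresholds from the article's "Response Time Expectations" table.
OVERDUE_AFTER = {
    "critical": timedelta(hours=12),
    "high": timedelta(hours=48),
    "low": timedelta(days=7),
}

# Both login escalation types described in the article are Low severity.
SEVERITY_FOR_KIND = {
    "unexpected_country": "low",
    "unexpected_vpn": "low",
}


@dataclass(frozen=True)
class LoginEvent:
    org: str          # Huntress organization the identity belongs to (hypothetical field names)
    identity: str     # user principal name
    kind: str         # "unexpected_country" or "unexpected_vpn"
    source: str       # country, or VPN provider, the login came from
    seen_at: datetime


@dataclass
class Ticket:
    key: tuple
    severity: str
    opened_at: datetime
    identities: set = field(default_factory=set)

    def overdue_at(self) -> datetime:
        return self.opened_at + OVERDUE_AFTER[self.severity]


def ticket_key(ev: LoginEvent, per_identity: bool) -> tuple:
    """Grouping key for a ticket: by default every unexpected login from the same
    location/VPN in one org shares a ticket; per-identity mode adds the identity."""
    key = (ev.org, ev.kind, ev.source)
    return key + (ev.identity,) if per_identity else key


def route_events(events, per_identity=False, open_tickets=None):
    """Fold login events into tickets without mutating the caller's dict. An event
    that matches an already-open ticket is merged into it; no new ticket is created."""
    tickets = dict(open_tickets or {})
    for ev in events:
        key = ticket_key(ev, per_identity)
        if key in tickets:
            t = tickets[key]
            tickets[key] = Ticket(key, t.severity, t.opened_at, t.identities | {ev.identity})
        else:
            tickets[key] = Ticket(key, SEVERITY_FOR_KIND[ev.kind], ev.seen_at, {ev.identity})
    return tickets


def apply_expected_rule(tickets, org, kind, source, identity=None):
    """Resolve tickets covered by a new "Expected" rule. identity=None models an
    organization-wide rule; a named identity resolves only that identity's ticket
    (or removes it from a shared ticket, which stays open for the others)."""
    remaining = {}
    for key, t in tickets.items():
        if key[:3] != (org, kind, source):
            remaining[key] = t            # rule does not cover this ticket
        elif identity is None:
            continue                      # org-wide rule resolves the whole ticket
        elif len(key) == 4:               # per-identity ticket
            if key[3] != identity:
                remaining[key] = t
        else:                             # shared ticket: drop only this identity
            left = t.identities - {identity}
            if left:
                remaining[key] = Ticket(key, t.severity, t.opened_at, left)
    return remaining


def overdue_tickets(tickets, now):
    """Tickets whose severity-based response window has elapsed as of `now`."""
    return [t for t in tickets.values() if now >= t.overdue_at()]


# Constructed sample: three identities in one org seen from the same unexpected
# country, and one of them also arriving through an unexpected VPN.
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    LoginEvent("Acme Dental", "alice@acme.example", "unexpected_country", "Brazil", T0),
    LoginEvent("Acme Dental", "bob@acme.example", "unexpected_country", "Brazil", T0 + timedelta(minutes=20)),
    LoginEvent("Acme Dental", "carol@acme.example", "unexpected_country", "Brazil", T0 + timedelta(hours=3)),
    LoginEvent("Acme Dental", "alice@acme.example", "unexpected_vpn", "ExampleVPN", T0 + timedelta(hours=5)),
]

if __name__ == "__main__":
    for mode in (False, True):
        tickets = route_events(SAMPLE_EVENTS, per_identity=mode)
        print(f"per_identity={mode}: {len(tickets)} ticket(s)")
        for t in tickets.values():
            print(f"  {t.key} identities={sorted(t.identities)} overdue_at={t.overdue_at().isoformat()}")
```

Running it shows the practical difference the per-identity setting makes: the four sample events produce two tickets in the default mode (one for the country, one for the VPN, with three identities listed on the country ticket) and four tickets in per-identity mode. Feeding a later event from the same country into the already-open default tickets adds the identity to the existing ticket rather than opening a new one, which is why a PSA workflow that tracks remediation per user needs the per-identity setting.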
Why not reach out via Support?
Huntress Support staff have the ability to manually escalate situations to account administrators via email and sometimes over the phone. However, these escalations are human-powered, and the process can be inconsistent and sometimes cumbersome, requiring multiple follow-ups by both Huntress and the partner. By providing a standardized and automated process for escalated inquiries, we can reduce the back and forth and give our partners another one-click solution to address complex situations. Some Escalations may require more than one click from partners (e.g., when multiple endpoints have been isolated), but Huntress will strive to automate all possible remediation actions based on your response.
Types of Escalations
The following table describes the supported Escalation use cases. Huntress will continue to add coverage for new use cases.
| Escalation Use Case | Severity | What is it? | Per-Identity notify |
|---|---|---|---|
| Host Isolation - Org-Wide Incident & Isolation | Critical | A security incident was detected in one of your organizations. Huntress or a partner Account Admin has isolated multiple endpoints from the network to limit the spread of the attack. | X |
| Login - Unexpected Country | Low | Huntress observed a login event for an identity from a country that is not that identity's associated Entra location. | |
| Login - Unexpected VPN | Low | Huntress observed a login event for an identity from a VPN that is not already associated with an "Expected" configuration rule. | |