What is a Huntress Escalation?
An Escalation is used to notify Huntress account administrators that a situation requires their attention. Below are some common use cases:
- The Huntress security platform is unable to send incident reports to your PSA system and we need you to reconfigure the integration.
- ThreatOps suspects that an application being flagged as malicious is a false positive and we want to get your authorization to allow-list the application moving forward.
- A potential threat flagged by Managed Antivirus requires additional information (file path details, etc.) in order for Huntress to provide actionable assisted remediation steps.
Every Escalation includes a question for the account admin and an associated workflow for responding to or resolving it. Escalations are not incident reports; however, they do carry a severity (low, high, or critical) that dictates the expected response time. If no response is received, account administrators will be re-notified.
Responding to an Escalation
Who can respond?
Account administrators are ultimately responsible for responding to Escalations. All account users can view Escalations by navigating to the Escalations page at the top of the Dashboard, but only admins can respond within the Portal.
From the Escalations Dashboard, users can click into the details of an Escalation to see what happened and respond by working through the steps to resolve it.
How do I manage who gets notified?
Partners can manage Escalation notification settings within Integration Settings. By default, all account admins receive Escalation notifications. Admins can edit the list of notified recipients, but at least one account admin email contact is required.
In the future, Partners will be able to configure PSAs to receive Escalation notifications. If you want SMS notifications for Escalations and Incident Reports, see the support article on configuring mobile carrier gateway addresses.
Escalation severities and expected response times
Huntress wants to provide the best possible service to our partners, and an unanswered Escalation degrades that level of service. Our goal is never to spam partners with notifications, but to use Escalations only when they are necessary. Two scenarios illustrate the severity levels:
- Scenario 1: A critical malware incident report failed to reach your company's PSA, so the event went unnoticed by your team. Huntress sends an Escalation with the same severity as the incident report (critical, in this case) to bring the event to your attention.
- Scenario 2: Multiple hosts across your account have outdated Managed Antivirus signatures. Huntress escalates this as a low-severity Escalation, because it is a preventative security measure that requires action, but not immediate action.
Why not reach out via Support?
Huntress Support staff can manually escalate situations to account administrators via Zendesk, email, and sometimes over the phone. However, these escalations are human-powered, and the process can be inconsistent and cumbersome, requiring multiple follow-ups by both Huntress and the partner. A standardized, automated process for escalated inquiries reduces the back and forth and gives our partners another one-click way to address complex situations. Some Escalations will require more than one click from the partner (e.g. fixing a misconfigured PSA), but Huntress will strive to automate every remediation action it can based on your response.
Types of Escalations
Escalations fall into several categories: Integrations, System Health, Potential Threats, etc. The table below describes the currently supported Escalation use cases. Huntress will continue to add coverage for new use cases.
Escalation Use Cases
| Escalation | Severity | What is it? |
|---|---|---|
| Integration - Unable to Send Incident Reports | Same as the failed incident report | The integration with your PSA ticketing system has failed, and Huntress cannot deliver incident reports to it. |
| System Health - Defender Unhealthy (Other Security Product Detected) | Low | Microsoft Defender is repeatedly flagging a third-party security product running on the host(s). Huntress's ThreatOps team has flagged these Defender detections so that the potential configuration issue can be escalated to you. |