Since July 31, 2023, Huntress has released four new Escalation types.
- Altering for Microsoft 365 integrations when data becomes inaccessible due to `AADSTS` errors that require Microsoft environment intervention.
- Alerting for an organization-wide security incident that has led to Huntress isolating multiple endpoints from the network to limit the attack spread.
- Alerting for endpoints with Managed Antivirus set to Enforce and where the Microsoft Defender Real-time Protection engine has been disabled for longer than 2 hours.
- Unwanted Access escalations from unexpected logins from countries and VPNs.
Currently Unwanted Access escalations will come via the integration Email (Escalations) if no PSA integration is present, or via PSA only if the PSA integration is present. It is not possible to get Unwanted Access escalations to PSA and email.
What is a Huntress Escalation?
An Escalation is used to notify Huntress account administrators that a situation requires their attention. Below are some common use cases:
- The Huntress security platform is unable to send incident reports to your PSA system and we need you to reconfigure the integration.
- SOC suspects that an application being flagged as malicious is a false positive and we want to get your authorization to allow-list the application moving forward.
- A potential threat flagged by Managed Antivirus requires additional information (file path details, etc.) in order for Huntress to provide actionable assisted remediation steps.
- A login event occurred from an unexpected country or VPN and Huntress would like partner feedback on whether that event should be expected or unauthorized.
Every Escalation will include a question for the account admin and an associated workflow to respond or resolve the Escalation. Escalations are not incident reports, however they do have severities (low, high, critical) associated with them that dictate an expected response time. If no response is received, account administrators will be re-notified.
Unexpected login escalations are resolved when a rule is created for the associated identity, organization, or account.
Responding to an Escalation?
Who can respond?
Account administrators are ultimately responsible for responding to Escalations. All accounts users can view Escalations by navigating to the page at the top of the Dashboard , but only admins can respond within the Portal.
From the Escalations Dashboard users can click into the details of an Escalation to see what happened and respond by working through the steps to resolve.
Note: Only Account users can access Escalations. Organization users are unable to access the tab, see or respond to an Escalation. More on user permissions here.
How do I manage who gets notified?
Partners can manage Escalation notification settings within Integration Settings. By default all account admins will receive Escalation notifications. Admins can edit the notified recipients, but at least 1 account admin email contact is required.
In the future, Partners will be able to configure PSAs to receive Escalation notifications for products other than ITDR Unwanted Access.
Escalation severities and expected response times
Huntress wants to provide the best possible service to our partners. Not responding to an Escalation event can degrade that level of service. Our goal is never to spam partners with notifications, but to only use Escalations when absolutely necessary. Let's walk through a couple scenarios:
- Scenario 1: A critical malware incident report failed to make it to your company's PSA, thus the event went unnoticed by your team. Huntress will send an Escalation with the same severity as the incident report to bring your attention to the event.
- Scenario 2: Multiple hosts have had the Microsoft Defender Real-time Protection engine disabled for an extended period of time across your account. We would escalate this as a high severity Escalation because it is a preventive security measure that requires action but not immediate action.
Response Time Expectations by Escalation Severity
Critical = Overdue after 12 hrs
High = Overdue after 48 hrs
Low = Overdue after 7 days
Why not reach out via Support?
Huntress Support Staff have the ability to manually escalate situations to account administrators via email and sometimes over the phone. However, these escalations are human-powered and the process can be inconsistent and sometimes cumbersome, requiring multiple follow-ups by both Huntress and the partner. By providing a standardized and automated process for escalated inquiries, we can reduce the back and forth and give our partner's another one-click solution to address complex situations. Some Escalations may require more than one-click from partners (i.e. fixing a misconfigured PSA), but Huntress will strive to automate all possible remediation actions based on your response.
Types of Escalations
Escalations fall into different categories: Integrations, System Health, Potential Threats, etc. The below table describes the supported Escalation use cases. Huntress will continue to add coverage for new use cases.
Escalation Use Cases |
What is it? |
Integration - Unable to Send Incident Reports Severity = severity of failed incident report |
The integration with your PSA ticketing system has failed, and Huntress cannot send you incident reports.
|
System Health - Defender Real-Time Protection Engine Disabled Severity = High |
Huntress Managed Antivirus is set to Enforce, and the Defender Real-time Protection engine has been disabled for longer than 2 hours, leaving the endpoint unprotected by an AV. These escalations will automatically resolve and close once Defender Real-time Protection is detected as enabled. |
Host Isolation - Org-Wide Incident & Isolation Severity = Critical |
A security incident was detected in one of your organizations. Huntress or a partner Account Admin has isolated multiple endpoints from the network to limit the attack spread. |
Integration - Inaccessible Microsoft 365 data Severity = Critical |
A Microsoft 365 environment component has changed, and data is no longer accessible. |
Login - Unexpected Country Severity = Low |
Huntress observed a login event for an identity from a country that is not that identity's associated Entra location. |
Login - Unexpected VPN Severity = Low |
Huntress observed a login event for an identity from a VPN that is not already associated with an "Expected" configuration rule. |
Comments
2 comments
I notice that the paragraph above the table of listed escalation types notes "Potential Threats" as an option, but this type is not covered in the table.
Are "Potential Threats" a type of escalation? or has this been changed since the writing of the article?
Hi Tristan,
Huntress plans to eventually support a wider variety of Escalation use cases, including those related to potential threats. However, at this time we do not have those use cases time-lined on our official product roadmap. We will be sure to update this page when we do.
Below is an example use case for a potential threat escalation:
Please sign in to leave a comment.