Overview
Huntress released significant improvements to notifications on January 28, 2026. The changes enable greater flexibility in configuring and routing notifications from Huntress. The new categories are designed to better align with automated and manual workflows.
The new categories are listed below, along with their descriptions.
| Name | Description | State |
|---|---|---|
| Incident Report | Malicious activity is confirmed or imminent. | No Changes |
| Escalation | Security events where Huntress does not have enough context to make a high-confidence decision. | Some existing notifications moved to new categories listed below |
| Platform Action | Important notifications that impact Huntress service delivery and generally require a partner/customer administrator to take action. | New |
| Account Notice | Events that are not directly actionable and not reviewed by the SOC. | New |
Escalation notifications are broken down below, along with what will be moved from the Escalation category to the Platform Action category.
| Portal Notification Name | Category |
|---|---|
| AD Sync Identity Disablement Failure - #{username} | Platform Action |
| AD Sync Identity Enablement Failure - #{username} | Platform Action |
| Defender Disabled | Platform Action |
| Endpoints with Low Disk Space | Platform Action |
| Endpoints with Network Connectivity Issues | Platform Action |
| Log sources not reporting | Platform Action |
| Login without Entra Usage Location | Platform Action |
| macOS EDR Health Escalation | Platform Action |
| Microsoft 365 Integration - Error | Platform Action |
| Microsoft 365 Integration - Identity Error | Platform Action |
| Microsoft 365 Integration - MFA Required | Platform Action |
| Microsoft 365 Integration - Permission Error | Platform Action |
| Multiple Endpoints Isolated | Escalation |
| Platform Integration | Platform Action |
| SIEM data not being audited properly | Platform Action |
| Unexpected Country - #{country_display_name} | Escalation |
| Unexpected VPN - #{vpn_name} | Escalation |
Integration Updates
Ticket Integrations
All ticket integrations will be updated to allow control over which notification categories are delivered to the integration, as well as mapping ticket values to each notification category. This enables users of ticket integrations to send notifications to their ticketing system that were previously only available via email.
Email Integrations
Email integrations will also be updated to allow notifications to be routed on a per-category basis. Other changes to emails include new email subjects with more information, designed to be parsable by common email automation tools.
Email Subjects
Email subjects have been updated to contain additional information to allow easier parsing with automation tools. Emails sent from email integrations follow this format:
Huntress Severity Category | Details of the notification
Where:
Severity can be one of: Critical, High or Low
Category will be one of: Incident Report, Escalation, Platform Action or Account Notice
The details will contain a description and, for some notifications, the name of the host and/or organization.
Examples
Huntress High Escalation | Hosts not being properly protected
Huntress Critical Escalation | Multiple Endpoints Isolated
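The subject format above can be parsed and routed as in the following added example, which is not Huntress code. It assumes subjects match the documented format exactly; the destination names and the rule that Critical severity always pages are hypothetical.

```python
import re
from typing import NamedTuple, Optional

# Values taken from the subject format described above.
SEVERITIES = ("Critical", "High", "Low")
CATEGORIES = ("Incident Report", "Escalation", "Platform Action", "Account Notice")

SUBJECT_RE = re.compile(
    r"^Huntress (?P<severity>%s) (?P<category>%s) \| (?P<details>.+)$"
    % ("|".join(SEVERITIES), "|".join(map(re.escape, CATEGORIES)))
)

class Notification(NamedTuple):
    severity: str
    category: str
    details: str

def parse_subject(subject: str) -> Optional[Notification]:
    """Return the parsed fields, or None if the subject is not in the documented format."""
    # Forwarding rules and mail clients often prepend "RE:"/"FW:" and pad whitespace.
    cleaned = re.sub(r"^(?:(?:re|fw|fwd):\s*)+", "", subject.strip(), flags=re.I)
    m = SUBJECT_RE.match(cleaned)
    if not m:
        return None
    # Only the first " | " is the separator; later ones belong to the details.
    return Notification(m["severity"], m["category"], m["details"].strip())

# Hypothetical routing table: destination names are placeholders.
ROUTES = {
    "Incident Report": "soc-pager",
    "Escalation": "soc-queue",
    "Platform Action": "it-admin-queue",
    "Account Notice": "digest",
}

def route(subject: str, default: str = "manual-review") -> str:
    """Pick a destination by category; anything unparsable goes to a human."""
    n = parse_subject(subject)
    if n is None:
        return default
    if n.severity == "Critical":  # hypothetical policy: Critical always pages
        return "soc-pager"
    return ROUTES[n.category]
```

A subject line can be set by any sender, so automation should also confirm that the message passed sender authentication before acting on the parsed category.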
FAQ
What will happen to existing notification configurations?
Existing configurations will be migrated; however, you may wish to visit the settings to see the new delivery options available.
When did the notification changes go live?
The new features were released on January 28, 2026.
Will the configuration of notification destinations be configurable at the organization level?
No. Notification settings will continue to be only configurable at the account level.
However, several of our partners have accomplished this with email rules. The email rule forwards or copies the incident report based on the organization name in the subject line to a different destination.
NOTE: The links and URLs provided in some notifications and reports can only be accessed by Account Admins, and the recipient address may not be able to fully interact with them.
For more information on parsing Huntress Incidents, check out our Parse Incident Reports to Integrations (RMM, PSA, Email) KB.
If alerting and remediation must be set up for an organization, that Organization must be bumped up to a Huntress Account Contract (that can live as a "reseller contract" under the parent account). More information here: Reselling Huntress (for resellers)