From huntress
Lists, reviews, and resolves Huntress SOC escalations. Useful when working with high-priority SOC-to-partner communications.
How this skill is triggered — by the user, by Claude, or both
Slash command
/huntress:escalationsWhen to use
When listing, reviewing, and resolving escalations from the Huntress SOC team. Use when: huntress escalation, escalation review, escalation resolve, soc escalation, or threat escalation.
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Escalations are high-priority notifications from the Huntress SOC to MSP partners. When the Huntress SOC identifies activity requiring partner attention or action, they create an escalation. MSPs must review escalations promptly and resolve them after taking appropriate action.
Escalations are high-priority notifications from the Huntress SOC to MSP partners. When the Huntress SOC identifies activity requiring partner attention or action, they create an escalation. MSPs must review escalations promptly and resolve them after taking appropriate action.
Escalations from the Huntress SOC indicate urgency. Treat all open escalations as time-sensitive communications requiring prompt review.
huntress_escalations_list
Parameters:
organization_id — Filter by organizationstatus — Filter by statuspage_token — Pagination tokenExample response:
{
"escalations": [
{
"id": "esc-321",
"title": "Active Ransomware — Immediate Action Required",
"severity": "critical",
"status": "open",
"organization_id": "org-456",
"created_at": "2026-02-26T09:00:00Z",
"summary": "Huntress SOC has identified active ransomware encryption on ACME-WS-042. Immediate network isolation recommended."
}
],
"next_page_token": null
}
huntress_escalations_get
Parameters:
escalation_id — The escalation IDExample response:
{
"escalation": {
"id": "esc-321",
"title": "Active Ransomware — Immediate Action Required",
"severity": "critical",
"status": "open",
"organization_id": "org-456",
"created_at": "2026-02-26T09:00:00Z",
"summary": "Huntress SOC has identified active ransomware encryption on ACME-WS-042. Immediate network isolation recommended.",
"details": "The Huntress SOC detected file encryption activity consistent with ransomware...",
"recommended_actions": [
"Isolate ACME-WS-042 from the network immediately",
"Check for lateral movement to other endpoints",
"Preserve forensic evidence before remediation"
],
"related_incidents": ["inc-789"]
}
}
huntress_escalations_resolve
Parameters:
escalation_id — The escalation to resolvehuntress_escalations_listrelated_incidentshuntress_incidents_getCause: Invalid escalation ID Solution: List escalations to verify the correct ID
Cause: Attempting to resolve an already-resolved escalation Solution: Check escalation status first
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin huntressQueries, triages, and resolves Huntress SOC-confirmed security incidents. Lists incidents by org/status, reviews remediations, approves/rejects in bulk, and resolves incidents.
Guides incident lifecycle management for Checkpoint Harmony Email security events: status transitions, triage, investigation, evidence collection, remediation, and closure workflows.
Unified SOC analyst workflow for CrowdStrike NGSIEM — triage alerts, investigate security events, hunt threats, and tune detections. Use when triaging alerts, investigating detections, running daily SOC review, or tuning for false positives.