Skill

Huntress Incidents

Manages Huntress security incidents: lists, triages, investigates, resolves them, and handles remediations with bulk approve/reject workflows.

security

Install

npx claudepluginhub wyre-technology/msp-claude-plugins --plugin huntress

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Incidents are the core security events in Huntress, generated by the Huntress SOC team when threats are confirmed on managed endpoints. Each incident includes severity, affected hosts, investigation details, and recommended remediations. MSPs must triage, investigate, and resolve incidents — often approving or rejecting SOC-recommended remediations.

SKILL.md

Similar Skills

ui-ux-pro-max

Provides UI/UX resources: 50+ styles, color palettes, font pairings, guidelines, charts for web/mobile across React, Next.js, Vue, Svelte, Tailwind, React Native, Flutter. Aids planning, building, reviewing interfaces.

ui-ux-pro-max

57.6k

context7-mcp

Fetches up-to-date documentation from Context7 for libraries and frameworks like React, Next.js, Prisma. Use for setup questions, API references, and code examples.

context7-plugin

51.8k

market-sizing-analysis

2 files

Calculates TAM/SAM/SOM using top-down, bottom-up, and value theory methodologies for market sizing, revenue estimation, and startup validation.

startup-business-analyst

32.9k

Stats

Parent Repo Stars12

Parent Repo Forks8

Last CommitApr 5, 2026

Actions

View Source View Plugin View on GitHub View README

Huntress Incidents

Overview

Key Concepts

Incident Lifecycle

Detection — Huntress SOC identifies a threat
Triage — MSP reviews the incident and severity
Investigation — Deep dive into affected hosts and indicators
Remediation — Approve/reject SOC-recommended actions
Resolution — Close the incident

Severity Levels

Critical — Active threat requiring immediate response
High — Confirmed threat requiring urgent action
Low — Suspicious activity requiring review

Remediations

Huntress SOC provides recommended remediations for each incident. MSPs can:

Approve — Execute the recommended remediation
Reject — Decline the remediation (provide reason)
Bulk approve/reject — Handle multiple remediations at once

API Patterns

List Incidents

huntress_incidents_list

Parameters:

organization_id — Filter by organization
status — Filter by status (open, resolved)
page_token — Pagination token

Example response:

{
  "incidents": [
    {
      "id": "inc-789",
      "title": "Persistent Footholds: Malicious Scheduled Task",
      "severity": "critical",
      "status": "open",
      "organization_id": "org-456",
      "created_at": "2026-02-26T08:15:00Z",
      "affected_hosts": ["ACME-WS-042"],
      "remediations_count": 2
    }
  ],
  "next_page_token": null
}

Get Incident Details

huntress_incidents_get

Parameters:

incident_id — The incident ID

Resolve Incident

huntress_incidents_resolve

Parameters:

incident_id — The incident to resolve

List Remediations

huntress_incidents_remediations

Parameters:

incident_id — The incident ID

Example response:

{
  "remediations": [
    {
      "id": "rem-001",
      "type": "scheduled_task_removal",
      "description": "Remove malicious scheduled task 'WindowsUpdate'",
      "status": "pending",
      "host": "ACME-WS-042"
    },
    {
      "id": "rem-002",
      "type": "file_quarantine",
      "description": "Quarantine C:\\Windows\\Temp\\payload.exe",
      "status": "pending",
      "host": "ACME-WS-042"
    }
  ]
}

Get Remediation Details

huntress_incidents_remediation_get

Parameters:

incident_id — The incident ID
remediation_id — The remediation ID

Bulk Approve Remediations

huntress_incidents_bulk_approve

Parameters:

incident_id — The incident ID
remediation_ids — List of remediation IDs to approve

Bulk Reject Remediations

huntress_incidents_bulk_reject

Parameters:

incident_id — The incident ID
remediation_ids — List of remediation IDs to reject
reason — Reason for rejection

Common Workflows

Daily Incident Triage

Call huntress_incidents_list with status=open
Sort by severity (critical first)
Group by organization to identify affected clients
Investigate critical incidents immediately
Schedule review of lower-severity incidents

Incident Investigation

Get incident details with huntress_incidents_get
Review affected hosts, indicators, and timeline
List remediations with huntress_incidents_remediations
Review each remediation's scope and impact
Approve or reject remediations as appropriate
Resolve the incident when complete

Bulk Remediation Approval

List all remediations for an incident
Review each remediation action
Approve all safe remediations with huntress_incidents_bulk_approve
Reject any inappropriate remediations with reason
Verify remediation execution status

Error Handling

Incident Not Found

Cause: Invalid incident ID or incident already deleted Solution: List incidents to verify the correct ID

Remediation Already Processed

Cause: Attempting to approve/reject an already-processed remediation Solution: Check remediation status before processing

Cannot Resolve with Pending Remediations

Cause: Trying to resolve an incident with unprocessed remediations Solution: Approve or reject all remediations before resolving

Best Practices

Triage incidents at least twice daily (morning and afternoon)
Always investigate before approving remediations
Document rejection reasons for audit trail
Notify clients about critical incidents via PSA ticket
Track mean time to resolution (MTTR) per client
Use bulk operations to efficiently process multiple remediations
Cross-reference incidents with escalations for full context

Related Skills

api-patterns - Pagination and error handling
escalations - Related escalations
agents - Affected endpoint agents
organizations - Client organization context
signals - Underlying security signals