From huntress
Queries, triages, and resolves Huntress SOC-confirmed security incidents. Lists incidents by org/status, reviews remediations, approves/rejects in bulk, and resolves incidents.
How this skill is triggered — by the user, by Claude, or both
Slash command
/huntress:incidentsWhen to use
When listing, triaging, investigating, resolving incidents, and managing remediations including bulk approve and reject workflows. Use when: huntress incident, huntress alert, incident triage, incident investigation, incident resolution, incident management, remediation, approve remediation, reject remediation, threat response, security incident, or soc recommendation.
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Manage Huntress SOC-confirmed security incidents across client organizations. Query open incidents, review SOC-recommended remediations, approve or reject remediation actions, and resolve incidents once all remediations are processed.
Manage Huntress SOC-confirmed security incidents across client organizations. Query open incidents, review SOC-recommended remediations, approve or reject remediation actions, and resolve incidents once all remediations are processed.
Retrieve incidents filtered by organization and status.
huntress_incidents_list(organization_id='org-456', status='open', page_token=None)
# Returns: {"incidents": [...], "next_page_token": "abc123" | null}
Each incident object contains id, title, severity, status, organization_id, created_at, affected_hosts, and remediations_count.
huntress_incidents_get(incident_id='inc-789')
# Returns: full incident with investigation details, indicators, timeline, and affected hosts
huntress_incidents_remediations(incident_id='inc-789')
# Returns: {"remediations": [{"id": "rem-001", "type": "scheduled_task_removal", "description": "Remove malicious scheduled task 'WindowsUpdate'", "status": "pending", "host": "ACME-WS-042"}, ...]}
Each remediation has a status field: pending, approved, rejected, executing, completed, or failed.
huntress_incidents_remediation_get(incident_id='inc-789', remediation_id='rem-001')
# Returns: single remediation with full execution details and host context
huntress_incidents_bulk_approve(incident_id='inc-789', remediation_ids=['rem-001', 'rem-002'])
# Returns: per-remediation success/failure status
huntress_incidents_bulk_reject(incident_id='inc-789', remediation_ids=['rem-003'], reason='False positive - legitimate admin tool')
# Returns: per-remediation success/failure status
huntress_incidents_resolve(incident_id='inc-789')
# Fails if any remediations are still pending — approve or reject all first
huntress_incidents_list(status='open')next_page_token is returnedorganization_idhuntress_incidents_get(incident_id=...) to review investigation detailshuntress_incidents_get(incident_id='inc-789')huntress_incidents_remediations(incident_id='inc-789')type, description, and host before approvinghuntress_incidents_resolve(incident_id='inc-789')Use this workflow when an incident has multiple pending remediations.
huntress_incidents_remediations(incident_id='inc-789') and confirm all target remediations have status: 'pending' — skip any already processedhuntress_incidents_bulk_approve(incident_id='inc-789', remediation_ids=['rem-001', 'rem-002'])huntress_incidents_bulk_reject(incident_id='inc-789', remediation_ids=['rem-003'], reason='...')huntress_incidents_remediations(incident_id='inc-789') and confirm no remediations remain pending before resolvinghuntress_incidents_resolve(incident_id='inc-789')| Error | Cause | Recovery |
|---|---|---|
| Incident not found | Invalid ID or deleted incident | Re-list incidents to get correct IDs |
| Remediation already processed | Approve/reject on non-pending remediation | Check status before processing; filter to pending only |
| Cannot resolve with pending remediations | Unprocessed remediations remain | Approve or reject all remediations first |
organization_id and status to huntress_incidents_list to reduce response size and avoid unnecessary paginationstatus: 'pending' immediately before calling bulk approve/reject to avoid already-processed errorsreason parameter on huntress_incidents_bulk_reject creates an audit trail — use specific, actionable reasons (e.g., "Legitimate admin tool — verified with client IT")See REFERENCE.md for full response examples, remediation types, incident lifecycle details, and severity level descriptions.
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin huntressLists, reviews, and resolves Huntress SOC escalations. Useful when working with high-priority SOC-to-partner communications.
Guides incident lifecycle management for Checkpoint Harmony Email security events: status transitions, triage, investigation, evidence collection, remediation, and closure workflows.
Manages RocketCyber security incidents: search, triage, investigate, and resolve. Covers incident lifecycle, severity levels, verdicts, and PSA ticket correlation.