Huntress operations
Daily Huntress work end to end. Onboard and offboard customers from documented runbooks, deploy and lifecycle the EDR agent across endpoints, triage EDR Incident Reports per the SOC's recommendation, and contain Critical incidents while escalating in parallel.
Lessons
- 01 ~8 minThe customer-onboarding model, runbook vs. commercial decisions
Onboarding is the part of the platform where mistakes touch commercials. Runbook execution stays on the helpdesk floor; subscription, product-mix, and deployment-strategy decisions bump every time.
- 02 ~7 minCreating a new organisation in the portal
The org record is the spine every onboarding step hangs off. Get the name, branding, and notification routing right from the runbook before you click save, then verify the blank state catches the wrong-tenant or duplicate-onboarding signal.
- 03 ~12 minConnecting Microsoft 365 for Managed ITDR
Two integration paths exist. Direct per-tenant Global Admin consent or GDAP/CSP via Partner Center. Your MSP uses one; the runbook says which. Many MSPs reserve the connection step itself for senior staff because of the permissions involved.
- 04 ~10 minConnecting Google Workspace for Managed ITDR
Same back-end model as M365, different integration path. Super-admin role, Google OAuth consent, and sometimes a domain-wide-delegation step in the Admin console. Don't run the M365 runbook with names swapped.
- 05 ~10 minBulk agent rollout, the runbook approach
Bulk rollout is where one mistake hits the most endpoints fastest. The runbook owns scope and timing; you own the running, the monitoring, and the gap between RMM success and portal enrolment.
- 06 ~10 minCoverage verification, three surfaces not one
Endpoints, identity, and SIEM all need verification, not just the agent count. Green status on an integration is necessary, not sufficient. Run the reconciliation at 24 hours and again at 48.
- 07 ~9 minFirst-week monitoring, the noise window
A new customer typically generates a Low-severity wave for one to two weeks as the SOC learns their environment. Two opposite failure modes are reacting too hard and suppressing the queue to clear it. The middle path is the standard Low workflow, on each one, every time.
- 08 ~8 minThe offboarding sequence, what gets removed and in what order
Six steps, in order. Pause alerts, disconnect ITDR, bulk uninstall, disconnect SIEM, archive incidents, raise the billing-closure ticket. Permanent org deletion is not in scope.
- 09 ~8 minBulk agent uninstall
The mirror image of bulk rollout, with a sharper failure surface. RMM success is not portal disappearance. Distinguish slow from resistant; resistant agents get per-endpoint follow-up, not bulk re-push.
- 10 ~7 minDisconnecting ITDR integrations
The step half-done offboardings most often skip. Each connected tenant gets its own disconnect; if both M365 and Workspace were connected, both need cutting. Verify no events arrive in the 24 hours after.
- 11 ~7 minFinal offboarding checklist and handoff
Six final-state targets. The discipline is the physical checklist, ticks are honest. Permanent org deletion is not on the list, the senior owns it.
- 12 ~8 minAgent architecture in one screen
A mental model of what the Huntress agent collects and where it sends telemetry. Installation and registration are two separate steps that fail separately. Carry the split into every diagnostic that follows.
- 13 ~7 minDeploying via RMM to a single endpoint
The daily reflex for new laptops, replacement workstations, and rebuilt servers. Five-minute job when pre-flight is done; a long week when the RMM exit code gets trusted as the final word.
- 14 ~8 minInstall failure, AV conflict
The most common install-failure cause. The right fix is documented exclusions pushed via the AV management console, not disabling AV. The customer's IT shouldn't have to know the agent's install was bumpy.
- 15 ~7 minInstall failure, GPO or policy block
Policy blocks look like AV blocks on the install log, but the fix lives in GPO, MDM, AppLocker, or WDAC. Reading the system event log alongside the install log is what separates them.
- 16 ~7 minInstall failure, unsupported OS or missing dependencies
Sometimes the right answer is "this endpoint can't be covered." The supported-platforms list is the bright line. A missing dependency on a supported OS is a routine fix; an unsupported OS is a senior conversation, not a different install attempt.
- 17 ~8 minInstall failure, blocked outbound connectivity
Where install-vs-registration matters most. The install completes cleanly; the RMM exits zero; the agent service starts. And the portal shows nothing because the agent can't reach Huntress to register.
- 18 ~8 minThe four causes of an offline agent
Agent offline is one status hiding four different problems with four different fixes. A two-question diagnostic separates them in under a minute. Skipping it is the most common reason offline-agent work takes an hour instead of ten minutes.
- 19 ~9 minClearing an offline backlog
Backlogs are a category problem disguised as a count problem. Categorise first, batch only within a category, document each endpoint. The customer wants the count down for the right reason, not cosmetically.
- 20 ~7 minAgent upgrades and version compliance
The agent self-upgrades. When it doesn't, the cause is almost always one of the install-failure causes coming back on a different operation. Manual upgrades treat a symptom; the fix lives in the original cause.
- 21 ~7 minClean uninstall and decommission, single endpoint
The daily mirror of single-endpoint deploy. The portal's organisation-specific uninstall key authorises the removal cleanly. Verify both ends of the uninstall (portal and endpoint) before closing the ticket.
- 22 ~8 minMoving agents between organisations
Two paths, two outcomes. Move-in-place preserves telemetry continuity; uninstall-and-re-install gives a clean break. The runbook decides; rules of thumb apply when the runbook doesn't cover.
- 23 ~7 minThe standard EDR incident workflow
Six discrete steps from notification to closure for every routine Low or High EDR Incident Report. Claim, review, approve remediations, verify, close, document — the spine the rest of the EDR arc hangs on.
- 24 ~7 minApproving remediations: autoruns
What the autoruns remediation does on the endpoint, what it doesn't do, how to verify it cleanly, and the re-detection pattern that turns a routine approve into a containment-and-escalate call.
- 25 ~8 minApproving remediations: scheduled tasks, services, files
Three more remediation types, each with a different blast radius. Scheduled tasks are bounded; services stop a running process; file removals depend on the file's role. Diligence on review and verify scales with what gets touched.
- 26 ~8 minHost isolation: what it does, what it breaks
Isolation cuts the endpoint's network at the agent, with a documented allow-list. Local stays working. Knowing what the user will experience is what makes the customer call survivable.
- 27 ~8 minWhen to isolate before contacting the user
Severity and the Recommendation decide. Critical and isolation-recommended High mean isolate first, then call. High without isolation and Low mean don't add it. The 30-second-vs-30-minute trade is the whole game.
- 28 ~7 minReturning an isolated host to service
Un-isolation is the easiest action in the portal to click and the hardest one to do correctly. A five-item recovery checklist walked before the click is what separates fast triage from fast triage that holds up.
- 29 ~7 minWriting incident notes
Four sections, every time. What you did, what you verified, who you contacted with names and times, open items. The note is for the next reader; the cold-read test is the standard.
- 30 ~6 minClosing the loop in the ticketing system
Two systems hold the work — Huntress and the PSA. Closing one and not the other is the cardinal drift trap. Six small close-out steps, takes two minutes, prevents the most common helpdesk pattern in the EDR arc.
- 31 ~9 minWalkthrough: a Low-severity incident, start to finish
The whole EDR machine working together on a routine Low. Eleven minutes, six steps, no surprises. The rhythm is the point; the components are familiar by now.
- 32 ~10 minWalkthrough: a High-severity incident, start to finish
A Low plus tighter SLA, paired actions (often isolation), and the customer call. Components are the same; tempo, coordination, and stakes differ. Twenty-eight minutes, six steps, one isolate-then-call cycle.
- 33 ~7 minWhat makes an incident Critical
Four markers tell you the response model has flipped, ransomware canary trip, mass deletion, lateral movement, admin-credential abuse. Recognise the shape and you switch from triage to contain-and-escalate before the severity tag confirms it.
- 34 ~7 minRansomware canary trips
A canary trip is unambiguous, either a decoy file was touched or it wasn't. See the trip, isolate inside 60 seconds, escalate in parallel. Investigation of the canary is for after, and not by you.
- 35 ~8 minThe containment-first response
Contain, escalate in parallel, do not investigate. One rule across five branching shapes, single-host, multi-host, identity, mixed, and re-detection. The branching is what you contain and who you call, not whether you switch into the reflex.
- 36 ~7 minWhere the helpdesk ceiling sits on Critical
Two failure modes appear in new techs on Critical, freezing and overstepping. The line is sharp, containment is in scope, investigation is not. The map below is the one to carry.
- 37 ~7 minProcess detections and benign-but-suspicious activity
Legitimate admin tools and attacker tradecraft look identical at the OS level. The SOC weighs context the OS can't see; the tech reads the Recommendation, not the pattern.
- 38 ~7 minSubmitting exclusions safely
Exclusions are persistent suppression of a detection pattern. Done right they reduce noise; done wrong they create blind spots. Four conditions gate "appropriate", and customer pressure isn't one of them.
- Final quiz
Test what you learned. Wrong answers are explained on the spot.