Overview
This node integrates with the Huntress API to retrieve multiple "Signal" records based on specified filters. Signals represent various security-related events or alerts associated with entities such as agents, users, or services within an environment monitored by Huntress.
Common scenarios for this node include:
- Fetching all recent security signals related to a specific agent or user.
- Filtering signals by type (e.g., Antivirus alerts, Ransomware Canaries) to analyze particular threat categories.
- Retrieving signals with certain statuses (e.g., reported or closed) for incident tracking or reporting.
Practical example: A security analyst wants to gather all open antivirus-related signals for a particular service principal to investigate potential threats. They configure this node to filter by entity type "Service Principal," select "Antivirus" in types, and status "Reported."
Properties
| Name | Meaning |
|---|---|
| Filters | Collection of filters to narrow down the signals retrieved. Includes: |
| Entity Type | The category of entity the signal is associated with. Options: Agent, Identity, Service Principal, Source, User. |
| Entity ID | Specific identifier of the entity to fetch signals for. |
| Types | Types of signals to include. Multiple selections allowed. Options: Antivirus, Favicon Detections, Footholds, Managed ITDR, MDE Detections, Process Insights, Ransomware Canaries, SIEM. |
| Statuses | Statuses of signals to filter by. Multiple selections allowed. Options: Reported, Closed. |
Output
The node outputs JSON data containing an array of signal objects matching the applied filters. Each signal object includes details about the event detected by Huntress, such as its type, status, associated entity, timestamps, and other relevant metadata.
No binary data output is indicated.
Dependencies
- Requires an API key credential for authenticating with the Huntress API.
- The node uses the base URL https://api.huntress.io/v1 for requests.
- Pagination support is included via a generic pagination method from utilities.
Troubleshooting
- Authentication errors: If the API key is invalid or missing, the node will fail to connect. Ensure the API key credential is correctly configured.
- Empty results: Applying overly restrictive filters (e.g., non-existent entity ID or incompatible types/statuses) may return no signals.
- API rate limits: Excessive requests might be throttled by the Huntress API. Implement appropriate delays or reduce request frequency.
- Invalid filter values: Selecting unsupported options or malformed input can cause query failures. Use only the provided options for filters.
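The following is an added example, not the node's own source code, showing how the filter collection from the Properties table can be turned into a paginated request against the base URL above, while guarding against the "invalid filter values" and "API rate limits" cases from the troubleshooting list. The query parameter names (`entity_type`, `entity_id`, `types[]`, `statuses[]`, `page`, `limit`) and the response shape (`signals` array plus a `pagination.next_page` field) are assumptions, not taken from the page or from Huntress documentation; `request` is injected so the example runs offline against a constructed stand-in instead of the real API, and the real caller would wrap `fetch()` with the API key credential.

```javascript
// Added example (not the node's own code). Parameter names, response shape
// and the fake API below are assumptions / constructed data.
const BASE_URL = 'https://api.huntress.io/v1';

// Allowed filter values, as listed in the Properties table.
const ENTITY_TYPES = ['Agent', 'Identity', 'Service Principal', 'Source', 'User'];
const SIGNAL_TYPES = ['Antivirus', 'Favicon Detections', 'Footholds', 'Managed ITDR',
  'MDE Detections', 'Process Insights', 'Ransomware Canaries', 'SIEM'];
const STATUSES = ['Reported', 'Closed'];

// Reject anything outside the documented option lists before a request is built.
function checkAllowed(values, allowed, label) {
  for (const v of values) {
    if (!allowed.includes(v)) throw new Error(`Invalid ${label}: ${JSON.stringify(v)}`);
  }
}

// Translate the node's filter collection into a signals URL for one page.
function buildSignalsUrl(filters, page = 1, limit = 100) {
  const params = new URLSearchParams();
  const types = filters.types ?? [];
  const statuses = filters.statuses ?? [];
  if (filters.entityType !== undefined) {
    checkAllowed([filters.entityType], ENTITY_TYPES, 'entity type');
    params.set('entity_type', filters.entityType); // assumed parameter name
    if (filters.entityId !== undefined) params.set('entity_id', String(filters.entityId));
  }
  checkAllowed(types, SIGNAL_TYPES, 'signal type');
  types.forEach((t) => params.append('types[]', t)); // assumed parameter name
  checkAllowed(statuses, STATUSES, 'status');
  statuses.forEach((s) => params.append('statuses[]', s)); // assumed parameter name
  params.set('page', String(page));
  params.set('limit', String(limit));
  return `${BASE_URL}/signals?${params}`;
}

// Synchronous sleep so the example stays free of async plumbing.
function sleepMs(ms) {
  Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
}

// Walk every page. On HTTP 429 (throttled) back off once and retry the same
// page; any other non-200 status is surfaced as an error. `maxPages` bounds
// the loop in case the pagination field never becomes null.
function getAllSignals(filters, request,
  { retryDelayMs = 1000, maxPages = 100, sleep = sleepMs } = {}) {
  const signals = [];
  let page = 1;
  while (page !== null && page <= maxPages) {
    const url = buildSignalsUrl(filters, page);
    let res = request(url);
    if (res.status === 429) {
      sleep(retryDelayMs);
      res = request(url);
    }
    if (res.status !== 200) throw new Error(`Huntress API returned HTTP ${res.status} for ${url}`);
    signals.push(...(res.body.signals ?? []));
    page = res.body.pagination?.next_page ?? null; // assumed response field
  }
  return signals;
}

// Constructed stand-in for the API (no network): page 1 holds two signals,
// page 2 holds one, and optionally the very first call answers 429.
function makeFakeApi({ throttleFirst = false } = {}) {
  let throttleNext = throttleFirst;
  const pages = {
    1: { signals: [{ id: 1, type: 'Antivirus', status: 'Reported' },
                   { id: 2, type: 'Antivirus', status: 'Reported' }],
         pagination: { current_page: 1, next_page: 2 } },
    2: { signals: [{ id: 3, type: 'Antivirus', status: 'Reported' }],
         pagination: { current_page: 2, next_page: null } },
  };
  return (url) => {
    if (throttleNext) { throttleNext = false; return { status: 429, body: {} }; }
    const page = Number(new URL(url).searchParams.get('page'));
    return pages[page] ? { status: 200, body: pages[page] } : { status: 404, body: {} };
  };
}

// The scenario from the overview: open Antivirus signals for one service principal.
const example = getAllSignals(
  { entityType: 'Service Principal', entityId: 42, types: ['Antivirus'], statuses: ['Reported'] },
  makeFakeApi({ throttleFirst: true }),
  { sleep: () => {} },
);
console.log(`${example.length} signals retrieved`); // 3 signals retrieved
```

The option lists are checked client-side so a typo in a filter fails fast with a readable message instead of an opaque query failure from the API, and the retry-once-on-429 branch is the minimal form of the "implement appropriate delays" advice; a production wrapper would honour any `Retry-After` header the API sends and cap the number of retries.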