About the Huntress EDR/ITDR Deliverable report

Frankie Ryan
Frankie Ryan
  • Updated

The Huntress Deliverable report is a client-facing security report that pulls Endpoint Detection & Response (EDR) data from your connected Huntress account.
If your Huntress account also includes Managed ITDR (Identity Threat Detection & Response), the report adds identity security sections automatically, producing a single unified Endpoint & Identity Security report.

What you'll need:

 
Note: Huntress SAT (Security Awareness Training) is a separate Huntress product with its own integration and its own Deliverable report. See About the Huntress SAT Deliverable report for information about that report.  

Configuring the report

The Huntress report shows data for a selected reporting period. You can change the period to the last month, last 2 months, or last 3 months.

To change the reporting period:

  1. Open the deliverable that contains the Huntress section.
  2. In the Huntress section, click the settings icon ().
  3. In the Deliverable Settings modal, expand the Risk Management section and locate the Endpoint Detection & Response panel.

     
  4. Select Last month, Last 2 months, or Last 3 months.
  5. Click Save.

The report updates immediately with data for the selected period.

Understanding the report sections

The Huntress report always includes endpoint sections. Sections marked Requires Managed ITDR appear only when the connected Huntress account has Managed ITDR enabled. If the account does not have Managed ITDR, those sections either do not appear or show a message explaining that the data is unavailable.

Top stats

A row of headline metrics for the selected reporting period. EDR metrics always appear. ITDR metrics show as zero when the integrated Huntress account doesn't have Managed ITDR.

  • EDR Events Analysed
    Total endpoint events analyzed by Huntress in the selected period.
  • EDR Signals
    Signals investigated in the period.
  • EDR Incidents
    Endpoint incidents reported.
  • Identities Monitored (Requires Managed ITDR)
    Number of identities under ITDR monitoring, as reported in the most recent monthly summary report. 
  • ITDR Events (Requires Managed ITDR)
    Identity-related events analyzed in the period.
  • Identity Incidents (Requires Managed ITDR)
    Identity security incidents reported.

Endpoint Incident Summary

A donut chart breaking down endpoint-only incidents by severity.

Identity Security Incidents (Requires Managed ITDR)

A donut chart breaking down identity security incidents by severity. Identity incidents are those tied to Microsoft 365, Google Workspace, managed identity, email security detections, or AI misuse indicators.

Agent Coverage and Health

A summary of Huntress agent deployment across the client's endpoints.

  • Total Deployed
    Total number of Huntress agents installed.
  • Responsive
    Agents that have called back to Huntress recently.
  • Unresponsive
    Agents that have not called back to Huntress within 21 days.
  • Coverage %
    Percentage of expected endpoints with an active Huntress agent.

Identity MFA and Risk Posture (Requires Managed ITDR)

A summary of identity security posture for the client.

  • Total Identities
    Number of identities monitored.
  • MFA Enabled %
    Percentage of identities with multi-factor authentication enabled.
  • MFA Disabled
    Count of identities without MFA.
  • Risk Distribution
    Identities grouped by risk level: None, Low, Medium, High, and Unknown.
Note: If the Huntress API credentials don't include access to the identity posture endpoint, this section shows the message Identity posture data is not available for this Huntress connection. This can happen even when Managed ITDR is enabled, if the API credentials were generated before ITDR was added to the Huntress account. Regenerating the API credentials in Huntress usually resolves this.  

Identity Security Activity Types (Requires Managed ITDR)

A table of Managed ITDR signal types observed in the selected reporting period.

  • Activity Type
    The type of identity signal, such as "Suspicious Microsoft 365 sign-in activity" or "Credential theft."
  • Count
    Number of times the signal was observed.
  • Reported
    Number of times the signal was escalated to an incident.
  • Closed
    Number of incidents now closed.
  • Latest
    Date of the most recent activity of this type.
🎙️ Interested in attending a live Q&A session with our Product Adoption team? Sign up to attend Lifecycle Manager Office Hours and get real-time answers to your questions.
Any questions? Reach out to our Lifecycle Manager support team by submitting a support ticket.

Related to

Was this article helpful?

Yes! No