Navigation
10.25. Huntress Integration: Turn SOC Incident Reports into Tickets
Connect Huntress to AlgaPSA so SOC-reviewed incident reports become tickets on your security board automatically, with severity-based priorities and a fallback that guarantees nothing is dropped.
Huntress is a managed security platform: its SOC reviews detections and publishes incident reports that need a fast, accountable response. This integration polls those incident reports and turns each one into an AlgaPSA ticket on your security board, with the priority your severity mapping chooses. A security incident that nobody opened a ticket for is the scenario this integration exists to prevent, so its routing is built around one promise: nothing is dropped. Incidents from Huntress organizations you have not mapped still create tickets, on a fallback client and triage board you choose.
Huntress is an Enterprise Edition integration. Unlike the device RMMs, it does not sync devices or use the shared alert rules; it has its own routing configuration described below. For the wider RMM picture, see How RMM Integrations Work in AlgaPSA.
Connect AlgaPSA to Huntress
- Generate API credentials in Huntress at
<your-account>.huntress.iounder API Credentials. - Navigate to Settings > Integrations > RMM in AlgaPSA and select Huntress.
- Paste the API Key and API Secret Key into the Connect Huntress card.
- Click Connect.
Once connected, the status card shows your Huntress account name, organization count (with how many are unmapped), open incident count, and the last poll time.
Configure ticket routing
Incident polling stays paused until routing is complete: the security board, the fallback client and board, and all three severity priorities must be set. The status card reminds you while anything is missing.
In the Ticket Routing card:
| Setting | What it does |
|---|---|
| Security board | Where incident tickets land for mapped organizations. |
| Category (optional) | A ticket category applied to incident tickets. |
| Fallback client | The client that receives tickets for unmapped Huntress organizations. Many MSPs use an internal "Security Triage" client. |
| Fallback (triage) board | The board those fallback tickets land on. |
| Critical / High / Low severity | The AlgaPSA priority assigned for each Huntress severity. |
| Poll interval (minutes) | How often AlgaPSA checks for new incident reports, 1–60 minutes. |
| Close tickets when Huntress closes the incident | When enabled, choose the Closed status; tickets close automatically when the SOC closes the incident. |
Click Save routing configuration. Polling starts on the next interval; Poll now on the status card runs one immediately.
Map Huntress organizations
The organization mapping table assigns each Huntress organization to an AlgaPSA client, the same way the device RMMs map organizations. Mapped organizations put their incident tickets on the security board under the right client. Anything unmapped goes to the fallback client and triage board, where your dispatcher can re-home it, so an unmapped organization delays attribution but never loses an incident.
What your team sees
- A new incident report creates a ticket with the incident's summary and severity-mapped priority, on the security board (mapped) or triage board (unmapped).
- If the SOC closes the incident and you enabled close-through, the ticket closes with your chosen status.
- A failed poll is reported on the status card ("Last poll failed"), so a credential problem is visible rather than silent.
Operational checks
- The status card shows Connected to [your account] and a recent last poll time.
- Unmapped organization count is zero, or your dispatcher knows to watch the triage board.
- Run Poll now after setup and confirm an open incident in Huntress produced a ticket with the expected priority.
Related topics
- How RMM Integrations Work in AlgaPSA — the shared model behind every provider
- Ticketing Settings — boards, statuses, and priorities used by routing