
Configure Endpoint Security - Datto EDR


Datto EDR can be deployed on endpoints to detect potential malicious actions that bypass traditional AV solutions.  It is a powerful tool that can perform memory inspection as well as identify potentially malicious files, processes, or actions that bad actors use to infiltrate systems.

Adding Datto EDR telemetry to RocketCyber will allow the SOC to have deeper visibility and work to react to threats across endpoints, network, and cloud resources, supplying you with a Managed Detection and Response capability.


How to set it up

  1. Create API token in Datto EDR for use by RocketCyber
  2. Configure integration in RocketCyber and map organizations


In order to connect Datto EDR to RocketCyber, you will first need to collect a few pieces of information from your Datto EDR instance:

  • The URL you use to access Datto EDR
  • An API token generated in Datto EDR for RocketCyber to use for the integration


How to generate an API token in Datto EDR

  • Log into your Datto EDR instance, and navigate to your user icon in the top right
  • Select Admin from the drop-down
  • Now select Users&Tokens from the left nav
  • Select the API Tokens tab at top of page



Next, select Create New Token





Give it a name such as RocketCyber so you can easily identify it later, and select Create. You will be supplied your token on the next screen. Copy it for later use and make sure you protect access to the key. You will not be able to view it in Datto EDR after creation.


Important: The generated key expires one year after creation. You will need to refresh the key once a year to ensure continued integration. Please make a note and set a reminder to refresh the key yearly.


Configuring the integration within RocketCyber

Sign in to RocketCyber and ensure you are at the Provider level

Select Integrations, click on the Endpoint Security tab, and select Datto EDR


Paste your API key in the specified section

Supply the URL you use to access Datto EDR (note: use the base URL and add /api to the URL)

Example: https://<instancename>

Note: You must add /api to the end of the URL, or the attempt to authenticate and load Companies will fail

Click Check Credentials to verify connection to Datto EDR, and then Authenticate


Note: After successfully authenticating, RocketCyber will automatically create a webhook within Datto EDR so that it can send telemetry to RocketCyber. If you configured the integration but see no data coming across (after a new event is triggered in Datto EDR), you may want to verify that the webhook was created properly. Please view the troubleshooting section at the end of this article.


The organization mapping section will load, allowing you to map your Datto EDR Sites/organizations to RocketCyber organizations.


Click Save when all organizations are mapped

Note: One site can be assigned to one RocketCyber organization. It is important to ensure that each organization is contained within one site in Datto EDR (standalone version). If you are using the DattoRMM integrated version, you will map each organization to the corresponding Site that organization belongs to in DattoRMM, which will be displayed in the organization mapping section.


Once this is complete, you will see the events generated by Datto EDR populated in your RocketCyber dashboard under the Datto EDR monitor.

Now the SOC will have visibility into Datto EDR events, and Incidents will be created for items that require your attention.



If you see events in Datto EDR, but they are not populating in RocketCyber, you can check the webhook to ensure it was created properly, and that there are no errors in the webhook.


Verifying the webhook that sends detection information to RocketCyber


The webhook should be automatically created by RocketCyber during the integration setup. Here is how you can verify the webhook is set up properly.


Navigate to the Admin section in Datto EDR

Select Webhooks from the left Nav section 


There should be a Webhook named RocketCyber-integration

Review the webhook to ensure it is configured by selecting it.


Description: Rocketcyber integration webhook: needed to work with RocketCyber SOC

Method: POST


For organizations using instance):

For organizations using


Headers: Content-Type=application/json

Body: Ensure the below is in the Body of the webhook

{"targetId": "{{targetGroupId}}","rmmSiteId": "{{rmmSiteId}}","rmmAccountId": "{{rmmAccountId}}","data": "{{data}}","instance": "{{instance}}","id": "{{id}}","itemType": "{{type}}","hostScanID": "{{hostScanId}}","alertType": "{{sourceType}}","name": "{{name}}","commandLine": "{{commandLine}}","threatName": "{{threatName}}","threatScore": "{{threatScore}}","threatWeight": "{{threatWeight}}","hostName": "{{hostname}}","flag": "{{flagName}}","flagId": "{{flagId}}","flagColor": "{{flagColor}}","flagName": "{{flagName}}","flagWeight": "{{flagWeight}}","avScore": "{{avPositives}}/{{avTotal}}","itemId": "{{itemId}}","createdOn": "{{createdOn}}","avScan": "{{hasAvScan}}","description": "{{description}}","sourceId": "{{sourceId}}","severity": "{{severity}}","sourceName": "{{sourceName}}","link": "{{link}}","scanId": "{{scanId}}","fileRepId": "{{fileRepId}}","signed": "{{signed}}","managed": "{{managed}}","avPositives": "{{avPositives}}","avTotal": "{{avTotal}}","hasAvScan": "{{hasAvScan}}","synapse": "{{synapse}}","staticAnalysis": "{{staticAnalysis}}","suspicious": "{{suspicious}}","whitelist": "{{whitelist}}","blacklist": "{{blacklist}}","localWhitelist": "{{localWhitelist}}","localBlacklist": "{{localBlacklist}}","unknown": "{{unknown}}","notMalicious": "{{notMalicious}}"}




Tip: If you are having trouble receiving events from Datto EDR (after configuring mapping in step 2), you can also navigate to the Webhooks section, click the tri-dot menu to the right of the webhook, and select View Errors to see if there are any errors sending data.
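
One way to check the webhook Body field against the template above is to diff the two as JSON. The script below is an added example, not RocketCyber or Datto code; the function names and the sample input are assumptions made for illustration, and the embedded template is only an excerpt of the body shown in this article.

```python
import json

# Constructed excerpt: the first five fields of the body template shown in
# this article. Pass the article's full template as expected_text for a real check.
EXPECTED_EXCERPT = (
    '{"targetId": "{{targetGroupId}}","rmmSiteId": "{{rmmSiteId}}",'
    '"rmmAccountId": "{{rmmAccountId}}","data": "{{data}}",'
    '"instance": "{{instance}}"}'
)


def _load_object(text):
    """Parse JSON text; return (value, list of keys that appear more than once)."""
    duplicates = []

    def hook(pairs):
        seen = {}
        for key, value in pairs:
            if key in seen:
                duplicates.append(key)
            seen[key] = value
        return seen

    return json.loads(text, object_pairs_hook=hook), duplicates


def compare_webhook_body(actual_text, expected_text=EXPECTED_EXCERPT):
    """Diff a body copied from the Webhooks page against the expected template."""
    expected, _ = _load_object(expected_text)
    try:
        actual, duplicates = _load_object(actual_text)
    except json.JSONDecodeError as exc:
        return {"valid_json": False, "error": f"{exc.msg} at char {exc.pos}"}
    if not isinstance(actual, dict):
        return {"valid_json": False, "error": "body is not a JSON object"}
    return {
        "valid_json": True,
        "missing": sorted(set(expected) - set(actual)),
        "unexpected": sorted(set(actual) - set(expected)),
        # Keys whose placeholder differs, e.g. targetId must stay {{targetGroupId}}.
        "changed": {k: actual[k] for k in expected
                    if k in actual and actual[k] != expected[k]},
        "duplicates": duplicates,
    }


if __name__ == "__main__":
    # Constructed sample of a hand-edited body with four mistakes.
    edited = ('{"targetId": "{{targetId}}","rmmSiteId": "{{rmmSiteId}}",'
              '"data": "{{data}}","instance": "{{instance}}",'
              '"instance": "x","note": "1"}')
    print(json.dumps(compare_webhook_body(edited), indent=2))
```

An empty result in every list means the configured body matches the template; several keys intentionally differ from their placeholder names (for example targetId and {{targetGroupId}}), so a "changed" entry usually points to a manual edit.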
