Configure Endpoint Security - Datto EDR / AV

 

How to set it up

  1. Create API token in Datto EDR / AV portal for use by RocketCyber
  2. Configure integration in RocketCyber and map organizations

 

In order to connect Datto EDR / AV to RocketCyber, you will first need to collect a few pieces of information from your instance:

  • The URL you use to access Datto EDR / AV
  • An API token generated in Datto EDR / AV portal for RocketCyber to use for the integration

 

How to generate an API token

  • Log into your Datto EDR / AV instance and click your user icon in the top right
  • Select Admin from the drop-down
  • Select Users & Tokens from the left nav
  • Select the API Tokens tab at the top of the page

 

Next, select Create New Token.

Give it a name such as RocketCyber so you can easily identify it later, and select Create. The token is shown once, on the next screen. Copy it now and store it somewhere access-controlled (a password manager or secrets vault): anyone holding it can call the Datto EDR / AV API as RocketCyber would, and you will not be able to view it in Datto EDR / AV again after creation.

 

Important: The generated token expires one year after creation. Generate a new token and update it in the RocketCyber integration before the old one expires, or events will stop flowing. Make a note and set a calendar reminder to refresh the token yearly.

 

Configuring the integration within RocketCyber

Sign in to RocketCyber and ensure you are at the Provider level.

Select Integrations, click the Endpoint Security tab, and select Datto EDR / AV.

Paste your API token into the API key field.

Supply the URL you use to access Datto EDR / AV, as the base URL with /api appended.

Example: https://<instancename>.infocyte.com/api

Note: If /api is missing from the end of the URL, the attempt to authenticate and load Companies will fail.

Click Check Credentials to verify the connection to Datto EDR / AV, and then Authenticate.

 

Note: After successfully authenticating, RocketCyber automatically creates a webhook within Datto EDR / AV so that Datto EDR / AV can send telemetry to RocketCyber. If the integration is configured but no data arrives after a new event is triggered in Datto EDR / AV, verify that the webhook was created properly; see the troubleshooting section at the end of this article.

 

The organization mapping section will load, allowing you to map your Datto EDR / AV Sites/organizations to RocketCyber organizations.

Click Save when all organizations are mapped.

 

Once this is complete, events generated by Datto EDR / AV appear in your RocketCyber dashboard under the Datto EDR / AV monitor.

Now the SOC will have visibility into Datto EDR / AV events, and Incidents will be created for items that require your attention.

 

Troubleshooting

If you see events in Datto EDR / AV, but they are not populating in RocketCyber, you can check the webhook to ensure it was created properly, and that there are no errors in the webhook.

 

Verifying the webhook that sends detection information to RocketCyber

 

The webhook should be automatically created by RocketCyber during the integration set up.  Here is how you can verify the webhook is set up properly.

 

Navigate to the Admin section in Datto EDR / AV

Select Webhooks from the left Nav section 

 

There should be a Webhook named RocketCyber-integration

Review the webhook to ensure it is configured by selecting it.

Name: RocketCyber-integration

Description: Rocketcyber integration webhook: needed to work with RocketCyber SOC

Method: POST

URL:

For organizations using app.rocketcyber.com (US instance): https://web-receiver.us.rocketcyber.com/api/datto-edr/

For organizations using eu.rocketcyber.com: https://web-receiver-eu.herokuapp.com/api/datto_edr

Headers: Content-Type=application/json

Body: Ensure the below is in the Body of the webhook (shown one field per line for readability; whitespace is not significant in JSON)

{
  "targetId": "{{targetGroupId}}",
  "rmmSiteId": "{{rmmSiteId}}",
  "rmmAccountId": "{{rmmAccountId}}",
  "data": "{{data}}",
  "instance": "{{instance}}",
  "id": "{{id}}",
  "itemType": "{{type}}",
  "hostScanID": "{{hostScanId}}",
  "alertType": "{{sourceType}}",
  "name": "{{name}}",
  "commandLine": "{{commandLine}}",
  "threatName": "{{threatName}}",
  "threatScore": "{{threatScore}}",
  "threatWeight": "{{threatWeight}}",
  "hostName": "{{hostname}}",
  "flag": "{{flagName}}",
  "flagId": "{{flagId}}",
  "flagColor": "{{flagColor}}",
  "flagName": "{{flagName}}",
  "flagWeight": "{{flagWeight}}",
  "avScore": "{{avPositives}}/{{avTotal}}",
  "itemId": "{{itemId}}",
  "createdOn": "{{createdOn}}",
  "avScan": "{{hasAvScan}}",
  "description": "{{description}}",
  "sourceId": "{{sourceId}}",
  "severity": "{{severity}}",
  "sourceName": "{{sourceName}}",
  "link": "{{link}}",
  "scanId": "{{scanId}}",
  "fileRepId": "{{fileRepId}}",
  "signed": "{{signed}}",
  "managed": "{{managed}}",
  "avPositives": "{{avPositives}}",
  "avTotal": "{{avTotal}}",
  "hasAvScan": "{{hasAvScan}}",
  "synapse": "{{synapse}}",
  "staticAnalysis": "{{staticAnalysis}}",
  "suspicious": "{{suspicious}}",
  "whitelist": "{{whitelist}}",
  "blacklist": "{{blacklist}}",
  "localWhitelist": "{{localWhitelist}}",
  "localBlacklist": "{{localBlacklist}}",
  "unknown": "{{unknown}}",
  "notMalicious": "{{notMalicious}}"
}
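Two steps in this article are easy to get subtly wrong: the instance URL pasted into RocketCyber (which must end in /api) and the webhook body, where a single missing or renamed field is hard to spot by eye in a 45-field template. The script below is an added example written for this article; it is not RocketCyber or Datto code and does not call either product's API. It normalizes the instance URL the way the setup step requires, compares a webhook you have transcribed from Admin > Webhooks against the name, method, regional receiver URL, header and body listed above, and renders the template with a sample event so you can see what RocketCyber would receive. The function names (normalize_api_url, check_webhook, render_body), the dictionary shape used for the transcribed webhook, the sample webhook and the sample event are all constructed for this example, and the JSON escaping of template values is an assumption about the portal, not documented behaviour.

```python
"""Offline sanity checks for the RocketCyber <-> Datto EDR / AV integration.
Added example for this article, not RocketCyber or Datto code. The webhook
dictionary shape, the sample webhook and the sample event are constructed;
how the Datto portal escapes template values is an assumption.
"""
import json
import re
from urllib.parse import urlsplit, urlunsplit

# Receiver URLs exactly as listed in the article, keyed by RocketCyber region.
RECEIVER_URLS = {
    "us": "https://web-receiver.us.rocketcyber.com/api/datto-edr/",
    "eu": "https://web-receiver-eu.herokuapp.com/api/datto_edr",
}
EXPECTED_NAME = "RocketCyber-integration"
EXPECTED_METHOD = "POST"
# Body template from the article, verbatim. Each {{placeholder}} sits inside a
# JSON string, so the unrendered template is itself valid JSON.
EXPECTED_BODY = '{"targetId": "{{targetGroupId}}","rmmSiteId": "{{rmmSiteId}}","rmmAccountId": "{{rmmAccountId}}","data": "{{data}}","instance": "{{instance}}","id": "{{id}}","itemType": "{{type}}","hostScanID": "{{hostScanId}}","alertType": "{{sourceType}}","name": "{{name}}","commandLine": "{{commandLine}}","threatName": "{{threatName}}","threatScore": "{{threatScore}}","threatWeight": "{{threatWeight}}","hostName": "{{hostname}}","flag": "{{flagName}}","flagId": "{{flagId}}","flagColor": "{{flagColor}}","flagName": "{{flagName}}","flagWeight": "{{flagWeight}}","avScore": "{{avPositives}}/{{avTotal}}","itemId": "{{itemId}}","createdOn": "{{createdOn}}","avScan": "{{hasAvScan}}","description": "{{description}}","sourceId": "{{sourceId}}","severity": "{{severity}}","sourceName": "{{sourceName}}","link": "{{link}}","scanId": "{{scanId}}","fileRepId": "{{fileRepId}}","signed": "{{signed}}","managed": "{{managed}}","avPositives": "{{avPositives}}","avTotal": "{{avTotal}}","hasAvScan": "{{hasAvScan}}","synapse": "{{synapse}}","staticAnalysis": "{{staticAnalysis}}","suspicious": "{{suspicious}}","whitelist": "{{whitelist}}","blacklist": "{{blacklist}}","localWhitelist": "{{localWhitelist}}","localBlacklist": "{{localBlacklist}}","unknown": "{{unknown}}","notMalicious": "{{notMalicious}}"}'
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def normalize_api_url(instance_url: str) -> str:
    """Return the base URL with exactly one trailing /api, as RocketCyber requires.
    Accepts a bare host, a trailing slash or an existing /api; refuses plain http."""
    if "://" not in instance_url:
        instance_url = "https://" + instance_url
    parts = urlsplit(instance_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"expected an https URL, got {instance_url!r}")
    path = parts.path.rstrip("/")
    if not path.endswith("/api"):
        path += "/api"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def check_webhook(webhook: dict, region: str) -> list:
    """List discrepancies between a transcribed webhook and the article's values
    for `region` ("us" or "eu"). An empty list means the webhook matches."""
    problems = []
    if webhook.get("name") != EXPECTED_NAME:
        problems.append(f"name is {webhook.get('name')!r}, expected {EXPECTED_NAME!r}")
    if str(webhook.get("method", "")).upper() != EXPECTED_METHOD:
        problems.append(f"method is {webhook.get('method')!r}, expected {EXPECTED_METHOD!r}")
    expected_url = RECEIVER_URLS[region]
    if webhook.get("url") != expected_url:
        problems.append(f"url is {webhook.get('url')!r}, expected {expected_url!r} ({region})")
    headers = {k.lower(): v for k, v in webhook.get("headers", {}).items()}
    if headers.get("content-type") != "application/json":
        problems.append("Content-Type header must be application/json")
    try:
        body = json.loads(webhook.get("body", ""))
    except json.JSONDecodeError as exc:
        return problems + [f"body is not valid JSON: {exc}"]
    expected = json.loads(EXPECTED_BODY)
    for key in sorted(expected.keys() - body.keys()):
        problems.append(f"body is missing field {key!r}")
    for key in sorted(body.keys() - expected.keys()):
        problems.append(f"body has unexpected field {key!r}")
    for key in sorted(expected.keys() & body.keys()):
        if body[key] != expected[key]:
            problems.append(f"body field {key!r} is {body[key]!r}, expected {expected[key]!r}")
    return problems


def render_body(template: str, event: dict) -> dict:
    """Fill the {{placeholders}} from `event` and parse the result, to preview
    what RocketCyber receives. Missing fields render as empty strings; values
    are JSON-escaped (assumed) so quotes in a command line cannot break the payload."""
    def fill(match):
        return json.dumps(str(event.get(match.group(1), "")))[1:-1]
    return json.loads(PLACEHOLDER.sub(fill, template))


# Constructed sample webhook, as you might transcribe it from Admin > Webhooks.
SAMPLE_WEBHOOK = {
    "name": "RocketCyber-integration",
    "method": "POST",
    "url": RECEIVER_URLS["us"],
    "headers": {"Content-Type": "application/json"},
    "body": EXPECTED_BODY,
}

# Constructed sample event; illustrative values, not real telemetry.
SAMPLE_EVENT = {
    "hostname": "WS-FINANCE-07",
    "sourceType": "process",
    "name": "powershell.exe",
    "commandLine": 'powershell.exe -Command "Get-Process"',
    "threatName": "Suspicious PowerShell",
    "severity": "high",
    "avPositives": "3",
    "avTotal": "70",
}
```

To use it, copy the name, method, URL, header and body of the webhook you see in the portal into a dictionary shaped like SAMPLE_WEBHOOK and call check_webhook(webhook, "us") or check_webhook(webhook, "eu"); any string it returns is a field to fix in the portal. Note that the US and EU receiver URLs differ in more than the hostname (datto-edr/ with a trailing slash versus datto_edr), so the check compares the full URL rather than just the host.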

 

---------------------

 

Tip: If you are having trouble receiving events from Datto EDR / AV (after configuring mapping in step 2), you can also navigate to the Webhooks section and click the tri-dot menu to the right of the webhook and View Errors to see if there are any errors sending data.
