
Configuring RocketCyber integration with Datto EDR

Article updated on Dec 21, 2022 to reflect the new workflow

Datto EDR can be deployed on endpoints to detect potentially malicious actions that bypass traditional AV solutions. It is a powerful tool that can perform memory inspection as well as identify potentially malicious files, processes, or actions that bad actors use to infiltrate systems.

Adding Datto EDR telemetry to RocketCyber gives the SOC deeper visibility and lets it react to threats across endpoint, network, and cloud resources, providing a Managed Detection and Response capability for you and your customers.

How to set it up

  1. Create API token in Datto EDR for use by RocketCyber
  2. Configure integration in RocketCyber and map customers

In order to connect Datto EDR to RocketCyber, you will first need to collect a few pieces of information from your Datto EDR instance:

  • The URL you use to access Datto EDR
  • An API token generated in Datto EDR for RocketCyber to use for the integration

Important Note: If you are using the version of Datto EDR that is managed through Datto RMM, you will need to contact Datto RMM support teams to obtain this information, as it is not displayed in the Datto RMM UI. 

How to generate an API token in Datto EDR

  • Log into your Datto EDR instance, and navigate to your user icon in the top right
  • Select Admin from the drop-down
  • Now select Users & Tokens from the left nav
  • Select the API Tokens tab at the top of the page

Next, select Create New Token.

Give it a name such as RocketCyber so you can easily identify it later, and select Create. Your token is shown on the next screen. Copy it for later use and make sure you protect access to the key; you will not be able to view it in Datto EDR after creation.

Important: The generated key expires one year after creation. You will need to refresh the key once a year to ensure the integration continues to work. Make a note and set a reminder to refresh the key yearly.

Configuring the integration within RocketCyber

Sign in to RocketCyber and ensure you are at the Provider level.

Select Integrations, click the Endpoint Security tab, and select Datto EDR.

Paste your API key in the specified section.

Supply the URL you use to access Datto EDR (use the base URL and append /api).

Example: https://<instancename>.infocyte.com/api

Note: You must add /api to the end of the URL; otherwise the attempt to authenticate and load Companies will fail.

Click Check Credentials to verify the connection to Datto EDR, and then click Authenticate.

Note: After successfully authenticating, RocketCyber automatically creates a webhook within Datto EDR so that Datto EDR can send telemetry to RocketCyber. If you configured the integration but see no data coming across (after a new event is triggered in Datto EDR), verify that the webhook was created properly; see the troubleshooting section at the end of this article.

The customer mapping section will load, allowing you to map your Datto EDR Sites/Customers to RocketCyber customers.

Click Save when all customers are mapped.

Note: One site can be assigned to only one RocketCyber customer, so it is important to ensure that each customer is contained within one site in Datto EDR (standalone version). If you are using the Datto RMM integrated version, you will map each customer to the corresponding site that customer belongs to in Datto RMM, which will be displayed in the customer mapping section.

Once this is complete, events generated by Datto EDR will appear in your RocketCyber dashboard under the Datto EDR monitor.

Now the SOC will have visibility into Datto EDR events, and Incidents will be created for items that require your attention.

Troubleshooting

If you see events in Datto EDR, but they are not populating in RocketCyber, you can check the webhook to ensure it was created properly, and that there are no errors in the webhook.

Verifying the webhook that sends detection information to RocketCyber

The webhook should be created automatically by RocketCyber during the integration setup. Here is how you can verify that the webhook is set up properly.

Note: If you are using the Datto RMM integrated version of Datto EDR, you will not have access to the backend console. Please contact Datto support for assistance in reviewing the webhook for accuracy if there is an issue receiving events in RocketCyber.

Navigate to the Admin section in Datto EDR.

Select Webhooks from the left nav section.

There should be a webhook named RocketCyber-integration.

Select the webhook and review it to ensure it is configured as follows:

Name: RocketCyber-integration

Description: Rocketcyber integration webhook: needed to work with RocketCyber SOC

Method: POST

URL:

For customers using app.rocketcyber.com (US instance): https://web-receiver-us.herokuapp.com/api/datto_edr

For customers using eu.rocketcyber.com (EU instance): https://web-receiver-eu.herokuapp.com/api/datto_edr

Headers: Content-Type=application/json

Body: Ensure the body of the webhook contains the following:

{
  "targetId": "{{targetGroupId}}",
  "rmmSiteId": "{{rmmSiteId}}",
  "rmmAccountId": "{{rmmAccountId}}",
  "data": "{{data}}",
  "instance": "{{instance}}",
  "id": "{{id}}",
  "itemType": "{{type}}",
  "hostScanID": "{{hostScanId}}",
  "alertType": "{{sourceType}}",
  "name": "{{name}}",
  "commandLine": "{{commandLine}}",
  "threatName": "{{threatName}}",
  "threatScore": "{{threatScore}}",
  "threatWeight": "{{threatWeight}}",
  "hostName": "{{hostname}}",
  "flag": "{{flagName}}",
  "flagId": "{{flagId}}",
  "flagColor": "{{flagColor}}",
  "flagName": "{{flagName}}",
  "flagWeight": "{{flagWeight}}",
  "avScore": "{{avPositives}}/{{avTotal}}",
  "itemId": "{{itemId}}",
  "createdOn": "{{createdOn}}",
  "avScan": "{{hasAvScan}}",
  "description": "{{description}}",
  "sourceId": "{{sourceId}}",
  "severity": "{{severity}}",
  "sourceName": "{{sourceName}}",
  "link": "{{link}}",
  "scanId": "{{scanId}}",
  "fileRepId": "{{fileRepId}}",
  "signed": "{{signed}}",
  "managed": "{{managed}}",
  "avPositives": "{{avPositives}}",
  "avTotal": "{{avTotal}}",
  "hasAvScan": "{{hasAvScan}}",
  "synapse": "{{synapse}}",
  "staticAnalysis": "{{staticAnalysis}}",
  "suspicious": "{{suspicious}}",
  "whitelist": "{{whitelist}}",
  "blacklist": "{{blacklist}}",
  "localWhitelist": "{{localWhitelist}}",
  "localBlacklist": "{{localBlacklist}}",
  "unknown": "{{unknown}}",
  "notMalicious": "{{notMalicious}}"
}
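As an added example (not code from this article, from Datto EDR, or from RocketCyber), the following Python script checks a webhook definition against the name, method, URL, header and body template listed above, so the review can be repeated mechanically at each yearly token refresh or whenever events stop arriving. It assumes the webhook has been copied into a plain dict with the keys name, method, url, headers and body; that shape is constructed for the example and is not a documented Datto EDR export format. The two sample definitions at the bottom are likewise constructed.

```python
"""Added example, not code from the article, Datto EDR or RocketCyber: check a
Datto EDR webhook definition against the values the article lists.

Assumption (constructed for this example): the webhook has been copied into a
plain dict with the keys name, method, url, headers and body. That is not a
documented Datto EDR export format; adapt it to what the Webhooks screen shows.
"""
import json

EXPECTED_NAME = "RocketCyber-integration"
EXPECTED_METHOD = "POST"
EXPECTED_CONTENT_TYPE = "application/json"
# The receiver URL depends on which RocketCyber instance the account uses.
EXPECTED_URLS = {
    "us": "https://web-receiver-us.herokuapp.com/api/datto_edr",  # app.rocketcyber.com
    "eu": "https://web-receiver-eu.herokuapp.com/api/datto_edr",  # eu.rocketcyber.com
}

# Body template from the article. Every {{placeholder}} sits inside a JSON string,
# so the template itself parses as JSON and can be compared field by field.
EXPECTED_BODY_TEMPLATE = (
    '{"targetId": "{{targetGroupId}}","rmmSiteId": "{{rmmSiteId}}","rmmAccountId": "{{rmmAccountId}}",'
    '"data": "{{data}}","instance": "{{instance}}","id": "{{id}}","itemType": "{{type}}",'
    '"hostScanID": "{{hostScanId}}","alertType": "{{sourceType}}","name": "{{name}}",'
    '"commandLine": "{{commandLine}}","threatName": "{{threatName}}","threatScore": "{{threatScore}}",'
    '"threatWeight": "{{threatWeight}}","hostName": "{{hostname}}","flag": "{{flagName}}",'
    '"flagId": "{{flagId}}","flagColor": "{{flagColor}}","flagName": "{{flagName}}","flagWeight": "{{flagWeight}}",'
    '"avScore": "{{avPositives}}/{{avTotal}}","itemId": "{{itemId}}","createdOn": "{{createdOn}}",'
    '"avScan": "{{hasAvScan}}","description": "{{description}}","sourceId": "{{sourceId}}",'
    '"severity": "{{severity}}","sourceName": "{{sourceName}}","link": "{{link}}","scanId": "{{scanId}}",'
    '"fileRepId": "{{fileRepId}}","signed": "{{signed}}","managed": "{{managed}}",'
    '"avPositives": "{{avPositives}}","avTotal": "{{avTotal}}","hasAvScan": "{{hasAvScan}}",'
    '"synapse": "{{synapse}}","staticAnalysis": "{{staticAnalysis}}","suspicious": "{{suspicious}}",'
    '"whitelist": "{{whitelist}}","blacklist": "{{blacklist}}","localWhitelist": "{{localWhitelist}}",'
    '"localBlacklist": "{{localBlacklist}}","unknown": "{{unknown}}","notMalicious": "{{notMalicious}}"}'
)


def expected_fields():
    """Sorted names of the fields the receiver expects in the webhook body."""
    return sorted(json.loads(EXPECTED_BODY_TEMPLATE))


def body_problems(body_text):
    """Compare a webhook body (as text) with the template, field by field."""
    expected = json.loads(EXPECTED_BODY_TEMPLATE)
    try:
        actual = json.loads(body_text)
    except (TypeError, ValueError) as exc:
        return [f"body is not valid JSON: {exc}"]
    if not isinstance(actual, dict):
        return ["body is not a JSON object"]
    problems = []
    for field, placeholder in expected.items():
        if field not in actual:
            problems.append(f"body is missing field {field!r}")
        elif actual[field] != placeholder:
            problems.append(f"body field {field!r} should be {placeholder!r}, found {actual[field]!r}")
    for field in sorted(actual.keys() - expected.keys()):
        problems.append(f"body has unexpected field {field!r}")
    return problems


def check_webhook(webhook, region):
    """Return every mismatch found; an empty list means the webhook matches the article."""
    problems = []
    if webhook.get("name") != EXPECTED_NAME:
        problems.append(f"name should be {EXPECTED_NAME!r}, found {webhook.get('name')!r}")
    if str(webhook.get("method", "")).upper() != EXPECTED_METHOD:
        problems.append(f"method should be {EXPECTED_METHOD}, found {webhook.get('method')!r}")
    if webhook.get("url") != EXPECTED_URLS[region]:
        problems.append(f"url should be {EXPECTED_URLS[region]} for the {region} instance, "
                        f"found {webhook.get('url')!r}")
    # Header names are case-insensitive, so normalise them before the lookup.
    headers = {str(k).lower(): v for k, v in (webhook.get("headers") or {}).items()}
    if headers.get("content-type") != EXPECTED_CONTENT_TYPE:
        problems.append(f"Content-Type header should be {EXPECTED_CONTENT_TYPE!r}, "
                        f"found {headers.get('content-type')!r}")
    problems.extend(body_problems(webhook.get("body", "")))
    return problems


# Constructed sample definitions, not real exports from any Datto EDR instance.
GOOD_WEBHOOK = {
    "name": "RocketCyber-integration",
    "method": "POST",
    "url": EXPECTED_URLS["us"],
    "headers": {"Content-Type": "application/json"},
    "body": EXPECTED_BODY_TEMPLATE,
}
# The same definition with three typical mistakes: EU receiver on a US account,
# no Content-Type header, and the hostName field dropped from the body.
_broken_body = json.loads(EXPECTED_BODY_TEMPLATE)
del _broken_body["hostName"]
BROKEN_WEBHOOK = dict(GOOD_WEBHOOK, url=EXPECTED_URLS["eu"], headers={},
                      body=json.dumps(_broken_body))

if __name__ == "__main__":
    for label, hook in (("good", GOOD_WEBHOOK), ("broken", BROKEN_WEBHOOK)):
        found = check_webhook(hook, "us")
        print(f"{label}: {'OK' if not found else found}")
```

Run as a script, the good sample passes and the broken one reports its three mismatches; to check a real webhook, paste the values shown on the Admin > Webhooks screen into the dict and call check_webhook with "us" or "eu" according to the RocketCyber instance. The body is compared after parsing it as JSON rather than as raw text, so harmless whitespace differences are ignored while a missing, renamed or mistyped field is still reported.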

 

---------------------

Tip: If you are having trouble receiving events from Datto EDR (after configuring the mapping in step 2), you can also navigate to the Webhooks section, click the tri-dot menu to the right of the webhook, and select View Errors to see whether any errors occurred while sending data.
