Configuring the RocketCyber - EDR integration

NAVIGATION   > Admin > Users & Tokens > API Tokens

NAVIGATION   > Admin > Webhooks

PERMISSIONS   Datto EDR subscription with administrator-level platform access

PERMISSIONS  Provider-level access to RocketCyber

RocketCyber Managed Security Operations Center (SOC) provides a 24/7 team of security analysts that detect and respond to threats across endpoints, networks, and cloud attack vectors, enabling IT professionals to cut through the noise and focus on critical issues that need remediating. Round-the-clock monitoring eliminates the need to recruit and staff highly-compensated cyber engineers to detect, triage, and examine the mountains of threat data from various point solutions. Skilled SOC analysts escalate only critical action items. RocketCyber’s automated remediation and isolation technologies provide guidance and apply remedies to quarantine a compromised endpoint on the network until it is vetted clean.

This article describes the steps to integrate RocketCyber with your EDR instance.

Prerequisites

To set up the RocketCyber integration, you'll need

  • Administrator-level permissions in both Datto EDR and RocketCyber.

  • webhooks that will send critical alert information to the RocketCyber SOC.

  • the base URL for your Datto EDR instance.

  • an API token for dedicated use with RocketCyber.

Procedure

  1. Within the EDR platform, navigate to > Admin > Users & Tokens > API Tokens.

  2. Create a dedicated API token for dedicated use with RocketCyber. Refer to Generating Datto EDR API tokens.

  1. Make a note of the API token you created (copy it) and the base URL of your EDR instance. For example, if the URL of your instance is https://harknessindustries.infocyte.com, your base URL is harknessindustries.infocyte.com.

    NOTE  The API key expires one year after creation. You will need to refresh the key at least once a year to ensure continued integration.

  2. Proceed to RocketCyber configuration.

  1. From within your RocketCyber instance, in the left navigation pane, click Integrations.
  2. Click the Endpoint Security tab. Then, click the Datto EDR / AV tab.

  1. In the Enter your Datto EDR / AV access token field, paste the API token you created and copied from EDR.

  2. In the Enter your Datto EDR / AV base URL field, enter the URL of your Datto EDR instance, followed by /api. For example, if the base URL of your instance is harknessindustries.infocyte.com, the URL you enter is https://harknessindustries.infocyte.com/api.

  3. Click Credential Test. If the credentials you entered are valid, a confirmation message is displayed.
  4. Click the Authenticate button.

  5. The organization mapping section will load, allowing you to map your Datto EDR/Datto AV locations/organizations (in the left column) to RocketCyber organizations (select in the right column).

NOTE  After successfully authenticating, a webhook will generate within Datto EDR so that it can send telemetry to RocketCyber. Do not change this webhook's settings unless it did not generate correctly. If you configured the integration, but see no data coming across when an event is triggered in Datto EDR, verify that the webhook was created properly. Refer to Creating Datto EDR webhooks for further details.

  1. When you have finished mapping, click Save Map.

    IMPORTANT  One site can be assigned to one RocketCyber customer. In the standalone version of Datto EDR, ensure that each customer is contained within one site. For the Datto RMM integrated version, you will map each customer to their corresponding site, which will appear in the customer mapping section.

  2. Navigate to your RocketCyber dashboard. A new Datto EDR / AV Monitor widget will be present. Click Review.

  3. Events generated by Datto EDR will be visible to RocketCyber. The SOC will be able to monitor events and create incidents to help you stay on top of your alerts.

If you see events in Datto EDR, but they are not populating in RocketCyber, you can perform the following steps to ensure that the webhook generated correctly and that there are no errors being logged.

  1. Navigate to > Admin > Webhooks.

  2. Locate the webhook named RocketCyber-integration.

  3. Verify Method: = POST. Click RocketCyber-integration.



  4. Ensure that all aspects of its configuration match the following:

URL:

  • If you are using app.rocketcyber.com (US instance): https://web-receiver.us.rocketcyber.com/api/datto_edr.

  • If you are using eu.rocketcyber.com (EU instance): https://web-receiver-eu.herokuapp.com/api/datto_edr.

  • Headers: Content-Type=application/json

  1. If the webhook appears to be configured correctly but you are having trouble receiving events from Datto EDR, click the More menu in the last column of the webhook. Select View Errors to see if there are any communication errors logged.