Adding an external analyst - Beta
IMPORTANT We strongly suggest reading this document in full and conducting internal testing with an external analyst user before rollout. This approach will solidify your understanding of the feature and help minimize end-customer inquiries.
NOTE This feature is currently available in Beta, indicating it is fully functional but released early to support ongoing enhancements. Please leave any feedback regarding the External Analyst feature using the in-product link to the Ideas Portal. Your feedback helps us continue improving this feature.
This article describes the External Analyst role and provides the steps for adding an external analyst.
Overview
The External Analyst feature in Datto EDR allows an administrator to create a new user with the External Analyst role and restrict their access within the EDR platform to assigned organizations. External analysts in your customer environment can log in and review the assigned organization for new alerts, initiate alert responses, and run scans on installed agents.
External analyst permissions
An external analyst has permissions for their assigned organization only.
External analysts can view the following data:
- Alerts
- Assigned organization details such as policies, locations, and deployed agents
- Quarantined files
External analysts can perform the following actions:
- Acknowledge, respond to, and export alerts
- Run EDR/AV scans on devices
- Restore/delete quarantined files
Important considerations
- Only users with the Admin role can create external analysts.
- External analysts must configure MFA within 7 days of account creation, or their account will be locked. Unlocking requires Datto Support.
- External analysts must use the "Login with Datto" method. If the administrator enforces "Login with Kaseya One", an exemption must be added for the external analyst in Account > Admin > Settings > Kaseya One.
- The Respond > Quarantined Files page is available only if the Datto EDR tenant subscribes to Datto AV.
- Multiple external analysts can be created for the same organization.

If you use the Datto RMM/EDR integration, it is recommended that you create individual organizations to which the external analyst user can be assigned. This avoids assigning an external analyst user to the Default RMM Organization, which serves as the default organization for newly created RMM sites.
Follow these steps to prepare a client organization in EDR for external analyst assignment.
Create the new organization
- In the top navigation menu of your instance, click Organizations.
- Click Add Organization.
- In the Add Organization modal, complete the following required fields:
Move locations to the new organization
- In the top navigation menu of your instance, click Organizations.
- In the left navigation menu, click Locations.
- In the Locations table, select the check box of the location you would like to move.
- In the last column, click the ellipses menu and select Move.
- In the Move to Organization drop-down list, select the new organization.

- In the top navigation menu, select > Admin.
- The Users & Tokens page is displayed. Click the Add User button.
- The Add User form is displayed. In the Email field, enter the user's email address.
- In the Role section, select the External Analyst option.
- In the Select Organization drop-down list, select the organization to which the new external analyst will be assigned.
- Click the Add button.
- The organization is listed in the Organization section. Click Save.

After you have successfully created an external analyst user, they will receive a welcome email with the subject "A new Datto user account has been created for you."
We recommend they complete account setup by clicking the temporary link to set up a password and then configuring MFA.
IMPORTANT The external analyst must configure MFA within 7 days of account creation; otherwise, their account will become locked. Unlocking a user's account requires intervention from Datto Support.
IMPORTANT At this time, the external analyst must use the Login with Datto method. If the administrator utilizes Enforce Login with Kaseya One, an exemption must be added for the external analyst user in Account > Admin > Settings > Kaseya One. See the article Integrating with KaseyaOne.
The external analyst can log into the EDR platform using one of the following methods:
- Enter auto.datto.com/login in their browser. If the user's email address is associated with other Datto accounts/products, they can switch accounts on the account-selection page.
- Enter the direct URL to your EDR instance in their browser, for example https://name.infocyte.com.
Interface details
The external analyst can access the following UI sections:
Alerts
- Alerts table:
The Alerts page contains a journal of suspected threats and notable adversary behaviors detected by the Datto EDR or Datto AV analysis engine on your endpoints in the last 30 days. From this location, you can audit, acknowledge, and respond to activity that may pose a concern to your environment.
For details on working with the alerts table, refer to the article Working with the Alerts page.
Here is an example of the Alerts page as it appears for an external analyst:
- Alert Detail page:
The Alert Detail page provides granular information about the conditions that triggered an alert and the endpoint from which it originated. From this page, you can quickly investigate incidents and carry out response actions to keep your customers safe.
For details on the functionality and feature set within the Alert Detail page, refer to the article Understanding the Alert Detail page. Here is an example of the Alert Detail page for a behavioral alert as it appears for an external analyst:
Respond
- Quarantined Files:
External Analysts will be able to initiate Delete/Restore actions for files quarantined by Datto AV in this section of the UI.
For more information on the functionality and navigation of this page, refer to the article Navigating the Respond page. Here is an example of the Quarantined Files page as it appears for an external analyst:
NOTE This feature is only available to Datto AV subscribers.

- Can an External Analyst create or delete users?
No.
- What happens if an organization has multiple analysts? Do they see each other's actions?
An external analyst does not have access to the Activity Log for the EDR tenant, but they are able to view queued and running tasks.
- Is external analyst activity audited/logged?
External analyst activity is logged like all other user activity in Datto EDR and can be audited by Admin users in the Admin > Activity section.
- Is the external analyst able to trigger alert responses without approval?
Yes, the external analyst can initiate alert responses against any alert under their assigned organization.
- What kind of alert responses is the external analyst able to initiate?
Host Isolation [Win/Linux], Host Isolation Restore [Win/Linux], Evidence Collector, Delete File, Terminate Process, Force System Reboot
- What's the difference between the External Analyst role and a normal (internal) Analyst role?
An external analyst has limited visibility in the EDR platform compared to the analyst role. Admins can control this visibility by editing their assigned organizations.
- What's the recovery process if they miss MFA setup?
If an external analyst user is locked out due to missing the MFA setup window, they must reach out to Datto Support to unlock their user account.
- Does adding external analysts count toward user licensing?
Datto EDR/AV does not bill based on user counts. You are allowed to create as many external analyst users as desired.
Revision | Date |
---|---|
Initial release. | 9/19/25 |
Added section: Create your organization structure. | 9/25/25 |