Best practices for integration with IT Complete
NAVIGATION > Admin > Integrations
SECURITY Datto EDR subscription with administrator-level platform access
IT Complete modules such as RocketCyber, Business Management Solution (BMS), Professional Services Automation (PSA) suites, and Datto Remote Monitoring and Management (dRMM) have overlapping ticketing and alerting options, which can cause system administrators to receive duplicate notifications if not properly configured.
This article provides guidance to assist users in setting up their systems for maximum value when using them with Endpoint Detection and Response (EDR). To learn more about the Datto RMM integration, refer to Understanding the Datto EDR + Datto RMM integration.
IMPORTANT When integrating EDR with other security products such as RocketCyber or RMM, you should only use EDR to manage your ransomware detection. Configuring ransomware detection across multiple modules creates duplicate processes on the endpoint, which causes increased resource utilization and process conflicts.
The table below includes best practices for enabling/disabling software when integrating IT Complete products.
Feature | EDR/AV Endpoint Security Portal | RocketCyber | RMM | PSA (Autotask, BMS) |
---|---|---|---|---|
Ransomware Detection | Enable in EDR. | Disable in RocketCyber. | Disable in RMM. | NA |
Windows Defender AV Management (free version) | Enable in EDR. | Disable in RocketCyber. | Disable in RMM. | NA |
Ticket Management (Kaseya 365 Express) | Integrate EDR with RMM to send EDR alerts to RMM. | NA | Integrate RMM with your PSA to receive alerts in PSA. | PSA is integrated with RMM only. |
Ticket Management (Kaseya 365 Pro) | Integrate EDR with RocketCyber to send alerts from EDR to RocketCyber. | Integrate RocketCyber with PSA to send alerts from RocketCyber to PSA. | Integrate RMM with your PSA to see alerts in PSA. EDR alerts shouldn't be sent to PSA from RMM. | PSA is integrated with RMM & RocketCyber. PSA must receive EDR incidents from RocketCyber only. |
Use cases
If you have integrated your EDR platform with dRMM and enabled the EDR profile, our EDR+iRMM simplified alert management will automatically send all high-severity alerts to dRMM, consolidating your security and system alerts in one place. No additional steps are necessary. Otherwise, select a topic to continue.
Designed for small MSPs with limited SOC members, this configuration will send all high- and critical-severity alerts from RMM to your PSA. It will restrict sending low- and medium-severity alerts to RMM.
- Integrate dRMM with your PSA.
- Set up the EDR security policy in dRMM to send high-criticality alerts to your PSA. Doing so enables MSPs to quickly ingest and respond to these events.
- MSPs should periodically review lower severity alerts within their EDR portal.
Designed for larger teams with separate Security- and System-level groups responsible for managing all notifications, EDR will send specified security alerts directly to your PSA, while dRMM will send all system events to the PSA. Optionally, you can send alerts to separate queues to assist larger teams.
- Configure EDR to send security alerts to the PSA.
- Set up dRMM to send system events (e.g., CPU, memory) to the PSA.
- Separate security and RMM alerts into different queues for efficient management.
RocketCyber is your SOC as a Service; it is responsible for the intake and triage of your security alerts. In this configuration, EDR will send all of its alerts to RocketCyber. Then, RocketCyber will triage and escalate only the events that require your attention to your PSA.
- Send all EDR alerts to RocketCyber for initial intake and triage. Then, forward them from RocketCyber to the MSP's PSA.
- To prevent duplicate events that could impact support teams, avoid sending alerts from both EDR and RocketCyber to the PSA.
This configuration is similar to PSA + RocketCyber + EDR, but in this configuration, RMM sends system alerts directly to your PSA. You can send security escalations from RocketCyber to a different queue than system alerts from dRMM.
- Direct all EDR alerts to RocketCyber for intake and triage.
- Configure the EDR policy in dRMM so that it does not send any EDR alerts to either the PSA or RocketCyber.
- Set up dRMM to send system events (such as CPU and memory) to the customer's PSA, allowing for separate processing queues for security and system events.
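
The duplicate-notification problem described in the table and use cases above can be checked by modeling the integrations as routes and counting how many distinct paths carry an EDR alert to the PSA. This is an added example, not Datto or Kaseya code; the route tuples, stream names, and function names are assumptions made for illustration and do not correspond to any product API or export format.

```python
# Added example: a hypothetical routing model, not a Datto or Kaseya API or export format.
# Each route is (sender, receiver, stream); stream is "security" (EDR alerts)
# or "system" (RMM events such as CPU and memory).

def delivery_paths(routes, source, sink, stream):
    """Return every distinct path that `stream` alerts take from source to sink."""
    nxt = {}
    for sender, receiver, s in routes:
        if s == stream:
            nxt.setdefault(sender, set()).add(receiver)
    paths, stack = [], [[source]]
    while stack:
        path = stack.pop()
        for hop in sorted(nxt.get(path[-1], ())):
            if hop == sink:
                paths.append(path + [hop])
            elif hop not in path:  # ignore forwarding loops
                stack.append(path + [hop])
    return sorted(paths)

def audit(routes, ransomware_enabled):
    """List findings for duplicate ticket paths and duplicate ransomware detection."""
    findings = []
    paths = delivery_paths(routes, "EDR", "PSA", "security")
    if len(paths) > 1:
        findings.append("duplicate EDR tickets: " + "; ".join(" > ".join(p) for p in paths))
    extra = sorted(set(ransomware_enabled) - {"EDR"})
    if extra:
        findings.append("ransomware detection also enabled in: " + ", ".join(extra))
    if "EDR" not in ransomware_enabled:
        findings.append("ransomware detection not enabled in EDR")
    return findings

# Constructed configurations based on the layouts described above.
PRO_RECOMMENDED = [
    ("EDR", "RocketCyber", "security"),
    ("RocketCyber", "PSA", "security"),
    ("RMM", "PSA", "system"),
]
# Same layout, but the EDR policy in RMM still forwards EDR alerts to the PSA.
PRO_MISCONFIGURED = PRO_RECOMMENDED + [
    ("EDR", "RMM", "security"),
    ("RMM", "PSA", "security"),
]

if __name__ == "__main__":
    for name, cfg in [("recommended", PRO_RECOMMENDED), ("misconfigured", PRO_MISCONFIGURED)]:
        print(name, audit(cfg, {"EDR"}) or "ok")
```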