EDR incidents in the ConnectWise Automate integration with GravityZone
In the ConnectWise Automate integration with GravityZone, you can enable alerts for Endpoint Detection and Response (EDR) incidents reported in the GravityZone console. Based on these alerts, the Bitdefender Plugin generates tickets in ConnectWise Automate and further in ConnectWise PSA (formerly ConnectWise Manage).
Current threats vs. blocked threats
EDR incidents are complex, continually evolving security events that Bitdefender monitors, reports, and acts on in GravityZone. Typically, managing an incident involves multiple Bitdefender protection layers and technologies in addition to the EDR module.
The Bitdefender plugin forwards information on EDR incidents to ConnectWise Automate as a single, regular alert type. Therefore, when enabling EDR alerts, you cannot select current and blocked threats separately, because a threat blocked at some point by a Bitdefender module could be part of a larger EDR incident that is still ongoing.
To enable Endpoint Detection and Response alerts in the ConnectWise Automate integration, you must go to Tools > Bitdefender GravityZone > Alerts Settings and select the corresponding check box. In addition, you can edit the severity of tickets that are going to be created, as described further down in this article.
For details on enabling alerts in the ConnectWise Automate integration, refer to Configuring the integration.
EDR severity level and ConnectWise Automate categories
In GravityZone, each EDR incident has a severity level based on parameters available with the EDR technology developed by Bitdefender. When creating tickets, the Bitdefender Plugin by default maps these severity levels to the categories that exist in ConnectWise Automate.
Default severity score intervals in GravityZone | EDR severity level in GravityZone | Ticket category in ConnectWise Automate
---|---|---
0-39 | Low | Low
40-75 | Medium | Medium
76-100 | High | High
However, you can edit the ticket category in ConnectWise Automate by changing the severity score intervals.
To change the severity score intervals, go to the Alert Settings page, under the Endpoint Detection and Response section, and move the sliders left or right, or enter the desired numeric values in the corresponding boxes.
For example, if you move the sliders to the numeric values of 88 and 94, respectively, you have the following ticket severity categories:
Low - for tickets with a score of 87 and below.
Medium - for tickets with a score between 88 and 93.
High - for tickets with a score of 94 and above.
That means fewer medium and high severity tickets would be generated compared to using the default GravityZone thresholds.
Tickets in ConnectWise Automate display the severity category, calculated according to your settings, in the Ticket Data tab > Category section. For reference, the Reading View tab shows the GravityZone severity level, calculated according to the default Bitdefender thresholds. For example, a ticket with a severity score of 62 is marked as "medium" in the Reading View tab, but if you have modified the thresholds as in the example above, its ticket category is "low". The GravityZone severity level is ignored when generating the ticket, because your custom settings have priority.
The Bitdefender Plugin creates a ticket for each EDR incident. As incidents evolve, the Bitdefender plugin updates the tickets accordingly and changes the severity category where applicable.
Creating tickets in ConnectWise PSA
In an environment that integrates ConnectWise PSA (formerly ConnectWise Manage), an EDR incident generates corresponding tickets in both ConnectWise Automate and ConnectWise PSA.
To generate ConnectWise PSA tickets, you need to make certain configurations in the ConnectWise PSA plugin. Specifically, you have to map the GravityZone severity levels (low, medium, high) to the ConnectWise PSA priorities available with the service board you are using.
To map the severity levels, follow these steps:
In the ConnectWise PSA plugin, go to Ticket Management > Ticket Category.
In the grid, select these elements for each Bitdefender GravityZone severity level:
Service board
Priority
Service type
Save the configuration.
You may have more than three values in the priorities list in ConnectWise PSA. Selecting a certain priority for a GravityZone severity level depends entirely on your preferences.
Note
To make sure the tickets are generated, check the settings in these sections as well:
Server Connection
Company/Site Sync
Ticket Sync
What ConnectWise tickets contain
ConnectWise tickets display the same information in ConnectWise Automate and ConnectWise PSA as received from GravityZone via the Event Push Service API. Details include:
Client name
Computer name
Incident ID
Attack entry (a string indicating the node where the attack started)
Main action taken regarding the incident
Detection name
Severity score (a number between 0 and 100)
Severity (on a three-level scale: low, medium, high)
File hash (MD5 and SHA256)
Port of access for the detected threat
Process PID where the threat was detected
Process path
Process command line
Parent process PID
Parent process path
Attack types
MITRE ATT&CK IDs
Logged in user name
Logged in user SID
As incidents evolve, tickets are updated accordingly. The subsequent updates are appended to the initial payload and they indicate what details have changed, including severity and the action taken by Bitdefender. The common element between iterations is Incident ID, which does not change.
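As an added example (not part of the Bitdefender plugin or this article), the following Python model shows the two behaviours described above: mapping a severity score to a ticket category using the two slider values, and updating an existing ticket by Incident ID while recording which details changed. The event field names are constructed for illustration and are not the real Event Push Service schema.

```python
from dataclasses import dataclass, field

# GravityZone defaults: Medium starts at 40, High at 76 (the two slider values)
DEFAULT_THRESHOLDS = (40, 76)


def category(score: int, thresholds=DEFAULT_THRESHOLDS) -> str:
    """Map a 0-100 severity score to Low/Medium/High.
    thresholds = (lower bound of Medium, lower bound of High)."""
    medium_from, high_from = thresholds
    if not 0 <= score <= 100:
        raise ValueError(f"severity score out of range: {score}")
    if not 0 <= medium_from <= high_from <= 100:
        raise ValueError("Medium threshold must not exceed High threshold")
    if score >= high_from:
        return "High"
    if score >= medium_from:
        return "Medium"
    return "Low"


@dataclass
class Ticket:
    incident_id: str
    data: dict                  # latest known details (constructed field names)
    category: str               # category under the plugin's configured thresholds
    history: list = field(default_factory=list)  # appended updates, changed fields only


class TicketStore:
    """One ticket per Incident ID; later events update the same ticket."""

    def __init__(self, thresholds=DEFAULT_THRESHOLDS):
        self.thresholds = thresholds
        self.tickets = {}

    def ingest(self, event: dict) -> Ticket:
        iid = event["incident_id"]
        cat = category(event["severity_score"], self.thresholds)
        if iid not in self.tickets:
            self.tickets[iid] = Ticket(iid, dict(event), cat)
            return self.tickets[iid]
        ticket = self.tickets[iid]
        # Record only the details that changed since the last payload
        changed = {k: v for k, v in event.items() if ticket.data.get(k) != v}
        if cat != ticket.category:
            changed["category"] = cat
            ticket.category = cat
        ticket.data.update(event)
        ticket.history.append(changed)
        return ticket
```

With the sliders at 88 and 94, a score of 62 yields a "Low" ticket even though GravityZone's default level for it is "Medium"; a later payload for the same Incident ID that raises the score updates that ticket rather than creating a second one.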