EDR incidents in the ConnectWise Automate integration with GravityZone
In the ConnectWise Automate integration with GravityZone, you can enable alerts for Endpoint Detection and Response (EDR) incidents reported in the GravityZone console. Based on these alerts, the Bitdefender plugin generates tickets in ConnectWise Automate and further in ConnectWise Manage.
Current threats vs. blocked threats
EDR incidents are complex, continually evolving security events that Bitdefender constantly monitors, reports, and acts on in GravityZone. Typically, managing an incident involves multiple Bitdefender protection layers and technologies in addition to the EDR module.
The Bitdefender plugin forwards the information on EDR incidents to ConnectWise Automate in that same form, as whole incidents. Therefore, when enabling EDR alerts, you cannot select current and blocked threats separately, because a particular threat blocked at some point by a Bitdefender module may be part of a larger EDR incident that is still ongoing.
Learn how to enable EDR alerts in the ConnectWise Automate Integration Guide.
EDR severity level and ConnectWise Automate categories
In GravityZone, each EDR incident has a severity level based on parameters available with the EDR technology developed by Bitdefender. When creating tickets, the Bitdefender plugin maps the severity levels to categories as they exist in ConnectWise Automate.
EDR severity in GravityZone | Ticket category in ConnectWise Automate
---|---
Info | Low
Low | Low
Medium | Medium
High | High
The Bitdefender plugin creates a ticket for each EDR incident. As incidents evolve, the Bitdefender plugin updates the tickets accordingly and changes their category where applicable.
Creating tickets in ConnectWise Manage
In an environment that also integrates ConnectWise Manage, an EDR incident generates corresponding tickets in both ConnectWise Automate and ConnectWise Manage.
To generate ConnectWise Manage tickets, you need to make certain configurations in the ConnectWise Manage plugin. Specifically, you have to map the GravityZone severity levels (low, medium, high) to the ConnectWise Manage priorities available with the service board you are using.
Follow these steps:
In the ConnectWise Manage plugin, go to Ticket Management > Ticket Category.
In the grid, select these elements for each Bitdefender GravityZone severity level:
Service board
Priority
Service type
Save the configuration.
You may have more than three values in the priorities list in ConnectWise Manage. Selecting a certain priority for a GravityZone severity level depends entirely on your preferences.
Note
To make sure the tickets are generated, check the settings in these sections as well:
Server Connection
Company/Site Sync
Ticket Sync
What ConnectWise tickets contain
ConnectWise tickets display the same information in Automate and Manage, as received from GravityZone via the Event Push Service API:
Client name
Computer name
Incident ID
Attack entry (a string indicating the node where the attack started)
Main action taken regarding the incident
Detection name
Severity score (a number between 0 and 100)
Severity (on a three-level scale: low, medium, high)
File hash (MD5 and SHA256)
Port of access for the detected threat
Process PID where the threat was detected
Process path
Process command line
Parent process PID
Parent process path
Attack types
MITRE ATT&CK IDs
Logged-in user name
Logged-in user SID
As incidents evolve, tickets are updated accordingly. The subsequent updates are appended to the initial payload and they indicate what details have changed, including severity and the action taken by Bitdefender. The common element between iterations is Incident ID, which does not change.
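The ticket lifecycle described above (one ticket per incident, category derived from severity, later iterations appended as deltas keyed by the unchanging Incident ID) as an added illustration. This is not Bitdefender plugin code, and the event field names and sample values are constructed assumptions, not the real Event Push Service schema.

```python
# Added illustration, not the Bitdefender plugin's code. Event field names
# (incident_id, severity, main_action, ...) and sample values are constructed.
from typing import Any

# GravityZone severity level -> ticket category in ConnectWise Automate
SEVERITY_TO_CATEGORY = {"info": "Low", "low": "Low", "medium": "Medium", "high": "High"}
# Fields whose change is worth recording in the ticket's update history
TRACKED_FIELDS = ("severity", "severity_score", "main_action", "detection_name", "mitre_attack_ids")


def category_for(severity: str) -> str:
    """Map a GravityZone severity level to the Automate ticket category."""
    try:
        return SEVERITY_TO_CATEGORY[severity.lower()]
    except KeyError:
        raise ValueError(f"unknown GravityZone severity: {severity!r}")


def apply_event(tickets: dict[str, dict[str, Any]], event: dict[str, Any]) -> dict[str, Any]:
    """Create or update the ticket keyed by the incident ID; return the ticket."""
    incident_id = event["incident_id"]
    ticket = tickets.get(incident_id)
    if ticket is None:
        # First iteration: the full payload becomes the initial ticket body
        ticket = {"incident_id": incident_id, "payload": dict(event),
                  "category": category_for(event["severity"]), "updates": []}
        tickets[incident_id] = ticket
        return ticket
    # Later iteration: append only what changed, then refresh the category
    changed = {f: (ticket["payload"].get(f), event[f]) for f in TRACKED_FIELDS
               if f in event and event[f] != ticket["payload"].get(f)}
    if changed:
        ticket["updates"].append(changed)
        ticket["payload"].update(event)
        ticket["category"] = category_for(ticket["payload"]["severity"])
    return ticket


# Constructed sample: two pushes for one incident, severity escalated later
SAMPLE_EVENTS = [
    {"incident_id": "INC-0001", "computer_name": "WS-17", "severity": "low",
     "severity_score": 25, "main_action": "reported", "detection_name": "Sample.Detection"},
    {"incident_id": "INC-0001", "computer_name": "WS-17", "severity": "high",
     "severity_score": 85, "main_action": "blocked", "detection_name": "Sample.Detection"},
]


def demo() -> dict[str, dict[str, Any]]:
    """Replay the sample pushes and return the resulting ticket store."""
    tickets: dict[str, dict[str, Any]] = {}
    for ev in SAMPLE_EVENTS:
        apply_event(tickets, ev)
    return tickets
```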