
Bitdefender B2B Help Center

EDR incidents in the ConnectWise Automate integration with GravityZone

In the ConnectWise Automate integration with GravityZone, you can enable alerts for Endpoint Detection and Response (EDR) incidents reported in the GravityZone console. Based on these alerts, the Bitdefender plugin generates tickets in ConnectWise Automate and further in ConnectWise Manage.

Current threats vs. blocked threats

EDR incidents are complex, continually evolving security events that Bitdefender constantly monitors, reports, and acts on in GravityZone. Managing an incident typically involves multiple Bitdefender protection layers and technologies in addition to the EDR module.

The Bitdefender plugin forwards EDR incident information to ConnectWise Automate as a single alert type. Therefore, when enabling EDR alerts, you cannot select current and blocked threats separately, because a particular threat blocked at some point by a Bitdefender module may be part of a larger EDR incident that is still ongoing.

[Image: edr-alerts.PNG]

Learn how to enable EDR alerts in the ConnectWise Automate Integration Guide.

EDR severity level and ConnectWise Automate categories

In GravityZone, each EDR incident has a severity level based on parameters available with the EDR technology developed by Bitdefender. When creating tickets, the Bitdefender plugin maps the severity levels to categories as they exist in ConnectWise Automate.

EDR severity in GravityZone    Ticket category in ConnectWise Automate
Info                           Low
Low                            Low
Medium                         Medium
High                           High

The Bitdefender plugin creates a ticket for each EDR incident. As incidents evolve, the Bitdefender plugin updates the tickets accordingly and changes their categories where applicable.

Creating tickets in ConnectWise Manage

In an environment that also integrates ConnectWise Manage, an EDR incident generates corresponding tickets in both ConnectWise Automate and ConnectWise Manage.

To generate ConnectWise Manage tickets, you need to configure certain settings in the ConnectWise Manage plugin. Specifically, you have to map the GravityZone severity levels (low, medium, high) to the ConnectWise Manage priorities available with the service board you are using.

Follow these steps:

  1. In the ConnectWise Manage plugin, go to Ticket Management > Ticket Category.

  2. In the grid, select these elements for each Bitdefender GravityZone severity level:

    • Service board

    • Priority

    • Service type

  3. Save the configuration.

[Image: cwManagePlugin-severities.PNG]

You may have more than three values in the priorities list in ConnectWise Manage. Selecting a certain priority for a GravityZone severity level depends entirely on your preferences.

Note

To make sure the tickets are generated, check the settings in these sections as well:

  • Server Connection

  • Company/Site Sync

  • Ticket Sync

What ConnectWise tickets contain

ConnectWise tickets display the same information in Automate and Manage, as received from GravityZone via the Event Push Service API:

  • Client name

  • Computer name

  • Incident ID

  • Attack entry (a string indicating the node where the attack started)

  • Main action taken regarding the incident

  • Detection name

  • Severity score (a number between 0 and 100)

  • Severity (on a three-level scale: low, medium, high)

  • File hash (MD5 and SHA256)

  • Port of access for the detected threat

  • Process PID where the threat was detected

  • Process path

  • Process command line

  • Parent process PID

  • Parent process path

  • Attack types

  • MITRE ATT&CK IDs

  • Logged in user name

  • Logged in user SID

As incidents evolve, tickets are updated accordingly. The subsequent updates are appended to the initial payload and they indicate what details have changed, including severity and the action taken by Bitdefender. The common element between iterations is Incident ID, which does not change.
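The following Python model illustrates the two behaviours described on this page together: the severity-to-category mapping from the table above, and the way later iterations of the same incident are correlated on Incident ID and appended to the initial payload as a list of changed details. It is an added example, not code from the Bitdefender plugin, and the dictionary keys (incident_id, severity_score, main_action and so on), the sample events and the placeholder hash are constructed for illustration; the real Event Push Service payload uses its own field names.

```python
"""How EDR incident events become ConnectWise tickets keyed on Incident ID.

Added illustration, not Bitdefender plugin code. The dictionary keys used for
the event fields are constructed for this example; the real Event Push Service
payload uses its own schema.
"""
from dataclasses import dataclass, field
from typing import Any

# GravityZone EDR severity -> ConnectWise Automate ticket category (table above).
SEVERITY_TO_CATEGORY = {"info": "Low", "low": "Low", "medium": "Medium", "high": "High"}

# Fields whose changes between iterations are reported in a ticket update.
TRACKED_FIELDS = ("severity", "severity_score", "main_action", "detection_name",
                  "attack_types", "mitre_attack_ids")


def category_for_severity(severity: str) -> str:
    """Map a severity label (case-insensitive) to a ticket category."""
    try:
        return SEVERITY_TO_CATEGORY[severity.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown EDR severity: {severity!r}") from None


@dataclass
class Ticket:
    incident_id: str
    category: str
    initial_payload: dict[str, Any]                 # first event, kept verbatim
    current: dict[str, Any]                         # latest known state
    updates: list[dict[str, tuple]] = field(default_factory=list)  # appended diffs


class TicketSync:
    """One ticket per Incident ID; later events append updates instead of new tickets."""

    def __init__(self) -> None:
        self.tickets: dict[str, Ticket] = {}

    def ingest(self, event: dict[str, Any]) -> Ticket:
        incident_id = event.get("incident_id")
        if not incident_id:
            # Incident ID is the only stable correlation key; refuse events without it.
            raise ValueError("event carries no incident_id; cannot correlate it to a ticket")
        category = category_for_severity(event["severity"])
        ticket = self.tickets.get(incident_id)
        if ticket is None:
            ticket = Ticket(incident_id, category, dict(event), dict(event))
            self.tickets[incident_id] = ticket
            return ticket
        # Record only the tracked fields that actually changed since the last iteration.
        changes = {k: (ticket.current.get(k), event[k])
                   for k in TRACKED_FIELDS
                   if k in event and event[k] != ticket.current.get(k)}
        if changes:
            ticket.updates.append(changes)
            ticket.current.update({k: new for k, (_, new) in changes.items()})
            if "severity" in changes:
                ticket.category = category   # a severity change moves the ticket's category
        return ticket


def sync_events(events: list[dict[str, Any]]) -> dict[str, Ticket]:
    """Feed a sequence of events through one TicketSync and return its tickets."""
    sync = TicketSync()
    for ev in events:
        sync.ingest(ev)
    return sync.tickets


def render_ticket(ticket: Ticket) -> str:
    """Initial payload first, each update appended below it (as in the ticket views)."""
    lines = [f"Incident {ticket.incident_id} [{ticket.category}]"]
    lines += [f"  {k}: {v}" for k, v in ticket.initial_payload.items()]
    for n, upd in enumerate(ticket.updates, 1):
        lines.append(f"--- update {n} ---")
        lines += [f"  {k}: {old} -> {new}" for k, (old, new) in upd.items()]
    return "\n".join(lines)


# Constructed sample events: an incident first reported at Medium, then escalated
# to High and blocked, then re-sent unchanged. The hash and IDs are placeholders.
SAMPLE_EVENTS = [
    {"incident_id": "INC-EXAMPLE-1", "client_name": "Example Client", "computer_name": "WS-01",
     "severity": "Medium", "severity_score": 55, "main_action": "Reported",
     "detection_name": "Example.Detection", "attack_entry": "explorer.exe",
     "attack_types": ["Execution"], "mitre_attack_ids": ["T1059"],
     "file_hash_sha256": "00" * 32},
    {"incident_id": "INC-EXAMPLE-1", "severity": "High", "severity_score": 82,
     "main_action": "Blocked", "detection_name": "Example.Detection",
     "attack_types": ["Execution", "Defense Evasion"], "mitre_attack_ids": ["T1059", "T1055"]},
    {"incident_id": "INC-EXAMPLE-1", "severity": "High", "severity_score": 82,
     "main_action": "Blocked", "detection_name": "Example.Detection",
     "attack_types": ["Execution", "Defense Evasion"], "mitre_attack_ids": ["T1059", "T1055"]},
]

if __name__ == "__main__":
    for t in sync_events(SAMPLE_EVENTS).values():
        print(render_ticket(t))
```

Running the module prints one ticket: the initial Medium payload, followed by a single update showing the escalation to High and the action changing to Blocked. The third, unchanged event produces no update, and an event without an Incident ID is rejected rather than creating an orphan ticket, since that ID is the only field the page guarantees stays constant across iterations.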

Figure 5. A ConnectWise Automate ticket. Updates are displayed under the initial payload.


Figure 6. A ConnectWise Manage ticket. Updates are displayed under Discussion (the area is configurable).