
EDR incidents in the ConnectWise Automate integration with GravityZone

In the ConnectWise Automate integration with GravityZone, you can enable alerts for Endpoint Detection and Response (EDR) incidents reported in the GravityZone console. Based on these alerts, the Bitdefender Plugin generates tickets in ConnectWise Automate and further in ConnectWise PSA (formerly ConnectWise Manage).

Current threats vs. blocked threats

EDR incidents are complex, continually evolving security events that Bitdefender constantly monitors, reports, and takes action on in GravityZone. Typically, managing an incident involves multiple protection layers and technologies from Bitdefender in addition to the EDR module.

The Bitdefender plugin forwards the information on EDR incidents to ConnectWise Automate in the same way, as one ongoing incident. Therefore, when enabling EDR alerts, you cannot select current threats and blocked threats separately, because a particular threat blocked at some point by a Bitdefender module could be part of a larger EDR incident that is still ongoing.

To enable Endpoint Detection and Response alerts in the ConnectWise Automate integration, you must go to Tools > Bitdefender GravityZone > Alerts Settings and select the corresponding check box. In addition, you can edit the severity of tickets that are going to be created, as described further down in this article.


For details on enabling alerts in the ConnectWise Automate integration, refer to Configuring the integration.

EDR severity level and ConnectWise Automate categories

In GravityZone, each EDR incident has a severity level based on parameters available with the EDR technology developed by Bitdefender. When creating tickets, the Bitdefender Plugin maps by default the severity levels to categories as they exist in ConnectWise Automate.

Default severity score intervals in GravityZone | EDR severity level in GravityZone | Ticket category in ConnectWise Automate
0-39                                            | Low                               | Low
40-75                                           | Medium                            | Medium
76-100                                          | High                              | High

However, you can edit the ticket category in ConnectWise Automate by changing the severity score intervals.

To change the severity score intervals, go to the Alert Settings page, under the Endpoint Detection and Response section, and move the sliders left or right, or enter the desired numeric values in the corresponding boxes.

For example, if you move the sliders to the numeric values of 88 and 94, respectively, you have the following ticket severity categories:

  • Low - for tickets with a score of 87 and below.

  • Medium - for tickets with a score between 88 and 93.

  • High - for tickets with a score of 94 and above.

That means fewer medium and high severity tickets would be generated than with the default GravityZone thresholds.


Tickets in ConnectWise Automate display the severity category, calculated according to your settings, in the Ticket Data tab > Category section. If you have modified the severity thresholds as in the example presented above, the ticket category would be indicated as "low".


As a reference, you can view the GravityZone severity level, calculated according to the default Bitdefender thresholds, in the Reading View tab. In the case of a ticket with a severity score of 62, the GravityZone severity level in this area would be marked as "medium". However, this severity level is ignored when generating the ticket because your custom settings have priority.


The Bitdefender Plugin creates a ticket for each EDR incident. As incidents evolve, the Bitdefender plugin updates the tickets accordingly and changes the severity category where necessary.


Creating tickets in ConnectWise PSA

In an environment that integrates ConnectWise PSA (formerly ConnectWise Manage), an EDR incident generates corresponding tickets in both ConnectWise Automate and ConnectWise PSA.

To generate ConnectWise PSA tickets, you need to make certain configurations in the ConnectWise PSA plugin. Specifically, you have to map the GravityZone severity levels (low, medium, high) to the ConnectWise PSA priorities available with the service board you are using.

To map the severity levels, follow these steps:

  1. In the ConnectWise PSA plugin, go to Ticket Management > Ticket Category.

  2. In the grid, select these elements for each Bitdefender GravityZone severity level:

    • Service board

    • Priority

    • Service type

  3. Save the configuration.


You may have more than three values in the priorities list in ConnectWise PSA. Selecting a certain priority for a GravityZone severity level depends entirely on your preferences.

Note

To make sure the tickets are generated, check the settings in these sections as well:

  • Server Connection

  • Company/Site Sync

  • Ticket Sync

What ConnectWise tickets contain

ConnectWise tickets display the same information in ConnectWise Automate and ConnectWise PSA, as received from GravityZone via the Event Push Service API. Details include:

  • Client name

  • Computer name

  • Incident ID

  • Attack entry (a string indicating the node where the attack started)

  • Main action taken regarding the incident

  • Detection name

  • Severity score (a number between 0 and 100)

  • Severity (on a three-level scale: low, medium, high)

  • File hash (MD5 and SHA256)

  • Port of access for the detected threat

  • Process PID where the threat was detected

  • Process path

  • Process command line

  • Parent process PID

  • Parent process path

  • Attack types

  • MITRE ATT&CK IDs

  • Logged in user name

  • Logged in user SID

As incidents evolve, tickets are updated accordingly. The subsequent updates are appended to the initial payload and they indicate what details have changed, including severity and the action taken by Bitdefender. The common element between iterations is Incident ID, which does not change.
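The custom threshold mapping from the slider example above (88 and 94) and the Incident ID-keyed ticket updates just described, modelled together as an added Python example. This is not the Bitdefender plugin's code, and the field names in the constructed sample payloads (incidentId, severityScore, mainAction, computerName) are assumptions, not the Event Push Service API's schema.

```python
# Added example (not the Bitdefender plugin's code): a GravityZone EDR incident payload
# becomes a ConnectWise ticket categorised by the configurable severity thresholds, and
# later payloads carrying the same Incident ID update that ticket instead of creating one.
from dataclasses import dataclass, field

DEFAULT_THRESHOLDS = (40, 76)  # GravityZone defaults: 0-39 low, 40-75 medium, 76-100 high


def category(score: int, thresholds=DEFAULT_THRESHOLDS) -> str:
    """Map a 0-100 severity score to low/medium/high using the two slider values
    (medium_start, high_start): below medium_start is low, from high_start up is high."""
    medium_start, high_start = thresholds
    if not 0 <= medium_start <= high_start <= 100:
        raise ValueError("thresholds must satisfy 0 <= medium <= high <= 100")
    if not 0 <= score <= 100:
        raise ValueError("severity score must be between 0 and 100")
    return "low" if score < medium_start else "medium" if score < high_start else "high"


@dataclass
class Ticket:
    incident_id: str
    category: str
    payload: dict                                # initial event as received
    updates: list = field(default_factory=list)  # later events, appended in order


def process_event(tickets: dict, event: dict, thresholds=DEFAULT_THRESHOLDS) -> Ticket:
    """Create a ticket for a new Incident ID or append an update to the existing one.
    Incident ID never changes between iterations, so it is the ticket key; the
    category is recomputed from the custom thresholds on every update."""
    cat = category(event["severityScore"], thresholds)
    ticket = tickets.get(event["incidentId"])
    if ticket is None:
        ticket = tickets[event["incidentId"]] = Ticket(event["incidentId"], cat, event)
    else:
        ticket.updates.append(event)
        ticket.category = cat
    return ticket


# Constructed sample (assumed field names): two pushes for one incident, score rising 62 -> 95.
SAMPLE_EVENTS = [
    {"incidentId": "inc-0001", "computerName": "WS-01", "severityScore": 62, "mainAction": "blocked"},
    {"incidentId": "inc-0001", "computerName": "WS-01", "severityScore": 95, "mainAction": "isolated"},
]


def run(thresholds=DEFAULT_THRESHOLDS) -> Ticket:
    """Feed the sample events through process_event and return the single resulting ticket."""
    tickets: dict = {}
    for event in SAMPLE_EVENTS:
        ticket = process_event(tickets, event, thresholds)
    return ticket
```

With the defaults the first push opens the ticket as "medium" (score 62); with the custom sliders at 88 and 94 the same push opens it as "low", and the second push moves it to "high" in both cases.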

Figure 5. A ConnectWise Automate ticket. Updates are displayed under the initial payload.


Figure 6. A ConnectWise PSA ticket. Updates are displayed under Discussion (the area is configurable).