Cisco Umbrella for MSPs proactively notifies you of infected hosts that require action by creating tickets on a ConnectWise service board. When correctly integrated, Umbrella automatically checks for infected hosts being contained and creates tickets for you.
How a Service Ticket is Generated by Umbrella
Currently, the following criteria must be met in order to generate a ticket within a Service Board:
- Umbrella monitors your identities for blocked 'botnet activity.' This activity indicates an end point that is infected and that Umbrella is actively blocking attempts to "call home" for updates, to upload stolen data, or to be a part of a botnet. If an identity in your organization is repeatedly trying to reach a site categorized as 'botnet, this means that while we are containing the damage, the machine is infected with malware and needs additional action on your part for remediation.
- For categories such as malware or drive-by downloads, we don't create alerts when Umbrella prevents infections as those events are preventively blocking the user from visiting malicious sites and no additional action is required.
- Every four hours we check all of the organizations that are mapped to PSA organizations in your Umbrella for MSPs console.
- If a single identity, such as a computer with an agent installed or a network, has more botnet events than the "query threshold" within the four-hour block, the Umbrella Integration automatically opens a ticket within the Service Board defined by the Ticketing Integration in the Umbrella for MSPs console.
- If the same identity continues to generate additional botnet activity in the next four-hour window, or another time window after that, and the ticket is still open, the ticket will get additional data appended to it. Umbrella references the ticket by its ticket ID and will not create unnecessary duplicates even if a ticket is moved to another service board or if the copy is changed.
- However, if the ticket has been marked Closed, then a new ticket will be opened as it is assumed that this is a new botnet related security event—such as re-infection—or the same identity.
Configuring Service Board Integration with Umbrella for MSPs
- Navigate to PSA Integration > Integration Details. Your credentials should show as enabled already, as below. If they do not, check this article for more information on setting up your integration account.
- Skip to step 3 of the wizard: Set Ticketing Details
- Start by selecting the Board Name. All tickets will be placed on a single service board but will be properly mapped to your customer organizations, allowing you to use automation procedures. The list should match the list in your ConnectWise, as below:
- Once you've selected the appropriate board, select the Status for the Service Tickets that will be generated. Status is dynamically pulled from the list of statuses available on your chosen Service Board. For example:
- Select a Priority, which will be used when the ticket is first opened and should match your internal processes and the priorities. The list of priorities is dynamically pulled from your previously selected Service Board.
- Lastly, the Query Threshold is the number of Botnet events generated by a single identity before triggering the creation of a Service Ticket. By default, this is three events within a four-hour window, but you can modify the threshold as you see fit. You cannot modify the time window.
- Click Save to complete the Ticketing Details integration. In the future, if you'd like to modify or delete the Ticketing Integration, you can simply revisit this area of the Integration wizard.
Once completed, you should begin to see tickets arriving in your Service Board:
The Service Ticket will include the Identity name after the colon. The Identity name will match the most precise Identity available in the Umbrella dashboard such as the computer name from a computer with an Umbrella Agent installed, a network label with the public IP in parentheses or AD Identity if you are using the Umbrella VA.
The ticket itself will include the time and date it was created, along with the number of botnet queries, the number of remote domains contacted and the Identity name.