browse
Introduction
The Cisco Umbrella Autotask integration allows MSPs to be notified of potentially infected end-points requiring attention by automatically creating tickets in Autotask. The integration also pushes service deployment status and value data between the Cisco Umbrella Dashboard and an Autotask Autotask-installed product (automatically created) called "OpenDNS_Umbrella."
Steps to Integration:
- Prerequisites
- Initial Autotask Authentication and Cisco Umbrella Setup
- Configure Autotask Ticketing
- Company Mapping in Cisco Umbrella
- Setting up the "OpenDNS_Umbrella" Configuration Item
1. Prerequisites
The following table contains the base software requirements for installation:
Software |
Version |
Hosted Model |
Cisco Umbrella |
Not applicable |
Hosted |
Autotask |
6.0 or higher |
Hosted |
Note: Only one (1) PSA integration can be added at a time. If you already have a Connectwise integration configured, you must delete it from the dashboard before the Autotask setup can proceed.
2. Initial Autotask Authentication and Cisco Umbrella Setup
Establish a user for authentication:
To connect to the AutoTask API, Cisco Umbrella needs a login for Autotask. This can be a new user resource account or an existing shared login.
- Existing user: If you already have an Autotask login that you use for integrations, please check that the account is set as an API User. The account should not be using two-step authentication.
-
New user: To create a new user resource:
- Log in to your Autotask dashboard.
- Select Admin > CiscoResources (Users) > New.
- Fill in the personal information requirements for the user under the HR tabs.
- Under the Security tab, ensure the Security Level for this user is set to "API User (system)".
Note: The user for authentication must have the “View Unprotected Data” checkbox selected in Admin > Features & Settings > Resources/Users (HR) > Security > Protected Data Permission > [the user for authentication].
Note: Effective June 1, 2021, the user for authentication must have an API Tracking Identifier set. For more information, please see this Umbrella Knowledge Base article: Changes to Autotask PSA integration with Umbrella
Once an account has been created or selected, navigate to Umbrella for MSPs.
- Navigate to MSP Settings > PSA Integration Details.
- Select Set-Up Integration to open the Integration wizard.
- Under Select PSA, select Autotask as the Integration type, then select Save and Continue.
- Next, you'll be asked to enter the account selected earlier (e-mail address and password) and verify your credentials to select a Material Billing Code:
Select the appropriate Material Billing Code:
Once you've authenticated, the Material Billing Code will show a selection with your existing Autotask material billing code. At a later time, you can change the material billing code for the "OpenDNS_Umbrella" product within Autotask if you wish.
Select Save & Continue.
3. Configure Autotask Ticketing
Cisco Umbrella for MSPs proactively notifies you of infected hosts that require action by creating tickets within an Autotask Service Desk queue. When correctly integrated, Cisco Umbrella will automatically check for infected hosts being contained and create tickets for you.
How a Service Queue Ticket is generated by Cisco Umbrella:
Currently, the following criteria must be met to generate a ticket within an Autotask Service Desk queue:
- Cisco Umbrella monitors your identities for "botnet activity" being blocked. This activity indicates an endpoint that is infected and that Cisco Umbrella is actively blocking attempts to "call home" for updates, to upload stolen data, or to be a part of a botnet. If an identity in your organization is repeatedly trying to reach a site categorized as "botnet. This means that while Cisco Umbrella is containing the damage, the machine is infected with malware and needs additional action on your part for remediation.
- Cisco Umbrella does not create alerts when it prevents infections for categories such as malware or drive-by downloads since those events are preventively blocking the user from visiting malicious sites. No additional action is required.
- Every four hours, Cisco Umbrella checks all of the organizations that are mapped to PSA organizations in your Cisco Umbrella for MSP console.
- If a single identity, such as a computer with an agent installed or a network, has more botnet events than the "query threshold" (three by default) within the four-hour block, the Cisco Umbrella Integration automatically opens a ticket within the Service Desk defined by the Ticketing Details Integration in the Integration wizard. You can change the query threshold there.
- If the same identity continues to generate additional botnet activity in the next four-hour window (or another time window after that) and the ticket is still open, additional data will be appended to the ticket.
- Cisco Umbrella references the ticket by its ticket number and will not create unnecessary duplicates even if a ticket is moved to another service desk queue or the copy is changed.
- If the ticket has been marked Closed, then a new ticket will be created as it is assumed that this is a new botnet-related security event (such as re-infection) for the same identity.
Set Ticketing Details:
If you're following the Integration wizard, you should be on step 3 of the Integration wizard. If you are configuring ticketing later, select PSA Integration > Integration Details. Your credentials should show as enabled but ticketing as disabled.
- Selecting Ticketing > Disabled brings you to Set Ticketing Details.
- First, select a queue. This example uses the Triage queue to leave tickets in. You must select the queue first to populate the additional fields:
- After selecting your queue, wait a few seconds for the detail to be populated for the remaining fields, then select the appropriate one. Each field in the Cisco Umbrella Dashboard should map to the equivalent field within the tickets for the Service Desk queue selected.
The exact parameters for each field will vary slightly based on your implementation. One field of note is the Query Threshold, which is the number of botnet activities from a single identity that are blocked before the ticket is created.
- Complete all fields as applicable, then select Save and Continue.
The fourth and final step of the integration allows you to review all of your settings to ensure they're what you expect.
Note: If you would like to generate a test ticket, please contact Cisco Umbrella Support with a request to do so. This ticket will obey your Autotask ticketing rules.
4. Company Mapping in Cisco Umbrella
Mapping customer companies enables the integration and allows tickets and installed products to be associated with the customer account. The Installed Product "OpenDNS_Umbrella" contains valuable statistics about the customer usage and efficacy of Cisco Umbrella and is configured in Step 5.
To synchronize customers between Autotask and Cisco Umbrella, you must have the Account ID for each customer. This may not be shown in Autotask by default.
- To see the customer ID in the Autotask dashboard, select CRM, then choose My Accounts from the drop-down list. Each account has an account ID in the properties for that account visible by double-clicking on the account name which opens a pop-up window showing the Account ID.
- To see all of the Account IDs for your customers in the overview, you must expose a new column. Right-click the columns to show the Column Chooser.
- Within the column chooser, move the Account ID column to the Selected Columns.
This should show you the Account ID for the customer:
- Once you have the account ID for your customer, return to Cisco Umbrella for MSPs.
- Navigate to Customer Management to show a list of the customers you’ve configured in your console
Note: If there are no customers listed here, you’ll need to add customers to your Cisco Umbrella for MSPs MSP. Please read the Cisco Umbrella for MSPs User Guide for more information. - Next, select the customer to map to Autotask. This example uses "Able Manufacturing Co."
- Earlier, we found that Able Manufacturing Co. has an Account ID of 29683561. Select the name of the customer and then enter the Company Account ID under the field for PSA ID.
- Select Save to confirm the change. You should receive a confirmation message about the integration being enabled. From that point forward, the PSA ID will show next to the customer it's enabled for in the Customer Details.
- To confirm your integration is enabled, navigate to Centralized Reports > Deployment Status. If it's operational, a PSA Status column will be populated.
- Organizations with valid PSA IDs will show up with a green Active status.
- Organizations that do not have a PSA ID value will show up with a gray Inactive status.
5. Setting up the "OpenDNS_Umbrella" Configuration Item (Optional)
Once the PSA Company ID has been successfully integrated, an Installed Product/Configuration Item named OpenDNS_Umbrella will be automatically created.
You can view the Configuration Item under Directory > Accounts and then select one of the accounts you integrated in Step 4. Within this account, there should now be a Configuration Item for OpenDNS_Umbrella.
Note that by default, the Configuration Item will include all possible fields and the Cisco Umbrella fields we’ve added in the integration. Some fields are not filled as they are not applicable to Cisco Umbrella, such as Brand or Make & Model.
To change the product to not include these fields, set up a unique Configuration type for Cisco Umbrella.
Configuration Type Setup
Configuration items created in Autotask through the Cisco Umbrella integration create user-defined fields (UDFs) for your Cisco Umbrella auto-updated information. By default, a new product will show all UDFs, and a configuration item type is recommended. Due to limitations with the current Autotask API, creating a Configuration Item Type within Autotask is limited to manual intervention by you or your Autotask administrator. The following table provides a list of all fields which should be added to your Configuration Item Type.
# |
Field Name |
Type |
1 |
Organization Id |
Text (Single Line) |
2 |
Last Updated |
Text (Single Line) |
3 |
Package |
Text (Single Line) |
4 |
Seats |
Text (Single Line) |
5 |
Networks Total |
Text (Single Line) |
6 |
Networks Active in Last 7 Days |
Text (Single Line) |
7 |
Networks Inactive in Last 7 Days |
Text (Multi-Line) |
8 |
Umbrella Agents Deployed |
Text (Single Line) |
9 |
Umbrella Agents Active in Last 7 Days |
Text (Single Line) |
10 |
Umbrella Agents Inactive in Last 7 Days |
Text (Multi-Line) |
11 |
DNS Queries Last Month |
Text (Single Line) |
12 |
Malware Infections Prevented Last Month |
Text (Single Line) |
13 |
Botnet Infections Contained Last Month |
Text (Single Line) |
14 |
Top Domains Last Month |
Text (Multi-Line) |
15 |
Top Domains Blocked Last Month |
Text (Multi-Line) |
16 |
Top Categories Last Month |
Text (Multi-Line) |
For users who are unfamiliar with the setup of new Configuration Item Types in Autotask, please follow the instructions below to create the new record in the system:
- Sign in to Autotask as an administrator.
- Navigate to the Admin section using the top menu.
- Navigate to Products and Services > Products > Configuration Items and select "Configuration Items Types."
- Select the New Configuration Item Type menu option above the list of current types.
- Enter a name for your new Configuration Item Type.
- Select New and enter the field information for the first field at the top above.
- Repeat step 6 until you have added all the fields in the table above to the new item type.
- Save and close your new Configuration Item Type.
Product Setup
The Cisco Umbrella integration will automatically create a Product within your Autotask implementation to tie configuration items to when being created. After the product has been created in your system, Cisco Umbrella recommends that you update the product definition with settings that best reflect your business standards and needs.
To identify the product definition and update its settings follow these steps:
- Sign in to Autotask as an administrator.
- Navigate to the Admin section using the top menu.
- Navigate to Products and Services > Products and select Products.
- Type "Umbrella" into the Product Name search field and select Search.
- Select the Umbrella product to view its details.
- Update the product definition to reflect your desired settings.
- Select Save & Close.
Notes:
- Do not change the Product Name string from "OpenDNS_Umbrella" to something else. This will break the integration, but if you did rename it, rename it back to fix the issue.
- Make sure "Active: is selected as you see in the screenshot above.
The definitions of each of the Cisco Umbrella AutoTask fields that will be updated and included in the Configuration Item are listed in the table below:
Field |
Description |
Organization Id |
Umbrella internal organization ID |
Last Updated |
Date at which the last sync with Umbrella took place |
Seats |
Total number of seats applied to this company. |
Networks Total |
Total number of networks applied to this company |
Networks Active (7 Days) |
Total number of active networks in the last seven days |
Networks Inactive (7 Days) |
List of network names inactive in the last seven days |
Umbrella Agents Deployed |
Number of Umbrella Roaming agents deployed |
Umbrella Agents Active 7 Days |
Number of Umbrella Roaming agents active in the last seven days |
Umbrella Agents Inactive 7 Days |
Names of Umbrella Roaming agent identities inactive in the last seven days |
DNS Queries Last Month |
Total number of DNS requests for this company in the previous calendar month |
Malware Infections Prevented Last Month |
Number of sites hosting malware prevented from access in the previous calendar month |
Botnet Infections Contained Last Month |
Number of sites hosting botnet command and control prevented from access in the previous calendar month |
Top Domains Last Month |
List of the names of the most heavily accessed domains in the previous calendar month |
Top Domains Blocked Last Month |
List of the names of the most frequently blocked domains in the previous calendar month |
Top Categories Last Month |
List of content categories most frequently requested in the previous calendar month, including number of requests per category |