Unify enhances SaaS Alerts’ event data with device data from supported RMM platforms.
After mapping devices to their respective accounts, Unify can prove that users know their password, have the MFA token, and that they are accessing the SaaS application from a known device.
Unify Configuration Steps
- Connect a supported RMM to SaaS Alerts
- Map RMM Organizations to SaaS Alerts Organizations
- Map Devices to their corresponding Accounts
- Enable Respond and utilize templates to create your first rule
After attaching your supported RMM (Connectwise Automate, Datto RMM, Kaseya VSA, N-Able N-Central RMM, Ninja RMM, and Syncro RMM) to the SaaS Alerts platform, proceed to the second step (RMM Organization Mapping) of the wizard.
Note: If you have an existing RMM connection, you can access the RMM Organization Mapping screen by accessing the Organizations screen from the main navigation menu, editing the Organization that the RMM is connected to and then clicking the edit pencil next to the RMM.
In order for the devices from the RMM to be attached to the proper organization within SaaS Alerts, it is necessary to map the RMM organizations to the corresponding SaaS Alerts organizations.
Each RMM organization can be mapped only once. Each time an RMM is mapped, it will automatically move from the Unmapped tab to the Mapped tab, and that RMM organization will no longer be able to be selected in the drop down.
If a mistake is made, or an organization needs to be unmapped, head to the Mapped tab, and you can remove the mapping there by clicking the X next to the organization.
Note: When you unmap an Organization, all Devices and their Account mappings will be removed within 15 minutes.
When all mappings are complete, choose Finish. It will take 15 minutes for the devices to be imported, and for the suggested mappings to be presented in the Unify tab.
The Unify Module
The Unify module is used to map the devices that are imported to their respective Accounts, as well as to see and remove devices that are mapped to Accounts. You access it by clicking the Unify icon on the main navigation menu.
Begin by selecting the Organization with the devices that need to be mapped. The number next to the Organization is the total number of unmapped devices.
For each device, a list of Suggested Accounts is presented. The Suggested Account(s) for each device is calculated 15 minutes after mapping an Organization, as well as being recalculated once per day.
The Confidence Score indicates how confident Unify is that the suggested account(s) for the device are accurate.
The Confidence Score is calculated by comparing device data from the RMM to all events for the Organization that owns that device.
Click on the Confidence Score any place a single suggested account exists to see what data is being compared and what the specific values are for that device.
A 50% Confidence Score is a “magic” number for Unify. A Confidence Score of 50% means that the Public IP address and the Operating System match 100% between the device and the account(s) that have been suggested.
A score below 50% means that Unify does not see any IP and OS match in events for that account, so the suggestion is not considered confident. A Confidence Score over 50% means that the IP and OS match exactly, and that some combination of device name and locally logged on user for that device also matches the event's data. Anything over 50% is considered to be a strong indication of confidence.
Note: Because public IP address and OS have such a heavy weight in the Confidence Score, employee-dense offices where users share the same public IP address and use a standard OS image may have many accounts suggested for the same device. The tie-breaker here will be the device name and the current username for that device.
Minimum Confidence Filter and Single Device Checkbox
By default, the minimum confidence filter is set to 50%. This is to ensure that the Accounts that are presented have a decent likelihood of being the proper account for that device.
Increase this to have Unify recommend only Accounts where additional event and device data beyond IP and OS match.
If devices are not presented, because of this filter, it can be lowered to 0%, and the devices will appear, even if there is no suggested Account for that device.
To speed up mapping of many devices, the minimum confidence filter (suggestion: use > 60%) can be combined with the Only devices with a single suggested account checkbox to focus mapping on very high certainty accounts.
There will be two types of actions available in the Suggested Accounts column: Mapping a single suggested account, and viewing potential accounts where multiple accounts are possible.
To map a single Account to the device, click on Map, right below the suggested Account. The device will disappear from this list and move to the Mapped Accounts tab upon successful mapping.
To view the potential Accounts, click on See potential accounts. The Potential Accounts screen will pop up where each potential Account and that Account’s confidence score is presented. Click on Map with device to select the proper Account for that device.
The Mapped Accounts tab is used to:
- View which Accounts have mapped devices
- See which devices are mapped to a particular Account
- Remove device mappings
Begin by selecting the Organization with the Accounts that you would like to view. The number next to the Organization is the total number of Accounts with mapped devices.
Click on View Devices to see that Account’s mapped Devices.
Click on Unmap Device to remove that device from that Account. It will be removed from this list, and placed back into the Unmapped Devices tab.
Real Time Alerts and Analyze Device Column
The Real Time Alerts and the Analyze modules have been enhanced with a Unify-powered Device column. The Device column provides insight into the events and how they relate to the Account's known Devices.
These are the values that can be presented in this column:
Known Device: Device Name and Confidence Score
This indicates that the event has enough data for Unify to compare the event data to the Account’s mapped device(s), and that the event data matches at least the public IP address and OS of one of the Account’s devices.
To view the details of the Confidence Score, click on the device’s name in the Device column.
This indicates that the event has enough data for Unify to compare the event data to the Account’s mapped device(s), and that the event data does NOT match the public IP address and OS of one of the Account’s devices.
No Mapped Devices for Account
This indicates that the Account that created this event does not have any mapped devices associated with it. To map devices, follow the instructions above.
Incomplete device data in event
This indicates that the event data is missing the main components necessary for Unify to compare the event data to the device data. There is nothing you can do about this; it is either a limitation in the data provided by the SaaS provider, or an enhancement that SaaS Alerts needs to complete to get data that is available, but not yet being ingested.
This indicates that the event was performed from a Mobile OS (iOS, Android). Unify ignores mobile devices, because it is uncommon to have Mobile devices in RMMs. There is nothing you can do about this at this time. Future enhancements may address this.
Unify-Powered Respond Rules
Unify, when combined with Respond, enables partners to check that events are occurring on known (or unknown) devices based on the device data from the RMM.
To enable Unify Respond conditions, click on the event property filter next to the event you would like to enhance with Unify conditions.
When setting up Respond event conditions that utilize Unify functionality, it is important to understand the main items required and how they impact the Respond trigger logic.
- Unify Can Evaluate - Indicates that the event has enough data to be able to evaluate with Unify.
- Is Mapped: Unify Device is Mapped - Indicates that the Account that generated the event has at least one device mapped to it.
- Is Mobile OS - (Set to false): Indicates that the event was/was not generated on a mobile device.
- Mapped Confidence: Unify Mapped Confidence Score - indicates whether the device is known or unknown, and then how certain Unify is of that.
Note: A confidence score of less than 50% means that Unify considers the device to be Unknown. 50% means that the OS and Public IP in the event data and device data match. Greater than 50% and Unify has matched the Public IP, the OS and has at least a partial match in one other set of data (like device name or currently logged in user).
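The sketch below is an added illustration, not SaaS Alerts code, of why an unknown-device rule should combine all four conditions instead of testing the confidence score alone. The field names, the order of the checks and the use of None for a missing score are assumptions; the 50% threshold comes from the note above.

```python
from dataclasses import dataclass
from typing import List, Optional

KNOWN_THRESHOLD = 50  # per the note: 50% = public IP and OS match; below = unknown


@dataclass
class Event:
    # Hypothetical field names mirroring the four Respond conditions.
    unify_can_evaluate: bool
    is_mapped: bool
    is_mobile_os: bool
    mapped_confidence: Optional[int]  # percent; None when no score exists (assumption)


def device_status(ev: Event) -> str:
    """Classify an event along the lines of the Device column values."""
    if ev.is_mobile_os:
        return "mobile"              # Unify ignores mobile OS events
    if not ev.unify_can_evaluate:
        return "incomplete"          # event lacks the data needed to compare
    if not ev.is_mapped:
        return "no_mapped_devices"   # nothing to compare the event against
    if ev.mapped_confidence is not None and ev.mapped_confidence >= KNOWN_THRESHOLD:
        return "known"
    return "unknown"


def naive_hits(events: List[Event]) -> List[int]:
    """Weak rule: score check only; a missing score is read as 0."""
    return [i for i, e in enumerate(events)
            if (e.mapped_confidence or 0) < KNOWN_THRESHOLD]


def guarded_hits(events: List[Event]) -> List[int]:
    """Rule with all four conditions: fires only on a real 'unknown' verdict."""
    return [i for i, e in enumerate(events) if device_status(e) == "unknown"]


# Constructed sample events (not real product data).
SAMPLE = [
    Event(True, True, False, 75),     # 0: IP + OS + device name match
    Event(True, True, False, 50),     # 1: IP + OS match only
    Event(True, True, False, 20),     # 2: evaluable, mapped, no IP/OS match
    Event(False, True, False, None),  # 3: incomplete device data in event
    Event(True, False, False, None),  # 4: account has no mapped devices
    Event(True, True, True, None),    # 5: mobile OS
]

if __name__ == "__main__":
    print("naive  :", naive_hits(SAMPLE))
    print("guarded:", guarded_hits(SAMPLE))
```

On the constructed events, the score-only rule also fires on the incomplete, unmapped and mobile events, while the guarded rule fires only on the evaluable, mapped, non-mobile event that scored below 50%.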
Templates are available in the Rule Templates section of Respond that demonstrate the power of Unify+Respond. They address the following scenarios:
- Logon Failure from an unknown device
- Successful logon from an unknown device
- Outside Approved Location from a mapped device
- Outside Approved Location from an unknown device
If I had an RMM set up previously, what do I need to do to turn on Unify?
Go to the RMM Organization Mapping screen by accessing the Organizations screen from the main navigation menu, editing the Organization that the RMM is connected to and then clicking the edit pencil next to the RMM.
What is the confidence score, and how is it calculated?
The confidence score is calculated by comparing the data from the last 30 days of events to the data in devices from the RMM. Currently the data being compared are:
- Public IP address
- Operating system
- Account email address
- Account full name
- Name of the device
- Current logged in user
- Recently logged in users
Note that public IP and operating system are heavily weighted and account for 50% of the confidence score.
Why do I not see the proper user recommended for the device?
The suggested account functionality requires real activity for the account in question, and the events associated with that activity must have a public IP address match and an OS match with the device. This means that if there are no recorded alerts for an account that have an OS and Public IP address match with their respective device in the last 30 days, the account will not be offered as a suggested account for the device.
Why do I see so many accounts suggested for the devices for my corporate office clients?
Because the IP and OS are heavily weighted, an office with many people on similar operating systems will cause all of the accounts in that office to reach 50% confidence. In situations where this occurs, it is recommended that the minimum confidence score filter be increased to at least 51% to ensure that at least a partial match in the device name and the current user is considered.
I am getting Unknown device for a device that I am sure is a mapped device. Why?
This is likely related to timing. When a public IP address changes on a mapped device, it takes time for the RMM to recognize the change. Then, SaaS Alerts needs to get that data from the RMM.
It can potentially be as long as 20 minutes (5 minutes for the RMM agent to update the RMM and then 15 minutes before SaaS Alerts gets the data from the RMM).
Future releases will likely address this timing issue.
Does Unify support IPv6?
It does not at this time.
Future releases will likely address this.