Skip to main content

How can we help you?

Search

Setup Instructions for Unify

Updated: Michael Garrett Edited:

Unify Overview

Unify enhances SaaS Alerts’ event data with device data from supported RMM platforms.

After mapping devices to their respective accounts, Unify can prove that users know their password, have the MFA token, and that they are accessing the SaaS application from a known device.

Unify Configuration Steps

  • Connect a supported RMM to SaaS Alerts
  • Map RMM Organizations to SaaS Alerts Organizations
  • Map Devices to their corresponding Accounts
  • Enable Respond and utilize templates to create your first rule

RMM Configuration

After attaching your supported RMM (Connectwise Automate, Datto RMM, Kaseya VSA, N-Able N-Central RMM ,Ninja RMM, and Syncro RMM) to the SaaS Alerts platform, proceed to the second step (RMM Organization Mapping) of the wizard.

Note: If you have an existing RMM connection, you can access the RMM Organization Mapping screen by accessing the Organizations screen from the main navigation menu, editing the Organization that the RMM is connected to and then clicking the edit pencil and then clicking the RMM tool you wish to update (NinjaOne shown in example).

 

Organization Mapping

In order for the devices from the RMM to be attached to the proper organization within SaaS Alerts, it is necessary to map the RMM organizations to the corresponding SaaS Alerts organizations.

Each RMM organization can be mapped only once. Each time an RMM is mapped, it will automatically move from the Unmapped tab to the Mapped tab, and that RMM organization will no longer be able to be selected in the drop down.

02._RMM_Organization_Mapping_Screen.png

 

If a mistake is made, or an organization needs to be unmapped, head to the Mapped tab, and you can remove the mapping there by clicking the X next to the organization.

Note: When you unmap an Organization, all Devices and their Account mappings will be removed within 15 minutes.

 

03._RMM_Organization_Unmapping.png

When all mappings are complete, choose Finish. It will take 15 minutes for the devices to be imported, and for the suggested mappings to be presented in the Unify tab.

 

The Unify Module

The Unify module is used to map the devices that are imported to their respective Accounts, as well as to see and remove devices that are mapped to Accounts. You access it by clicking the Unify icon on the main navigation menu.

04._Unify_Module_Icon.png

 

"Unmapped Devices" tab

Begin by selecting the Organization with the devices that need to be mapped. The number next to the Organization is the total number of unmapped devices.

05._Unify_Unmapped_Devices_Org_Selection.png

Suggested Accounts

For each device, a list of Suggested Accounts is presented. The Suggested Account(s) for each device is calculated 15 minutes after mapping an Organization, as well as being recalculated once per day.

 

Confidence Score

The Confidence Score indicates how confident Unify is that the suggested account(s) for the device are accurate. 

The Confidence Score is calculated by comparing device data from the RMM to all events for the Organization that owns that device.

Click on the Confidence Score any place a single suggested account exists to see what data is being compared and what the specific values are for that device.

 

06._Unify_Confidence_Score_Details.png

 

50% Confidence Score is a “magic” number for Unify. When a Confidence Score equals 50%, that means that the Public IP address and the Operating System matches 100% between the device and the account(s) that have been suggested.

Less than 50% and Unify does not see any IP and OS match in events for that account, and thus would be considered to not be confident. If the Confidence Score is over 50%, that means that the IP and OS match exactly, and that some combination of device name and locally logged on user for that device also matches the event ‘s data. Anything over 50% is considered to be a strong indication of confidence.

Note: Because public IP address and OS have such a heavy weight in the Confidence Score, employee-dense offices where users have the same public IP address, and utilize a standard OS image, it is possible to have many accounts suggested for the same device. The tie-breaker here will be the device name and the current username for that device.

 

Minimum Confidence Filter and Single Device Checkbox

By default, the minimum confidence filter is set to 50%. This is to ensure that the Accounts that are presented have a decent likelihood of being the proper account for that device.

Increase this to have Unify recommend only Accounts where additional event and device data beyond IP and OS match.

If devices are not presented, because of this filter, it can be lowered to 0%, and the devices will appear, even if there is no suggested Account for that device.

 

07._Minimum_confidence_filter.png

To speed up mapping of many devices, the minimum confidence filter (suggestion: use > 60%)  can be combined with the Only devices with a single suggested account checkbox to focus mapping on very high certainty accounts.

10._Combine_Filters.png

 

Mapping Devices

There will be two types of actions available in the Suggested Accounts column: Mapping a single suggested account, and viewing potential accounts where multiple accounts are possible.

08._Mapping_-_Single_vs._Multiple.png

 

To map a single Account to the device, click on Map, right below the suggested Account. The device will disappear from this list and move to the Mapped Accounts tab upon successful mapping.

To ignore a suggested device to be mapped to a specific account simply click on the "Ignore Device" button and the device will be send to the "Ignore Devices" tab.

 

To view the potential Accounts, click on See potential accounts. The Potential Accounts screen will pop up where each potential Account and that Account’s confidence score is presented. Click on Map with device to select the proper Account for that device.

09._Potential_Accounts.png

 

"Mapped Accounts" tab

The Mapped Accounts tab is used to:

  • View which Accounts have mapped devices
  • See which devices are mapped to a particular Account
  • Remove device mappings 

 

11._Mapped_Accounts.png

Begin by selecting the Organization with the Accounts that you would like to view. The number next to the Organization is the total number of Accounts with mapped devices.

Click on View Devices to see that Account’s mapped Devices.

Click on Unmap Device to remove that device from that Account. It will be removed from this list, and placed back into the Unmapped Devices tab.

 

12._Unmap_Device.png

 

"Ignored Devices" tab

From this screen you are able to review and undo devices previously set to be ignored by the MSP Admin during the mapping process. Once you remove a device from the ignored list, it will be available for mapping under the "Unmapped Devices" tab.

 

 

"Automation" tab

Turning the "Automation" ON will automatically map suggested accounts to their devices as soon
as enough data is available to accurately predict the proper account.

Devices will be mapped as long as they are not in the ignore list, are not already mapped, and
meet the settings picked by the MSP Admin from the "Configuration Options" section.

 

Real Time Alerts and Analyze Device Column

The Real Time Alerts and the Analyze modules have been enhanced with a Unify-powered Device column. The Device column provides insight into the events and how they relate to the Accounts known Devices.

13._Unify_Device_Column.png

 

These are the values that can be presented in this column:

Known Device: Device Name and Confidence Score

This indicates that the event has enough data for Unify to compare the event data to the Account’s mapped device(s), and that the event data matches at least the public IP address and OS of one the Account’s devices.

To view the details of the Confidence Score, click on the device’s name in the Device column.

 

14._Known_Device.png

 

Unknown Device

This indicates that the event has enough data for Unify to compare the event data to the Account’s mapped device(s), and that the event data does NOT match the public IP address and OS of one the Account’s devices.

18._Unknown_Device.png

 

No Mapped Devices for Account

This indicates that the Account that created this event does not have any mapped devices associated with it. To map devices, follow the instructions above.

15._No_Mapped_Devices.png

 

Incomplete device data in event

This indicates that the event data is missing the main components necessary for Unify to compare the event data to the device data. There is nothing you can do about this; it is either a limitation in the data provided by the SaaS provider, or an enhancement that SaaS Alerts needs to complete to get data that is available, but not yet being ingested.

16._Incomplete_data.png

 

Mobile OS

This indicates that the event was performed from a Mobile OS (IOS, Android). Unify ignores mobile devices, because it is uncommon to have Mobile devices in RMMs. There is nothing you can do about this at this time. Future enhancements may address this.

17._Mobile_Device.png

 

Unify-Powered Respond Rules

Unify, when combined with Respond, enables partners to check that events are occurring on known (or unknown) devices based on the device data from the RMM.

To enable Unify Respond conditions, click on the event property filter next to the event you would like to enhance with Unify conditions.

19._Add_Respond_Conditions.png

When setting up Respond event conditions that utilize Unify functionality, it is important to understand the main items required and how they impact the Respond trigger logic.

20._Unify_Conditions.png

  • Unify Can Evaluate - Indicates that the event has enough data to be able to evaluate with Unify.
  • Is Mapped: Unify Device is Mapped - Indicates that the Account that generated the event has at least one device mapped to it.
  • Is Mobile OS - (Set to false): Indicates that the event was/was not generated on a mobile device.
  • Mapped Confidence: Unify Mapped Confidence Score - indicates whether the device is known or unknown, and then how certain Unify is of that.

Note: A confidence score of less than 50% means that Unify considers the device to be Unknown. 50% means that the OS and Public IP in the event data and device data match. Greater than 50% and Unify has matched the Public IP, the OS and has at least a partial match in one other set of data (like device name or currently logged in user).

 

Respond Templates

Templates are available in the Rule Templates section of Respond that demonstrate the power of Unify+Respond. They address the following scenarios:

  • Logon Failure from an unknown device
  • Successful logon from an unknown device
  • Outside Approved Location from a mapped device
  • Outside Approved Location from an unknown device

21._Unify_Templates.png

 

FAQ

If I had a RMM setup prior, what do I need to do to turn on Unify?

Go to the RMM Organization Mapping screen by accessing the Organizations screen from the main navigation menu, editing the Organization that the RMM is connected to and then clicking the edit pencil next to the RMM.

What is the confidence score, and how is it calculated?

The confidence score is calculated by comparing the data from the last 30 days of events to the data in devices from the RMM. Currently the data being compared are:

  • Public IP address
  • Operating system
  • Account email address
  • Account full name
  • Name of the device
  • Current logged in user
  • Recently logged in users

Note that public IP and operating system are heavily weighted and account for 50% of the confidence score.

 

Why do I not see the proper user recommended for the device?

The suggested account functionality requires real activity for the account in question, and the events associated with that activity must have a public IP address match and an OS match with the device. This means that if there are no recorded alerts for an account that have an OS and Public IP address match with their respective device in the last 30 days, the account will not be offered as a suggested account for the device.

 

Why do I see so many accounts suggested for the devices for my corporate office clients?

Because the IP and OS are heavily weighted, an office with many people on similar operating systems will cause all of the accounts in that office to reach 50% confidence. In situations where this occurs, it is recommended that the minimum confidence score filter be increased to at least 51% to ensure that at least a partial match in the device name and the current user is considered.

 

I am getting Unknown device for a device that I am sure is a mapped device. Why?

This is likely related to timing. When a public IP address changes on a mapped device, it takes time for the RMM to recognize the change. Then, SaaS Alerts needs to get that data from the RMM.

It can potentially be as long as 20 minutes (5 minutes for the RMM agent to update the RMM and then 15 minutes before SaaS Alerts gets the data from the RMM).

Future releases will likely address this timing issue.

 

Does Unify support IPV6?

It does not at this time.

Future releases will likely address this.

Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.