Using your existing RMM agent, Unify reconciles device data with SaaS data to ensure only authorized users on authorized devices can gain access to critical company SaaS applications. And, it’s not just for Microsoft 365. Most of the SaaS applications protected by SaaS Alerts are fully supported with the Unify module.
At a base level, there is no downside to enabling Unify and mapping devices. With this minimal configuration, the only thing that changes is that SaaS events and alerts are enhanced with additional context related to the device performing the SaaS activity.
The only time that Unify changes the behavior of SaaS Alerts is when utilized with Respond.
Unify Configuration Steps
- Connect a supported RMM to SaaS Alerts
- Configure your RMM to present the MSFT Entra Device ID to SaaS Alerts. KB Article here.
- N-Central Only: Ensure you have followed the “Schedule an Automation Policy for Public IP Addresses” section in the N-Central KB.
- Map RMM Organizations to SaaS Alerts Organizations
- Map Devices to their corresponding Accounts
- Optional: Utilize the automation to simplify mapping and unmapping.
- Optional: Enable Respond and utilize templates to create your first rule
RMM Configuration
After attaching your supported RMM (Connectwise Automate, Datto RMM, Kaseya VSA, N-Able N-Central RMM, Ninja RMM, and Syncro RMM) to the SaaS Alerts platform, proceed to the second step (RMM Organization Mapping) of the wizard.
Don’t forget:
- Configure your RMM to present the MSFT Entra Device ID to SaaS Alerts. KB Article here.
- N-Central Only: Ensure you have followed the “Schedule an Automation Policy for Public IP Addresses” section in the N-Central KB.
Note: If you have an existing RMM connection, you can access the RMM Organization Mapping screen by accessing the Organizations screen from the main navigation menu, editing the Organization that the RMM is connected to and then clicking the edit pencil and then clicking the RMM tool you wish to update (NinjaOne shown in example).
Organization Mapping
In order for the devices from the RMM to be attached to the proper organization within SaaS Alerts, it is necessary to map the RMM organizations to the corresponding SaaS Alerts organizations.
Each RMM organization can be mapped only once. Each time an RMM organization is mapped, it automatically moves from the Unmapped tab to the Mapped tab, and that RMM organization can no longer be selected in the drop-down.
If a mistake is made, or an organization needs to be unmapped, head to the Mapped tab, and you can remove the mapping there by clicking the X next to the organization.
Note: When you unmap an Organization, all Devices and their Account mappings will be removed within 15 minutes.
When all mappings are complete, choose Finish.
It will take 15 minutes for the devices to be imported, and for the suggested mappings to be presented in the Unify tab. You will not see any devices until this backend process finishes.
Confidence Rating
The Confidence Rating is central to understanding how Unify works.
From within the Unify module, the Confidence Rating indicates how confident Unify is that the suggested account(s) for the device are accurate.
From within the Analysis module and when viewing events and alerts, the Confidence Rating indicates how confident Unify is that the detected device proposed for that event is accurate.
The Confidence Score is calculated by comparing device data imported from the RMM to all events for that device’s respective Organization.
The Unify Module
The Unify module is used to map the devices that are imported to their respective Accounts, as well as to see and remove devices that are mapped to Accounts. You access it by clicking the Unify icon on the main navigation menu.
"Unmapped Devices" tab
The Unmapped Devices tab is used to:
- View which Devices have not been mapped to any accounts
- Inspect the OS, device type, Entra Device ID status, the recent IP addresses in use on the device and the recent users on the local device.
- Inspect which account(s) have been suggested for a device and see the confidence rating
- Take action on devices by either mapping an account directly, launching the account mapping tool or by ignoring the device.
Begin by selecting (or searching for) a specific Organization with the devices that need to be mapped, or select All Organizations. The number next to the Organization is the total number of unmapped devices.
Next, utilize the filters and options provided, and then click Retrieve Suggested Accounts.
Only devices with a single suggested account - Often, a device will have multiple suggested accounts with varying confidence ratings. This filter returns only devices with a single suggested account. A device with a single suggested account is often a stronger indicator of a correct match, regardless of the confidence score.
Show all unmapped devices, regardless of confidence rating - Sometimes a device will have no suggested accounts at all. This occurs when the Unify algorithm is unable to match SaaS activity to a device. Checking this will instruct Unify to return all devices, and from there you can manually map accounts to those devices.
Minimum confidence - This field will filter the device list to provide only accounts above the specified confidence level. By default, the minimum confidence filter is set to 50%. Increase this to have Unify recommend only Accounts where additional event and device data beyond IP and OS match.
Devices and their Suggested Accounts
Based on the filters selected, the devices will be displayed in the table.
The rows are color-coded by confidence score: 70% or higher green, 50% or higher yellow, otherwise white.
The Devices column lists the device names as well as icons to indicate detected OS, device type (desktop, laptop, etc.) and Entra Device ID information. Hovering over each component in the device column provides additional information about the device.
Hover over the Device Name, and it displays the last time the device checked into the RMM as well as the last time Unify pulled the information from the RMM.
Hover over the OS icon and it will provide the OS details.
Hover over the Device Type icon and it will display the device type description.
Hover over the Microsoft Entra icon and it will provide that device’s Entra Device ID or instructions on how to enable it if it’s missing.
For each device, a list of Suggested Account(s) is presented. The Suggested Account(s) for each device is calculated 15 minutes after mapping an Organization, as well as being recalculated once per day.
The Confidence Rating column provides the confidence rating for the account in question, or if there are multiple suggested accounts, the range of all the accounts.
The following is a general overview of the confidence score:
- Less than 50%: There are not enough data points in historical SaaS events for any account that matches the underlying data in the device. This is considered low confidence, and mapping may not make sense unless you are independently confident in the account/device suggestion.
- At least 50%: This is a “magic” number for Unify. This rating indicates that the device is a known device and likely means that the Public IP address and the Operating System matches 100% between the device and the account(s) that have been suggested. However, organizations with imaged systems with the same OS coming from the same IP address behind a corporate firewall or SASE solution can cause a 50% confidence score for many accounts and you may not want to trust it.
- Over 65%: The IP and OS match exactly, and some additional combination of device name, locally logged-on username or Microsoft Entra Device ID also matches the event's data. Anything over 65% is considered a strong indication of confidence.
Mapping and Ignoring Devices
The Potential Accounts column provides the account, or the number of accounts suggested if there are multiple accounts that match.
Clicking the folder with the down arrow adds that device to the ignore list, removing it from the Unmapped Devices tab and placing it in the Ignored Devices tab.
When there is a single account suggested, clicking the icon with the person will map that account to the device in one action.
In the event that there are multiple accounts suggested, using the pencil icon will open up the Account Mapping tool.
Each account that is suggested for this device will be displayed in the Potential Accounts on the left side of the mapping tool. Included will be the confidence rating for that account.
Any mapped accounts will be added to the Mapped Accounts list on the right side of the mapping tool.
The number of accounts can be increased or decreased based on the Confidence drop down on both the Potential Accounts and Mapped Accounts lists.
An account, or multiple accounts can be selected by clicking on them. When selected, the account will change from white to yellow. From there, accounts can be moved from left to right, or from right to left by utilizing the directional buttons in the middle of the lists.
Once complete, click the Save and Close button to lock in the mappings.
Note: the button will only be active if changes have been made.
Manually Mapping Accounts
In some cases, the account you need to map to the device is not offered as a suggested account for that device.
Unless this is because the device is new and/or the account in question has not yet performed enough activity on the device, manually mapping is not recommended. Why? If that specific account could not be suggested automatically for the device, it is unlikely we will be able to connect that account's activity back to the device during event/alert enrichment.
It’s recommended that you determine the cause of the account not being suggested, rather than manually mapping it.
That said, here’s how you manually map an account to a device.
Set the Confidence drop down in the Potential Accounts list to All:
Then, begin to type the account into the Account search field:
The account will now be displayed in the Potential Accounts list. It can be added just like any other account with an actual confidence rating.
Providing Feedback
Throughout Unify, thumbs up and thumbs down buttons have been placed to encourage feedback to be provided. This feedback is critical to tune Unify and continue to make it a better product and to provide you a better experience. Please use it often.
When the negative feedback button or icon is clicked, an additional feedback box will appear to provide granular information.
"Mapped Devices" tab
The Mapped Devices tab is used to:
- View which Accounts have mapped devices
- See which devices are mapped to a particular Account
- Remove device mappings
Begin by selecting (or searching for) a specific Organization with the mapped devices that you would like to see, or select All Organizations. The number next to the Organization is the total number of mapped devices. Click the Retrieve Mapped Devices button to display the mapped devices.
The Device column lists the device names as well as icons to indicate detected OS, device type (desktop, laptop, etc.) and Entra Device ID information. Hovering over each component in the device column provides additional information about the device.
Hover over the Device Name, and it displays the last time the device checked into the RMM as well as the last time Unify pulled the information from the RMM.
Hover over the OS icon and it will provide the OS details.
Hover over the Device Type icon and it will display the device type description.
Hover over the Microsoft Entra icon and it will provide that device’s Entra Device ID or instructions on how to enable it if it’s missing.
The Unify Type column displays whether the device is a Single mapped device, or a Shared device, and the number of accounts mapped to that device.
The Mapped Account(s) column will display the first account(s) that are mapped to the device with the View/Edit Accounts button that will launch the Account Mapping tool, where you can view, add or remove all of the mapped accounts.
"Ignored Devices" tab
From this screen you are able to review and undo devices previously set to be ignored by the MSP Admin during the mapping process. Once you remove a device from the ignored list, it will be available for mapping under the "Unmapped Devices" tab.
"Automation" tab
Mapping Automation
Turning the "Automatically Map Devices" toggle to ON will enable the selection of options to automatically map the highest rated suggested accounts to their respective devices.
Devices will be mapped as long as they are not in the ignore list, are not already mapped, and meet the settings from the "Configuration Options" section.
The automation runs once per day.
This feature has not been upgraded to support Shared devices, yet. It will map a single account to the device, and then ignore that device for any subsequent accounts.
Map devices for all organizations - This toggles whether this automation will impact all organizations (with an exclude list), or only specific organizations (include list). This toggle is used in conjunction with the organization pick list below it.
Only map if there is a single suggested account above confidence score - if OFF, the account with the highest confidence score out of all possible accounts will be mapped. If ON, mapping will only occur if there is only a single suggested account over the minimum confidence score.
Minimum confidence score - Map the account to the device when the confidence score is equal to or greater than this value. 65% is a good indicator of accuracy, a 75% confidence score is very solid and 100% is nearly certain.
Alert priority for automated mappings - An alert is generated anytime an automated mapping occurs. Setting this to Medium will create an alert that will likely generate a ticket in your PSA. Setting it to low will still log the alert, but will not be sent to your PSA.
Create Alert against - When the alert is created, choose whether it is created against your MSP's organization or logged against the organization to which the mapped device(s) belong.
Send one alert per - Choose whether you want an alert to be generated for each device mapping, or whether you would like to include all mappings for a single organization in one alert.
Map RMM(s) Organizations - This mirrors a similar setting in the RMM integration wizard. Turning this ON will automatically map Organizations if the name in the RMM matches the SaaS Alerts Organization 100% (including letter case, punctuation and spaces). This removes the need to map RMM Organizations manually for Unify device suggestions to begin populating.
Clicking the Run What If button shows what would happen if you were to save the current Automatic Mapping settings. Once the data populates, you can choose Accept and Commit Mappings Now to process the results immediately, rather than waiting until the scheduled run time.
Unmapping Automation
Unmap if device has not checked in within - When provided by the RMM or integrated product, Unify will unmap devices automatically when they have not checked into the integrated product within this amount of time. This is great to clean up mappings when devices have gone dormant.
Add device to the Ignore List when unmapping due to check-in date - Used in combination with the check in setting above, this moves the newly unmapped device into the Ignore List, so that it does not clutter up your unmapped list, and/or create a cycle of mapping/unmapping.
Unmap if confidence score for mapped account drops below - When an account's confidence rating for device it is mapped to drops below the specified amount, the device will be automatically unmapped.
Alert priority for automated unmappings - An alert is generated anytime an automated unmapping occurs. Setting this to Medium will create an alert that will likely generate a ticket in your PSA. Setting it to Low will still log the alert, but it will not be sent to your PSA.
Create Alert against - When the alert is created, choose whether it is created against your MSP's organization or logged against the organization to which the unmapped device(s) belong.
Send one alert per - Choose whether you want an alert to be generated for each device unmapping, or whether you would like to include all unmappings for a single organization in one alert.
Unmap devices for all organizations - When ON, Unify will process all devices for all organizations, except the ones that are selected in the list, below. When OFF Unify will process only the organizations selected in the list, below.
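The mapping and unmapping settings above combine into a per-device decision. The following Python model, added here as an illustration and not SaaS Alerts code, walks through those decisions the way a "Run What If" pass would: the setting names follow this article, while the device records, organization names, account addresses and the tie-breaking rule (a device whose top accounts tie is left for a human) are constructed assumptions.

```python
"""Model of the decisions made by the Unify Automation tab (mapping and unmapping).

Added illustration, not SaaS Alerts code. Setting names follow the article;
the device records, organization names and thresholds are constructed, and
tie-breaking between equally confident accounts is an assumption.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

@dataclass
class Device:
    name: str
    org: str
    suggested: dict                          # account -> confidence rating (0-100)
    mapped_account: Optional[str] = None     # automation handles single-account devices only
    ignored: bool = False
    last_checkin: Optional[datetime] = None  # None: the RMM does not report a check-in time

@dataclass
class MappingSettings:
    min_confidence: int = 65                 # "Minimum confidence score"
    single_only: bool = True                 # "Only map if there is a single suggested account above confidence score"
    all_orgs: bool = True                    # "Map devices for all organizations"
    org_list: frozenset = frozenset()        # exclude list when all_orgs is ON, include list when OFF

@dataclass
class UnmappingSettings:
    stale_after: Optional[timedelta] = timedelta(days=30)  # "Unmap if device has not checked in within"
    ignore_when_stale: bool = True           # "Add device to the Ignore List when unmapping due to check-in date"
    min_confidence: Optional[int] = 50       # "Unmap if confidence score for mapped account drops below"
    all_orgs: bool = True                    # "Unmap devices for all organizations"
    org_list: frozenset = frozenset()

def in_scope(all_orgs: bool, org_list: frozenset, org: str) -> bool:
    # Toggle ON: every organization except those listed; OFF: only those listed.
    return org not in org_list if all_orgs else org in org_list

def plan_mapping(device: Device, s: MappingSettings) -> Optional[str]:
    """Account the daily run would map to the device, or None if it would skip it."""
    if device.ignored or device.mapped_account or not in_scope(s.all_orgs, s.org_list, device.org):
        return None
    eligible = {acct: c for acct, c in device.suggested.items() if c >= s.min_confidence}
    if not eligible:
        return None
    if s.single_only:
        # ON: map only when exactly one account clears the threshold
        return next(iter(eligible)) if len(eligible) == 1 else None
    # OFF: the highest-confidence account wins; ties are left unmapped (assumption)
    top = max(eligible.values())
    winners = [acct for acct, c in eligible.items() if c == top]
    return winners[0] if len(winners) == 1 else None

def plan_unmapping(device: Device, s: UnmappingSettings, now: datetime) -> Tuple[Optional[str], bool]:
    """(reason, lands_on_ignore_list): reason is 'stale', 'low-confidence' or None."""
    if not device.mapped_account or not in_scope(s.all_orgs, s.org_list, device.org):
        return None, False
    # Check-in age is only evaluated when the RMM actually reports it
    if (s.stale_after is not None and device.last_checkin is not None
            and now - device.last_checkin > s.stale_after):
        return "stale", s.ignore_when_stale
    rating = device.suggested.get(device.mapped_account, 0)
    if s.min_confidence is not None and rating < s.min_confidence:
        return "low-confidence", False
    return None, False

def what_if(devices, ms: MappingSettings, us: UnmappingSettings, now: datetime) -> dict:
    """Mirror of 'Run What If': report the outcome without committing anything."""
    return {
        "map": {d.name: acct for d in devices if (acct := plan_mapping(d, ms))},
        "unmap": {d.name: plan_unmapping(d, us, now) for d in devices if plan_unmapping(d, us, now)[0]},
    }

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time
DEVICES = [  # constructed sample inventory
    Device("LT-01", "Org A", {"ann@example.test": 82}),
    Device("LT-02", "Org A", {"bob@example.test": 70, "cara@example.test": 68}),
    Device("LT-03", "Org A", {"dan@example.test": 95}, ignored=True),
    Device("LT-04", "Org B", {"eve@example.test": 88}),
    Device("WS-09", "Org A", {"fay@example.test": 60}, mapped_account="fay@example.test",
           last_checkin=NOW - timedelta(days=45)),
    Device("WS-10", "Org A", {"gus@example.test": 40}, mapped_account="gus@example.test",
           last_checkin=NOW - timedelta(days=2)),
]

if __name__ == "__main__":
    settings = MappingSettings(all_orgs=True, org_list=frozenset({"Org B"}))  # Org B excluded
    print(what_if(DEVICES, settings, UnmappingSettings(), NOW))
```

With the single-suggestion toggle ON, LT-02 is skipped even though both of its accounts clear 65%, which is the behaviour the toggle exists for; flip it OFF and bob@example.test is mapped because it has the higher rating. WS-09 is unmapped for being 45 days stale and lands on the ignore list, while WS-10 is unmapped because its mapped account dropped to 40% but stays in the unmapped list.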
Real Time Alerts and Analyze Device Column
Once the first account to device is mapped within Unify, the Real Time Alerts and the Analyze modules will be enhanced with a Unify-powered Device column, and a corresponding filter. The Device column provides additional context to the event about the device that is performing the activity.
Events will have devices categorized into the following types (called the “Unify Status”) and, in most cases, a corresponding confidence rating:
- Mapped (to this account) - A device with only a single mapped account and it is the account related to this event.
- Mapped (to another account) - A device with only a single mapped account and it is NOT the account related to this event.
- Shared (includes this account) - A device with multiple accounts mapped, and it includes the account related to this event.
- Shared (other accounts) - A device with multiple accounts mapped, and it does NOT include the account related to this event.
- Unmapped - a device within the organization, and it is NOT mapped to any accounts.
- Unmanaged, Unknown - A device that could not be correlated to any of the data within the event. This could be a BYOD device, a device that needs an agent installed on it, or an actual threat actor.
- Incomplete Event Data - The source event does not have the device metadata required to perform the analysis.
Event Details - Unify Tab
To understand why the device that is displayed was the detected device, what device metadata was used to calculate the confidence rating and to take action (like mapping), click on the device in the device column on that event.
The Event Details flyover will open and have the Unify tab in focus. The table on this screen shows the values and ratings for each of the device’s metadata and what the result of the comparison was. These values roll up to the main confidence rating.
Mapping Directly from an Event
For certain detected device Unify Statuses, mapping actions can be taken:
- Unmapped - The account can be mapped to the device.
- Mapped (to another account) - The account on the event can replace the account that is currently mapped to the device, or the device can be turned into a shared device by adding the account to the device’s mapped account list.
- Shared (other accounts) - Add the account to the existing list of accounts on the shared device.
Note: Changing the mappings on a device will NOT adjust historical events and alerts in the system. The mappings will only impact FUTURE events.
Providing Feedback
Throughout Unify, thumbs up and thumbs down buttons have been placed to encourage feedback to be provided. This feedback is critical to tune Unify and continue to make it a better product and to provide you a better experience. Please use it often.
When the negative feedback button or icon is clicked, an additional feedback box will appear to provide granular information.
Under the hood: Unify Detection Algorithm Process Order and Additional Device Field Details
While a lot of what happens behind the scenes inside the Unify Algorithm is secret sauce, here is a general overview of how the detection process works.
- Enough data? - Does the source event have the device metadata required for Unify to perform its analysis? If so, continue. If not, set the Unify Status on the event as Incomplete Event Data.
- Device check for organization - Are there any devices at all for the organization in question? If so, continue. If not, set the Unify Status on the event to Organization without devices.
- Microsoft Entra Device ID - If the source event includes a Microsoft Entra Device ID, Unify will check all devices within the account’s organization for a match. If one is found, regardless of whether it is mapped to the specific account or not, the device with the matching Microsoft Entra Device ID will be the detected device. Otherwise, continue.
- Account Mapped Devices - Iterate through all of the devices that include the account as a mapped account and compute a confidence rating for each. If any of the devices have a confidence rating of 50% or higher, choose the device with the highest confidence rating as the detected device. Otherwise, continue.
- All Organization Devices - Iterate through all of the devices that exist in the organization and compute a confidence rating for each. If any of the devices have a confidence rating of 50% or higher, choose the device with the highest confidence rating as the detected device. Otherwise, continue.
- Unknown, Unmanaged - If no devices were detected as part of the prior steps, set the Unify Status as Unknown, Unmanaged.
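The process order above, the 50% threshold and the Unify Status categories from the Real Time Alerts section fit together as one function. The Python model below is an added illustration and not SaaS Alerts code: the step order, threshold and status names are taken from this article, but the point weights inside score() are an assumption standing in for the undisclosed algorithm (IP and OS 25 each so that a full IP+OS match is the 50% baseline; device name, local username and Entra Device ID 20 each), and the devices, accounts, IP addresses and Entra Device IDs are constructed.

```python
"""Model of the Unify detection process order and the Unify Status it produces.

Added illustration, not SaaS Alerts code. Step order, the 50% threshold and
the status names come from the article; the weights in score() are assumed,
and all devices, accounts, IPs and Entra Device IDs are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class Device:
    name: str
    org: str
    os: str
    public_ips: Set[str]                     # recent public IPs reported by the RMM
    local_users: Set[str]                    # recent local logons on the device
    entra_id: Optional[str] = None
    mapped_accounts: Set[str] = field(default_factory=set)

@dataclass
class Event:
    account: str
    org: str
    ip: Optional[str]
    os: Optional[str]
    device_name: Optional[str] = None
    entra_id: Optional[str] = None

def score(event: Event, device: Device) -> int:
    """Assumed weights: IP and OS 25 each, so IP+OS together is the 50% baseline;
    device name, local username and Entra Device ID add 20 each, capped at 100."""
    base = (25 if event.ip in device.public_ips else 0) + (25 if event.os == device.os else 0)
    if base < 50:
        return base                          # not a known device: stays below the threshold
    extra = 0
    if event.device_name and event.device_name == device.name:
        extra += 20
    if event.account.split("@")[0].lower() in {u.lower() for u in device.local_users}:
        extra += 20
    if event.entra_id and event.entra_id == device.entra_id:
        extra += 20
    return min(100, base + extra)

def status_for(account: str, device: Device) -> str:
    """Unify Status for a detected device, relative to the account on the event."""
    n = len(device.mapped_accounts)
    if n == 0:
        return "Unmapped"
    if n == 1:
        return "Mapped (to this account)" if account in device.mapped_accounts else "Mapped (to another account)"
    return "Shared (includes this account)" if account in device.mapped_accounts else "Shared (other accounts)"

def detect(event: Event, devices: List[Device]) -> Tuple[str, Optional[Device], Optional[int]]:
    """Walk the process order; returns (Unify Status, detected device, confidence)."""
    if event.ip is None or event.os is None:                    # 1. enough data?
        return "Incomplete Event Data", None, None
    org_devices = [d for d in devices if d.org == event.org]
    if not org_devices:                                          # 2. any devices for the org?
        return "Organization without devices", None, None
    if event.entra_id:                                           # 3. Entra Device ID match wins outright
        for d in org_devices:
            if d.entra_id == event.entra_id:
                return status_for(event.account, d), d, score(event, d)
    mapped = [d for d in org_devices if event.account in d.mapped_accounts]
    for pool in (mapped, org_devices):                           # 4. the account's devices, 5. the whole org
        best = max(pool, key=lambda d: score(event, d), default=None)
        if best is not None and score(event, best) >= 50:
            return status_for(event.account, best), best, score(event, best)
    return "Unmanaged, Unknown", None, None                      # 6. nothing reached 50%

DEVICES = [  # constructed sample inventory for one organization
    Device("LT-ANN", "Org A", "Windows 11", {"203.0.113.10"}, {"ann"},
           entra_id="entra-ann-0001", mapped_accounts={"ann@example.test"}),
    Device("LT-BOB", "Org A", "Windows 11", {"203.0.113.10"}, {"bob"}),
    Device("WS-SHARED", "Org A", "Windows 10", {"198.51.100.7"}, {"cara", "dan"},
           mapped_accounts={"cara@example.test", "dan@example.test"}),
]

if __name__ == "__main__":
    # Same office IP and OS as LT-ANN, but the local username tips the balance to LT-BOB
    print(detect(Event("bob@example.test", "Org A", "203.0.113.10", "Windows 11"), DEVICES))
    # Coffee-shop IP, but the Entra Device ID still identifies the laptop
    print(detect(Event("ann@example.test", "Org A", "192.0.2.44", "Windows 11",
                       entra_id="entra-ann-0001"), DEVICES))
```

Two things the model makes visible: an Entra Device ID match selects the device even when the IP has changed and the computed confidence is low, which is why the article calls Entra enrollment "basically a requirement"; and two Windows 11 laptops on the same office IP both sit at exactly 50% until a device name or local username separates them, which is the corporate-office situation the FAQ describes.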
While all of this calculation is happening, additional fields on the event are being set to aid in creating Respond rule triggers and filters. They are:
- device.unifyDetected.confidence - stores the calculated confidence rating for the detected device, if there was a detected device.
- device.isMapped - if the account in question has mapped devices (single or shared) this will be set to TRUE. Otherwise, it is set to FALSE.
- device.sourceInfo.isMobile - If the OS of the device is detected as iOS or Android, this field will be set to TRUE. Otherwise, it is set to FALSE.
- device.sourceInfo.os - Includes the operating system as presented by the source event.
- device.unifyDetected.details.eventDeviceEntraIdWithDeviceEntraId - If the source event includes a Microsoft Entra Device ID and it matches the detected device’s ID, this will be set to 1. If it includes the ID and does not match the detected device’s ID, it will be set to 0. If no Entra Device ID was present in the source event, the field will not be written to the event.
Unify-Powered Respond Rules
Unify, when combined with Respond, enables the ability to check that events are occurring on known (or unknown) devices based on the device metadata.
To enable Unify Respond conditions, click on the event property filter next to the event you would like to enhance with Unify conditions.
When setting up Respond event conditions that utilize Unify functionality, it is important to understand the main event properties and how they impact the Respond trigger logic:
Unify Device Status - Start here in most cases.
This can be used as:
- is one of (and provide a list of statuses you are checking against)
- Or Equal to / Not Equal to (and a specific status)
- Be careful with is not one of, because SaaS Alerts may add a new status in the future, that would not be “one of” the items you originally selected and could cause the rule to fire unexpectedly.
Unify Device Confidence - This will be included on any event, EXCEPT for Incomplete Event Data events.
Incomplete Event Data events will not have this rating, because there is no rating to offer.
Use this field to get more specific than the Unify Status (above). The Unify Status only distinguishes below 50% (Unmanaged, Unknown) from 50% or greater (the Mapped, Shared and Unmapped statuses).
For example, you may want to ensure that a detected device is even more confident than just an IP/OS match and test that other metadata matches as well. In this case, checking to see if the device is less than 65% would be a good way to accomplish this.
Unify: Is Mapped - Determines whether the account in question is listed as an account on ANY device within Unify. This is a parameter that was left over from previous versions of Unify, where it was a mandatory field for Respond+Unify, but is optional as of Unify v3.
Note: This field was often confused by partners. It does NOT mean a device was detected; only that the account HAS mapped devices.
Unless you are doing something very crafty with this, it is recommended to leave this parameter out of future Respond rules.
Device: Is Mobile OS - If the OS of the device is detected as iOS or Android, this field will be set to TRUE. Otherwise, it is set to FALSE.
Because mobile devices are not supported (yet) in Unify, this parameter is required to ensure that Respond does NOT trigger against mobile devices when they are “Unmanaged, Unknown”, because they will always be unknown until mobile device support is turned on.
In almost all cases, this parameter should be included in Unify rules with the value set to FALSE.
Device: OS - Includes the operating system as presented by the source event.
This parameter can be used in any Respond rule, but is often combined with Unify functionality. Use it to get granular with Respond rules.
For instance, maybe you want to ensure that account activity is not occurring from Linux, because you know that no one at any of your organizations utilizes Linux.
Or, maybe you want to be really certain about account activity occurring on servers, so you pair this OS with a higher Unify Device Confidence Rating:
Unify Entra Device ID Match - If the source event includes a Microsoft Entra Device ID and it matches the detected device’s ID, this will be set to 1. If it includes the ID and does not match the detected device’s ID, it will be set to 0. If no Entra Device ID was present in the source event, the field will not be written to the event.
If you expect every single device within your managed environment to be Microsoft Entra Device ID enrolled, you can create alerts or lock accounts based on the Entra Device ID not matching, like so:
Or, maybe you want to ignore Outside Approved Location alerts if it’s a VERY confident managed, known device by only alerting if the following occurs:
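The Respond conditions described in this section reduce to predicates over the event properties listed under "Under the hood". The Python model below is an added illustration and not SaaS Alerts code or the Respond engine: the property paths are the ones this article lists, the status key "unifyStatus" is an assumed name for the Unify Device Status property (the article gives its display label, not its path), and the sample events, the rules and the 65% bar in the "weak match" rule are constructed for the example. It shows the isMobile guard, the Entra mismatch check, the confidence refinement, and why "is not one of" breaks when a status the rule never listed appears.

```python
"""Model of Respond conditions evaluated over Unify event properties.

Added illustration, not SaaS Alerts code. Property paths follow the article;
"unifyStatus" is an assumed key for the Unify Device Status, and the events
and rules are constructed. A condition on a property Unify did not write never
matches (assumption), so absent fields cannot satisfy a negative operator.
"""
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]                      # flattened event: property path -> value
Condition = Tuple[str, str, Any]            # (property, operator, argument)

OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "is one of": lambda v, arg: v in arg,
    "is not one of": lambda v, arg: v not in arg,
    "equal to": lambda v, arg: v == arg,
    "not equal to": lambda v, arg: v != arg,
    "less than": lambda v, arg: v < arg,
    "at least": lambda v, arg: v >= arg,
}

def condition_matches(event: Event, prop: str, op: str, arg: Any) -> bool:
    if prop not in event:                   # e.g. no Entra ID on the source event, or Incomplete Event Data
        return False
    return OPS[op](event[prop], arg)

def rule_fires(event: Event, conditions: List[Condition]) -> bool:
    """A rule is the AND of its conditions."""
    return all(condition_matches(event, *c) for c in conditions)

def evaluate(rules: Dict[str, List[Condition]], events: List[Event]) -> Dict[str, List[str]]:
    """Map each rule name to the ids of the events that would trigger it."""
    return {name: [e["id"] for e in events if rule_fires(e, conds)] for name, conds in rules.items()}

# The statuses the article lists today; a rule built on "is not one of" freezes this list
KNOWN_STATUSES = frozenset({
    "Mapped (to this account)", "Mapped (to another account)", "Shared (includes this account)",
    "Shared (other accounts)", "Unmapped", "Unmanaged, Unknown", "Incomplete Event Data",
    "Organization without devices",
})

RULES: Dict[str, List[Condition]] = {
    # Unknown devices, but never on the mobile OSes Unify cannot see yet
    "unknown_non_mobile": [
        ("unifyStatus", "is one of", {"Unmanaged, Unknown"}),
        ("device.sourceInfo.isMobile", "equal to", False),
    ],
    # Every managed device is expected to be Entra-enrolled: fire when the IDs disagree
    "entra_mismatch": [
        ("device.unifyDetected.details.eventDeviceEntraIdWithDeviceEntraId", "equal to", 0),
    ],
    # Tighter than the status alone: a detection resting on IP/OS only (65% bar is an assumption)
    "weak_match_non_mobile": [
        ("device.unifyDetected.confidence", "less than", 65),
        ("device.sourceInfo.isMobile", "equal to", False),
    ],
    # The pattern the article warns about: anything added later falls through
    "brittle_not_one_of": [
        ("unifyStatus", "is not one of", KNOWN_STATUSES),
    ],
}

ENTRA = "device.unifyDetected.details.eventDeviceEntraIdWithDeviceEntraId"
EVENTS: List[Event] = [  # constructed sample events
    {"id": "e1", "unifyStatus": "Mapped (to this account)", "device.unifyDetected.confidence": 90,
     "device.isMapped": True, "device.sourceInfo.isMobile": False, "device.sourceInfo.os": "Windows 11", ENTRA: 1},
    {"id": "e2", "unifyStatus": "Unmanaged, Unknown", "device.unifyDetected.confidence": 25,
     "device.isMapped": True, "device.sourceInfo.isMobile": False, "device.sourceInfo.os": "Linux"},
    {"id": "e3", "unifyStatus": "Unmanaged, Unknown", "device.unifyDetected.confidence": 0,
     "device.isMapped": False, "device.sourceInfo.isMobile": True, "device.sourceInfo.os": "iOS"},
    {"id": "e4", "unifyStatus": "Mapped (to another account)", "device.unifyDetected.confidence": 70,
     "device.isMapped": True, "device.sourceInfo.isMobile": False, "device.sourceInfo.os": "Windows 10", ENTRA: 0},
    {"id": "e5", "unifyStatus": "Incomplete Event Data", "device.isMapped": False},  # no confidence written
    {"id": "e6", "unifyStatus": "HYPOTHETICAL-NEW-STATUS", "device.unifyDetected.confidence": 80,
     "device.isMapped": True, "device.sourceInfo.isMobile": False, "device.sourceInfo.os": "Windows 11"},
]

if __name__ == "__main__":
    for name, ids in evaluate(RULES, EVENTS).items():
        print(f"{name}: {ids}")
```

Event e3 is an unknown iOS device and is correctly suppressed by the isMobile guard; e2 has no Entra field at all, so the mismatch rule ignores it rather than treating "absent" as "mismatch"; and e6 carries a constructed placeholder status that no rule author could have listed, which is exactly the case where "is not one of" fires when nobody intended it to.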
FAQ
If I had a RMM setup prior, what do I need to do to turn on Unify?
Go to the RMM Organization Mapping screen by accessing the Organizations screen from the main navigation menu, editing the Organization that the RMM is connected to and then clicking the edit pencil next to the RMM.
What is the confidence score, and how is it calculated?
The confidence score is calculated by comparing the data from the last 30 days of events to the data in devices from the RMM. Currently the data being compared are:
- Public IP address
- Operating system
- Account email address
- Account full name
- Name of the device
- Current logged in user
- Recently logged in users
- Microsoft Entra Device ID
Why do I not see the proper user recommended for the device?
The suggested account functionality requires real activity for the account in question, and the events associated with that activity must have a public IP address match and an OS match (or a MSFT Entra Device ID match) with the device. This means that if there are no recorded alerts for an account that have those items matching with their respective device in the last 30 days, the account will not be offered as a suggested account for the device.
Why do I see so many accounts suggested for the devices for my corporate office clients?
Because the IP and OS are heavily weighted, an office with many people on similar operating systems will cause all of the accounts in that office to reach 50% confidence. In situations where this occurs, it is recommended that the minimum confidence score filter be increased to at least 55% to ensure that at least a partial match in the device name and the current user is considered.
Another way to combat this is to enable Microsoft Entra Device ID checking. To learn how to configure this significant enhancement (read: basically a requirement) for Unify, head over to this KB article.
I am getting an Unknown device on an event or an alert for a device that I am sure is a known, managed device. Why?
Most often it is because of an IP address mismatch between the SaaS application and the device in the RMM. Two reasons we see this:
- SASE solutions, and split tunnel VPNs. Sometimes the RMM agent will report one IP address, and the SaaS Application reports a completely different one.
- Timing. For instance, a device that moves from an office setting to a coffee shop will change IP addresses. It’s common for SaaS activity to occur on the new coffee shop IP address before the RMM has been updated with the new IP. This delay causes a mismatch between IP addresses.
SaaS Alerts Unify addresses this in two ways:
- Real-time IP check. When the algorithm detects a device that seems like a match, but the only difference is an IP address, it will reach out to the RMM in real time to get the latest IP address for that device and recompare. If the IP received from the RMM matches, Unify will consider that device a match. If it does not match, the device will be marked as Unmanaged, Unknown.
- Microsoft Entra Device ID. To learn how to configure this significant enhancement (read: basically a requirement) for Unify, head over to this KB article.
Does Unify support mobile devices or servers?
It does not at this time.
Future releases will address this.
Does Unify support IPV6?
It does not at this time.
Future releases will likely address this.
Why do I not see all the devices for my organization?
There are a few reasons that can cause this to happen.
- The device is an unsupported device. Right now, we do not import servers, mobile devices, printers or networking devices.
- The device is missing key fields. For instance, if we do not see a public IP address, or an Operating System for the device in the connected product, we will skip over that device.
- The device does not have any accounts with a confidence rating. If we do not find enough SaaS activity tied to an account to match an account to a device, that device will not be listed in the Unmapped accounts section.