2023 Q3 Kaseya’s Datto EDR & RocketCyber Update Webinar

MSP | 0 comments

Sorry, “innovation update” webinar.

None of this is confidential to the best of my knowledge. The webinar is recorded and I expect all of the new features to make their way into the documentation if they haven’t already. Quotes are best effort, I’m typing them up as they go, so they might not be exact. Some quotes have been cleaned up for grammar and spelling. Finally, the post isn’t chronological, I ordered things so that it fits into understandable narrative.

Today’s webinar features Mike Puglia and JV Varma.

My Key Takeaways

If you paid attention to the other recent product updates, you’ll find the same things here. Better Autotask and BMS integration, especially for billing, ability to launch the Datto RMM web remote from the other product’s console, integrations with Compliance Manager.

Q3 and Q4 updates look like they are addressed at real MSP issues. It also looks like they have Huntress in their sights. Maybe they couldn’t buy them?

I’m also a fan of adding the same capabilities across all the products at once: PSA billing integration, RMM Web Remote launches, Compliance Manager integration, etc. It makes the whole product line more coherent and I can trust expect that I’ll have similar features across products.

Datto EDR

Integrated billing with Autotask and BMS. This is not surprising; they announced a similar feature for Datto RMM in an earlier webinar. To repeat myself, I’d guess that on average, MSPs have 2-3% shrinkage. Eliminating this would be a huge gross profit boost to the industry.

Now – if only Kaseya could bill us MSPs correctly!

Ransomware Rollback

Moving into GA, not available to all partners until EOM.

From the screenshots it looks to me like it can’t be much past beta, the UI is a stock .Net UI, the controls don’t even adjust vertically with the expanded windows – but they do horizontally.1

I’d be anxious to test this. I wonder if it is fast enough to catch all of the files in the newer Rust-based variants of ransomware, some of which are said to be so fast that the encryption is over by the time you’ve isolated the process.

I would also like to hear how it works with cloud storage. What happens if I rollback hundreds of files to OneDrive? Those kind of changes don’t always play nicely.

This isn’t ransomware removal or a BCDR replacement.

Back to the EDR

You can launch the Datto RMM web remote from the EDR dashboard. Another feature we’ve seen come across the Kaseya product line. BMS integration? “Early 2024”

There are now alert suppression rules. I’m not a Datto EDR user, I’m surprised that this wasn’t already a feature.

Especially for a product for the Channel, alert fatigue is real and it should be a core part of any mature product.

If I understood, hashes are only supported as of now. Wow.

“EDR by its nature is a little chatty.” You don’t say.

A quick aside here, we have the opposite problem with Huntress, which is so quiet it is nearly impossible to know if it is doing anything, other than taking their word for it. We’ve got porridge that is too hot and another that is too cool.

Upcoming EDR Things

Your clients will be able to listed out as separate organizations, with locations as you want. Again, I’m not a user but, this is new??2 How do you have a non-multi-tenant product in the Channel?

You will be able to automatically sync EDR locations based on the RMM site3. The RMM is “the source of truth.”

This is an interesting choice, a sync to IT Glue would make a lot of sense to me, the difference, I suppose, is that ITG philosophically doesn’t write back to integrations.

How is SSO going to work? Do I need a Datto EDR login and an RMM login? What if my permissions are different?

You will be able to schedule scans4 by site (and location?)

JV states that you don’t have to switch back and forth between the EDR and the RMM but doesn’t show if you can jump from the RMM to the EDR. If we are going for labor efficiency that is just as important as EDR to RMM.


You can go beyond global policies that you have today, and can apply policies to specific sites or locations.6 Coming in Q4.

Automated Responses Coming:

Some rules will let you customize the response but “with great power comes great responsibility” and you can’t edit all of them. “We have to make sure that you are not causing undue stress to the system… such as isolation.” I really wish I had been live to ask what that meant. Whose system?


Mike reminds us to turn on two new apps. I thought that AI dog was supposed to do this?

IOC Detection

This came out a bit ago. Mike straight up causes it threat-hunting. Watch out Huntress. Related: it is interesting to hear them call this out as part of RocketCyber but not Datto EDR. Assuming this is trying to get some marketshare away from Huntress, why not add it in both places?

Integration with DarkwebID. Oh yay. Now I can get IDAgent alerts in two places (guess where I can’t suppress alerts? Oh yeah, IDAgent) You actually have to create a user new user in DarkwebID for this to work.

PSA integration with AT and BMS is now available based on:

  • Firewalls
  • Agents
  • Agents + Firewalls
  • M365 Seats

As I commented above, this is a positive change. It solves a real problem that MSPs face.

Linux Advanced Breach Detection App

Sounds like IOCs for Linux?


Many security incidents have automated remediation available. If RC has a script ready you can click a button to run it.

RC doesn’t want to be too aggressive, so they won’t take these actions for you. Huntress does the same thing, sometimes, not always. I have yet to have clarity from either company on when the SOC will take action for you and when it won’t. And what actions they will take.

I don’t know that it is a hill I’ll die on, but I’d lose a couple of limbs: if you can fix it, then fix it. The security threats are coming harder and faster every day. A key part of industry expansion and delivering more value is security automation.

Why can’t I launch the web remote from here?

Alert Syncing in RocketCyber and EDR

Acknowledge the incident on either side and it will be marked as acknowledged on the other.

Same thing with Autotask tickets. Resolve the issue in RocketCyber, closes the tickets. Close the ticket in Autotask, resolves the incident in RocketCyber.

Upcoming RocketCyber changes

Syslog collector, be able to ingest and store generic syslogs for 1 year. Sounds like standard formats only. Have a JSON webhook? You’re still out of luck. With great irony, as I imagine every one of there integrations is JSON on the backside.

Here is the business case for ingesting JSON: you (Kaseya) don’t know why I need it, for the same reasons I’d want to ingest raw syslogs for WAPs. Compliance, CYA, security incident investigations. Parsing and saving syslog messages is more complicated than saving raw JSON. All you need to do is save the source – I’d suggest giving each webhook a customized URL – and then save the text. Done.

Reporting: you can schedule to go out via email or run on-demand.

And you can choose…. Executive reports. More coming soon. Neither more nor soon defined.

The screenshot looks like it could have been designed by Huntress Which is great, they have nice looking reports our clients like.

RocketCyber Report Screenshot

Huntress Report Screenshot

This only shows one of six informative pages. Huntress still has a giant leg up.

SaaS Alerts Integration

SaaS Alerts integration is coming. Depending on how this works, it would be a major boost for SaaS Alerts against Huntress’ new M365 “EDR” (it’s a SOC).

It isn’t clear what else the SaaS Alerts integration will bring over. SaaS Alerts works with far more cloud applications than RocketCyber does, so there is a lot of potential for both sides.

Syslog data is now natively ingestible with Datto WAPs. Then switches, DNA, Secure Edge. Mike says that it hasn’t come earlier because the Datto Networking team is making changes to the logs specifically for RocketCyber.

Compliance Manager Integration

This is a major theme across all of the Kaseya product webinars (interesting that they didn’t mention myITProcess)


  1. Someone is going to tell me that the UI stuff is because Kaseya has focused on the core features first. Which makes my point: they haven’t had time to finish the product. Or if it’s finished, it literally doesn’t look like it.

    And look, it’s OK. I’ve launched products that were not as mature as they would eventually become. Just don’t call it a mature product until it’s actually grown up a little.
  2. See note 1
  3. See note 2
  4. See note 3
  5. See note 4


What's your $0.02?

This site uses Akismet to reduce spam. Learn how your comment data is processed.