Managed Detection and Response (MDR)
CyberApp scenarios
Automatic incidents review and management
Using the Endpoint Detection and Response (EDR) API, an ISV can fetch the incidents from Acronis and automate the process of review and management.
The flow is the following:
The ISV fetches the incidents from Acronis.
The ISV processes the incidents and decides on the action to take.
The ISV updates the incident status in Acronis.

Manual incidents review and management by a security analyst
Using the Application Manager API, a security analyst can log in to Acronis on behalf of the end customer and review the incidents manually.
The flow is the following:
A security analyst navigates to the ISV’s portal and logs in.
The ISV’s portal provides a link to log in to Acronis Cyber Protect Cloud on behalf of the end customer.
The ISV’s connector sends a service user login request to the Application Manager API. This will create a temporary service user account with the necessary permissions.
If the request is successful, the connector will receive a redirect link with the one-time token (OTT).
The ISV’s portal redirects the security analyst to the provided redirect link that will open the protection console.
The security analyst accesses the incidents in the protection console and reviews them.
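A check the connector can apply between receiving the redirect link and redirecting the analyst, so that the OTT is only ever sent to the expected console host and never written to logs. This is an added example, not Acronis code or part of the original page; the allowed host, the sample link and all function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: placeholder host; use the console host(s) of your own deployment.
ALLOWED_HOSTS = frozenset({"console.example.test"})
# Constructed sample; the real link's path and token parameter may differ.
SAMPLE_LINK = "https://console.example.test/login?ott=CONSTRUCTED-TOKEN"


class RedirectRejected(ValueError):
    """The link must not be passed on to the analyst's browser."""


def validate_redirect_link(link, allowed_hosts=ALLOWED_HOSTS):
    """Return the link unchanged if it is safe to redirect to, else raise."""
    # Backslashes, spaces and control characters are parsed differently by
    # browsers and by urlsplit, so refuse them outright.
    if any(c == "\\" or ord(c) <= 0x20 or ord(c) == 0x7F for c in link):
        raise RedirectRejected("illegal character in link")
    try:
        parts = urlsplit(link)
        port = parts.port
    except ValueError:
        raise RedirectRejected("malformed link") from None
    if parts.scheme != "https":
        raise RedirectRejected("link must use https")
    if parts.username is not None or parts.password is not None:
        raise RedirectRejected("userinfo not allowed")
    host = (parts.hostname or "").rstrip(".")
    if host not in allowed_hosts:
        raise RedirectRejected("unexpected host")
    if port not in (None, 443):
        raise RedirectRejected("unexpected port")
    return link


def redact_for_log(link):
    """Keep only scheme and host, so the OTT never reaches a log file."""
    try:
        parts = urlsplit(link)
    except ValueError:
        return "<unparseable link>"
    return f"{parts.scheme}://{parts.hostname or ''}"


def build_redirect(link):
    """Status and headers for the portal's redirect to the console."""
    target = validate_redirect_link(link)
    # no-store keeps the token-bearing redirect out of shared and browser caches.
    return 302, {"Location": target, "Cache-Control": "no-store"}
```

On rejection, log `redact_for_log(link)` rather than the link itself, and show the analyst an error instead of redirecting.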

Recommended extension points
To be able to extend Acronis Cyber Platform with MDR capabilities, the following extension points should be used.
CyberApp enablement form
CyberApp enablement form, to enable the CyberApp, provide credentials for accessing the ISV service, and map ISV customers to Acronis customers.
Depending on the enablement flow, the CyberApp may use:
Partner mirroring and customers mirroring (typical flow for MDR)
The MSP has Customer tenants in Acronis, but does not have an account and customers in the ISV cloud. When enabled, this automatically creates an organization for the MSP in the ISV cloud. When the MSP enables end customers in Acronis, the CyberApp will automatically create the corresponding customers in the ISV cloud.
Partner mapping and customers mapping
An MSP has Customer tenants in both Acronis and the ISV’s cloud. The MSP will be required to provide credentials from the ISV cloud and fetch the list of end customers. This enables the CyberApp for the Partner and allows the specification of an existing customer mapping or the creation of a new corresponding customer mapping in Acronis Cyber Platform.
Mapping an ISV customer to an Acronis customer results in enabling the CyberApp for the specific customer.
Typically, MDR CyberApps contain the following settings:
Email of the security contact on MSP side
The email of the security contact on behalf of the MSP that will be used to notify the MSP about incident escalations.
MDR is performed at the customer-level. This means that the Acronis Partner needs to enable the CyberApp for each end customer individually.
CyberApp access scopes
An MDR CyberApp would require the Access to Acronis EDR incidents to be set to:
Read-only if the ISV is only fetching the incidents from Acronis and does not need to update them.
Read and write if the ISV is fetching the incidents from Acronis and needs to update them.
Both permissions allow the ISV’s security analysts to log in to Acronis Cyber Protect Cloud on behalf of the end customer.
Alerts
Alerts, to display alerts and events generated by the ISV service.
Incident description.
Email account.
Examples
For an example of how to fetch MDR incidents, see Postman collection here.
For an example of how to log in using a service account, see Postman collection here.
You can download an example of MDR CyberApp here.