Integrations

Defend integrates deeply with other products in The One Stack. Threats flow into your service desk, escalations page your on-call team, device context enriches alert severity, and recovery triggers automated rollback.

Defend + RMM

Defend and RMM share the same unified agent binary. This integration goes beyond installation:

  • Response scripts — The "Run Script" response action executes remediation scripts via the RMM scripting engine
  • Kill process — Process termination is executed through the RMM agent's command channel
  • Isolate/unisolate — Network isolation is enforced by the agent, with the RMM management channel (port 443) kept open for continued management
  • Device context — RMM inventory data (OS version, installed software, patch level) enriches Defend detections

Defend + PSA

Security detections flow directly into your service desk:

  • Auto-ticket creation — Critical and high-severity detections can automatically create security incident tickets in PSA
  • Security incident queue — Tickets created by Defend are tagged and routed to your security queue
  • Investigation link — PSA tickets include a direct link back to the Defend investigation workspace
  • Resolution sync — When a detection is resolved in Defend, the linked PSA ticket is updated

Configure auto-ticket creation in Settings → Response Automation → PSA Integration.

Defend + On-Call

Critical detections can page your on-call rotation:

  • Escalation rules — Define which detection severities trigger an on-call page
  • Rotation awareness — Pages go to whoever is currently on-call, following your On-Call schedule
  • Acknowledgment — On-call acknowledgment is logged in the Defend response audit trail

Defend + CMDB

CMDB device metadata enriches Defend's detection context:

  • Device criticality — A detection on a "Critical" CMDB asset (domain controller, file server) is escalated in severity
  • PHI tagging — Devices tagged as handling Protected Health Information (PHI) in CMDB trigger HIPAA-specific compliance checks
  • Business context — CMDB asset owner and department are shown in the investigation workspace

Defend + People

People product data enhances insider threat detection:

  • Departing employees — Users flagged as departing in People trigger elevated monitoring for data exfiltration
  • User context — Investigation workspace shows the user's role, department, and access level from People
  • Session management — The "Reset User Session" and "Force Password Reset" actions coordinate with People's identity management

Defend + AI Platform

Jarvis AI powers investigation assistance:

  • Attack narratives — AI-generated plain-English summaries of attack sequences
  • Investigation suggestions — Recommends next investigative steps based on the detection type and telemetry
  • KQL assistance — Helps analysts write custom hunting queries

Defend + Backups

The Backups integration powers ransomware recovery:

  • Rewind Recovery — Automated file system rollback to pre-attack state (see Rewind Recovery)
  • Backup health — Defend checks backup availability and freshness for enrolled devices
  • Recovery testing — Dry-run tests validate the recovery pipeline without performing actual restores

Defend + M365

For organizations with Microsoft 365 E5 licensing:

  • Security signals — M365 device compliance and risk scores are ingested via webhook
  • Correlation — M365 security events are correlated with endpoint telemetry for enriched detection context
  • Subscription management — Graph webhook subscriptions are automatically renewed

ℹ️ M365 integration requires E5 licensing and a configured webhook. The integration is optional — Defend operates fully without it.
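The two mechanics behind this integration, ingesting Graph change notifications over a webhook and keeping the subscription alive, both have a security-relevant step that the bullets above do not spell out: a receiver must complete the Graph validation handshake, and it must authenticate every notification it accepts. The following is an added illustration, not Defend's code or Microsoft's SDK. It implements the receiver-side logic the way Microsoft Graph documents it (the `validationToken` echo on subscription creation or renewal, the `clientState` check on every notification, and a renewal decision based on `expirationDateTime`). Everything else, the `EXPECTED_CLIENT_STATE` value, the subscription lifetime used for renewal, the helper names and the sample notification body, is constructed for the example.

```python
"""Receiver-side logic for Microsoft Graph change notifications (added example).

Framework-agnostic: handle_webhook() takes the raw query string and body and
returns the response to send, so it can sit behind any HTTP server.
"""
from __future__ import annotations

import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Any
from urllib.parse import parse_qs

# Constructed secret. It is the value the subscriber supplied as clientState
# when creating the subscription; Graph echoes it in every notification, so it
# is the only thing binding an inbound POST to a subscription we actually made.
EXPECTED_CLIENT_STATE = "constructed-client-state-0123456789abcdef"

# Hypothetical renewal parameters. The maximum lifetime Graph allows differs
# per resource type, so treat this as a placeholder, not a documented limit.
SUBSCRIPTION_LIFETIME = timedelta(hours=48)
RENEWAL_MARGIN = timedelta(hours=6)


@dataclass
class HttpResponse:
    status: int
    content_type: str
    body: str


def handle_webhook(query_string: str, body: bytes) -> tuple[HttpResponse, list[dict[str, Any]]]:
    """Return (response to send, notifications that passed authentication)."""
    params = parse_qs(query_string)

    # 1. Validation handshake. When a subscription is created or renewed, Graph
    #    POSTs to the notificationUrl with ?validationToken=... and requires the
    #    decoded token echoed back as text/plain with HTTP 200 within seconds.
    if "validationToken" in params:
        return HttpResponse(200, "text/plain", params["validationToken"][0]), []

    # 2. Notification delivery. The body is {"value": [notification, ...]}.
    try:
        payload = json.loads(body)
    except ValueError:
        return HttpResponse(400, "application/json", '{"error": "malformed body"}'), []
    if not isinstance(payload, dict):
        return HttpResponse(400, "application/json", '{"error": "unexpected shape"}'), []

    accepted: list[dict[str, Any]] = []
    for item in payload.get("value", []):
        state = item.get("clientState")
        # Drop anything whose clientState does not match: the URL is reachable
        # from the internet, so this check is what keeps forged events out of
        # the detection pipeline. Constant-time compare avoids a timing oracle.
        if not isinstance(state, str) or not hmac.compare_digest(
            state.encode(), EXPECTED_CLIENT_STATE.encode()
        ):
            continue
        accepted.append(item)

    # Graph expects a fast 202; real processing of `accepted` happens afterwards.
    return HttpResponse(202, "application/json", ""), accepted


def needs_renewal(expiration: datetime, now: datetime, margin: timedelta = RENEWAL_MARGIN) -> bool:
    """True when the subscription will expire within `margin` of `now`."""
    return expiration - now <= margin


def renewal_body(now: datetime, lifetime: timedelta = SUBSCRIPTION_LIFETIME) -> dict[str, str]:
    """Body for the PATCH /subscriptions/{id} call that extends the expiry."""
    new_expiry = (now + lifetime).astimezone(timezone.utc)
    return {"expirationDateTime": new_expiry.isoformat().replace("+00:00", "Z")}


# Constructed sample: one genuine notification and one with a forged clientState.
SAMPLE_BODY = json.dumps({
    "value": [
        {
            "subscriptionId": "00000000-0000-0000-0000-000000000001",
            "clientState": EXPECTED_CLIENT_STATE,
            "changeType": "updated",
            "resource": "deviceManagement/managedDevices/constructed-device-id",
        },
        {
            "subscriptionId": "00000000-0000-0000-0000-000000000001",
            "clientState": "attacker-guess",
            "changeType": "updated",
            "resource": "deviceManagement/managedDevices/constructed-device-id",
        },
    ]
}).encode()


if __name__ == "__main__":
    resp, ok = handle_webhook("validationToken=abc%20def", b"")
    print(resp)                                   # echoes "abc def" as text/plain
    resp, ok = handle_webhook("", SAMPLE_BODY)
    print(resp.status, len(ok))                   # 202, 1 accepted
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(needs_renewal(now + timedelta(hours=5), now))   # True
    print(renewal_body(now))
```

The split between the two functions mirrors the two failure modes a practitioner actually sees: a receiver that does not answer the validation handshake never gets a subscription at all, and one that skips the `clientState` comparison will ingest anything an internet host chooses to POST to it. Scheduling `needs_renewal()` well inside the margin is what "automatically renewed" has to mean in practice, because an expired subscription fails silently from the receiver's point of view.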

Next Steps