Getting Started with RocketCyber SOC

This article provides guidance on the recommended steps for an MSP to begin the onboarding process with the RocketCyber SOC-as-a-Service.

The 24/7 cyber security monitoring service provides insight across your customers' endpoint, network and cloud attack vectors. To see how your security stack aligns with the RocketCyber SOC, visit our frequently updated integrations site.

  1. Sign up for the 21-day SOC-as-a-Service trial.
  2. Secure your login account with 2FA.
  3. Navigate to Provider Settings and configure:
    1. Branding: Upload your logo.
    2. Permissions: Add users at the MSP level if needed.
    3. Notifications: Add an email address and phone number for security incident notifications (PSA integration is covered later).
  4. AppStore: Browse the AppStore to enable or disable apps while you are in context as the MSP. Your selection applies downstream to all tenants you create.
  5. Add Customers (Provisioning tenants)
    1. By PSA integration (bulk): The most popular option for onboarding your fleet of customers is to add your PSA's API key. This gives you, as the MSP, fully integrated ticket communication from the RocketCyber SOC. For provisioning, the PSA integration offers a bulk import wizard that lets you choose all or selected customers to onboard. See Importing Customers from PSA.
    2. By the Add Customer dropdown (individually): From the menu click "Add Customer" and give the customer a name, e.g. "My MSP Internal Network".
  6. Defense-in-Depth (Layered Security): Now it is time to begin threat monitoring for your first customer. This is accomplished in several parts:
    1. Agent deployment (endpoint threat data): Navigate to All Customers / Customer Deployment and select your preferred delivery method, e.g. an RMM script or PowerShell. Once deployed, devices are in continuous cyber security monitoring mode, identifying malicious or suspicious activity. The types of threat activity detected depend on the apps you have enabled from the AppStore and on the other integrations outlined below.
    2. Firewall configuration (network threat data): Navigate to the dashboard and find the Firewall Log Analyzer app. See Configuring the Firewall App.
    3. Microsoft 365 configuration (cloud threat data): Navigate to the dashboard and find one of the Microsoft 365 apps. See Configuring the Office 365 Apps.
    4. HaveIBeenPwned configuration (cloud threat data): Navigate to Integrations / Dark Web to set up dark web monitoring for Microsoft 365 users. See Set Up HaveIBeenPwned.
    5. Anti-virus configuration (malware data): Most NGAV apps are connected using an API key. The exception is Microsoft Defender, which is a full command-and-control app managed directly rather than through an API key. See Configuring NGAV Apps.
    6. Email security configuration (spam/phishing data): Our current integration is with Ironscales and is configured with an API key. Other email security vendors are currently in development.
    7. Threat intelligence configuration (threat intel feed data): The integration with intelligence providers consumes real-time threat indicators from the vendor and puts them into action, producing a positive or negative verdict. See Configuring AlienVault Threat Feed.
  7. Schedule a SOC onboarding meeting: If you have deployed before the onboarding meeting takes place, the security analyst will review your configurations, whitelisting and incident tickets and recommend improvements. It is highly recommended to meet with your account team before deployment, after deployment and on a periodic basis thereafter.
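
Step 6.1 above offers an RMM script or PowerShell as delivery methods for the agent but does not show one. The following PowerShell wrapper is an added example, not RocketCyber's own deployment script: it downloads the installer over HTTPS, refuses to run it unless the SHA-256 hash you pinned and the Authenticode signature both check out, installs silently, checks the installer exit code, and optionally verifies that the agent service is running afterwards. The installer URL, expected hash, install switches, service name, and the assumption that the installer is an MSI are all placeholders; take the real values from the Customer Deployment page and the vendor's documentation.

```powershell
# Added example: hardened agent-deployment wrapper for an RMM / PowerShell step.
# Not RocketCyber's own script. Every value below marked "assumption" is a
# placeholder the MSP must supply from the Customer Deployment page.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $InstallerUrl,     # assumption: HTTPS URL of the agent installer
    [Parameter(Mandatory)] [string] $ExpectedSha256,   # assumption: SHA-256 recorded when you first vetted the installer
    [string] $InstallerArgs = '/qn /norestart',        # assumption: installer is an MSI and accepts standard msiexec switches
    [string] $ServiceName = ''                         # assumption: name of the agent's Windows service, if you want it verified
)

$ErrorActionPreference = 'Stop'
# Force TLS 1.2 so the download cannot be negotiated down on older hosts.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$dest = Join-Path $env:TEMP ('agent-' + [guid]::NewGuid().ToString() + '.msi')
$log  = Join-Path $env:TEMP 'agent-install.log'

Invoke-WebRequest -Uri $InstallerUrl -OutFile $dest -UseBasicParsing

# Gate 1: refuse to execute an installer whose hash differs from the one you pinned.
$actual = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    Remove-Item $dest -Force
    throw "Hash mismatch: expected $ExpectedSha256, got $actual"
}

# Gate 2: the file must carry a valid Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $dest
if ($sig.Status -ne 'Valid') {
    Remove-Item $dest -Force
    throw "Installer signature status is $($sig.Status); refusing to install"
}

# Silent install with a verbose log for troubleshooting; 3010 = success, reboot required.
$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList "/i `"$dest`" $InstallerArgs /l*v `"$log`"" -Wait -PassThru
Remove-Item $dest -Force
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec exited with $($proc.ExitCode); see $log"
}

# Gate 3: confirm the agent actually came up, so the RMM job fails loudly instead of silently.
if ($ServiceName) {
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        throw "Service '$ServiceName' is not running after install"
    }
}

Write-Output "Agent installed (msiexec exit code $($proc.ExitCode))"
```

Run it from your RMM as SYSTEM with the three placeholder values filled in. The hash and signature gates are what make an RMM-pushed download safe to repeat across a fleet: if the vendor publishes a new build, update the pinned hash deliberately rather than letting every endpoint execute whatever the URL currently serves.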

RocketCyber prioritizes its development efforts around a Defense-in-Depth strategy aligned to the MSP security stack. Configure all of the layers outlined above for each customer; any layer left unconfigured is a blind spot for the SOC and puts the customer at risk.