Configuring Datto Ransomware Detection
Datto Ransomware Detection is a response‑oriented detection application designed to mitigate the impact of ransomware activity detected on an endpoint. When ransomware behavior is identified, this application can automatically take containment actions—such as isolating the affected device or attempting to terminate the encrypting process—to limit further spread while the activity is investigated.
Unlike tuning‑only detection applications, Datto Ransomware Detection focuses on response behavior after confirmed detection events. The settings described in this article control how Kaseya MDR reacts to ransomware detections; they do not change detection sensitivity, analysis logic, or investigation workflows.
Datto Ransomware Detection is configured at the organization level through Settings > Application Configurations.
What Datto Ransomware Detection does
Datto Ransomware Detection monitors endpoint activity for behavior consistent with ransomware encryption events. When such activity is detected, the application can:
- Trigger containment actions on the affected endpoint
- Generate an incident summarizing the detected activity and actions taken
- Surface context to support investigation and remediation decisions
These actions are intended to reduce impact and provide early visibility. How incidents are reviewed, escalated, or responded to depends on broader investigation workflows and SOC involvement, if applicable.
Datto Ransomware Detection configuration does not:
- Change how ransomware activity is detected or analyzed
- Control detection thresholds or exclusion logic
- Replace investigation workflows or SOC authorization models
- Guarantee automated response in every situation
The application controls response behavior following detection, not detection logic itself.
Datto Ransomware Detection operates on endpoint telemetry that is already available in Kaseya MDR. This telemetry may be provided by integrations such as Datto EDR. For details on how Datto EDR is connected and mapped to organizations, see Integrating Datto EDR with Kaseya MDR.
Accessing Datto Ransomware Detection settings
Datto Ransomware Detection is configured from the Application Configurations area.
To access the configuration:
- From the side navigation menu, select Settings.
- Select Application Configurations.
- Create or select an organization‑level override.
- Select Datto Ransomware Detection as the application.
Configuration changes apply only at the scope where they are saved (organization override or global default).
Configuration options
When configuring Datto Ransomware Detection, the following response‑oriented settings are available.
Isolate on detection
Controls whether the affected endpoint is automatically isolated when ransomware activity is detected.
- Device isolation uses the built‑in isolation capability
- Isolation is intended to prevent lateral movement or further spread
- Isolation status is recorded as part of the generated incident
This option is typically enabled in environments where rapid containment is preferred while investigation is underway.
How this differs from SOC device isolation settings
The Isolate on detection option in Datto Ransomware Detection is an application‑level, automated response that can isolate a device immediately when ransomware activity is detected.
SOC device isolation settings, configured separately under SOC settings, control whether the Security Operations Center is authorized to perform device isolation as part of an investigation or response workflow. SOC isolation actions are investigation‑driven and do not occur automatically.
These settings serve different purposes:
- Datto Ransomware Detection isolation is detection‑triggered and automated.
- SOC isolation is authorization‑based and executed by the SOC during investigation.
Enabling one does not automatically enable the other. Each should be reviewed independently based on your response strategy and operational model.
Terminate process on detection
Controls whether the system attempts to terminate processes identified as performing ransomware‑related encryption activity.
- The application attempts to stop the encrypting process
- The outcome of the termination attempt is recorded in the incident
- Termination success is not guaranteed and depends on endpoint conditions
This option is commonly used alongside isolation to limit encryption progress.
Operational considerations
Because both available settings can affect endpoint availability, administrators should review these options carefully before enabling them broadly.
Recommended practices include:
- Starting with default settings and enabling automated response incrementally
- Validating behavior in a test organization before broader rollout
- Coordinating response behavior with investigation and recovery procedures
- Documenting configuration decisions and reviewing them periodically
Incidents generated by Datto Ransomware Detection
When ransomware activity is detected, an incident is generated that may include:
- The affected device
- The Datto Ransomware Detection settings in effect at the time of detection
- Actions taken by the application (isolation, process termination)
- Context to support investigation and remediation
These incidents provide visibility into both the detected activity and the response behavior that occurred.
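The following is an added illustration of the response path described in the Configuration options and Incidents sections above; it is not Kaseya's or Datto's code. It assumes hypothetical isolation and process-termination hooks and models only what the article states: the two settings decide which actions are attempted after a confirmed detection, each attempt's outcome is recorded (termination can fail), the settings in effect are captured in the incident, and an incident is generated even when no automated action is enabled.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ResponseSettings:
    """The two response-oriented options; neither changes detection logic."""
    isolate_on_detection: bool = False
    terminate_process_on_detection: bool = False


@dataclass
class Incident:
    """What the generated incident records, per the article."""
    device: str
    settings_in_effect: ResponseSettings
    actions: List[Tuple[str, str]] = field(default_factory=list)  # (action, outcome)


def _attempt(action: Callable[[], bool]) -> str:
    """Run one response action and classify its result; never raise."""
    try:
        return "succeeded" if action() else "failed"
    except Exception as exc:  # e.g. endpoint offline or agent unreachable
        return f"error: {exc}"


def respond_to_detection(
    device: str,
    encrypting_pid: int,
    settings: ResponseSettings,
    isolate: Callable[[str], bool],          # hypothetical isolation hook
    terminate: Callable[[str, int], bool],   # hypothetical termination hook
) -> Incident:
    """Apply the configured response actions to an already-confirmed detection.

    Detection has happened before this is called; the function only decides
    what to do about it and records the outcome of each attempt, since
    termination (and isolation) can fail depending on endpoint conditions.
    The ordering of the two actions is an assumption of this model.
    """
    incident = Incident(device=device, settings_in_effect=settings)
    if settings.isolate_on_detection:
        incident.actions.append(("isolate_device", _attempt(lambda: isolate(device))))
    if settings.terminate_process_on_detection:
        outcome = _attempt(lambda: terminate(device, encrypting_pid))
        incident.actions.append((f"terminate_process:{encrypting_pid}", outcome))
    return incident
```

Used in a test organization, the hooks can be stubbed to confirm that each settings combination produces exactly the recorded actions you expect before enabling the options more broadly.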
Interaction with other security products
Datto Ransomware Detection operates within the Kaseya MDR application configuration model. If multiple products capable of ransomware detection are present in an environment, a given detection may be surfaced by only one of those products, depending on configuration and coverage.
Administrators should avoid enabling overlapping ransomware detection capabilities on the same endpoint unless intentionally designed and tested.
Related articles
- Application Configurations: Explains how application‑level settings are managed in Kaseya MDR using global defaults and organization overrides.