Team: Huntress Managed Security Information and Event Management (SIEM)
Environment: Datto RMM
Summary: How to add Datto RMM to your Huntress Managed SIEM to collect alert events.
Overview
The Datto RMM integration allows you to collect alerts from your Datto RMM account into Huntress Managed SIEM. This includes open and resolved alerts across all devices and sites in your account, covering security events such as ransomware detection, antivirus status changes, Windows Event Log alerts, patch management, and device performance monitoring.
Prerequisites
Before configuring the Datto RMM integration in Huntress, ensure the following:
- You have an active Datto RMM account with administrative access.
- API Access must be enabled in your Datto RMM account (Setup > Global Settings > Access Control).
- You have generated an API Key and API Secret Key for a user in your Datto RMM account.
- You know which platform (cluster) your Datto RMM account is hosted on (e.g., Pinotage, Merlot, or Concord).
- You have a Huntress account with Huntress Managed SIEM enabled.
Datto RMM Configuration
Step 1: Enable API Access
1. Log in to your Datto RMM account.
2. Navigate to Setup > Global Settings > Access Control.
3. Toggle Enable API Access to On.
4. Click Save.
Step 2: Generate API Keys
1. Navigate to Setup > Users.
2. Click the username you want to use for API access.
3. Click Generate API Keys.
4. Copy and securely store both the API Key and API Secret Key — the secret key will not be shown again.
Step 3: Identify Your Platform
Your Datto RMM platform determines the API base URL. You can identify your platform from your Datto RMM login URL:
| Platform | Login URL Contains |
| --- | --- |
| Pinotage | pinotage[.]centrastage[.]net |
| Merlot | merlot[.]centrastage[.]net |
| Concord | concord[.]centrastage[.]net |
| Vidal | vidal[.]centrastage[.]net |
| Zinfandel | zinfandel[.]centrastage[.]net |
| Syrah | syrah[.]centrastage[.]net |
Huntress Configuration
Step 1: Navigate to Source Management
- Log in to your Huntress account.
- Navigate to SIEM > Source Management.
- Click Add Source.
- In the source catalog, locate Datto RMM under the RMM category.
- Click Add.
Step 2: Enter Configuration Details
Fill in the following fields:
| Field | Value |
| --- | --- |
| Name | A descriptive name for this source (e.g., "Datto RMM - Production") |
| Platform | Select your Datto RMM platform from the dropdown (Pinotage, Merlot, Concord, Vidal, Zinfandel, or Syrah) |
| API Key | The API Key generated in Datto RMM |
| API Secret Key | The API Secret Key generated in Datto RMM |
Step 3: Save and Validate
- Click Create to save the source.
- Huntress will validate your credentials by requesting an access token from the Datto RMM API.
- If validation succeeds, the source will be created and begin collecting alerts on the next polling cycle.
- If validation fails, verify your API Key, API Secret Key, and platform selection.
Validation
After creating the source, verify that data is flowing into the Huntress Platform.
- Navigate to SIEM > Log Search.
- Filter by the Datto RMM source you just created.
- Confirm that alert events appear within a few minutes.
  Note: Timing depends on your polling interval and whether there are active alerts in your Datto RMM account.
- Verify that alert details include the device hostname, alert type, priority, and site information.
If your Datto RMM account has no current open or recently resolved alerts, the initial data pull may return empty results. This is expected behavior; events appear in the Huntress Platform as new alerts are generated.
Troubleshooting
Credential Validation Fails
If your credentials fail to validate during setup, use these steps to verify your Datto RMM configuration.
- Verify API access is enabled. In Datto RMM, go to Setup > Global Settings > Access Control and confirm the toggle is On.
- Regenerate API keys. If the API Secret Key was not stored correctly, generate a new key pair under Setup > Users.
- Check platform selection. Ensure the platform selected in the Huntress Platform matches your Datto RMM login URL.
No Data Appearing After Successful Validation
If validation is successful but logs are not appearing in the Huntress Platform, check the status of your alerts and polling cycles.
- Check for active alerts. Verify your Datto RMM account has open or recently resolved alerts.
- Wait for the next poll cycle. Data collection occurs on a scheduled interval. Allow a few minutes for the first batch of events to appear.
- Check source status. In the Huntress Platform, go to SIEM > Source Management and verify the source shows an Active status.
Rate Limit Errors
Datto RMM limits API requests to 600 GET requests per 60 seconds across the entire account. If multiple users or integrations make API calls simultaneously, you may reach these limits.
Note: Huntress automatically retries on the next polling cycle if it encounters a rate limit.
If rate limit errors persist, reduce the number of concurrent API consumers on your Datto RMM account.
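One way to find which API consumers push an account over the limit described above, shown as an added example (not Huntress or Datto code). It assumes you have a per-request log of GET calls with a millisecond timestamp and a consumer label, and that the limit is evaluated over a trailing 60-second window; the consumer names and rates in the sample are constructed.

```python
from collections import Counter, deque

LIMIT = 600          # GET requests per window, account-wide (figure from this article)
WINDOW_MS = 60_000   # 60 seconds, in milliseconds

def find_overages(events, limit=LIMIT, window_ms=WINDOW_MS):
    """events: iterable of (timestamp_ms, consumer) pairs, one per GET request.
    Returns one dict per continuous period in which the trailing window held
    more than `limit` requests, with the per-consumer split at the peak."""
    window, per_consumer = deque(), Counter()
    overages, current = [], None
    for ts, consumer in sorted(events):
        window.append((ts, consumer))
        per_consumer[consumer] += 1
        # Expire requests older than the trailing window (ts - window_ms, ts].
        while window[0][0] <= ts - window_ms:
            per_consumer[window.popleft()[1]] -= 1
        count = len(window)
        if count > limit:
            if current is None:
                current = {"start": ts, "end": ts, "peak": 0, "by_consumer": {}}
            current["end"] = ts
            if count > current["peak"]:
                current["peak"] = count
                current["by_consumer"] = dict(+per_consumer)  # drop zero counts
        elif current is not None:
            overages.append(current)
            current = None
    if current is not None:
        overages.append(current)
    return overages

def constructed_sample(include_report_script=True):
    """Constructed request log: names and rates are made up for illustration."""
    events = [(t, "siem-poller") for t in range(0, 120_000, 200)]     # 5 GET/s
    events += [(t, "psa-sync") for t in range(0, 120_000, 250)]       # 4 GET/s
    if include_report_script:
        events += [(t, "report-script") for t in range(30_000, 40_000, 100)]  # 10 s burst
    return events

if __name__ == "__main__":
    for o in find_overages(constructed_sample()):
        print(f"{o['start']} ms to {o['end']} ms: peak {o['peak']} GETs/60 s")
        for name, n in sorted(o["by_consumer"].items(), key=lambda kv: -kv[1]):
            print(f"  {name}: {n}")
```

In the constructed sample, two steady consumers stay under the limit on their own, and a ten-second burst from a third is enough to hold the account over it for more than half a minute.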
HTTP 403 / IP Block
Datto RMM may temporarily block an IP address if rate limits are persistently exceeded. If an IP block occurs, wait five minutes for the block to be lifted automatically. No action is required in the Huntress Platform, as collection resumes automatically on the next poll cycle.
Known Limitations
- Alert data and activity logs only. This integration collects alert events (open and resolved) and activity logs. It does not currently ingest device audit data.
- Account-wide collection. Alerts are collected across the entire Datto RMM account. Per-site filtering is not currently supported.
- Token expiry. Datto RMM API tokens expire after 100 hours. Huntress handles token refresh automatically.
- No real-time streaming. Data is collected via REST API polling rather than a real-time push. Expect a slight delay between an alert being generated in Datto RMM and appearing in Huntress SIEM.