Integrations & Tickets

Overview

ET Ducky supports both native ticketing (ET Ducky tickets stored in your organization) and third-party integrations (Jira, ServiceNow). You can use one or both: create and view native tickets from the dashboard and Run Troubleshooting, and optionally connect Jira or ServiceNow so automated troubleshooting can link to and update external tickets. End users on any agent-installed machine can submit a support ticket without opening the full desktop app via the ET Ducky Support shortcut.

Integrations Page

Available from the user menu (avatar dropdown): Integrations. Only organization admins can add or edit integrations.

Ticketing (Jira, ServiceNow)

  • Add integration — Choose provider (Jira or ServiceNow), enter base URL, credentials (API token or Basic), and optional project/table, host field, and query template.
  • One active integration per organization — When you run troubleshooting or view tickets by agent, the active integration is used to list and update tickets.
  • Credentials are stored securely; only metadata (URL, project) is shown in the UI.
  • Use Edit to change settings; leave password/token blank to keep the existing credential.

Once configured, you can select tickets from the integration when using Run Troubleshooting and push the resulting report back to the ticket.

Tickets Page

Available from the top nav or user menu: Tickets. Shows two views:

All tickets (ET Ducky)

Lists all native ET Ducky tickets for the current organization: title, device (agent), status, assigned to, submitted by, and created date. Tickets appear here when created from the dashboard or when end users submit via the ET Ducky Support shortcut on an agent.

  • Filter bar — Search by title or device name, filter by status (Open, In Progress, Resolved, Closed), or filter by assignee. Filters apply instantly without a network request.
  • Inline status — Change a ticket’s status directly from the Status dropdown in the row; the change is saved immediately.
  • Inline assignment — Assign a ticket to any org member from the Assigned to dropdown in the row.
  • View notes — Click any ticket title to open the ticket detail modal, where you can read all notes and add new ones. Notes are appended in chronological order.
  • Start live session — Click Start live session next to a ticket to open a live agent session. The session modal opens directly to the Guided Troubleshooting tab with that ticket pre-selected, ready to run diagnostics.

By agent (includes Jira / ServiceNow)

Select an agent from the dropdown to load tickets for that device. The list includes native ET Ducky tickets for that agent and, if an integration is configured, tickets from Jira or ServiceNow that match the agent (e.g. by host name). Columns: title, source (ETDucky/Jira/ServiceNow), status, updated, link (for integration tickets), and a Start live session button.

Native ET Ducky Tickets

  • Create from dashboard — When running Guided Troubleshooting, you can create a new ET Ducky ticket (title, optional description) instead of linking to a Jira/ServiceNow ticket. The ticket is associated with the agent and appears on the Tickets page.
  • Ticket notes — Click any ticket title on the Tickets page to open the detail modal. Add notes (e.g. steps taken, findings, follow-up actions) and view the full note history in chronological order. Notes also get added automatically when you push a troubleshooting summary to a native ticket.
  • Status lifecycle — Update status directly from the Tickets page table (inline dropdown) or from the Guided Troubleshooting result step (select ticket and new status, then click Apply to ticket). Statuses: Open, In Progress, Resolved, Closed.
  • Native tickets are permanent — Unlike ETW event data, native tickets are stored indefinitely with no automatic retention policy. They accumulate until you close or manually delete them.
  • Reportable — Tickets and ticket notes are available as data sources in the Data Explorer and Smart Reports. Filter by status, group by device, or chart ticket volume over time. Built-in templates: “Ticket Status Breakdown” and “Tickets by Device.”

End-User Support Shortcut

Users on a machine where the ET Ducky agent is installed can submit a support ticket without opening the full desktop app or having dashboard access.

How it works

  • The installer creates an ET Ducky Support shortcut on the Desktop and in the Start Menu (under the ET Ducky Agent folder).
  • Launching the shortcut runs the agent with --support: a small form opens (subject, description, optional name). Submitting the form sends the ticket to your organization via a local listener on the agent; the agent then forwards it to the cloud API using its own credentials.
  • No full desktop app UI and no technician login required. Tickets appear in the dashboard under Tickets (All tickets) and under the corresponding agent in By agent.

Security

The support listener runs only on 127.0.0.1; the agent bearer token is not exposed to the form. Only the organization that owns the agent receives the ticket.

Approved Applications

Maintain a workspace-scoped list of approved software. Smart Reports uses the list to surface unapproved installations across your fleet — e.g. “show me apps installed in the fleet that aren’t approved.”

Add an approved app

  • Open Integrations and find the Approved Applications card.
  • Enter the application name (matched case-insensitively against installed-software inventory) and an optional note explaining why it’s approved.
  • Click Add. The entry is visible to every member of the workspace immediately.

Querying against the list

Once the list has entries, open Smart Reports and ask questions like:

  • “Which agents have software installed that’s not on the approved list?”
  • “Show me unapproved apps installed in the last 30 days.”

The report planner joins your installed-software inventory against the approved list and excludes matches.

Only organization admins can edit the list. All members can read it (so unprivileged queries still work).

Behavioral Detection Allowlist

Suppress false positives from the agent’s built-in behavioral-detection rules by exempting specific (process, rule) pairs. For example, AI coding assistants legitimately read many files for context analysis, which can trip the mass-file-access rule. Adding claude.exe + mass-file-access stops the false positive without disabling the rule for any other process.

Adding an exemption

  • Open Integrations and find the Behavioral Detection Allowlist card.
  • Enter the process name (e.g. claude.exe, backup-agent) and pick the rule it should be exempt from (mass-file-access, suspicious-exec-chain, privilege-escalation, reverse-shell-heuristic, etc.).
  • Add an optional note for posterity. Click Add.

How enforcement works

  • The cloud API filters out detections matching the allowlist before they're persisted, so suppressed events never appear in the dashboard or fire alerts.
  • Agents fetch a per-org copy from /api/agents/me/behavioral-allowlist at startup and on configuration polls — future agent versions can self-filter so the bytes never leave the host.
  • Exemptions are scoped per-rule. claude.exe exempt from mass-file-access is still subject to every other rule.

Only organization admins can edit the allowlist. Keep entries narrow — broad exemptions weaken the protection model.