McAfee MVISION Endpoint Detection and Response Installation Guide (FedRAMP)
Contents
System requirements
Manage integrations
Webhook parameters
1| Activate your account
For information about setting up an MVISION ePO account, see Set up an MVISION ePO account.
Important
If the MVISION EDR UI is inactive for more than 40 minutes, the user is logged out. Also, when the user is logged in to both
the MVISION ePO UI and the MVISION EDR UI, logging out of the MVISION ePO UI automatically logs the user out of the
MVISION EDR UI.
Task
1. Open the email that you have received and click Activate.
2. Enter a password and confirm it, then click Set Password.
3. Type your email address and click Next.
4. Type the password that you have set and click Sign In.
5. Select MVISION EDR from the products list.
Results
The configuration you create using these steps is saved separately within the McAfee MVISION system.
For instructions on how to configure your IdP application, see your identity provider's documentation.
Note
You might need to use placeholder information for the ACS URL and the Audience URI when you configure your third-party
IdP. Enter the details later when you Update your IdP application SAML settings with the information from MVISION.
2. From the User List, select the users that you want to exempt from SSO.
3. After successfully saving the configuration, you can view the information in the Service Provider (MVISION) section.
• Audience — Edit your IdP application's SAML settings to update the Audience URI.
• Assertion Consumer Service URL — Edit your IdP application's SAML settings to include the SSO URL.
• Certificate — Download the certificate. Some IdPs require the MVISION service provider certificate.
• SAML Metadata — Download the SAML metadata. It contains other configuration which your IdP might require.
Update your IdP application SAML settings with the information from MVISION
After saving the IdP configuration in your MVISION account, go to your IdP application and edit the SAML settings with the
information from MVISION.
Note
The schemas provided here are for reference only. They can vary depending on the IdP provider.
Note
Set your Unique User Identifier to email address. Only an email address is accepted as the primary identifier for users.
Once you change the Unique User Identifier from first name or last name to email address, download the updated certificate
from the IdP application and upload it again in the Identity Provider.
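The IdP-side values listed above (Audience, Assertion Consumer Service URL, certificate) all come from the service provider's SAML metadata. The following added example, which is not McAfee's code, parses a constructed SP metadata document with Python's standard library, extracts those values, and flags whether the SP asks for an email-address NameID, as the note above requires. Hostnames, the certificate blob and the metadata itself are placeholders constructed for the example.

```python
# Added example (not McAfee's code): extract the settings an IdP admin must
# copy from SAML 2.0 SP metadata, and check the NameID format is email.
# The metadata below is a constructed sample with placeholder values.
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.invalid/saml/audience">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>UExBQ0VIT0xERVI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def parse_sp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or sp is None:
        raise ValueError("not SAML 2.0 SP metadata")
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        raise ValueError("SP metadata has no AssertionConsumerService")
    # Use the ACS flagged isDefault, otherwise the first one listed.
    default = next((a for a in acs if a.get("isDefault") == "true"), acs[0])
    cert_path = "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    certs = [c.text.strip() for c in sp.findall(cert_path, NS)]
    for cert in certs:
        base64.b64decode(cert, validate=True)  # catch a truncated/pasted blob early
    formats = [f.text.strip() for f in sp.findall("md:NameIDFormat", NS)]
    return {
        "audience": root.get("entityID"),          # Audience URI for the IdP
        "acs_url": default.get("Location"),        # Assertion Consumer Service URL
        "certificates": certs,                     # SP certificate(s), base64 DER
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
        "email_nameid": EMAIL_NAMEID in formats,   # must be True for MVISION
    }
```

The same function can be pointed at the SAML metadata downloaded from the Service Provider (MVISION) section to confirm the values before editing the IdP application.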
Note
You must and to allow them to access MVISION ePO using SSO.
Troubleshooting SSO
The error message "Misconfigured identity provider. Check your configuration and try again" appears during logon if any of
these conditions are true.
• Conduct investigations, monitor threats, and perform searches in Real-time or Historical Search.
• Take action on the endpoint devices.
As an MVISION SOC Analyst L1, you can:
• Conduct investigations, monitor threats, and perform searches in Real-time or Historical Search.
As an MVISION Account Administrator, when you select the following roles for MVISION EDR and assign them to a user, the user
can:
• The Configure endpoint policies (MVISION ePO only) role — Configure endpoint policies on the MVISION ePO Policy
Catalog page.
• The Configure tenant's settings and data sources role — Configure MVISION EDR tenant's settings and data sources.
• The Execute a targeted remediation action (single device) role:
  • Access the Device Actions option on the Monitoring dashboard when endpoints are selected.
  • Access the Quarantine device and End Quarantine device options under Device Details → Take an action on the
    Investigating dashboard.
  • Access the Actions option on the Real-time Search dashboard when endpoints are selected.
If the Execute a targeted remediation action (single device) option is not selected:
• The Triage, scope, and conduct investigation cases role — Create an investigation from the Take action option on the
Monitoring dashboard.
If the Triage, scope, and conduct investigation cases option is not selected, the user can't see the Investigating
dashboard on the MVISION EDR menu option.
System requirements
Server and client requirements
Before you install MVISION EDR, make sure that your server and client systems meet all requirements (KB91345).
For information about MVISION EDR software and hardware requirements, and supported environments, see KB91345.
Note
Make sure your network settings are configured correctly and that SSL traffic inspection is disabled for the following URLs
or their IP addresses.
URLs:
https://ui.soc.mcafee-gov.com
https://ui.uam.mcafee-gov.com
https://api.iam.mcafee-gov.com
https://api.uam.mcafee-gov.com
https://api.iam-rs.mcafee-gov.com
https://login.iam.mcafee-gov.com
https://ui.iam.mcafee-gov.com
• Trace data from Endpoints / MVISION EDR client.
• Real-time search responses from Endpoints / MVISION EDR client.
Note
Upon installation or upgrade of the MVISION EDR client, you might have to reboot the client system.
Task
1. Log on to MVISION EDR as administrator.
2. Click the configuration icon on the top-right corner to access the Configuration page.
3. On the Configuration page, select Use McAfee MVISION ePO for management. Then click Save.
Important
Make sure you select the correct configuration. This setting can only be changed with the assistance of Customer
Support.
Note
When installing the MVISION EDR client on Mac endpoints, the endpoint user is prompted with pop-ups to grant permission
for McAfeeSystemExtensions on the General tab of the Security & Privacy page. You must also allow Full Disk Access for
McAfeeSystemExtensions and fmpd on the Privacy tab.
5. On MVISION EDR, go to the Configuration page and verify whether the connection status is green to confirm the
deployment is complete, then click Done.
Note
Upon installation or upgrade of the MVISION EDR client, you might have to reboot the client system.
Task
1. Log on to MVISION ePO as administrator.
2. Select Menu → Software → Product Deployment.
3. Select Advanced Options → Advanced Product Deployment, then click New Deployment.
4. Enter a name and description for the deployment task.
5. Select McAfee MVISION EDR Client as the software package.
6. Select Individual Systems or by Tag or Group to open the System Selection window.
7. From System Tree, on the System Selection page, select the devices where you want to deploy the client software, then
click OK.
8. Click Run Immediately to start the deployment task, then click Save.
Task
1. Log on to MVISION EDR as administrator.
2. Select Menu → Investigating → Configuration.
3. Select Use McAfee MVISION ePO for management.
4. Click Install components, then click Save.
Results
You can view the McAfee Cloud Services Agreement and share your telemetry data.
Task
1. Log on to MVISION EDR as administrator.
2. Click the configuration icon on the top-right corner to access the Configuration page.
3. Under Finetune configuration, click View account settings.
4. Click View McAfee Cloud Services Agreement to read the document, then click Save.
Manage integrations
MVISION EDR analyzes emails reported as phishing to the Security Operations Center (SOC) and helps you perform the
investigation.
It identifies and extracts email addresses, subject, body, attachments, metadata, and headers for better visualization. It also lets
you view, analyze, and respond to phishing reports. MVISION EDR automatically analyzes IP addresses, fully qualified domain
names (FQDNs), and files available on the analyzed email.
Important
This feature is only supported if your tenant is hosted in a United States data center.
Task
1. Log on to MVISION EDR as administrator.
2. Click the configuration icon on the top-right corner to access the Configuration page.
3. Click Manage integrations, then click + Add to add an integration.
4. In the Name field, type a name for the phishing email integration if you want to provide email evidence of phishing and
create an investigation.
Note
Phishing emails are supported only in unsigned and unencrypted .eml and .msg formats.
5. Under the Action drop-down list, select Add Email Evidence, then click Save to add a new integration.
You can create URLs to integrate other products with MVISION EDR. You can use these URLs to create investigations
automatically on MVISION EDR.
Task
1. Log on to MVISION EDR as administrator.
2. Click the configuration icon on the top-right corner to access the Configuration page.
3. Click Manage integrations, then click + Add to add an integration.
4. In the Name field, type the required name, then from the Action drop-down list, select Add Evidence.
5. From the Delivery method drop-down list, select Direct to Cloud, then click Save.
Results
• You can regenerate the Webhook URL by clicking Regenerate and copy the Webhook URL by clicking Copy.
• You can delete an existing integration by clicking the Remove integration icon.
Webhook parameters
To create an investigation, make sure you use the appropriate URL parameters.
Supported evidenceType
evidenceType: IP
Description: To investigate an external IP address.
Parameters:
• Name = <IP address>
• Address = <IP address>
• rawData = <rawData>
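As an added example that is not McAfee's code, the helper below assembles the webhook request for the IP evidenceType from the parameters listed above. It assumes the parameters travel as URL query parameters (the guide says "URL parameters" but does not show the exact request), the Webhook URL is a placeholder, and, because the IP evidenceType exists to investigate an external address, it refuses private, loopback and otherwise non-global addresses rather than opening an investigation on them.

```python
# Added example (not McAfee's code): build the investigation webhook URL for
# evidenceType=IP. Assumptions: parameters are sent as URL query parameters,
# and WEBHOOK_URL is a placeholder for the URL copied from Manage integrations.
import ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

WEBHOOK_URL = "https://webhook.example.invalid/PLACEHOLDER-TOKEN"  # placeholder

def is_external_ip(address):
    """True only for a syntactically valid, globally routable IP address."""
    try:
        return ipaddress.ip_address(address).is_global
    except ValueError:  # not an IP literal at all
        return False

def ip_evidence_url(webhook_url, address, raw_data):
    """Return the webhook URL carrying IP evidence, or raise on unusable input."""
    if not is_external_ip(address):
        raise ValueError("%r is not an external IP address" % address)
    parts = urlsplit(webhook_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("webhook URL must be an absolute https URL")
    params = dict(parse_qsl(parts.query))   # keep any token already in the URL
    params.update({
        "evidenceType": "IP",
        "Name": address,
        "Address": address,
        "rawData": raw_data,
    })
    return urlunsplit(parts._replace(query=urlencode(params)))
```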