
McAfee MVISION Endpoint Detection and Response
Installation Guide (FedRAMP)
Contents

Activate your account .... 3
  Activate your MVISION account .... 3
  Configuring Single Sign-On to log on to MVISION .... 3
  MVISION EDR roles .... 5
System requirements .... 7
  Server and client requirements .... 7
  Network ports and URL allow list .... 7
Install and upgrade MVISION EDR on MVISION ePO .... 11
  Deploy MVISION EDR using MVISION ePO .... 11
  Upgrade MVISION EDR client using MVISION ePO .... 12
Configure MVISION EDR .... 13
  Configure advanced features of MVISION EDR .... 13
    View account settings .... 13
    Manage integrations .... 13
      Investigate phishing emails .... 13
      Create webhooks to manage investigations .... 14
        Webhook parameters .... 14
1| Activate your account

Activate your MVISION account
Once you are registered with MVISION, you receive an email with instructions to activate your MVISION account.

For information about setting up an MVISION ePO account, see Set up an MVISION ePO account.

If the MVISION EDR UI is inactive for more than 40 minutes, the user is logged out. Also, when a user is logged on to both
the MVISION ePO UI and the MVISION EDR UI and logs out of the MVISION ePO UI, the MVISION EDR UI is logged out
automatically.

Important

Chrome is the officially supported browser to access MVISION EDR.

Task
1. Open the email that you have received and click Activate.
2. Enter a password and confirm it, then click Set Password.
3. Type your email address and click Next.
4. Type the password that you have set and click Sign In.
5. Select MVISION EDR from the products list.

Results

You have successfully activated MVISION and logged on to MVISION EDR.

Configuring Single Sign-On to log on to MVISION


Single Sign-On (SSO) allows you to securely authenticate to multiple applications using one set of logon credentials through an
Identity Provider (IdP). You can log on to your MVISION account directly from your enterprise IdP.

To configure SSO for your MVISION account:

1. Configure the IdP application.
2. Input your Security Assertion Markup Language (SAML) configuration information in MVISION.
3. Update your IdP configuration with the information from MVISION.

The configuration you create using these steps is saved separately within the McAfee MVISION system.

Configuring the IdP application


Configure a new IdP application in your SSO solution to get the IdP URL, issuer URL, and X.509 certificate.

For instructions on how to configure your IdP application, see your identity provider's documentation.

Note

You might need to use placeholder information for the ACS URL and the Audience URI when you configure your third-party
IdP. Enter the details later when you Update your IdP application SAML settings with the information from MVISION.

Input your SAML configuration information in MVISION


Configure the settings in the Identity Provider page to enable SSO using your IdP application.

1. Enter the information in the Identity Provider section.

• Issuer — Enter the Identity Provider Issuer from your IdP.
• Certificate — Download the certificate from your IdP, then click Choose File to upload the certificate to MVISION.
• Login URL — Enter the Identity Provider SSO URL from your IdP.
• Signature Algorithm — Make sure that your IdP application is configured with the SHA-256 signature algorithm.
• Request Binding — Make sure that the request binding matches the one configured in your IdP application.

2. From the User List, select the users that you want to exempt from SSO.
3. After successfully saving the configuration, you can view the information in the Service Provider (MVISION) section.

• Audience — Edit your IdP application's SAML settings to update the Audience URI.
• Assertion Consumer Service URL — Edit your IdP application's SAML settings to include the SSO URL.
• Certificate — Download the certificate. Some IdPs require the MVISION service provider certificate.
• SAML Metadata — Download the SAML metadata. It contains other configuration which your IdP might require.

4. Click Save Changes.

Update your IdP application SAML settings with the information from MVISION
After saving the IdP configuration in your MVISION account, go to your IdP application and edit the SAML settings with the
information from MVISION.

1. Audience URI — Enter the Audience link from MVISION.
2. Single Sign On URL — Enter the Assertion Consumer Service URL from MVISION.
3. Configure the application to send these user attributes to the IdP.

• First Name — user.firstName (possible schema: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname)
• Last Name — user.lastName (possible schema: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname)
• Email — user.email (possible schema: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)
• Unique User Identifier — user.email (possible schema: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)

Note

The possible schemas provided here are for reference only. These schemas can vary depending on the IdP.

4. Click the newly configured application to test the logon.

Note

Set your Unique User Identifier to the email address. Only an email address is accepted as the primary identifier for users.

Once you change the Unique User Identifier from first name or last name to an email address, the updated certificate has
to be downloaded from the IdP application and uploaded again in the Identity Provider section.

Note

You must and to allow them to access MVISION ePO using SSO.

Troubleshooting SSO

The error message Misconfigured identity provider. Check your configuration and try again appears during logon if any of
these conditions is true:

• The IdP SSO or the MVISION IdP is not configured properly.
• The user logging on using SSO has not been added to the MVISION tenancy.
• The Unique User Identifier in the IdP application was changed to an email address, but the updated certificate was not
uploaded again in the Identity Provider section.

Contact McAfee Support if you encounter this error.
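The Identity Provider page above asks for four values that all come from the IdP's SAML 2.0 metadata (Issuer, Login URL, Request Binding, Certificate), and the last troubleshooting item is a certificate that changed at the IdP but was never re-uploaded. The following added example (not McAfee's code; the metadata document, entity ID, URLs and certificate bytes are constructed placeholders) extracts those values from IdP metadata and fingerprints the signing certificate so the copy uploaded to MVISION can be compared with what the IdP currently publishes.

```python
"""Added example (not McAfee code): pull the values MVISION's Identity Provider page
needs out of IdP SAML 2.0 metadata and fingerprint the IdP signing certificate."""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder; a real IdP publishes its DER-encoded X.509 certificate here.
FAKE_CERT_DER = b"PLACEHOLDER CERTIFICATE BYTES - NOT A REAL X.509 CERTIFICATE"

# Constructed sample metadata: entity ID and URLs are placeholders, not a real IdP.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/issuer">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        %s
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""" % base64.b64encode(FAKE_CERT_DER).decode()


def to_pem(cert_der: bytes) -> str:
    """Wrap DER bytes as PEM, the form a certificate upload dialog usually expects."""
    body = textwrap.fill(base64.b64encode(cert_der).decode(), 64)
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str) -> dict:
    """Return Issuer, Login URL per request binding, signing cert (PEM) and its SHA-256."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):   # no 'use' means signing and encryption
            el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if el is not None and el.text:
                cert_b64 = "".join(el.text.split())  # strip the metadata's line wrapping
                break
    if cert_b64 is None:
        raise ValueError("no signing certificate in metadata")
    cert_der = base64.b64decode(cert_b64)
    login_urls = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]   # e.g. HTTP-Redirect
        login_urls[binding] = svc.get("Location")
    return {
        "issuer": root.get("entityID"),             # Identity Provider Issuer field
        "login_urls": login_urls,                    # Login URL, keyed by Request Binding
        "certificate_pem": to_pem(cert_der),         # file to upload as Certificate
        "certificate_sha256": hashlib.sha256(cert_der).hexdigest(),
    }


def certificate_is_stale(uploaded_sha256: str, fields: dict) -> bool:
    """True when the IdP now publishes a different signing certificate from the one
    uploaded to MVISION, the condition behind the last troubleshooting item above."""
    return uploaded_sha256.lower() != fields["certificate_sha256"]
```

Keep the SHA-256 of the certificate you uploaded; re-fetching the IdP metadata and calling certificate_is_stale tells you whether the upload must be repeated before users hit the misconfigured-identity-provider error.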

MVISION EDR roles


MVISION EDR has three main roles: MVISION EDR Administrator, MVISION SOC Analyst L2, and MVISION SOC Analyst L1.

As an MVISION EDR Administrator, you can:

• Configure MVISION EDR.
• Conduct investigations, monitor threats, and perform searches in Real-time or Historical Search.
• Take action on the endpoint devices.
• Create and edit custom collectors and reactions.

As an MVISION SOC Analyst L2, you can:

• Conduct investigations, monitor threats, and perform searches in Real-time or Historical Search.
• Take action on the endpoint devices.

As an MVISION SOC Analyst L1, you can:

• Conduct investigations, monitor threats, and perform searches in Real-time or Historical Search.

As an MVISION Account Administrator, when you select the following roles for MVISION EDR and assign them to a user, the user
can:

• The Configure endpoint policies (MVISION ePO only) role: configure endpoint policies on the MVISION ePO Policy Catalog page.
• The Configure tenant's settings and data sources role: configure the MVISION EDR tenant's settings and data sources.
• The Execute a targeted remediation action (single device) role:
  • Access the Device Actions option on the Monitoring dashboard when endpoints are selected.
  • Access the Quarantine device and End Quarantine device options under Device Details → Take an action on the Investigating dashboard.
  • Access the Actions option on the Real-time Search dashboard when endpoints are selected.

  If the Execute a targeted remediation action (single device) option is not selected:
  • The Action History dashboard is not visible.
  • The Manage threat exclusions option on the Configuration page is not visible.
  • The Investigating dashboard is not visible.
  • The Take actions drop-down options Exclude from threats and Dismiss on the Monitoring dashboard are disabled and not visible.
  • All remediation actions are disabled and do not appear on the respective dashboards.
• The Triage, scope, and conduct investigation cases role: create an investigation from the Take action option on the Monitoring dashboard.

  If the Triage, scope, and conduct investigation cases option is not selected, the user can't see the Investigating dashboard on the MVISION EDR menu.

2| System requirements

Server and client requirements
Before you install MVISION EDR, make sure that your server and client systems meet all requirements (KB91345).

For information about MVISION EDR software and hardware requirements, and supported environments, see KB91345.

Network ports and URL allow list


MVISION EDR uses specific network ports to connect to the DXL client and the MVISION EDR client.

Note

Make sure your network settings are configured correctly and that SSL traffic inspection is disabled for these URLs and IP addresses.

URL allow list

You must allow access to the following MVISION EDR URLs:

https://ui.soc.mcafee-gov.com
https://ui.uam.mcafee-gov.com
https://api.iam.mcafee-gov.com
https://api.uam.mcafee-gov.com
https://api.iam-rs.mcafee-gov.com
https://login.iam.mcafee-gov.com
https://ui.iam.mcafee-gov.com

Common paths for MVISION ePO implementations

Source | Destination | Port | Description
Browsers | MVISION EDR workspace | TCP 443 | Access the MVISION EDR interface.
Endpoint (McAfee® Agent) | Enterprise DNS server | TCP/UDP 53 | Resolution of McAfee® Global Threat Intelligence™ (McAfee GTI) URLs.
Endpoint (MVISION EDR Agent) | MVISION EDR workspace | TCP 443 | Snapshots (default route, and the recommended one).
All components | Enterprise NTP server | TCP 123 | Network time synchronization.
Administrator workstation | MVISION ePO | TCP 443 |
Endpoint (Phoenix Agent) | MVISION EDR workspace | TCP 443 | Snapshot Agent; it detects proxy settings automatically.
Specific paths — Implementation with MVISION ePO

Source | Destination | Port | Description
Endpoint (McAfee Agent) | MVISION ePO McAfee Agent handlers | TCP 80, TCP 443 | Policies download, McAfee Agent system logs upload.
MVISION ePO | Endpoint (McAfee Agent) | TCP 8081 | McAfee Agent wakeup call / SADR (not supported) / Peer-to-Peer / Relay. See McAfee Agent KB66797.
NA | NA | TCP 8082 | Peer-to-peer server discovery, RelayServer discovery.
NA | NA | TCP 8083 | RelayServer discovery for previous versions of McAfee Agent, if Enable RelayServer is selected on the McAfee Agent policy. If deselected, this port is not open.
Endpoint (McAfee Agent 5.6 or DXL client) | MVISION ePO | TCP 443 | DXL messaging (ICMP is not supported) and real-time search queries.
Endpoint (McAfee Agent 5.6 or DXL client) | MVISION EDR workspace | TCP 443 | Send information to the MVISION EDR workspace: trace data from endpoints / MVISION EDR client; real-time search responses from endpoints / MVISION EDR client.
3| Install and upgrade MVISION EDR on MVISION ePO

Deploy MVISION EDR using MVISION ePO
To install MVISION EDR, make sure your MVISION account is set up and activated.

Note

Upon installation or upgrade of the MVISION EDR client, you might have to reboot the client system.

Task
1. Log on to MVISION EDR as administrator.
2. Click the configuration icon on the top-right corner to access the Configuration page.
3. On the Configuration page, select Use McAfee MVISION ePO for management. Then click Save.

Important

Make sure you select the correct configuration. This setting can only be changed with the assistance of Customer
Support.

4. Deploy the MVISION EDR client to devices:
a. Log on to MVISION ePO as administrator.
b. Select Menu → Software → Product Deployment.
c. Select Advanced Options → Advanced Product Deployment, then click New Deployment.
d. Enter a name and description for the deployment task.
e. Select McAfee MVISION EDR Client as the software package.
f. Select Individual Systems or by Tag or Group to open the System Selection window.
g. From System Tree, on the System Selection page, select the devices where you want to deploy the client software,
then click OK.
h. Choose Run Immediately to start the deployment task immediately.
i. Click Save.

Note

When installing the MVISION EDR client on Mac endpoints, the endpoint user is prompted with pop-ups to grant permission
for McAfeeSystemExtensions on the General tab of the Security & Privacy page. Also, you must allow Full Disk Access
for McAfeeSystemExtensions and fmpd on the Privacy tab.

5. On MVISION EDR, go to the Configuration page and verify whether the connection status is green to confirm the
deployment is complete, then click Done.

Upgrade MVISION EDR client using MVISION ePO


Install a newer version of the MVISION EDR client on managed systems to upgrade clients.

Note

Upon installation or upgrade of the MVISION EDR client, you might have to reboot the client system.

Task
1. Log on to MVISION ePO as administrator.
2. Select Menu → Software → Product Deployment.
3. Select Advanced Options → Advanced Product Deployment, then click New Deployment.
4. Enter a name and description for the deployment task.
5. Select McAfee MVISION EDR Client as the software package.
6. Select Individual Systems or by Tag or Group to open the System Selection window.
7. From System Tree, on the System Selection page, select the devices where you want to deploy the client software, then
click OK.
8. Click Run Immediately to start the deployment task, then click Save.

4| Configure MVISION EDR

MVISION EDR simplifies the process of initial configuration and helps security analysts configure the product with minimal
settings before using it.

Before you begin


Make sure that you have administrator permissions.

Task
1. Log on to MVISION EDR as administrator.
2. Select Menu → Investigating → Configuration.
3. Select Use McAfee MVISION ePO for management.
4. Click Install components, then click Save.

Results

You have successfully configured MVISION EDR.

Configure advanced features of MVISION EDR

View account settings

You can view the McAfee Cloud Services Agreement and share your telemetry data.

Task
1. Log on to MVISION EDR as administrator.
2. Click the configuration icon on the top-right corner to access the Configuration page.
3. Under Finetune configuration, click View account settings.
4. Click View McAfee Cloud Services Agreement to read the document, then click Save.

Manage integrations

Investigate phishing emails

MVISION EDR analyzes emails reported as phishing to the Security Operations Center (SOC) and helps you perform the
investigation.

It identifies and extracts email addresses, subject, body, attachments, metadata, and headers for better visualization. It also lets
you view, analyze, and respond to phishing reports. MVISION EDR automatically analyzes IP addresses, fully qualified domain
names (FQDNs), and files available on the analyzed email.

Important

This feature is only supported if your tenant is hosted in a United States data center.

Task
1. Log on to MVISION EDR as administrator.
2. Click the configuration icon on the top-right corner to access the Configuration page.
3. Click Manage integrations, then click + Add to add an integration.
4. In the Name field, type a name for the phishing email integration if you want to provide email evidence of phishing and create an
investigation.

Note

Phishing emails are supported only in unsigned and unencrypted .eml and .msg formats.

5. Under the Action drop-down list, select Add Email Evidence, then click Save to add a new integration.

Create webhooks to manage investigations

You can create URLs to integrate other products with MVISION EDR. You can use these URLs to create investigations
automatically on MVISION EDR.

Task
1. Log on to MVISION EDR as administrator.
2. Click the configuration icon on the top-right corner to access the Configuration page.
3. Click Manage integrations, then click + Add to add an integration.
4. In the Name field, type the required name, then from the Action drop-down list, select Add Evidence.
5. From the Delivery method drop-down list, select Direct to Cloud, then click Save.

Results

A Webhook URL is created: https://api.soc.mcafee-gov.com/wh/v1/webhook/<webhook id>

• You can regenerate the Webhook URL by clicking Regenerate and copy the Webhook URL by clicking Copy.
• You can delete an existing integration by clicking the Remove integration icon.

Webhook parameters

To create an investigation, make sure you use the appropriate URL parameters.

Parameter name | Optional / Mandatory | Description | Example
eventSrc | Optional | Provides the SOC analyst with a visual indicator that distinguishes between ESM-initiated and ePO-initiated investigations. The value of this parameter appears in the MVISION EDR Investigating dashboard under the By column. | McAfeeESM, ArcSightESM
caseType | Mandatory | Defines the type of alert. Recognized values are malware and network; any other value is treated as others. | Malware, Network
caseName | Optional | Gives the investigation a meaningful name. If the name is missing, a default case name is assigned. The value of this parameter appears in the MVISION EDR Investigating dashboard under the Investigation column. | <incident on endpoint>
caseHint | Optional (highly recommended) | Automatically links related investigations to avoid creating multiple cases from alerts related to the same incident. Although this parameter is optional, it is highly recommended. | <10.20.30.40>, <hostname>
caseSummary | Optional | Used for the description of an investigation. | <incident on endpoint>
casePriority | Optional | Assigns a priority to an investigation. | High, Medium, Low
caseOwner | Optional | Assigns an investigation to a specific user. | <caseowner>
evidenceType | Mandatory | Identifies the type of the evidence attributes being provided to MVISION EDR. | <evidencetype>
<attribute name> | Mandatory / Optional | Depending on the evidenceType and its corresponding schema, different attributes might need a value. | evidenceType = IP, address = <10.20.30.40>
Supported evidenceType

evidenceType | Attributes | Description
Device | Name = <host name>; Host name = <host name>; rawData = <rawData> | To investigate an endpoint based on its host name. If an endpoint with Microsoft Windows is managed by MVISION ePO, MVISION EDR takes a snapshot of the endpoint using the Endpoint Snapshot tool.
Identifier | Name = <McAfee Agent GUID>; ID = <McAfee Agent GUID>; rawData = <rawData> | To investigate an endpoint based on its McAfee Agent GUID. If an endpoint with Microsoft Windows is managed by MVISION ePO, MVISION EDR takes a snapshot of the endpoint using the Endpoint Snapshot tool.
IP | Name = <IP address>; Address = <IP address>; rawData = <rawData> | To investigate an external IP address.
FQDN | Name = <fully qualified domain name>; Address = <fully qualified domain name>; rawData = <rawData> | To investigate a fully qualified domain name.
URL examples for US-West data center

If your tenant is hosted in the Western United States data center, use the following examples:

• To investigate an IP address: https://api.soc.mcafee-gov.com/wh/v1/webhook/<webhook_id>/AddEvidence?evidenceType=IP&caseName=IPInvestigation&eventSrc=McAfeeESM&caseType=malware&address=42.231.162.212&name=42.231
• To investigate a device managed by MVISION ePO: https://api.soc.mcafee-gov.com/wh/v1/webhook/<webhook_id>/AddEvidence?evidenceType=Device&caseName=3BYW10RS3X86&eventSrc=ESM&caseType=malware&hostName=3BYW10RS3X86&name=3B&name=3BYW10RS3X86

URL examples for US-East data center

If your tenant is hosted in the Eastern United States data center, use the following examples:

• To investigate an IP address: https://api.soc.us-east-1.mcafee.com-gov.com/wh/v1/webhook/<webhook_id>/AddEvidence?evidenceType=IP&caseName=IPInvestigation&eventSrc=McAfeeESM&caseType=malware&address=42.231.162.212&name=42.231
• To investigate a device managed by MVISION ePO: https://api.soc.us-east-1.mcafee.com-gov.com/wh/v1/webhook/<webhook_id>/AddEvidence?evidenceType=Device&caseName=3BYW10RS3X86&eventSrc=ESM&caseType=malware&hostName=3BYW10RS3X86&name=3B&name=3BYW10RS3X86
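As an added example (not McAfee's code) that ties the parameter table, the Supported evidenceType table and the URL examples above together, the following Python builds an AddEvidence URL for the US-West webhook endpoint, refuses to emit one that lacks a mandatory parameter or attribute, and reports the conditions the tables warn about (an unrecognized caseType, a missing caseHint, an unknown casePriority). The query-key spellings `id` (for the Identifier table's ID attribute) and `rawData` are assumptions; the webhook id is a placeholder.

```python
"""Added example (not McAfee code): build and sanity-check MVISION EDR AddEvidence
webhook URLs from the Webhook parameters and Supported evidenceType tables."""
from urllib.parse import urlencode

WEBHOOK_BASE = "https://api.soc.mcafee-gov.com/wh/v1/webhook"  # US-West (FedRAMP)

# Query keys per evidenceType. name/hostName/address follow the guide's URL examples;
# 'id' (Identifier) and 'rawData' are assumed spellings of the table's attributes.
REQUIRED_ATTRIBUTES = {
    "Device": ("name", "hostName"),
    "Identifier": ("name", "id"),
    "IP": ("name", "address"),
    "FQDN": ("name", "address"),
}
OPTIONAL_ATTRIBUTES = ("rawData",)
CASE_FIELDS = ("caseName", "caseHint", "caseSummary", "casePriority", "caseOwner", "eventSrc")
RECOGNIZED_CASE_TYPES = ("malware", "network")   # anything else is filed as "others"
PRIORITIES = ("High", "Medium", "Low")


def missing_attributes(evidence_type: str, attributes: dict) -> list:
    """Names of mandatory attributes for this evidenceType that have no value."""
    if evidence_type not in REQUIRED_ATTRIBUTES:
        raise ValueError(f"unsupported evidenceType {evidence_type!r}; "
                         f"use one of {sorted(REQUIRED_ATTRIBUTES)}")
    return [k for k in REQUIRED_ATTRIBUTES[evidence_type] if not attributes.get(k)]


def lint_request(case_type: str, case_fields: dict) -> list:
    """Non-fatal findings the parameter table warns about."""
    findings = []
    if case_type not in RECOGNIZED_CASE_TYPES:
        findings.append(f"caseType {case_type!r} is not malware/network; it will be treated as others")
    if not case_fields.get("caseHint"):
        findings.append("caseHint missing: alerts for one incident may open separate cases")
    priority = case_fields.get("casePriority")
    if priority and priority not in PRIORITIES:
        findings.append(f"casePriority {priority!r} is not one of {PRIORITIES}")
    return findings


def build_add_evidence_url(webhook_id: str, evidence_type: str, case_type: str,
                           attributes: dict, **case_fields) -> str:
    """Return the AddEvidence URL, or raise if a mandatory value is absent."""
    if not case_type:
        raise ValueError("caseType is mandatory")
    missing = missing_attributes(evidence_type, attributes)
    if missing:
        raise ValueError(f"evidenceType {evidence_type} needs {missing}")
    unknown = set(case_fields) - set(CASE_FIELDS)
    if unknown:
        raise ValueError(f"unknown case parameters: {sorted(unknown)}")
    params = {"evidenceType": evidence_type, "caseType": case_type}
    params.update({k: v for k, v in case_fields.items() if v})
    allowed = REQUIRED_ATTRIBUTES[evidence_type] + OPTIONAL_ATTRIBUTES
    params.update({k: attributes[k] for k in allowed if attributes.get(k)})
    # urlencode percent-escapes the values and emits each key once (the guide's own
    # device example repeats name=); the webhook id is a path segment, not a query value.
    return f"{WEBHOOK_BASE}/{webhook_id}/AddEvidence?{urlencode(params)}"


def example_ip_url() -> str:
    """The guide's IP example, with caseHint added as the parameter table recommends."""
    return build_add_evidence_url("<webhook_id>", "IP", "malware",
                                  {"name": "42.231.162.212", "address": "42.231.162.212"},
                                  caseName="IPInvestigation", eventSrc="McAfeeESM",
                                  caseHint="42.231.162.212")
```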

COPYRIGHT
Copyright © 2024 Musarubra US LLC.

Trellix and FireEye are the trademarks or registered trademarks of Musarubra US LLC, FireEye Security Holdings US LLC and their affiliates in the
US and /or other countries. McAfee is the trademark or registered trademark of McAfee LLC or its subsidiaries in the US and /or other countries.
Skyhigh Security is the trademark of Skyhigh Security LLC and its affiliates in the US and other countries. Other names and brands are the
property of these companies or may be claimed as the property of others.
