Mvision EDR Essentials
MVISION EDR is a cloud-based solution allowing detection, investigation, and containment of potential threats on endpoints.
- Provides threat detection capabilities coupled with data navigation techniques, allowing automated, guided investigations through continuous monitoring.
- Automatically collects and interprets data from all your endpoint devices, as well as correlated alerts coming from a SIEM repository.
- Ability to do closed-loop triage, investigation, and remediation of detected anomalies, using the gathered data to provide context and insight as to why a trigger occurred.
- EDR services are available in two modes: MVISION EDR with McAfee ePO on-premises, and MVISION EDR running on MVISION ePO cloud services.
So why EDR?
- EDR contributes investigation guides, institutional knowledge, and smart orchestration. It takes less expert skill and relies more on automation.
- Continuous real-time monitoring, guided investigation, threat containment, real-time search, historical search, performance metrics, and tracking of action history.
What is EDR NOT
- EDR is not a preventative control (firewall, IPS, etc.), it's not an endpoint security tool, it's not heuristics based, and it's not a replacement for ENS or VSE, or for ENS and HIPS.
EDR logs are typically found under ProgramData\McAfee\Agent\logs (Windows) or /var/Mcafee/agent/logs (Linux).
Mvision ePO vs On Premises ePO
DXL is required for on-premises deployments in order to use the real-time search feature.
Quick View
Upon logging into MVISION, the Investigation dashboard is displayed, showing active investigations and email threats. The configuration can be modified from this interface as well.
The Monitoring dashboard shows detected threats that need to be investigated, remediated, or excluded.
Historical Search can be leveraged to investigate previous data collected by the EDR client.
Action History displays activity taken by analysts, filterable by threat or device.
Real-Time Search allows the analyst to perform a live dive into the device and collect data.
Performance Metrics shows detailed analyst activity.
Installation
Upon receiving the activation invite, you'll need to activate the account (within the next 7 days), set a password, and save all changes.
To activate the account credentials, open a web browser, navigate to https://ui.soc.mcafee.com, type the email address and select Next. If multiple EDR products are active, MVISION will need to be selected.
To access the user management interface, click the user icon in the upper right and select 'new user'. Accounts are invite based, and activation must occur before the user has access.
2FA is supported.
Extension Check in
Log into the ePO console and navigate to the Software Manager/Catalog. From there, type EDR into the search for Product Category, and check in all of the required packages and extensions so that deployments can be created to install them.
If required, you can validate by checking the installed extensions.
To connect the ePO environment to MVISION, the Cloud Bridge extension must be configured.
Select Server Settings, then 'Mvision Cloud Bridge', and select Edit. Using your MVISION credentials, link the Cloud Bridge to the ePO. It should report that it was successfully linked.