Client Playbook: Deploying MDR Complete

Introduction

Welcome to Field Effect.


As a new MDR Complete client, you can now deploy the service, which involves seven phases. This guide provides an overview of each phase.


By this point, you should have received our welcome email and (if using a physical appliance) received some shipping information. To learn more about these pre-deployment communications, see Understanding Your Deployment.


While the network appliance is in transit, we strongly recommend that you complete phases 1-5 before it arrives at your location.

This will make the deployment a much more efficient exercise.



Deploying MDR Complete

The following sections provide a high-level description of each deployment phase, along with links to more in-depth Help Center articles for more assistance.


When logging into the MDR Portal for the first time, you will have the opportunity to use the in-app onboarding wizard, which will walk you through many of the phases included in this playbook.

If you dismissed the onboarding wizard, want to reference the steps of a deployment, or want access to Help Center articles with more details on a specific topic, see the sections below.


Phase 1: Create an MDR Portal Account & Invite Users

The Field Effect MDR Portal is at the center of your deployment, as it is where you will interact with and configure your service. You should create an account for the MDR Portal as soon as possible. After creating your account, invite technical members from your organization to create their own accounts.


We recommend inviting your technical team members first, so they can help you set up and adjust Field Effect for your organization.


For help completing this phase, you may wish to also learn about:



Phase 2: Complete Your Organization’s Monitoring Profile

Some features, such as the DNS Firewall, require that you fill out the monitoring profile, so be sure to set it up as soon as you and your team gain access to the MDR Portal.


Your monitoring profile is part of the Service Profile page, and it contains details that help Field Effect better understand, contextualize, and characterize the activity being monitored. Add your organization's web domains, email domains, Public IPs, and (geographical) staff locations to this profile.


For help completing this phase, you may wish to also learn about:



Phase 3: Set up Active Response

Google Workspace and Microsoft 365 support Active Response, so it’s important to configure it before enrolling these services for cloud monitoring.


Active Response lets you define how aggressively Field Effect MDR, and our security analysts, respond to threats. This is defined through your response policy, which should align with your organization's tolerance for risk and downtime.


There are four response policy levels available (Off, Limited, Balanced, and Aggressive), and we apply the Balanced policy to new organizations by default.


Each response policy can be modified with custom exclusions (example: "never isolate host X."), and we encourage you to tailor your response policy to suit your organization's risk tolerance, especially while deploying the service.


For more on Active Response, visit:


While deploying Field Effect MDR, Active Response will be set to "notify only" mode for the first two weeks of the service being deployed. This allows Field Effect MDR, and our security analysts, to establish a baseline for your organization's activity.

While in notify-only mode, you will still be alerted on any suspicious activity; after the baseline is established, the Balanced profile will be enabled and will respond to threats accordingly.



Phase 4: Set Up Cloud Monitoring

Enrolling a cloud service is usually as simple as providing administrator credentials for each cloud service in the MDR Portal. Our Help Center has setup guides for every cloud service supported by Field Effect.


Of our cloud services, Google Workspace and Microsoft 365 support Active Response. It is therefore important to set up Active Response before setting up cloud services, as you will be given the chance to enable Active Response when enrolling services that support it.


For help completing this phase, visit: 



Phase 5: Enable the DNS Firewall

Before enabling the DNS Firewall, be sure you have completed phase 2, since the DNS Firewall relies on the details included in your monitoring profile.


The DNS Firewall can track and block access to IP addresses associated with sites that are known to be malicious. In addition to blocking known malicious sites, you can block access to sites based on category (gambling, streaming, etc.) or use the custom allowlist and blocklist to control access to specific URLs.


For help completing this phase, visit:



Phase 6: Field Effect Network Appliances

This phase will differ depending on the type of primary appliance that was scoped for your organization (physical or virtual) and whether or not you have any secondary appliances included in your organization.


If you have a secondary appliance, it is likely a Compact Sensor.


Phase 6a: Physical appliance

The network appliance stores, monitors, and analyzes the traffic moving through your network. It is shipped to your primary location with the appropriate setup guide, but there are model-specific guides available in our Help Center.


For help completing this phase, visit:


Phase 6b: Self-Hosted Virtual Appliance

In some cases, you may be self-hosting a virtualized primary appliance that stores, monitors, and analyzes the traffic moving through your network. If so, use the guides below to install the primary appliance in your virtual environment.



Phase 7: Install Endpoint Agents

The final phase is to install our endpoint agent on your organization’s devices. Every supported device should have an endpoint agent installed, as the agent allows several Field Effect features to function. Endpoint agents are accessible via the MDR Portal and available for Windows, macOS, and Linux (Debian/Ubuntu and RedHat).


For help completing this phase, visit:


When the endpoint agent is installed, it spends approximately the first 7 days in what we refer to as a “soaking period”. This allows us to establish a baseline of what typical behavior looks like on the endpoint device.

During this time, the agent is actively monitoring but operating in a notify-only mode. This means that, while we are still collecting data and observing behavior, no enforcement actions are taken.



Conclusion

After completing the process, you can really begin to take advantage of Field Effect.


Learn more about using Field Effect post-deployment:

  • Chapter – AROs: every threat and vulnerability Field Effect detects is reported to you via an ARO (Action, Recommendation, or Observation). This chapter covers the concept of AROs and how to work with them.
  • Chapter – Reports & Analysis: the MDR Portal’s Reports & Analysis section houses several dashboards for various aspects of your threat surface. This chapter introduces you to each dashboard, and how to navigate them.
  • Chapter – SEAS: as a Field Effect user, you have access to the Suspicious Email Analysis Service (SEAS). Any time you or your colleagues receive a suspicious email, you can send it to SEAS and receive a full report in the MDR Portal about the submitted email.
