Partner Playbook: Deploying Field Effect MDR

Introduction

This playbook outlines the phases involved in deploying Field Effect MDR for a new client and gives an overview of each phase.



Initial Onboarding

To begin the process, our Customer Success team will reach out to introduce themselves and get you ready for your deployment.


After receiving your client's shipping details, we will ship the network appliance. This appliance needs to be physically installed in your client's environment. It’s used to monitor the traffic within their network.


We strongly recommend that your client completes phases 1 to 5 while the network appliance is in transit, before it arrives. This will make the deployment a much more efficient exercise.



Deploying Field Effect MDR

The following sections provide a high-level description of each phase, along with links to more in-depth knowledge base articles to help you complete each phase.


Phase 1: Create Accounts and Invite Users

Field Effect is managed through the Field Effect MDR Portal.


You should already have an account, and we recommend inviting your client's technical team members first so they can help set up and adjust Field Effect for their organization.



For help completing this phase, visit:


Chapter: User Management


Phase 2: Complete Your Client’s Monitoring Profile

Now that your client has access to the MDR Portal, the next phase is to complete their organization’s monitoring profile. This is part of the Service Profile page. It contains information that helps Field Effect, and our analysts, better understand, contextualize, and characterize the activity being monitored.


The monitoring profile stores the client organization’s web domains, email domains, public IPs, and (geographical) staff locations.


Some features, such as the DNS Firewall, require that you fill out the monitoring profile, which is why we recommend setting it up as soon as you have access to the MDR Portal.



For help completing this phase, visit:


Chapter: Service and Organizational Profile


Phase 3: Configure Active Response

Google Workspace and Microsoft 365 support Active Response, so it’s important to configure it before enrolling these services for cloud monitoring.


Active Response lets you define how aggressively Field Effect MDR, and our security analysts, respond to threats. This is defined through your response policy, which should align with your organization's, and your end clients', tolerance for risk and downtime.


There are four response policy levels available (Off, Limited, Balanced, and Aggressive), and we apply the Limited policy to new organizations by default.


Each response policy can be modified with custom exclusions (example: "never isolate host X."), and we encourage you to tailor your response policy to suit your organization's risk tolerance, especially while deploying the service.

For more on Active Response, visit:



Phase 4: Set Up Cloud Monitoring

Field Effect supports cloud monitoring for several cloud services. For this phase, set up the client’s supported cloud services in the MDR Portal for cloud monitoring. Our knowledge base has setup guides for every cloud service supported by Field Effect.


Of our cloud services, Google Workspace and Microsoft 365 support Active Response. It’s important to set up Active Response prior to setting up cloud services, as you will be given a chance to enable Active Response when setting up services that support it.



For help completing this phase, visit:


Chapter: Cloud Monitoring


Phase 5: Enable the DNS Firewall

Before enabling the DNS Firewall, ensure that phase 2 has been completed since the DNS Firewall leverages the details included in your client’s monitoring profile. 


The DNS Firewall can track and block access to IP addresses associated with sites that are known to be malicious. In addition to blocking known malicious sites, client organizations can block access to sites based on category (gambling, streaming, etc.) or use the custom allowlist and blocklist to control access to specific URLs.



For help completing this phase, visit:


Chapter: DNS Firewall


Phase 6: Network Appliances

The network appliance stores, monitors, and analyzes the traffic moving through your client's network. Each appliance ships with the appropriate setup guide, and the guides are also available in our knowledge base.


If the client requested a Field Effect hosted virtual machine, the physical network appliance can be ignored, and focus should be put on setting up the virtual appliance.



For help completing this phase, visit:


Chapter: Field Effect Appliances


Phase 7: Install Endpoint Agents

The final phase is to install the endpoint agent on the client organization’s devices. Every device in the organization should have an endpoint agent installed, as it allows several Field Effect features to function.


Endpoint agents are accessible via the MDR Portal and available for Windows, macOS, and Linux (Debian and RedHat).


For help completing this phase, visit:


Conclusion

These steps outline the phases of a Field Effect deployment. After completing the process, you can really begin to take advantage of Field Effect.


Learn more about using Field Effect post-deployment:

  • Chapter – AROs: every threat and vulnerability Field Effect detects is reported to you via an ARO (Action, Recommendation, or Observation). This chapter covers the concept of AROs and how to work with them.
  • Chapter – Reports & Analysis: the MDR Portal’s Reports & Analysis section houses several dashboards for various aspects of your threat surface. This chapter introduces you to each dashboard, and how to navigate them.
  • Chapter – SEAS: as a Field Effect user, you have access to the Suspicious Email Analysis Service (SEAS). Any time you or your colleagues receive a suspicious email, you can send it to SEAS and receive a full report in the MDR Portal about the submitted email.
