How Field Effect MDR Works

Introduction

Field Effect MDR is a cybersecurity solution that includes endpoint, cloud, and (for MDR Complete customers) network monitoring. When a cybersecurity situation is detected that requires action or follow-up, you will be notified via our core reporting mechanism - an ARO (Action, Recommendation, or Observation).


This article covers how Field Effect MDR's various components work and communicate with each other across the following topics:



How Field Effect MDR's Monitoring Works

The following sections outline the various aspects of our MDR service and how they interoperate.


The Network Appliance

The primary appliance acts as the service's main controller and can be hosted on your network (physically or virtually) or hosted by Field Effect in the cloud. Your appliance type depends on your service tier and network requirements, but our sales and support teams help ensure that the appropriate appliance(s) is selected for your deployment.


Only one primary appliance is required, but if you have multiple locations (branch offices, etc.), each of them will require a secondary appliance (physical or virtual). Secondary appliances communicate with the primary appliance, where the analysis takes place, via an encrypted relay.


For MDR Core customers, we will provision you a cloud-hosted primary appliance.


Endpoint Monitoring

Our endpoint agent (see availability here) communicates with the primary appliance either directly (when on the same network) or through an encrypted relay connection. Depending on how the service is configured, the agent can intervene (isolate, block, etc.) when a threat is detected.


Installers can be downloaded from the primary appliance and the MDR Portal, and they support several installation types, including GPO and RMM deployment. See our Installer Guides for more on this.


Cloud Monitoring

Field Effect MDR integrates with several cloud services, which are set up in the MDR Portal. Once a cloud service is enrolled, we will monitor and analyze the service's telemetry and user activity for reporting and ARO creation, when appropriate. See our Cloud Monitoring Overview and integration guides for more.


How Endpoints Communicate with the Appliance

The endpoint agent communicates with the primary appliance in two ways: 

  • Network: when connected to the same network, they will communicate directly.
  • Relay: when the agent cannot directly connect to the appliance (example: remote location), an encrypted "relay" connection is used.
    • This relay connection is the only method available for virtual deployments, where the network is not applicable.


Each agent is configured with two domains:

  1. A domain that resolves to the appliance's local IP address
  2. A domain that resolves to the relay


These domains are configured automatically during the installation process, and the agent cycles between them, only connecting to a server with a valid certificate.
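As an added example (not Field Effect's code; the hostnames, the certificate issuer and the failure cases are constructed for illustration, and the local-before-relay order is an assumption), the Go program below models that cycling: the agent walks the two domains in order and accepts only an endpoint whose certificate chains to a pinned root for that exact hostname, so an unreachable local appliance falls through to the relay, while a reachable host presenting the wrong certificate is skipped rather than trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Constructed model of the agent's endpoint selection; not Field Effect's code.
// Hostnames are placeholders. A "server" here is just the certificate it would present.

type Endpoint struct {
	Host string
	Cert *x509.Certificate // leaf presented by whatever answers at Host; nil = unreachable
}

// SelectEndpoint tries the endpoints in order (local first, then relay) and returns the
// first one that is reachable AND presents a certificate chaining to the pinned root for
// exactly that hostname. A reachable host with a bad certificate is skipped, never trusted.
func SelectEndpoint(roots *x509.CertPool, endpoints []Endpoint) (string, error) {
	for _, ep := range endpoints {
		if ep.Cert == nil {
			continue // unreachable: fall through to the next domain
		}
		if _, err := ep.Cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: ep.Host}); err != nil {
			continue // reachable, but not our appliance/relay (wrong issuer, wrong name, expired, ...)
		}
		return ep.Host, nil
	}
	return "", errors.New("no endpoint presented a certificate chaining to the pinned root")
}

// Fixtures: a private CA that can issue leaf certificates for a hostname.
type CA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func NewCA(name string) *CA {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return &CA{cert: cert, key: key}
}

// Issue signs a server certificate for host with the given expiry (the expiry is a parameter
// so that an already-expired certificate can be constructed for the negative case).
func (ca *CA) Issue(host string, notAfter time.Time) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Pool returns the trust store an agent would pin: only this CA.
func (ca *CA) Pool() *x509.CertPool { p := x509.NewCertPool(); p.AddCert(ca.cert); return p }
```

The pinned pool is the whole point: the agent does not consult the system trust store, so a certificate that is perfectly valid for the public web, but not issued under the pinned root, still cannot stand in for the appliance or relay.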



Communication Security

Our configurations are signed by our root of trust, which is hard-coded into the agent. All messages sent from an agent to the appliance are additionally encrypted with the appliance key using X25519. Messages sent from the appliance to the agent are Ed25519 signed with the appliance key. Further, sensitive messages such as those related to our EDR rules are separately Ed25519 signed with keys that are not present on the appliance, minimizing the impact of an appliance compromise.
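As an added illustration of the trust model this section describes (not Field Effect's code, and not a description of its actual wire format), the Go program below models the four relationships in miniature: a configuration that the agent accepts only if the hard-coded root key signed it, agent-to-appliance messages encrypted to the appliance's X25519 key, appliance-to-agent messages verified under the appliance's Ed25519 key, and EDR rules verified only under a separate key that never lives on the appliance. The message layout, the SHA-256 key derivation and all names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Constructed model of the trust relationships in this article; not Field Effect's code.
// Root: signs configuration, public half hard-coded in the agent. Appliance: X25519 key that
// agents encrypt to, Ed25519 key that signs messages to agents. Rule signer: off-appliance key.

type Appliance struct {
	box  *ecdh.PrivateKey   // X25519 decryption key
	sign ed25519.PrivateKey // Ed25519 signing key
}

type Agent struct { // public keys only; all three arrive in the root-signed configuration
	applianceBox []byte            // appliance X25519 public key
	applianceSig ed25519.PublicKey // appliance Ed25519 public key
	ruleSig      ed25519.PublicKey // off-appliance rule-signing key
}

type Signed struct{ Body, Sig []byte }

func NewAppliance() *Appliance {
	box, _ := ecdh.X25519().GenerateKey(rand.Reader) // only fails if crypto/rand does
	_, sign, _ := ed25519.GenerateKey(rand.Reader)
	return &Appliance{box: box, sign: sign}
}

// MakeConfig is the root's offline step: bind the three public keys (3 x 32 bytes) and sign them.
func MakeConfig(rootPriv ed25519.PrivateKey, ap *Appliance, ruleSigPub ed25519.PublicKey) Signed {
	body := append([]byte{}, ap.box.PublicKey().Bytes()...)
	body = append(body, ap.sign.Public().(ed25519.PublicKey)...)
	body = append(body, ruleSigPub...)
	return Signed{Body: body, Sig: ed25519.Sign(rootPriv, body)}
}

// BootstrapAgent accepts a configuration only if the hard-coded root key signed it.
func BootstrapAgent(rootPub ed25519.PublicKey, cfg Signed) (*Agent, error) {
	if len(cfg.Body) != 96 || !ed25519.Verify(rootPub, cfg.Body, cfg.Sig) {
		return nil, errors.New("configuration not signed by root of trust")
	}
	return &Agent{applianceBox: cfg.Body[:32], applianceSig: cfg.Body[32:64], ruleSig: cfg.Body[64:96]}, nil
}

// sessionAEAD: X25519 between priv and peerPub, then AES-256-GCM keyed from the shared secret
// and the ephemeral public key (plain SHA-256 stands in for a real KDF such as HKDF).
func sessionAEAD(priv *ecdh.PrivateKey, peerPub, ephPub []byte) (cipher.AEAD, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(peer) // errors on low-order points instead of yielding an all-zero secret
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append(append([]byte{}, shared...), ephPub...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal: agent-to-appliance message under a fresh ephemeral X25519 key.
// Wire layout: ephPub(32) || nonce(12) || ciphertext+tag, with ephPub also bound as AAD.
func (a *Agent) Seal(msg []byte) ([]byte, error) {
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader) // only fails if crypto/rand does
	ephPub := eph.PublicKey().Bytes()
	gcm, err := sessionAEAD(eph, a.applianceBox, ephPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, ephPub...), nonce...)
	return gcm.Seal(out, nonce, msg, ephPub), nil
}

// Open is the appliance side of Seal; only the holder of the X25519 private key can read it.
func (ap *Appliance) Open(blob []byte) ([]byte, error) {
	if len(blob) < 44 {
		return nil, errors.New("message too short")
	}
	ephPub, nonce, ct := blob[:32], blob[32:44], blob[44:]
	gcm, err := sessionAEAD(ap.box, ephPub, ephPub)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, ephPub) // fails closed on any tampering
}

// Appliance-to-agent messages are signed with the appliance's Ed25519 key ...
func (ap *Appliance) SignMessage(msg []byte) Signed { return Signed{msg, ed25519.Sign(ap.sign, msg)} }
func (a *Agent) VerifyApplianceMessage(m Signed) bool { return ed25519.Verify(a.applianceSig, m.Body, m.Sig) }

// ... while EDR rules must verify under the off-appliance rule key, so an attacker who
// compromises the appliance (and so holds only its keys) still cannot push rules to agents.
func (a *Agent) VerifyRule(m Signed) bool { return ed25519.Verify(a.ruleSig, m.Body, m.Sig) }
```

The last function is the containment property the paragraph describes: everything on the appliance is enough to sign ordinary messages, but `VerifyRule` rejects a rule unless the off-appliance key signed it, so an appliance compromise does not translate into control of EDR behaviour on the endpoints.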


The following diagram shows how the components of Field Effect MDR fit into your network and communicate with each other.


Additional Connections

There are some scenarios in which the endpoint will connect to one of two global servers: the Identity Server and the Log Server.


Identity Server (epid.fieldeffect.net)

Immediately after an endpoint agent is installed, it connects to the Identity Server to retrieve its configuration (your organization's network and relay domains). If the agent loses its connection for more than a week, it reconnects to the Identity Server in an attempt to reconfigure itself and restore the connection.


Log Server (installlogs.fieldeffect.net)

This server collects data used for debugging. Following an installation, the agent provides a one-time report that includes basic host telemetry to help investigate failures. The Log Server can also request remote diagnostics via this connection.

When an agent has an unexpected issue or disruption, it is reported to the Log Server. If the Log Server detects that the agent is not running, it can automatically force the agent to restart.


Digging Deeper into Field Effect MDR

MDR Complete customers who want to dive deeper into the telemetry, alerts, and data that determine when we generate AROs can access the Field Effect Appliance Dashboard.
