FAQs for Trellix Insights
Last Modified: 2023-05-17 11:49:20 Etc/GMT
Technical Articles ID:
Environment
Trellix Insights
What are the roles associated with Trellix Insights?
Trellix Insights has three roles defined: Trellix Insights Administrator Access, Trellix Insights General Access, and Receive Notification.

Must I assign all available roles to a user who needs to access Insights?
Currently, any one of the three roles defined for Trellix Insights is sufficient to access Trellix Insights. There's no difference between an administrator user of Insights and a general user of Insights. To receive Insights-generated notifications, you must have the Receive Notification role assigned.

Other than Insights roles, are there any roles that are mandatory for a user to access Insights?
Yes, the user who accesses Insights must have the MVISION ePolicy Orchestrator (ePO) Administrator role assigned.

I don't want to provide the MVISION ePO Administrator role to the invited user. Can the invited user still access Insights?
The MVISION ePO Administrator role is mandatory. You can't access Trellix Insights without providing this role.

If I already have an MVISION account, can I invite a user from this account and provide Insights access to that user?
Yes, if the existing user has Insights roles, you can invite the user to Insights.

When I invite another user for Insights access, what other roles must be given to that invited user?
Apart from the Insights roles, you must provide the invited user with the ePO Administrator role.

Which email ID and license keys must I provide?
You must provide the email ID that's mapped to the license key. This email ID is typically provided at the time of purchase of the ePO license from us. Insights validates the email ID and license key combination against the IT Licensing database. If the two aren't mapped, you see an error message.

How do I fix the error: User isn't authorized for Insights?
This error means that the user doesn't have an Insights role assigned. The administrator must provision an Insights role.

How do multiple users within the same ePO manager use the Insights scope from on-premises or the MVISION ePO console? Do they need to add provision for MVISION ePO and the Insights scope for each account?
An MVISION account with Insights scope is needed to access Trellix Insights. From that account, multiple users can be invited and given Insights scope.
NOTE: When using on-premises ePO, one other step is needed. These users must be created inside on-premises ePO with one of the following ePO permission sets: Administrator, Executive Reviewer, or Global Reviewer. Set Authentication type as MVISION Authentication.

I can see Campaign Detection in the Insights dashboard but I don't receive notifications for it. Why?
The role Receive Notifications must be assigned to the logged-on user. Only users with the Receive Notifications role assigned receive notifications.

Why must I log on to each individual server in a multiple ePO server setup?
Currently, Trellix Insights data is limited to the ePO server that you're logged on to. When you use multiple ePO servers, you must log on to each server separately to see that server's data.

I didn't receive the activation. Which email account was it sent from?
Activation emails are sent from

How can I tell which email ID is linked to a license key?
Open a support case with Technical Support. Support contacts Licensing to obtain the information.

After the onboarding process is completed, you see the onboarding page on subsequent logons. Why?
View the association status for your license key in the Settings option. It must be in the Approved state. If it is in the Pending state, check your email account for the mail sent out by the onboarding process, and then click the Approve Association link in the mail.

Can I change the sector and country after completing onboarding?
Yes, you can change the sector and country value anytime. Go to the Settings page, and select the needed sector and country.

How do I perform an Insights Extension installation?
For MVISION setup, we perform the extension installation. For on-premises setup, use the Software Catalog to roll out the extension.

I ran a malicious sample but no telemetry data is displayed in Insights. Why?
You must use a supported version of the McAfee Agent/Trellix Agent (5.6 and later) and must not have Threat Intelligence Exchange set up and in use. If these requirements aren't met, Insights doesn't receive the telemetry data.

How does Insights decide which is the latest AM Core Content Version?
The Insights back-end polls a Services URL to determine the latest AM Core Content Version.

How does Insights decide whether an event is resolved or not?
The Insights back-end matches telemetry against IoCs from all campaigns. If a match is found, a detection notification is generated. The Insights manager makes a REST API call to verify whether ENS handles these detections. If they aren't found in the ePO database for a given TargetHash and MAGUID, those events are considered unresolved.

As an Insights user, do I see all devices managed by ePO in the Insights Web Console?
Insights supports the following devices:
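The resolved/unresolved decision described in the FAQ above, sketched as an added example (not Trellix code). The record layout, function names, campaign names and sample values are assumptions constructed for illustration; only the TargetHash and MAGUID keys come from the article. It shows that resolution is decided per (TargetHash, MAGUID) pair, so the same IoC can be resolved on one endpoint and unresolved on another.

```python
from collections import namedtuple

# Hypothetical model of the logic in the FAQ; not Trellix's API or schema.
Telemetry = namedtuple("Telemetry", "maguid target_hash")

def norm(h):
    """Hashes are compared case-insensitively and without stray whitespace."""
    return h.strip().lower()

def classify(telemetry, campaigns, epo_events):
    """Map (campaign, MAGUID, hash) -> 'resolved' or 'unresolved'.

    telemetry  : Telemetry records reported by endpoints
    campaigns  : {campaign name: set of IoC hashes}
    epo_events : (TargetHash, MAGUID) pairs for detections ENS handled
                 and that are therefore present in the ePO database
    """
    handled = {(norm(h), g.upper()) for h, g in epo_events}
    ioc_index = {}  # hash -> campaigns that list it as an IoC
    for name, iocs in campaigns.items():
        for h in iocs:
            ioc_index.setdefault(norm(h), set()).add(name)
    result = {}
    for rec in telemetry:
        h, g = norm(rec.target_hash), rec.maguid.upper()
        for name in ioc_index.get(h, ()):  # no IoC match, no detection
            found = (h, g) in handled      # lookup keyed on the pair
            result[(name, g, h)] = "resolved" if found else "unresolved"
    return result

def unresolved_devices(result):
    """MAGUIDs with at least one unresolved campaign detection."""
    return sorted({g for (_, g, _), s in result.items() if s == "unresolved"})

# Constructed sample data (placeholder hashes and agent GUIDs).
H1, H2, H3 = "aa" * 16, "bb" * 16, "cc" * 16
CAMPAIGNS = {"campaign-alpha": {H1, H2}, "campaign-beta": {H2}}
TELEMETRY = [
    Telemetry("GUID-A", H1.upper()),  # IoC seen on A, ENS handled it
    Telemetry("GUID-B", H1),          # same IoC on B, no ePO event
    Telemetry("GUID-B", H3),          # not an IoC of any campaign
    Telemetry("GUID-C", H2),          # IoC shared by two campaigns
]
EPO_EVENTS = [(H1, "GUID-A")]

if __name__ == "__main__":
    for key, state in sorted(classify(TELEMETRY, CAMPAIGNS, EPO_EVENTS).items()):
        print(key, state)
```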