Getting started with WithSecure™ Elements MDR

Follow the steps below to activate WithSecure™ Managed Detection and Response and get your environment under continuous protection.

You need a WithSecure™ Business Account to access Elements Security Center, the unified management platform for all WithSecure™ Elements products. There are two scenarios:

  • When you purchase the product from a WithSecure partner, the partner typically creates a Business Account for the first administrator in your organization. You will have received an email from WithSecure with a temporary password and a link to log in.
  • If your account has not yet been created but you have received a subscription key from your partner, go to elements.withsecure.com/self-register to create one.

MDR builds on Elements Endpoint Detection and Response (EDR). Before MDR can start monitoring your environment, you need to deploy the Elements Agent across your organization’s devices. The agent collects behavioral data and sends it to WithSecure analysts for investigation.

The same Elements Agent installer covers Windows, Mac, and Linux. Download it from Management > Downloads in Elements Security Center, then choose the deployment method that fits your environment:

Windows
  • Manual (EXE): Download the EXE installer with your subscription key embedded and run it directly on each device. Suitable for small environments.
  • MSI / GPO: Use the MSI file with the WithSecure MSI transformation tool to embed your subscription key, then deploy via Active Directory Group Policy or your RMM tool.
  • Microsoft Intune: Deploy as a line-of-business app (MSI) or a Win32 app (EXE wrapped with IntuneWinAppUtil). Pass your subscription key as a command-line argument.
  • Email invitation: Under Environment > Devices, select Add new device to send users an installation link by email. Each link covers one device and is valid for 30 days.
Mac
  • Download the .mpkg installer and run a silent install with sudo installer -pkg /path/to/pkg -target /, or embed the subscription key in the package filename before deploying via MDM.
Linux
  • Download the DEB, RPM, or TAR package from Management > Downloads and activate with the --subscription-key flag after installation.
Need more detail? The MDR user guide covers all deployment methods, MSI properties, VDI environments, and Mac MDM profile templates.

Once your EDR sensors are deployed, activate your MDR subscription and enable Advanced Response so that WithSecure analysts can take containment and remediation actions on your behalf.

Assign your MDR subscription
  1. In Elements Security Center, go to Management > Subscriptions.
  2. Check that WithSecure MDR appears in the list. If it does, continue to the next section.
  3. If it is not listed, select Assign Subscription and enter your MDR subscription code.
Enable Advanced Response
  1. Go to Security Configurations > Profiles.
  2. Open a profile in the profile editor and navigate to General Settings > Integrations.
  3. Turn on Advanced Response and save the profile.
  4. Repeat for each profile in use in your organization.
  5. Confirm that the updated profiles are correctly assigned and that Advanced Response shows as enabled on your active devices.
Note: Advanced Response is what authorizes WithSecure analysts to act on your behalf during an incident. Without it, analysts can investigate and escalate but cannot perform containment or remediation.

MDR is a 24/7 service. To ensure analysts can reach your team when a confirmed threat requires immediate action, you must provide primary and secondary on-call contacts. You should also activate automated actions to allow immediate response without delays.

Add escalation contacts
  1. Go to Management > Subscriptions and select WithSecure MDR from the list.
  2. On the Subscription information page, add two incident response contacts. For each, enter their time zone, full name, country code, phone number, and the hours they are available to be called.
  3. Make sure that Contact 1 or Contact 2 is available at all times — between them, they must cover 24/7.
  4. Select Save.
Important: Contacts are called by WithSecure Threat Analysts when a serious incident is confirmed and containment or remediation actions on servers require your explicit approval. Keep this information up to date.
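The 24/7 requirement in step 3 is easy to get wrong when the two contacts sit in different time zones or one window runs past midnight. The following check is an added example, not part of WithSecure's documentation or tooling: it converts each contact's daily hours to UTC and reports any uncovered ranges. It assumes the hours repeat every day and uses fixed UTC offsets, so recheck after daylight-saving changes; the field names and sample contacts are constructed.

```python
from datetime import time

DAY = 24 * 60  # minutes in a day

def to_utc_minute(local: time, utc_offset_hours: float) -> int:
    """Convert a local wall-clock time to minutes after 00:00 UTC."""
    return round(local.hour * 60 + local.minute - utc_offset_hours * 60) % DAY

def utc_window(contact: dict) -> set:
    """UTC minutes-of-day when a contact can be called.
    An end at or before the start wraps past midnight; start == end means 24 h."""
    start = to_utc_minute(contact["start"], contact["utc_offset_hours"])
    end = to_utc_minute(contact["end"], contact["utc_offset_hours"])
    length = (end - start) % DAY or DAY
    return {(start + i) % DAY for i in range(length)}

def coverage_gaps(contacts: list) -> list:
    """Return (start, end) UTC ranges in which no contact is reachable."""
    covered = set().union(*(utc_window(c) for c in contacts))
    gaps = []
    for minute in sorted(set(range(DAY)) - covered):
        if gaps and gaps[-1][1] == minute:
            gaps[-1][1] = minute + 1           # extend the current gap
        else:
            gaps.append([minute, minute + 1])  # open a new gap (end exclusive)
    # A gap that runs across 00:00 UTC shows up as two pieces; join them.
    if len(gaps) > 1 and gaps[0][0] == 0 and gaps[-1][1] == DAY:
        head = gaps.pop(0)
        gaps[-1][1] = head[1]
    def fmt(m): return f"{m % DAY // 60:02d}:{m % 60:02d}"
    return [(fmt(a), fmt(b)) for a, b in gaps]

# Constructed sample contacts (hypothetical names, hours and offsets).
CONTACT_1 = {"name": "Contact 1", "utc_offset_hours": 2,
             "start": time(8, 0), "end": time(20, 0)}
CONTACT_2 = {"name": "Contact 2", "utc_offset_hours": -5,
             "start": time(12, 0), "end": time(2, 0)}
CONTACT_2_SHORT = dict(CONTACT_2, start=time(14, 0), end=time(0, 0))

if __name__ == "__main__":
    for pair in ([CONTACT_1, CONTACT_2], [CONTACT_1, CONTACT_2_SHORT]):
        gaps = coverage_gaps(pair)
        print("24/7 covered" if not gaps else f"uncovered (UTC): {gaps}")
```

An empty result means the two windows overlap into full coverage; any range returned is a period in which analysts would have nobody to call for approval.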
Activate automated actions
  1. Go to Security Configurations > Automated actions.
  2. Activate the automated action for WithSecure MDR.

Your environment is now ready. WithSecure Threat Analysts will monitor your endpoints around the clock, investigate Broad Context Detections, and contact you if a confirmed threat requires your attention.

Further reading

Here are links to some common resources to get additional information about the use of WithSecure products.

User guide — Elements MDR

Full documentation covering sensor deployment, subscription configuration, incident response workflows, and escalation settings

Community

Stay up to date with product announcements and changelogs, get answers to your questions, and share product ideas