Capture Client (CC) MDR: Frequently Asked Questions (FAQs)

Frequently Asked Questions about our Capture Client MDR offering.

GENERAL

Is a Proof of Concept (PoC) available?

Yes, we offer a 21 day Proof of Concept for our new partners.

What is involved with a Proof of Concept?

• Time Frame: 21 days, starting with the kickoff call
• Endpoint Limit: Unlimited
• Details outlining the PoC can be found here:
  • POC CC : Frequently Asked Questions (FAQs)
  • POC CC : Customer Testing Guide

Will my licensing automatically convert to production at the end of the PoC?

• Yes, we will convert the tenant to Capture Client MDR monthly services at the end of the 21 day POC to continue protection and begin billing in the next billing phase.
• You can opt out of moving to production prior to the end of your 21 day PoC.

What are the responsibilities of the partner?

• Management of the deployment process
  • Deployment of the Capture Client Agents
  • Creating a Clean Baseline for the devices
  • Implementing Protection Phase
• Maintaining polices and exclusions
• Removal of duplicate or retired machines
• Providing Tier 1 support to your users
• Contacting SonicSentry for any Tier 2 or Tier 3 issues that you are unable to resolve
• Remediate issues identified from the provided report card
• Further investigate alerts sent from the SonicSentry SOC

What are the Deliverables from SonicSentry Services?

• Provides training, support, and documentation
• Setup and configuration of the Syslog/SIEM settings within the SIEM/SOAR platform
• Alerting of abnormal, suspicious or malicious behavior
  • See the following article for more details on our SOC response: EPP Alert Processing
• Initial response to a compromise

IMPLEMENTAION

What if I already use Capture Client and want to move those devices to Capture Client MDR?

• Capture Client MDR is hosted in a different location with a different URL from Capture Client Advanced or Premier without MDR.
• Devices will need to be removed from previous Capture Client and registered to the Capture Client MDR portal.
• There is a way to migrate Capture Client agents to the new Capture Client MDR portal.
  • There are some pre-requisites that need to be confirmed prior to attempting to migrate, please review the information at the following link.
    • Capture Client migration across consoles
• You can also uninstall and reinstall the Capture Client agents if you desire.

What devices do I need to install the Capture Client agent on?

• Capture Client agent should be deployed on all devices in an environment.

Is Multi-Tenancy supported?

• Yes, all Capture Client accounts are setup with a ‘Parent-Child’ architecture.
  • Partners will be able to create their own tenants and maintain policies as desired.
  • Individual tenants under the account can be administered independently.

SUPPORT

How do I contact support?

• To initiate a support request, visit https://msssupport.myportallogin.com
  • When prompted, select Endpoint Security, then choose CC/S1 Support
• Schedule a Meeting:
  • 30 minute meeting: https://calendly.com/cc-mdr/30-minute-follow-up
  • 45 minute training session: https://calendly.com/cc-mdr/product-training
• Emergency Support:
  
  • Available 24/7 for our MDR Partners: Please call 703.565.2395
• Standard Support Hours:
  • Monday - Friday, 3:00 AM - 8:00 PM EST

How do I access Capture Client documentation?

• Recommended resources are available at the following link: MDR for Capture Client

Is training provided?

• SonicSentry provides training on both administrative and technical operations related to the service.

MONITORING

How are Capture Client logs retained?

• The SentinelOne agent syslogs are sent from the central management console to our SIEM/SOAR for SOC services
  • These logs are maintained for 1 year

Do I get access to the SIEM?

• MDR partners are granted access to our SIEM (by request) for visibility and reporting purposes

Is your SOC outsourced?

• No. Our SOC is a 24x7x365 in-house Security Operations Center.
  • NOAM partners work with our US based and full time employees.
  • EMEA partners work with our EMEA based and full time employees.

How will partners be contacted about alerts or incidents?

• Each partner should provide designated contact information for the following:
  
  • CC General: General communications, updates, and release notes
  • CC Audit Reports: Delivery of regular implementation reports twice a month (opt-out available)
  • SOC Alerts: Notification of detected threats or alerts from the SOC
  • SOC Emergency Contact: After-hours or emergency phone contact
• More details are available here: SOC EPP Alert Processing Summary

BILLING and LICENSING

How is licensing handled?

• For Monthly Billed Partners:
  • Every month on the 26th (+/- 2 days) a snapshot of current usage is taken and will be used to provide your next invoice
    • Please be sure to cleanup any unwanted/duplicate devices etc.. by the 24th, at the latest, to avoid being billed for them
  • The invoice will then be provided by your distributor.
  • The License Report is also available via MySonicWall on the 1st.
• For Yearly Committed Partners:
  • If your monthly usage is over your annual commit, you will be invoiced for the overage for that month
  • Every month on the 26th (+/- 2 days) a snapshot of current usage is taken and will be used to provide your next invoice
    • Please be sure to cleanup any unwanted/duplicate devices etc.. by the 24th, at the latest, to avoid being billed for them

How do I get a breakdown of my devices per customer?

• You can see current license usage when logged into MySonicWall under the Monthly Billing section
• Additional information for using MySonicWall and viewing usage is available at the following link, specifically License Report starting on page 30.
  • MySonicWall MSSP Monthly Billing

Will duplicate or retired devices be billed?

• Yes. It is recommended to routinely audit and remove duplicate or retired devices from the portal to avoid unnecessary charges.