CrowdStrike (CS): Frequently Asked Questions (FAQs)

Description

Frequently Asked Questions about our CrowdStrike MDR offering.

GENERAL

Is a Proof of Concept (PoC) available?
  • Yes, we offer a 21-day Proof of Concept for new partners.
What is involved with a Proof of Concept?
  • Time Frame: 21 days, starting with the kickoff call
  • Endpoint Limit: Unlimited
  • Details outlining the PoC can be found here: CS : Proof of Concept (POC)
Will my licensing automatically convert to production at the end of the PoC?
  • Yes, the CrowdStrike MDR implementation will be automatically converted to production at the end of the 21-day PoC unless canceled before the conversion.
What are the responsibilities of the partner?
  • Management of the deployment process
    • Deployment of the CrowdStrike Agents
    • Creating a Clean Baseline for the devices
    • Implementing Protection Phase
  • Maintaining policies and exclusions
  • Removal of duplicate or retired machines
  • Providing Tier 1 support to your customers
  • Contacting SonicSentry for any Tier 2 or Tier 3 issues that you are unable to resolve
  • Remediating issues identified in the provided report card
  • Further investigating alerts sent from the SonicSentry SOC
What are the Deliverables from SonicSentry?
  • Provides training, support, and documentation
  • Setup and configuration of the Syslog/SIEM settings within the SIEM/SOAR platform
  • Alerting of abnormal, suspicious or malicious behavior
  • Initial response to a compromise

IMPLEMENTATION

What if I already have CrowdStrike deployed and want to move to the CrowdStrike MDR offering?
  • An existing CrowdStrike CID can be migrated to our MDR service provided the following conditions are met:
  • Alternatively, you can uninstall and reinstall the CrowdStrike sensor to have the devices register into your CrowdStrike MDR account.
What devices do I need to install the CrowdStrike agent on?
  • The CrowdStrike agent should be deployed on all devices in an environment
Is Multi-Tenancy supported?
  • Yes. A parent-child architecture is in place:
    • Partners will have access to multiple sites (Child CIDs) under a single parent account (CID).
    • Sub-sites (Child CIDs) can be administered independently.

SUPPORT

How do I contact support?
How do I access CrowdStrike documentation?
Is there official training for CrowdStrike available for partners?
  • SonicSentry provides training on both administrative and technical operations related to the service.

MONITORING

How are CrowdStrike logs retained?
  • CrowdStrike syslogs are sent from the central management console to our SIEM/SOAR for SOC services
    • These logs are maintained for 1 year
Do I get access to the SIEM?
  • MDR partners are granted access to our SIEM (by request) for visibility and reporting purposes
Is your SOC outsourced?
  • No. Our SOC is a 24x7x365 in-house Security Operations Center.
    • NOAM partners work with our US-based, full-time employees.
    • EMEA partners work with our EMEA-based, full-time employees.
How will partners be contacted about alerts or incidents?
  • Each partner should provide designated contact information for the following:
    • CS General: General communications, updates, and release notes
    • CS Audit Reports: Delivery of regular implementation reports twice a month (opt-out available)
    • SOC Alerts: Notification of detected threats or alerts from the SOC
    • SOC Emergency Contact: After-hours or emergency phone contact
  • More details are available here: SOC EPP Alert Processing Summary

BILLING and LICENSING

How is licensing handled?
  • For Monthly Billed Partners:
    • CrowdStrike MDR invoicing is conducted monthly
    • Licensing is based on the number of active devices, pulled on the last business day of the month
    • Invoices are issued on the first business day of each month
  • For Yearly Committed Partners:
    • If your monthly usage is over your annual commit, you will be invoiced for the overage for that month
    • Licensing is based on the number of active devices, pulled on the last business day of the month
How do I view a breakdown of the number of devices per customer?
Will duplicate or retired devices be billed?
  • Yes. It is recommended to routinely audit and remove duplicate or retired devices from the portal to avoid unnecessary charges.
