CrowdStrike (CS): Frequently Asked Questions (FAQs)

General

Is a Proof of Concept (PoC) available?

Yes, we offer a 21-day Proof of Concept for new partners

What is involved with a Proof of Concept?

• Time Frame: 21 days, starting with the kickoff call
• Endpoint Limit: Unlimited
• Details outlining the PoC can be found here: CS : Proof of Concept (POC)

Will my licensing automatically convert to production at the end of the PoC?

• Yes, the CrowdStrike MDR implementation will be automatically converted to production at the end of the 21 day PoC unless canceled before the conversion

What are the responsibilities of the partner?

• Management of the deployment process
  • Deployment of the CrowdStrike Agents
  • Creating a Clean Baseline for the devices
  • Implementing Protection Phase
• Maintaining polices and exclusions
• Removal of duplicate or retired machines
• Providing Tier 1 support to your customers
• Contacting SonicWall MSS for any Tier 2 or Tier 3 issues that you are unable to resolve
• Remediate issues identified from the provided report card
• Further investigate alerts sent from the SonicWall MSS SOC

What are the Deliverables from SonicWall MSS?

• Provides training, support, and documentation
• Setup and configuration of the Syslog/SIEM settings within the SIEM/SOAR platform
• Alerting of abnormal, suspicious or malicious behavior
  • See the following article for more details on our SOC response: EPP Alert Processing
• Initial response to a compromise

---

Implementation

 

What if I already have CrowdStrike deployed and want to move to the CrowdStrike MDR offering?

• Our CrowdStrike MDR offering requires devices to be registered in accounts created under our overall management.
• You will need to uninstall and reinstall the CrowdStrike sensor to have the devices register in the CrowdStrike MDR account.

What devices do I need to install the CrowdStrike agent on?

• The CrowdStrike agent should be deployed on all devices in an environment

Is there a Multi-tenancy option?

• Yes, all CrowdStrike MDR accounts are setup with a ‘Parent-Child’ architecture
  • Partners will be able to create their own customer sites and maintain policies as desired
  • Customers will not be able to create their own tenants within the partner's Account

---

Support

How do I contact support?

• To start a support ticket, partners can visit https://msssupport.myportallogin.com and when asked to select a product, select Endpoint Security, and then CS Support.
• Meetings can be scheduled via the CrowdStrike Support Calendly page:
  • 30 minute meeting: https://calendly.com/cs-mdr/30-minute-follow-up
  • 45 minute training session: https://calendly.com/cs-mdr/product-training
• If there is an emergency, we always recommend calling our office at 703.565.2395
• Standard Support hours for CrowdStrike MDR are currently 8 AM - 8 PM EST Monday - Friday
  • MDR partners are provided with 24/7 Emergency Support
    • Please call our office at 703.565.2395 if Emergency Support is needed

How do I access CrowdStrike documentation?

• We have created the following link for recommended documentation that all partners are provided once onboarding has started
  • MDR: CrowdStrike (CS)

Is there official training for CrowdStrike available for partners?

• SonicWall MSS will train the partner on all support and administrative topics

---

Monitoring

How are CrowdStrike logs retained?

• CrowdStrike syslogs are sent from the central management console to our SIEM/SOAR for SOC services
  • These logs are maintained for 1 year

Do I get access to the SIEM?

• MDR partners are granted access to our SIEM (by request) for visibility and reporting purposes

Is your SOC outsourced?

• No. SonicWall MSS runs a 24x7x365 in-house Security Operations Center. All employees are US based and full time employees.

How am I contacted if there’s an issue?

• We ask for each partner to provide the preferred contact info for the following categories:
  • CS General
    • This will be used for all CrowdStrike related general communication to include news, release notes, etc
  • CS Audit Report
    • This is where we will send your CrowdStrike implementation report cards
      • Likewise, you may indicate you would like to opt-out on receiving the twice-a-month report cards
  • SOC Alerts
    • The contact in the event our SOC Analysts find abnormal, suspicious, or malicious activity
    • This would also be the contact that would receive advanced alerting from our SIEM
      • Please let us know if you would like to separate this into two separate contacts
  • SOC Emergency Contact
    • Phone numbers in the event we need/you would like us to contact you after hours or in an emergency
• Please reference the following article: EPP Alert Processing

---

Billing

How am I licensed for CrowdStrike?

• CrowdStrike MDR invoicing is conducted monthly
  • The invoice will be a total of all devices belonging to our partner and the invoice will be provided on the first business day of the month
  • How do I get a breakdown of my devices per customer?
    • Please reference the following article: CrowdStrike (CS): Monthly Invoicing

Will I be charged for duplicate or offline/retired devices?

• Yes, we ask that partners monitor and remove duplicated devices or machines that have been retired but are still in the portal.