SentinelOne (S1) MDR: Frequently Asked Questions (FAQs)

Is a Proof of Concept (PoC) available?

• Yes, we offer a 21 day Proof of Concept for new partners

What is involved with a Proof of Concept?

• Time Frame: 21 days, starting with the kickoff call
• Endpoint Limit: Unlimited
• Details outlining the PoC can be found at the following links:
  • S1 POC : Frequently Asked Questions (FAQs)
  • S1 POC : Customer Testing Guide

Will my licensing automatically convert to production at the end of the PoC?

• Yes, the SentinelOne MDR implementation will be automatically converted to production at the end of the 21 day PoC unless canceled before the conversion

What are the responsibilities of the partner?

• Management of the deployment process
  • Deployment of the SentinelOne Agents
  • Creating a Clean Baseline for the devices
  • Implementing Protection Phase
• Maintaining polices and exclusions
• Removal of duplicate or retired machines
• Providing Tier 1 support to your customers
• Contacting SonicWall Managed Security Services for any Tier 2 or Tier 3 issues that you are unable to resolve
• Remediate issues identified from the provided report card
• Further investigate alerts sent from the SonicWall MSS SOC

What are the Deliverables from SonicWall MSS?

• Provides training, support, and documentation
• Setup and configuration of the Syslog/SIEM settings within the SIEM/SOAR platform
• Alerting of abnormal, suspicious or malicious behavior
  • See the following article for more details on our SOC response: SOC EPP Alert Processing Summary
• Initial response to a compromise

What devices do I need to install the SentinelOne agent on?

• The SentinelOne agent should be deployed on all devices in an environment

Is there a Multi-tenancy option?

• Yes, all SentinelOne accounts are setup with a ‘Parent-Child’ architecture
  • Partners will be able to create their own customer sites and maintain policies as desired
  • Customers will not be able to create their own tenants within the partner's Account

How do I contact support?

• To start a support ticket, partners can visit https://msssupport.myportallogin.com and when asked to select a product, select Endpoint Security, and then CC/S1 Support.
• Meetings can be scheduled via the CC/S1 Support Calendly page
  • 30 minute meeting: https://calendly.com/s1mdr/30-minute-follow-up
  • 45 minute training session: https://calendly.com/s1mdr/product-training
• If there is an emergency, we always recommend calling our office at 703.565.2395
• Standard Support hours for Capture Client are currently 8 AM - 8 PM EST Monday - Friday
  • MDR partners are provided with 24/7 Emergency Support
    • Please call our office at 703.565.2395 if Emergency Support is needed

How do I access SentinelOne documentation?

• Recommended documentation that all partners are provided once onboarding has started can be found via SonicWall's Knowledge Base.
  • MDR for SentinelOne
• All other documentation is available by request from our support team

Is there official training for SentinelOne available for partners?

• SonicWall MSS will train the partner on all support and administrative topics

How are SentinelOne logs retained?

• SentinelOne syslogs are sent from the central management console to our SIEM/SOAR for SOC services
  • These logs are maintained for 1 year

Do I get access to the SIEM?

• MDR partners are granted access to our SIEM (by request) for visibility and reporting purposes

Is your SOC outsourced?

• No. Our SOC is a 24x7x365 in-house Security Operations Center.
  • NOAM partners work with our US based and full time employees.
  • EMEA partners work with our EMEA based and full time employees.

How am I contacted if there’s an issue?

• We ask for each partner to provide the preferred contact info for the following categories:
  • S1 General
    • This will be used for all Sentinel 1 related general communication to include news, release notes, etc
  • Audit Report
    • This is where we will send your Sentinel 1 implementation report cards
      • Likewise, you may indicate you would like to opt-out on receiving the twice-a-month report cards
  • SOC Alerts
    • The contact in the event our SOC Analysts find abnormal, suspicious, or malicious activity
    • This would also be the contact that would receive advanced alerting from our SIEM
      • Please let us know if you would like to separate this into two separate contacts
  • Emergency Contact
    • Phone numbers in the event we need/you would like us to contact you after hours or in an emergency
• Please reference the following article: SOC EPP Alert Processing Summary

How am I licensed for SentinelOne?

• SentinelOne MDR invoicing is conducted monthly
  • The invoice will be a total of all devices belonging to our partner and the invoice will be provided on the first business day of the month
  • How do I get a breakdown of my devices per customer?
    • Please reference the following article: SentinelOne (S1): Monthly Invoicing

Will I be charged for duplicate or offline/retired devices?

• Yes, we ask that partners monitor and remove duplicated or machines that have been retired but still in the portal.