SentinelOne (S1) MDR: Frequently Asked Questions (FAQs)

Description

General

Is a Proof of Concept (PoC) available?

  • Yes, we offer a 21-day Proof of Concept for new partners

What is involved with a Proof of Concept?

Will my licensing automatically convert to production at the end of the PoC?

  • Yes, the SentinelOne MDR implementation will be automatically converted to production at the end of the 21-day PoC unless canceled before the conversion

What are the responsibilities of the partner?

  • Management of the deployment process
    • Deployment of the SentinelOne Agents
    • Creating a Clean Baseline for the devices
    • Implementing Protection Phase
  • Maintaining policies and exclusions
  • Removal of duplicate or retired machines
  • Providing Tier 1 support to your customers
  • Contacting SonicWall Managed Security Services for any Tier 2 or Tier 3 issues that you are unable to resolve
  • Remediate issues identified from the provided report card
  • Further investigate alerts sent from the SonicWall MSS SOC

What are the Deliverables from SonicWall MSS?

  • Provides training, support, and documentation
  • Setup and configuration of the Syslog/SIEM settings within the SIEM/SOAR platform
  • Alerting of abnormal, suspicious or malicious behavior
  • Initial response to a compromise

Implementation

What devices do I need to install the SentinelOne agent on?

  • The SentinelOne agent should be deployed on all devices in an environment

Is there a Multi-tenancy option?

  • Yes, all SentinelOne accounts are set up with a ‘Parent-Child’ architecture
    • Partners will be able to create their own customer sites and maintain policies as desired
    • Customers will not be able to create their own tenants within the partner's Account

Support

How do I contact support?

  • To start a support ticket, partners can visit https://msssupport.myportallogin.com and when asked to select a product, select Endpoint Security, and then CC/S1 Support.
  • Meetings can be scheduled via the CC/S1 Support Calendly page
  • If there is an emergency, we always recommend calling our office at 703.565.2395
  • Standard Support hours for Capture Client are currently 8 AM - 8 PM EST Monday - Friday
    • MDR partners are provided with 24/7 Emergency Support
      • Please call our office at 703.565.2395 if Emergency Support is needed

How do I access SentinelOne documentation?

  • Recommended documentation that all partners are provided once onboarding has started can be found via SonicWall's Knowledge Base.
  • All other documentation is available by request from our support team

Is there official training for SentinelOne available for partners?

  • SonicWall MSS will train the partner on all support and administrative topics

Monitoring

How are SentinelOne logs retained?

  • SentinelOne syslogs are sent from the central management console to our SIEM/SOAR for SOC services
    • These logs are maintained for 1 year

Do I get access to the SIEM?

  • MDR partners are granted access to our SIEM (by request) for visibility and reporting purposes

Is your SOC outsourced?

  • No. Our SOC is a 24x7x365 in-house Security Operations Center.
    • NOAM partners work with our US-based, full-time employees.
    • EMEA partners work with our EMEA-based, full-time employees.

How am I contacted if there’s an issue?

  • We ask for each partner to provide the preferred contact info for the following categories:
    • S1 General
      • This will be used for all SentinelOne-related general communication, including news, release notes, etc.
    • Audit Report
      • This is where we will send your SentinelOne implementation report cards
        • Likewise, you may indicate you would like to opt out of receiving the twice-a-month report cards
    • SOC Alerts
      • The contact in the event our SOC Analysts find abnormal, suspicious, or malicious activity
      • This would also be the contact that would receive advanced alerting from our SIEM
        • Please let us know if you would like to separate this into two separate contacts
    • Emergency Contact
      • Phone numbers in the event we need/you would like us to contact you after hours or in an emergency
  • Please reference the following article: SOC EPP Alert Processing Summary

Billing

How am I licensed for SentinelOne?

  • SentinelOne MDR invoicing is conducted monthly
    • The invoice totals all devices belonging to the partner and is provided on the first business day of the month

How do I get a breakdown of my devices per customer?

Will I be charged for duplicate or offline/retired devices?

  • Yes, we ask that partners monitor and remove duplicate machines and machines that have been retired but are still in the portal.
