Cloud Threat Analytics: Frequently Asked Questions

Description

General

What is Cloud Threat Analytics?

Our Cloud Threat Analytics offering provides monitoring for anomalous user and administrative behavior. The service detects and alerts on known and new cyber threats inside supported cloud SaaS applications using behavioral analytics and dynamic threat models. This is accomplished by feeding logs into our SaaS platform, which allows our SOC teams to gain insight into the environment and provide Threat Analytics and active alerting.

Is Cloud Threat Analytics email security? How does Cloud Threat Analytics differ from Avanan?

Our Cloud Threat Analytics offering is not email security, nor does it account for spam filtering. As an example, while we do have certain detections that focus on specific email account behavior, our Microsoft 365 monitoring under this offering identifies IOCs (indicators of compromise) relating to Microsoft 365 user account activity as a whole. All alerts and detections stem from information found within the audit logs that are generated by Microsoft for each respective Microsoft 365 environment.

What are the M365 license requirements?

Our recommendation is to use a minimum of a Business Basic or E1 license along with Azure Active Directory P1 licensing.

  • Azure AD premium (P1 or higher) provides more detail for alerts.
  • Azure AD P1 can be added to any subscription as a standalone add-on.
  • If you want Azure AD P1 included in the subscription you must sell Business Premium or E3.

Does this offering work with 3rd Party Retail M365 Providers (GoDaddy, etc)?

We support M365 tenants purchased directly from Microsoft or a Microsoft partner. 3rd party retail purchases (GoDaddy, etc.) may or may not work and are not officially supported.

What are the Google Workspace license requirements?

A Google Workspace license that supports third party integrations is required. Third party integrations are supported by Google Workspace Enterprise, Business (Starter, Standard, and Plus), Education (Fundamentals, Standard, Plus) and Cloud Identity Premium. Google Workspace Essentials Starter and "Enterprise Essentials" licenses do not support third party integration and won't connect to SaaS Alerts.

Is a Proof of Concept available?

Yes. A 14-day PoC is available.

  • Begins with a kickoff call with a Threat Analyst
  • Initial environment (commonly the internal environment) is onboarded during the call
  • Relevant alerts will be generated during the trial period

Will the PoC automatically convert to production?

Yes. Unless canceled prior to the end of the 14-day period, the PoC will automatically convert to a production subscription.

Partner Responsibilities

  • Provide SonicSentry with onboarding and technical contact information
  • Configure SaaS applications to be monitored
  • Onboard additional modules (Respond, Unify, Fortify) and maintain application connections
  • Investigate and remediate SOC alerts in the environment

SonicSentry Deliverables

  • Platform support and onboarding guidance
  • Configuration and architecture setup
  • Provisioning of the environment within the SaaS Alerts Portal
  • Explanation and setup instructions for optional modules (Respond, Unify, Fortify)
  • SOC services including:
    • Behavioral threat detection and alerting
    • Mitigation actions for confirmed threats
    • Custom threat detection rules informed by SonicWall threat intelligence
        

Implementation

Is setup required for each SaaS environment?

Yes. Each environment to be monitored requires a separate application registration.

Is client identification required?

Yes. For billing and incident response accuracy, each environment must be named clearly.

Why is Microsoft 365 email read permission required?

To analyze behavior related to file sharing via email, SaaS Alerts requires read permission to access metadata (e.g., sender, recipient, and file attachment names). Email content is never accessed or stored. Microsoft’s current API design necessitates this permission level.

What access is required for Google Workspace?

A Super Administrator account is required for initial connection.

How do I onboard additional environments?

Additional tenants can be added via the SaaS Alerts portal using the predefined organization prefix.
To request support, visit: https://SonicSentrysupport.myportallogin.com
Choose Cloud Security > Cloud Threat Analytics Support.

What is ‘Respond’?

Respond allows for automated mitigation of threats based on predefined rules. Actions include:

  • Blocking sign-ins and expiring sessions for compromised users
  • Manual and automated actions with a <10% false positive threshold
  • Organization-specific response policies

Enable via: Managing Respond Connections

What is ‘Fortify’?

Fortify assists with Microsoft 365 security posture management:

  • Perform tenant-wide vulnerability scans
  • Apply Microsoft security recommendations
  • Monitor security score regression
  • Quick setup and deployment via step-by-step onboarding materials

What is ‘Unify’?

Unify is a SaaS Alerts feature that links multiple user accounts and devices to a single identity using behavioral data and confidence scoring. This helps detect threats more accurately by providing unified visibility into user activity across platforms.


Monitoring & Alerting

Which accounts are monitored?

All unique, active accounts within connected SaaS platforms are monitored and billable. The following are excluded:

  • Microsoft 365 accounts with “Block Sign-In” enabled
  • Shared mailboxes (recommended to be configured with Block Sign-In)
  • Deleted accounts in "soft delete" state (retained for 30 days)
  • Guest accounts

Where are logs ingested?

Logs are ingested into the SaaS Alerts platform and retained for one year. SonicSentry SIEM integration is under development.

Is portal access included?

Yes. Access is granted after an onboarding walkthrough with a Threat Analyst.

Does this service include environment hardening?

No. The offering focuses on monitoring, alerting, and response—not environment configuration or hardening.

What types of Indicators of Compromise (IoCs) are detected?

A dynamic list of IoCs is maintained in the Alert Types Knowledge Base. This list evolves with the threat landscape.

How are alerts communicated?

SOC alerts are sent to the primary contact email. High-confidence compromises also trigger a phone call to the emergency contact.

Does SonicSentry disable compromised accounts?

Yes. If a compromise is confirmed and the Respond module is enabled, SonicSentry will disable the affected account and log out all active sessions.

Is reporting available?

Yes. Automated reports can be configured upon request. Manual report access is available via the portal.


Support

How do I request support?

Submit a ticket at: https://msssupport.myportallogin.com

Select: Cloud Security > Cloud Threat Analytics Support

Meetings:

Emergency Support:

Call: 703.565.2395

Support Hours:

Monday–Friday, 8:00 AM–5:00 PM EST (excluding U.S. holidays)


Billing

How am I licensed/billed for this service?

  • This offering is consumption based and month to month.
  • All unique accounts within the SaaS instances are billable.
    • Examples of M365 exclusions are listed above.
  • We will audit accounts on the last business day of the month.
  • An invoice will be sent on the first business day of the month based on the audited numbers.
  • Please email MSSAccounting@SonicWall.com for all billing questions/concerns.
  • Billable accounts can also be viewed anytime in the SaaS Alerts portal under the “Organizations” tab.

May I limit monitoring to certain user accounts?

Yes & No

  • If an account has the ability to log in, it will be monitored and billed.
  • If you do not want an account monitored or billed, you must disable sign-in for that account.
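As an added example (not part of the SonicSentry or SaaS Alerts documentation), the following PowerShell script previews which Microsoft 365 accounts would count as monitored and billable under the exclusion rules in the Monitoring & Alerting section (Block Sign-In, shared mailboxes, soft-deleted accounts, guests) and flags shared mailboxes that still allow sign-in, the configuration the FAQ recommends against. It assumes the Microsoft.Graph.Users and ExchangeOnlineManagement modules are installed and that the signed-in account holds User.Read.All and Exchange recipient read rights.

```powershell
# Added example, not SaaS Alerts code. Lists likely-billable M365 accounts per the
# FAQ's exclusion rules and flags shared mailboxes that still permit sign-in.
# Assumes: Microsoft.Graph.Users + ExchangeOnlineManagement modules, User.Read.All.
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# Shared mailboxes, keyed by Entra object id so they can be matched to Graph users.
$shared = @{}
Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited `
    -Properties ExternalDirectoryObjectId |
    ForEach-Object { $shared[$_.ExternalDirectoryObjectId] = $true }

# Get-MgUser returns only live objects, so soft-deleted accounts are already excluded.
# Filtering on userType is an advanced query, hence ConsistencyLevel/CountVariable.
$users = Get-MgUser -All -ConsistencyLevel eventual -CountVariable total `
    -Filter "userType eq 'Member'" `
    -Property Id, UserPrincipalName, AccountEnabled, UserType

$billable = @()
$sharedWithSignIn = @()
foreach ($u in $users) {
    $isShared = $shared.ContainsKey($u.Id)
    # Hygiene check: a shared mailbox whose account can still sign in is both a
    # billable account and a sign-in surface that normally should be blocked.
    if ($isShared -and $u.AccountEnabled) { $sharedWithSignIn += $u.UserPrincipalName }
    # Excluded from billing: Block Sign-In enabled (AccountEnabled = $false) or shared.
    if (-not $u.AccountEnabled -or $isShared) { continue }
    $billable += $u.UserPrincipalName
}

"Member accounts (soft-deleted excluded): $($users.Count)"
"Likely billable accounts:                 $($billable.Count)"
if ($sharedWithSignIn.Count -gt 0) {
    "Shared mailboxes that still allow sign-in (recommend Block Sign-In):"
    $sharedWithSignIn | Sort-Object | ForEach-Object { "  $_" }
}
```

The counts are an estimate only; the authoritative billable number is the one audited in the SaaS Alerts portal under the "Organizations" tab.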

General Information

What is Cloud Threat Analytics?

Cloud Threat Analytics provides monitoring for user and administrative anomalous behavior across supported cloud SaaS applications. The service detects and alerts on both known and emerging cyber threats using behavioral analytics and dynamic threat models. Logs are ingested into a centralized SaaS platform, enabling SonicWall SonicSentry Security Operations Center (SOC) analysts to deliver real-time Threat Analytics and active alerting.

Is Cloud Threat Analytics an email security solution?

No. This offering is not a replacement for email security or spam filtering. While it includes behavior-based detections that may involve email accounts, the focus is on user activity and indicators of compromise (IOCs) within SaaS applications such as Microsoft 365. Alerts are generated using audit logs provided by the application itself, rather than through email filtering mechanisms.

What Microsoft 365 license types are supported?

A minimum of Business Basic or E1, in combination with Azure Active Directory P1, is recommended. Azure AD Premium (P1 or higher) enables more detailed threat visibility and alerting capabilities.

  • Azure AD P1 may be purchased as an add-on to existing plans.
  • To include Azure AD P1 within a license, consider using Business Premium or E3.

Are third-party retail Microsoft 365 providers supported?

Microsoft 365 tenants must be purchased directly from Microsoft or an official Microsoft partner. Support for third-party retail platforms (e.g., GoDaddy) is not guaranteed.

What are the licensing requirements for Google Workspace?

A Google Workspace license that allows third-party integrations is required. Supported editions include:

  • Enterprise, Business Starter/Standard/Plus, Education (Fundamentals, Standard, Plus), and Cloud Identity Premium
  • Note: Google Workspace Essentials Starter and Enterprise Essentials do not support required integrations.


What is ‘Unify’?

Currently, Unify does not support mapping multiple users to a single device. Enhancement requests are in progress.




Billing & Licensing

How is billing handled?

  • Usage-based monthly billing
  • Charges apply to all unique monitored accounts
  • Exclusions: see Monitoring section
  • Account counts are audited on the last business day of the month
  • Invoices issued on the first business day of the following month

How can I view billable accounts?

Log into the SaaS Alerts portal and select the “Organizations” tab. For billing inquiries, contact: MSSAccounting@SonicWall.com

Can I limit which accounts are billed?

Only accounts with login capability are monitored and billed. To exclude an account, disable sign-in.
