Cloud Threat Analytics: Frequently Asked Questions

Description

General

What is Cloud Threat Analytics?

Our Cloud Threat Analytics offering provides monitoring for anomalous user and administrative behavior. The service detects and alerts on known and new cyber threats inside supported cloud SaaS applications using behavioral analytics and dynamic threat models. This is accomplished by feeding logs into our SaaS platform, which allows our SOC teams to gain insight into the environment and provide threat analytics and active alerting.

Is Cloud Threat Analytics email security? How does Cloud Threat Analytics differ from Avanan?

Our Cloud Threat Analytics offering is not email security, nor does it account for spam filtering. As an example, while we do have certain detections that focus on specific email account behavior, our Microsoft 365 monitoring under this offering identifies IOCs (indicators of compromise) relating to Microsoft 365 user account activity as a whole. All alerts and detections stem from information found within the audit logs that are generated by Microsoft for each respective Microsoft 365 environment.

What are the M365 license requirements?

Our recommendation is to use a minimum of a Business Basic or E1 license along with Azure Active Directory P1 licensing.

  • Azure AD premium (P1 or higher) provides more detail for alerts.
  • Azure AD P1 can be added to any subscription as a standalone add-on.
  • If you want Azure AD P1 included in the subscription, you must sell Business Premium or E3.

Does this offering work with third-party retail M365 providers (GoDaddy, etc.)?

We support M365 tenants purchased directly from Microsoft or a Microsoft partner. Third-party retail purchases (GoDaddy, etc.) may or may not work and are not officially supported.

What are the Google Workspace license requirements?

A Google Workspace license that supports third party integrations is required. Third party integrations are supported by Google Workspace Enterprise, Business (Starter, Standard, and Plus), Education (Fundamentals, Standard, Plus) and Cloud Identity Premium. Google Workspace Essentials Starter and "Enterprise Essentials" licenses do not support third party integration and won't connect to SaaS Alerts.

Is a Proof of Concept available?

Yes. A 14-day PoC is available.

  • Begins with a kickoff call with a Threat Analyst
  • Initial environment (commonly the internal environment) is onboarded during the call
  • Relevant alerts will be generated during the trial period

Will the PoC automatically convert to production?

Yes. Unless canceled prior to the end of the 14-day period, the PoC will automatically convert to a production subscription.

Partner Responsibilities

  • Provide SonicSentry with onboarding and technical contact information
  • Configure SaaS applications to be monitored
  • Onboard additional modules (Respond, Unify, Fortify) and maintain application connections
  • Investigate and remediate SOC alerts in the environment

SonicSentry Deliverables

  • Platform support and onboarding guidance
  • Configuration and architecture setup
  • Provisioning of the environment within the SaaS Alerts Portal
  • Explanation and setup instructions for optional modules (Respond, Unify, Fortify)
  • SOC services including:
    • Behavioral threat detection and alerting
    • Mitigation actions for confirmed threats
    • Custom threat detection rules informed by SonicWall threat intelligence

Implementation

Is setup required for each SaaS environment?

Yes. Each environment to be monitored requires a separate application registration.

Is client identification required?

Yes. For billing and incident response accuracy, each environment must be named clearly.

Why is Microsoft 365 email read permission required?

To analyze behavior related to file sharing via email, SaaS Alerts requires read permission to access metadata (e.g., sender, recipient, and file attachment names). Email content is never accessed or stored. Microsoft’s current API design necessitates this permission level.

What access is required for Google Workspace?

A Super Administrator account is required for initial connection.

How do I onboard additional environments?

Additional tenants can be added via the SaaS Alerts portal using the predefined organization prefix. See: Cloud Threat Analytics On-boarding

To request support, visit: https://SonicSentrysupport.myportallogin.com
Choose Cloud Security > Cloud Threat Analytics Support.

What is ‘Respond’?

Respond allows for automated mitigation of threats based on predefined rules. Actions include:

  • Blocking sign-ins and expiring sessions for compromised users
  • Manual and automated actions with a <10% false positive threshold
  • Organization-specific response policies

Enable via: Managing Respond Connections

What is ‘Fortify’?

Fortify assists with Microsoft 365 security posture management:

  • Perform tenant-wide vulnerability scans
  • Apply Microsoft security recommendations
  • Monitor security score regression
  • Quick setup and deployment via step-by-step onboarding materials

What is ‘Unify’?

Unify is a SaaS Alerts feature that links multiple user accounts and devices to a single identity using behavioral data and confidence scoring. This helps detect threats more accurately by providing unified visibility into user activity across platforms.


Monitoring, Alerting, and Billing

Which accounts are Monitored and Billable?

A full explanation of Monitored and Billable Accounts can be found here: Billable Accounts Definition

How am I licensed/billed for this service?

  • This offering is consumption based and month to month.
  • We will audit accounts on the last business day of the month.
  • An invoice will be sent on the first business day of the month based on the audited numbers.
  • Please email MSSAccounting@SonicWall.com for all billing questions/concerns.
  • Billable accounts can also be viewed anytime in the SaaS Alerts portal under the “Organizations” tab.

Where are logs ingested?

Logs are ingested into the SaaS Alerts platform and retained for one year. SonicSentry SIEM integration is under development.

Is portal access included?

Yes. Access is granted after an onboarding walkthrough with a Threat Analyst.

What types of Indicators of Compromise (IoCs) are detected?

A dynamic list of IoCs is maintained in the Alert Types Knowledge Base. This list evolves with the threat landscape.

How are alerts communicated?

SOC alerts are sent to the primary contact email. High-confidence compromises also trigger a phone call to the emergency contact.

Does SonicSentry disable compromised accounts?

Yes. If a compromise is confirmed and the Respond module is enabled, SonicSentry will disable the affected account and log out all active sessions.

Is reporting available?

Yes. Automated reports can be configured upon request. Manual report access is available via the portal.


Support

How do I request support?

Submit a ticket at: https://msssupport.myportallogin.com

Select: Cloud Security > Cloud Threat Analytics Support

Meetings:

Emergency Support:

Call: 703.565.2395

Support Hours:

Monday–Friday, 8:00 AM–5:00 PM EST (excluding U.S. holidays)

Related Articles

  • SaaS Alerts: Viewing Logs
  • SaaS Alerts Features: Respond, Unify, Fortify
  • Avanan CDR: Frequently Asked Questions (FAQs)