Aurora/Cylance MDR: Frequently Asked Questions (FAQs)

Description

Frequently Asked Questions about our Aurora (formerly Cylance) MDR offering.

  • Please note we are updating documentation to reflect Aurora instead of Cylance.


General

Is a Proof of Concept (PoC) available?

Yes, we offer a 21-day Proof of Concept for new partners.

What is involved with a Proof of Concept?
Will my licensing automatically convert to production at the end of the PoC?
  • Yes, the Aurora implementation will be automatically converted to production at the end of the 21-day PoC unless it is canceled before the conversion.
What are the responsibilities of the partner?
  • Management of the deployment process
    • Deployment of the Aurora agents (Protect and Focus) to all workstations and servers
    • Creating a ‘Clean Baseline’ for the devices
    • Implementation of the Script Control feature
    • Creating and assigning tenant zones
    • Creating, assigning and maintaining policy parameters
  • Providing Level 1 support to direct end-user customers
  • Contacting SonicSentry for any Level 2 or Level 3 issues that you are unable to resolve
  • Monitoring of environment health
    • Removal of duplicate or retired machines
    • Addressing issues or inconsistencies identified in the provided report card
  • Further investigating, responding to and remediating alerts sent from the SonicSentry SOC
What are the deliverables from SonicSentry?
  • Architecture setup and configuration
    • Initial provisioning of Aurora tenants in a non-multi-tenancy environment
    • Provisioning of a multi-tenancy environment (where applicable per offering details)
    • Provisioning and staging of initial recommended policies and templates
    • Syslog/SIEM settings provisioning within the SIEM/SOAR platform
  • Training and Support
    • Provides training, support, and documentation
  • Security Operations Center (SOC) services (Where applicable per offering details)
    • Detection and alerting of identified abnormal, suspicious or malicious activity
    • Initial response as outlined by our EPP Alert Processing Summary
    • ‘Report Cards’ sent twice a month to assist with monitoring environment health
What are the differences between the endpoint offerings?
  • Aurora/Cylance Tier 1
    • Licensing for PROTECT
    • Training & Support (M-F 8 AM - 8 PM EST)
      • No emergency after hours support
    • No SOC Services
  • Aurora/Cylance Tier 3
    • Licensing for Protect and Focus (Formerly OPTICS)
      • Protect is the AV agent
      • Focus is the EDR agent
    • Training & Support (M-F 3 AM - 8 PM EST)
      • Emergency after hours support available
    • SOC Services
      • Ingestion and Analysis of security logs
        • 1 Year log retention
      • Detection of anomalous security events
      • Initial Mitigation Steps Performed
      • Implementation ‘Report Cards’ sent twice a month
  • Aurora/Cylance MDR for Endpoint (Primary Offering)
    • Licensing for Protect and Focus (Formerly OPTICS)
      • Protect is the AV agent
      • Focus is the EDR agent
    • Training & Support (M-F 3 AM - 8 PM EST)
      • Emergency after hours support available
    • SOC Services
      • Ingestion and Analysis of security logs
        • 1 Year log retention
      • Detection of anomalous security events
      • Initial Mitigation Steps Performed
      • Implementation ‘Report Cards’ sent twice a month
 

Implementation

What are the differences between the agents with my offering?
  • PROTECT
    • This is the AV product/agent
  • FOCUS (Formerly OPTICS)
    • This is the Aurora EDR agent developed by Arctic Wolf to integrate with the Protect agent
    • This is managed in the same dashboard as the Protect agent
    • Used for additional investigation of files that are quarantined/blocked by the Protect agent
    • This is used by our SOC team to respond and isolate a device when a Critical incident is identified
  • DattoEDR
    • This agent has been sunset and replaced with Focus
Do I need to install all of the agents?
  • PROTECT
    • Should be deployed on all devices
  • FOCUS (Formerly OPTICS)
    • Should be deployed by all Tier 3 and MDR partners
      • Is not available for Tier 1 partners
    • Should be deployed to any device that has the Protect agent installed, as long as the following hardware requirements are met:
      • i5 equivalent or better
      • 4 GB of Memory
      • 1 GB of Disk space for indexing and local caching
  • DattoEDR (Formerly Infocyte)
    • This agent has been sunset and replaced with Focus
Can I manage all the agents from the same portal?
  • Yes, now that we are transitioning away from DattoEDR to Focus
  • Both the Protect and Focus agents are managed in the same dashboard

Aurora Agent Implementation

What methods can I use to deploy the agents?
  • PROTECT
    • Download the install file from the Aurora console
      • Settings > Deployments
    • Install can be run manually or through a scripted command prompt
  • FOCUS (Formerly OPTICS)
    • Download the install file from the Aurora console
      • Settings > Deployments
    • Install can be run manually or through a scripted command prompt
Is there a Multi-tenancy option for the Aurora/Cylance Portal?
  • A Multi-Tenant Console (MTC) is available by request
  • Multi-tenancy is set up with a ‘Parent-Child’ architecture
    • Partners will be able to create their own customer tenants and maintain template policies
    • Customers will not be able to create their own tenants within the partner's MTC
  • The benefits of multi-tenancy include
    • Granular separation of customers for management and reporting
    • Single login capabilities for multiple customer tenants
    • Enhanced reporting capabilities
Can I use 2FA/MFA to log into an Aurora/Cylance console?
  • Native OTP/2FA is now available for logging into the Aurora Tenants.
  • There is the ability to configure an SSO (Single Sign On) and enforce 2FA/MFA through the SSO
    • The SSO must support SAML 2.0
    • Available documentation to assist with setting up an SSO can be found here: Enhanced Authentication
 

Support

How do I contact support?
How do I access Cylance documentation?
Is training provided?
  • SonicSentry provides training on both administrative and technical operations related to the service.

 

Monitoring

How are the logs retained?
  • Aurora logs are maintained on each endpoint on a rotating 30 day schedule
    • C:\Program Files\Cylance\Desktop\Log (Requires Admin Rights)
  • Protect and Focus events and syslogs are sent from the central management console to our SIEM/SOAR for SOC services
    • These logs are maintained for 1 year
Do I get access to the SIEM?
  • Tier 3 and MDR partners are granted access to our SIEM (by request) for visibility and reporting purposes
Is your SOC outsourced?
  • No. Our SOC is a 24x7x365 in-house Security Operations Center
    • NOAM partners work with our US-based, full-time employees
    • EMEA partners work with our EMEA-based, full-time employees
Can you monitor Windows Defender if it’s still enabled with Cylance?
  • No, we are not currently able to monitor Windows Defender activity/alerts with Aurora
How will partners be contacted about alerts or incidents?
  • Each partner should provide designated contact information for the following:
    • Aurora/Cylance General: General communications, updates and release notes
    • Aurora/Cylance Audits: Delivery of regular implementation reports twice a month (opt-out available)
    • SOC Alerts: Notification of detected threats or alerts from the SOC
    • SOC Emergency Contact: After-hours phone contact for emergencies
  • More details are available here: SOC EPP Alert Processing Summary
 

Billing

How is licensing handled?
  • For Monthly Billed Partners:
    • Licensing is based on the number of active PROTECT devices, pulled monthly on the last business day of the month
    • Invoices are issued on the first business day of each month, for the previous month's usage
  • For Yearly Committed Partners:
    • If your monthly usage is over your annual commit, you will be invoiced for the overage for that month
    • Licensing is based on the number of active PROTECT devices, pulled monthly on the last business day of the month
How can I view a breakdown of the number of devices per customer?
Will duplicate or retired devices be billed?
  • Retired devices that are still in the portal ARE included in invoice numbers
  • Duplicate devices with the same DNS Hostname are NOT included in invoicing numbers
  • It is recommended to routinely audit and remove duplicate or retired devices from the portal to avoid unnecessary charges
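The monthly device count above follows two rules: devices sharing a DNS hostname are counted once, while retired devices left in the portal are still counted. The script below is an added example (not SonicSentry's, Arctic Wolf's or the Aurora console's own code) that applies those rules to a device inventory before the last-business-day pull; the CSV columns (hostname, state, last_seen) and the "not seen for 90 days" definition of a retired device are assumptions, since the page does not describe the console's export format.

```python
"""Audit a tenant device list for duplicate and retired devices ahead of the
monthly licence pull. The CSV layout is a constructed stand-in, not the real
Aurora/Cylance console export."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample inventory; hostnames and dates are made up.
SAMPLE_CSV = """hostname,state,last_seen
WS-001,online,2024-05-30
WS-001,offline,2024-01-12
srv-db01,online,2024-05-29
WS-042,offline,2023-11-02
ws-042,offline,2023-10-30
FS-07,online,2024-05-30
"""


def load_devices(text):
    """Parse the (assumed) export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(devices, as_of, retired_after_days=90):
    """Return (billable_count, duplicates, retired).

    billable_count: distinct DNS hostnames (duplicates collapsed, retired still
    counted, matching the FAQ's billing rules).
    duplicates: hostname -> rows, for hostnames appearing more than once.
    retired: hostnames whose newest check-in is older than retired_after_days
    (an assumed heuristic; the page gives no portal-side 'retired' field)."""
    cutoff = as_of - timedelta(days=retired_after_days)
    by_host = defaultdict(list)
    for d in devices:
        # DNS names are case-insensitive, so WS-042 and ws-042 are one device.
        by_host[d["hostname"].lower()].append(d)
    duplicates = {h: rows for h, rows in by_host.items() if len(rows) > 1}
    retired = []
    for host, rows in by_host.items():
        newest = max(datetime.strptime(r["last_seen"], "%Y-%m-%d") for r in rows)
        if newest < cutoff:
            retired.append(host)
    return len(by_host), duplicates, sorted(retired)


if __name__ == "__main__":
    count, dups, old = audit(load_devices(SAMPLE_CSV), datetime(2024, 5, 31))
    print(f"billable={count} duplicates={sorted(dups)} retired={old}")
```

Removing the stale duplicate rows and the retired hosts it reports, before the pull date, is what keeps the invoiced count equal to the devices actually in service.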
