SentinelOne (S1) MDR: Frequently Asked Questions (FAQs)

Description

Frequently Asked Questions for our SentinelOne MDR offering.

General

Is a Proof of Concept (PoC) available?
  • Yes, we offer a 21-day Proof of Concept for new partners
What is involved with a Proof of Concept?
Will my licensing automatically convert to production at the end of the PoC?
  • Yes, the SentinelOne MDR implementation will be automatically converted to production at the end of the 21-day PoC unless it is canceled before the conversion
What are the responsibilities of the partner?
  • Management of the deployment process
    • Deployment of the SentinelOne Agents
    • Creating a Clean Baseline for the devices
    • Implementing Protection Phase
  • Maintaining policies and exclusions
  • Removal of duplicate or retired machines
  • Providing Tier 1 support to your customers
  • Contacting SonicSentry for any Tier 2 or Tier 3 issues that you are unable to resolve
  • Remediating issues identified from the provided report card
  • Further investigating alerts sent from the SonicSentry SOC
What are the Deliverables from SonicSentry?
  • Training, support, and documentation
  • Setup and configuration of the Syslog/SIEM settings within the SIEM/SOAR platform
  • Alerting of abnormal, suspicious or malicious behavior
  • Initial response to a compromise

 

Implementation

What if I already use SentinelOne and want to move those devices to SentinelOne MDR?
  • There is a method to migrate SentinelOne devices to a new account without uninstalling and reinstalling the agent.
What devices do I need to install the SentinelOne agent on?
  • The SentinelOne agent should be deployed on all devices in an environment
Is there a Multi-tenancy option?
  • Yes, a parent-child architecture is in place:
    • Partners will be able to create their own customer sites and maintain policies as desired

Support

How do I contact support?
How do I access SentinelOne documentation?
Is training provided?
  • SonicSentry provides training on both administrative and technical operations related to the service.

Monitoring

How are SentinelOne logs retained?
  • SentinelOne syslogs are sent from the central management console to our SIEM/SOAR for SOC services
    • These logs are maintained for 1 year
Do I get access to the SIEM?
  • MDR partners are granted access to our SIEM (by request) for visibility and reporting purposes
Is your SOC outsourced?
  • No. Our SOC is a 24x7x365 in-house Security Operations Center.
    • NOAM partners work with our US-based, full-time employees.
    • EMEA partners work with our EMEA-based, full-time employees.
How will partners be contacted about alerts or incidents?
  • Each partner should provide designated contact information for the following:
    • S1 General: General communications, updates, and release notes
    • S1 Audit Reports: Delivery of regular implementation reports twice a month (opt-out available)
    • SOC Alerts: Notification of detected threats or alerts from the SOC
    • SOC Emergency Contact: After-hours or emergency phone contact
  • More details are available here: SOC EPP Alert Processing Summary

Billing

How is licensing handled?
  • For Monthly Billed Partners:
    • Licensing is based on the number of active devices, pulled monthly on the last business day of the month.
    • Invoices are issued on the first business day of each month, for the previous month's usage.
  • For Yearly Committed Partners:
    • If your monthly usage is over your annual commit, you will be invoiced for the overage for that month.
    • Licensing is based on the number of active devices, pulled on the last business day of the month. 
How can I view a breakdown of the number of devices per customer?
Will duplicate or retired devices be billed?
  • Yes, it is recommended to routinely audit and remove duplicate or retired devices from the portal to avoid unnecessary charges.
