MDR for Windows Defender: Frequently Asked Questions (FAQs)

Description

Is a Proof of Concept (PoC) available?

  • Yes, we offer a 14-day Proof of Concept for new users.

What is involved with a Proof of Concept?

  • Time Frame: 14 days, starting with the kickoff call.
  • Endpoint Limit: Unlimited.

Will my licensing automatically convert to production at the end of the PoC?

  • Yes, the MDR for Windows Defender implementation will be automatically converted to production at the end of the 14-day PoC unless canceled before the conversion.

What are the Deliverables from SonicSentry?

  • Architecture setup and configuration
    • Initial provisioning of the MDR Agent Dashboard
    • Creation and organization of device groupings
    • Creation and activation of initial recommended policies and templates
  • Training and Support
    • Provide training, support, and documentation as outlined per offering details.
    • Syslog/SIEM settings provisioning within the SIEM/SOAR platform
  • Security Operations Center (SOC) services
    • Detection and alerting of identified abnormal, suspicious or malicious activity
    • Response and mitigation as outlined by our [[EPP Alert Processing Summary|241204134551910]]

What are my responsibilities?

  • Management of the deployment process.
    • Deployment of the MDR Agent to all workstations and servers.
    • Creating a ‘Clean Baseline’ for the devices.
    • Creation and assignment of device groups.
    • Creation, assignment, and maintenance of policy parameters.
  • Providing Tier 1 support to direct end-user customers that are part of the PoC.
  • Contacting SonicSentry for any Tier 2 or Tier 3 issues that you are unable to resolve.
  • Monitoring of environment health.
    • Removal of duplicate or retired machines.
  • Further investigation, response, and remediation of alerts sent from the SonicSentry SOC.

How do I move forward after the PoC?

  • Infocyte team sends a Wrap-Up email at the end of the PoC indicating that the PoC is being converted to Production, and that Billing will be going live.
    • Infocyte team confirms the following has been set up and configured properly:
      • Preferred Contact info
        • SOC General
        • SOC Alerts
        • SOC Emergency (Phone Number)
      • SOC services

What methods can I use to deploy the agents?

What access do I get to the Infocyte console?

  • The purpose of granting access is for visibility and management of Agents and Policies.
  • We do not monitor Alerts out of the portal.
  • All logs/alerts are pushed to our XDR platform and that is where our SOC monitors and processes alerts.
  • Any modifications made beyond the directed areas of the Infocyte portal could cause a degradation in alerting and cause a compromise to be missed.

We recommend at least one key admin per instance. The admin can perform the following actions:

  • Add/Remove users.
  • Modify/Assign Named Policies.
  • Delete Decommissioned Agents from the Portal.
  • Create Suppression Rules to Alerts.
  • Create Automatic Responses to Alerts.
  • Create Custom Alert Notifications.

Analyst level users can perform functions such as:

  • Review logs/alerts.
  • Review policies.
  • Respond to Security Events.
  • Move devices between locations.
  • Cannot remove devices or modify security/policy/suppression settings.
  • Cannot manage user settings.

Why are there so many alerts showing? Why do I have hosts listed as ‘Compromised’? Why isn’t the SOC doing anything about this?

  • There will always be alerts listed if you are on our MDR offering.
  • Infocyte (like a true EDR) is very chatty and we love that!
  • We ingest all alert data from the hundreds of Infocyte portals we manage to our XDR platform.
    • This is where our SOC triggers and processes/triages actionable alerts.
  • There will be many times where we log into the Infocyte portal and start ‘acknowledging’ alerts while performing investigations.
    • We do not want third parties doing this as it can affect our investigations.
  • Just because the portal says ‘Compromised’ does not mean it’s actually compromised.
    • A single alert will set the ‘Compromised’ flag on the endpoint.

Is there a Multi-tenancy option for the Infocyte console?

  • No. All Infocyte ARR agents are deployed to one console.

Can I use 2FA/MFA to log into an Infocyte console?

  • Yes, native OTP/2FA is mandatory for every account.

Can I use the Infocyte ARR agent in a VDI environment?

  • The recommended way of deploying Infocyte Agents on virtual machines is to install them as a standalone package (installing the Agent on each virtual machine separately).
  • Pre-installing the Agent on a base machine and then cloning the virtual machine results in agent IDs inherited from the master image, and the cloned machines will not present themselves in the web UI.
  • Reference: Infocyte: Agent on VDI or VM Deployment (datto.com).

Support

How do I contact support?

  • To start a support ticket, please visit https://msssupport.myportallogin.com, select Endpoint Security, and then Infocyte Support.
  • Meetings can be scheduled via the Infocyte Support Calendly page.
  • If the matter is urgent, we always recommend calling our office at 703.565.2395.
  • Standard Support hours for Infocyte are currently 8 AM - 5 PM EST Monday - Friday (excluding holidays).
    • MDR for Windows Defender provides 24/7 Emergency Support for business service outages.
      • Please call our office at 703.565.2395 if Emergency Support is needed.

Is there official training for Infocyte available?

Yes, SonicSentry will train on all support and administrative topics in your MDR for Windows Defender kickoff call and subsequent check-in calls.

Is your SOC outsourced?

  • No. SonicSentry runs a 24x7x365 in-house Security Operations Center.

How am I contacted if there’s an issue?

  • We ask for the preferred contact info for the following categories:
    • SOC General
      • This will be used for all general communication to include news, release notes, etc.
    • SOC Alerts
      • The contact in the event our SOC Analysts find abnormal, suspicious, or malicious activity.
    • SOC Emergency
      • Phone numbers in the event we need/you would like us to contact you after hours or in an emergency.
  • Please reference the following article: [[EPP Alert Processing|241204134551910]]

Billing

How am I licensed for MDR for Windows Defender?

  • Invoicing is conducted monthly.
    • We at SonicSentry pull numbers for invoicing on the last business day of the month.
    • The invoice will be a total of all devices and will be provided on the first business day of the month.
    • Please Note that SonicSentry bills forward.
      • This means the invoice received is for the current month, based on the number of devices from the last business day of the previous month.

Will I be charged for duplicate or offline/retired devices?

  • Yes, we ask that duplicate, decommissioned, and retired devices be removed from the portal.
    • Our support team can show you easy methods on how to identify such machines.
