Sophos MDR: Frequently Asked Questions (FAQs)

Description

Is a Proof of Concept (PoC) available?

  • Yes, we offer a 14-day Proof of Concept.

What is involved with a Proof of Concept?

What happens at the end of my Proof of Concept?

  • There is nothing you need to do to continue services. The MDR for Sophos implementation will be automatically converted to production at the end of the 14-day PoC unless canceled before the conversion.

What are my responsibilities?

  • Management of the deployment process
    • Deployment of the Agent to all workstations and servers with necessary "Intercept X Advanced with XDR" licensing
    • Creating a ‘Clean Baseline’ for the devices
    • Creation, assignment and maintenance of device policies
    • Ensuring upkeep of API integrations and connector health for syslog ingestion
    • Creation of new Connectors in the SIEM for new Client onboardings
    • Ensuring SonicSentry SOC access to Portal/Agent groups for monitoring
  • Monitoring of environment health
    • Removal of duplicate or retired machines
  • Further investigation of, response to and remediation of alerts sent from the SonicSentry SOC

What are the Deliverables from SonicSentry?

  • Architecture setup and configuration
    • Initial provisioning of MDR Integration and access to SIEM Dashboard
    • Validation of necessary licensure and SonicSentry access to the Sophos Partner Portal
  • Training and Support
    • Provide training, support, and documentation as outlined per offering details.
    • Syslog/SIEM settings provisioning within the SIEM/SOAR platform
  • Security Operations Center (SOC) services
    • Detection and alerting of identified abnormal, suspicious or malicious activity
    • Response and mitigation as outlined by our EPP Alert Processing Summary

Implementation

What devices do I need to install the Sophos agent on?

  • The Sophos agent should be deployed on all devices in an environment

Support

How do I contact support?

How do I access MDR for Sophos documentation?

  • Recommended documentation once onboarding has started can be found via SonicWall's Knowledge Base.
  • All other documentation is available by request from our support team

Is there official training for MDR for Sophos available?

  • SonicSentry will train on all support and administrative topics relevant to the offering

Monitoring

How are Sophos logs retained?

  • Sophos syslogs are sent from the central management console to our SIEM/SOAR for SOC services
    • These logs are maintained for 1 year

Do I get access to the SIEM?

  • Yes, you are granted access to our SIEM for client onboarding and reporting purposes

Is your SOC outsourced?

  • No. Our SOC is a 24x7x365 in-house Security Operations Center.
    • NOAM is covered by our US-based, full-time employees.
    • EMEA is covered by our EMEA-based, full-time employees.

How am I contacted if there’s an issue?

  • We ask for the following contact numbers and email addresses:
    • Sophos General
      • This will be used for all Sophos-related general communication, including news, release notes, etc.
    • SOC Alerts
      • The contact in the event our SOC Analysts find abnormal, suspicious, or malicious activity
      • This would also be the contact that would receive advanced alerting from our SIEM
        • Please let us know if you would like to separate this into two separate contacts
    • Emergency Contact
      • Phone numbers in the event we need/you would like us to contact you after hours or in an emergency
  • Please reference the following article: SOC EPP Alert Processing Summary

Billing

How am I billed for Sophos?

  • MDR for Sophos invoicing is conducted monthly
    • The invoice, totalling all devices that have been active in the Sophos Portal during the month, will be provided on the first business day of the following month.
    • How do I get a breakdown of my devices per site/customer?
      • Please reference the following article: Sophos: Monthly Invoicing

Will I be charged for duplicate or offline/retired devices?

  • Yes, we ask that duplicate and decommissioned devices be removed from the portal to avoid unnecessary charges.

Related Articles

  • MPSS Frequently Asked Questions (FAQs)
  • Getting Started with MPSS
  • MSS FMM: NSM - Frequently Asked Questions (FAQs)