FIREEYE MANAGED DEFENSE –
FIREEYE MANAGED DEFENSE – NIGHTS AND WEEKENDS
In addition to the General Terms
Applicable to all Offerings, which govern this Schedule, the following
terms govern the FireEye Managed Defense – Continuous Vigilance and
FireEye Managed Defense Nights and Weekends Subscription (each, a
“Managed Defense Subscription” or “Subscription”).
1.1. “Alert” means an alert generated by a Product,
ETP Subscription, FireEye Helix Subscription, or TAP Subscription that
FireEye has determined is potentially malicious based on its
characteristics, and that is ingested into the Managed Defense
1.2. “Covered System” means (i) a computing device
(to the extent supported by FireEye) that Customer specifies as within
the scope of the Managed Defense Subscription, and if the Customer has
purchased the HX Product or FireEye Helix Subscription, on which a
software agent has been installed to support Managed Defense
Subscription delivery, or (ii) a computing device (to the extent
supported by FireEye) whose network traffic is observable to
support Managed Defense Subscription delivery; (iii) with respect to
ETP Subscriptions or EX Product, mailboxes monitored to support
Managed Defense Subscription delivery; or (iv) any computing device
that both Customer and FireEye agree is within scope of the Managed
1.3. “Enabling Technology” means additional hardware
appliances, software and/or subscription services that will be used by
FireEye in providing the Subscription, and may include log collection
and analysis equipment.
1.4. “Managed Defense Supported Technology” means the
Products, Subscriptions, and Enabling Hardware monitored through
the Managed Defense Subscription.
1.5. “Managed Defense Reports” means the written
reports relating to Alerts that FireEye creates and makes available to
Customer through the Managed Defense Subscription. Managed Defense
Reports are FireEye Materials.
1.6. “Nights and Weekends” means the Managed Defense
Subscription under which FireEye will provide the Managed Defense
Services described in Section 2 below for Alerts that are generated by
FireEye Supported Technology during a limited period of night, weekend
and holiday hours, as agreed between FireEye and Customer.
1.7. “Nodes” refers to the number of Covered Systems
within the Customer environment, which is reflected on the
1.8. “Suppressed Alerts” means Alerts that are to be
excluded from investigation and reporting because they a) relate to
previously reported incidents that have not been resolved by the
Customer; b) relate to Covered Systems that were identified as
compromised and where required resolution steps have not been
completed by the Customer; c) are not identified as being supported by
Managed Defense in the Managed Defense Service Description; or d) have
been requested to be excluded by the Customer.
2. Scope of Managed Defense – Services. During the
Subscription Term, FireEye will provide the Managed Defense
Subscription as set forth in this Section 2, according to the number
of Nodes purchased by Customer as set forth in the Subscription Order.
All services Customer requests that are not described in this Section
2 will be performed at mutually agreed upon rates as set forth in
Statements of Work. If the number of Nodes exceeds the purchased
Nodes reflected in the Subscription Order by more than ten percent
(10%), FireEye will notify Customer in writing, and will issue an
invoice for the next higher Node count at FireEye’s then-current rates
pro-rated for the remaining portion of the then-current Subscription Term.
2.1. Onboarding. The first phase of the Managed Defense
Subscription is “Onboarding,” during which FireEye will work with
Customer to deploy, connect, and test the Managed Defense Supported
Technology that will be monitored through the Managed Defense
Subscription (“Onboarding”). During Onboarding, FireEye will do the following:
a) Designate a Managed Defense Service Transition Manager who
will work in conjunction with the Customer.
b) For Customers who have purchased Managed Defense – Nights
and Weekends, establish with the Customer the hours during which the
Subscription will be provided (“Service Hours”). Service Hours may
include up to 123 hours of service per calendar week on nights and
weekends, and may include up to an additional 240 hours per year
allocated to holidays observed by the Customer.
c) Create and deliver account details for Managed Defense
Portal access, conduct training, collect implementation requirements,
establish agreed-upon installation timelines, and provide
Documentation for the Managed Defense Subscription.
d) Assist Customer with setup and configuration of
the Managed Defense Supported Technology, and test whether FireEye can
receive Alerts with supporting artifacts, and can monitor the
Customer’s Covered Systems.
e) For Managed Defense Supported Technology that has been
appropriately configured, conduct baseline monitoring activities for
up to 14 days. The intent of the baseline is to identify any Covered
Systems known to be compromised and identify active attacks occurring
in the Customer’s environment, and provide the Customer with any
recommended steps to remediate these issues.
f) Validate monitoring and alerting activity for
each Managed Defense Supported Technology.
2.2. Alert Analysis
For each validated Managed Defense Supported Technology, FireEye
will conduct the following monitoring, investigation and reporting activities:
a) Classification of Alerts. Alerts are automatically
ingested into the Managed Defense infrastructure as they are generated
by the applicable Managed Defense Supported Technology. Once ingested,
FireEye will classify the Alert as requiring further analysis or
requiring no further analysis as set forth in the table below.
b) If an Alert is classified as requiring no further
analysis, then a severity level assignment will be applied to the
Alert and a Managed Defense Report will be published to the Managed
Defense Portal as set forth in the table below, based on the severity level.
c) Initial Investigation. If an Alert is classified as
requiring further analysis, then FireEye will begin analysis of that
Alert promptly. FireEye analysts will perform an initial analysis of
the Customer’s Covered Systems to determine if the Alert is a true or
false positive, benign or suspicious activity.
d) Managed Defense Reports. If FireEye’s investigation
determines that the Alert indicates a true compromise, FireEye will
assign a “High,” “Medium,” or “Low” severity level. FireEye will publish
a Managed Defense Report to the Portal related to that Alert as set
forth in the table below.
e) Alerts that are investigated but are found to be benign
or a false positive will be reported as an informational report.
f) Regardless of whether FireEye’s investigation determines
that an Alert indicates a true compromise, FireEye will publish
a Managed Defense Report on the Alert to the Managed Defense Portal as
set forth in the table below, based on the severity level of
the Managed Defense Report (High, Medium, Low). Customer acknowledges
that in some cases, when FireEye’s investigation is not complete,
a Managed Defense Report may provide only an update of current status
of the Alert investigation.
Managed Defense Report Severity Level | Target Time to Classify Alert as Requiring Further Analysis or No Further Analysis (from time of ingestion) | Target Time to Publish Managed Defense Report (from time FireEye assigns severity level)
g) Extended Investigations; Multiple Related Alerts. When
FireEye has identified a true positive or suspicious activity, FireEye
analysts may perform an extended investigation, and/or may aggregate
and review multiple Alerts from related Covered Systems to determine
the extent of activity related to the Alert. FireEye analysts may
append results from the extended investigation or subsequent Alert
investigations to the initial Managed Defense Report if FireEye
determines that additional or subsequent Alerts are related, and in
such cases, FireEye will not be required to issue a separate Managed
Defense Report for each such related Alert.
h) Non-Remediable Alerts. FireEye has no obligation to
notify the Customer or generate a new Managed Defense Report on new
Alerts that are directly related to previous investigations or known
compromises where a Managed Defense Report has been published and
FireEye has provided recommended remediation steps, when the Customer
has acknowledged the Managed Defense Report but chooses not to or
cannot remediate the cause of these Alerts.
i) Alert Priority. FireEye may re-prioritize Alerts,
regardless of their severity classification, to provide focus to
Alerts that FireEye determines may have the largest impact to the
j) Continuity of Monitoring. All monitoring, investigation
and reporting activities described in this Section 2.2 will be
provided during the time periods as follows:
a. For Customers who have purchased Managed Defense –
Continuous Vigilance, all monitoring, investigation and reporting
activities will be provided on a 24/7/365 basis.
b. For Customers who have purchased Managed Defense – Nights and
Weekends, FireEye will monitor, investigate and report on Alerts that
were generated by Managed Defense Supported Technology during the
Service Hours agreed upon during the Onboarding phase as described in
Section 2.1(b) above (“Nights and Weekends Supported Alerts”).
Customer acknowledges that FireEye may ingest Alerts generated by
FireEye Supported Activity outside the Service Hours, and FireEye may
in some cases report on such Alerts (such as when such Alerts are
aggregated with Nights and Weekends Supported Alerts), but FireEye has
no obligation to report on Alerts that are generated by FireEye
Supported Technology outside of the Service Hours.
2.3. Managed Defense Consultant Responsibilities.
FireEye will assign a Managed Defense Consultant (MDC) to Customer’s
account to assist in the ongoing delivery of the Managed Defense
Subscription. MDCs will schedule routine meetings, deliver related
documentation and training specific to the delivery of the Managed
Defense Subscription. MDCs have no obligation to engage in activities
or respond to inquiries that are otherwise the responsibility of
standard FireEye Support such as Product-related troubleshooting or
2.4. Hunting. FireEye will conduct periodic
proactive hunting techniques on Covered Systems to look for additional
indicators of malicious or attacker activity. When FireEye’s
investigation reveals a compromise, FireEye will assign a severity
classification and publish a Managed Defense Report to the Managed
Defense Portal as set forth in the table in 2.2 above, according to
the severity classification. The hunting services described in this
Section 2.4 will not be provided under the Nights and Weekends
2.5. System Health Monitoring and Notification. For
Customers who have purchased the FireEye Email Security – Server
Edition (EX), FireEye FX, FireEye Endpoint Security (HX), FireEye
Network Security (NX), NX Smart Sensor, or FireEye PX Product, FireEye
will provide Customer with notification of system health issues such
as connectivity problems.
2.6. Containment. When the Customer has purchased
the FireEye Helix Subscription or FireEye Endpoint Security (HX)
Product, FireEye may, when appropriate, recommend containment of the
target Covered System from the Customer’s network. Unless the Customer
has opted in to any features that allow FireEye to contain Covered
Systems, Containment must be executed by the Customer. If Customer
opts in to features that allow FireEye to contain Covered Systems,
then Customer acknowledges that FireEye will contain Covered Systems,
in its discretion, to the extent of Customer’s configurations and
directions to do so. FireEye will not be responsible for any delays,
damages, liabilities, performance issues, or outages of Covered
Systems caused by containment when the Customer has either explicitly
allowed containment of the relevant Covered Systems or has opted into
FireEye containment and has not configured settings to disallow
containment of such Covered Systems.
2.7. Portal Access. Appliance Health Monitoring and
Managed Defense Reports will be provided via an online portal
(“Managed Defense Portal”), and FireEye will provide login credentials
to the Customer to enable access to the Managed Defense Portal.
Service levels for the Managed Defense Portal are as set forth on FireEye’s
Service Levels for Subscriptions page.
2.8. Incident Response (IR) Services Retainer. During
the Subscription Term, if Customer requires incident response (IR)
Professional Services, Customer will have access to FireEye’s 24/7/365
IR intake procedures. FireEye will provide contact information and
details of this service shortly after the Order Effective Date. If
Customer requires IR Professional Services, FireEye will respond,
triage and determine the need for Incident Professional Services, and
if FireEye determines that IR Professional Services are necessary,
FireEye will assign an IR Responder to work with Customer, including,
as necessary, for onsite assistance. All IR Professional Services will
be performed using the Managed Defense Supported Technology, and will
be charged on a time and materials basis, invoiced monthly in arrears,
at agreed upon hourly rates.
2.9. FireEye Intelligence Portal. During the
Subscription Term, FireEye will provide access to a FireEye
Intelligence Portal (“FIP”), subject to the following:
a) Permitted Use; Reports. Customer may access, view and
use FIP and content appearing on FIP (“FIP Content”) solely for
internal use. Customer understands and acknowledges that the FIP
Content available through the Managed Defense Subscription is more
limited than that available to customers who purchase a full
Intelligence Subscription. FIP Content is FireEye Material. Subject to
Customer’s payment obligations, FireEye grants to Customer a limited,
non-exclusive right to use FIP Content internally for Customer’s own
b) Additional Use Limitations. Customer may appoint up to
twenty (20) users of FIP at any time. Each day, all users on
Customer’s account may collectively make up to (A) one hundred twenty
five (125) queries of IP addresses and domain names and (B) one
hundred twenty five (125) queries of malware. Customer may request
additional queries, to be evaluated by FireEye on a case-by-case basis.
c) User Content. “User Content” means any communications,
images, sounds, and all the material and information that Customer or
anyone using Customer’s account contributes to or through FIP (e.g.,
comments to FIP Content, suspected malware that Customer uploads to
FIP). Customer grants FireEye a perpetual, irrevocable, worldwide,
paid-up, non-exclusive license, including the right to sublicense to
third parties, and right to reproduce, fix, adapt, modify, translate,
reformat, create derivative works from, publish, distribute, sell,
license, transmit, publicly display, publicly perform, or provide
access to electronically, broadcast, display, perform, and use and
practice such User Content as well as all modified and derivative
works thereof. Customer represents that Customer has all necessary
rights to grant the license referenced in the preceding sentence.
FireEye may use and disclose any of the information it collects about
its customers’ use of FIP to the extent such information is de-identified.
d) Restrictions. Customer may not access FIP by any means
other than through the interface that is provided or approved by
FireEye. Customer will not collect any information from or through FIP
using any automated means, including without limitation any script,
spider, “screen scraping,” or “database scraping” application, and
Customer will not damage, disable, overburden, or impair FIP or
interfere with any other party’s use and enjoyment of FIP.
2.10. Reseller and Partner Purchases. If Customer
receives the Subscription via a FireEye authorized services or support
partner (a “Partner”), Customer agrees that the Subscription and
Managed Defense Reports may be delivered to Customer through the
Partner. Notwithstanding any other confidentiality obligations between
the parties, Customer authorizes FireEye to disclose information
related to the Subscription and Customer Data to Partner.
2.11. Managed Defense for OT. If Customer has purchased
the additional OT Monitoring feature of the Managed Defense
Subscription (“OT Monitoring Subscription”), the following terms will
govern the OT Monitoring Subscription: (a) FireEye will, in addition
to the services described in Sections 2.1-2.6 of these Managed Defense
Terms, monitor Customer’s Helix Subscription for malicious activity
based on custom rules developed by FireEye in consultation with the
Customer; (b) FireEye will perform additional hunting activities
tailored to the Customer’s environment; (c) Alerts resulting from the
activities described in (a)-(b) will be published to the Managed
Defense Portal as set forth in Section 2.2 above. Any Alerts resulting
from third party OT technology will be reviewed in Helix and actioned
through access to the central console of the third party OT
technology, to the extent permitted by the third party OT technology.
The Subscription Term for the OT Monitoring Subscription will be the
same as the Managed Defense Subscription Term.
3. Customer Responsibilities. Customer acknowledges
and agrees that FireEye’s ability to successfully deliver the Managed
Defense Subscription is dependent on the Customer’s ability to meet
its responsibilities as outlined herein.
3.1. FireEye will have no liability for any failure to deliver
the Managed Defense Subscription that may arise due to Customer’s
refusal or failure to perform its responsibilities.
a) Installation Requirements. Customer will be responsible
for the following: (i) providing network architecture diagrams,
physical, and logical access to Customer’s environment for the sole
purpose of deploying and configuring Managed Defense Supported
Technology; (ii) upgrading pre-existing Managed Defense Supported
Technology to the minimum software version as referenced within
the Managed Defense Service Description for each product or
service; (iii) providing confirmation that all Managed Defense
Supported Technology within the Customer’s environment has been
successfully configured and connected to their network according to
the individual Product’s or Subscription’s System Administration
Guide and the configurations supported as noted in the FireEye
Support Portal; (iv) providing the ability to establish a
persistent connection to the Customer’s network within the designated
port range corresponding to the country from which the Managed Defense
Subscription will be delivered as referenced within the Managed
Defense Quick Start Guide.
b) Compromised Systems. Customer recognizes that the Managed
Defense Subscription is not an alternative to an incident response
engagement for an environment that is compromised prior to the start
of the Managed Defense Subscription.
c) Credential Security. Customer will be responsible for the
following: (i) providing accurate information to FireEye for
provisioning access to (and removal of) Customer personnel access to
the Managed Defense Portal; (ii) implementing and adhering to strong
password standards; (iii) providing accurate information to FireEye
for domain whitelisting; and (iv) reporting any security issues
related to the Subscription (including the Managed Defense Portal) to
d) Network Segment Exclusion: Customer must notify FireEye
if specific network segments will not require Managed Defense
monitoring. Customer must provide detailed information regarding the
specific network segment range when possible. Examples: guest
networks, testing environments, etc.
e) Remediating Known Compromises. Customer must make a
reasonable effort to remediate any known compromises reported by
FireEye or third party vendors. FireEye may choose to suppress alerts
generated by known compromised systems until such time the compromise
f) Time and Date Settings. Customers purchasing the Nights
and Weekends Subscription must ensure that all Managed Defense
Supported Technology has accurate time and date settings, to help
ensure that Nights and Weekends Supported Alerts are accurately
categorized. FireEye will not be responsible for reporting on Alerts
generated by Managed Defense Supported Technology that does not have
up-to-date time and date settings.
3.2. Exclusions. Notwithstanding anything else contained in
these Terms to the contrary, FireEye shall have no obligation or
responsibility to provide the Managed Defense Subscription for (i)
Products that the Customer (or FireEye or another third party on
Customer’s behalf) has configured with a one-way feed of FireEye’s
Dynamic Threat Intelligence (DTI) Content Feed; (ii) Managed Defense
Supported Technology that has been declared end of support or that is
not currently supported; (iii) Managed Defense Supported Technology
that has no active Support Service in place; (iv) Managed Defense
Supported Technology for which software updates have not been applied;
(v) Products that have not been installed and deployed; or
(vi) Managed Defense Supported Technology that is misconfigured or
incorrectly deployed, which prevents the Managed Defense Supported
Technology from monitoring the Covered Systems. Customer acknowledges
that to facilitate FireEye’s efficient performance of the Managed
Defense Subscription, FireEye may control some features and
functionality of the Managed Defense Supported Technology, and that
such features or functionality may not be available for Customer’s
independent use during the Subscription Term.