FIREEYE MANAGED DEFENSE
In addition to the General Terms Applicable to all Offerings, which
govern this Schedule, the following terms govern the FireEye Managed
Defense – Continuous Vigilance (Managed Defense) Subscription (the
“Managed Defense Subscription” or “Subscription”).
1.1. “Alert” means an alert generated by a Product,
ETP Subscription, FireEye Helix Subscription, or TAP Subscription that
FireEye has determined is potentially malicious based on its
characteristics, and that is ingested into the Managed Defense
1.2. “Covered System” means (i) a computing device
(to the extent supported by FireEye) that Customer specifies as within
the scope of the Managed Defense Subscription, and if the Customer has
purchased the HX Product or FireEye Helix Subscription, on which a
software agent has been installed to support Managed Defense
Subscription delivery, or (ii) a computing device (to the extent
supported by FireEye) whose network traffic is observable to
support Managed Defense Subscription delivery; (iii) with respect to
ETP Subscriptions or EX Product, mailboxes monitored to support
Managed Defense Subscription delivery; or (iv) any computing device
that both Customer and FireEye agree is within scope of the Managed
1.3. “Enabling Hardware” means additional hardware
appliances that will be used by FireEye in providing the Subscription,
and may include log collection and analysis equipment.
1.4. “Managed Defense Supported Technology” means the
Products, Subscriptions, and Enabling Hardware monitored through
the Managed Defense Subscription.
1.5. “Managed Defense Reports” means the written
reports relating to Alerts that FireEye creates and makes available to
Customer through the Managed Defense Subscription.
1.6. “Nodes” or “Node Band” refers to the number
of Covered Systems within the Customer environment, which is reflected
on the Subscription Order.
1.7. “Suppressed Alerts” means Alerts that are to be
excluded from investigation and reporting because they a) relate to
previously reported incidents that have not been resolved by the
Customer; b) relate to Covered Systems that were identified as
compromised and where required resolution steps have not been
completed by the Customer; c) are not identified as being supported
by Managed Defense in the Managed Defense Operations Manual; or d)
have been requested to be excluded by the Customer.
2. Scope of Managed Defense – Continuous Vigilance (CV)
Services. During the Subscription Term, FireEye will provide
the Managed Defense Subscription as set forth in this Section 2,
according to the Node Band purchased by Customer as set forth in the
Subscription Order. All services Customer requests that are not
described in this Section 2 will be performed at mutually agreed upon
rates as set forth in Statements of Work. If the number of Nodes
exceeds the Node Band reflected in the Subscription Order by more than
ten percent (10%), FireEye will notify Customer in writing, and will
issue an invoice for the next higher Node Band at FireEye’s
then-current rates pro-rated for the remaining portion of the
then-current Subscription Term.
2.1. Onboarding. The first phase of the Managed Defense
Subscription is “Onboarding,” during which FireEye will work with
Customer to deploy, connect, and test the Managed Defense Supported
Technology that will be monitored through the Managed Defense
Subscription (“Onboarding”). During Onboarding, FireEye will do the following:
a) Designate a Managed Defense Transition Manager who will
work in conjunction with the Customer.
b) Create and deliver account details for Managed Defense
Portal access, conduct training, collect implementation requirements,
establish agreed-upon installation timelines, and provide
Documentation for the Managed Defense Subscription.
c) Assist Customer with setup and configuration of
the Managed Defense Supported Technology, and test whether FireEye can
receive Alerts with supporting artifacts, and can monitor the
Customer’s Covered Systems.
d) For Managed Defense Supported Technology that has been
appropriately configured, conduct baseline monitoring activities for
up to 14 days. The intent of the baseline is to identify any Covered
Systems known to be compromised and identify active attacks occurring
in the Customer’s environment, and provide the Customer with any
recommended steps to remediate these issues.
e) Validate monitoring and alerting activity for
each Managed Defense Supported Technology.
2.2. Alert Analysis
For each validated Managed Defense Supported Technology, FireEye
will conduct the following monitoring, investigation and reporting activities:
a) Classification of Alerts. Alerts are automatically
ingested into the Managed Defense infrastructure as they are generated
by the applicable Managed Defense Supported Technology. Once ingested,
FireEye will classify the Alert as requiring further analysis or
requiring no further analysis within thirty (30) minutes of the time
the Alert was ingested into the Managed Defense infrastructure.
b) If an Alert is classified as requiring no further
analysis, then a severity level assignment will be applied to the
Alert and a Managed Defense Report will be published to the Managed
Defense Portal as set forth in the table below, based on the severity level.
c) Initial Investigation. If an Alert is classified as
requiring further analysis, then FireEye will begin analysis of that
Alert promptly. FireEye analysts will perform an initial analysis of
the Customer’s Covered Systems to determine if the Alert is a true or
false positive, benign or suspicious activity.
d) Managed Defense Reports. If FireEye’s investigation
determines that the Alert indicates a true compromise, FireEye will
assign a “High,” “Medium,” or “Low” severity level. FireEye will publish
a Managed Defense Report to the Portal related to that Alert as set
forth in the table below.
e) Alerts that are investigated but are found to be benign
or a false positive will be reported as an informational report.
f) Regardless of whether FireEye’s investigation determines
that an Alert indicates a true compromise, FireEye will publish
a Managed Defense Report on the Alert to the Managed Defense Portal as
set forth in the table below, based on the severity level of
the Managed Defense Report (High, Medium, Low). Customer acknowledges
that in some cases, when FireEye’s investigation is not complete,
a Managed Defense Report may provide only an update of current status
of the Alert investigation.
Table columns: Managed Defense Report Severity Level; Target Time to
Classify Alert as Requiring Further Analysis or No Further Analysis
(from time of ingestion); Target Time to Publish Managed Defense
Report (from time FireEye assigns severity level)
g) Extended Investigations; Multiple Related Alerts. When
FireEye has identified a true positive or suspicious activity, FireEye
analysts may perform an extended investigation, and/or may aggregate
and review multiple Alerts from related Covered Systems to determine
the extent of activity related to the Alert. FireEye analysts may
append results from the extended investigation or subsequent Alert
investigations to the initial Managed Defense Report if FireEye
determines that additional or subsequent Alerts are related, and in
such cases, FireEye will not be required to issue a separate Managed
Defense Report for each such related Alert.
h) Non-Remediable Alerts. FireEye has no obligation to
notify the Customer or generate a new Managed Defense Report on new
Alerts that are directly related to previous investigations or known
compromises where a Managed Defense Report has been published and
FireEye has provided recommended remediation steps, when the Customer
has acknowledged the Managed Defense Report but chooses not to or
cannot remediate the cause of these Alerts.
i) Alert Priority. FireEye may re-prioritize Alerts,
regardless of their severity classification, to provide focus to
Alerts that FireEye determines may have the largest impact to the
j) Continuity of Monitoring. All monitoring, investigation
and reporting activities described in this Section 2.2 will be
provided on a 24/7/365 basis.
2.3. Engagement Manager Responsibilities. FireEye
will assign a Threat Assessment Manager (TAM) to Customer’s account to
assist in the ongoing delivery of the Managed Defense Subscription.
TAMs will schedule routine meetings, deliver related documentation and
training specific to the delivery of the Managed Defense Subscription.
TAMs have no obligation to engage in activities or respond to
inquiries that are otherwise the responsibility of standard FireEye
Support such as Product-related troubleshooting or configuration
2.4. Hunting. FireEye will conduct periodic
proactive hunting techniques on Covered Systems to look for additional
indicators of malicious or attacker activity. When FireEye’s
investigation reveals a compromise, FireEye will assign a severity
classification and publish a Managed Defense Report to the Managed
Defense Portal as set forth in the table in 2.2 above, according to
the severity classification.
2.5. System Health Monitoring and Notification. For
Customers who have purchased the FireEye EX, FX, HX, NX, NX Smart
Sensor, or PX Product, FireEye will provide Customer with notification
of system health issues such as connectivity problems.
2.6. Containment. When the Customer has purchased
the FireEye Helix Subscription or HX Product, FireEye may, when
appropriate, recommend containment of the target Covered System from
the Customer’s network. Containment must be executed by the Customer.
2.7. Portal Access. Appliance Health Monitoring
and Managed Defense Reports will be provided via an online portal
(“Managed Defense Portal”), and FireEye will provide login credentials
to the Customer to enable access to the Managed Defense Portal.
Service levels for the Managed Defense Portal are as set forth in
Section 3 below.
2.8. Incident Response (IR) Services Retainer. During
the Subscription Term, if Customer requires incident response (IR)
Professional Services, Customer will have access to FireEye’s 24/7/365
IR intake procedures. FireEye will provide contact information and
details of this service shortly after the Order Effective Date. If
Customer requires IR Professional Services, FireEye will respond,
triage and determine the need for Incident Professional Services, and
if FireEye determines that IR Professional Services are necessary,
FireEye will assign an IR Responder to work with Customer, including,
as necessary, for onsite assistance. All IR Professional Services will
be performed using the Managed Defense Supported Technology, and will
be charged on a time and materials basis, invoiced monthly in arrears,
at agreed upon hourly rates.
2.9. FireEye iSIGHT Intelligence Portal. During the
Subscription Term, FireEye will provide access to a FireEye iSIGHT
Intelligence Portal (“FIIP”), subject to the following:
a) Permitted Use; Reports. Customer may access, view and
use FIIP and content appearing on FIIP (“FIIP Content”) solely for
internal use. Customer understands and acknowledges that the FIIP
Content available through the Managed Defense Subscription is more
limited than that available to customers who purchase a full iSIGHT
Subscription. FIIP Content is FireEye Material. Subject to Customer’s
payment obligations, FireEye grants to Customer a limited,
non-exclusive right to use FIIP Content internally for Customer’s own
b) Additional Use Limitations. Customer may appoint up to
twenty (20) users of FIIP at any time. Each day, all users on
Customer’s account may collectively make up to (A) one hundred twenty
five (125) queries of IP addresses and domain names and (B) one
hundred twenty five (125) queries of malware. Customer may request
additional queries, to be evaluated by FireEye on a case-by-case basis.
c) User Content. “User Content” means any communications,
images, sounds, and all the material and information that Customer or
anyone using Customer’s account contributes to or through FIIP (e.g.,
comments to FIIP Content, suspected malware that Customer uploads to
FIIP). Customer grants FireEye a perpetual, irrevocable, worldwide,
paid-up, non-exclusive, license, including the right to sublicense to
third parties, and right to reproduce, fix, adapt, modify, translate,
reformat, create derivative works from, publish, distribute, sell,
license, transmit, publicly display, publicly perform, or provide
access to electronically, broadcast, display, perform, and use and
practice such User Content as well as all modified and derivative
works thereof. Customer represents that Customer has all necessary
rights to grant the license referenced in the preceding sentence.
FireEye may use and disclose any of the information it collects about
its customers’ use of FIIP to the extent such information is de-identified.
d) Restrictions. Customer may not access FIIP by any means
other than through the interface that is provided or approved by
FireEye. Customer will not collect any information from or through
FIIP using any automated means, including without limitation any
script, spider, “screen scraping,” or “database scraping” application,
and Customer will not damage, disable, overburden, or impair FIIP or
interfere with any other party’s use and enjoyment of FIIP.
2.10. Reseller and Partner Purchases. If Customer
receives the Subscription via a FireEye authorized services or support
partner (a “Partner”), Customer agrees that the Subscription and
Managed Defense Reports may be delivered to Customer through the
Partner. Notwithstanding any other confidentiality obligations between
the parties, Customer authorizes FireEye to disclose information
related to the Subscription and Customer Data to Partner.
2.11. Managed Defense for ICS. If Customer has
purchased the additional ICS Monitoring feature of the Managed Defense
Subscription (“ICS Monitoring Subscription”), the following terms will
govern the ICS Monitoring Subscription: (a) FireEye will, in addition
to the services described in Sections 2.1-2.6 of these Managed Defense
Terms, monitor Customer’s TAP Subscription for malicious activity
based on custom rules developed by FireEye in consultation with the
Customer; (b) FireEye will perform additional hunting activities
tailored to the Customer’s environment; (c) Alerts resulting from the
activities described in (a)-(b) will be published to the Managed
Defense Portal as set forth in Section 2.2 above; and (d) additional
Enabling Hardware will be provided (“ICS Enabling Hardware”). The ICS
Enabling Hardware constitutes Third Party Material, and the hardware
components of such ICS Enabling Hardware must be returned to FireEye
or the relevant third party upon termination or expiration of
the Managed Defense Subscription Term. Customer acknowledges that the
third party owner of the ICS Enabling Hardware is a third party
beneficiary of the right to enforce the obligation to return the ICS
Enabling Hardware as set forth above. The Subscription Term for the
ICS Monitoring Subscription will be the same as the Managed Defense
3. Customer Responsibilities. Customer acknowledges
and agrees that FireEye’s ability to successfully deliver the Managed
Defense Subscription is dependent on the Customer’s ability to meet
its responsibilities as outlined herein.
3.1 FireEye will have no liability for any failure to deliver
the Managed Defense Subscription that may arise due to Customer’s
refusal or failure to perform its responsibilities.
a) Installation Requirements. Customer will be responsible
for the following: (i) providing network architecture diagrams,
physical, and logical access to Customer’s environment for the sole
purpose of deploying and configuring Managed Defense Supported
Technology; (ii) upgrading pre-existing Managed Defense Supported
Technology to the minimum software version as referenced within
the Managed Defense Operations Manual for each product or
service; (iii) providing confirmation that all Managed Defense
Supported Technology within the Customer’s environment has been
successfully configured and connected to their network according to
the individual Product’s or Subscription’s System Administration
Guide and the configurations supported as noted in the FireEye
Support Portal; (iv) providing the ability to establish a
persistent connection to the Customer’s network within the designated
port range corresponding to the country from which the Managed Defense
Subscription will be delivered as referenced within the Managed
Defense Quick Start Guide.
b) Compromised Systems. Customer recognizes that the Managed
Defense Subscription is not an alternative to an incident response
engagement for an environment that is compromised prior to the start
of the Managed Defense Subscription.
c) Credential Security. Customer will be responsible for the
following: (i) providing accurate information to FireEye for
provisioning access to (and removal of) Customer personnel access to
the Managed Defense Portal; (ii) implementing and adhering to strong
password standards; (iii) providing accurate information to FireEye
for domain whitelisting; and (iv) reporting any security issues
related to the Subscription (including the Managed Defense Portal) to
d) Network Segment Exclusion: Customer must notify FireEye
if specific network segments will not require Managed Defense
monitoring. Customer must provide detailed information regarding the
specific network segment range when possible. Examples: guest
networks, testing environments, etc.
e) Remediating Known Compromises. Customer must make a
reasonable effort to remediate any known compromises reported by
FireEye or third party vendors. FireEye may choose to suppress alerts
generated by known compromised systems until such time the compromise
3.2. Exclusions. Notwithstanding anything else contained in
these Terms to the contrary, FireEye shall have no obligation or
responsibility to provide the Managed Defense Subscription for (i)
Products that the Customer (or FireEye or another third party on
Customer’s behalf) has configured with a one-way feed of FireEye’s
Dynamic Threat Intelligence (DTI) Content Feed; (ii) Managed Defense
Supported Technology that has been declared end of support or that are
not currently supported; (iii) Managed Defense Supported Technology
that has no active Support Service in place; (iv) Managed Defense
Supported Technology for which software updates have not been applied;
(v) Products that have not been installed and deployed; or
(vi) Managed Defense Supported Technology that is misconfigured or
incorrectly deployed, which prevents the Managed Defense Supported
Technology from monitoring the Covered Systems. Customer acknowledges
that to facilitate FireEye’s efficient performance of the Managed
Defense Subscription, FireEye may control some features and
functionality of the Managed Defense Supported Technology, and that
such features or functionality may not be available for Customer’s
independent use during the Subscription Term.
4. Managed Defense Portal Availability
4.1 Uptime. FireEye shall undertake commercially
reasonable efforts to ensure the Managed Defense Portal availability
for 99.9% of the time during each calendar month.
a) “Service Outage” means the Managed Defense Portal is not
available due to a failure or a disruption in the Managed Defense
Portal that is not the result of Scheduled Maintenance, Emergency
Maintenance, a force majeure event or of the act or omission of Customer.
b) “Scheduled Maintenance Period” is the period during
which weekly scheduled maintenance of the Managed Defense Portal may
c) "Emergency Maintenance" means any time outside
of Scheduled Maintenance that FireEye requires to apply critical
patches or fixes or undertake other urgent maintenance. If Emergency
Maintenance is required, FireEye will notify Customer, to the extent
possible under the circumstances, and provide the expected time frame
of the Emergency Maintenance and availability of the Managed Defense
Portal during the Emergency Maintenance.
d) "System Availability" means the number of
minutes in any calendar month minus the aggregate number of minutes of
all Service Outages that occur during that calendar month.
a) If the Managed Defense Portal does not meet the monthly
service availability defined in 4.1, FireEye will provide a credit to
the Customer in accordance with the table below (“Credit”) for a
validated Service Level Claim (defined below). The percent of Managed
Defense Portal availability per calendar month (in the table below) is
equal to the result, expressed as a percentage, of the number of
minutes of System Availability in a calendar month divided by the
total number of minutes in the calendar month.
Table column: Percent of Managed Defense Portal Availability per Calendar Month
b) For determining the Credit, the duration of a Service
Outage will be measured as the time starting when Customer experiences
a disruption in availability of the Managed Defense Portal and ending
when a successful solution or workaround allowing for full restoration
of the Managed Defense Portal is provided by FireEye to Customer.
Customer must notify FireEye in writing of any Service Outage no later
than fifteen (15) days after the calendar month in which the Service
Outage occurred (“Service Level Claim”) to be entitled to a Credit for
that Service Outage.
c) Any Credits earned by Customer hereunder will be applied
to the Subscription Fees owed by Customer for the next Subscription
Term for which the Credit applies. If Credits cannot be applied to
future Subscription Fees because the Subscription Term has terminated
for non-renewal or for a material uncured breach by Customer, such
credits shall become null and void. If Credits cannot be applied to
future Subscription Fees because the Subscription Term has terminated
due to a material uncured breach by FireEye, FireEye will promptly pay
Customer the amount of the Credit. Customer shall not be entitled to
receive a Credit that exceeds 10% of its prorated monthly Subscription
Fee for a Service Outage for the applicable calendar month.