MANDIANT MANAGED DEFENSE –
MANDIANT MANAGED DEFENSE – NIGHTS AND WEEKENDS
In addition to the General Terms
Applicable to all Offerings, which govern this Schedule, the following
terms govern the Mandiant Managed Defense – Continuous Vigilance and
Mandiant Managed Defense Nights and Weekends Subscription (each, a
“Managed Defense Subscription” or “Subscription”).
1.1. “Alert” means an alert generated by a Product,
ETP Subscription, FireEye Helix Subscription, or TAP Subscription that
Mandiant has determined is potentially malicious based on its
characteristics, and that is ingested into the Managed Defense
1.2. “Covered System” means (i) a computing device
(to the extent supported by Mandiant) that Customer specifies as
within the scope of the Managed Defense Subscription, and if the
Customer has purchased the HX Product or Helix Subscription, on which
a software agent has been installed to support Managed Defense
Subscription delivery, or (ii) a computing device (to the extent
supported by Mandiant) whose network traffic is observable to support
Managed Defense Subscription delivery; (iii) with respect to ETP
Subscriptions or EX Product, mailboxes monitored to support Managed
Defense Subscription delivery; or (iv) any computing device that both
Customer and Mandiant agree is within scope of the Managed Defense Subscription.
1.3. “Enabling Technology” means additional hardware
appliances, software and/or subscription services that will be used by
Mandiant in providing the Managed Defense Subscription, and may
include log collection and analysis equipment.
1.4. “Managed Defense Supported Technology” means the
Products, Subscriptions, and Enabling Hardware monitored through
the Managed Defense Subscription.
1.5. “Managed Defense Reports” means the written
reports relating to Alerts that Mandiant creates and makes available
to Customer through the Managed Defense Subscription. Managed Defense
Reports are FireEye Materials.
1.6. “Nights and Weekends” means the Managed Defense
Subscription under which Mandiant will provide the Managed Defense
Services described in Section 2 below for Alerts that are generated by
Managed Defense Supported Technology during a limited period of night,
weekend and holiday hours, as agreed between Mandiant and Customer.
1.7. “Nodes” refers to the number of Covered Systems
within the Customer environment, which is reflected on the
1.8. “Suppressed Alerts” means Alerts that are to be
excluded from investigation and reporting because they a) relate to
previously reported incidents that have not been resolved by the
Customer; b) relate to Covered Systems that were identified as
compromised and where required resolution steps have not been
completed by the Customer; c) are not identified as being supported by
Managed Defense in the Managed Defense Service Description; or d) have
been requested to be excluded by the Customer.
2. Scope of Managed Defense Services. During the
Subscription Term, Mandiant will provide the Managed Defense
Subscription as set forth in this Section 2, according to the number
of Nodes purchased by Customer as set forth in the Subscription Order.
All services Customer requests that are not described in this Section
2 will be performed at mutually agreed upon rates as set forth in
Statements of Work. If the number of Nodes exceeds the purchased
Nodes reflected in the Subscription Order by more than ten percent
(10%), Mandiant will notify Customer in writing, and will issue an
invoice for the next higher Node count at Mandiant’s then-current
rates pro-rated for the remaining portion of the then-current
2.1. Onboarding. The first phase of the Managed Defense
Subscription is “Onboarding,” during which Mandiant will work with
Customer to deploy, connect, and test the Managed Defense Supported
Technology that will be monitored through the Managed Defense
Subscription (“Onboarding”). During Onboarding, Mandiant will do the following:
a) Designate a Managed Defense Service Transition Manager who
will work in conjunction with the Customer.
b) For Customers who have purchased Managed Defense – Nights
and Weekends, establish with the Customer the hours during which the
Subscription will be provided (“Service Hours”). Service Hours may
include up to 123 hours of service per calendar week on nights and
weekends, and may include up to an additional 240 hours per year
allocated to holidays observed by the Customer.
c) Create and deliver account details for Managed Defense
Portal access, conduct training, collect implementation requirements,
establish agreed-upon installation timelines, and provide
Documentation for the Managed Defense Subscription.
d) Assist Customer with setup and configuration of
the Managed Defense Supported Technology, and test whether FireEye can
receive Alerts with supporting artifacts, and can monitor the
Customer’s Covered Systems.
e) For Managed Defense Supported Technology that has been
appropriately configured, conduct baseline monitoring activities for
up to 14 days. The intent of the baseline is to identify any Covered
Systems known to be compromised and identify active attacks occurring
in the Customer’s environment, and provide the Customer with any
recommended steps to remediate these issues.
f) Validate monitoring and alerting activity for
each Managed Defense Supported Technology.
2.2. Alert Analysis
For each validated Managed Defense Supported Technology, Mandiant
will conduct the following monitoring, investigation and reporting activities:
a) Classification of Alerts. Alerts are automatically
ingested into the Managed Defense infrastructure as they are generated
by the applicable Managed Defense Supported Technology. Once
ingested, Mandiant will classify the Alert as requiring further
analysis or requiring no further analysis as set forth in the table
b) If an Alert is classified as requiring no further
analysis, then a severity level assignment will be applied to the
Alert and a Managed Defense Report will be published to the Managed
Defense Portal as set forth in the table below, based on the severity level.
c) Initial Investigation. If an Alert is classified as
requiring further analysis, then Mandiant will begin analysis of that
Alert promptly. Mandiant analysts will perform an initial analysis of
the Customer’s Covered Systems to determine if the Alert is a true or
false positive, benign or suspicious activity.
d) Managed Defense Reports. If Mandiant’s investigation
determines that the Alert indicates a true compromise, Mandiant will
assign a “High,” “Medium,” or “Low” severity level. Mandiant will
publish a Managed Defense Report to the Portal related to that Alert
as set forth in the table below.
e) Alerts that are investigated but are found to be benign
or a false positive will be reported as an informational report.
f) Regardless of whether Mandiant’s investigation
determines that an Alert indicates a true compromise, Mandiant will
publish a Managed Defense Report on the Alert to the Managed Defense
Portal as set forth in the table below, based on the severity level of
the Managed Defense Report (High, Medium, Low). Customer acknowledges
that in some cases, when Mandiant’s investigation is not complete,
a Managed Defense Report may provide only an update of current status
of the Alert investigation.
Managed Defense Report Severity Level | Target Time to Classify Alert as Requiring Further Analysis or No Further Analysis (from time of ingestion) | Target Time to Publish Managed Defense Report (from time Mandiant assigns severity level)
g) Extended Investigations; Multiple Related Alerts.
When Mandiant has identified a true positive or suspicious
activity, Mandiant analysts may perform an extended investigation,
and/or may aggregate and review multiple Alerts from related Covered
Systems to determine the extent of activity related to the
Alert. Mandiant analysts may append results from the extended
investigation or subsequent Alert investigations to the
initial Managed Defense Report if Mandiant determines that additional
or subsequent Alerts are related, and in such cases, Mandiant will not
be required to issue a separate Managed Defense Report for each such
h) Non-Remediable Alerts. Mandiant has no obligation to
notify the Customer or generate a new Managed Defense Report on new
Alerts that are directly related to previous investigations or known
compromises where a Managed Defense Report has been published
and Mandiant has provided recommended remediation steps, when the
Customer has acknowledged the Managed Defense Report but chooses not
to or cannot remediate the cause of these Alerts.
i) Alert Priority. Mandiant may re-prioritize Alerts,
regardless of their severity classification, to provide focus to
Alerts that Mandiant determines may have the largest impact to the
j) Continuity of Monitoring. All monitoring, investigation
and reporting activities described in this Section 2.2 will be
provided during the time periods as follows:
a. For Customers who have purchased Managed Defense –
Continuous Vigilance, all monitoring, investigation and reporting
activities will be provided on a 24/7/365 basis.
b. For Customers who have purchased Managed Defense – Nights and
Weekends, Mandiant will monitor, investigate and report on Alerts that
were generated by Managed Defense Supported Technology during the
Service Hours agreed upon during the Onboarding phase as described in
Section 2.1(b) above (“Nights and Weekends Supported Alerts”).
Customer acknowledges that Mandiant may ingest Alerts generated
by Mandiant Supported Activity outside the Service Hours, and Mandiant
may in some cases report on such Alerts (such as when such Alerts are
aggregated with Nights and Weekends Supported Alerts), but Mandiant
has no obligation to report on Alerts that are generated by Mandiant
Supported Technology outside of the Service Hours.
2.3. Managed Defense Consultant
Responsibilities. Mandiant will assign a Managed Defense
Consultant (MDC) to Customer’s account to assist in the ongoing
delivery of the Managed Defense Subscription. MDCs will schedule
routine meetings, deliver related documentation and training specific
to the delivery of the Managed Defense Subscription. MDCs have no
obligation to engage in activities or respond to inquiries that are
otherwise the responsibility of standard Mandiant Support such as
Product-related troubleshooting or configuration questions.
2.4. Hunting. Mandiant will conduct periodic
proactive hunting techniques on Covered Systems to look for additional
indicators of malicious or attacker activity. When Mandiant’s
investigation reveals a compromise, Mandiant will assign a severity
classification and publish a Managed Defense Report to the Managed
Defense Portal as set forth in the table in 2.2 above, according to
the severity classification. The hunting services described in this
Section 2.4 will not be provided under the Nights and Weekends
2.5. System Health Monitoring and Notification. For
Customers who have purchased the FireEye Email Security – Server
Edition (EX), FireEye FX, FireEye Endpoint Security (HX), FireEye
Network Security (NX), NX Smart Sensor, or FireEye PX Product,
Mandiant will provide Customer with notification of system health
issues such as connectivity problems.
2.6. Containment. When the Customer has purchased
the FireEye Helix Subscription or FireEye Endpoint Security (HX)
Product, Mandiant may, when appropriate, recommend containment of the
target Covered System from the Customer’s network. Unless the Customer
has opted in to any features that allow Mandiant to contain Covered
Systems, Containment must be executed by the Customer. If Customer
opts in to features that allow Mandiant to contain Covered Systems,
then Customer acknowledges that Mandiant will contain Covered Systems,
in its discretion, to the extent of Customer’s configurations and
directions to do so. Mandiant will not be responsible for any delays,
damages, liabilities, performance issues, or outages of Covered
Systems caused by containment when the Customer has either explicitly
allowed containment of the relevant Covered Systems or has opted
into Mandiant containment and has not configured settings to disallow
containment of such Covered Systems.
2.7. Portal Access. Appliance Health Monitoring and
Managed Defense Reports will be provided via an online portal
(“Managed Defense Portal”), and Mandiant will provide login
credentials to the Customer to enable access to the Managed Defense
Portal. Service levels for the Managed Defense Portal are as set forth
Service Levels page.
2.8. Incident Response (IR) Services Retainer. During
the Subscription Term, if Customer requires incident response (IR)
Professional Services, Customer will have access to Mandiant's
24/7/365 IR intake procedures. Mandiant will provide contact
information and details of this service shortly after the Order
Effective Date. If Customer requires IR Professional
Services, Mandiant will respond, triage and determine the need for
Incident Professional Services, and if Mandiant determines that IR
Professional Services are necessary, Mandiant will assign an IR
Responder to work with Customer, including, as necessary, for onsite
assistance. All IR Professional Services will be performed using
the Managed Defense Supported Technology, and will be charged on a
time and materials basis, invoiced monthly in arrears, at agreed upon
2.9. Mandiant Intelligence Portal. During the
Subscription Term, Mandiant will provide access to a Mandiant
Intelligence Portal (“MIP”), subject to the following:
a) Permitted Use; Reports. Customer may access, view and
use MIP and content appearing on MIP (“MIP Content”) solely for
internal use. Customer understands and acknowledges that the MIP
Content available through the Managed Defense Subscription is more
limited than that available to customers who purchase a full
Intelligence Subscription. MIP Content is Mandiant Material. Subject
to Customer’s payment obligations, Mandiant grants to Customer a
limited, non-exclusive right to use MIP Content internally for
Customer’s own business purposes.
b) Additional Use Limitations. Customer may appoint up to
twenty (20) users of MIP at any time. Each day, all users on
Customer’s account may collectively make up to (A) one hundred twenty
five (125) queries of IP addresses and domain names and (B) one
hundred twenty five (125) queries of malware. Customer may request
additional queries, to be evaluated by Mandiant on a case-by-case basis.
c) User Content. “User Content” means any communications,
images, sounds, and all the material and information that Customer or
anyone using Customer’s account contributes to or through MIP (e.g.,
comments to MIP Content, suspected malware that Customer uploads to
MIP). Customer grants Mandiant a perpetual, irrevocable, worldwide,
paid-up, non-exclusive license, including the right to sublicense to
third parties, and right to reproduce, fix, adapt, modify, translate,
reformat, create derivative works from, publish, distribute, sell,
license, transmit, publicly display, publicly perform, or provide
access to electronically, broadcast, display, perform, and use and
practice such User Content as well as all modified and derivative
works thereof. Customer represents that Customer has all necessary
rights to grant the license referenced in the preceding
sentence. Mandiant may use and disclose any of the information it
collects about its customers’ use of MIP to the extent such
information is de-identified.
d) Restrictions. Customer may not access MIP by any means
other than through the interface that is provided or approved by
Mandiant. Customer will not collect any information from or through
MIP using any automated means, including without limitation any
script, spider, “screen scraping,” or “database scraping” application,
and Customer will not damage, disable, overburden, or impair MIP or
interfere with any other party’s use and enjoyment of MIP.
2.10. Reseller and Partner Purchases. If Customer
receives the Subscription via a Mandiant authorized services or
support partner (a “Partner”), Customer agrees that the Subscription
and Managed Defense Reports may be delivered to Customer through the
Partner. Notwithstanding any other confidentiality obligations between
the parties, Customer authorizes Mandiant to disclose information
related to the Subscription and Customer Data to Partner.
2.11. Managed Defense for OT. If Customer has purchased
the additional OT Monitoring feature of the Managed Defense
Subscription (“OT Monitoring Subscription”), the following terms will
govern the OT Monitoring Subscription: (a) Mandiant will, in addition
to the services described in Sections 2.1-2.6 of these Managed Defense
Terms, monitor Customer’s Helix Subscription for malicious activity
based on custom rules developed by Mandiant in consultation with the
Customer; (b) Mandiant will perform additional hunting activities
tailored to the Customer’s environment; (c) Alerts resulting from the
activities described in (a)-(b) will be published to the Managed
Defense Portal as set forth in Section 2.2 above. Any Alerts resulting
from third party OT technology will be reviewed in Helix and actioned
through access to the central console of the third party OT
technology, to the extent permitted by the third party OT technology.
The Subscription Term for the OT Monitoring Subscription will be the
same as the Managed Defense Subscription Term.
3. Customer Responsibilities. Customer acknowledges
and agrees that Mandiant’s ability to successfully deliver the Managed
Defense Subscription is dependent on the Customer’s ability to meet
its responsibilities as outlined herein.
3.1. Mandiant will have no liability for any failure to
deliver the Managed Defense Subscription that may arise due to
Customer’s refusal or failure to perform its responsibilities.
a) Installation Requirements. Customer will be responsible
for the following: (i) providing network architecture diagrams,
physical, and logical access to Customer’s environment for the sole
purpose of deploying and configuring Managed Defense Supported
Technology; (ii) upgrading pre-existing Managed Defense Supported
Technology to the minimum software version as referenced within
the Managed Defense Service Description for each product or
service; (iii) providing confirmation that all Managed Defense
Supported Technology within the Customer’s environment has been
successfully configured and connected to their network according to
the individual Product’s or Subscription’s System Administration
Guide and the configurations supported as noted in the FireEye
Support Portal; (iv) providing the ability to establish a
persistent connection to the Customer’s network within the designated
port range corresponding to the country from which the Managed Defense
Subscription will be delivered as referenced within the Managed
Defense Quick Start Guide.
b) Compromised Systems. Customer recognizes that the Managed
Defense Subscription is not an alternative to an incident response
engagement for an environment that is compromised prior to the start
of the Managed Defense Subscription.
c) Credential Security. Customer will be responsible for the
following: (i) providing accurate information to Mandiant for
provisioning access to (and removal of) Customer personnel access to
the Managed Defense Portal; (ii) implementing and adhering to strong
password standards; (iii) providing accurate information to Mandiant
for domain whitelisting; and (iv) reporting any security issues
related to the Subscription (including the Managed Defense Portal)
to Mandiant immediately.
d) Network Segment Exclusion. Customer must notify Mandiant
if specific network segments will not require Managed Defense
monitoring. Customer must provide detailed information regarding the
specific network segment range when possible. Examples: guest
networks, testing environments, etc.
e) Remediating Known Compromises. Customer must make a
reasonable effort to remediate any known compromises reported
by Mandiant or third party vendors. Mandiant may choose to suppress
alerts generated by known compromised systems until such time as the
compromise is remediated.
f) Time and Date Settings. Customers purchasing the Nights
and Weekends Subscription must ensure that all Managed Defense
Supported Technology has accurate time and date settings, to help
ensure that Nights and Weekends Supported Alerts are accurately
categorized. Mandiant will not be responsible for reporting on Alerts
generated by Managed Defense Supported Technology that does not have
up to date time and date settings.
3.2. Exclusions. Notwithstanding anything else contained in
these Terms to the contrary, Mandiant shall have no obligation or
responsibility to provide the Managed Defense Subscription for (i)
Products that the Customer (or Mandiant or another third party on
Customer’s behalf) has configured with a one-way feed of Mandiant’s
Dynamic Threat Intelligence (DTI) Content Feed; (ii) Managed Defense
Supported Technology that has been declared end of support or that is
not currently supported; (iii) Managed Defense Supported Technology
that has no active Support Service in place; (iv) Managed Defense
Supported Technology for which software updates have not been applied;
(v) Products that have not been installed and deployed; or
(vi) Managed Defense Supported Technology that is misconfigured or
incorrectly deployed, which prevents the Managed Defense Supported
Technology from monitoring the Covered Systems. Customer acknowledges
that to facilitate Mandiant’s efficient performance of the Managed
Defense Subscription, FireEye may control some features and
functionality of the Managed Defense Supported Technology, including
by applying updates, and that such features or functionality may not
be available for Customer’s independent use during the Subscription Term.