Specification of ESET Security Services
1 PREAMBLE
1.1 The purpose of ESET Security Services is to support the Customer with cybersecurity Issues and anomalies, ranging from missing detections, file analysis, digital forensics and incident response to other security-related Issues, Events or Threats that occur in the Customer's IT infrastructure, in accordance with the conditions defined in this Annex.
1.2 ESET Security Services include the following services:
a) ESET Detection and Response Essential service
b) ESET Detection and Response Advanced service
c) ESET Detection and Response Ultimate service
d) ESET MDR service
1.3 Each ESET Security Service consists of the specific features described below:
Feature / Service | ESET Detection and Response Essential | ESET Detection and Response Advanced
---|---|---
Digital forensic incident response (DFIR) assistance | ✓ | ✓
Malware detection support | ✓ | ✓
Malware file expert analysis | ✓ | ✓
Customized Threat Hunting for all current threats | – | ✓
Customized rules and exclusions optimization | – | ✓
Automatic rules and exclusions optimization | – | –
Continual expert-led threat hunting | – | –
24/7 expert-led continuous monitoring, hunting triage and response | – | –
Deployment & Upgrade | – | –
Expert assistance for MDR alerts with more context | – | –

Table 1: Overview of specific features for reactive Services (triggered upon Requests)
Feature / Service | ESET MDR | ESET Detection and Response Ultimate
---|---|---
Automatic rules and exclusions optimization | ✓ | –
Continual expert-led threat hunting | ✓ | ✓
24/7 expert-led continuous monitoring, hunting triage and response | ✓ | ✓
Customized Threat Hunting for all current threats | – | ✓
Customized rules and exclusions optimization | – | ✓
Digital forensic incident response (DFIR) assistance | – | ✓
Malware detection support | – | ✓
Malware file expert analysis | – | ✓
Deployment & Upgrade | – | ✓
Expert assistance for MDR alerts with more context | – | ✓

Table 2: Overview of specific features for proactive Services (managed)
1.4 Table A below describes the features that ESET provides at Request. For each feature, the Issue/Request types, the activities performed by ESET, the required inputs from the Customer and the resulting Outputs are stated.
Table A – Features at Request

Feature | Issue / Request type | ESET activity description | Required inputs and resulting Outputs
---|---|---|---
Digital forensic incident response (DFIR) assistance | Digital forensic incident response assistance / DFIR assistance, i.e. an incident needs to be investigated, it is an ongoing incident, and interaction is provided (phone call, remote connection). This is not full-blown DFIR; it is DFIR assistance. | The incident is investigated online. Consultation on cybersecurity-related topics from a technical standpoint is provided. This may lead to a file analysis and/or digital forensics. Activities are limited to malware/cybersecurity attack-related cases only, not cases such as PR issue mitigation and similar areas. | Input: data from the environment, access to the environment; questions and/or level of detail are specified; information about already investigated/identified facts. Output: any of the following: consultancy, changes in the environment, Report, redirection to another service.
Malware detection support | Malware: missing detection, i.e. Malware is not detected. | The submitted file, URL, domain or IP is analyzed and, if found malicious, detection is added and information about the malware family is provided. | Input: Product version, file/URL/domain/IP. Output: if the input is found malicious, information about the added detection (incl. detection name) is provided; otherwise, a clean status is confirmed.
Malware detection support | Malware: cleaning problem, i.e. Malware is detected but cannot be cleaned. | Cleaning of the submitted file is tested and improved if found to be problematic. In special cases, a standalone cleaner application might be provided. | Input: Product version, file, logs, information about the environment. Output: if cleaning is improved, information about the planned fix is provided; standalone cleaner application/procedure if applicable.
Malware detection support | Malware: ransomware infection, i.e. the system is infected with ransomware. | The ransomware infection is evaluated and, if decryption is possible, a decryptor is provided (existing or new). Otherwise, basic mitigation and prevention hints are provided. | Input: Product version, examples of encrypted files, payment info file, logs, malware sample. Output: decryptor (if possible); otherwise, basic mitigation and prevention hints.
Malware detection support | False positive, i.e. a file, URL, domain or IP is falsely detected. | The submitted file, URL, domain or IP is analyzed and, if found to be falsely detected, the detection is removed. | Input: Product version, file/URL/domain/IP, logs, screenshots. Output: if the input is found to be falsely detected, information about the removed detection is provided.
Malware detection support | General: suspicious behavior investigation. | Based on the description of the suspicious behavior and other provided data, the behavior is analyzed and a potential solution is suggested. | Input: Product version, description of the suspicious behavior, logs, information about the environment, additional data on request, incl. remote connection in specific cases. Output: if possible, the problem is resolved, along with basic information.
Malware file expert analysis | Basic file analysis, i.e. basic info about the file is needed. | Is the submitted file clean or malicious? If clean, basic info is provided. If malicious, the reasons for detection, the malware family and basic info about its functionality are provided. | Input: file; questions are specified. Output: analysis result, along with basic information.
Malware file expert analysis | Detailed file analysis, i.e. detailed info about the malware is needed. | Is the submitted file clean or malicious? If clean, basic info is provided. If malicious, the reasons for detection, the malware family and detailed info about its functionality are provided. | Input: file. Output: analysis result, along with detailed information.
Customized Threat Hunting for all current threats | EI: Threat Hunting | The environment is inspected using EI. Information is provided on any Threats or weaknesses found, together with advice. Individual steps are defined in a checklist. | Input: Assessment Form, access to the environment. Output: Threat Hunting Report.
Customized rules and exclusions optimization | EI: rules support, i.e. support related to rule creation, modification or malfunction is needed, e.g. to detect specific malware behavior. | The specified rule or behavior is analyzed and consultation is provided. | Input: version of EI, rules, specification of the problem; if it turns out to be a bug, also logs and database/database access. Output: consultation and recommendation on how to set up the desired rule.
Customized rules and exclusions optimization | EI: exclusions support, i.e. support related to exclusion creation, modification or malfunction is needed. | The specified exclusion or behavior is analyzed and consultation is provided. | Input: version of EI, exclusion, specification of the problem; if it turns out to be a bug, also logs and database/database access. Output: consultation and recommendation on how to set up the desired exclusion.
Customized rules and exclusions optimization | EI: Initial Optimization | After the installation of EI in a new environment, EI generates a large number of false positives (FP). One-time action. The most frequent FP detections in the EI environment are checked and exclusions are created. Custom rules may be created, or existing rules modified, to reflect expectations. | Input: Assessment Form, access to the environment, or exported data. Output: Optimization Report, changes within the EI environment, such as creation/modification of rules and exclusions.
Deployment & Upgrade | Deployment and Upgrade | Complimentary professional service to perform the initial deployment of EI and the related products/components required for proper EI operation, or their upgrade to the latest version. One-time action (either Deployment or Upgrade, based on the Request of the Customer). The ESET team will deploy or upgrade the EI console and the related ESET Products/components specified in Section 7.2 of this Annex (as agreed with the Customer). Deployment & Upgrade will be carried out by ESET by deploying/upgrading 100 units of Products/components, unless stated otherwise in the Service Plan. Information on how to finish these deployments and upgrades is shared with the Customer. | Input: Assessment Form, access to the environment. Output: Product deployed or upgraded.
Expert assistance for MDR alerts with more context | EI: general security-related question. | Security expert guidance and all-around help at the Customer's disposal. | Input: depends on the type and content of the Request. Output: depends on the type and content of the Request.
1.5 Table B below describes the features that ESET provides proactively. For each feature, the activities performed by ESET, the required inputs from the Customer and the resulting Outputs are stated.
Table B: Features provided proactively

Feature | ESET activity description | Required inputs and resulting Outputs
---|---|---
Automatic rules and exclusions optimization | Rule set and exclusion optimization based on signals from the Customer's environment. | Input: access to the environment. Output: optimized environment.
Continual expert-led threat hunting | EI: Threat Hunting (proactive). Constant threat hunting, where security experts evaluate and correlate detections into a structured and mapped incident. | Input: access to the environment. Output: Incidents generated in EI (with response where possible).
24/7 expert-led continuous monitoring, hunting triage and response | EI: Threat Monitoring. A 24/7 human-led service that leverages IoCs, IoAs, UEBA, AI, comprehensive internal and external TI feeds and similar sophisticated monitoring and detection techniques to protect the Customer's environment. This feature uncovers hidden malicious activity and performs containment and eradication actions to prevent severe damage. | Input: access to the environment. Output: Incidents generated in EI (with a response where possible).
2 Definitions
2.1 Unless a particular provision of this Annex implies otherwise, the meanings of all capitalized terms contained in this Annex will be as defined in this Article, in the main body of the Terms, or as ascribed to them in the particular provisions herein. Such capitalized terms, when defined, will be placed in quotation marks.
2.2 "Availability" refers to the time during which ESET and its subcontractors are available to provide Services to Customers and respond within the SLA.
2.3 "Assessment Form" refers to a document created by ESET for the purpose of collecting the information required to perform specific activities included in the Service.
2.4 "Critical Event(s)" refers to Events that ESET deems to require further attention, as they might represent a potential Threat.
2.5 "Detection" refers to information displayed in EI intended to warn of a potential Threat. EI includes the ESET rule-based detection engine for indicators of attack. The rules are written to identify suspicious or malicious behavior, triggering Detections with defined severities. Each triggered Detection is displayed in the Detection section with a clear identification of where it happened (computer) and which executable and process triggered it. It is accompanied by the severity information defined in the rules mentioned above, and a priority can be assigned to each Detection.
2.6 "Event" refers to any event that happened on the endpoints in the Customer's infrastructure that are monitored and recorded by EI. These Events are reported to EI by the EI Connectors deployed on the endpoints within the Customer's infrastructure. These Events are analyzed by Specialists as part of the Threat Hunting and Threat Monitoring activities.
2.7 "EI" refers to ESET Inspect or ESET Inspect On-Prem, ESET's endpoint detection and response (EDR) product.
2.8 "EI Connector" refers to a small application that acts as a translator/communication interface between the installed ESET security Products and the EI server. It extracts all relevant low-level events from ESET security Products and sends them to the EI server. The EI Connector requires the ESET security Product to be installed before deployment. The EI Connector needs its own license to work properly and send Events to the EI server. The EI Connector is crucial for situations in which Events from an endpoint cannot be delivered to the EI server, for example when no network connection is available: data is then stored locally on the endpoint and delivered as soon as the device's network connection is restored.
2.9 "Issue" refers to a cybersecurity-related problem occurring in the Customer's IT infrastructure that the Customer wishes to report and that is defined in Table A.
2.10 "Report" refers to a type of final Service output: a document created by ESET that contains a summary of the actions performed by ESET Specialists, their findings, recommendations and any other information deemed relevant to the particular Service activity sub-type (e.g. the Threat Hunting Report or a malware analysis Report), and which shall be delivered to the Customer via email.
2.11 "Request" refers to any request in relation to the security of the Customer's environment and the Products deployed within it, where the request is not a Product error report, including any Issue reported by the Customer to ESET. To avoid any doubt, Requests relate to (but are not limited to) file and incident analyses, response and mitigation, Threat hunting and EI security-related topics (not product errors), such as rules and exclusions (internal functionalities), and support and optimization.
2.12 "Response Times" refer to the maximum times that are guaranteed for the Initial Human Response.
2.13 "Response Types" refer to the classification of the responses to a Request into the following three categories: 1. Automated System Response; 2. Initial Human Response; and 3. Final Output.
a) "Automated System Response" refers to an email automatically generated by ESET's ticketing system to confirm that a Request has been submitted successfully by the Customer.
b) "Initial Human Response" refers to the first reply from an ESET Specialist in response to a successfully submitted Request. This response type is subject to the guaranteed response times defined in the SLA.
c) "Final Output" refers to the final response from the ESET Specialist to the submitted Request. The type of the Final Output varies based on the activities related to the different Issue and Request types (e.g. a report, analysis results or recommendations) and is not labelled as a solution, as definitive solutions cannot be guaranteed for all security issue types. The Final Output time cannot be guaranteed and is delivered on a best-effort basis due to variations in the nature of the reported Issues.
2.14 "Security Profile" refers to a document created by ESET as a result of the initial assessment and the information thereby recorded in the Assessment Form.
2.15 "Service Level Agreement" or "SLA" refers to an agreement between ESET and the Customer with a commitment from ESET to the Customer defining the Availability of the Security Services and the maximum guaranteed times for the Initial Human Response to correctly submitted Requests.
2.16 "Severity Levels" refer to the specification of the nature and urgency of submitted Requests. The Severity Levels also determine the time of the Initial Human Response as defined in the SLA. Severity Levels are classified into the following three levels: A. Critical; B. Serious; and C. Common. ESET reserves the right to change the Severity Level based on the outcome of its initial analysis.
a) "Requests of Critical Nature" refer to Requests that have been confirmed to affect business continuity. Common examples of Requests of Critical Nature are a live ransomware infection, a live incident, false positives that incorrectly block a benign application or a critical business application, etc.
b) "Requests of Serious Nature" refer to Requests with a strong suspicion that business continuity might be affected. Common examples are reporting false positives detected on important files, investigating potentially suspicious behavior, etc.
c) "Requests of Common Nature" refer to Requests of a non-serious nature that do not affect business continuity. Common examples are a retrospective investigation of a historical incident, help with the setup of ESET Enterprise Inspector rules/exclusions, planned detailed malware analysis, etc. This Severity Level includes activities that are planned (e.g. scheduled Threat Hunting) and any Requests that might arise during their delivery.
2.17 "Specialist" refers to an employee of ESET or of its subcontractor who provides Services to Customers.
2.18 "Threat" refers to the possibility of a malicious attempt to damage or disrupt the Customer's computer network or system.
3 Terms for Provision of the Security Services
3.1 ESET shall start to provide the Security Service after the Order Acceptance and for the definite period stated in the Order Acceptance.
3.2 The Services described in Table A shall be provided based on the Request of the Customer. When submitting the Request, the Customer shall provide all information required by the form or by the Specialist.
3.3 If, when submitting a Request, the Customer provides inaccurate or incomplete information, the Specialist shall demand that the information be completed or corrected; in the meantime, no period or solution time shall be running under the Terms.
3.4 All Requests shall be submitted by the Customer either via the services support request form or via the HELPDESK phone line. No CLIR or other similar function restricting the identification of the calling line may be activated on the Customer's contact phone numbers at the time of submitting such a Request. If all HELPDESK lines are busy, the Customer shall leave a voicemail message, which is considered a proper Request submission.
3.5 Submission of the Request shall be taken to mean the following:
a) When using the dedicated request form: the proper completion of all required data and confirmations in the form, and the subsequent receipt from ESET of an automatically generated email message confirming that the Request was successfully submitted.
b) When using the HELPDESK phone line: the provision of all information required by the Specialist, and the subsequent receipt from ESET of an automatically generated email message confirming that the Request was successfully submitted.
3.6 If the confirmation email message is not received by the Customer within ten (10) minutes after attempting to submit the Request, the Customer shall call the HELPDESK or use the escalation contacts.
3.7 The services support request form, the HELPDESK phone line and the escalation contacts are specified in the Order Acceptance sent to the Customer.
3.8 The Request shall be considered resolved when any of the following occurs:
a) ESET provides the Customer with the Output defined in Table A for the respective Issue/Request type via email.
b) Twenty-four (24) hours expire after ESET sends the second notice demanding the required cooperation.
3.9 Provision of the Security Services is conditional on the Customer having purchased the relevant Security Service for an adequate number of seats, as calculated by the ESET Partner or, if no ESET Partner is involved, by ESET. If the Customer modifies the Product licenses they use (excluding a renewal), including by increasing the number of seats during the provision of the Security Service, they are also obliged to modify the Security Service to reflect this change. For the avoidance of doubt, such modification is subject to an additional fee.
4 SLA
4.1 The Availability of ESET Security Services shall be 24/7/365.
4.2 Response Times for the Initial Human Response to a correctly submitted Request depend on its Severity Level as follows:
a) Requests of Critical Nature have a guaranteed two-hour (2h) SLA for the Initial Human Response.
b) Requests of Serious Nature have a guaranteed four-hour (4h) SLA for the Initial Human Response.
c) Requests of Common Nature have a guaranteed twenty-four-hour (24h) SLA for the Initial Human Response.
4.3 The Response Times stated above shall not apply
a) to the features described in Table B, because the ESET activity is continuous, and
b) to specific features from Table A, because the ESET activity is planned and performed in the agreed timeframe. These features from Table A are: EI: Initial Optimization, and Deployment and Upgrade.
5 Description of ESET Detection and Response Essential service
5.1 The ESET Detection and Response Essential service is a security support service provided by ESET that consists of the features defined in sec. 1.3 of Annex no. 2. Table A contains, for each feature, the description of the Issue/Request types, the activities performed by ESET, the inputs required from the Customer and the resulting Outputs.
5.2 The activities relating to the specific Issue/Request type are performed by the Specialist at the Customer's Request in order to help the Customer.
5.3 To use the ESET Detection and Response Essential service, the Customer has to obtain and have installed in its IT environment at least: (i) ESET endpoint Products for its endpoint devices and (ii) have those endpoint devices managed by the ESET management console product. The Customer hereby acknowledges that, in case of non-compliance with the prerequisites mentioned in the previous sentence, the ESET Detection and Response Essential service will not be available and functional to the full extent. In such cases, ESET shall bear no liability for undelivered and undeliverable parts of the ESET Detection and Response Essential service.
6 Description of ESET Detection and Response Advanced service
6.1 The ESET Detection and Response Advanced service is a security support service provided by ESET that consists of the features defined in sec. 1.3 of Annex no. 2. Table A contains, for each feature, the description of the Issue/Request types, the activities performed by ESET, the inputs required from the Customer and the resulting Outputs.
6.2 To use the ESET Detection and Response Advanced service, the Customer has to obtain and have installed in its IT environment at least:
a) ESET endpoint Products (Endpoint/Server Security/Mail Security products + Management Agent and EI Connectors) for its endpoint devices,
b) have those endpoint devices managed by the ESET management console product ESET PROTECT / ESET PROTECT On-Prem, and
c) EI.
7 Description of ESET Detection and Response Ultimate service
7.1 The ESET Detection and Response Ultimate service is a security support service provided by ESET that consists of the features defined in sec. 1.3 of Annex no. 2. Table A and Table B contain, for each feature, the description of the Issue/Request types (if applicable), the activities performed by ESET, the inputs required from the Customer and the resulting Outputs.
7.2 To use the ESET Detection and Response Ultimate service, the Customer has to:
a) obtain and have installed in its IT environment at least:
i. EI-compatible ESET endpoint Products (Endpoint/Server Security/Mail Security products + Management Agent and EI Connectors) for its endpoint devices,
ii. have those endpoint devices managed by the ESET management console product ESET PROTECT / ESET PROTECT On-Prem, and
iii. EI.
These Products/components need to be deployed in at least the minimum versions specified by the Specialists. For this purpose, the Deployment and Upgrade activity specified in this Annex shall be performed by ESET, depending on the information about the Customer's environment.
b) As the Deployment and Upgrade activity covers the deployment/upgrade of a limited number of Product units by ESET, as specified in the Table above, and as the proper deployment of the Products defined above is a prerequisite for providing the ESET Detection and Response Ultimate service, the Customer is obliged to perform the deployment/upgrade of the remaining Products and endpoints within sixty (60) days after ESET's instruction and provision of the deployment/upgrade manual. Failure by the Customer to perform the required deployment/upgrade shall be deemed a failure to provide the required cooperation, and ESET reserves the right to restrict or limit the provision of the ESET Detection and Response Ultimate service until such failure is remedied.
c) ensure that the hardware and operating systems are always in line with the hardware and OS requirements of the Products/components.
7.3 When using the ESET Detection and Response Ultimate service, the Customer shall not change any rules, exclusions or settings of EI without ESET's prior approval or knowledge. A breach of this obligation may negatively impact the functioning of the Service and/or EI, and ESET shall not be liable for any damages resulting from it.
8 Description of ESET MDR service
8.1 The ESET MDR service is a security support service provided by ESET that consists of the features defined in sec. 1.3 of Annex no. 2. Table B contains, for each feature, the description of the activities performed by ESET, the inputs required from the Customer and the resulting Outputs.
8.2 To use the ESET MDR service, the Customer has to obtain and have installed in its IT environment at least:
a) EI-compatible ESET endpoint Products (Endpoint/Server Security/Mail Security products + Management Agent and EI Connectors) for its endpoint devices,
b) have those endpoint devices managed by the ESET management console product ESET PROTECT, and
c) ESET Inspect.
8.3 ESET endpoint Products need to be deployed in a version compatible with ESET Inspect.
8.4 When using the ESET MDR service, the Customer shall not change any rules, exclusions or settings of EI without ESET's prior approval or knowledge. A breach of this obligation may negatively impact the functioning of the Service and/or EI, and ESET shall not be liable for any damages incurred as a result.