This Schedule forms part of the IT Master Services Agreement and describes the scope, responsibilities and limitations relating to Monitoring and Alerting.
Monitoring provides continuous or near-continuous visibility of the health, performance and security of in-scope systems, using a combination of endpoint agents, cloud integrations and security tooling. It underpins, but is separate from, day-to-day IT Support.
Monitoring is an optional service. The scope of Monitoring for you is limited to the systems and tenants included in your Order and onboarded into our tooling.
1. Service overview
Monitoring focuses on detecting issues early so that they can be responded to before they escalate into incidents or outages. It covers:
- endpoint and server health monitoring;
- availability and performance checks on key services and infrastructure;
- security event, threat and anomaly detection across endpoints and SaaS platforms;
- alerting, triage and escalation to Cultrix support and security teams.
Remediation of issues detected by Monitoring is usually delivered under other Schedules, such as IT Support, Patch Management, Backup and Recovery or Security Services, depending on the nature of the issue.
2. Service components and tooling
Monitoring typically uses the following tools and integrations (which may evolve over time as the service improves):
- Remote monitoring and management (RMM) - agent-based health and performance monitoring for supported endpoints and servers.
- Endpoint Detection and Response (EDR) - endpoint threat detection, security telemetry and response capabilities for supported devices.
- Hosting security controls - malware scanning and web application firewalling for supported hosting environments (including Cultrix Cloud where applicable).
- Vulnerability scanning - vulnerability scanning and reporting across supported Windows and Linux systems.
- SaaS monitoring - monitoring of supported SaaS platforms (such as Microsoft 365 or Google Workspace) for suspicious activity, misconfigurations and risky behaviour.
- Security information and event management (SIEM) - centralised ingestion, correlation and analysis of security logs and events.
- Security operations centre (SOC) - 24x7 monitoring of security alerts, with triage and escalation where included.
- Security validation testing - periodic testing to assess the effectiveness of implemented security controls where included.
This tooling stack may be refined or extended over time as vendors, best practice and services evolve. Any such changes will not generally require an update to this Schedule.
3. Scope of monitoring
The scope of Monitoring is defined by what is brought under management in the monitoring tooling and by the applicable Order. It typically includes some or all of:
- Endpoints and servers where monitoring and/or security agents are deployed and correctly reporting;
- Supported hosting infrastructure protected by hosting security controls and onboarded into monitoring;
- Remote desktop or hosted environments where covered under your service package and onboarded into monitoring;
- Cloud productivity tenants (such as Microsoft 365 or Google Workspace) linked into SaaS monitoring and security integrations;
- Other supported SaaS platforms that are onboarded to the Monitoring service;
- Security logs and events ingested into the security monitoring platform for correlation and review.
Systems, tenants or environments that are not onboarded into the Monitoring tooling, or where agents are missing or offline, are considered out of scope until they are brought under management.
4. Monitoring activities
Depending on your package and onboarding, Monitoring may include:
- agent heartbeat and service availability checks on managed devices;
- disk, CPU, memory and key service monitoring on servers and critical endpoints;
- alerting on backup job failures (where Cultrix provides backup services);
- vulnerability scan scheduling and results review;
- security event correlation and threat detection across endpoints and SaaS platforms;
- automated or semi-automated responses where supported by the tooling (for example isolating an endpoint);
- regular review of high-risk alerts and trends in collaboration with RocketCyber SOC.
5. Alert handling, triage and escalation
Monitoring generates alerts that are triaged and, where appropriate, escalated for further action. In general:
- Routine health alerts are reviewed by the support team and may result in a support ticket as appropriate.
- Security alerts are ingested into the security monitoring platform for prioritisation and correlation with other events.
- High-severity security events are escalated to Support and/or your nominated contacts in line with our Incident Response Procedure.
Where a managed security operations service is included, security alerts may be reviewed on a 24x7 basis for rapid triage and escalation.
The classification of alerts, and the actions taken in response, follow our internal incident response procedures. Response times for tickets raised from Monitoring are governed by our support prioritisation and target times, rather than by the timestamp of the originating monitoring alert.
6. Service boundaries and exclusions
Monitoring is focused on detection and alerting, not on full-service remediation of every issue. In particular, Monitoring does not include, unless explicitly agreed in another Schedule or Order:
- guaranteed detection of every possible security threat, misconfiguration or performance issue;
- guaranteed prevention of malware, ransomware or other attacks;
- complete coverage of systems where agents cannot be installed or are repeatedly removed or disabled;
- management of third-party monitoring tools or dashboards outside the agreed stack;
- remediation work that falls under IT Support, Patch Management, Backup and Recovery, projects or consultancy.
Some alerts may be low-risk, informational or transient in nature and will not always result in a ticket or explicit customer communication.
7. Customer responsibilities
To ensure Monitoring is effective, you must:
- allow installation and operation of the necessary monitoring and security agents on in-scope devices and systems;
- ensure devices remain powered on and able to communicate with our tooling during agreed monitoring windows;
- inform us in advance of planned changes that may affect monitoring (for example outages, migrations or major reconfigurations);
- notify us promptly if you believe a system, tenant or environment has not been onboarded correctly.
8. Dependencies on third parties
Monitoring relies on:
- the availability and performance of the monitored systems and networks;
- the availability of third-party monitoring, security and management platforms;
- the quality and timeliness of logs and telemetry produced by monitored systems and services.
Failures or limitations in third-party platforms may temporarily affect monitoring coverage. We will act reasonably to work with relevant suppliers and restore functionality where possible.
9. Changes to this Schedule
Cultrix may update this Schedule to reflect changes in monitoring tools, best practice or services offered. We will publish updated versions on our website and, for material changes, provide reasonable notice.
Note: Monitoring and Alerting focuses on detection, alerting and escalation. Remediation and threat-response activities are delivered under the applicable Support, Patch Management, Endpoint Protection or other relevant Schedule.