
Symantec MSS Portal Users Guide


Symantec Managed Security Services Portal User's Guide
The software described in this book is furnished under a license agreement and may be used
only in accordance with the terms of the agreement.

Documentation version 5.13

Legal Notice
Copyright © 2014 Symantec Corporation.

All rights reserved.

Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be
reproduced in any form by any means without prior written authorization of Symantec
Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be "commercial computer software"
and "commercial computer software documentation" as defined in FAR Sections 12.212 and
DFARS Section 227.7202.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043 USA

http://www.symantec.com

Contents

Chapter 1 Introducing the Symantec Managed Security Services Portal ... 7
    About the Symantec Managed Security Services Portal ... 7
    About the Symantec DeepSight™ Intelligence Portal ... 8
    What's new in the portal ... 9
    Accessing the MSS portal ... 10
        Setting up your login using Symantec VIP credentials ... 10
        Accessing the portal via VIP ... 11
        Accessing the MSS portal when multiple accounts are found for an email address ... 12
        Accessing the MSS portal via Certificate ... 12
        Recovering from a forgotten password ... 13
    Accessing the DeepSight Intelligence portal outside of the MSS portal ... 14
    About Chat ... 14
    About supported browsers ... 15
    Where to get more information about the MSS portal ... 15

Chapter 2 Navigating the Home page ... 16
    About the Home page ... 16
    Reviewing the Service Monitor bar ... 17
        Customizing the Service Monitor bar ... 20
    Reading the Activity Stream ... 21
    Using the DeepSight Intelligence Global Incidents module ... 22
    Understanding the ThreatCon level ... 24

Chapter 3 Managing settings ... 25
    About settings ... 25
    About user profiles ... 26
        Editing profile settings as a user ... 26
        Editing profile settings as an administrator ... 30
    About your organization's profile ... 35
        About entitlements ... 36
        Viewing organizations as a user ... 36
        Editing organization settings as an administrator ... 37
    About alerts ... 39
        My Alerts ... 39
    Configuring MSS alerts ... 39
        About email formats and encryption settings ... 40
        Editing MSS notification settings ... 40
    Configuring DeepSight Intelligence alerts ... 43
        Adding a new alert ... 43
        Managing technology lists ... 47
        Adding a new technology list ... 48
        Performing a bulk XML upload ... 49
        Performing a bulk CPE upload ... 49
        Performing a bulk Qualys CPE upload ... 50
        Submitting a Missing Technology form ... 51
        Managing delivery methods ... 51
    Using DeepSight Intelligence Groups ... 58
    Printing or exporting ... 59

Chapter 4 Managing the Dashboard ... 61
    About the Dashboard ... 61
        Setting automatic Dashboard refreshing and revolving ... 63
    Customizing your Dashboard ... 63
    Configuring the modules ... 64

Chapter 5 Managing incidents ... 66
    About incidents ... 66
    Searching incidents ... 67
        Using the advanced search feature ... 68
    About incident correlation ... 68
        Tracking malicious file activity ... 68
    Unmasking true source IP addresses ... 69
    Changing the Incidents grid display ... 70
    Updating multiple incidents simultaneously ... 72
    Printing or exporting ... 73
    Reviewing and editing incident details ... 74
    Reviewing IP address details ... 78
    Configuring certain incident-related features ... 79
        Managing authorized scanners ... 79
        Managing registered networks ... 80
        Managing custom fields ... 81
        Managing custom severity rules ... 82

Chapter 6 Managing requests ... 85
    About requests ... 85
    Creating a new request ... 85
    Searching requests ... 86
    Reviewing request details ... 88
    Editing requests ... 89
    Changing the grid display ... 89
    Printing or exporting ... 91

Chapter 7 Managing devices ... 93
    About devices ... 93
    Searching for devices ... 93
    Changing the grid display ... 94
    Printing or exporting ... 95
    Reviewing device details ... 96

Chapter 8 Managing assets ... 98
    About assets ... 98
    Registering an asset ... 99
    Managing asset attributes ... 99
    Importing assets ... 101
    Uploading vulnerability scans ... 103
    Grouping assets ... 104
    Using the advanced search feature ... 105
    Updating asset information ... 106
        Updating multiple assets simultaneously ... 106
        Editing a single asset ... 106
    Deleting an asset ... 107
    Changing the grid display ... 107

Chapter 9 Viewing logs ... 110
    Viewing logs ... 110
        Exporting the log grid data ... 111
    Constructing a log query ... 112
    Constructing a log query using Enhanced Query ... 115
    Reviewing your log query results in Enhanced Query ... 117
    Managing user defined lists ... 118
    Tips to improve your online log queries ... 119
    Tips to improve your online log queries ... 121

Chapter 10 Viewing reports ... 123
    About reports ... 123
    Viewing reports ... 123

Chapter 11 Using the DeepSight™ Intelligence Portal ... 126
    Using Alerts ... 126
        Using My Alerts ... 127
        Using All Alerts ... 128
        Using Advanced Search ... 129
        Selecting alerts to be delivered during vacation ... 147
        Setting vacation mode ... 147
    Using Research ... 148
        Researching IDS Statistics ... 149
        Researching Ports Statistics ... 151
        Researching Antivirus Statistics ... 151
        Viewing Analyst Watch content ... 151
        Using IP lookup ... 154
        Using URL/domain lookup ... 156
        Using Port lookup ... 157
        Using MD5/SHA256 lookup ... 158
        Using Malcode lookup ... 158
        Submitting suspect files ... 158
    Using Intelligence ... 159
    Using Datafeeds ... 160
        Feed details ... 161
        User Audit Log ... 163
    Using Custom Reports ... 164
        Report categories ... 164
        Mining DeepSight Intelligence data ... 175
        Using report modifiers ... 178
        Configuring the reports ... 180
    Printing or exporting ... 183

Glossary ... 185

Index ... 187
Chapter 1
Introducing the Symantec Managed Security Services Portal

This chapter includes the following topics:

■ About the Symantec Managed Security Services Portal

■ About the Symantec DeepSight™ Intelligence Portal

■ What's new in the portal

■ Accessing the MSS portal

■ Accessing the DeepSight Intelligence portal outside of the MSS portal

■ About Chat

■ About supported browsers

■ Where to get more information about the MSS portal

About the Symantec Managed Security Services Portal

Symantec's Managed Security Services (MSS) portal is designed to give you visibility into your company's security posture and provide you with a deeper perspective on how to mitigate risks in the global threat landscape.

The MSS portal includes at-a-glance summary pages, localization of content, information on critical emerging threats and vulnerabilities, and recommendations on how to respond to incidents and threats to your network. Your information is restricted using an organizational hierarchy so that only those with the correct permission can view it. The portal has the following functional areas:

Home
    The Home page shows your activity stream, a customizable Service Monitor bar, and an assortment of modules showing incident information, ThreatCon status, and news alerts. See “About the Home page” on page 16.

Dashboard
    The Dashboard page lets you create multiple dashboards customized with your preferred information modules. See “About the Dashboard” on page 61.

Incidents
    The Incidents page contains all incidents that occurred on your network. See “About incidents” on page 66.

Requests
    The Requests page lets you view your organization's requests and submit new ones. See “About requests” on page 85.

Devices
    The Devices page contains all of the devices that Symantec manages and monitors for you. The default view shows the non-terminated devices within or affecting your organization, sorted by health status. See “About devices” on page 93.

Assets
    The Assets page lets you modify the list of assets that your organization has registered with MSS. See “About assets” on page 98.

Logs
    The Logs page contains a log query builder and query management features. See “Viewing logs” on page 110.

Reports
    The Reports page leads to a collection of reports on Requests, Incidents, Assets, and Organizations, as well as reports for Payment Card Industry (PCI) and Sarbanes–Oxley (SOX) Compliance standards. See “About reports” on page 123.

Settings
    Located at the top of every page, click Settings to view your entitlements, access your user and organization profiles, and modify notifications. See “About settings” on page 25.

Note that some of these functions are available only to Administrators.

About the Symantec DeepSight™ Intelligence Portal


The DeepSight™ Intelligence Portal provides actionable intelligence covering the
complete threat lifecycle, from initial vulnerability to active attack. With personalized
notification triggers and expert analysis, the system enables enterprises to prioritize
IT resources in order to better protect critical information assets against a potential
attack. If you have questions, comments, or feedback on this system, please send
an email to DeepSightFeatureRequests@symantec.com.

Alerts
    The Alerts page is where you can view any of the alerts delivered to you, as well as view the vulnerability, malicious code, and security risk databases, and perform a variety of other alerts-related tasks. See “Using Alerts” on page 126.

Research
    The Research page gives you access to an assortment of statistics data and lookup tools. See “Using Research” on page 148.

Intelligence
    The Intelligence page presents Analyst Journals written by the DeepSight Intelligence Threat Analyst Team throughout the day, and a subscription-only Managed Adversary & Threat Intelligence (MATI) sub-tab to access MATI service reports. See “Using Intelligence” on page 159.

Datafeeds
    The Datafeeds page displays the files for the various feeds that your client has requested, as well as the files that are available for download. You also can access related datafeed documentation and tools. See “Using Datafeeds” on page 160.

Custom Reports
    The Custom Reports page is where you can customize any of the pre-configured reports to mine the DeepSight Intelligence or Global Intelligence Network (GIN) database and extract actionable intelligence that is specific to your organization's environment. See “Using Custom Reports” on page 164.

Settings
    Located at the top of every page, click Settings to view your licenses, access your user and organization profiles, and modify notifications. See “About settings” on page 25.

Note that some of these functions are available only to Administrators.

What's new in the portal

The latest MSS portal release provides these changes:

■ Analyzing related malware events from firewall and endpoint logs to create a correlated incident containing expanded information that is ready for export to PDF
■ Enabling users to define custom incident severity rules
■ The Logs tab now includes Enhanced Query, presenting a revamped user interface for you to create your log queries and explore new visual features and enhanced reporting functionality
■ Analyzing logs collected from monitored web proxies and network address translation gateways to resolve the true source IP address of an incident
■ A greatly improved DeepSight Intelligence Global Incidents map module on the Home page showing activity from data gathered over the last hour, refreshed every 15 minutes; expandable to its own browser window with more detailed information and additional navigation controls

The latest DeepSight Intelligence portal release provides these changes:

■ Rebranding DeepSight to DeepSight Intelligence, resulting in minor name changes to many products and licenses
■ Delivering Managed Adversary and Threat Intelligence (MATI) Service reports
■ Providing new DeepSight Intelligence datafeeds: advanced IP reputation and advanced URL reputation
■ Improving data accuracy based on new datafeeds, behaviors, and other relevant attributes
■ Improving domain and IP address lookups with additional information
■ Modifying the user interface to improve usability

Accessing the MSS portal


You can access the portal with a Symantec Validation & ID Protection Service (VIP)
token. Once you are authenticated, you can download and activate an X.509
certificate to speed your login. New users first must set up an account.
If you have difficulty with logging into the portal, call your regional SOC at the
numbers below:

Table 1-1 Regional SOC Telephone Numbers

Region                          Toll-Free          International
Americas                        +1-888-467-4748    +1-703-414-4444
Americas Brazil (English only)  0-800-75-20180     N/A
EMEA                            N/A                +44-(0)-207-949-0200
APJ                             N/A                +61-2-9086-8400 (Sydney, Australia)
                                                   +81-3-5114-4700 (Tokyo, Japan)

Setting up your login using Symantec VIP credentials

Before you can use VIP to access the portal, you must register your token.

To set up your login using Symantec VIP credentials

1 In a Web browser, go to https://mss.symantec.com.
2 At the Login page, type your primary email address.
3 At the bottom of the Login page, click the Forgot your password? link.
4 Retrieve your temporary password from your email and type or paste it into the Password field.
5 If you want your Email Address to display automatically the next time you log in, click the Remember Me check box.
6 Click Login.
7 In the Create a New Password page, type your new password into the Password and Confirm Password fields.
  The password must be from 8 to 16 characters and contain 1 capital letter, 1 number, and 1 special character.
8 Click Confirm.
9 In the Register Symantec Credential page, type the Symantec Credential ID.
10 In the Security Code 1 field, type the Security Code currently displayed on your token.
11 Wait for the Security Code on your token to change, then in the Security Code 2 field, type the new Security Code.
12 Optionally, type a name for your token.
13 Click Register.

Accessing the portal via VIP


The portal uses a secure two-factor authentication process.

Note: To access the portal, you must use a browser that supports 128-bit encryption
and JavaScript.

To access the portal via VIP

1 In a Web browser, go to https://mss.symantec.com.
2 At the Login page, type your primary email address and password.
3 If you want your Email Address to display automatically the next time you log in, click the Remember Me check box.
4 Click Login.
5 In the VIP Authentication page, type the Security Code currently displayed on your soft token.
6 Click Login.

Note: If authentication fails on the first attempt, wait for the token code to change and try again. Contact the SOC if you have difficulties logging in to the portal.

Accessing the MSS portal when multiple accounts are found for an
email address
If multiple MSS portal accounts are associated with your email address, you must select the account to use when you log in. Each account must have its own VIP token registered with it.

To access the portal when multiple accounts are found

1 In a Web browser, go to https://mss.symantec.com.
2 At the Login page, type your primary email address and password.
3 Click Login.
4 At the Multiple Accounts Found page, select the account you want to use
for this session.
5 Click Login.
6 If this account does not yet have a registered token associated with it, you
must register a token. See “Setting up your login using Symantec VIP
credentials” on page 10.
If this account does have an associated token registered, then in the VIP
Authentication page, type the Security Code currently displayed on your token
and click Login.

Accessing the MSS portal via Certificate


You can access the portal more quickly by downloading and installing an X.509
certificate. See “Enabling certificate access” on page 29. You must first access the
portal to download the certificate.

Note: To access the portal, you must use a browser that supports 128-bit encryption
and JavaScript.
To access the portal via Certificate

1 In a Web browser, go to https://mss.symantec.com.
2 When the Login page appears, type your primary email address and password, and click Login.

A known issue with Mozilla Firefox 27 and above may require that you change a configuration item in your browser.

To modify security.tls.version.max in Firefox 27 and higher

1 In Firefox's navigation bar, type about:config and press Enter.
2 On the Configuration page, in the Search field, type tls.
  This step is only to save you from having to scroll down a very long page to reach the target item.
3 Locate the row that begins with security.tls.version.max and double-click it.
4 In the Enter integer value window, type 1.
5 Click OK and close the browser tab.

Note: Contact the SOC if you have difficulties logging in to the portal.

Recovering from a forgotten password


If you have forgotten your password, follow these steps.
To recover from a forgotten password
1 In a Web browser, go to https://mss.symantec.com.
2 At the Login page, type your primary email address.
3 Under the Password field, click the Forgot your password? link.
4 Retrieve your temporary password from your email and type or paste it into
the Password field.
5 Click Login.
6 In the Create a New Password page, type your new password into the
Password and Confirm Password fields.
The password must be from 8 to 16 characters and contain 1 capital letter, 1
number, and 1 special character.
7 Click Confirm.
8 Continue to log in as usual.
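The password rule stated in this procedure (and in the VIP setup procedure) as a check you can run locally before submitting a new password. This is example code added here, not part of the Symantec portal; it assumes that "special character" means an ASCII punctuation character, which the guide does not define.

```python
"""Local check of a candidate password against the MSS portal rule stated
in this guide: 8 to 16 characters with at least 1 capital letter, 1 number
and 1 special character. Added example, not Symantec portal code.
Assumption: "special character" means an ASCII punctuation character."""
import string
from typing import List

MIN_LEN, MAX_LEN = 8, 16
SPECIAL = set(string.punctuation)      # assumed meaning of "special character"
CONTROL = set("\t\n\r\x0b\x0c")        # whitespace that a copy/paste can sneak in


def check_password(candidate: str) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    n = len(candidate)
    if not MIN_LEN <= n <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN} to {MAX_LEN} characters (got {n})")
    if not any(c.isupper() for c in candidate):
        problems.append("needs at least 1 capital letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs at least 1 number")
    if not any(c in SPECIAL for c in candidate):
        problems.append("needs at least 1 special character")
    # Not part of the guide's rule (an added assumption): a trailing newline or
    # a non-ASCII character pasted from the temporary-password email is a
    # plausible reason a password that looks right is still rejected.
    if any(c in CONTROL or ord(c) > 126 for c in candidate):
        problems.append("contains whitespace or non-ASCII characters")
    return problems


def is_acceptable(candidate: str) -> bool:
    """True when the candidate satisfies every rule."""
    return not check_password(candidate)


if __name__ == "__main__":
    # Constructed sample candidates, one per rule.
    for pw in ("Portal#2014", "portal#2014", "Pw1!", "PortalPassword2014", "Portal#2014\n"):
        print(repr(pw), "->", check_password(pw) or "OK")
```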
Accessing the DeepSight Intelligence portal outside of the MSS portal

After integration, your DeepSight Intelligence portal password is replaced by your MSS portal password. This is important to remember when accessing the DeepSight Intelligence portal directly from outside the MSS portal's DeepSight Intelligence tab.

Table 1-2 Are DeepSight Intelligence and MSS portal accesses integrated?

Integrated?   Use the following credentials
No            ■ DeepSight Intelligence user name
              ■ DeepSight Intelligence password
Yes           ■ DeepSight Intelligence user name
              ■ MSS portal password

About Chat
Chat is an instant messaging application that lets you have a text conversation with
an MSS Team Member. A transcript of the chat will be emailed to you at your request
and, if applicable, will be stored with a related case.

Note: During times of heavy activity, you may encounter a queue window after
submitting your question or issue.

To use Chat
1 At the top right or bottom left of any page, click the Chat link.
2 Type your identifying information in the spaces provided.
3 Click in the Message text box and type your issue or question.
4 Click Submit.
5 In the Chat window, type your responses in the lower text box, clicking the
Send button as needed to transmit your responses.
6 When the session has ended, the Chat window displays a post-chat survey.
Please click the option buttons next to your answers, provide additional
feedback as needed, and click Submit.

About supported browsers


The MSS portal supports Microsoft Internet Explorer 8 and above, and the latest
Google Chrome, Apple Safari, and Mozilla Firefox browsers.

Note: Internet Explorer's compatibility mode is not currently supported.

Note: Ensure that Internet Explorer's zoom setting is at 100% for the best readability.
You can find this setting either in the lower right side of the browser's Status Bar
or in the main menu under View.

Where to get more information about the MSS portal


Should you need any additional information, you can post questions to the Security
Operations Center staff, at any time, using the Requests feature.
See “Creating a new request” on page 85.
You can also use the Chat feature.
See “About Chat” on page 14.
Finally, you can access the online help system by clicking the Help link on any
page.
Chapter 2
Navigating the Home page

This chapter includes the following topics:

■ About the Home page

■ Reviewing the Service Monitor bar

■ Reading the Activity Stream

■ Using the DeepSight Intelligence Global Incidents module

■ Understanding the ThreatCon level

About the Home page


After you log on to the portal, you will see the Home page. The Home page displays the following modules:

Service Monitor Bar
    The Service Monitor bar displays a customizable set of monitors that you can click to filter the Activity Stream. The monitors displayed also change depending on your subscriptions.

Activity Stream
    The Activity Stream gives you an up-to-the-second feed of the threats affecting your organization and alerts impacting your devices and assets.

Symantec ThreatCon
    The Symantec ThreatCon module is a measurement of the global threat exposure, delivered as part of the DeepSight Intelligence portal.

DeepSight Intelligence Global Incidents
    The DeepSight Intelligence Global Incidents module is a summation of incidents detected by the Global Intelligence Network and presented to the DeepSight Intelligence portal without severity calculations. The map is updated every 15 minutes.

Open Incidents by Asset Criticality (7 days)
    The Open Incidents by Asset Criticality module provides a count of unique incidents of the selected severity that contain at least one asset of the selected criticality over the past 7 days. The severity increases from chart bottom to top, and asset value increases from left to right. You can click a linked value to see a filtered Incidents grid or, if the linked value is 1, go directly to the Incident Detail page.

Service Summaries
    The Service Summaries module lists links to the most recent reports and alerts. For MSS customers, it shows Service Alerts and Customer Monthly Reports. For DeepSight Intelligence users, it shows the DeepSight Intelligence Weekly and Monthly Summaries.
Note: All dates/times in the portal are local unless otherwise indicated.

Reviewing the Service Monitor bar


You can customize the set of monitors displayed across the top of the Home page.
The monitors available change depending on your subscriptions. By default,
customers who subscribe only to MSS can access the monitors noted in the following
table as having MSS as the source, and customers who subscribe to both MSS
and DeepSight Intelligence can access the DS-sourced monitors as well. Note that
you can only display 12 monitors at one time.

Note: When the system returns zero results for a data item, you see a green
checkmark instead of zero.
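A model of how the MSS-sourced monitors in Table 2-1 (below) are counted, including the green check mark that replaces a zero. This is an added example, not Symantec code; the portal's data model is not published, so it assumes that "Today", "This Week" and "This Month" mean 24 hours, 7 days and 30 days back from a reference time, that an incident falls in a window by its creation time, and that requests (which the Critical Alerts monitors also count) are left out.

```python
"""Model of the Service Monitor counts defined in Table 2-1, including the
green check mark shown in place of zero. Added example, not Symantec code.
Assumptions (not defined by the guide): Today / This Week / This Month are
24 hours, 7 days and 30 days back from a reference time; an incident is in a
window when it was created inside it; requests are not modelled, so the
Critical Alerts monitors count incidents only."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

WINDOWS = {
    "Today": timedelta(hours=24),
    "This Week": timedelta(days=7),
    "This Month": timedelta(days=30),
}
CRITICAL_OR_EMERGENCY = {"Critical", "Emergency"}
SEVERITIES = ("Emergency", "Critical", "Warning", "Informational")


@dataclass
class Incident:
    incident_id: str
    severity: str                       # one of SEVERITIES
    assigned_to: str                    # portal user the incident is assigned to
    org: str                            # organization the incident belongs to
    created: datetime
    closed: Optional[datetime] = None   # None means the incident is still open

    @property
    def is_open(self) -> bool:
        return self.closed is None


def monitor_counts(incidents: List[Incident], me: str, org: str,
                   now: datetime) -> Dict[str, int]:
    """Compute every MSS-sourced monitor from Table 2-1 for user `me` in `org`."""
    mine = [i for i in incidents if i.assigned_to == me]
    ours = [i for i in incidents if i.org == org]
    counts = {"Assigned to Me": len(mine), "Assigned to Org": len(ours)}
    for name, span in WINDOWS.items():
        since = now - span
        recent_mine = [i for i in mine if i.created >= since]
        recent_ours = [i for i in ours if i.created >= since]
        # "Open incidents ..." monitors count open ones; "- Closed" the rest.
        counts[f"Assigned to Me {name}"] = sum(i.is_open for i in recent_mine)
        counts[f"Assigned to Me {name} - Closed"] = sum(not i.is_open for i in recent_mine)
        counts[f"Assigned to Org {name}"] = sum(i.is_open for i in recent_ours)
        counts[f"Critical Alerts {name}"] = sum(
            i.severity in CRITICAL_OR_EMERGENCY for i in recent_ours)
    # Per-severity monitors exist for the 24-hour window only, and Table 2-1
    # does not restrict them to open incidents.
    since = now - WINDOWS["Today"]
    for sev in SEVERITIES:
        counts[f"{sev} Assigned to Me Today"] = sum(
            i.severity == sev for i in mine if i.created >= since)
    return counts


def render(count: int) -> str:
    """Zero results are shown as a green check mark rather than 0."""
    return "\u2713" if count == 0 else str(count)


# Constructed sample data relative to a reference time of 2014-06-01 12:00.
NOW = datetime(2014, 6, 1, 12, 0)


def sample_incidents() -> List[Incident]:
    h, d = timedelta(hours=1), timedelta(days=1)
    return [
        Incident("I1", "Critical", "alice", "acme", NOW - 2 * h),
        Incident("I2", "Warning", "alice", "acme", NOW - 5 * h, closed=NOW - 1 * h),
        Incident("I3", "Emergency", "bob", "acme", NOW - 3 * d),
        Incident("I4", "Informational", "alice", "acme", NOW - 20 * d),
        Incident("I5", "Critical", "alice", "acme", NOW - 40 * d, closed=NOW - 39 * d),
        Incident("I6", "Critical", "carol", "other", NOW - 1 * h),
    ]


if __name__ == "__main__":
    for monitor, n in monitor_counts(sample_incidents(), "alice", "acme", NOW).items():
        print(f"{monitor:40} {render(n)}")
```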

Table 2-1 Service Monitor bar items and their descriptions

Each monitor is listed with its source service in parentheses (MSS, or DS for DeepSight Intelligence), followed by what it counts.

Assigned to Me (MSS)
    Any incidents assigned to you.
    Note: Initially displayed by default for MSS-only subscribers.

Assigned to Me Today (MSS)
    Open incidents assigned to you in the past 24 hours.

Assigned to Me Today - Closed (MSS)
    Incidents assigned to you in the past 24 hours that have been closed.

Assigned to Me This Week (MSS)
    Open incidents assigned to you in the past week.

Assigned to Me This Week - Closed (MSS)
    Incidents assigned to you in the past week that have been closed.

Assigned to Me This Month (MSS)
    Open incidents assigned to you in the past month.

Assigned to Me This Month - Closed (MSS)
    Incidents assigned to you in the past month that have been closed.

Emergency Assigned to Me Today (MSS)
    Emergency incidents assigned to you in the past 24 hours.

Critical Assigned to Me Today (MSS)
    Critical incidents assigned to you in the past 24 hours.

Warning Assigned to Me Today (MSS)
    Warning incidents assigned to you in the past 24 hours.

Informational Assigned to Me Today (MSS)
    Informational incidents assigned to you in the past 24 hours.

Assigned to Org (MSS)
    Incidents assigned to anyone in your organization.
    Note: Initially displayed by default for MSS-only subscribers.

Assigned to Org Today (MSS)
    Open incidents assigned to anyone in your organization in the past 24 hours.

Assigned to Org This Week (MSS)
    Open incidents assigned to anyone in your organization in the past week.

Assigned to Org This Month (MSS)
    Open incidents assigned to anyone in your organization in the past month.

Critical Alerts Today (MSS)
    Any critical or emergency incidents or requests in the past 24 hours.
    Note: Initially displayed by default for MSS-only subscribers.

Critical Alerts This Week (MSS)
    Any critical or emergency incidents or requests in the past week.

Critical Alerts This Month (MSS)
    Any critical or emergency incidents or requests in the past month.

Outstanding Critical Incidents (MSS)
    Emergency and critical incidents older than 24 hours, with a New or In Progress status.
    Note: Initially displayed by default for MSS-only subscribers.

Critical Incidents Today (MSS)
    Critical incidents opened in the past 24 hours.

Critical Incidents This Week (MSS)
    Critical incidents opened in the past week.

Critical Incidents This Month (MSS)
    Critical incidents opened in the past month.

Device Alarms (MSS)
    Open device alarms. These are devices requiring attention, specifically devices that are in Service Hold or Hold for Customer status, generating a High severity alarm and/or Waiting for Customer, or showing a Critical or Warning device health.
    Note: Initially displayed by default for MSS-only subscribers.

Device Alarms Today (MSS)
    Open device alarms in the past 24 hours.

Device Alarms This Week (MSS)
    Open device alarms in the past week.

Device Alarms This Month (MSS)
    Open device alarms in the past month.

New Vulnerabilities (DS)
    New vulnerabilities published in the last 24 hours.
    Note: Initially displayed by default for DS-only subscribers.

Revised Vulnerabilities (DS)
    Vulnerabilities revised during the last 24 hours.
    Note: Initially displayed by default for DS-only subscribers.

New Malcode (DS)
    New malcode alerts published in the last 24 hours.
    Note: Initially displayed by default for DS-only subscribers.

Analyst Journal Entries (DS)
    All published Analyst Journal entries for the past seven days.
    Note: Initially displayed by default for DS-only subscribers.

Threat Alerts (DS)
    The latest published threat alerts.
    Note: Initially displayed by default for DS-only subscribers.

MATI Reports (DS)
    All published MATI reports for the past seven days.
    Note: Initially displayed by default for DS-only subscribers. Also requires a MATI license.
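The monitor definitions in Table 2-1 differ in details that are easy to misread: the "Assigned to Me ... Today" monitors count only open incidents, "Critical Alerts Today" counts critical and emergency incidents regardless of whether they have since been closed, and "Outstanding Critical Incidents" is the inverse window (older than 24 hours, still New or In Progress). The following Python is an added example, not portal code, that re-implements a representative subset of the monitors over a constructed incident list so those definitions can be checked side by side. The Incident fields, the status name "Closed", the omission of requests, and the use of UTC timestamps are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Severity and status names taken from the monitor descriptions in Table 2-1.
# "Closed" as a status name is an assumption; the table only says "have been closed".
CRITICAL_SEVERITIES = {"Emergency", "Critical"}
OUTSTANDING_STATUSES = {"New", "In Progress"}


@dataclass(frozen=True)
class Incident:
    incident_id: str
    severity: str          # Emergency, Critical, Warning or Informational
    status: str            # New, In Progress or Closed (assumed names)
    assignee: str          # portal user the incident is assigned to
    created: datetime      # when the incident was opened
    assigned_at: datetime  # when it was assigned to the current assignee


def assigned_to_me(incidents, me, now, days=None, closed=None, severities=None):
    """The 'Assigned to Me' family: filter on assignee, then optionally on the
    assignment window, on open/closed state, and on severity."""
    cutoff = now - timedelta(days=days) if days is not None else None
    result = []
    for inc in incidents:
        if inc.assignee != me:
            continue
        if cutoff is not None and inc.assigned_at < cutoff:
            continue
        if closed is not None and (inc.status == "Closed") != closed:
            continue
        if severities is not None and inc.severity not in severities:
            continue
        result.append(inc)
    return result


def opened_within(incidents, now, days, severities):
    """The 'Critical Alerts' and 'Critical Incidents' families: incidents of the
    given severities opened in the window, whatever their current status.
    (Requests, which 'Critical Alerts' also counts, are not modelled here.)"""
    cutoff = now - timedelta(days=days)
    return [i for i in incidents if i.severity in severities and i.created >= cutoff]


def outstanding_critical(incidents, now):
    """'Outstanding Critical Incidents': Emergency or Critical incidents opened
    more than 24 hours ago that are still New or In Progress."""
    cutoff = now - timedelta(hours=24)
    return [i for i in incidents
            if i.severity in CRITICAL_SEVERITIES
            and i.created < cutoff
            and i.status in OUTSTANDING_STATUSES]


def render_count(n):
    """The bar shows a green checkmark rather than a literal 0."""
    return "✓" if n == 0 else str(n)


def monitor_counts(incidents, me, now):
    """Counts for a representative subset of the Table 2-1 monitors."""
    return {
        "Assigned to Me": len(assigned_to_me(incidents, me, now)),
        "Assigned to Me Today": len(assigned_to_me(incidents, me, now, days=1, closed=False)),
        "Assigned to Me Today - Closed": len(assigned_to_me(incidents, me, now, days=1, closed=True)),
        "Assigned to Me This Week": len(assigned_to_me(incidents, me, now, days=7, closed=False)),
        "Emergency Assigned to Me Today": len(assigned_to_me(incidents, me, now, days=1, severities={"Emergency"})),
        "Critical Alerts Today": len(opened_within(incidents, now, 1, CRITICAL_SEVERITIES)),
        "Critical Alerts This Week": len(opened_within(incidents, now, 7, CRITICAL_SEVERITIES)),
        "Critical Incidents Today": len(opened_within(incidents, now, 1, {"Critical"})),
        "Outstanding Critical Incidents": len(outstanding_critical(incidents, now)),
    }


# Constructed sample data. The portal shows local time; UTC is used here so the
# example is deterministic.
NOW = datetime(2014, 6, 2, 12, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)
SAMPLE_INCIDENTS = [
    Incident("A", "Critical",  "New",         "alice", NOW - 2 * H,  NOW - 2 * H),
    Incident("B", "Emergency", "In Progress", "alice", NOW - 30 * H, NOW - 30 * H),
    Incident("C", "Warning",   "Closed",      "alice", NOW - 5 * H,  NOW - 5 * H),
    Incident("D", "Critical",  "Closed",      "bob",   NOW - 3 * H,  NOW - 3 * H),
    Incident("E", "Critical",  "New",         "bob",   NOW - 48 * H, NOW - 48 * H),
]

if __name__ == "__main__":
    for name, count in monitor_counts(SAMPLE_INCIDENTS, "alice", NOW).items():
        print(f"{name:32} {render_count(count)}")
```

Running the block for the user "alice" shows incident D counted under "Critical Alerts Today" even though it is closed, and incident B counted under "Outstanding Critical Incidents" but not under "Assigned to Me Today", which is the distinction the table descriptions draw.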

Customizing the Service Monitor bar


You can customize the Service Monitor bar by selecting from the list of available
monitors.

Note: The Service Monitor bar displays no less than 5 and no more than 12 monitors
at a time.

To customize the Service Monitor bar


1 On the portal Home page, to the right of the Service Monitors bar, click the
gear-shaped icon.
2 In the Customize Service Monitor window, select a monitor in the Service
Monitors Available pane and click the left-facing arrow to add the monitor to
your bar. To remove a monitor from your bar, select a monitor in the Service
Monitors Displayed pane and click the right-facing arrow.
To see what any of the monitors do, select a monitor and read its description
and related count in the Definition and Current Count box.
3 Select monitors in the Service Monitors Displayed pane and then click the
up and down arrows to configure the monitors to your preferred order.
4 Click Apply Updates.

Reading the Activity Stream


The Activity Stream gives you an up-to-the-second view of the threats affecting
your organization and alerts impacting your devices and assets. The stream can
be filtered by type, status, severity, flagged, and subscription-specific monitor. You
can change the date range for covered activity, switch to a view of statistics bar
item data, enable the stream to display the most recent incident only or include
incident history, and toggle automatic list refreshing. You can flag alerts in the
stream and click the arrow for a detail window.
To read the Activity Stream alerts
1 On the Home page, in the Activity Stream module, click Auto-Refresh to
toggle the stream refresh on or off, as you prefer.
2 In the Activity Stream window, click an alert. Depending on the type of alert
you clicked, the portal displays a detail window with more information about
the alert. This detail window links you to related information and lets you add
comments that are appended to the alert.
3 Click the expansion link at the top of the detail window to open the page in a
separate browser window.
4 Click the left-facing arrow icon in the top right side of the detail window to close
it.
To filter the Activity Stream
1 On the Home page, to the left of the Activity Stream module, click one of the
displayed links, as noted below, or check the box next to the Alert Type, Status,
Severity, and subscription-specific monitor (MSS and DeepSight) you want
to see. Expand the subscription filter lists to further narrow the displayed activity.
■ My Default: Loads the filters you saved as your default set.
■ Select All: Selects all filters.
■ Flagged: Displays in the stream only those alerts that you have flagged
regardless of checked filters.

2 Click Save as default to save your current filter set to be loaded when My
Default is clicked. Click Hide to hide the button.
3 To change the stream date range, at the top of the stream area, click 1, 7, 30,
or 90 to set the stream to reflect that number of days.

Using the DeepSight Intelligence Global Incidents


module
The DeepSight Intelligence Global Incidents module on the Home page provides
a graphical representation of threat and malware activity detected by Symantec's
Global Intelligence Network (GIN). The majority of the map indicators show data
gathered over the last hour, with the exception of sparklines, which show activity
for the last 24 hours. All data is refreshed every 15 minutes.
The map module has two forms: the mini-map on the Home page, and the expanded
map in its own browser window. Both map forms show the activity bubbles, but the
expanded map also provides the Location and Threat tabs, which contain more
detailed information and additional navigation controls.
The map bubbles show the following information:
■ Number, displaying the threat count—a combination of malware and attacks
detected by sensors—for the last hour. Note that bubbles showing a count of
zero are suppressed by default. A zero bubble indicates that the sensor returned
no detected activity in the last data refresh, but activity had been detected at
some time during the last 24 hours. Click the box next to Show all sensors
reporting activity in the last 24 hours in the Location tab to see such bubbles.
■ Color, indicating activity trends over the last hour. Red indicates that activity in
that location has increased by more than 10%, green shows that activity has
decreased by more than 10%, and blue indicates that activity has increased or
decreased by an amount less than or equal to 10%.
The Location and Threat tabs show the following information:
■ On the Location tab, the following information is displayed next to continent
and country level entries: a sparkline showing activity over the last 24 hours,
the total threat count over the last hour, and a trend arrow with the percentage
of increase or decrease in activity over the last hour. Only the three countries
and cities showing the highest amount of activity over the last hour are shown.
■ The Threats tab displays the top ten attack threat categories and top ten malware
threat categories detected in the last hour for the continent, country, or city on
the map. Click a threat category to see the three activities under that category
that were most often detected in the last hour.
■ Both tabs show widgets to collapse all, expand all, and reset the list entries.
When the map data has refreshed, you see a new data notification icon to the
right of the Reset widget.
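The bubble rules above combine three thresholds (more than 10% up, more than 10% down, everything else) with a suppression rule for sensors that were quiet in the last refresh. The following Python is an added example, not portal code, that applies those rules to constructed per-sensor hourly counts, including the boundary case of a change of exactly 10% and the "zero bubble" case. The Sensor layout, the locations, and the treatment of a zero previous-hour baseline (no percentage, shown in blue with a hyphen) are assumptions; the page does not specify them.

```python
from dataclasses import dataclass

TREND_THRESHOLD_PCT = 10.0  # the +/-10% band described for bubble colours


@dataclass(frozen=True)
class Sensor:
    location: str
    hourly: list  # threat counts per hour, 24 entries, most recent last


def trend_percent(last_hour, previous_hour):
    """Percent change between the two most recent hours. A zero baseline has
    no meaningful percentage (an assumption; the page does not say), so None."""
    if previous_hour == 0:
        return None
    return (last_hour - previous_hour) * 100.0 / previous_hour


def bubble_color(pct):
    """Red: up by more than 10%. Green: down by more than 10%. Blue otherwise,
    which covers a change of exactly 10% and an undefined trend."""
    if pct is None:
        return "blue"
    if pct > TREND_THRESHOLD_PCT:
        return "red"
    if pct < -TREND_THRESHOLD_PCT:
        return "green"
    return "blue"


def trend_marker(pct):
    """Direction plus percentage, or a hyphen when the trend is unchanged."""
    if pct is None or pct == 0:
        return "-"
    return ("up " if pct > 0 else "down ") + f"{abs(pct):.0f}%"


def bubble_visible(sensor, show_all_24h):
    """A last-hour count of zero is suppressed unless 'Show all sensors
    reporting activity in the last 24 hours' is ticked and the sensor saw
    something in that window (the page's 'zero bubble')."""
    if sensor.hourly[-1] > 0:
        return True
    return show_all_24h and sum(sensor.hourly) > 0


def render_bubbles(sensors, show_all_24h=False):
    """Return (location, last-hour count, colour, trend marker) per visible bubble."""
    out = []
    for s in sensors:
        if not bubble_visible(s, show_all_24h):
            continue
        pct = trend_percent(s.hourly[-1], s.hourly[-2])
        out.append((s.location, s.hourly[-1], bubble_color(pct), trend_marker(pct)))
    return out


def _series(*tail):
    """Constructed 24-hour series: quiet baseline ending in the given hours."""
    return [0] * (24 - len(tail)) + list(tail)


# Constructed sample sensors; the locations are illustrative only.
SAMPLE_SENSORS = [
    Sensor("Paris",  _series(100, 115)),  # +15%: red
    Sensor("Tokyo",  _series(100, 90)),   # -10% exactly: blue
    Sensor("Sydney", _series(80, 60)),    # -25%: green
    Sensor("Lima",   _series(5, 0)),      # zero bubble, visible only with show_all
    Sensor("Oslo",   _series()),          # nothing in 24 hours: never shown
]

if __name__ == "__main__":
    for row in render_bubbles(SAMPLE_SENSORS, show_all_24h=True):
        print(*row)
```

With the default view Lima and Oslo are hidden; ticking the 24-hour option brings Lima back as a zero bubble but still omits Oslo, which had no activity to report.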

To conduct research with the Global Incidents map


1 On the MSS portal Home page, in the map module title bar, click the map
expansion icon.
2 In the expanded map, navigate to your preferred location using one of the
following methods:
■ The quickest method is to click the Search bar on the Location tab and
type your city name. When you see your city in the search list, click it to
see that city name in the Place list and zoom the map in to that location.
■ Expand the Place list on the Location tab to see the countries and cities
listed there. Your country is listed only if it is one of the three countries on
that continent with the highest threat counts. Likewise, your city is listed
only if it is one of the three cities in your country with the highest threat
counts. Click the city name to zoom the map to that location.
■ Use the map widgets to navigate. The default view shows activity at the
continent level. Use the + and - icons in the upper right of the map to zoom
in or out. Click and hold to drag the map view to your preferred location.

3 On the Location tab, the following information is displayed next to continent


and country level entries: a sparkline showing activity over the last 24 hours,
the total threat count over the last hour, and a colored trend arrow with the
percentage of increase (red) or decrease (green) in activity over the last hour.
If the trend is unchanged from the previous data refresh, the arrow is replaced
with a hyphen symbol. For detailed city-level data, click the city name, and
then click the map bubble over the city.
In the Threat Info window, note the link to the region affected, a sparkline
showing activity over the last 24 hours, the total threat count over the last hour,
and a link to the Threat Details window. The Threat Details window shows
the total threat count and lists the threats detected in that region, with a count
of each threat in the last hour and during the last 24 hours.
4 The Threats tab displays the top ten attack threat categories and top ten
malware threat categories. Click a threat category to see the three activities
under that category that were most often detected in the last hour. Then, click
a threat category to see the three cities receiving the largest amount of that
threat. For detailed city-level data, click the city name, and then click the map
bubble over the city.
In the Threat Info window, note the link to the region affected, a sparkline
showing activity over the last 24 hours, the total threat count over the last hour,
and a link to the Threat Details window. The Threat Details window shows
the total threat count and lists the threats detected in that region, with a count
of each threat in the last hour and during the last 24 hours.

5 Near the top of the Location and Threats tabs, click the box next to Show all
sensors reporting activity in the last 24 hours to see those bubbles that
are suppressed due to periods of inactivity, also known as “zero bubbles.” A
zero bubble indicates that the sensor returned no detected activity in the last
data refresh, but activity had been detected at some time during the last 24
hours.
6 When the map data is refreshed and you see the new data notification icon,
click Reset.
7 When you are finished using the map, close the browser window. Closing this
window does not affect your MSS portal session.

Note: The map module employs Microsoft's® Bing™ Maps Platform API. For Terms
of Use, see Microsoft® Bing™ Maps Platform APIs’ Terms Of Use.

Understanding the ThreatCon level


The Symantec ThreatCon rating is a measurement of the global threat exposure,
delivered as part of the DeepSight Intelligence portal. It includes a numerical rating from
1 to 4 and an explanation of the reason for the ThreatCon rating. The ThreatCon
rating suggests an appropriate security posture based on network conditions.
DeepSight Intelligence Threat Analysts set the value based on conditions reported
by sensors and their evaluations of intelligence gathered during the previous day.
The four levels of Threat Conditions are:
■ Level 1: Low: Basic network posture
■ Level 2: Medium: Increased alertness
■ Level 3: High: Known threat
■ Level 4: Extreme: Full alert
Chapter 3
Managing settings
This chapter includes the following topics:

■ About settings

■ About user profiles

■ About your organization's profile

■ About alerts

■ Configuring MSS alerts

■ Configuring DeepSight Intelligence alerts

■ Using DeepSight Intelligence Groups

■ Printing or exporting

About settings
The Settings pages are where you manage your profile, your organization's profile,
and your alert subscriptions. Administrators might see more options depending on
their permission level.

Note: The MSS portal is set to time out after 120 minutes without user activity. This
setting is not customizable. Activating the Auto-Refresh feature on the Home page's
Activity Stream or the Dashboards page will not affect the 120 minute timeout
setting. Only direct user interaction will reset the timer.

About user profiles


Each customer organization has contacts that exist at various levels of the
organization, as well as administrators who can edit contact profile information for
other users in addition to their own. Non-administrators can only edit their own information.
Non-administrative users can see the name of a person above or next to them in
the hierarchy if they have been assigned to this data. For example, if a user is
assigned to a request that originated from an organization higher than their own,
they will be able to see the name of the requestor and the associated request data.
See “Editing profile settings as a user” on page 26.
See “Editing profile settings as an administrator” on page 30.

Editing profile settings as a user


Depending on your access, you have a subset of available settings that you can
edit:
■ Your password
■ Register, un-register, enable, and disable the VIP tokens that you use
■ Enable and disable X.509 certificates that you use, if you have certificate access
enabled
■ Your contact information (such as email, phone, and address)
■ Alerts that you receive
To edit your profile
1 On any page, click Settings in the upper-right corner.
2 In the Profile page, note the Roles and Permissions and User Details areas
and the row of tabs at the bottom of the page. Some of your user settings are
editable in the User Details area, others are located under the various tabs.
Click the appropriate tab for the type of information you want to edit.
The tabs are:
■ VIP Tokens: This tab is where you register and enable VIP tokens.
■ Certificates: This tab is where you manage your X.509 login certificates.
■ Managed Devices: This is where you can see the devices you manage. If
you are not designated as a device manager, you can ignore this tab.
■ Organizations: This tab is where you see your organization and
sub-organization details.

■ Contact Information: This tab is where you manage your email addresses,
telephone numbers, and mailing addresses.

To edit user details


1 In the Profile page, in the upper right of the User Details area, click Options
and select Edit.
2 Edit the available data fields as you wish. You might be restricted from editing
certain fields depending on your permission level.
To edit your email addresses, telephone numbers, and mailing addresses, go
to the Contact Information tab.
3 When you are finished editing, click Save.
To change your password
1 In the Profile page, in the upper right of the User Details area, click Options
and select Change Password.
2 Type your old password and press the Tab key.
The password must be from 8 to 16 characters and contain 1 capital letter, 1
number, and 1 special character.
3 Type your new password, press the Tab key, and type the new password
again.
4 Click Save.
To edit contact information
1 In the Profile page, click the Contact Information tab.
2 In the Contact Information tab, click the Edit icon in the upper right of the tab
area.
3 In the Email area, edit the existing addresses, click the Add Email link to add
an alternate address, or click the red X next to the alternate email address you
want to delete.
4 In the Phone area, edit the existing numbers, click the Add Phone link to add
an alternate number, or click the red X next to the alternate telephone number
you want to delete.
5 In the Address area, edit the current information as needed.
6 When you are finished editing, click Save.

Editing language settings


By default, the portal uses the language setting detected from your Web browser.
However, you have the option of changing your language setting at the login screen
or in Settings, Profile. Currently, the portal supports Japanese and English.
To change language settings
1 In the Profile page, in the upper right of the User Details area, click Options
and select Edit.
2 Click the Language list and select either English or Japanese.
3 When you are finished, click Save.

Editing VIP credentials


The portal lets you add, enable, and delete Symantec Validation & ID Protection
Service (VIP) credentials, which are also called tokens. You can also set one as
your primary credential. Your primary token is used to authenticate you over the
phone with the SOC.
To register additional VIP credentials
1 In the Profile page, click the VIP Tokens tab. The credential you used when
you first logged in should be listed.
2 In the VIP Tokens tab, click the Register button.
3 In the Register Symantec Credential page, type the Symantec Credential
ID.
4 In the Security Code 1 field, type the Security Code currently displayed on
your token.
5 Wait for the Security Code on your token to change, then in the Security Code
2 field, type the new Security Code.
6 Optionally, type a name for your token.
7 Click Register.
To enable or disable a VIP credential
1 In the Profile page, click the VIP Tokens tab.
2 In the VIP Tokens tab, locate the credential you want to enable or disable and
click the Enable or Disable button as appropriate.

To unregister a VIP credential


1 In the Profile page, click the VIP Tokens tab. The credential you used when
you first logged in should be listed.
2 In the VIP Tokens tab, locate the credential you want to unregister and click
Unregister.

Enabling certificate access


The portal lets you add an X.509 certificate to your profile. Using an X.509 certificate
lets you bypass the VIP authentication step during login on a machine with a
certificate installed. Because the downloaded certificate file includes the private key
(the export prompts you for a private key password), anyone who obtains the file and
that password can log in without your VIP token; protect both as you would the token itself.
To enable X.509 authentication permission
◆ Contact your administrator to enable the x509 Authentication Allowed
permission on your profile. Once this permission is enabled, you can proceed
with the following instructions.
To obtain a client certificate
1 In the Profile page, click the Certificates tab.
2 In the Certificates tab, click the Create button.
3 In the Create Certificate window, click the Days before Expiration pull-down
menu and select an expiration period.
The available values are 30 days, 90 days, 180 days, 1 year, 2 years, or 3
years.
4 Optionally, click in the Name text box and type a name for the certificate.
5 Click Create.
Certificates are enabled by default upon creation, but must be downloaded
and installed before they can be used.
To install a client certificate
1 In the Profile page, click the Certificates tab.
2 In the Certificates tab, locate the certificate you want to install and click the
Download button in that certificate's grid row.
3 In the Export Certificate window, type a password and then confirm it.
The password must be 8 to 16 characters, have 1 capital letter, 1 number, and
1 special character for it to be accepted.
4 Click Export.

5 In the File Download window, click Open.


6 In the Certificate Import Wizard, click Next.
7 In the File to Import page, click Next.
8 Type the private key password you used when you exported the certificate and
click Next.
9 Select where to place the certificate or opt to let the wizard automatically choose
a location, then click Next.
10 Click Finish.
11 Click OK.
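The same password rule applies to the portal login password (see "To change your password") and to the private key password typed when exporting a certificate: 8 to 16 characters with at least one capital letter, one number and one special character. The following Python is an added example, not portal code, that checks a candidate against that rule and reports every rule it breaks rather than just the first, which is what a practitioner scripting bulk onboarding or testing a password manager's generator settings would want. The page does not define "special character"; treating any printable non-alphanumeric ASCII character as special is an assumption made here.

```python
import string

MIN_LEN, MAX_LEN = 8, 16
# The page says "1 special character" without defining the set. Treating any
# printable, non-alphanumeric ASCII character as special is an assumption.
SPECIAL = set(string.punctuation)


def password_policy_failures(candidate):
    """Return the list of portal policy rules the candidate breaks.
    An empty list means the candidate satisfies the documented policy."""
    failures = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        failures.append(f"length must be {MIN_LEN} to {MAX_LEN} characters")
    if not any(c.isupper() for c in candidate):
        failures.append("needs at least 1 capital letter")
    if not any(c.isdigit() for c in candidate):
        failures.append("needs at least 1 number")
    if not any(c in SPECIAL for c in candidate):
        failures.append("needs at least 1 special character")
    return failures


def meets_password_policy(candidate):
    """True when the candidate breaks none of the rules."""
    return not password_policy_failures(candidate)


if __name__ == "__main__":
    # Constructed candidates covering each rule and both length boundaries.
    for pw in ["Abcdef1!", "Abcdefghijklmn1!", "Abcdefghijklmno1!", "abcdefg1!"]:
        print(repr(pw), password_policy_failures(pw) or "ok")
```

Because the upper bound of 16 characters also caps the password that protects the exported private key, use the full length available for that one.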
To delete a certificate
1 In any portal page, click the Settings link.
2 In the Profile page, click the Certificates tab.
3 In the Certificates tab, locate the certificate you want to delete and click the
Delete button.
4 At the prompt, click OK.

Editing profile settings as an administrator


Editing your own profile is much the same as described for a regular user (Editing
profile settings as a user), but with more options available.
As an administrator, you can edit most of the available settings for yourself, your
users, and your organization:
■ All user details
■ Reset passwords for your organization's users
■ Register, un-register, enable, disable, and unlock VIP tokens for you and your
users
■ Enable and disable X.509 certificates for you and your users, as well as enable
and disable certificate access
■ All alerts that your users receive
To edit a user's profile
1 On any page, click Settings in the upper-right corner.
2 Under the Settings page title, click the Users link.

3 In the Users grid, click the user's email address link.


4 In the user's detail page, note the User Details and Roles and Permissions
areas and the row of tabs at the bottom of the page. Click the appropriate tab
for the type of information you want to edit. The tabs are:
■ VIP Tokens: This tab is where you register, enable, and unlock VIP tokens.
■ Certificates: This tab is where you manage your X.509 login certificates.
■ Managed Devices: This is where you change device management settings.
If you are not designated as a device manager, you can ignore this tab.
■ Organizations: This tab is where you see your organization and
sub-organization details.
■ Contact Information: This tab is where you manage your email addresses,
telephone numbers, and mailing addresses.

Refer to the previous section for detailed information on editing user details.

Cloning existing DeepSight Intelligence portal user accounts


The portal includes a method for streamlining DeepSight Intelligence portal user
account creation by cloning an existing account. You identify a current account with
the settings and licenses that you want the new user account to have and clone it.

Note: After cloning the account, the new account user must log in to test and activate
the delivery methods. See “Managing delivery methods” on page 51.

To clone an existing DeepSight Intelligence portal user account


1 Under the Settings page title, click the Users link.
2 In the Users grid, locate the user you wish to use as the template account.
3 Click the Clone link at the end of the row.
4 In the Clone User window, complete the fields using the new user information.
5 Determine whether you want the new user to be a Customer Administrator, or
if you wish to copy the current user's alerts configuration, and check the boxes
as appropriate.
Copying the alert configuration to the new user account can save you a great
deal of time, especially if you have several new users to add to the system.
6 Click Clone.

7 Monitor the status messages for a successful outcome. Click the link below
the summary for a more detailed list of account attributes that were cloned.
8 Click Close.

Changing user roles and permissions


The portal uses roles and permissions to set selective access.
To set user roles and permissions
1 On the user's Settings page, in the title bar of the Roles and Permissions
area, click Edit.
2 Select the roles and permissions you want to enable or disable for that user.
See Table 3-1 and Table 3-2 for role and permission details.
3 When you are finished editing, click Submit.
The role-based access control settings are:

Table 3-1 User roles and descriptions

Each role is listed with the system it applies to in parentheses (DeepSight Intelligence, MSS, or both).

Administrator (DeepSight Intelligence, MSS)
    Administrators have write access to all base functions. This user also has write access to non-device Requests and all MSS Notifications. They can edit their own profile and also edit profile information for contacts in their organization and sub-organizations.

Incident Manager (MSS)
    This user has read and write access to all base functions except Vulnerability Uploads and Users. This user also has write access to non-device Requests and all MSS Notifications.

Incident Reviewer (MSS)
    This user has read-only access to the Home page, Dashboard, Incidents, Devices, Assets, and Reports. This user also can edit their own profile, read non-device Requests, and edit/write all MSS Notifications.

Asset User (MSS)
    This user can view assets and devices. Upon login, the Portal displays the Assets grid.

Table 3-2 Additional user permissions and descriptions

Each permission is listed with the system it applies to in parentheses.

Edit Assets (MSS)
    Toggles the ability to edit asset information.

Web Services enabled (MSS)
    Toggles Secure Web Service access.

X509 Authentication Allowed (MSS)
    Toggles the ability to allow authentication via X.509 certificate.

View Logs (MSS)
    Toggles the ability to view device logs.

Submit Requests (MSS)
    Toggles the ability to submit MSS Requests.

Upload Vulnerability Scans (MSS)
    Toggles the ability to upload Vulnerability Scans.

Receive MSS Alerts (MSS)
    Toggles the ability to receive MSS alerts.

Configure Alerts (DeepSight Intelligence, MSS)
    Lets the user configure their own alert notifications.

Manage Delivery Methods (DeepSight Intelligence)
    Lets the user manage their alert delivery methods.

Manage Monitors (DeepSight Intelligence)
    Lets the user manage their own monitors.

Manage Technology Lists (DeepSight Intelligence)
    Lets the user manage their own tech lists.

Configure SMB Alerts (DeepSight Intelligence)
    Lets the user manage small/medium business (SMB) alert notifications.

Unlocking a user's VIP credentials


Administrators can unlock a user's VIP credentials.
To unlock a VIP credential
1 Under the Settings page title, click the Users link.
2 In the Users grid, click the user's email address link.
3 In the user's detail page, click the VIP Tokens tab.
4 In the VIP Tokens tab, locate the credential you want to unlock and click the
Unlock button.

Resetting a user's password


Administrators can reset user passwords using the steps below.

Note: Users wanting to reset their passwords can do so from the Login page using
the Forgot Password link. See “Recovering from a forgotten password” on page 13.

To reset a user's password


1 Under the Settings page title, click the Users link.
2 In the Users grid, click the user's email address link.
3 In the user's detail page, click Reset Password.
4 In the confirmation prompt, click Proceed.
5 In the subsequent system message window, click OK.
6 Use your company's processes to notify the user that the password is reset.

Deleting a user
Only administrators can delete user accounts.
To delete a user
1 Under the Settings page title, click the Users link.
2 In the Users grid, click the user's email address link.
3 In the user's detail page, click Delete User.
4 In the confirmation prompt, click Proceed.
5 In the subsequent system message window, click OK.

Assigning or unassigning DeepSight Intelligence licenses


Reference the following list to determine the license to assign or unassign:
■ Symantec Cyber Security DeepSight Intelligence Portal Standard Pack
Subscription License
■ Symantec Cyber Security DeepSight Intelligence Portal Enterprise Pack
Subscription License
■ Symantec Cyber Security DeepSight Intelligence Portal Advanced Enterprise
Pack Subscription License
■ Symantec Cyber Security DeepSight Intelligence Portal Advanced Enterprise
Pack Crossgrade Subscription License

■ Symantec Cyber Security DeepSight Intelligence Datafeed Security Risk


Subscription License
■ Symantec Cyber Security DeepSight Intelligence Datafeed Vulnerability
Subscription License
■ Symantec Cyber Security DeepSight Intelligence Datafeed Domain and URL
Reputation Subscription License
■ Symantec Cyber Security DeepSight Intelligence Datafeed Advanced Domain
and URL Reputation Subscription License
■ Symantec Cyber Security DeepSight Intelligence Datafeed IP Reputation
Subscription License
■ Symantec Cyber Security DeepSight Intelligence Datafeed Advanced IP
Reputation Subscription License
Perform the following steps to assign or unassign a DeepSight Intelligence license.
To assign a DeepSight Intelligence license to a user
1 Under the Settings page title, click the Users link.
2 In the Users grid, click the user's email address link.
3 In the user's detail page, scroll down to the License tab, and click Assign
License.
4 In the Assign Licenses window, locate the license you want to assign to the
user, and click the box next to the number.
If instead you are unassigning a license, click the box to remove or clear the
check mark.
5 Click Submit.
6 In the subsequent system message window, click OK.

About your organization's profile


The portal uses the organization hierarchy to determine who can see what data.
The organizations in the hierarchy are assigned a range of IP addresses, known
as netblocks. An organization’s netblock assignment can overlap or duplicate that
of another organization. The customer determines their own netblock assignments
based on how their network is set up. Contacts assigned to a specific organization
are able to see the requests, incidents, and devices for their own organization and
for their sub-organizations; however, the sub-organization cannot see up the
hierarchy.
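The visibility rule above is a simple one to state and a common one to get wrong when reviewing who in a customer hierarchy can see which incidents: a contact sees their own organization and everything beneath it, never anything above or beside it, and because netblocks may overlap, an IP address alone does not identify a single organization. The following Python is an added example, not portal code, that models an organization tree with netblocks and applies that rule to constructed incident, request and device records. The organization names, netblocks and record fields are invented for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Record:
    kind: str    # "incident", "request" or "device"
    org: str     # organization the record belongs to
    ident: str


class OrgHierarchy:
    """Organization tree with per-organization netblocks. A contact in
    viewer_org may see records whose organization is viewer_org or one of
    its sub-organizations; sub-organizations cannot see up the tree."""

    def __init__(self):
        self._parent = {}
        self._netblocks = {}

    def add_org(self, name, parent=None, netblocks=()):
        if parent is not None and parent not in self._parent:
            raise ValueError(f"unknown parent organization: {parent}")
        self._parent[name] = parent
        self._netblocks[name] = [ip_network(n) for n in netblocks]

    def lineage(self, org):
        """Yield org itself, then each ancestor up to the root."""
        while org is not None:
            yield org
            org = self._parent[org]

    def can_view(self, viewer_org, data_org):
        """True when data_org is viewer_org or lies beneath it."""
        return viewer_org in set(self.lineage(data_org))

    def visible(self, viewer_org, records):
        """Filter records to those the viewer's organization may see."""
        return [r for r in records if self.can_view(viewer_org, r.org)]

    def orgs_for_ip(self, ip):
        """Netblocks may overlap or duplicate, so one IP can map to several
        organizations; return all of them rather than guessing one."""
        addr = ip_address(ip)
        return sorted(org for org, nets in self._netblocks.items()
                      if any(addr in net for net in nets))


def build_sample():
    """Constructed hierarchy: a parent with two regions and one lab beneath a region."""
    h = OrgHierarchy()
    h.add_org("Acme", netblocks=["10.0.0.0/8"])
    h.add_org("Acme-EMEA", parent="Acme", netblocks=["10.1.0.0/16"])
    h.add_org("Acme-EMEA-Lab", parent="Acme-EMEA", netblocks=["10.1.5.0/24"])
    h.add_org("Acme-APAC", parent="Acme", netblocks=["10.2.0.0/16"])
    return h


# Constructed records spread across the hierarchy.
SAMPLE_RECORDS = [
    Record("incident", "Acme", "INC-1"),
    Record("device", "Acme-EMEA", "fw-emea-1"),
    Record("incident", "Acme-EMEA-Lab", "INC-2"),
    Record("request", "Acme-APAC", "REQ-9"),
]

if __name__ == "__main__":
    h = build_sample()
    for viewer in ["Acme", "Acme-EMEA", "Acme-EMEA-Lab"]:
        print(viewer, [r.ident for r in h.visible(viewer, SAMPLE_RECORDS)])
    print("10.1.5.7 ->", h.orgs_for_ip("10.1.5.7"))
```

A contact in Acme-EMEA sees the EMEA firewall and the lab incident but not INC-1 at the parent level or the APAC request; the address 10.1.5.7 resolves to three organizations at once, which is why the portal relies on organization assignment rather than netblock alone to decide visibility.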

The DeepSight Intelligence portal uses the organization profile area to administer
licenses across an organization.

About entitlements
An entitlement is the quantity of a Service that you purchase. You purchase
monitoring or managing services for a quantity of nodes, devices, IPs, servers, or
blocks of devices, nodes, or servers, according to the Service Description. The
terms of the agreement governing the purchase typically indicates a fixed start and
end date (fixed-term entitlement), but some negotiated agreements contain an
auto-renewal provision (autorenewal entitlement). As devices are registered with
the service, the amount of open entitlement available for additional devices is
decreased. As an example, a customer may have purchased under a fixed-term
agreement monitoring services for 150 firewalls—the entitlement—but initially used
only 100, leaving 50 open entitlements to be leveraged for additional devices during
the term of the agreement.
The portal helps you keep track of your entitlements so that you know which devices
are assigned to which entitlements. You also can see when an entitlement is nearing
expiration, so that you can begin the process of renewing the service or plan for
termination of the service.

Note: How the devices are counted under Entitlements depends on the type of
device, its role (such as failover designation or high availability pairing), and the
terms of the contracted service. Please direct any questions to your Service
Manager.

Viewing organizations as a user


The portal lets you view detailed information about your organization.
To view an organization
◆ In the Org Profile page, click the link in the View by Organization area for
the organization you want to view. The information at the link will be only for
that single organization.
To view an organization's users
1 In the Org Profile page, click the Users tab.
2 In the Users grid, click the Last Name to view user details.
To view license summaries
◆ In the Org Profile page, click the License Summary tab.

To view licenses
◆ In the Org Profile page, click the Licenses tab.
To view ThreatCon IPs
◆ In the Org Profile page, click the ThreatCon IPs tab.
To view MSS entitlements
1 In the Org Profile page, click the MSS Entitlements tab.
2 In the MSS Entitlements grid, click a Search Code to view details for that
entitlement.
To view devices
1 In the Org Profile page, click the Devices tab.
2 In the Devices grid, click the Search Code to view details for the device.
3 In the Devices grid, click the Reporting IP address for details of the listed IP
address.
To view branding
◆ In the Org Profile page, click the Branding tab.

Editing organization settings as an administrator


The portal lets customer administrators edit certain information about an
organization.
To edit customer details
1 In the Org Profile page, in the Customer Details area, click Edit.
2 Add or modify organizational information as needed.
3 Click Submit.
To edit an organization's user information
1 In the Org Profile page, click the Users tab.
2 In the Users grid, click the user's Email to go to the user's profile page.
To view license summaries
◆ In the Org Profile page, click the License Summary tab.
To edit licenses and assignments
1 In the Org Profile page, click the Licenses tab.
2 Use the buttons across the top of the tab (All, Active, Inactive, Expiring in
30 days) to filter the license list.
3 To access license details, in the Licenses grid, click the license number.
4 In the License Details page, you have the following options:
■ In the Assigned tab, click Manage License to assign or unassign the
license.
■ In the License Pack History tab, view the history information.

To add escalation contacts


1 In the Org Profile page, click the Escalation Contacts tab.
2 At the upper right of the Escalation Contacts grid, click Add New Contact.
3 In the Add New Contact window, check the box next to the contact's
business function, either Analysis or Engineering.
4 In the Search field, type all or part of the contact's name or email address and
click the Search button.
5 In the results grid, locate the preferred contact's row and click Create Contact.
6 After you have added your contacts (no more than four per business function),
arrange them in your preferred order by clicking Up or Down in the Contact
Order column of the contacts you want to reorder.
To remove/replace escalation contacts
1 In the Org Profile page, click the Escalation Contacts tab.
2 In the Escalation Contacts grid, locate the contact you want to remove or
replace and click Remove.
3 In the Remove Contact window, perform one of the following actions:
■ If you want to remove the current contact and reorder the existing ones to
fill any resulting gap, click Remove and Reorder.
■ If you want to replace the current contact with another user, click in the
Search field, type all or part of the contact's name or email address and
click the Search button. In the results grid, locate the preferred contact's
row and click Create Contact.

To add ThreatCon IPs


1 In the Org Profile page, click the ThreatCon IPs tab.
2 In the ThreatCon IPs grid, click Add IP Address.
3 In the pop-up window, type the IP address.
4 Click OK.

To delete ThreatCon IPs


1 In the Org Profile page, click the ThreatCon IPs tab.
2 In the ThreatCon IPs grid, click Delete.
3 In the confirmation window, click OK.

About alerts
Alerts cover various notifications from Symantec to you and your organization.
The portal lets you configure alerts from both MSS and DeepSight Intelligence,
depending on your subscriptions. You configure and receive only those alerts
generated by your subscribed services.
See “Configuring MSS alerts” on page 39.
See “Configuring DeepSight Intelligence alerts” on page 43.

My Alerts
The My Configured Alerts tab gives you access to every alert delivered to your user
account. The alerts from the previous month are displayed by default, sorted
alphabetically. The initial display and all subsequent displays can be sorted by
clicking on any column heading.
An existing notifications monitor may be re-configured by selecting it in My
Configured Alerts and editing its settings in the subsequent page.
To reconfigure an alert
1 From the My Configured Alerts grid, scroll to the alert you want to edit, and
click Edit.
2 In the alert's settings page, modify the settings as needed.
3 Click Save.
To delete an alert
1 From the My Configured Alerts grid, scroll to the alert you want to delete, and
click Delete.
2 In the confirmation prompt, click OK.

Configuring MSS alerts


This section discusses how to configure MSS alerts.
See “About email formats and encryption settings” on page 40.

See “Editing MSS notification settings” on page 40.

About email formats and encryption settings


The portal supports the following MSS email notification format options:

Full Text The email is sent in plain text with a description of the reason for the
notification.

Sanitized Text The email is sent in plain text but contains a URL linking directly to the
incident details.

XML The email is sent using XML, allowing you to parse the information into
your own reports.

HTML This format is similar to Full Text, but in HTML.

Mobile Friendly The email is sent in a condensed, mobile-friendly format.

For further details regarding these formats, including examples, see the Symantec
MSS Automated Email Notifications Format Guide.
The portal also supports the following email encryption options:

No Encryption The email is sent unencrypted with a description of the reason for the
notification.

PGP Encryption The email is sent using PGP encryption with a description of the reason
for the notification.

Editing MSS notification settings


The portal lets you change the MSS notification settings governing Requests,
Incidents, the Daily Summary, and Service Alerts.
By default, the portal notifies users of alarms that are associated with devices in
their organization. You can choose to be notified of requests that are assigned to,
requested by, or associated with devices in only your organization, or of your
organization and all sub-organizations. You can also further define which category
of notification you want to receive. You will always be notified of updates to any
requests you create.
You can choose to be notified of incidents that are assigned to you, your
organization, your sub-organization, or any combination of these affected
organizations. You can also opt to be re-notified by email once per GMT day for
incidents that continue to have key event activity.
You can configure incident alerts by using the following options:
■ Incident Severity Threshold: Choose the severity threshold for this alert.
■ Incident Category: Leave unassigned or choose one or more categories.
■ Asset Criticality Threshold: Choose the asset criticality threshold for this alert.
■ Asset Groups: Leave unassigned or choose one or more groups.
You can opt to receive the Daily Service Summary, as well as individual service
alerts. The Daily Summary includes the title and first line of the service alerts for
that day; if you do not subscribe to the individual alerts, you still can view the full
alert text by logging in to the portal. Note that all new portal users are automatically
set to receive service alerts.
You can also set the notification thresholds for incidents and the daily and weekly
digests. If you prefer, you can opt to be notified of global emerging threats and set
your preferred contact phone number.
You can select a different email format per address for each notification type. The
valid formats for each notification type are:

Requests: Full Text, Sanitized Text, XML, HTML, Mobile Friendly
Incidents: Full Text, Sanitized Text, XML, HTML, Mobile Friendly
Daily Summary: HTML
Service Alerts: HTML, Full Text
Weekly/Daily Incidents Digest: Full Text, Sanitized Text

To change requests notification settings


1 In the Settings page, click the Alerts link.
2 In the Alerts page, click the Configure MSS Alerts tab.
3 On the MSS page, click Requests on the left.

4 On the Requests page, select your preferred Organizational Relationship
settings, the alert Categories that you want to receive, and your preferred
Email Format.
5 Click Save.
To change incident notification settings
1 In the Settings page, click the Alerts link.
2 In the Alerts page, click the Configure MSS Alerts tab.
3 On the MSS page, click Incidents on the left.
4 On the Incident page, in the Alert Type area, type a name for this particular
alert notification.
5 In the Delivery Method area, choose the email address where you want to
receive the notification. Also specify an email format.
6 In the Notification Settings area, select an incident severity threshold. To
narrow the threshold to specific types of incidents, choose one or more incident
categories and click the right-facing arrow.
You may also select an asset criticality threshold to further refine the notification
parameters. To narrow the threshold to specific assets, choose one or more
asset groups and click the right-facing arrow.
7 Select your preferred Organization Relationship setting.
8 If you want to be notified each day that your specified incident/asset criteria
continues to generate key event activity, click the re-notify check box at the
bottom of the page.
9 Click Save.
To change daily summary settings
1 In the Settings page, click the Alerts link.
2 In the Alerts page, click the Configure MSS Alerts tab.
3 On the MSS page, click Daily Summary on the left.
4 On the Daily Summary Settings page, select your preferred email format and
your preferred 24-hour period end time.
To change service alert notification settings
1 In the Settings page, click the Alerts link.
2 In the Alerts page, click the Configure MSS Alerts tab.
3 On the MSS page, click Service Alerts on the left.

4 On the Service Alerts page, select an email format for each email address.
5 Click Save.
To change daily and weekly digest notification settings
1 In the Settings page, click the Alerts link.
2 In the Alerts page, click the Configure MSS Alerts tab.
3 On the MSS page, click Weekly/Daily Incidents Digest on the left.
4 On the Service Alerts page, select an email format for each email address.
5 Click Save.

Configuring DeepSight Intelligence alerts


This section discusses how to configure DeepSight Intelligence alerts.
See “Adding a new alert” on page 43.
See “Managing technology lists” on page 47.
See “Adding a new technology list” on page 48.
See “Performing a bulk XML upload” on page 49.
See “Performing a bulk CPE upload” on page 49.
See “Performing a bulk Qualys CPE upload” on page 50.
See “Submitting a Missing Technology form” on page 51.
See “Managing delivery methods” on page 51.

Adding a new alert


In the DeepSight Intelligence portal, you create a monitor that sends you alerts
when activity important to you occurs on the Internet. The first task is to decide
what type of monitor you need to configure.
To add a new DeepSight Intelligence alert
1 In the Settings page, click the Alerts link.
2 In the Alerts page, click the Configure DeepSight Alerts tab.
3 In the left side tab list, click the monitor you want to create.
Under Alert Type, click the Sample link to see an actual alert delivered by the
associated monitor type.
4 Type a name for the monitor that you are creating and then choose a delivery
method.

5 Provide particular parameters for the alert monitor. Every alert type has several
configuration options. The number of configuration options and their parameters
differ based on the selected alert type. Some will ask you to define an alert
threshold, another will ask for tech lists, and still others need domain lists
entered or uploaded.

Note: When creating a Brand Protection monitor in the Portal interface, be
sure to check the Include Subdomains check box if you want the monitor to
send alerts for the subdomains associated with the domains that you enter.
Alternatively, to upload a CSV file containing the domains you want to monitor,
see “To bulk upload domains for Domain and Brand Protection monitors”.

6 When you are finished creating the monitor, click Save.


The alert monitor types displayed differ depending on your DeepSight Intelligence
subscription. The following table describes the available monitors.

Table 3-3 Alert monitor types

Monitor type Alert description

Daily Report This monitor delivers the Daily Report of Internet news and activity
or a notice that the summary is available.

Weekly Report This monitor delivers the Weekly Report of news and activity or a
notice that the summary is available.

Monthly Report This monitor delivers the Monthly Report of news and activity or a
notice that the summary is available.

Event Activity This activity monitor delivers alerts to you whenever the DeepSight
Intelligence statistical analysis engine detects a specific category
of events identified in your monitor configuration is being exploited
based on the key predictors alerting model.
Note: This alert type cannot be delivered by RSS.

Port Activity This activity monitor delivers alerts to you whenever the DeepSight
Intelligence statistical analysis engine detects a specific port
identified in your monitor configuration is being targeted based on
the key predictors alerting model.
Note: This alert type cannot be delivered by RSS.
Industry Activity This activity monitor delivers alerts to you whenever the DeepSight
Intelligence statistical analysis engine detects that the number of
anomalous sensors reporting an activity within an industry identified
in your monitor configuration exceeds the previous high-watermark
of anomalous activity by at least three anomalous sensors for at
least two hours.
Note: This alert type cannot be delivered by RSS.

Tech List Activity This activity monitor delivers alerts to you whenever the DeepSight
Intelligence statistical analysis engine detects a specific technology
included in a technology list in your monitor configuration is being
targeted based on the key predictors alerting model.
Note: This alert type cannot be delivered by RSS.

Security Risk This monitor delivers alerts to you whenever new adware or
spyware is identified within a technology included in a technology
list in your monitor configuration.

Vulnerability This monitor delivers alerts to you whenever a security flaw is
discovered within a technology included in a technology list in your
monitor configuration.

Malicious Code This monitor delivers alerts to you whenever a new malicious code
is discovered within a technology included in a technology list in
your monitor configuration.

Threat Alert This monitor delivers alerts to you whenever the DeepSight
Intelligence Threat Analyst Team develops intelligence of a new
threat or observes activity associated with a threat to a technology
included in a technology list in your monitor configuration.

Threat Analysis This monitor delivers alerts to you whenever the DeepSight
Intelligence Threat Analyst Team identifies a high-urgency threat
that promises widespread exploitation and significant impact. It
includes a thorough analysis of the threat to a technology included
in a technology list in your monitor configuration.

ThreatCon A ThreatCon alert is issued to you whenever there is credible
evidence of a significant event that Symantec's analysts determine
affects the threat landscape.
Research Report This monitor delivers in-depth reports from the DeepSight
Intelligence Threat Analyst Team. Research Reports may include
research into future threats, reports such as the Symantec Internet
Threat Report, and other information that the team uncovers during
research activities.

Domain This monitor delivers alerts to you whenever one of your domains
is mentioned within a malicious code alert or is targeted in an
Internet event. During monitor configuration, you have the option
of uploading a CSV file containing up to 5,000 domains. See “To
bulk upload domains for Domain and Brand Protection monitors”
on page 46.
Note: This alert type cannot be delivered by RSS.

Network Infection This monitor delivers alerts to you whenever our sensors discover
malicious activity originating from the IP address space that you
have provided.

Brand Protection This monitor delivers alerts to you whenever our sensors detect
phishing sites targeting one of your domains. During monitor
configuration, you have the option of uploading a CSV file
containing up to 5,000 domains. See “To bulk upload domains for
Domain and Brand Protection monitors” on page 46.
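The Industry Activity rule from the table above (the anomalous sensor count exceeding the previous high-watermark by at least three sensors for at least two hours), as an added Python illustration that is not the DeepSight engine's code; it assumes hourly readings, and that the high-watermark is held during an exceeding run and raised to that run's peak once the run ends.

```python
from typing import List, Tuple


def industry_activity_alerts(hourly_counts, baseline_high_watermark: int = 0,
                             min_excess: int = 3, min_hours: int = 2) -> Tuple[List, int]:
    """Apply the Industry Activity rule to one industry's hourly readings.

    hourly_counts: (hour_label, anomalous_sensor_count) pairs in time order.
    An alert fires when the count has exceeded the previous high-watermark by
    at least min_excess for min_hours consecutive hours; one alert per
    sustained run. Assumption: the high-watermark is frozen while a run is in
    progress and raised to the run's peak when the run ends, so the same
    elevated level does not alert again an hour later.
    Returns (alert_hours, high_watermark_after_last_reading).
    """
    watermark = baseline_high_watermark
    run_length = 0          # consecutive hours above watermark + min_excess
    run_peak = None         # highest count seen in the current run
    alerts: List = []
    for hour, count in hourly_counts:
        if count >= watermark + min_excess:
            run_length += 1
            run_peak = count if run_peak is None else max(run_peak, count)
            if run_length == min_hours:
                alerts.append(hour)
        else:
            if run_peak is not None:
                # The run is over: its peak becomes the new high-watermark.
                watermark = max(watermark, run_peak)
            run_length, run_peak = 0, None
    if run_peak is not None:  # data ended mid-run: commit its peak as well
        watermark = max(watermark, run_peak)
    return alerts, watermark


# Constructed sample: anomalous-sensor counts for one industry over eight
# hours, starting from a previously observed high-watermark of 5.
SAMPLE_HOURS = [(0, 4), (1, 8), (2, 9), (3, 7), (4, 12), (5, 11), (6, 15), (7, 16)]

if __name__ == "__main__":
    fired, mark = industry_activity_alerts(SAMPLE_HOURS, baseline_high_watermark=5)
    print("alerts at hours:", fired, "new high-watermark:", mark)
```

Hours 1 to 2 and 6 to 7 each sustain the excess for two hours and alert; the single hour 4 spike raises the watermark but never fires.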

To bulk upload domains for Domain and Brand Protection monitors


1 Using Microsoft Excel or your preferred text editor, create a comma-separated
list of the domains you want to monitor. Use the format of domain.com only;
for example, domain.com would be recognized, but www.domain.com would
not.
2 If using Microsoft Excel, save the file in the CSV (comma-delimited) format.
3 In the portal, on the Settings page, click the Alerts link.
4 In the Alerts page, click the Configure DeepSight Alerts tab.
5 On the alert configuration page for either Domain or Brand Protection, type an
alert name and choose a delivery method.
6 Under the Enter Domain Names area, click the Browse button next to Upload
a Domain List.
7 Locate the list you want to upload and click Open.

8 Click Upload.
A message under the Upload a Domain List field displays the number of
domains added successfully. If the result is not what you expect, click Reset,
then check your upload file to ensure that you are using the proper format for
the domain names and that each is separated by a comma. Then, upload the
file again using the steps above.
9 When you are finished creating the monitor, click Save.
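A pre-upload check for the CSV domain list described above, added here and not part of the portal; the function names, the label rules and the sample file are assumptions, and entries with more than two labels are only flagged, because a subdomain and a multi-part suffix such as example.co.uk cannot be told apart without a public-suffix list.

```python
import csv
import io
import re
from typing import List, Tuple

MAX_DOMAINS = 5000  # upload limit stated for Domain and Brand Protection monitors
# One DNS label: letters, digits and hyphens, no leading or trailing hyphen
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def check_domain_list(csv_text: str):
    """Parse a comma-separated (or one-per-line) domain list and sort entries
    into what the portal should accept, what it will not recognize, and what
    needs a second look before uploading.

    Returns (accepted, rejected, review): accepted is a de-duplicated list of
    bare domains; rejected and review are lists of (original entry, reason).
    """
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    review: List[Tuple[str, str]] = []
    seen = set()
    for row in csv.reader(io.StringIO(csv_text)):
        for raw in row:
            entry = raw.strip().lower().rstrip(".")
            if not entry:
                continue  # empty cell, e.g. a stray comma or a blank line
            if "://" in entry or "/" in entry or "@" in entry:
                rejected.append((raw, "URL or e-mail address, not a bare domain"))
                continue
            labels = entry.split(".")
            if (len(labels) < 2 or not all(LABEL.match(l) for l in labels)
                    or not labels[-1].isalpha()):
                rejected.append((raw, "not a valid domain name"))
                continue
            if labels[0] == "www":
                rejected.append((raw, "host prefix: the portal wants domain.com, not www.domain.com"))
                continue
            if len(labels) > 2:
                # Either a subdomain (not recognized) or a multi-part suffix;
                # flag it for the operator rather than guess.
                review.append((raw, "more than two labels: subdomain or multi-part suffix?"))
                continue
            if entry in seen:
                rejected.append((raw, "duplicate"))
                continue
            seen.add(entry)
            accepted.append(entry)
    if len(accepted) > MAX_DOMAINS:
        rejected.extend((d, f"over the {MAX_DOMAINS}-domain limit")
                        for d in accepted[MAX_DOMAINS:])
        accepted = accepted[:MAX_DOMAINS]
    return accepted, rejected, review


def to_upload_csv(domains: List[str]) -> str:
    """Render the accepted domains in the single-line comma-separated form."""
    return ",".join(domains)


# Constructed sample file contents, as Excel or a text editor might produce them.
SAMPLE_CSV = (
    "example.com,www.example.com,Example.ORG\n"
    "http://shop.example.net, ,example.com\n"
    "bad_domain.com,example.co.uk\n"
)

if __name__ == "__main__":
    ok, bad, check = check_domain_list(SAMPLE_CSV)
    print("upload line:", to_upload_csv(ok))
    for entry, reason in bad:
        print(f"rejected {entry!r}: {reason}")
    for entry, reason in check:
        print(f"review {entry!r}: {reason}")
```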

Managing technology lists


A technology list is a grouping of hardware and/or software used to identify
technologies in use within your organization. A list might include all of the
technologies used in your enterprise or groupings of them. Because you can make
as many technology lists as you require, you might decide to use one or more of
these common strategies in making effective technology lists.
The technology list is the most powerful filter in the alerting system. It is the preferred
method for reducing the number of alerts being delivered to you. Identifying the
technologies used by your organization in a technology list provides effective,
low-noise alerting for monitors based on technology lists. Technology lists require
time to configure, especially if you decide to specify your technologies down to the
version and patch level. For an enterprise, creating detailed technology lists may
be impractical unless technology lists are built based on areas of responsibility.
The portal provides two pre-configured technology lists:
■ All technologies
■ Top 100 Technologies

All Technologies
The All Technologies technology list is exactly that, a list that contains every
technology within the DeepSight Intelligence portal technologies database. When
this list is used in a monitor, the monitor will trigger for every alert issued throttled
only by monitor thresholds. While useful, it is informationally noisy. When using the
All Technologies list, keep in mind that controlling the number of alerts delivered
to you with monitor thresholds may prevent delivery of some relevant alerts.

Note: You can configure an All Technologies technology list by including the
technology category All.

Top 100 Technologies


The Top 100 Technologies technology list is based on the 100 technologies most
commonly configured by DeepSight Intelligence customers. The Top 100
Technologies are recalculated every week. As a result, the list changes as
technologies come in to and fall out of favor. The list may have one of your important
technologies in it today, but your technology may be removed when the Top 100
is recalculated. It does effectively reduce alerting noise by preventing alerts on
more obscure technologies.

Adding a new technology list


You can create an unlimited number of technology lists. It is helpful to have an
inventory of systems and services with vendor names and revision levels before
creating new lists.
To create a new technology list
1 At the bottom of the Manage Technology List page, click Add New
Technology List.
2 In the Technology List configuration page, type a name for the technology list.
3 Select the category of the technology.
4 In the Vendor area, specify the vendor of the technology you want to include
on the technology list.
You can select a vendor and then click the Include icon (a blue arrow with a
plus sign) to add a vendor's entire product line to your technology list. Also, if
you want to remove an item that you placed in the Selections area, click the
item and then click the Exclude icon (a red arrow with a minus sign).
5 In the Products area, specify the product you want to include on the technology
list.
You can select a product and then click the Include icon to add all versions of
the product to your technology list.
6 In the Versions area, select the version or versions of the technology to include
on the list and click Include.
7 Additional technologies can be added to the list by selecting another vendor
and repeating the last two steps above.
8 Check Include Related Technology Packages if you want every package
installed with a technology by default to be included in the technology list.

9 Check or uncheck the Internal Sharing and Internal Copying check boxes
to specify if you would like to share lists or allow people within your organization
to copy your Technology List.
10 Click Save when your list is complete.
Performing a bulk upload

Performing a bulk XML upload


You can create a new technology list by uploading a customized xml file using the
Master Technology List template format. Note that you must use the given format.
To create a new technology list through bulk XML upload
1 At the bottom of the Manage Technology List page, click Add New Technology
List.
2 In the Manage Technology List page, click the XML Upload tab on the left.
3 Click Browse.

4 In the Choose File to Upload dialog box, select a valid xml technology list file.
The file should be well-formed xml and must retain the format of the Master
Technology List template.
5 Click Open.
6 Type a name for the technology list you want to create.
7 Click Upload.

Performing a bulk CPE upload


Similar to the common technology list, the Common Platform Enumerator (CPE)
technology list feature lets you create a technology list that contains the CPE Names
of your technologies as another way to fashion alerts.
You can create a new technology list by uploading a customized CPE file using the
CPE Technology List template format. Note that you must use the given format.

Note: You are permitted to create a technology list only at Product/Version level,
with a maximum of 1,000 CPE string entries, through bulk CPE Upload. For other
features (i.e., Category/Vendor level inclusion) please use Manual Selection or bulk
XML upload.

To create a new technology list through bulk CPE upload


1 At the bottom of the Manage Technology List page, click Add New Technology
List.
2 In the Manage Technology List page, click the CPE Upload tab on the left.
3 Click Browse.

4 In the Choose File to Upload dialog box, select a valid CPE technology list file.
The text file contents must have the format of the CPE Technology List template.
5 Click Open.
6 Type a name for the technology list you want to create.
7 Check or uncheck the Internal Sharing and Internal Copying check boxes
to specify if you would like to share lists or allow people within your organization
to copy your Technology List.
8 Click Upload.

Performing a bulk Qualys CPE upload


Similar to the CPE technology list feature, the Qualys CPE technology list upload
lets you create a technology list that contains the Qualys CPE information.
You can create a new technology list by uploading a Qualys-generated xml file.
Note that you must use the Qualys format.
To create a new technology list through bulk Qualys CPE upload
1 At the bottom of the Manage Technology List page, click Add New Technology
List.
2 In the Manage Technology List page, click the Qualys CPE Upload tab on
the left.
3 Click Browse.

4 In the Choose File to Upload dialog box, select a Qualys-generated xml file.
5 Click Open.
6 Type a name for the technology list you want to create.
7 Check or uncheck the Internal Sharing and Internal Copying check boxes
to specify if you would like to share lists or allow people within your organization
to copy your Technology List.
8 Click Upload.

Submitting a Missing Technology form


This feature lets you notify Symantec of a technology that is missing from the
database and you want added.
To submit a Missing Technology form
1 At the bottom of the Manage Technology List page, click Add New Technology
List.
2 In the Manage Technology List page, click the Missing Technology tab on
the left.
3 Complete the fields as they are labeled.
4 Click Send.

Managing delivery methods


Delivery methods are simply places to send an alert. Any standard delivery method
add-on can be configured to deliver alerts in one of three ways:
■ To email
■ To SMS
■ To RSS
RSS, unlike the other delivery methods, cannot be configured beyond assigning
the delivery method a name; it does not receive alerts, it retrieves alerts; and your
RSS delivery method cannot be deleted from your account. While your DeepSight
Intelligence portal user account can have as many delivery methods as you require,
each user account can have only one RSS delivery method.
When your account has multiple delivery methods, it allows you greater flexibility
in monitor configuration. Delivery methods are used in monitors to deliver alerts
matching the technology and threshold criteria set in the monitor to the appropriate
device. Different types of delivery methods imply a different level of urgency for
delivery. For instance, you may want to receive a risk level 1 (low) Malicious Code
alert for an important technology in an email, but it is unlikely you would want your
pager or cell phone to disturb you with that same alert. For that reason, we refer to
high and low priority delivery methods throughout this documentation.

Delivery method configuration components


The Delivery Method page is composed of a number of elements used to create a
new delivery method. These are:
■ Delivery method name: Enter a name for the delivery method. In larger
organizations it is important that the delivery method name be descriptive enough
that other notifications users will be able to identify who should receive alerts
when a delivery method is selected within monitors.
■ Delivery method type: The standard delivery method may be configured as email
or SMS. The RSS delivery method is included with each service license assigned
to a user's account. XML email is licensed as an Integration add-on.
■ Delivery method address or number: This input field must be syntactically correct
in order to function properly. Email addresses must comply with RFC
specifications and be syntactically correct. Telephone numbers must contain
only numbers: do not enter a '1' before the number. Country codes may be
necessary outside of the United States and Canada. Check the text below the
configuration screen for the most up-to-date information about the use of country
codes.

Note: Once configured, the Delivery Method Type cannot be changed. The Delivery
Method must be deleted and then recreated as the type of Delivery Method you
want.

Table 3-4 Delivery method selection criteria

email
  What is delivered / Additional notes: Delivers any alert type in the selected format and detail level by electronic mail.
  Available detail levels: All detail levels for all alert types. Note: Detail levels are selected during monitor configuration.
  Available alert format: Text, PDF, or HTML. Note: Format selected during monitor configuration.

RSS
  What is delivered / Additional notes: Allows an RSS client to retrieve alerts after authentication.
  Available detail levels: Full Details
  Available alert format: RSS 2.0

SMS
  What is delivered / Additional notes: Delivers any alert type to any SMS-enabled device.
  Available detail levels: Notice: A short alert format that is, at most, a couple of sentences long. URL: Delivers a Notice plus a related URL.
  Available alert format: Text

XML email
  What is delivered / Additional notes: Delivers XML encoded alerts as an email attachment. See the Appendix for more details.
  Available detail levels: Full Details
  Available alert format: XML

Table 3-5 Address or Number configuration requirements

Delivery Method Type: Email
Address or Number requirements: Email addresses must comply with RFC
specifications and be syntactically correct. The correct format is:
username@your_domain.com

Delivery Method Type: SMS
Address or Number requirements: When entering a phone number for your SMS
delivery method in the US, Canada, or a location reachable via an area code,
enter the number starting with the area code. Do not enter a '1' before the
number.
Example: if your SMS number is (703) 555-1212 then enter 7035551212
Alternatively, you can configure your SMS delivery method with the SMS domain
used by your SMS service provider. To do this you must obtain the domain name
that your SMS service provider uses for its SMS services; this is rarely the
same domain as the service provider's primary DNS name. Obtain your (new)
service provider's SMS domain name and enter your existing SMS number using
this format:
<area code><phone number>@<service provider's SMS domain>
Example: If your SMS number is (703) 555-1212 then enter
7035551212@<sms.serviceprovider.com>
Note: The alternative Address or Number configuration method allows you to use
your originally assigned SMS number in the event that you change SMS service
providers and decide to carry the originally assigned SMS number to a new SMS
service provider.

Delivery Method Type: XML email
Address or Number requirements: Enter a legal email address. It must be
syntactically correct; for example: john.doe@example.com. The XML email delivers
an XML attachment.

Delivery Method Type: Web Services
Address or Number requirements: The Address or Number is not available for
configuration. The Web Service client polls the Web Service for new alerts and
pulls that information.

Note: The RSS delivery method pulls information from RSS-capable pages; as a
result, the Address or Number configuration is actually done within the RSS
reader.

SMS alerts outside of the US and Canada


Currently Symantec can deliver alerts to the US and Canada as well as the following
countries with area codes:

Table 3-6 Additional Area Code accessible locations

Country Area Code

Bahamas 242

Bermuda 441

Cayman Islands 345

Dominican Republic 809

Puerto Rico 787

U.S. Virgin Islands 340

Country codes must be used for locations other than those listed above. When
entering a phone number for a location that requires a country code, enter '011',
the country code, and the phone number without spaces or other delimiters.
Example: If the SMS number is 61 1 2345 6789 then enter 01161123456789

Currently we can deliver SMS alerts to the following countries reachable using a
country code:

Table 3-7 Country code accessible locations

Country Country Code

Australia 61

Austria 43

Belgium 32

Finland 358

France 33

Germany 49

Hong Kong 852

Ireland 353

Israel 972
Italy 39

Japan 81

Liechtenstein 423

Malaysia 60

Netherlands 31

New Zealand 64

Philippines 63

Saudi Arabia 966

Singapore 65

South Africa 27

Spain 34

Switzerland 41

United Kingdom 44

Venezuela 58

Contact customer support if you require service to a country not listed here.
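As an added example (not code from the guide or the portal), the following Python applies the Address or Number rules from Tables 3-5 through 3-7 before a value is entered in the portal: the area-code and country-code tables are the guide's own, while the email pattern and the carrier SMS domain are assumptions.

```python
"""Normalise a DeepSight delivery-method Address or Number to the format the
portal expects. Added example; the area-code and country-code tables are taken
from Tables 3-6 and 3-7 of the guide, the email pattern is an assumption."""
import re
from typing import Optional

# Table 3-6: locations outside the US and Canada reachable with an area code.
AREA_CODE_LOCATIONS = {
    "Bahamas": "242", "Bermuda": "441", "Cayman Islands": "345",
    "Dominican Republic": "809", "Puerto Rico": "787",
    "U.S. Virgin Islands": "340",
}

# Table 3-7: countries reachable with '011' followed by the country code.
COUNTRY_CODES = {
    "Australia": "61", "Austria": "43", "Belgium": "32", "Finland": "358",
    "France": "33", "Germany": "49", "Hong Kong": "852", "Ireland": "353",
    "Israel": "972", "Italy": "39", "Japan": "81", "Liechtenstein": "423",
    "Malaysia": "60", "Netherlands": "31", "New Zealand": "64",
    "Philippines": "63", "Saudi Arabia": "966", "Singapore": "65",
    "South Africa": "27", "Spain": "34", "Switzerland": "41",
    "United Kingdom": "44", "Venezuela": "58",
}

# Syntactic check for username@your_domain.com (an assumption; the portal's own
# validation rule is not published in the guide).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def normalize_email(address: str) -> str:
    """Return the address unchanged if it is syntactically valid, else raise."""
    address = address.strip()
    if not EMAIL_RE.match(address):
        raise ValueError(f"not a syntactically valid email address: {address!r}")
    return address


def normalize_sms(number: str, country: str = "United States",
                  sms_domain: Optional[str] = None) -> str:
    """Return the value to type into the Address or Number field for an SMS
    delivery method.

    country: "United States", "Canada", a Table 3-6 location or a Table 3-7
    country. sms_domain: optional carrier SMS gateway domain, which produces the
    '<area code><phone number>@<service provider's SMS domain>' form.
    """
    digits = re.sub(r"\D", "", number)  # drop spaces, parentheses, dashes, '+'
    if not digits:
        raise ValueError(f"no digits in phone number {number!r}")

    if country in ("United States", "Canada") or country in AREA_CODE_LOCATIONS:
        # Area-code locations: exactly 10 digits, area code first, no leading '1'.
        if len(digits) == 11 and digits.startswith("1"):
            digits = digits[1:]
        if len(digits) != 10:
            raise ValueError(f"expected area code plus 7-digit number, got {digits!r}")
        expected = AREA_CODE_LOCATIONS.get(country)
        if expected and not digits.startswith(expected):
            raise ValueError(f"{country} numbers start with area code {expected}")
        result = digits
    elif country in COUNTRY_CODES:
        code = COUNTRY_CODES[country]
        # Accept '+61 ...', '0061 ...', '011 61 ...' or '61 ...' (the guide's
        # example) as already carrying the country code; otherwise the digits
        # are taken as the national number. This is ambiguous when a national
        # number happens to begin with the same digits as the country code.
        for prefix in ("011" + code, "00" + code, code):
            if digits.startswith(prefix):
                digits = digits[len(prefix):]
                break
        result = "011" + code + digits
    else:
        # Neither table lists the location: the guide says to contact support.
        raise ValueError(f"SMS delivery to {country!r} is not listed; "
                         "contact customer support")

    return f"{result}@{sms_domain}" if sms_domain else result
```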

Configuring your Default RSS Delivery Add-on


Your RSS delivery method requires no configuration within the DeepSight
Intelligence portal; however, you can give the delivery method a descriptive name.
The delivery method appears as an item on your Delivery Methods page. The RSS
icon appears in the Address/Number column of the page. Double-clicking the RSS
icon reveals the RSS DeviceID within the URL.
The RSS delivery method complies with RSS 2.0 and uses Basic Authentication
over an SSL-encrypted connection. Your RSS reader must be able to authenticate over
HTTPS to use your RSS delivery method. Configuration of your default RSS Delivery
Add-on occurs within a compatible RSS reader. Clicking an RSS icon in the DeepSight
Intelligence portal takes you to an XML page of the item; you simply copy and paste
the URL into your RSS reader.
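An added example, not code from the guide or the portal, of a minimal client for the RSS delivery method: it builds the Basic Authentication request, refuses anything but HTTPS, and parses an RSS 2.0 feed. The feed URL, credentials and feed body are constructed placeholders.

```python
"""Retrieve DeepSight alerts from the RSS 2.0 delivery method with a minimal
client. Added example, not the portal's code; the feed URL, credentials and the
sample feed are constructed placeholders."""
import base64
import urllib.request
from urllib.parse import urlparse
from xml.etree import ElementTree as ET


def build_feed_request(feed_url: str, username: str,
                       password: str) -> urllib.request.Request:
    """Build the authenticated GET for the feed.

    Basic Authentication only base64-encodes the credentials, so the request is
    refused unless the URL is HTTPS, which is what the guide requires anyway.
    """
    if urlparse(feed_url).scheme != "https":
        raise ValueError("RSS delivery method must be fetched over HTTPS")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(feed_url)
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/rss+xml, application/xml")
    return req


def parse_alert_feed(rss_xml: str) -> list:
    """Return the <item> elements of an RSS 2.0 document as dicts."""
    root = ET.fromstring(rss_xml)
    if root.tag != "rss" or root.get("version") != "2.0":
        raise ValueError("expected an RSS 2.0 document")
    alerts = []
    for item in root.iter("item"):
        alerts.append({
            "title": item.findtext("title", ""),
            "link": item.findtext("link", ""),
            "published": item.findtext("pubDate", ""),
            "guid": item.findtext("guid", ""),
        })
    return alerts


def fetch_alerts(feed_url: str, username: str, password: str) -> list:
    """Fetch and parse the live feed (needs network access to the portal)."""
    with urllib.request.urlopen(build_feed_request(feed_url, username, password),
                                timeout=30) as resp:
        return parse_alert_feed(resp.read().decode("utf-8"))


# Constructed sample of what an RSS 2.0 alert feed looks like; not a real feed.
SAMPLE_FEED = """<rss version="2.0">
<channel>
  <title>DeepSight alerts (constructed sample)</title>
  <item>
    <title>Vulnerability alert (constructed)</title>
    <link>https://portal.example/alerts/1</link>
    <pubDate>Mon, 02 Jun 2014 09:00:00 GMT</pubDate>
    <guid>alert-1</guid>
  </item>
  <item>
    <title>Malcode alert (constructed)</title>
    <link>https://portal.example/alerts/2</link>
    <pubDate>Mon, 02 Jun 2014 09:30:00 GMT</pubDate>
    <guid>alert-2</guid>
  </item>
</channel>
</rss>"""

if __name__ == "__main__":
    for alert in parse_alert_feed(SAMPLE_FEED):
        print(alert["published"], alert["title"], alert["link"])
```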

Configuring a Default Delivery Add-on


A standard Delivery Method Add-on can be configured in the following ways:
■ Email
■ SMS
Each of your unconfigured Delivery Method Add-ons is listed in the following table.

Table 3-8 Unconfigured Delivery Methods

Column              Entry
Name                Default DeepSight Delivery Add-on
Type                Not Configured
Activation Status   Not Configured
Address/Number      Blank
Test                Blank

Defining a standard delivery method


The DeepSight Intelligence portal supports two delivery methods: email (default)
and SMS. Each of your standard/default Delivery Method Add-ons is listed in your
Delivery Methods listing.
To configure a Default Delivery Add-on
1 In the Delivery Methods grid, click the name of the unconfigured method you
want to configure.
2 In the Delivery Method Configuration window, select a delivery method type.
You may choose Email or SMS.
3 Type a name for the delivery method.
4 In the Address or Number field, type an email address or a telephone number
for SMS delivery methods.
The email address must be syntactically correct:
(username@your_domain.com).
The phone number must be entered as numbers without spaces, parentheses,
or other delimiters (7035551212).
5 Click OK.
6 In the Delivery Methods grid, click Test at the right of the delivery method
row.

7 Retrieve the test message.
8 Activate the delivery method as described in Activating a delivery method.

Creating a new XML delivery method


If you have the XML Integration Add-on, there is an Add New XML Delivery Method
button below your Delivery Methods listing. You may create multiple XML Delivery
Methods for flexibility in building your custom XML systems.
To configure a new XML delivery method
1 Below the Delivery Methods grid, click Add New XML Delivery Method.
2 Type a name for the delivery method.
3 In the Address or Number field, type an email address.
The email address must be syntactically correct:
(username@your_domain.com).
4 Click OK.
5 In the Delivery Methods grid, click Test at the right of the delivery method
row.
6 Retrieve the test message.
7 Activate the delivery method as described in Activating a delivery method.

Activating a delivery method


When creating a new delivery method, the delivery method will not be available for
configuration within Monitors until activation is completed. Once activation is
complete, alert deliveries begin when one of your monitor configurations triggers
an alert.

Note: All email, SMS, and XML email delivery methods must be activated before
alert delivery begins. Web Services delivery methods do not require activation.

Table 3-9 Activation notes

Delivery Method: Email, XML
Activation notes: The delivery method activation code is the four characters
found in the test message in a line that reads: Delivery Method activation code
is: A1A5 (or some other unique value).
Click the Enter Activation Code link for the newly configured delivery method on
the Configured Delivery Methods page. This presents a page with an input field
for the activation code. Enter the activation code and click Continue.

Delivery Method: RSS
Activation notes: Activation is not required.

Delivery Method: SMS
Activation notes: The delivery method activation code is the four characters
found at the bottom of the test message in a line that reads: Delivery Method
activation code is: A1A5 (or some other unique value).
Click the Enter Activation Code link for the newly configured delivery method on
the Configured Delivery Methods page. This presents a page with an input field
for the activation code. Enter the activation code and click Continue.

Delivery Method: Web Services
Activation notes: Activation is not required.

To activate a delivery method


1 In the Delivery Methods grid, select a method that is displaying Enter
Activation Code in the Activation Status column.
2 Click Enter Activation Code.
3 In the Activation window, type the code you retrieved and click OK.
4 Click OK in the activation success prompt.

Using DeepSight Intelligence Groups


Note: This feature is available for Vulnerability, Security Risk, and Malcode monitors
only.

The DeepSight Intelligence Groups feature is a way of grouping alert monitors with
users so that teams can more easily address alerts.
After creating a DeepSight Intelligence Group, you must create or edit alert monitors
to use your group as a delivery method. Once that is done, your group will begin
receiving alerts that your group members can process as part of alerts workflow.

To create a DeepSight Intelligence Group


1 In the Settings page, click the DeepSight Groups link.
2 Click Create Group in the upper right of the grid.
3 In the DeepSight Alert Group window, type a group name and an optional
description.
4 Select users from the Available pane and click the right-facing arrow to move
them into the Selected pane.

Note: At least one of the users must be a Customer Administrator. This person
will have the ability to maintain the group.

5 Click Create.

Printing or exporting
The portal lets you generate printer-friendly views of most of the interface's pages
and export data from many of the grids. If you see an icon for Print or Export on
the right side above the grid or report, then the functionality exists for that item.

Note: If you want to include your brand header on your printouts, you must enable
the option to print background images and colors in your web browser. In Internet
Explorer, click Tools > Internet Options, click the Advanced tab, scroll to the
Printing section, and check the Print background colors and images box. In
Firefox, click File > Page Setup, and check the Print Background (colors &
images) box.

The Export function captures grid data, including hidden columns, and converts it
to a comma-separated values (.csv) format for viewing and manipulation in the
compatible application of your choosing. For incident grids, the portal exports 180
days of data; for requests and asset grids, all data is exported.
To print a report or grid
1 Customize the report or grid you intend to print. The output will contain only
those columns that are displayed in the grid.
2 Click the Print link located on the right side above the report or grid.
3 Print the view using your browser's print function.

To export grid data


1 Click the Export icon located on the right side above the grid.
2 In the Opening ReportData.csv window, click Save to Disk.
3 Click OK.
4 If your browser is configured to automatically route downloads to a specific
location, you will find ReportData.csv there. Otherwise, in the Enter name of
file to save to... window, modify the file name as desired, navigate to your
preferred download location, and click Save.
Chapter 4
Managing the Dashboard
This chapter includes the following topics:

■ About the Dashboard

■ Customizing your Dashboard

■ Configuring the modules

About the Dashboard


The Dashboard tab lets you customize an array of your favorite modules from the
following list:

Table 4-1 Dashboard modules and their descriptions

Module: DeepSight Intelligence Global Incidents
Description: This module is a summation of incidents detected by the Global
Intelligence Network and presented to DeepSight Intelligence without severity
calculations. The map is updated every 15 minutes.
Customization Options: None

Module: Open Incidents by Asset Criticality
Description: The Open Incidents by Asset Criticality module provides a count of
unique incidents of the selected severity that contain at least one asset of the
selected criticality over a selected amount of time. The severity increases from
chart bottom to top, and asset value increases from left to right. You can click
a linked value to see a filtered Incidents grid or, if the linked value is 1, go
directly to the Incident Detail page.
Customization Options: The time configuration options are 1, 7, 30, 60, 90, and
180 days.

Module: Incident Category
Description: The Incident Category module contains a chart displaying the
breakdown of incidents by category. You can customize the time frame and the
severity of the incidents included in the graph. Hovering over elements in the
module provides additional information about the incidents in each category.
Customization Options: The time configuration options are 1, 7, 30, 60, 90, and
180 days.

Module: Incident Classification
Description: This module contains a chart displaying the breakdown of incidents
by classification. You can customize the time frame included in the graph.
Hovering over elements in the module provides additional information about the
incidents in each classification.
Customization Options: The time configuration options are 1, 7, 30, 60, 90, and
180 days.

Module: Incident Classification Frequency
Description: This module displays the top 5 most frequent incident
classifications over a selected amount of time. More data is shown when a data
point is hovered within the graph.
Customization Options: The time configuration options are 7, 30, 60, 90, and 180
days.

Module: Incident Frequency
Description: The Incident Frequency module displays incidents over a selected
amount of time. The module breaks down incidents by severity and lets you choose
which severity types you would like to display over which period of time. The
severities can also be deselected and selected within the legend. More data is
shown when a data point is hovered within the graph.
Customization Options: You can modify this module to display a select set of
severities. The time configuration options are 7, 30, 60, 90, and 180 days.

Module: Open Items
Description: The Open Items module contains a list of the top 50 open items
according to your preferences.
Customization Options: You can modify this module to display a select set of
severities. The time configuration options are 1, 7, 30, 60, 90, and 180 days.

Module: Security Monitor
Description: The Security Monitor module provides a high-level view of your
current security incident posture.
Customization Options: You can configure the timeframe to 1, 7, 30, 60, 90, and
180 days.

Module: Symantec News
Description: The Symantec News module displays a list of Service Alerts, Threats,
and Advisories in a convenient feed for quick viewing.
Customization Options: The time configuration options are 1, 7, 30, 60, 90, and
180 days.

Setting automatic Dashboard refreshing and revolving


The Dashboard has an auto-refresh option like that on the Home page. The
auto-refresh interval is set at five minutes. The Dashboard also has an option to
automatically rotate through your set of dashboards. If active, the display moves
on to the next dashboard every five minutes.
To toggle automatic refreshing and rotating
1 On the Dashboard page, in the upper right above the customization button,
click the Auto-Refresh link to toggle it on and off.
2 To the right of Auto-Refresh is the Auto-Rotate link. Click the Auto-Rotate link
to toggle it on and off.

Customizing your Dashboard


You can rearrange the Dashboard modules to suit your preference. You can also
create different module sets by using the Customize feature.
To create a custom Dashboard set
1 On the Dashboard page, click Create New.
2 Drag and drop or double-click the modules you want from the selection area
at the top of the page.
3 Rearrange the modules to your preference.
4 Type a name for the custom set, if desired.
5 Click Save.
To modify a Dashboard set
1 On the Dashboard page, click the name of the dashboard you want to modify.
2 Click Customize.
3 If you prefer, click the title and type a new name for the set.
4 Drag and drop or double-click the modules you want from the selection area
at the top of the page.
5 Click the X icon in a module's title bar to delete it from this set.
6 Click Save.

To delete a Dashboard set


1 On the Dashboard page, click the name of the dashboard you want to delete.
2 Click Delete.
3 In the confirmation prompt, click OK.
To rearrange Dashboard modules
1 On the Dashboard page, click Customize.
2 Hover your mouse pointer over a module title bar. When the pointer changes
to move mode (displays four opposing arrows), drag (click and hold the mouse
button) the module to your preferred location. An empty frame with a dashed
border appears in the target location as you perform the dragging motion.
3 When the module is over your preferred location, release the mouse button.

Configuring the modules


You can configure some of the modules as described in the following procedures.
To configure the Open Incidents by Asset Criticality module
1 On the Dashboard page, in the Open Incidents by Asset Criticality module,
click the Edit button.
2 In the Edit properties of the widget window, select a timeframe you prefer
to see in the module.
3 Click Save.
To configure the Incident Category module
1 On the Dashboard page, in the Incident Category module, click the Edit
button.
2 In the Edit properties of the widget window, select a timeframe and the
severities that you prefer to see in the module.
3 Click Save.
To configure the Incident Classification module
1 On the Dashboard page, in the Incident Classification module, click the Edit
button.
2 In the Edit properties of the widget window, select a timeframe that you
prefer to see in the module.
3 Click Save.

To configure the Incident Classification Frequency module


1 On the Dashboard page, in the Incident Classification Frequency module,
click the Edit button.
2 In the Edit properties of the widget window, select a timeframe you prefer
to see in the module.
3 Click Save.
To configure the Incident Frequency module
1 On the Dashboard page, in the Incident Frequency module, click the Edit
button.
2 In the Edit properties of the widget window, select a timeframe and the
severities you prefer to see in the module.
3 Click Save.
To configure the Open Items module
1 On the Dashboard page, in the Open Items module, click the Edit button.
2 In the Edit properties of the widget window, select the severities you prefer
to see in the module.
3 Click Save.
To configure the Security Monitor module
1 On the Dashboard page, in the Security Monitor module, click the Edit button.
2 In the Edit properties of the widget window, select a timeframe you prefer
to see in the module.
3 Click Save.
To read Symantec News items
◆ On the Dashboard page, in the Symantec News module, click the link to the
article you want to read.
Chapter 5
Managing incidents
This chapter includes the following topics:

■ About incidents

■ Searching incidents

■ About incident correlation

■ Unmasking true source IP addresses

■ Changing the Incidents grid display

■ Updating multiple incidents simultaneously

■ Printing or exporting

■ Reviewing and editing incident details

■ Reviewing IP address details

■ Configuring certain incident-related features

About incidents
Incidents are identified through analysis of an organization’s device logs. Incidents
range from routine network occurrences to actual attacks against an organization’s
systems. The SOC Technology Platform (STP) analyzes device logs to find patterns
that indicate potential weaknesses or compromises in the client’s system.
The portal categorizes incidents using the following severity levels:

■ Informational: These incidents have no impact to the client. They are presented
for informational/reporting purposes.
■ Warning: These incidents are suspicious and may require additional investigation
by the client. They are not a high-risk attack and do not require immediate action
to mitigate the impact of the attack.
■ Critical: These incidents are high-risk attacks or possible compromises.
Immediate action is necessary to mitigate the impact of these incidents.
■ Emergency: These incidents are high-risk attacks that resulted in a validated
compromise. Immediate action is necessary to mitigate the impact of these
incidents.

The Incidents page displays incidents related to the registered networks (a.k.a.
netblocks) assigned to your organization. Users at the company-level organization
will see all incidents for that company.
If you do not have access to an incident's destination organization, or there are no
organizations associated with this incident, the Destination Organization column
displays External. If you have access to more than one of the associated destination
organizations, the column displays Multiple.

Searching incidents
The portal provides a simple search feature that allows you to instantly view an
incident.

Note: If you type an invalid IP address or incident ID number (wrong format or
character length) in the Search field, the portal displays the message Invalid
Security Incident or IP Address. If you typed valid search criteria but the system
finds no relevant data, the portal displays the message No matching incident
found.

To search for an incident


1 At the top of any Incidents page, click inside the Search field.
2 Type a complete incident ID number, source IP address, or fragment of
comment text.
3 If you are searching for comment text, be sure to check the Search in
comments check box.
4 Click Search.

Using the advanced search feature


The MSS portal includes an advanced search method on certain grid pages.
To run an advanced search
1 On the Incidents page, click the Advanced Search button above the grid.
At the top of the grid, note the appearance of a set of empty selection boxes.
2 Click the first selection box and select an attribute to search for from the items
listed (for example, Severity).
3 In the second selection box, select an operator. The default operator is = (equal
to).
4 In the third selection box, click and select or type the value of the attribute you
choose at the start (for example, Emergency).
5 Click the + (plus sign) icon at the end of the line to add another row and continue
entering search parameters.
Use the X icon to remove a row.
6 When you are finished entering search parameters, click Run.

About incident correlation


Under certain circumstances, the portal can identify links between separate events
to gain an enhanced view of an incident: this is incident correlation. The information
you see depends on the activity that generated the events.
Correlation can show malicious file activity and tell you if or how it has affected your
organization. These correlated incidents are marked in the Incident grid with a
correlation icon.

Currently, correlation is supported between certain firewalls from Palo Alto Networks,
Sourcefire, Checkpoint, and FireEye, and antivirus and intrusion prevention system
(IPS) products from Symantec and McAfee.

Tracking malicious file activity


Regarding malicious file activity, when the portal identifies a link between malicious
file download events generated by network security device logs and similar events
from endpoint logs, the resulting incident is marked as correlated. For example, a
firewall log generates an event showing that it detected the download of a file known
to be malware. Subsequently, an endpoint log generates an event stating that the
same known malware file was blocked. These events are combined to create a
correlated incident with a wealth of information that you can opt to export to PDF
for analysis and remediation. See “To view correlated incident events” on page 76.
The correlated incident provides an overlay with the following information, if available:
outcome, file name, reputation, source URL, MD5/SHA256 hash, and malware
behavior, including affected operating systems, known effects of infection, and the
associated malware subtypes.
Note the following definitions to better understand the expanded file information.

Outcome: The result of firewall or endpoint protection action/inaction relating to
this event. Outcome shows as one of the following terms:
■ Blocked: Malicious file transfer blocked.
■ Not Blocked: Malicious file was downloaded.
■ Protected: Host protected by endpoint protection.
■ Infected: Host infected by malicious file.

Reputation: Indicates the trust level that Symantec assigns to a file, based on a
stringent evaluation methodology. Reputation shows as one of the following terms:
■ Symantec Trusted: This file is Symantec Trusted.
■ Good: Symantec has a high indication that the file is trusted.
■ Trending Good: Symantec does not yet have enough information about the file to
assign a trust level, but early indications are that the file is good.
■ Unproven: Symantec does not have enough information about the file to assign a
trust level to the file.
■ Poor: Symantec has a few indications that the file is not trusted.
■ Untrusted: Symantec has a high indication that the file is not trusted.

Prevalence: Indicates how frequently Symantec's global community of users
downloaded this file. Treat files with low prevalence with caution.

First Seen: Indicates when Symantec's global community of users first downloaded
this file. Treat new files with caution.
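The matching described in this section, as an added example rather than Symantec's correlation engine: firewall and endpoint events are joined on their file hash, and the Outcome terms defined above are assigned per event. Hosts, hashes, URLs, the reputation data and the action-to-outcome mapping are constructed assumptions.

```python
"""Correlate firewall file-download events with endpoint events that concern the
same file, producing the kind of correlated incident the guide describes.
Added example, not Symantec's correlation engine; hosts, hashes, URLs and the
reputation data are constructed, and the outcome mapping is an assumption."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed SHA256 values standing in for real file hashes.
HASH_A, HASH_B, HASH_C, HASH_D = ("a1" * 32, "b2" * 32, "c3" * 32, "d4" * 32)

# Constructed events as they might be normalised from firewall and endpoint logs.
SAMPLE_EVENTS = [
    {"ts": "2014-06-01T10:00:05Z", "src": "firewall", "host": "10.1.2.30",
     "file": "invoice.exe", "sha256": HASH_A, "action": "allowed",
     "url": "http://malicious.example/invoice.exe"},
    {"ts": "2014-06-01T10:00:09Z", "src": "endpoint", "host": "10.1.2.30",
     "file": "invoice.exe", "sha256": HASH_A, "action": "quarantined"},
    {"ts": "2014-06-01T10:02:00Z", "src": "firewall", "host": "10.1.2.31",
     "file": "update.exe", "sha256": HASH_B, "action": "blocked",
     "url": "http://malicious.example/update.exe"},
    {"ts": "2014-06-01T10:05:00Z", "src": "firewall", "host": "10.1.2.32",
     "file": "tool.exe", "sha256": HASH_C, "action": "allowed",
     "url": "http://malicious.example/tool.exe"},
    {"ts": "2014-06-01T10:05:40Z", "src": "endpoint", "host": "10.1.2.32",
     "file": "tool.exe", "sha256": HASH_C, "action": "infected"},
    {"ts": "2014-06-01T10:07:00Z", "src": "endpoint", "host": "10.1.2.40",
     "file": "note.pdf", "sha256": HASH_D, "action": "quarantined"},
]

# Outcome terms from the guide; which device action maps to which term is an
# assumption of this example.
OUTCOME_BY_ACTION = {
    ("firewall", "blocked"): "Blocked",
    ("firewall", "allowed"): "Not Blocked",
    ("endpoint", "quarantined"): "Protected",
    ("endpoint", "infected"): "Infected",
}

# Constructed stand-in for a file reputation lookup: (reputation, prevalence).
REPUTATION = {HASH_A: ("Untrusted", 3), HASH_C: ("Poor", 12)}


@dataclass
class CorrelatedIncident:
    sha256: str
    file_name: str
    hosts: list
    source_url: str
    outcomes: list      # one Outcome term per event, in time order
    reputation: str
    prevalence: int

    @property
    def headline_outcome(self) -> str:
        """An infection anywhere dominates; otherwise the last event gives the
        end state of the host (downloaded, then quarantined -> Protected)."""
        return "Infected" if "Infected" in self.outcomes else self.outcomes[-1]


def correlate(events) -> list:
    """Group events by file hash and build an incident for every hash seen by
    both a network device and an endpoint, which is what the guide calls a
    correlated incident. Hashes seen by only one side are left uncorrelated."""
    by_hash = defaultdict(list)
    for ev in events:
        by_hash[ev["sha256"]].append(ev)

    incidents = []
    for sha, evs in by_hash.items():
        if not {"firewall", "endpoint"} <= {ev["src"] for ev in evs}:
            continue
        evs.sort(key=lambda ev: ev["ts"])
        reputation, prevalence = REPUTATION.get(sha, ("Unproven", 0))
        incidents.append(CorrelatedIncident(
            sha256=sha,
            file_name=evs[0]["file"],
            hosts=sorted({ev["host"] for ev in evs}),
            source_url=next((ev["url"] for ev in evs if ev["src"] == "firewall"), ""),
            outcomes=[OUTCOME_BY_ACTION[(ev["src"], ev["action"])] for ev in evs],
            reputation=reputation,
            prevalence=prevalence,
        ))
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc.file_name, inc.headline_outcome, inc.reputation, inc.hosts)
```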

Unmasking true source IP addresses


Depending on your network architecture, devices that use one translated IP address
to conceal multiple systems can also mask true incident and event source IP
addresses. When presented to the responder, these incidents often require additional
work to resolve or identify their actual source IP address. True Source IP Address
Resolution reduces the time needed to reveal affected hosts and enables faster
incident response times. See “To view an incident’s true source IP address
resolution” on page 77.

Incidents are marked with one of the following icons:

■ Endpoint: This is the IP address of an endpoint in your network and is
displayed when Symantec MSS is able to resolve the true source IP address.
Refer to the Events tab for more details. If this IP address belongs to a network
firewall or web proxy, register it as an asset or contact Symantec MSS for
assistance.
■ Network Address Translation: This is the IP address used for masquerading
connections from multiple sources. This icon is displayed when Symantec
MSS is not able to resolve the true source IP address. This incident may
contain logs from multiple sources that were hidden behind this IP address.
Symantec uses logs from translating devices to resolve the true source IP
address. Select the Events tab and use the Info button for any event to see
why client resolution was not possible.
■ Web Proxy: This is the IP address used by a web proxy to establish
connections on behalf of clients. This icon is displayed when Symantec MSS
is not able to resolve the true source IP address. This incident may contain
logs from multiple proxy clients. Symantec uses logs from web proxies to
resolve the client IP address. Select the Events tab and use the Info button
for any event to see why client resolution was not possible.

The resolved incident provides an overlay with the following information, if available:
a source host address resolution diagram, source host details, your affected assets,
and the logging devices involved.
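How resolution against the translating device's own logs can work, as an added example and not Symantec's resolver: a NAT session is matched on its public socket and time, a proxy request on the requested host and time, and the reason text stands in for the explanation behind the Info button. All addresses, ports and log records are constructed.

```python
"""Resolve the true source of an event that arrived from behind NAT or a web
proxy, using the translating device's own logs. Added example, not Symantec's
resolver; all addresses (RFC 5737 ranges), ports, timestamps and log records are
constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Which of your addresses are translating devices. In the portal this comes from
# registered assets; here it is a constructed table.
TRANSLATING_DEVICES = {
    "203.0.113.10": "Network Address Translation",
    "10.0.5.1": "Web Proxy",
}

# Constructed NAT translation log: internal socket -> public socket.
NAT_LOG = [
    {"ts": "2014-06-01T10:00:01Z", "internal": "10.0.5.23", "internal_port": 49152,
     "public": "203.0.113.10", "public_port": 51000},
    {"ts": "2014-06-01T10:00:03Z", "internal": "10.0.5.77", "internal_port": 40001,
     "public": "203.0.113.10", "public_port": 51001},
    {"ts": "2014-06-01T10:00:04Z", "internal": "10.0.5.78", "internal_port": 40002,
     "public": "203.0.113.10", "public_port": 51001},
]

# Constructed proxy access log: which client asked the proxy for which host.
PROXY_LOG = [
    {"ts": "2014-06-01T10:05:00Z", "client": "10.0.5.40", "dest_host": "bad.example"},
]


@dataclass
class Resolution:
    kind: str                   # "Endpoint", "Network Address Translation" or "Web Proxy"
    true_source: Optional[str]  # resolved endpoint address, or None
    reason: str                 # why resolution was or was not possible


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _within(window: timedelta, a: str, b: str) -> bool:
    return abs(_ts(a) - _ts(b)) <= window


def resolve(event: dict, nat_log=NAT_LOG, proxy_log=PROXY_LOG,
            window: timedelta = timedelta(seconds=5)) -> Resolution:
    """Map an event's source address to the host behind the translating device."""
    src = event["src_ip"]
    device = TRANSLATING_DEVICES.get(src)
    if device is None:
        return Resolution("Endpoint", src, "source is not a translating device")

    if device == "Network Address Translation":
        # A NAT session is identified by its public socket plus time.
        hits = [n for n in nat_log
                if n["public"] == src and n["public_port"] == event["src_port"]
                and _within(window, n["ts"], event["ts"])]
        if len(hits) == 1:
            return Resolution("Endpoint", hits[0]["internal"],
                              f"matched NAT translation from {hits[0]['internal']}:"
                              f"{hits[0]['internal_port']}")
        if not hits:
            return Resolution(device, None,
                              "no NAT translation logged for this public socket "
                              f"within {window.seconds}s of the event")
        return Resolution(device, None,
                          f"{len(hits)} hosts used this public socket within the "
                          "window; translation log is ambiguous")

    # Web proxy: match on the requested host plus time, since the proxy's own
    # socket to the destination carries no client information.
    hits = [p for p in proxy_log
            if p["dest_host"] == event.get("dest_host")
            and _within(window, p["ts"], event["ts"])]
    if len(hits) == 1:
        return Resolution("Endpoint", hits[0]["client"],
                          f"matched proxy request for {hits[0]['dest_host']}")
    if not hits:
        return Resolution(device, None,
                          "no proxy log entry for this destination within the window")
    return Resolution(device, None,
                      f"{len(hits)} proxy clients requested this destination within "
                      "the window; proxy log is ambiguous")


# Constructed events from a monitoring device, as the SOC would receive them.
SAMPLE_EVENTS = [
    {"id": 1, "ts": "2014-06-01T10:00:02Z", "src_ip": "203.0.113.10",
     "src_port": 51000, "dest_ip": "198.51.100.9", "dest_host": None},
    {"id": 2, "ts": "2014-06-01T10:00:05Z", "src_ip": "203.0.113.10",
     "src_port": 51001, "dest_ip": "198.51.100.9", "dest_host": None},
    {"id": 3, "ts": "2014-06-01T10:00:02Z", "src_ip": "203.0.113.10",
     "src_port": 51999, "dest_ip": "198.51.100.9", "dest_host": None},
    {"id": 4, "ts": "2014-06-01T10:05:01Z", "src_ip": "10.0.5.1",
     "src_port": 33000, "dest_ip": "198.51.100.20", "dest_host": "bad.example"},
    {"id": 5, "ts": "2014-06-01T10:09:00Z", "src_ip": "10.0.5.99",
     "src_port": 44000, "dest_ip": "198.51.100.9", "dest_host": None},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = resolve(ev)
        print(ev["id"], r.kind, r.true_source, "-", r.reason)
```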

Changing the Incidents grid display


Data can be filtered to refine what appears in the grid. You can filter the grid to
display different combinations of data by using the filters on the left side bar. When
you are satisfied with your selection, you can name and save the filter set for future
use.
Available filters appear on the left side of the page. The number of items matching
the filter appears next to the filter link. When you apply a filter to the grid, the selected
filter item is removed from the set and displayed at the top of the page as a filter
selection, and the available filter sets change based on the remaining data.
Additionally, the grid can be customized to show more or fewer columns, and the
data can be sorted by any of the displayed columns.
To change the grid timeframe using a preset
1 In the Timeframe area of the left side bar, click your preferred timeframe preset.
2 Below the Pick Date Range link, choose whether to display the incidents’
Created date, Key Event Activity date or both. The differences are:

■ Created date only: Checking only this box filters the grid to display incidents
with a creation timestamp that falls within the selected timeframe. This is
the default grid setting.
■ Key Event Activity date only: Checking only this box filters the grid to display
incidents with key event activity that falls within the selected timeframe.
■ Both: Checking both boxes causes the grid to display incidents with a
creation timestamp that falls within the specified timeframe as well as any
additional results where the latest key event activity falls within the specified
timeframe.

3 Click the (undo) link next to the selected timeframe at the top of the left side
bar to return to the default timeframe.
To change the grid timeframe by picking a date range
1 In the Timeframe area of the left side bar, click the Pick Date Range link.
2 Click in the Start date field and type a date, or click the calendar widget on
the right end of the field and navigate to your preferred start date.
3 Click in the End date field and type a date, or click the calendar widget on the
right end of the field and navigate to your preferred end date.
4 Click Apply.
5 Below the Pick Date Range link, choose whether to display the incidents’
Created date, Key Event Activity date or both.
To filter the grid
1 In the left side bar, click one or more entries under the available filter sets to
narrow the focus of the grid data. You can select multiple items within a filter
set. Once you have selected all the items in one category that you want to
view, and move to another filter set, you cannot go back to the previous set to
select again unless those previous selections are undone.
For example, if you were to select Critical and Emergency under Severity, then
select External under Organization, you would notice that the Severity filter set
is no longer displayed. To display that filter set and choose other severities,
you must first undo the ones you have selected.
2 Click Show All at the bottom of the filter set to see all of the filters available
for that set. Show All only appears if there are more than five filters within a
set.
3 Click Show Less at the bottom of the filter set to display only the top five filters.
4 At the top of the left side bar, click the (undo) link next to a filter selection you
want to remove, or click Undo All to remove all of the filter selections.

To save your filter for later use


1 When you have made all of your preferred filter selections, click the Save button
in the left side bar in the Saved Filters area.
2 In the Save Filter window, type a name for your filter.
3 Click Save.
4 Click the Select Filter list to access your saved filter.
To sort the grid
1 Click any displayed column heading to sort the grid by that column in ascending
order.
2 Click the column heading again to sort the grid by that column in descending
order.
To customize the grid columns
1 In the upper right side of the grid, click Customize Columns.
2 In the Customize Columns window, click an entry in the Columns Displayed
area in the left pane, then click the arrow pointing rightward, to remove the
column from the grid view. You can add columns by clicking an entry in the
Columns Available area in the right pane, then clicking the arrow pointing
leftward.
3 Change the column display order by selecting entries in the left pane and
clicking the Up and Down buttons until you have your preferred order.
4 You can set the grid sort order as well by clicking the Sort Order selection list
and clicking your preferred sort column.
5 Click the Set as Default View check box if you want this customized view to
be your default view for this grid.
6 When you have finished customizing the grid, click Apply Updates.
To toggle the filter bar
1 At the top of the left side bar, click the leftward-facing arrow to hide the filter
bar.
2 At the top left of the grid, click the rightward-facing arrow to view the filter bar.

Updating multiple incidents simultaneously


The Incidents grid lets you select a set of incidents so that you can update certain
information in all of them simultaneously.
You can bulk update any of the following incident information:
■ Status
■ Closure code
■ Severity
■ Assignment
■ Comment
■ Reference number
■ Priority
To perform an incident bulk update
1 In the Incidents grid, click the check box at the start of the row of all incidents
you want updated simultaneously.
You can also click the check box at the top of that grid column to select all of
the incidents on that grid page. Note that this action does not select all incidents
across a multi-page grid, only those on the page currently displayed.
2 Click the Update button at the top of the grid.
3 In the Update Incident window, modify the incident information as needed.
Note that where you are restricted to a set of values, the field is a selection
list. The other fields let you type your information free-form. Comments added
in this window are appended to all of the selected incidents' activity logs.
4 Click Save.

Printing or exporting
The portal lets you generate printer-friendly views of most of the interface's pages
and export data from many of the grids. If you see an icon for Print or Export on
the right side above the grid or report, then the functionality exists for that item.
Note that the Intelligence tab content does not support this Print/Export feature.

Note: If you want to include your brand header on your printouts, you must enable
the option to print background images and colors in your web browser. In Internet
Explorer, click Tools > Internet Options, click the Advanced tab, scroll to the
Printing section, and check the Print background colors and images box. In
Firefox, click File > Page Setup, and check the Print Background (colors &
images) box.

The Export function captures grid data, including columns you have hidden through
Customize Columns, and converts it to a comma-separated values (.csv) format for
viewing and manipulation in the compatible application of your choosing. Because
hidden columns are included, an exported file can contain more incident data than
the view on screen; handle it accordingly. For incident grids, the portal exports 180
days of data; for requests and asset grids, all data is exported.
To print a report or grid
1 Customize the report or grid you intend to print. The output will contain only
those columns that are displayed in the grid.
2 Click the Print link located on the right side above the report or grid.
3 Print the view using your browser's print function.
To export grid data
1 Click the Export icon located on the right side above the grid.
2 In the Opening ReportData.csv window, click Save to Disk.
3 Click OK.
4 If your browser is configured to automatically route downloads to a specific
location, you will find ReportData.csv there. Otherwise, in the Enter name of
file to save to... window, modify the file name as desired, navigate to your
preferred download location, and click Save.

Reviewing and editing incident details


On the Incident Detail page, you can view the basic information for an incident
including the source IP, source and destination organizations, classification,
category, and creation time. An Incident Trend graph shows you a count of incidents
with the same classification and category as this particular incident over 7, 14, or
30 days. The lower half of the page shows tabs containing an analyst assessment,
events, incident description, and related events, assets, incidents, and requests.
To edit incident details
1 In the Incident page, click the incident’s Incident ID link.
2 On the left side of the page are various details about the incident, and on the
right side is an incident trends chart. The chart shows trend lines for the
incident's key events over a selectable preset timeframe of 7, 14, or 30 days.
3 In the Incident Details page, click the gear icon located on the right side of
the Incident Details area title bar, and then click Edit to:
■ change incident severity
■ change assignment
■ change status
■ add a comment
■ add a reference number, if you prefer
■ complete custom fields (See “Managing custom fields” on page 81.)
4 When you are finished editing, click Save.

Note: You can change the incident severity, but be aware that the quickly evolving
threat environment can require the SOC to override your setting with a different
severity, if necessary.

To view DeepSight Intelligence information for an IP address
1 In the Incident Detail page, click the search icon next to the IP address.
2 In the resulting Search window, review the reputation, activity, and location
information from the MSS portal for that IP address.
3 Click OK to close the window.

Note: This feature is only available to combined MSS/DeepSight Intelligence
licensees.


To request SOC help for an incident
1 In the Incident Details page, click the gear icon located on the right side of
the Incident Details area title bar, and then click Request SOC Help.
2 In the Requests page, complete the form as needed and click Submit.
To view incident severity rules for an incident
1 In the Incident Details page, click the gear icon located on the right side of
the Incident Details area title bar, and then click View Incident Severity
Rules.
2 In the Severity Rules grid, review the displayed entries, and then click Create
New Rule if you want to define a custom severity rule for similar incidents.
Otherwise, click Cancel.
3 Continue creating your custom incident severity rule. See “Managing custom
severity rules” on page 82.
To view the incident assessment
◆ In the Incident Details page, scroll down to the Assessment tab. It is the top
tab displayed by default and shows the Key Events, Description, and Analyst
Assessment for the incident.
Key Events are the most important events for this incident, as chosen by our
Analysts, and the first that you should examine when evaluating the incident.
Other related events are displayed below the Key Events on this tab and can
be viewed by clicking the See More link or by clicking the Events tab and
expanding the Other Events grid.
To view non-correlated incident events
1 In the Incident Details page for a non-correlated incident, click the Events
tab.
2 In the Key Events grid, expand the + sign to the left of the Event Name to
view any related assets (or related hosts if Managed Endpoint Protection data
is present), click the Source IP link for details for the listed IP address, click
the Source link for details on the source organization(s), or Destination link
for details on the destination organization(s).
If an event’s source or destination displays as Multiple, click the drop-down
list arrow next to that word to view the associated organizations.
3 Expand the Other Events grid by clicking Show More at the right of the title
bar. This grid contains the same types of information as the Key Events grid,
but for events deemed less important for incident evaluation.
4 Click the numbered link in the Logs column to display a separate browser
window with the associated logs. See “Viewing logs” on page 110.
To view correlated incident events
1 In the Incidents grid, locate a correlated incident. Such incidents are marked
with the following icon:

2 In the Incident Details page, click the Events tab.


3 In the Key Events grid, select how you want to view the grid: as a Group or
a List. This option is not available if there are no grouped events.
4 Optionally, if Group view is available, click the + sign to the left of the Event
Name to expand the Correlated Events grid, then click the numbered link in
the Logs column to display a separate browser window with the associated
logs. See “Viewing logs” on page 110.
5 In the Key Events grid, locate an event to investigate, and click the File Info
button for the malicious file overlay. See “About incident correlation” on page 68.
6 Click the links available in the overlay for more information.
7 In the File Info overlay, you can click Export PDF to create and download a
Portable Document Format file containing more malware file information.
8 Click OK.
To view an incident’s true source IP address resolution
1 In the Incidents grid, click the incident you want to investigate.
2 In the Incident Details page, note the icon to the right of the IP address. See
“Unmasking true source IP addresses” on page 69.
3 In the Incident Details page, click the Events tab.
4 In the Key Events grid, select how you want to view the grid: as a Group or
a List. This option is not available if there are no grouped events.
5 In the Key Events grid, locate an event to investigate, and click the Info button
for the true source overlay.
6 Click the links available in the overlay for more information.
7 Click OK.
To construct a log query from incident details
1 In the Incident Details page, click the Events tab.
2 Click Construct Log Query.
3 In the Construct Log Query window, ensure that the Source IP and Device
Name entries are correct.
4 Click a Time Period for the report to cover or click Custom and use the
calendar widget to set a custom date range.
5 Click Run Query.
To view related assets
1 In the Incident Details page, click the Assets tab.
2 In the Assets tab, click the Asset Name to view details about the asset or click
the Primary IP to view IP address details.
To view related devices
1 In the Incident Details page, click the Devices tab.
2 In the Devices grid, click the Search Code to view device details.
You can see only those devices to which you have access.
To review and add incident comments
1 In the Incident Details page, click the Comments tab.
2 In the Comments tab, read the recent comment or add your own by clicking
Add Comment.
3 When you are finished typing your comment, click Submit.
To view incident activity log
◆ In the Incident Details page, click the Activity Log tab.
To view incident attachments
1 In the Incident Details page, click the Attachments tab.
2 In the Attachments tab, click the name of the file you want to download.
To view related incidents
1 In the Incident Details page, click the Related Incidents tab.
2 In the Related Incidents grid, click the Incident ID to view details for the
related incident.
To view related requests
1 In the Incident Details page, click the Related Requests tab.
2 In the Related Request grid, click the Request ID to view details for the related
request.

Reviewing IP address details


You can access IP address details from either the main Incidents page or an Incident
Detail page.
To view IP address details from the Incidents grid
◆ In the Incidents grid, click Source IP(s), if the link is available.
To view IP address details in the Incident Detail page
1 In the Incident Detail page, click Source IP(s), if the link is available.
2 In the Events tab, locate the event you want to investigate and click its Source
IP.
To view registered networks
◆ In the IP Address Detail page, click the Registered Networks tab.
To view related incidents
◆ In the IP Address Detail page, click the Related Incidents tab.
To view attacks by source IP
◆ In the IP Address Detail page, click the Attacks by Source IP Address tab.
To view vulnerability scan information
◆ In the IP Address Detail page, click the Vulnerability Scan Information tab.
To view related assets
◆ In the IP Address Detail page, click the Related Assets tab.

Configuring certain incident-related features


The portal lets administrators manage certain features related to your organization's
incidents.
These features are:
■ Authorized Scan: This feature lets you designate IP addresses or a range of
addresses, depending on your organization's implementation, as authorized
sources of network security scans.
■ Registered Networks: Also known as netblocks, customer self-service of this
information should greatly speed security monitoring of organizational topology
changes.
■ Custom Fields: This feature lets you add your own data fields to incident details.
■ Custom Severity Rules: This feature lets you customize incident severity rules
to fit your organization's environment.

Managing authorized scanners


Administrators can manage their organization's authorized scanners directly in the
portal.
To add an authorized scanner
1 In the Incidents tab, click Settings. The Authorized Scan feature is displayed
by default.
2 Do one of the following:
■ For IPv4 or IPv6 addresses, type an IP address in the Start IP Address
field. If you need to input a range of addresses, type the end of the range
in the End IP Address field.
■ If you are using CIDR notation, type the IP address range in the CIDR
Notation field.
3 Select a start and end date for this authorization or check the Always
Authorized check box.
4 Type a scanner description.
5 Click Add.
To edit an authorized scanner
1 In the Authorized Scan grid, locate the scanner you want to edit and click the
Edit button on the right.
2 In the Update Authorized Scan area above the grid, modify the auto-populated
fields as needed.
3 Click Save.
To delete an authorized scanner
1 In the Authorized Scan grid, locate the scanner you want to remove and click
the Delete button on the right.
2 In the confirmation prompt, click OK.

Managing registered networks


Administrators can manage their organization's registered networks in the portal.
Registered networks are the IP address ranges that your organization owns and
that you want the SOC to monitor or manage. This feature supports both IPv4 and
IPv6.
To add a registered network
1 In the Incidents tab, click Settings.
2 Click Registered Networks on the left.
3 Do one of the following:
■ For IPv4 or IPv6 addresses, type an IP address in the Start IP Address
field. If you are adding a range of addresses, type the end of the range in
the End IP Address field.
■ If you are using CIDR notation, type the IP address range in the CIDR
Notation field.

4 Type a name for this netblock.
5 Select the network type.
The options are:
■ Internal is the designation for your networks that are not publicly routable.
These can be private ranges designated by the Internet Assigned Numbers
Authority (IANA) (for example, 10.0.0.0/8, 172.16.0.0/12, and
192.168.0.0/16) or another range that you use only internally.
■ External is the designation for your networks that are publicly routable.
■ DMZ is the designation for your networks that reside in your DMZ.
■ Unknown is for your networks that do not fit the other types.

Note: The Type designation here is for your reference only and does not in any
way affect or change the analysis done against your networks.

6 Click Add.
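The following Python script is an added example, not part of this guide or of the portal, for checking the values you are about to type into the Authorized Scan and Registered Networks forms described above. It converts a Start/End IP Address pair into CIDR blocks and back, rejects a reversed or mixed-family range and a CIDR whose host bits are set, reports whether a block falls inside the IANA private space listed above (the IPv6 unique-local range fc00::/7 is added here as an assumed analogue, not something the guide states), and tells you which registered netblock, if any, contains a scanner address before you authorize it. The netblock names and ranges are constructed samples.

```python
# Added example (not the portal's own code): sanity-check netblock and
# authorized-scanner entries before submitting them in the portal.
# All sample ranges and names below are constructed for illustration.
import ipaddress

# The IANA private IPv4 ranges the guide lists for the "Internal" type, plus
# IPv6 unique local addresses (fc00::/7) as the assumed IPv6 analogue.
PRIVATE_SPACE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


def range_to_cidrs(start: str, end: str) -> list[str]:
    """Convert a Start/End IP Address pair into the minimal list of CIDR blocks.

    Rejects mixed IPv4/IPv6 pairs and reversed ranges instead of silently
    accepting them, which is the check you want before a form submission.
    """
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first.version != last.version:
        raise ValueError(f"mixed address families: {start} / {end}")
    if first > last:
        raise ValueError(f"start {start} is after end {end}")
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def cidr_to_range(cidr: str) -> tuple[str, str]:
    """Expand a CIDR block into the Start/End pair the other input mode uses.

    strict=True (the default) makes "10.1.2.3/24" a ValueError rather than
    quietly masking it to 10.1.2.0/24, so a mistyped prefix is caught.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net[0]), str(net[-1])


def in_private_space(cidr: str) -> bool:
    """True if the whole block lies inside the private ranges above.

    Such a block should normally be registered with type Internal; a block
    that is not here is not automatically External (it may be DMZ or Unknown).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_SPACE)


def covering_netblock(ip: str, netblocks: dict[str, str]):
    """Return the name of the registered netblock that contains ip, or None.

    Use it before authorizing a scanner: a scanner source that falls outside
    every registered netblock is an external party scanning you.
    """
    addr = ipaddress.ip_address(ip)
    for name, cidr in netblocks.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if addr.version == net.version and addr in net:
            return name
    return None


# Constructed sample of what an organization might have registered.
REGISTERED = {
    "corp-lan": "10.0.0.0/8",
    "branch-vpn": "172.16.40.0/22",
    "dmz-v6": "2001:db8:1::/48",
}

if __name__ == "__main__":
    print(range_to_cidrs("10.0.0.0", "10.0.0.5"))        # ['10.0.0.0/30', '10.0.0.4/31']
    print(cidr_to_range("2001:db8::/126"))               # ('2001:db8::', '2001:db8::3')
    print(in_private_space("172.32.0.0/16"))             # False: just outside 172.16.0.0/12
    print(covering_netblock("172.16.41.7", REGISTERED))  # branch-vpn
```

Run it with the Start/End or CIDR values you intend to enter; a ValueError from cidr_to_range or range_to_cidrs means the entry would describe a different range than you meant.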
To edit a registered network
1 In the Registered Networks grid, locate the netblock you want to edit and
click the Edit button on the right.
2 In the data entry area above the grid, modify the auto-populated fields as
needed.
3 Click Save.
To delete a registered network
1 In the Registered Networks grid, locate the netblock you want to remove and
click the Delete button on the right.
2 In the confirmation prompt, click OK.

Managing custom fields


Administrators can manage custom data entry fields for their organization's incidents.
To create a custom field
1 In the Incidents tab, click Settings.
2 Click Custom Fields on the left.
3 In the Custom Fields page, type a name for the field you are creating.
4 Select the field type.
The options are:
■ List lets you create a selection list.
■ Field lets you create a text field.
■ Date lets you create a date field.
5 If you chose List, type the values (at least two are required) that you want to
populate the selection list. Click the + (plus) icon to add another Values field.
6 Optionally, type the field's description.
7 Click Add.
8 In the confirmation prompt, click OK.
To edit a custom field
1 In the Custom Fields grid, locate the custom field you want to edit and click
the Edit button on the right.
2 In the data entry area above the grid, modify the auto-populated fields as
needed.
3 Click Save.
To delete a custom field
1 In the Custom Fields grid, locate the custom field you want to remove and
click the Delete button on the right.
2 In the confirmation prompt, click OK.

Managing custom severity rules


Administrators can create and modify custom severity rules for their organization's
incidents.
To create a custom severity rule
1 In the Incidents tab, click Settings.
2 Click Custom Severity Rules on the left.
3 In the Custom Severity Rules page, select a criterion and an associated value
that corresponds to incidents requiring a custom severity rule. Use only those
criteria that you need; you are not required to use all of them for every rule.
The criteria and their associated values are:
■ Classification lets you choose one or more classifications (for example,
Botnet Infection or Backdoor Trojan Infection). You may define only one
Classification row per rule.
■ Default Severity lets you select the default severity of the incidents that
you want affected by this custom rule (for example, all incidents with a
severity level of Warning). This criterion is best paired with at least one
other criterion to narrow the scope of affected incidents. The options are
Emergency, Critical, Warning, or Informational. You may define only one
Default Severity row per rule.
■ Asset Criticality lets you specify an asset criticality level for your rule (for
example, all assets that your organization has identified as Critical). The
options are Critical, High, Medium, and Low. You may define only one Asset
Criticality row per rule.
■ Asset Group lets you narrow the rule to affect only those incidents that
impact a specific asset group. If your organization does not use the asset
grouping feature, this criterion will not appear. You may select multiple
Asset Groups per rule.

4 Click the green + icon as needed to add more criteria. When a rule has two
or more rows, a red X icon appears to the right of every row. Click this icon
to delete the row.
5 Click the Rule Name field and type a name for this severity rule.
6 Optionally, click the Description field and type a short description for the rule.
If you use this field, the text appears as a tooltip when you hover your pointer
over an information icon next to the rule name in the custom rule grid.
7 Click Custom Severity Level and choose the severity level for the affected
incidents. The options are Emergency, Critical, Warning, or Informational.
8 If your custom severity is Critical or Emergency, click the Receive Escalation
Call selection box if you want the SOC to call your organization's escalation
contact when an incident triggers this rule.
9 Click Save.
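The following Python model is an added example, not the portal's own rule engine, for reasoning about how rules built from the criteria above interact before you save them, and for catching a rule the portal would reject. The matching semantics are assumptions the guide does not spell out: every criterion row on a rule must match (AND across rows), a multi-value row such as Classification matches if any listed value matches (OR within the row), and when several rules match one incident the most severe custom level wins. The rules, classifications beyond the two named on this page, and incidents are constructed samples.

```python
# Added example (not the portal's logic): model custom severity rules to see
# how they combine and to validate a rule before entering it.
# Assumed semantics: AND across a rule's criterion rows, OR within a
# multi-value row, most severe matching rule wins.
SEVERITIES = ("Informational", "Warning", "Critical", "Emergency")  # least to most severe
CRITICALITIES = ("Low", "Medium", "High", "Critical")
ESCALATION_LEVELS = ("Critical", "Emergency")  # the guide offers the call only here
CRITERIA = ("classifications", "default_severity", "asset_criticality", "asset_groups")


def validate_rule(rule: dict, existing_names=()) -> list[str]:
    """Return the problems that would stop this rule from being saved."""
    errors = []
    if not rule.get("name"):
        errors.append("Rule Name is required")
    elif rule["name"] in existing_names:
        errors.append(f"Rule Name {rule['name']!r} is already in use")
    if rule.get("custom_severity") not in SEVERITIES:
        errors.append("Custom Severity Level must be one of " + ", ".join(SEVERITIES))
    if rule.get("escalation_call") and rule.get("custom_severity") not in ESCALATION_LEVELS:
        errors.append("Receive Escalation Call is only available for Critical or Emergency")
    if rule.get("default_severity") not in (None, *SEVERITIES):
        errors.append("Default Severity is not a valid level")
    if rule.get("asset_criticality") not in (None, *CRITICALITIES):
        errors.append("Asset Criticality is not a valid level")
    if not any(rule.get(k) for k in CRITERIA):
        errors.append("at least one criterion row is required")
    return errors


def rule_matches(rule: dict, incident: dict) -> bool:
    """AND across the rule's criterion rows; OR inside a multi-value row."""
    if rule.get("classifications") and incident["classification"] not in rule["classifications"]:
        return False
    if rule.get("default_severity") and incident["default_severity"] != rule["default_severity"]:
        return False
    if rule.get("asset_criticality") and incident["asset_criticality"] != rule["asset_criticality"]:
        return False
    if rule.get("asset_groups") and not set(rule["asset_groups"]) & set(incident["asset_groups"]):
        return False
    return True


def effective_severity(rules: list[dict], incident: dict) -> tuple[str, bool, list[str]]:
    """Return (severity, escalation_call, names of matching rules).

    With no match the SOC's default severity stands and no call is requested.
    """
    hits = [r for r in rules if rule_matches(r, incident)]
    if not hits:
        return incident["default_severity"], False, []
    top = max(hits, key=lambda r: SEVERITIES.index(r["custom_severity"]))
    return top["custom_severity"], bool(top.get("escalation_call")), [r["name"] for r in hits]


# Constructed sample rules: one raises severity on critical assets, one lowers
# routine Warnings from a lab asset group.
RULES = [
    {"name": "Botnet on critical assets", "classifications": ["Botnet Infection"],
     "asset_criticality": "Critical", "custom_severity": "Emergency", "escalation_call": True},
    {"name": "Quiet lab warnings", "default_severity": "Warning", "asset_groups": ["lab"],
     "custom_severity": "Informational", "escalation_call": False},
]

# Constructed sample incidents, shaped after the fields the criteria refer to.
INCIDENTS = {
    "botnet-prod": {"classification": "Botnet Infection", "default_severity": "Critical",
                    "asset_criticality": "Critical", "asset_groups": ["prod-web"]},
    "trojan-lab": {"classification": "Backdoor Trojan Infection", "default_severity": "Warning",
                   "asset_criticality": "Low", "asset_groups": ["lab"]},
    "trojan-prod": {"classification": "Backdoor Trojan Infection", "default_severity": "Warning",
                    "asset_criticality": "High", "asset_groups": ["prod-web"]},
}

if __name__ == "__main__":
    for label, inc in INCIDENTS.items():
        print(label, effective_severity(RULES, inc))
```

Before creating a rule that lowers severity, run your real incident mix through a model like this: a broad Default Severity row with no second criterion quietly downgrades every incident at that level, which is why the guide advises pairing it with another criterion.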
To edit a custom severity rule
1 In the Custom Severity Rules grid, click the Edit icon (shaped like a pencil)
at the far right side of the row you want to edit.
2 After the selected row populates the data fields above the grid, modify the rule
criteria as needed, following the instructions provided in the previous procedure.
3 Click the green + icon as needed to add more criteria. When a rule has two
or more rows, a red X icon appears to the right of every row. Click this icon
to delete the row.
4 If needed, click the Rule Name field and modify the rule's name.
5 If needed, click the Description field and modify the rule's description.
6 Click Custom Severity Level and modify it as needed. The options are
Emergency, Critical, Warning, or Informational.
7 If your custom severity is Critical or Emergency, review your choice for the
Receive Escalation Call selection box and select or deselect the box, as
needed.
8 Click Save.
To copy a custom severity rule
1 In the Custom Severity Rules grid, click the Copy icon (shaped like
overlapping squares) at the far right side of the row you want to copy.
2 After the selected row populates the data fields above the grid, modify the rule
criteria as needed, following the instructions provided in the previous procedure.
3 Click the green + icon as needed to add more criteria. When a rule has two
or more rows, a red X icon appears to the right of every row. Click this icon
to delete the row.
4 Click the Rule Name field and modify the rule's name. Rule names must be
unique.
5 If needed, click the Description field and modify the rule's description.
6 Click Custom Severity Level and modify it as needed. The options are
Emergency, Critical, Warning, or Informational.
7 If your custom severity is Critical or Emergency, click the Receive Escalation
Call selection box if you want the SOC to call your organization's escalation
contact when an incident triggers this rule.
8 Click Save.
To delete a custom severity rule
1 In the Custom Severity Rules grid, click the Delete icon (the black X) at the
far right side of the row you want to delete.
2 In the confirmation prompt, click Yes to confirm rule deletion.
To view the revision history for a custom severity rule
1 In the Custom Severity Rules grid, in the Creation Date column, click the
History icon next to the rule's date and time entry.
If a rule has not been modified since being created, there is no version history
to view and no History icon appears.
2 In the Incident Severity Rule Revision History window, review the available
entries.
3 Click Close.
Chapter 6
Managing requests
This chapter includes the following topics:

■ About requests

■ Creating a new request

■ Searching requests

■ Reviewing request details

■ Editing requests

■ Changing the grid display

■ Printing or exporting

About requests
The portal displays the following request types:
■ Alarm (AL): This is generated automatically, such as in the case of a device
outage.
■ Service Case (SC): This is opened by customers either through the portal’s
New Request link or by contacting the SOC. Service Cases include policy
changes.
The Requests page displays service cases and alarms for your organization. The
default view shows all active requests sorted by urgency.

Creating a new request


The Request Topics page, accessible through the New Request link in either the
upper right or lower left corner of the portal, lets you communicate with the SOC
by opening a service case on a specific topic.
To create a new request
1 In any portal page, click the New Request link in either the upper right or lower
left corner.
2 In the Requests topics page, click the link for the request you want to make.
3 Click the option button next to the appropriate priority level for the request.
4 If available, select the applicable organization.
5 Type detailed information regarding the request in the text boxes provided.
Note that the maximum length is about 3,000 characters.
6 In the request form, type a reference number, if applicable.
7 Under Attachment(s), click Browse next to the File to upload text box, and
locate the file you want to upload.
The maximum number of files that you can attach to a request during an update
session is five, and each file can be no larger than 10 MB.
8 When you have located the file to upload, click Open.
The file is scanned for viruses before being attached to the request.
9 Under Comment, type an optional comment.
10 Click Submit.

Searching requests
The portal provides a requests search feature. You can search for requests by
typing in the Search field either an exact Request ID, or part of a request reference
number, contact name, request description, or activity log text. If the search returns
one result, the portal displays the result in a Request Detail page. If the search
returns more than one result, the results are displayed in a grid.
When searching the request reference number, contact name, request
description, or activity log text fields, the portal compares the search text with
possible results using SQL's LIKE operator, so the text is treated as a pattern
rather than as a literal string. LIKE provides the following wildcard characters;
the bracket forms ([] and [^]) are a Transact-SQL (SQL Server) extension rather
than standard SQL.

Table 6-1 Search field wildcard characters

■ % (percent): Any string of zero or more characters. Example: searching on
‘%computer%’ finds requests with the word ‘computer’ in the searchable fields.
■ _ (underscore): Any single character. Example: searching on ‘_ean’ finds
requests with four-letter words that end with ‘ean’ (mean, Dean, Sean, and
so on).
■ [] (brackets): Any single character within the specified range ([a-f]) or set
([abcdef]). Example: searching on ‘[C-P]arsen’ finds requests with words
ending with ‘arsen’ and starting with any single character between C and P;
for example, Carsen, Larsen, Karsen, and so on.
■ [^] (brackets with caret): Any single character not within the specified range
([^a-f]) or set ([^abcdef]). Example: searching on ‘de[^l]%’ finds requests with
words starting with ‘de’ and where the following letter is not ‘l’.

When you need to search for text that includes characters normally considered
wildcards, use the backslash ‘\’ escape character just before the wildcard. For
example, to search for ‘60%’ where % is not a wildcard, type ‘60\%’ in the text
search box. Similarly, to search for ‘60\’, type ‘60\\’. The escape character only
applies to the wildcard characters and the escape character itself.
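The following Python script is an added example and not the portal's implementation: it translates the LIKE pattern syntax documented above into a regular expression and applies it to constructed sample requests, so you can see how a search term will behave, including the escape rule, before you type it. Two assumptions are made that the guide does not state: matching is case-insensitive, as under a typical SQL Server collation, and a pattern must cover the whole field value, as LIKE does unless you add % yourself.

```python
# Added example (not the portal's own code): model the documented LIKE-based
# request search. Assumes case-insensitive, whole-field matching.
import re

ESCAPE = "\\"          # the backslash escape the guide documents
WILDCARDS = "%_["      # characters that must be escaped to be taken literally
SEARCHABLE = ("reference", "contact", "description", "activity_log")


def like_to_regex(pattern: str) -> re.Pattern:
    """Translate a LIKE pattern, including T-SQL [set] and [^set] classes, to a regex."""
    parts = []
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == ESCAPE and i + 1 < n and pattern[i + 1] in WILDCARDS + ESCAPE:
            parts.append(re.escape(pattern[i + 1]))      # escaped wildcard -> literal
            i += 2
        elif ch == "%":
            parts.append(".*")                            # zero or more characters
            i += 1
        elif ch == "_":
            parts.append(".")                             # exactly one character
            i += 1
        elif ch == "[":
            close = pattern.find("]", i + 1)
            body = pattern[i + 1:close] if close != -1 else ""
            negate = body.startswith("^")
            members = body[1:] if negate else body
            if not members:
                parts.append(re.escape(ch))               # no usable class: literal '['
                i += 1
                continue
            # keep '-' so ranges like C-P survive; escape everything else
            cls = "".join(c if c == "-" else re.escape(c) for c in members)
            parts.append("[" + ("^" if negate else "") + cls + "]")
            i = close + 1
        else:
            parts.append(re.escape(ch))                   # ordinary literal
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def search_requests(records: list[dict], text: str) -> list[str]:
    """Return matching Request IDs: an exact ID hit wins, else LIKE over four fields."""
    exact = [r["id"] for r in records if r["id"] == text]
    if exact:
        return exact
    rx = like_to_regex(text)
    return [r["id"] for r in records if any(rx.match(r[f]) for f in SEARCHABLE)]


# Constructed sample requests; IDs, names and references are invented.
REQUESTS = [
    {"id": "SC-1001", "reference": "CHG-60%", "contact": "Sean",
     "description": "Replace desktop computer for finance", "activity_log": "opened by portal user"},
    {"id": "SC-1002", "reference": "CHG-600", "contact": "Larsen",
     "description": "Delete stale firewall rule", "activity_log": "assigned to SOC"},
    {"id": "SC-1003", "reference": "CHG-77", "contact": "Jean-Luc",
     "description": "Design review for DMZ segmentation", "activity_log": "waiting on customer"},
]

if __name__ == "__main__":
    for term in ("SC-1003", "%computer%", "_ean", "[C-P]arsen", "de[^l]%", "%60%", "%60\\%%"):
        print(f"{term!r:14} -> {search_requests(REQUESTS, term)}")
```

The last two terms show why the escape matters: ‘%60%’ also pulls in reference CHG-600, while ‘%60\%%’ matches only the record whose reference actually contains the characters 60%.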
To search for a request
1 At the top of any Requests page, click inside the Search field.
2 Type one of the following:
■ A complete request ID number
■ Complete or partial request reference number
■ Complete or partial contact name
■ Partial request description
■ Partial activity log

3 Click Search.
■ If the search returns one result, the portal displays the result in a Request
Detail page.
■ If the search returns more than one result, they are displayed in a grid. Click
the Request ID link to see the Request Detail page.
■ If the search returns no results, the portal displays a blank Request Detail
page with the message “Requested data cannot be found.” and the search
text you entered displayed at the page’s subtitle line.

Reviewing request details


On the Request Details page, you can view the basic information of a particular
request and selectively view the request description and activity, associated assets,
comments, and related requests and incidents.
To review request details
1 In the portal, click the Requests tab.
2 In the Requests grid, click a request link to go to the Request Detail page.
To review request input
1 In the Request Details page, click the Request Input tab.
2 In the Request Input tab, read the Description and Request Input areas.
To view related assets
1 In the Request Details page, click the Assets tab.
2 In the Assets grid, click the active links to view asset details.
To review and add request comments
1 In the Request Details page, click the Comments tab.
2 In the Comments tab, read the recent comment or add your own by clicking
Add Comment.
3 When you are finished typing your comment, click Submit.
To view request activity log
◆ In the Request Details page, click the Activity Log tab.
To view request attachments
1 In the Request Details page, click the Attachments tab.
2 In the Attachments tab, click the name of the file you want to download.
See “Editing requests” on page 89.
To view related incidents
1 In the Request Details page, click the Related Incidents tab.
2 In the Related Incidents grid, click the Incident ID to view details for the
related incident.
To view related requests
1 In the Request Details page, click the Related Requests tab.
2 In the Related Requests grid, click the Request ID to view details for the
related request.

Editing requests
You can update a request’s activity, upload files to be attached to a request, and
change the organization to which it is assigned.

Note: You will only be able to reassign a request to another organization to which
you have access.

To edit a request
1 In the Request Detail page, click the Edit icon.
2 Modify the editable fields as you prefer.
3 In the Edit Request page, click the Assigned to drop-down list and select
the organization to which the request should be assigned.
4 In the Edit Request page, type the reference number in the Reference # text
box.
5 When you are finished editing, click Submit.
To attach a file to the request
1 In the Request Details page, click the Attachments tab.
2 In the Attachments tab, click Browse next to the File to upload text box, and
locate the file you want to upload.
The maximum number of files that you can attach to a request during an update
session is five, and each file can be no larger than 10 MB.
3 When you have located the file to upload, click Open.
The file is scanned for viruses before being attached to the request.
4 Under Comment, type an optional comment.
5 Click Upload.

Changing the grid display


Data can be filtered to refine what appears in the grid. You can filter the grid to
display different combinations of data by using the filters on the left side bar. When
you are satisfied with your selection, you can name and save the filter set for future
use.
Available filters appear on the left side of the page. The number of items matching
the filter appears next to the filter link. When you apply a filter to the grid, the selected
filter item is removed from the set and displayed at the top of the page as a filter
selection, and the available filter sets change based on the remaining data.
Additionally, the grid can be customized to show more or fewer columns, and the
data can be sorted by any of the displayed columns.
To change the grid timeframe using a preset
1 In the Timeframe area of the left side bar, click your preferred timeframe preset.
2 Click the (undo) link next to the selected timeframe at the top of the left side
bar to return to the default timeframe.
To change the grid timeframe by picking a date range
1 In the Timeframe area of the left side bar, click the Pick Date Range link.
2 Click in the Start date field and type a date, or click the calendar widget on
the right end of the field and navigate to your preferred start date.
3 Click in the End date field and type a date, or click the calendar widget on the
right end of the field and navigate to your preferred end date.
4 Click Apply.
To filter the grid
1 In the left side bar, click one or more entries under the available filter sets to
narrow the focus of the grid data. You can select multiple items within a filter
set. Once you have selected all the items in one category that you want to
view, and move to another filter set, you cannot go back to the previous set to
select again unless those previous selections are undone.
2 Click Show All at the bottom of the filter set to see all of the filters available
for that set. Show All only appears if there are more than five filters within a
set.
3 Click Show Less at the bottom of the filter set to display only the top five filters.
4 At the top of the left side bar, click the (undo) link next to a filter selection you
want to remove, or click Undo All to remove all of the filter selections.
To save your filter for later use
1 When you have made all of your preferred filter selections, click the Save button
in the left side bar in the Saved Filters area.
2 In the Save Filter window, type a name for your filter.
3 Click Save.
4 Click the Select Filter list to access your saved filter.
To sort the grid
1 Click any displayed column heading to sort the grid by that column in ascending
order.
2 Click the column heading again to sort the grid by that column in descending
order.
To customize the grid columns
1 In the upper right side of the grid, click Customize Columns.
2 In the Customize Columns window, click an entry in the Columns Displayed
area in the left pane, then click the arrow pointing rightward, to remove the
column from the grid view. You can add columns by clicking an entry in the
Columns Available area in the right pane, then clicking the arrow pointing
leftward.
3 Change the column display order by selecting entries in the left pane and
clicking the Up and Down buttons until you have your preferred order.
4 You can set the grid sort order as well by clicking the Sort Order selection list
and clicking your preferred sort column.
5 Click the Set as Default View check box if you want this customized view to
be your default view for this grid.
6 When you have finished customizing the grid, click Apply Updates.
To toggle the filter bar
1 At the top of the left side bar, click the leftward-facing arrow to hide the filter
bar.
2 At the top left of the grid, click the rightward-facing arrow to view the filter bar.

Printing or exporting
The portal lets you generate printer-friendly views of most of the interface's pages
and export data from many of the grids. If a Print or Export icon appears on the
right side above a grid or report, that function is available for that item. Note
that the Intelligence tab content does not support the Print/Export feature.

Note: If you want to include your brand header on your printouts, you must enable
the option to print background images and colors in your web browser. In Internet
Explorer, click Tools > Internet Options, click the Advanced tab, scroll to the
Printing section, and check the Print background colors and images box. In
Firefox, click File > Page Setup, and check the Print Background (colors &
images) box.

The Export function captures grid data, including hidden columns, and converts it
to comma-separated values (.csv) format for viewing and manipulation in the
compatible application of your choosing. For incident grids, the portal exports 180
days of data; for request and asset grids, all data is exported.
To print a report or grid
1 Customize the report or grid you intend to print. The output will contain only
those columns that are displayed in the grid.
2 Click the Print link located on the right side above the report or grid.
3 Print the view using your browser's print function.
To export grid data
1 Click the Export icon located on the right side above the grid.
2 In the Opening ReportData.csv window, click Save to Disk.
3 Click OK.
4 If your browser is configured to automatically route downloads to a specific
location, you will find ReportData.csv there. Otherwise, in the Enter name of
file to save to... window, modify the file name as desired, navigate to your
preferred download location, and click Save.
Chapter 7
Managing devices
This chapter includes the following topics:

■ About devices

■ Searching for devices

■ Changing the grid display

■ Printing or exporting

■ Reviewing device details

About devices
The Devices page displays the devices Symantec manages and monitors for you.
You can browse for results using the faceted filters or look up a device in the Search
field.

Searching for devices


The Devices grid shows the devices for your organization.
To search for a device
1 At the top of the Devices page, click inside the Search field.
2 Type a device name or search code.
3 Click Search.

Changing the grid display


Data can be filtered to refine what appears in the grid. You can filter the grid to
display different combinations of data by using the filters on the left side bar. When
you are satisfied with your selection, you can name and save the filter set for future
use.
Available filters appear on the left side of the page. The number of items matching
the filter appears next to the filter link. When you apply a filter to the grid, the selected
filter item is removed from the set and displayed at the top of the page as a filter
selection, and the available filter sets change based on the remaining data.
Additionally, the grid can be customized to show more or fewer columns, and the
data can be sorted by any of the displayed columns.
To change the grid timeframe using a preset
1 In the Last Logs Received area of the left side bar, click your preferred
timeframe preset.
2 Click the (undo) link next to the selected timeframe at the top of the left side
bar to return to the default timeframe.
To change the grid timeframe by picking a date range
1 In the Last Logs Received area of the left side bar, click the Pick Date Range
link.
2 Click in the Start date field and type a date, or click the calendar widget on
the right end of the field and navigate to your preferred start date.
3 Click in the End date field and type a date, or click the calendar widget on the
right end of the field and navigate to your preferred end date.
4 Click Apply.
To filter the grid
1 In the left side bar, click one or more entries under the available filter sets to
narrow the focus of the grid data. You can select multiple items within a filter
set. Once you have selected all the items in one category that you want to
view, and move to another filter set, you cannot go back to the previous set to
select again unless those previous selections are undone.
2 Click Show All at the bottom of the filter set to see all of the filters available
for that set. Show All only appears if there are more than five filters within a
set.
3 Click Show Less at the bottom of the filter set to display only the top five filters.
4 At the top of the left side bar, click the (undo) link next to a filter selection you
want to remove, or click Undo All to remove all of the filter selections.

To save your filter for later use


1 When you have made all of your preferred filter selections, click the Save button
in the left side bar in the Saved Filters area.
2 In the Save Filter window, type a name for your filter.
3 Click Save.
4 Click the Select Filter list to access your saved filter.
To sort the grid
1 Click any displayed column heading to sort the grid by that column in ascending
order.
2 Click the column heading again to sort the grid by that column in descending
order.
To customize the grid columns
1 In the upper right side of the grid, click Customize Columns.
2 In the Customize Columns window, click an entry in the Columns Displayed
area in the left pane, then click the arrow pointing rightward, to remove the
column from the grid view. You can add columns by clicking an entry in the
Columns Available area in the right pane, then clicking the arrow pointing
leftward.
3 Change the column display order by selecting entries in the left pane and
clicking the Up and Down buttons until you have your preferred order.
4 You can set the grid sort order as well by clicking the Sort Order selection list
and clicking your preferred sort column.
5 Click the Set as Default View check box if you want this customized view to
be your default view for this grid.
6 When you have finished customizing the grid, click Apply Updates.
To toggle the filter bar
1 At the top of the left side bar, click the leftward-facing arrow to hide the filter
bar.
2 At the top left of the grid, click the rightward-facing arrow to view the filter bar.

Printing or exporting
The portal lets you generate printer-friendly views of most of the interface's pages
and export data from many of the grids. If a Print or Export icon appears on the
right side above a grid or report, that function is available for that item. Note
that the Intelligence tab content does not support the Print/Export feature.

Note: If you want to include your brand header on your printouts, you must enable
the option to print background images and colors in your web browser. In Internet
Explorer, click Tools > Internet Options, click the Advanced tab, scroll to the
Printing section, and check the Print background colors and images box. In
Firefox, click File > Page Setup, and check the Print Background (colors &
images) box.

The Export function captures grid data, including hidden columns, and converts it
to comma-separated values (.csv) format for viewing and manipulation in the
compatible application of your choosing. For incident grids, the portal exports 180
days of data; for request and asset grids, all data is exported.
To print a report or grid
1 Customize the report or grid you intend to print. The output will contain only
those columns that are displayed in the grid.
2 Click the Print link located on the right side above the report or grid.
3 Print the view using your browser's print function.
To export grid data
1 Click the Export icon located on the right side above the grid.
2 In the Opening ReportData.csv window, click Save to Disk.
3 Click OK.
4 If your browser is configured to automatically route downloads to a specific
location, you will find ReportData.csv there. Otherwise, in the Enter name of
file to save to... window, modify the file name as desired, navigate to your
preferred download location, and click Save.

Reviewing device details


You can view the details of a device from the Devices page. The Device Detail page
provides information about a particular device and lets you view the device
description, related devices, related requests, related organizations, related
entitlements, change managers, and traffic reports. The ability to view detail items
depends on your access level or permissions.

To view device details


1 In the MSS portal, click the Devices tab.
2 In the Devices grid, click the Search Code to go to the Device Detail page
and review details of the selected device.
To view related devices
1 In the Device Detail page, click the Related Devices tab.
2 In the Related Devices grid, click the Search Code to go to the Device Detail
page and review details of the selected device.
To view related requests
1 In the Device Detail page, click the Related Requests tab.
2 In the Related Requests tab, click the Request ID to view the related request.
To view affected organizations
1 In the Device Detail page, click the Related Organizations tab.
2 In the Related Organizations grid, click the organization Name to view details
of the related organization.
To view related entitlements
◆ In the Device Detail page, click the Related Entitlements tab.
To view change managers
1 In the Device Detail page, click the Change Managers tab.
2 In the Change Managers grid, click the Last Name to view change manager
details.
To view the traffic report
1 In the Device Detail page, click the Traffic Report tab.
2 In the Traffic Report tab, click the timeframe you want to view for each chart.
Chapter 8
Managing assets
This chapter includes the following topics:

■ About assets

■ Registering an asset

■ Managing asset attributes

■ Importing assets

■ Uploading vulnerability scans

■ Grouping assets

■ Using the advanced search feature

■ Updating asset information

■ Deleting an asset

■ Changing the grid display

About assets
Assets are the workstations, servers, and other resources protected by your network
security infrastructure. Register assets via the MSS portal, using pre-defined
attributes or customizable tags, to enable richer impact assessment and assist in
security incident remediation.
The Assets page displays your registered assets filtered by organization and asset
value, along with a tag cloud to aid in narrowing the displayed assets.

Registering an asset
You can add an asset to the portal in several ways.
To register an asset
1 Perform one of the following actions:
■ Add an asset as part of an asset upload file. See “Importing assets”
on page 101.
■ Use the Vulnerability Scan feature to create new and modify existing assets
based on the scan content. See “Uploading vulnerability scans” on page 103.
■ In a Device Detail page, click the Add as Asset button. This automatically
populates several Asset Details fields. See “Reviewing device details”
on page 96.
■ In the main Assets page, click the Manage Assets selection list in the upper
right and select Create New Assets. Continue with the steps below.

2 Type an asset name. This is a required field.


3 Type a primary IP address. This is a required field. Other IP addresses can be
added later.
4 Select the organization that is responsible for the asset.
5 Select the asset's operating system.
6 Choose an asset value: Low, Medium, High, or Critical.
7 Type the asset's domain, host name, and MAC address.
8 Optionally, add more IP addresses, location information, compliance
designation, and one or more tags to help you find this and similar assets.
Under the Compliance tab, you can choose one of the following designations
for the asset: PCI, SOX, HIPAA, GLBA, or Contains Personally Identifiable
Information.
9 In the Summary area, select a system function, an existing asset group, and
type a description of the asset, if needed.
10 Click Submit.

Managing asset attributes


Asset Managers have options to customize their asset details, particularly the
selection list values for Operating System, Compliance Restrictions, and System
Functions.

Before editing the selection list values, it is very important to understand the
following:
■ You can change or delete the default values.
■ When you update or delete a value in one of the lists, that change is applied to
all assets.
■ Changes to these attributes are done at your organization level and cascade
down to your sub-organizations.
To add asset attribute values from the Assets grid
1 In the Assets grid, check one or more assets to receive the customized values.
2 At the upper right side of the grid, click the Manage Assets selection list, then
select Manage Asset Attributes.
3 In the Asset Attributes window, choose the list you want to customize.
The options are Operating System, Compliance Restrictions, and System
Functions.
4 In the Values area of the window, type a new attribute value and click Add
Value.
5 Click Save.
To add asset attribute values from Asset Details
1 In an Asset Details screen, click the Manage List link located next to the
selection list you want to edit.
The fields are Operating System, Compliance Restrictions, and System
Functions.
2 In the Values area of the Asset Attributes window, type a new attribute value
and click Add Value.
3 Click Save.
To edit asset attribute values
1 In the Values area of the Asset Attributes window, locate the value you want
to edit and click the Edit icon.
2 In the Values text box, modify the value as needed and click Add Value.
3 Click Save.

To delete asset attribute values


1 In the Values area of the Asset Attributes window, locate the value you want
to edit and click the Delete icon.
2 In the confirmation prompt, click OK.
3 Click Save.

Importing assets
The portal lets you import lists of assets. The contents of the file to be uploaded
must adhere to the following requirements and be in .csv (comma-separated value)
format.

Note: When entering a list of values for a column, use semicolon delimiters. Some
columns are restricted to a list of available options. The text must match exactly.

Table 8-1 Required fields

Field                    Notes and allowed values                                                Max. characters allowed
Asset Name                                                                                       200
Primary IP Address       IPv4 dotted quad or IPv6 format allowed                                 N/A
Host Name                                                                                        200

Table 8-2 Fields requiring a value; will auto-populate if no value provided

Field                    Notes and allowed values                                                Max. characters allowed
Organization             Defaults to the organization name of the user who uploaded the file     18
Asset Value              Low, Medium, High, Critical; defaults to Medium if no value provided    N/A

Table 8-3 Optional fields that can contain more than one value

Field                    Notes and allowed values                                                Max. characters allowed
Tags                                                                                             50
IP address               IPv4 dotted quad or IPv6 format allowed                                 N/A
System Function          Antivirus Server, Database Server, Domain Controller, Email Server,     N/A
                         File Server, Firewall, High-Value Workstation, IDS/IPS, Name Server,
                         Network Management Server, Proxy, Vulnerability Scanner, Web Server,
                         Workstation
Compliance Restrictions  GLBA, HIPAA, PCI, Contains Personally Identifiable Information,         N/A
                         Sarbanes-Oxley

Table 8-4 Optional fields that can contain only one value

Field                    Notes and allowed values                                                Max. characters allowed
Operating System         Linux, Mac OSX, Other Unix, Solaris, Windows, Windows Server 2003,      N/A
                         Windows 2008
Domain                                                                                           200
MAC Address                                                                                      200
Address 1                                                                                        200
Address 2                                                                                        200
City                                                                                             100
State/Province                                                                                   250
Postal Code                                                                                      25
GMT offset               Standard GMT offset without daylight savings time. Valid values are     6
                         0, +1 to +12, -1 to -12. See the URL in note 1 below. GMT offset
                         should be formatted as follows: [absolute GMT Offset]-[S|D] where S
                         refers to standard time and D refers to Daylight Savings time.
Country                  Use ISO 3166-1 alpha-2 codes. Use the list at the URL in note 2 below.  2
Description                                                                                      500
Ignore                   Use this column to mark assets to process or ignore. Leave blank for    1
                         the asset to be processed or use a hash mark (#) for the row to be
                         ignored during processing.

1. http://www.wwp.greenwichmeantime.com/info/timezone.htm
2. http://www.iso.org/iso/country_codes/iso_3166_code_lists/country_names_and_code_elements.htm

To import assets
1 First, be sure that the file you intend to upload is in the .csv format. Saving a
spreadsheet as .csv is the most common method of conversion. Once this is
done, proceed with the next step.
2 In the Assets page, click the Manage Assets selection list in the upper right and
select Import/Export Assets.
3 In the Import Assets window, note the check box labeled Delete assets not
contained in this import. Checking this box will overwrite all of your registered
assets and remove from the portal any assets that are not in the upload file.
4 If you want to see your asset import history, click the View Import History
button. Click Ok to close the window.
5 Click Browse… to locate the .csv file you want to upload. Click the file name
and then click Open.
6 Click Upload.
To view your asset import history
1 In the Assets page, click the View Import History button.
2 Click Ok to close the window.
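Because the portal rejects text that does not match its option lists exactly, it is worth checking an upload file against Tables 8-1 to 8-4 before submitting it. The following is an added example written for this guide, not portal code: it validates required columns, length limits, IP syntax, allowed values and the Ignore column over a constructed sample file. The GMT offset grammar is my reading of the table's rule, and the Country check tests only the two-letter shape, not membership in the ISO list.

```python
import csv
import io
import ipaddress
import re

# Maximum character counts from Tables 8-1 to 8-4; fields listed as N/A have no limit.
MAX_LEN = {
    "Asset Name": 200, "Host Name": 200, "Organization": 18, "Tags": 50,
    "Domain": 200, "MAC Address": 200, "Address 1": 200, "Address 2": 200,
    "City": 100, "State/Province": 250, "Postal Code": 25, "GMT offset": 6,
    "Country": 2, "Description": 500, "Ignore": 1,
}
REQUIRED = ("Asset Name", "Primary IP Address", "Host Name")
# Table 8-3: columns that may carry several semicolon-delimited values.
MULTI_VALUE = ("Tags", "IP address", "System Function", "Compliance Restrictions")
# Restricted option lists; the portal requires the text to match exactly.
ALLOWED = {
    "Asset Value": {"Low", "Medium", "High", "Critical"},
    "System Function": {"Antivirus Server", "Database Server", "Domain Controller",
                        "Email Server", "File Server", "Firewall", "High-Value Workstation",
                        "IDS/IPS", "Name Server", "Network Management Server", "Proxy",
                        "Vulnerability Scanner", "Web Server", "Workstation"},
    "Compliance Restrictions": {"GLBA", "HIPAA", "PCI", "Sarbanes-Oxley",
                                "Contains Personally Identifiable Information"},
    "Operating System": {"Linux", "Mac OSX", "Other Unix", "Solaris", "Windows",
                         "Windows Server 2003", "Windows 2008"},
}
# Assumed reading of the GMT offset rule: whole hours -12..+12, optional -S/-D suffix, e.g. "+1-S".
GMT_RE = re.compile(r"([+-]?\d{1,2})(-[SD])?")


def cells(row, field):
    """Non-empty value(s) of a column, split on semicolons for multi-value columns."""
    raw = row.get(field) or ""
    parts = raw.split(";") if field in MULTI_VALUE else [raw]
    return [p.strip() for p in parts if p.strip()]


def validate_row(row):
    """Return the problems found in one parsed row; an empty list means the row is clean."""
    problems = []
    for field in REQUIRED:
        if not cells(row, field):
            problems.append(f"{field}: required value missing")
    for field, limit in MAX_LEN.items():
        for cell in cells(row, field):
            if len(cell) > limit:
                problems.append(f"{field}: {len(cell)} characters exceeds the limit of {limit}")
    for field in ("Primary IP Address", "IP address"):
        for cell in cells(row, field):
            try:
                ipaddress.ip_address(cell)
            except ValueError:
                problems.append(f"{field}: {cell!r} is not a valid IPv4 or IPv6 address")
    for field, allowed in ALLOWED.items():
        for cell in cells(row, field):
            if cell not in allowed:
                problems.append(f"{field}: {cell!r} is not one of the allowed values")
    for cell in cells(row, "GMT offset"):
        m = GMT_RE.fullmatch(cell)
        if not m or not -12 <= int(m.group(1)) <= 12:
            problems.append(f"GMT offset: {cell!r} is not a whole-hour offset between -12 and +12")
    for cell in cells(row, "Country"):
        if not re.fullmatch(r"[A-Z]{2}", cell):  # shape only; the ISO list is not embedded
            problems.append(f"Country: {cell!r} is not an ISO 3166-1 alpha-2 code")
    return problems


def validate_csv(text):
    """Validate a whole upload file: ({row number: problems}, [ignored row numbers])."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [f for f in REQUIRED if f not in (reader.fieldnames or [])]
    if missing:
        return {1: [f"header lacks required column(s): {', '.join(missing)}"]}, []
    problems, ignored = {}, []
    for number, row in enumerate(reader, start=2):  # line 1 is the header
        flag = (row.get("Ignore") or "").strip()
        if flag == "#":
            ignored.append(number)  # Table 8-4: a hash mark skips the row
            continue
        found = validate_row(row)
        if flag:
            found.append(f"Ignore: {flag!r} must be blank or '#'")
        if found:
            problems[number] = found
    return problems, ignored


# Constructed sample file: one clean row, one ignored row, one row with several defects.
SAMPLE_CSV = """Asset Name,Primary IP Address,Host Name,Asset Value,System Function,Compliance Restrictions,Operating System,GMT offset,Country,Ignore
web01,10.0.0.10,web01.example.test,High,Web Server;Proxy,PCI,Linux,+1-S,DE,
old-box,10.0.0.99,old.example.test,Medium,Workstation,,Windows,0,US,#
dbserver,10.0.0.300,,Urgent,Database Server;Cloud Server,PCI,Linux,+15,USA,
"""

if __name__ == "__main__":
    found, skipped = validate_csv(SAMPLE_CSV)
    print("ignored rows:", skipped)
    for number, issues in sorted(found.items()):
        for issue in issues:
            print(f"row {number}: {issue}")
```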

Uploading vulnerability scans


Note: You must be a company administrator or a partner to upload vulnerability
scans.

The Upload page lets you upload a vulnerability scan data file to the portal. This
data is used to enhance the analysis of your company’s log data. The data file must
be in a supported format: Qualys 4.0 and above, Nessus 1.x (please contact the
MSS Service Desk to confirm that your version is supported), and McAfee
Vulnerability Manager (formerly Foundstone) Risk_Data and Host_Data. Other
vendor formats may be supported using Symantec's XML Vulnerability Format
(XVF) 2.0; please contact MSS for further details. Consult the Symantec MSS XVF
Reference Guide, available in the Downloads page, for detailed information about
XVF. The upload file size limit is 50 MB.
The bottom half of the Vulnerability Uploads window shows a listing of uploaded
vulnerability scans. The grid report lists the uploaded file path and name, the contact
who uploaded the file, the scan file type, associated comments, if any, whether the
upload was successful, and the date and time that the file was submitted to the
SOC.

Note: Rapid7 NexPose users can export their vulnerability scans into the Qualys
format and then upload them using the following instructions.

To upload a vulnerability data file


1 In the MSS portal, click the Assets tab.
2 In the Assets page, click the Manage Assets selection list, and select Vul
Uploads.
3 Click Browse and locate the file to be uploaded.
4 If you want the Portal to use the scan contents to create new assets and modify
ones already registered, check the check box next to that statement.
5 Optionally, in the Comment text box, type your comments regarding the file
you are uploading.
6 Click Upload to upload the data file.

Grouping assets
You can gather your registered assets into groups that make sense to your
organization. Once created, you can easily populate your groups with your registered
assets.
To create an asset group
1 In the Assets page, click the Manage Assets selection list in the upper right and
select Manage Groups.
2 In the Manage Groups window, click Add Group.
3 In the New Asset Group window, type a name for the group and an optional
description.
4 Select the responsible organization for this asset group.
5 Click Create Group.
6 In the asset list, click the checkbox next to the assets you want to add to the
group.
7 Click Save.
To manage an asset group
1 On the Assets page, in the left side bar, click the Manage link next to the
Group filter heading.
2 In the Manage Groups window, click the name of the group you want to modify.

3 If you want to edit the group details, click the Edit icon, and type your
modifications in the fields provided. Click Save.
4 If you want to add assets to the group, click Add Assets.
5 In the asset list, check the checkbox next to the assets you want to add to the
group, and click Save.
6 If you want to remove assets from the group, click Delete Assets.
7 In the asset list, clear the checkbox next to the assets you want to remove from
the group, and click Save.
8 Click the X icon at the top right of the window.
To delete an asset group
1 On the Assets page, in the left side bar, click the Manage link next to the
Group filter heading.
2 In the Manage Groups window, click the name of the group you want to delete.
3 In the confirmation prompt, click OK.

Using the advanced search feature


The MSS portal includes an advanced search method on certain grid pages.
To run advanced searches
1 On the Assets page, click the Advanced Search button above the grid.
At the top of the grid, note the appearance of a set of empty selection boxes.
2 Click the first selection box and select an attribute to search for from the items
listed (for example, Criticality).
3 In the second selection box, select an operator. The default operator is = (equal
to).
4 In the third selection box, click and select or type the value of the attribute you
choose at the start (for example, High).
5 Click the + (plus sign) icon at the end of the line to add another row and continue
entering search parameters.
Use the X icon to remove a row.
6 When you are finished entering search parameters, click Run.

Updating asset information


You can edit assets one at a time or in bulk.

Updating multiple assets simultaneously


You can perform a bulk update of assets from the Asset grid.
To update multiple assets simultaneously
1 In the MSS portal, click the Assets tab.
2 On the Assets page, click the check box to the left of the asset you want to
edit.
You can also click the check box in the grid header bar to select all of the assets
on that page.
3 Click the Update button located in the upper right side of the grid.
4 In the Update Asset window, modify the asset information as you desire.
You can update the following information:
■ Organization (replaces current organization)
■ Operating System (replaces current OS)
■ Description (replaces existing description, if any)
■ Tags (select an action: Add (add to existing values), Replace (replace
existing values with entered text), or Remove (remove the entered text from
existing values))
■ Compliance Restrictions (select an action: Add, Replace, or Remove)
■ Groups (select an action: Add, Replace, or Remove)
■ System Functions (select an action: Add, Replace, or Remove)

5 Click Save.

Editing a single asset


You can edit a single asset record in the following way.
To edit an asset
1 In the MSS portal, click the Assets tab.
2 On the Assets page, click the name of the asset you want to edit.
3 On the Asset Details page, click the Edit icon.

4 Add or edit asset attributes as needed.


5 Click Submit.
To view an asset's related incidents
◆ On the Asset Details page, click the Related Incidents tab.
To view an asset's activity log
◆ On the Asset Details page, click the Activity Log tab.

Adding an IP address to an existing asset


You add an IP address to an asset in the following way.
To add an IP address to an existing asset
1 On the Assets page, click the name of the asset you want to edit.
2 In the Asset Details page, click the Edit icon.
3 In the IP Addresses tab, click the + Add IP Address button to add a new text
box.
4 Type the new IP address in the text box.
5 Click Submit.

Deleting an asset
You can delete an asset in the following way.
To delete an asset
1 On the Assets page, click the name of the asset you want to delete.
2 On the Asset Details page, click the Delete Asset button.
3 In the confirmation window, click OK.

Changing the grid display


Data can be filtered to refine what appears in the grid. You can filter the grid to
display different combinations of data by using the filters on the left side bar. When
you are satisfied with your selection, you can name and save the filter set for future
use.
Available filters appear on the left side of the page. The number of items matching
the filter appears next to the filter link. When you apply a filter to the grid, the selected
filter item is removed from the set and displayed at the top of the page as a filter

selection, and the available filter sets change based on the remaining data.
Additionally, the grid can be customized to show more or fewer columns, and the
data can be sorted by any of the displayed columns.
To filter the grid
1 In the left side bar, click one or more entries under the available filter sets to
narrow the focus of the grid data. You can select multiple items within a filter
set. Once you have selected all the items in one category that you want to
view, and move to another filter set, you cannot go back to the previous set to
select again unless those previous selections are undone.
2 Click Show All at the bottom of the filter set to see all of the filters available
for that set. Show All only appears if there are more than five filters within a
set.
3 Click Show Less at the bottom of the filter set to display only the top five filters.
4 At the top of the left side bar, click the (undo) link next to a filter selection you
want to remove, or click Undo All to remove all of the filter selections.
To save your filter for later use
1 When you have made all of your preferred filter selections, click the Save button
in the left side bar in the Saved Filters area.
2 In the Save Filter window, type a name for your filter.
3 Click Save.
4 Click the Select Filter list to access your saved filter.
To sort the grid
1 Click any displayed column heading to sort the grid by that column in ascending
order.
2 Click the column heading again to sort the grid by that column in descending
order.
To customize the grid columns
1 In the upper right side of the grid, click Customize Columns.
2 In the Customize Columns window, click an entry in the Columns Displayed
area in the left pane, then click the arrow pointing rightward, to remove the
column from the grid view. You can add columns by clicking an entry in the
Columns Available area in the right pane, then clicking the arrow pointing
leftward.
3 Change the column display order by selecting entries in the left pane and
clicking the Up and Down buttons until you have your preferred order.

4 You can set the grid sort order as well by clicking the Sort Order selection list
and clicking your preferred sort column.
5 Click the Set as Default View check box if you want this customized view to
be your default view for this grid.
6 When you have finished customizing the grid, click Apply Updates.
To toggle the filter bar
1 At the top of the left side bar, click the leftward-facing arrow to hide the filter
bar.
2 At the top left of the grid, click the rightward-facing arrow to view the filter bar.
Chapter 9
Viewing logs
This chapter includes the following topics:

■ Viewing logs

■ Constructing a log query

■ Constructing a log query using Enhanced Query

■ Reviewing your log query results in Enhanced Query

■ Managing user defined lists

■ Tips to improve your online log queries

Viewing logs
The MSS portal lets you view device logs that can be filtered by time range or
custom date range and by using a canned query (a filter supplied with the portal)
or a custom query that you create or another user has elected to share.
To view logs
1 In the MSS portal, click the Logs tab. This action displays the Log Viewer
where you can search for logs by time range or custom date range and by
using a canned query or a custom filter that you create.
OR
2 In the Incident Detail page, in the Events tab, click the numbered link in the
Logs column. This action uses the default canned query to display only those
logs associated with the event.

To view log session data


1 In the Log Viewer window, click the Show all fields check box.
2 In the logs grid, click the Session Data link for the log you want to view.
3 In the Session Data window, the left side of the window contains raw session
data and the right side contains a base64 decoded view of the session data.
If the data was not base64 encoded, the two sides will contain the same
information.
4 Click the Close button in the upper right to return to the log listing.
If the Close button is not accessible, close the browser sidebar.

Exporting the log grid data


You can export logs to your computer in CSV and XML formats. If the log grid you
want to export has more than 5,000 logs, the portal initiates a request to generate
a compressed file containing the log query results. You are notified via email when
this file is available on the Log Downloads page. You also have the option of
exporting either all fields (columns) in the grid or just the default field set.
To export log grid data
1 In the Log Viewer, Incident Detail page, or Event Detail page, view logs as
described in the previous procedure.
2 Click Export located on the right side above the grid.
3 In the Export Logs dialog box, select your preferred file format.
4 Select the number of rows to export, either the current results displayed in the
logs grid or a number of your choosing. Note that the maximum number that
you can retrieve at one time is 1,000,000 (one million) logs.
5 Select whether you want to retrieve all of the log fields/columns or only the
default set.
6 Click the Export button.
7 If your export contains 5,000 logs or fewer, the portal begins exporting the file.
Go to Step 10.
OR
If your export contains 5,000+ logs, the portal initiates a request to generate
a compressed file containing the log query results. Check your email for a
notification informing you that the log archive is ready for you to download.
8 Click the link supplied in the notification or go to Logs > Log Downloads.

9 In the Log Downloads page, click a Filename link for the file you want to
download.
10 In the File Download dialog box, click Open to open the selected file, Save
to save the file to your computer, or Cancel to cancel the download and exit
the dialog box.

Constructing a log query


Using the Logs page, you can construct, edit, and delete queries on a large number
of fields.
You can also share queries that you create. Only you can update or delete the
shared query. Other users cannot save changes to the original shared query, but
can modify and save a copy to make their own version.
Part of constructing a log query is using operators. These operators tell the query
function which logic to apply when processing each line. See Table 9-1 for definitions
and examples of the available operators.

Table 9-1 Query operators with examples

Operator: =
Definition: Equal To lets you search for values exactly like what you enter in the text field.
Example: The query Destination IP = 10.1.1.100 searches for logs where the Destination IP is 10.1.1.100.

Operator: <>
Definition: Not Equal To lets you search for values other than (lesser or greater than) what you enter in the text field.
Example: The query Destination IP <> 10.1.1.100 searches for logs where the Destination IP is anything other than 10.1.1.100.

Operator: >
Definition: Greater Than lets you search for values that are numerically greater than what you enter in the text field.
Example: The query Destination IP > 10.1.1.100 searches for logs where the Destination IP is 10.1.1.101 and up.

Operator: >=
Definition: Greater Than Or Equal To lets you search for values that are numerically greater than or equal to what you enter in the text field.
Example: The query Destination IP >= 10.1.1.100 searches for logs where the Destination IP is 10.1.1.100 and up.

Operator: <
Definition: Less Than lets you search for values that are numerically less than what you enter in the text field.
Example: The query Destination IP < 10.1.1.100 searches for logs where the Destination IP is 10.1.1.99 and down.

Operator: <=
Definition: Less Than Or Equal To lets you search for values that are numerically less than or equal to what you enter in the text field.
Example: The query Destination IP <= 10.1.1.100 searches for logs where the Destination IP is 10.1.1.100 and down.

Operator: LIKE
Definition: The LIKE operator lets you define character patterns to include in the search results. The “%” sign can be used to define wildcards (missing letters in the pattern) both before and after the pattern.
Example: The query Device Name LIKE s% returns logs where the device name begins with the letter “s”.

Operator: NOT LIKE
Definition: The NOT LIKE operator lets you define character patterns to exclude from the search results. The “%” sign can be used to define wildcards (missing letters in the pattern) both before and after the pattern.
Example: The query Device Name NOT LIKE s% returns logs where the device name begins with anything other than the letter “s”.

Operator: NULL
Definition: The NULL operator lets you search for the absence of a value in a specific field.
Example: The query Device Name NULL returns logs where the device name has no value provided.

Operator: NOT NULL
Definition: The NOT NULL operator lets you search for the presence of a value in a specific field.
Example: The query Device Name NOT NULL returns logs where the device name has any value provided.

Operator: IN, NOT IN
Definition: The IN and NOT IN operators are employed with User Defined Lists and Asset Groups. When you select these operators, a drop-down list appears that contains the available User Defined Lists and Asset Groups. Asset Groups are available only when the field to query against is an IP address. Also, these operators cannot be selected when you pick a field that already has a set of specific values defined by the system, such as MSS Action or Protocol.
Example: The query Device Name IN Sample Device Name List returns logs that contain device names that are listed in the Sample Device Name List user defined list. The query Device Name NOT IN Sample Device Name List returns logs that do not contain device names that are listed in the Sample Device Name List user defined list.

Operator: BETWEEN
Definition: The BETWEEN operator lets you specify two values to check between. Instead of the usual one value field, there are two fields with the symbol “&” between them.
Example: The query Destination IP BETWEEN 10.1.1.1 & 10.1.1.100 returns only logs with destination IP addresses that fall in the range of 10.1.1.2 to 10.1.1.99.

Operator: IS PART OF SUBNET
Definition: The IS PART OF SUBNET operator lets you target your search toward a specified subnet using Classless Inter-Domain Routing (CIDR) notation.
Example: The query Destination IP IS PART OF SUBNET 192.168.0.0/24 returns only the logs with destination IP addresses that fall within that subnet.

Note: Queries that contain a user defined list cannot be shared.



To construct a log query


1 In the Logs page, under the Construct Query tab, in the Option area, select
a timeframe, maximum row count, and a timeout in minutes. Check the Run
Query Offline box to have the portal generate a download file.
2 In the Construct Query area, do the following:
■ Select a field to query, then select an operator, and then type or select a
field value.
■ To include parentheses, click the parenthesis check boxes as appropriate.
■ To create a complex query consisting of two or more conditions, use the
AND/OR list box as appropriate.

3 Click the plus sign icon to add a blank row to the bottom of the condition list.
Click the X icon at the beginning of the row to remove that condition.
4 To see the result of your new custom query, click Run Query.
5 To erase an unsaved query, click Reset and then click OK in the confirmation
dialog box.
To save a query
1 In the Query Name text box, type the name of your new query.
2 In the Query Description text box, type an optional description for your new
query.
3 Click Save Query.
To share a saved query
1 In the Logs page, under the Saved Queries tab, locate the query you want to
share, and click the Share button.
2 In the Share Query dialog box, click the SOC Analysts check box if you wish
to share the query with the Analysts at the SOC.
3 Click your preferred sharing option: only Your Organization or Your
Organization and Sub-orgs.
4 Click Submit.
To unshare a saved query
1 In the Logs page, under the Saved Queries tab, locate the query you want to
unshare, and click the Unshare button.
2 In the Share Query dialog box, clear the SOC Analysts check box to stop
sharing the query with the Analysts at the SOC.
3 Click the sharing option None.
4 Click Submit.
To run a saved query
1 In the Logs page, under the Saved Queries tab, locate the query you want to
run, and click the Re-Run button.
2 Click the Schedule Run button to schedule the query to run at a specified
time.
To delete a saved query
1 In the Logs page, under the Saved Queries tab, locate the query you want to
delete, and click the Delete button.
2 Click OK in the confirmation dialog box.

Constructing a log query using Enhanced Query


The Enhanced Query tab displays a revamped user interface for you to create your
log queries. This is also where we are implementing new visual features and
enhanced reporting functionality.
Using the Logs page, you can construct, edit, and copy queries on a large number
of fields.
Part of constructing a log query is using operators. These operators tell the query
function which logic to apply when processing each line. See Table 9-1 for definitions
and examples of the available operators.
To create a log query using Enhanced Query
1 In the Logs page, click the Enhanced Query tab.
2 In the Enhanced Query tab, under Set Query Parameters, click the link next
to Time Period and select a time frame for this query.
Time period selection is required. The options are 1 hour, 2 hours, 4 hours, 8
hours, 12 hours, 24 hours, 48 hours, 7 days, and Custom. The default selection
is 1 hour.
Selecting Custom requires you to use the calendar widgets to choose a valid
date range.
3 Click the link next to Criteria and select a criterion from the list.
4 Choose an operator from the list. See Table 9-1 for more information on the
query operators.
5 Depending on the criterion and operator that you chose, type a value for the
condition or select it from the list.
6 Click + to add another condition or click ( ) to add a nested or parenthetical
condition.
If you add a condition, choose AND or OR, then continue creating the new
condition as you did the first one.
If you add a nested condition, continue creating it as you did the first condition,
and then either click + to add another condition at this level, click ( ) to add a
parenthetical condition nested at a deeper level, or return to the first condition
and click + to add another top-level condition.

Note: You can nest parenthetical conditions only three levels deep.

7 When you have finished adding the condition lines, click the link next to Group
By, if available.
This is optional and lets you group the query results by a field of your choosing.
8 Optionally, use the Restrictions feature to define conditions for when to show
your results. Click the check box to use the feature, then choose an operator
from the list, and type a numerical value.
For example, you could employ this option if you want the choice to display
results only when the count returned exceeds a certain amount.
9 Next to Display results, choose your preferred report format.
If you elected to group your results by a criterion, your display options are:
■ Over time in a multi-line time series graph
■ By your grouping choice on a bar, column, pie, or line graph
If you elected not to group your results, your display options are:
■ Over time in a single-line time series graph
■ As an aggregate count of the log lines

10 Click Get Results. To start over, click Clear.
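The following Python script is an added example written for readers of this guide; it is not part of the MSS portal and does not reproduce the portal's own query engine. It evaluates the Table 9-1 operators against a few constructed log lines, nests AND/OR conditions up to the three-level limit noted above, and applies a Group By with a count Restriction in the way the Enhanced Query steps describe. The log lines, the contents of the Sample Device Name List, the choice that LIKE is case-insensitive, and the choice that a field with no value satisfies only the NULL operator are assumptions made for this example; BETWEEN excludes both endpoints, which matches the table's example.

```python
import ipaddress
import operator as op
import re
from collections import Counter

# Constructed sample log lines; the field names follow the portal's query
# fields, the values are invented for this example.
LOGS = [
    {"Destination IP": "10.1.1.100", "Device Name": "sensor-01", "Protocol": "TCP"},
    {"Destination IP": "10.1.1.101", "Device Name": "Sensor-02", "Protocol": "UDP"},
    {"Destination IP": "10.1.1.50", "Device Name": None, "Protocol": "TCP"},
    {"Destination IP": "192.168.0.77", "Device Name": "fw-edge", "Protocol": "TCP"},
    {"Destination IP": "10.1.1.99", "Device Name": "sensor-03", "Protocol": "ICMP"},
]

# A constructed user defined list, as used by the IN / NOT IN operators.
USER_DEFINED_LISTS = {"Sample Device Name List": {"sensor-01", "fw-edge"}}

MAX_NESTING = 3  # the portal nests parenthetical conditions three levels deep
COMPARE = {"=": op.eq, "<>": op.ne, ">": op.gt, ">=": op.ge, "<": op.lt, "<=": op.le}


def sort_key(value):
    """Order IP addresses and numbers numerically, everything else as text."""
    text = str(value)
    try:
        return (0, int(ipaddress.ip_address(text)))
    except ValueError:
        pass
    try:
        return (0, float(text))
    except ValueError:
        return (1, text)


def like(value, pattern):
    """LIKE-style match: '%' stands for any run of characters.
    Case-insensitive matching is an assumption of this example."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(value, operator, operand):
    """Apply one Table 9-1 operator to a single field value."""
    if operator == "NULL":
        return value is None or value == ""
    if operator == "NOT NULL":
        return not (value is None or value == "")
    if value is None:
        return False  # assumption: an absent field satisfies no other operator
    if operator in ("=", "<>"):
        return COMPARE[operator](str(value), str(operand))
    if operator in (">", ">=", "<", "<="):
        return COMPARE[operator](sort_key(value), sort_key(operand))
    if operator == "LIKE":
        return like(str(value), operand)
    if operator == "NOT LIKE":
        return not like(str(value), operand)
    if operator in ("IN", "NOT IN"):
        return (value in USER_DEFINED_LISTS[operand]) == (operator == "IN")
    if operator == "BETWEEN":  # both ends excluded, as in the table's example
        low, high = (sort_key(v) for v in operand)
        return low < sort_key(value) < high
    if operator == "IS PART OF SUBNET":
        return ipaddress.ip_address(value) in ipaddress.ip_network(operand, strict=False)
    raise ValueError(f"unknown operator {operator!r}")


def evaluate(node, log, depth=0):
    """node is a (field, operator, operand) condition or a parenthetical group
    {"op": "AND" | "OR", "conditions": [...]}; groups may nest three levels."""
    if isinstance(node, dict):
        if depth > MAX_NESTING:
            raise ValueError("parenthetical conditions can be nested only three levels deep")
        results = [evaluate(child, log, depth + 1) for child in node["conditions"]]
        return all(results) if node["op"] == "AND" else any(results)
    field, operator, operand = node
    return matches(log.get(field), operator, operand)


def run_query(query, logs=LOGS, group_by=None, restriction=None):
    """Return the matching log lines, or with group_by a {group: count} dict.
    restriction is an optional (operator, number) applied to each group's
    count, like the Restrictions feature of Enhanced Query."""
    hits = [log for log in logs if evaluate(query, log)]
    if group_by is None:
        return hits
    counts = Counter(log.get(group_by) for log in hits)
    if restriction is not None:
        r_op, threshold = restriction
        counts = {k: n for k, n in counts.items() if COMPARE[r_op](n, threshold)}
    return dict(counts)


if __name__ == "__main__":
    print(run_query(("Device Name", "LIKE", "s%")))
    print(run_query(("Destination IP", "IS PART OF SUBNET", "10.1.1.0/24"),
                    group_by="Protocol", restriction=(">=", 2)))
```

Running the script directly prints the three "s" devices and the single protocol group whose count reaches the restriction. Pointing run_query at rows exported from the Log Viewer (one dict per row) is a quick way to check what a condition set matches before running it online against a wide time range.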


To save a log query
1 In the Enhanced Query page, create a new query as described previously, or
click the link for a saved query from the list on the left.
2 Click Save As.
3 In the Save Query window, type your preferred name and description for this
query.
4 Click Save.
To update a saved log query
1 In the Enhanced Query page, click the link for a saved query from the list on
the left.
2 Click Edit to change the query's name and description.
3 In the Save Query window, type the new name and description.
4 Click Save.
5 Modify the query's time frame and conditions as necessary.
6 Click Update.

Reviewing your log query results in Enhanced Query


The portal can display the results of your query in a variety of formats.
The formats are
■ Bar, column, pie, and line graph
■ Time series: area (single line), bar, and line (single or multiple line)
■ Aggregate log count
■ Tabular
The options you chose when constructing the query govern its initial display. You
then have several options to manipulate the data to suit your purpose, including
changing the chart format, narrowing the time frame, and displaying the data as a
table. You can then export the data to a variety of formats.
To reconfigure the log query results display
1 In your log query results, click the configuration icon at the top right side of the
graph.
2 Click your selection in the configuration menu. See the following option
descriptions for more information.
All graphical results formats have the following options:
■ Export to PDF, Export to PNG, and Export to JPEG: You have a variety
of export options from which to choose.
■ Show all data in table: Presents the original query results in a tabular
format.
■ Show current series data in a table: Presents query results from the
modified date range in a tabular format.
■ Get raw logs for this query: Opens log lines corresponding to the query
into a new tab or window.
The format-specific options are:
■ Log count in a bar, column, pie, or line graph
■ Add 25 more results: If the number of results not displayed is less than
25, that number is shown in the menu option.
■ Remove 25 results: Removes 25 results, if possible.
■ View as pie chart, View as line graph, View as column chart, and
View as bar graph: Changes the graph view to the selected display
format.

■ Time series: area (single line), bar, and line (single line)
■ Construct query from current time range: Automatically constructs
a log query from the results within the modified time frame.
■ View as pie chart, View as line graph, View as column chart, and
View as bar graph: Changes the graph view to the selected display
format.

■ Time series: line (multiple line)


■ Construct query from current time range: Automatically constructs
a log query from the results within the modified time frame.

Managing user defined lists


User defined lists are lists of values—IP addresses, numbers, or characters—that
you can create and add to certain queries.
To create a user defined list
1 In the Logs page, click the User Defined Lists tab.
2 Click Create.
3 In the Create User Defined List window, type a name for the list. This is
required.
4 Type an optional description.
5 Add your list of values. Use a carriage return as the list item delimiter. Note
that each list item can be no more than 75 characters in length. Also, we
recommend that you include no more than 30 items per list.
6 Select a value type. The options are: IP Addresses, Numbers, or Characters.
This is required.
7 Click Save.
To manage a user defined list
1 Click the User Defined Lists tab.
2 In the User Defined Lists grid, locate the list you want to edit and click Edit.
3 In the Edit User Defined List window, change the information as needed.
4 Click Save.
To delete a user defined list
1 Click the User Defined Lists tab.
2 In the User Defined Lists grid, locate the list you want to delete and click
Delete.
3 At the confirmation prompt, click Yes.

Tips to improve your online log queries


The most common reasons for query failure are:
■ Too wide a time range
■ Too short a timeout value
To head off failures or errors, think of performing an online log query as a quick
way of ensuring that you receive useful data before running a more time-consuming
offline query against a large amount of logs. Running an online query is quicker for
smaller amounts of data but, compared to offline queries, it is also more restrictive:

Online    1 to 5,000 rows (the default setting is 1,000 rows)
          15 minute timeout (the default setting is 1 minute)

Offline   5,001 to 1,000,000 rows
          24 hour timeout

Possible errors that you may receive while performing log queries, and tips for their
mitigation, are as follows:
If your online query returns a timeout error, try one or more of the following:
■ Increase the timeout value (up to the maximum 15 minutes).
■ Narrow the time range.
■ Use default query fields (instead of the extended field set; see below)
whenever possible.
■ Run the query offline by clicking the Run Query Offline check box.

If your online query completes but the results reached the maximum number of
rows, and there may be other logs that meet your criteria, try one or more of
the following:
■ Narrow the time range.
■ Add more filter conditions.
■ Run the query offline by clicking the Run Query Offline check box.

If your online query completes but returns no logs, try one or more of the
following:
■ Expand the time range.
■ Remove or modify filter conditions to widen the search.

You are more likely to avoid timeout errors if you use the default field set when
building your query. The default set includes those fields that are visible when you
click the Field selection list. You must click (More…) at the bottom of the list, as
shown in the following figure, to access the extended set.
Chapter 10
Viewing reports
This chapter includes the following topics:

■ About reports

■ Viewing reports

About reports
The MSS portal provides access to numerous reports about incidents, device logs,
attacks, infections, and compliance data. You can also download a variety of files
and customer reports to your computer.

Viewing reports
The Reports collection tabs let you focus more on the reports that matter to you.
Additionally, you have the option of marking any current report as a “favorite,”
thereby placing it in your Favorites collection, as well as have a new custom report
created by your Services Manager. Finally, you have expanded report exporting
format options.
To view reports
1 In the MSS portal, click the Reports tab.
2 In the Reports page, click your desired report collection tab. Choose from the
following:
■ Summary – This tab shows the following collections:
■ Favorites – The reports you have marked as favorites are collected
here.
■ Recent Reports – Only your 10 most recently run reports are shown
in this collection.
■ New Reports – This collection shows the 10 newest published reports.

■ All Reports – This collection displays all of the reports that are available
to you, including those that can be found in the other collections.
■ Incidents – This tab shows Incident reports.
■ Devices – This tab shows Device reports.
■ Organizations – This tab shows Organization reports.
■ Requests – This tab shows Request reports.
■ Compliance – This tab shows the Payment Card Industry (PCI),
Sarbanes-Oxley (SOX), and Good Practice Guide 13 (GPG) report collection
subtabs.
■ PCI – This collection shows compliance reports related to the PCI
standard.
■ SOX – This collection shows compliance reports related to the
Sarbanes-Oxley standard.
■ GPG – This collection shows compliance reports related to the Good
Practice Guide 13 standard.

■ Downloads – This tab shows user's guides, customer-specific documents,
and reports that were run offline.
■ IP Addresses – This tab displays a search field where you can type an IP
address and view its detail page.

3 In the selected collection page, click the report you want to view.
4 If the report has a selectable timeframe, click the duration in days in the
upper-left side of the report, or click the Pick Date Range link to select a custom
timeframe.
5 In the report, click any of the active links to view more details about that item.
To mark a report as a favorite
1 On any report selection page, click the star icon to the right of the description.
2 Within the report, click the Save as favorite check box.
To export a report
◆ On any report page, click the Export icon and select from the following formats:
■ XML file with report data
■ CSV (comma delimited) – This is a comma separated value format.
■ Acrobat (file) PDF – Use this format to export the report into a Portable
Document Format file.
■ MHTML (web archive) – Use MIME HTML format to combine resources
typically represented by external links together with HTML code into a single
file.
■ Excel – This exports the report into a format readable by Microsoft Excel.
■ TIFF – This is the Tagged Information File Format.
■ Word – This exports the report into a format suited to Microsoft Word.

To view compliance reports
1 In the Compliance tab, click the report collection subtab you want to view.
2 In the expanded report collection list, click the report you wish to view.
3 In the report page, construct a query using the following fields:
■ Select a device from the Device Name list box.
■ If desired, type an IP address in the IP field and/or a host name in the Host
Name field.

4 Click a number for the desired range of Days or click Custom and modify the
date and time for which you want to view logs. Note that reports for date ranges
exceeding 30 days are run offline; you will receive email notification when the
report is complete.
5 In the Maximum Rows box, type your preferred maximum number of logs for
the portal to retrieve. Note that maximum value for this field is 5,000. Reports
exceeding this number of rows are run offline; you will receive email notification
when the report is complete.
6 In the Timeout (Minutes) box, type the number of minutes you want to allow
the query to run before timing out. The maximum value for this field is 20.
7 Click Run.
Chapter 11
Using the DeepSight™
Intelligence Portal
This chapter includes the following topics:

■ Using Alerts

■ Using Research

■ Using Intelligence

■ Using Datafeeds

■ Using Custom Reports

■ Printing or exporting

Using Alerts
The Alerts tab lets you do the following:
■ View any of the alerts delivered to you
■ View delivered alerts by alert type
■ View the vulnerability, malicious code, and security risk databases
■ Set up vacation mode, where notifications can be held until your return or filtered
so that selected alerts are forwarded during your vacation period
■ Perform an advanced search of your alerts or the alert databases
By default, you land on the My Alerts tab where alerts that have been delivered to
you are displayed.
Using My Alerts
The My Alerts tab gives you access to every alert delivered to your user account.
The alerts from the previous month are displayed by default. The list begins with
the most recently delivered alert. The display can be expanded or filtered by date
range and/or restricted by alert type.
The My Alerts display is initially divided into four columns:
■ Rating
■ Title
■ Delivered
■ Type
The grids can be sorted by clicking on any column heading. The From and To Date
fields at the top of the page let you view alerts delivered between the specified
dates.
To filter My Alerts
1 On the My Alerts tab, click the From Date field and use the calendar widget
to select the date on which the alerts grid should start.
2 Click the To Date field and use the calendar widget to select the date on which
the alerts grid should end.
3 Use the Alert Type drop down if you want to see a specific alert type. Alert
Types correspond to alerts delivered by configured monitors. See Table 11-1
for more information.
4 If you want to include group alerts in the results, check the box next to Include
Group Alerts and select the group to include from the pick list.
5 Select the number of records you want displayed in the results grid.
6 Click Submit.

Table 11-1 Correlating alert types with delivering monitors

Alert type Monitor type

Vulnerability Vulnerability

Malicious Code Malicious Code

Security Risk Security Risk

Domain Domain

Threat Alert Threat Alert


Threat Analysis Threat Analysis

Industry Activity Industry Activity

Tech List Activity Tech List Activity

Port Activity Port Activity

Event Activity Event Activity

ThreatCon ThreatCon

Daily Report Daily Summary

Weekly Report Weekly Summary

Monthly Report Monthly Summary

Research Report Research Reports

Network Infection Network Infection

Brand Protection Brand Protection

Using All Alerts


The All Alerts tab gives you access to these DeepSight Intelligence alerts:
■ Security Risk
■ Vulnerability
■ Malicious Code
This historical alerts information is a powerful tool for threat remediation as well as
for security research and network planning. By default, alerts released or updated
in the previous month are displayed on the All Alerts page. The list begins with the
most recently issued alerts in the Alert Type you are viewing.
The grids can be sorted by clicking on any column heading. The From and To Date
fields at the top of the page let you view alerts delivered between the specified
dates.
To filter All Alerts


1 On the All Alerts tab, click the From Date field and use the calendar widget
to select the date on which the alerts grid should start.
2 Click the To Date field and use the calendar widget to select the date on which
the alerts grid should end.
3 Use the Alert Type drop down if you want to see a specific alert type.
4 Select the number of records you want displayed in the results grid.
5 Click Submit.
The All Alerts grid columns are determined by the alert type selected.

Using Advanced Search


The Advanced Search tab helps you find alerts delivered to your MSS portal user
account and to search every vulnerability, malicious code, or security risk alert
issued by DeepSight Intelligence.
You can search any alert type delivered to your MSS portal account by selecting
the My Alerts option. Selecting the All Alerts option lets you search these alert
types:
■ Security Risk
■ Vulnerability
■ Malicious Code
The search fields change depending on the alert type you select. The search features
available for each alert type are described in the tables below.

Note: Use the Hide/Show Search Criteria link located above the Display Option
selectors to toggle the search fields display.

To perform an alerts search


1 On the Advanced Search tab, select a display option: My Alerts or All Alerts.
This selection affects the search options displayed for each alert type.
Note that the All Alerts display option presents the vulnerability, malicious
code, and security risk databases.
2 Use the Date Range calendar widgets to set the From and To dates.
3 Select an Alert Type.
4 Complete the search fields associated with the selected alert type. Reference
the following sections for detailed information on the search fields displayed.
5 Click Submit.

Vulnerability
The vulnerability alert type can be searched as a My Alert or as an All Alert. The
advanced search options vary only slightly and are identified within Table 11-2.

Table 11-2 Advanced search options for vulnerabilities

Display Option: Choose what to search:
■ My Alerts
■ All Alerts
The selection affects the search options available for each alert type.
Note: The All Alerts display option presents the vulnerability, malicious code,
and security risk databases.

Date Period: Last Updated is the default, but you may select Published.

Date Range: Use the calendar widgets to set the From and To dates.

Alert Type: Use the drop down to select the alert type to search.

Title: When the Title of a vulnerability is entered, one result is returned,
unless it is part of a family of vulnerabilities or malicious code. Using a
portion of the title may return multiple results.

Description: This permits searches based on the nature of a vulnerability. For
instance, when input validation is entered for Search Text, the search returns
alerts in which an input validation condition is a part of the body of the
vulnerability alert. The search examines the body of the alerts in the database.

Monitor (My Alerts only): This displays monitors that apply to the specified
Alert Type. Select the monitor of interest or use the default setting of All
Monitors to return results from every triggering monitor.

Delivery Method (My Alerts only): Select the Delivery Method to which the alert
was delivered.

Include Group Alerts: If you want to include group alerts in the results, check
the box next to Include Group Alerts and select the group to include from the
pick list.

Technology List (All Alerts only): The Technology List drop-down box allows you
to filter the entire vulnerability database by the products defined within your
technology lists. A vulnerability technologies list search is based on the
contents of the Vulnerable Systems field.

Status (My Alerts only): Select the status level of interest or use the default
setting of All Statuses to return results at any status setting.

Vendor: Entering a vendor name into the Search Text input box returns all
results for the specified vendor. The Search By criteria, when used for a large
or prolific vendor, may return too many results to be useful; when used with a
small or moderately sized vendor, it can be used to locate products when the
exact product name is not known.

Product: Entering a product name returns results for that product. The product
vendor's name is not required when entering the Search Text. The vulnerability
product search is based on the contents of the Vulnerable Systems field within
a vulnerability alert.

Version: Enter the specific product version, if desired.

Vendor Reference: Select a vendor from the drop down menu and enter the
reference number to find the related DeepSight Intelligence vulnerability
report.

Code: Enter a vendor reference code, if desired.

CVE ID/Candidate: This is the Common Vulnerabilities and Exposures (CVE) ID from
the CVE list maintained by mitre.org. Entering the ID number into the input box
returns the database entries associated with the value.

CPE Name: This is the Common Platform Enumeration (CPE) Name from the CPE list
maintained by mitre.org. Entering the CPE Name into the input box returns the
database entries associated with the value.

Exploit: Search by exploit type.

Fix Available: Narrow the search to include those where a fix is or is not
available.

Bugtraq ID: This is the Bugtraq ID assigned by the Bugtraq moderator. Entering
the ID number into the input box returns the specific database entry referred
to by the ID value.

Minimum Urgency: The minimum urgency value (0-10) that must be matched in order
to be displayed.

Minimum Severity: The minimum severity value (0-10) that must be matched in
order to be displayed.

Minimum Impact: The minimum impact value (0-10) that must be matched in order
to be displayed.

Minimum CVSS2 Base: The minimum CVSS2 Base score (0-10) that must be matched in
order to be displayed.

Minimum CVSS2 Temporal: The minimum CVSS2 Temporal score (0-10) that must be
matched in order to be displayed.

Number of records to be shown: Select the number of records you want displayed
in the results grid.

Note: Using a minimum threshold value of 0 returns all results.

Malicious Code and Security Risks


The malicious code and security risk alert types can be searched as a My Alert or
as an All Alert. The advanced search options vary only slightly and are identified
within Table 11-3.

Table 11-3 Advanced search options for malicious code or security risks

Field Description

Display Option Choose what to search:

■ My Alerts
■ All Alerts

The selection affects the search options available for each alert
type.
Note: The All Alerts display option presents the vulnerability,
malicious code, and security risk databases.
Using the DeepSight™ Intelligence Portal 133
Using Alerts

Table 11-3 Advanced search options for malicious code or security risks
(continued)

Field Description

Date Period Last Updated is the default, but you may select Published.

Date Range Use the calendar widgets to set the From and To dates.

Alert Type Use the drop down to select the alert type to search.

Title When the title of a malicious code or security risk is used in the
Search Text input box, one result is returned, unless it is part of
a family of malicious code or security risks. Using a portion of the
title may return multiple results. The title search also searches the
aliases field for malicious code or security risks.

Description This permits searches based on the nature of a malicious code or


security risk. For instance, you could enter “steal passwords,”
“network traffic,” or “denial of service.” The search examines the
body of the alerts in the database.

Monitor (My Alerts only) This displays monitors that apply to the specified alert type. Select
the monitor of interest or use the default setting of All Monitors to
return results from every triggering monitor.

Delivery Method (My Alerts only) This displays delivery methods available on the user account.
Select the delivery method of interest or use the default setting of
All Delivery Methods to return results from every delivery method.

Include Group Alerts If you want to include group alerts in the results, check the box
next to Include Group Alerts and select the group to include from
the pick list.

Technology List (All Alerts only) The Technology List drop-down selection box allows you to filter
the entire malicious code or security risk database by the products
defined within your technology lists. A malicious code or security
risk technology list search is based on contents of the Infection
Hosts field.

Status (My Alerts only) Select the status level of interest or use the default setting of All
Statuses to return results at any status setting.

Vendor Entering a vendor name into the Search Text input box returns all
results for the specified vendor. The Search By criteria, when used
for a large or prolific vendor, may return too many results to be
useful. When used with a small or moderately sized vendor, it can
be used to locate products when the exact product name is not
known.

Product Entering a product name returns results for that product. The
product vendor's name is not required when entering the search
text. The malicious code or security risk product search is based
on contents of the Infection Hosts field within a malicious code or
security risk alert.

Version Enter the specific product version, if desired.

Malicious Code ID or Security Risk ID This is the Malicious Code or Security Risk ID assigned by the
DeepSight Intelligence Threat Analyst Team. Entering the ID
number into the input box returns the specific database entry
referred to by the ID value.

Minimum Peak Risk Specify the minimum peak risk value that must be matched in
order to be displayed. This selection allows you to locate instances
of a risk rating changing over time.

■ Malicious Code risk range 1-5
■ Security Risk risk range 0-5

Minimum Risk Specify the minimum risk value that must be matched in order to
be displayed.

■ Malicious Code risk range 1-5
■ Security Risk risk range 0-5

Minimum Impact Specify the minimum impact value that must be matched in order
to be displayed.

■ Malicious Code risk range 1-5
■ Security Risk risk range 0-5

Minimum Prevalence Specify the minimum prevalence value that must be matched in
order to be displayed.

■ Malicious Code risk range 1-5
■ Security Risk risk range 0-5

Minimum Infection Potential (Malicious Code only) Specify the minimum infection potential value (0-5) that must be
matched in order to be displayed.

Number of records to be shown Select the number of records you want displayed in the results
grid.

Note: Setting a minimum threshold to the lowest value on its scale (1 for the Malicious
Code ranges that start at 1, 0 for the ranges that start at 0) returns all results.

Domain
The searchable fields for the Domain alert type are listed in Table 11-4.

Table 11-4 Advanced search options for Domain alerts

Field Description

Display Option Choose what to search:

■ My Alerts
■ All Alerts

The selection affects the search options available for each alert
type.
Note: The All Alerts display option presents the vulnerability,
malicious code, and security risk databases.

Date Range Use the calendar widgets to set the From and To dates.

Status Select the status level of interest or use the default setting of All
Statuses to return results at any status setting.

■ All
■ Unresolved
■ Not Applicable
■ In Progress
■ Unresolved Low
■ Unresolved Medium
■ Unresolved High

Domain Enter the domain name to search using the “abccorp.com” domain
name format.

Number of records to be shown Select the number of records you want displayed in the results
grid.

Threat Alert and Threat Analysis


The searchable fields for the Threat Alert and Threat Analysis alert types are listed
in Table 11-5.

Table 11-5 Advanced search options for Threat Alert & Analysis

Field Description

Display Option Choose what to search:


■ My Alerts
■ All Alerts

The selection affects the search options available for each alert
type.
Note: The All Alerts display option presents the vulnerability,
malicious code, and security risk databases.

Date Range Use the calendar widgets to set the From and To dates.

Status Select the status level of interest or use the default setting of All
Statuses to return results at any status setting.

■ All
■ Unresolved
■ Not Applicable
■ In Progress
■ Unresolved Low
■ Unresolved Medium
■ Unresolved High

Minimum Urgency The minimum urgency value (0-10) that must be matched in order
to be displayed.

Minimum Impact The minimum impact value (0-10) that must be matched in order
to be displayed.

Number of records to be shown Select the number of records you want displayed in the results
grid.

Research Report
The searchable fields for the Research Report alert type are listed in Table 11-6.

Table 11-6 Advanced search options for Research Report

Field Description

Display Option Choose what to search:


■ My Alerts
■ All Alerts

The selection affects the search options available for each alert
type.
Note: The All Alerts display option presents the vulnerability,
malicious code, and security risk databases.

Date Range Use the calendar widgets to set the From and To dates.

Status Select the status level of interest or use the default setting of All
Statuses to return results at any status setting.

■ All
■ Unresolved
■ Not Applicable
■ In Progress
■ Unresolved Low
■ Unresolved Medium
■ Unresolved High

Number of records to be shown Select the number of records you want displayed in the results
grid.

Daily, Weekly, Monthly Reports


The searchable fields for the Daily, Weekly, and Monthly summaries are listed in
Table 11-7.

Table 11-7 Advanced search options for Daily, Weekly, Monthly Reports

Field Description

Display Option Choose what to search:

■ My Alerts
■ All Alerts

The selection affects the search options available for each alert
type.
Note: The All Alerts display option presents the vulnerability,
malicious code, and security risk databases.

Date Range Use the calendar widgets to set the From and To dates.

Status Select the status level of interest or use the default setting of All
Statuses to return results at any status setting.

■ All
■ Unresolved
■ Not Applicable
■ In Progress
■ Unresolved Low
■ Unresolved Medium
■ Unresolved High

Number of records to be shown Select the number of records you want displayed in the results
grid.

Event Activity
The searchable fields for the Event Activity alert type are listed in Table 11-8.

Table 11-8 Advanced search options for Event Activity alerts

Field Description

Display Option Choose what to search:

■ My Alerts
■ All Alerts

The selection affects the search options available for each alert
type.
Note: The All Alerts display option presents the vulnerability,
malicious code, and security risk databases.

Date Range Use the calendar widgets to set the From and To dates.

Status Select the status level of interest or use the default setting of All
Statuses to return results at any status setting.

■ All
■ Unresolved
■ Not Applicable
■ In Progress
■ Unresolved Low
■ Unresolved Medium
■ Unresolved High

Event Correlation Specify the event type of interest. By default, this is set to: All. But
any of the following event types may be selected using the
drop-down selection menu:

■ All
■ Android OS Attacks
■ Apple IOS Attacks
■ Apple OS Attacks
■ Audit Event
■ Backdoor
■ Clientside Attacks
■ Customized Signatures
■ Database Attacks
■ DNS Attacks
■ DoS
■ EMail
■ Firewall Diagnostic Events
■ Firewall Security Events
■ FTP Attacks
■ Hacking Tool
■ Infrastructure Attacks
■ Kerberos Attacks
■ Malicious Code Attacks
■ Manipulation/Spoofing
■ Miscellaneous
■ Network File System Attacks
■ P2P
■ Probes
■ Remote Code Execution
■ Remote Services Attacks
■ RPC
■ SMB/NetBIOS Attacks
■ Unix/Linux Attacks
■ Unknown Category
■ VoIP Infrastructure Attacks
■ Windows Attacks
■ WWW Attacks

Number of records to be shown Select the number of records you want displayed in the results
grid.

Industry Activity
The searchable fields for the Industry Activity alert type are listed in Table 11-9.

Table 11-9 Advanced search options for Industry Activity alerts

Field Description

Display Option Choose what to search:

■ My Alerts
■ All Alerts

The selection affects the search options available for each alert
type.
Note: The All Alerts display option presents the vulnerability,
malicious code, and security risk databases.

Date Range Use the calendar widgets to set the From and To dates.

Status Select the status level of interest or use the default setting of All
Statuses to return results at any status setting.

■ All
■ Unresolved
■ Not Applicable
■ In Progress
■ Unresolved Low
■ Unresolved Medium
■ Unresolved High

Market Segment Specify the market segment of interest. By default, this is set to:
All. But any of the following market segments may be selected
using the drop down selection menu:

■ All
■ Accounting
■ Aerospace
■ Agriculture
■ Architectural
■ Arts / Media
■ Financial Services
■ Biotech / Pharmaceutical
■ Communications / PR
■ Community / Non-Profit
■ Computer Consulting
■ Computer Hardware
■ Computer Software
■ Construction
■ Education
■ Engineering
■ Government - Local
■ Government - State
■ Government - National
■ Health Care
■ Information Technology
■ Insurance
■ Internet Service Provider
■ Law Enforcement
■ Legal
■ Manufacturing
■ Military
■ Retail / Wholesale (including e-commerce)
■ Telecommunications
■ Transportation
■ Utilities / Energy
■ VAR / VAD
■ Small Business
■ Home User

Number of records to be shown Select the number of records you want displayed in the results
grid.

Port Activity
The searchable fields for the Port Activity alert type are listed in Table 11-10.

Table 11-10 Advanced search options for Port Activity alerts

Field Description

Display Option Choose what to search:

■ My Alerts
■ All Alerts

The selection affects the search options available for each alert
type.
Note: The All Alerts display option presents the vulnerability,
malicious code, and security risk databases.

Date Range Use the calendar widgets to set the From and To dates.

Status Select the status level of interest or use the default setting of All
Statuses to return results at any status setting.

■ All
■ Unresolved
■ Not Applicable
■ In Progress
■ Unresolved Low
■ Unresolved Medium
■ Unresolved High

Port All ports are used by default. You can specify a port value of
interest or concern.

Number of records to be shown Select the number of records you want displayed in the results
grid.

Technology List Activity


The searchable fields for the Technology List alert type are listed in Table 11-11.

Table 11-11 Advanced search options for Tech List Activity alerts

Field Description

Display Option Choose what to search:


■ My Alerts
■ All Alerts

The selection affects the search options available for each alert
type.
Note: The All Alerts display option presents the vulnerability,
malicious code, and security risk databases.

Date Range Use the calendar widgets to set the From and To dates.

Status Select the status level of interest or use the default setting of All
Statuses to return results at any status setting.

■ All
■ Unresolved
■ Not Applicable
■ In Progress
■ Unresolved Low
■ Unresolved Medium
■ Unresolved High

Technology List Specify the technology list of interest or concern using the drop
down menu.

Number of records to be shown Select the number of records you want displayed in the results
grid.

ThreatCon
The searchable fields for the ThreatCon alert type are listed in Table 11-12.

Table 11-12 Advanced search options for ThreatCon alerts

Field Description

Display Option Choose what to search:


■ My Alerts
■ All Alerts

The selection affects the search options available for each alert
type.
Note: The All Alerts display option presents the vulnerability,
malicious code, and security risk databases.

Date Range Use the calendar widgets to set the From and To dates.

Status Select the status level of interest or use the default setting of All
Statuses to return results at any status setting.

■ All
■ Unresolved
■ Not Applicable
■ In Progress
■ Unresolved Low
■ Unresolved Medium
■ Unresolved High

Minimum ThreatCon The minimum ThreatCon value (1 - 4) that must be matched in
order to be displayed.

Number of records to be shown Select the number of records you want displayed in the results
grid.

Note: Using a minimum ThreatCon value of one (1) returns all results.

Network Infection
The searchable fields for the Network Infection alert type are listed in Table 11-13.

Table 11-13 Advanced search options for Network Infection alerts

Field Description

Display Option Choose what to search:


■ My Alerts
■ All Alerts

The selection affects the search options available for each alert
type.
Note: The All Alerts display option presents the vulnerability,
malicious code, and security risk databases.

Date Range Use the calendar widgets to set the From and To dates.

Data Source Type Select the data source type of interest or use the default setting of
All to return results from every data source.

■ All
■ Symantec DeepSight Intelligence Bot List
■ Known Source IPs
■ Repeat Source IPs
■ DeepSight Intelligence Firewall Data
■ DeepSight Intelligence IDS Data
■ Symantec Phish Report Network
■ Command and Control Hosts

Number of records to be shown Select the number of records you want displayed in the results
grid.

Brand Protection
The searchable fields for the Brand Protection alert type are listed in Table 11-14.

Note: Selecting the Brand Protection Alert Type returns all of your Brand Protection
Alerts delivered during the specified Date Range.

Table 11-14 Advanced search options for Brand Protection alerts

Field Description

Display Option Choose what to search:


■ My Alerts
■ All Alerts

The selection affects the search options available for each alert
type.
Note: The All Alerts display option presents the vulnerability,
malicious code, and security risk databases.

Date Range Use the calendar widgets to set the From and To dates.

Number of records to be shown Select the number of records you want displayed in the results
grid.

Selecting alerts to be delivered during vacation


You have the ability to choose which alerts to have delivered to you while your
account is in vacation mode. See “Setting vacation mode” on page 147.
To select alerts to be delivered during vacation
1 On the Alerts screen, click the Alerts delivered during Vacation tab.
2 Select the date range start and end dates.
3 Use the Alert Type selection list to choose the type of alert you want delivered.
4 Select the number of records to display.
5 Click Submit.

Setting vacation mode


You have the ability to put your account in a vacation mode, which has the effect
of delaying delivery of some or all alert notifications for a period of time that you
set. Note that when you turn off a vacation item, the record remains in the grid,
displaying the date and time that you turned it off.
To set vacation mode
1 On the Alerts screen, click the Set Vacation tab.
2 Click the Vacation Mode selection list and choose one of the options.
The options are:

■ Send notification when vacation over–This option holds all alerts and
sends them when the vacation period ends.
■ Send selected alerts–This option sends only the alerts that you selected
to be delivered for a particular vacation period on the Alerts delivered
during Vacation tab. See “Selecting alerts to be delivered during vacation”
on page 147.

3 Select the date range start and end dates.
4 Click Add.
To edit an existing vacation item
1 In the vacation grid, locate the vacation you want to edit or update, and click
the Edit button on the right.
2 Change the mode and date range as needed using the steps in the previous
procedure.
3 Click Update.
To turn off vacation mode
1 In the vacation grid, locate the vacation you want to turn off, and click the check
box on the left.
2 Click Turn off.

Using Research
The Research tab gives you access to an assortment of Statistics data and Lookup
Tools.
The Statistics tabs present network conditions captured and reported by DeepSight
Intelligence IDS and firewall sensors, as well as antivirus activity reported by
Symantec's antivirus customers.
The Lookup Tools provide you with avenues for researching specific IP address,
URL/domain, port, MD5/SHA256 hash, and malcode information.
Finally, you have a method of uploading files that you suspect to be infected to
Symantec Security Response.

To modify the Statistics graphs


1 If you want to view another date range, click one of the date range options next
to Select number of days to display. The options are 14, 30, and 90 days.
2 If you want to see a Portable Document Format (PDF) report of a graph, click
the View PDF link below that graph.
3 If you want to enlarge a graph, click the Zoom link above it.
To view Statistics history
1 In the Research page, click the Statistics tab you want to view.
2 Click the History link at the top right of the graph display page.
3 In the Statistics History window, choose a date and click Set.
4 Pick a Generation Time and click Go.
5 To return to the current day statistics, click the Current link at the top right of
the graph display page.

Researching IDS Statistics


The IDS tab presents the top five IDS sensor events in two ways:
■ Events on the rise by the number of sensors reporting
■ Events on the rise by the total number of IP addresses reported
The more sensors seeing an event, the more widespread it is. The more IP addresses
seen participating in an event, the more computers there are taking part in the attack,
or, in the case of a worm, the more infected systems. However, if the charted Events on
the Rise were picked simply by the largest number of sensors reporting or IP addresses
participating, the top five events would be less insightful because they would not
reveal emerging activity.
On both the IDS and Ports tabs is information about the activity in the wild during
the reporting time period. It is presented below the top-five graphs.

Note: The percentages will not add up to 100%. This is because the percentages
displayed are the percentage of the DeepSight Intelligence sensors observing a
particular activity.
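The following Python script is an added example and not code from the portal or from Symantec. Working from constructed sensor observations, it ranks IDS events two ways, by the number of sensors reporting and by growth between two periods, to show why the two rankings differ; the portal does not document its "on the rise" formula, so the growth ratio used here is an assumption. It also computes each event's share of reporting sensors, which is the figure the tables below show, and demonstrates why those percentages do not sum to 100%.

```python
"""Added example (not from the DeepSight portal): rank IDS events by absolute
reach and by growth, from constructed sensor observations."""
from collections import defaultdict

# Constructed observations: (period, sensor_id, event_name). One sensor can
# log several events in a period, so per-event percentages never sum to 100%.
OBSERVATIONS = [
    ("prev", "s1", "SMB scan"), ("prev", "s2", "SMB scan"), ("prev", "s3", "SMB scan"),
    ("prev", "s4", "SMB scan"), ("prev", "s5", "SMB scan"), ("prev", "s6", "SMB scan"),
    ("prev", "s1", "SSH brute force"), ("prev", "s2", "SSH brute force"),
    ("prev", "s7", "New RPC probe"),
    ("curr", "s1", "SMB scan"), ("curr", "s2", "SMB scan"), ("curr", "s3", "SMB scan"),
    ("curr", "s4", "SMB scan"), ("curr", "s5", "SMB scan"), ("curr", "s6", "SMB scan"),
    ("curr", "s1", "SSH brute force"), ("curr", "s2", "SSH brute force"),
    ("curr", "s3", "SSH brute force"),
    ("curr", "s4", "New RPC probe"), ("curr", "s5", "New RPC probe"),
    ("curr", "s6", "New RPC probe"), ("curr", "s7", "New RPC probe"),
    ("curr", "s8", "New RPC probe"),
]


def sensors_per_event(observations, period):
    """Map each event to the set of distinct sensors that reported it in `period`."""
    seen = defaultdict(set)
    for p, sensor, event in observations:
        if p == period:
            seen[event].add(sensor)
    return dict(seen)


def sensor_share(observations, period):
    """Percentage of the period's reporting sensors that saw each event.

    Because one sensor can see several events, these percentages do not sum to 100.
    """
    active = {s for p, s, _ in observations if p == period}
    return {event: 100.0 * len(sensors) / len(active)
            for event, sensors in sensors_per_event(observations, period).items()}


def rank_by_count(observations, period, top=5):
    """Top events by number of sensors reporting: favours established activity."""
    per_event = sensors_per_event(observations, period)
    return sorted(per_event, key=lambda e: len(per_event[e]), reverse=True)[:top]


def rank_by_rise(observations, prev="prev", curr="curr", top=5):
    """Top events by growth in reporting sensors between two periods.

    Assumption of this example: growth = current count / previous count, with a
    previous count of 0 treated as 1 so that brand-new events rank highest.
    """
    before = sensors_per_event(observations, prev)
    now = sensors_per_event(observations, curr)

    def growth(event):
        return len(now[event]) / max(len(before.get(event, ())), 1)

    return sorted(now, key=growth, reverse=True)[:top]


if __name__ == "__main__":
    print("by sensors reporting:", rank_by_count(OBSERVATIONS, "curr"))
    print("on the rise:         ", rank_by_rise(OBSERVATIONS))
    shares = sensor_share(OBSERVATIONS, "curr")
    for event, pct in shares.items():
        print(f"{event:<16} {pct:5.1f}% of sensors")
    print(f"sum of percentages: {sum(shares.values()):.1f}%")
```

With this data the SMB scan tops the count ranking because six of eight sensors still see it, while the RPC probe tops the rise ranking because it went from one sensor to five; the shares (75%, 37.5%, 62.5%) sum to 175%, which is the behaviour the note above describes.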

Top Offending ISPs This table presents the top ten offending Internet service providers
(ISPs). It should be noted, however, that hosts within designated
ISP spaces that are identified as sources may actually be
unsuspecting victims. It is possible that malicious remote users
may have used (or “spoofed”) the identified source address or
compromised that system and then used it to launch attacks. The
percentages of the DeepSight Intelligence Analyzer user base that
have logged attacks from those particular ISPs are displayed.

Top Offending IPs This table presents the top ten attacking IP addresses as reported
by DeepSight Intelligence sensors. The percentages reflect the
portion of the DeepSight Intelligence Analyzer user base reporting
activity from the listed IP addresses. Each IP address is a link to
the IP Lookup page where details of that IP address's activity
are noted. See Using IP lookup.

It should be noted that the host addresses that are identified as
sources may actually be unsuspecting victims. It is possible that
malicious remote users may have used (or spoofed) the identified
source address or compromised that system and used it to launch
attacks. The Top (offending/attacking) IP category is a proven
indicator of a worm infection at the identified address. It also
frequently indicates email spammer activity.

Top Offending Ports This table presents the top ten most commonly attacked ports. It
is indicative of the most frequently attacked services and/or
emerging Trojan patterns. The statistics displayed are percentages
of the DeepSight Intelligence Analyzer user base that logged
attacks against those particular ports in the past two weeks.
Clicking any of the listed ports displays the Port Lookup page. See
Using Port lookup.

Top Source Countries This chart presents the top five offending countries as reported
by DeepSight Intelligence sensors. The statistics displayed are
the percentages of the DeepSight Intelligence Analyzer user base
that actually logged attacks from those particular countries. Top
Source Countries statistics are generated from DeepSight
Intelligence data culled within the last two weeks.

Top Destination Countries This table presents the top five victim countries. Statistics displayed
are percentages of the DeepSight Intelligence Analyzer user base
that are most frequently under attack categorized by country. Top
Destination Countries statistics are generated from DeepSight
Intelligence data culled within the last two weeks.

Top Attacked Products This table presents the top ten most frequently attacked
commercial or freeware products. The statistics displayed are
percentages of the DeepSight Intelligence Analyzer user base that
has logged attacks against those products in the past 24 hours.
Attacked Products statistics are generated from DeepSight
Intelligence data culled within the last two weeks.

Researching Ports Statistics


The Ports tab displays only firewall sensor data from the last two weeks. It presents
the top five events in two ways:
■ Ports on the rise by the number of sensors reporting
■ Ports on the rise by the total number of IP addresses reported
The more sensors seeing an event, the more widespread it is. The more IPs seen
participating in an event, the more computers there are using the attack, or in the
case of a worm, the more infected systems. However, if the ports on the rise were
picked simply by the largest number of sensors reporting or IP addresses
participating, the top five ports would be less insightful because they would not
reveal emerging activity.
On both the IDS and Ports tabs is information about the activity in the wild during
the two week reporting time period. It is presented below the top five graphs. See
Researching IDS Statistics for the additional list descriptions.

Researching Antivirus Statistics


The Antivirus page presents the top five threats in the previous two weeks. These
charts are derived from Symantec's AV Ping system in our consumer antivirus
product. The chart is a good indicator of malicious code propagation. While dozens
of new examples of malicious code are discovered every week, most fail to
propagate. When a malicious code appears within the top five graphs, it is
propagating successfully and potentially presents a threat to your infrastructure.

Note: The charts are updated every two hours.

Viewing Analyst Watch content


The Analyst Watch tab combines the Current ThreatCon Level and the Current
Analyst Watch List.

ThreatCon
ThreatCon is the DeepSight Intelligence rating of conditions in the wild. The
ThreatCon level is a scale of 1 (low) to 4 (extreme). The rating suggests an
appropriate security posture based on network conditions. DeepSight Intelligence
Threat Analysts set the value based on conditions reported by DeepSight Intelligence
sensors and their evaluations of intelligence gathered during the previous day.
The Current ThreatCon Level display includes:
■ The ThreatCon graphic for the appropriate threat level
■ An explanation of the reason for the ThreatCon rating
■ A link to the Daily Report
The four ThreatCon levels are described in Table 11-15.

Table 11-15 ThreatCon Levels

ThreatCon Level Description

Level 1 - Normal (Basic Network Posture) This condition applies when there is no discernible network
incident activity and no malicious code activity with a
moderate or severe risk rating. Under these conditions, only
a routine security posture, designed to defeat normal network
threats, is warranted. Automated systems and alerting
mechanisms should be used.

Level 2 - Elevated (Increased alertness) This condition applies when knowledge or the expectation of
attack activity is present without specific events occurring,
or when malicious code reaches a moderate risk rating. Under
this condition, a careful examination of vulnerable and
exposed systems is appropriate, security applications should
be updated with new signatures and/or rules as soon as they
become available, and careful monitoring of logs is
recommended. No changes to the actual security infrastructure
are required.

Level 3 - High (Known threat) This condition applies when an isolated threat to the
computing infrastructure is currently underway or when
malicious code reaches a severe risk rating. Under this
condition, increased monitoring is necessary, security
applications should be updated with new signatures and/or
rules as soon as they become available, and redeployment
and reconfiguration of security systems is recommended.
People should be able to maintain this posture for a few
weeks at a time, as threats come and go.

Level 4 - Extreme (Full alert) This condition applies when extreme global network incident
activity is in progress. Implementation of measures in this
Threat Condition for more than a short period probably will
create hardship and affect the normal operations of network
infrastructure.

Note: Symantec's DeepSight Intelligence Threat Analyst Team has never issued a
Level 4 ThreatCon alert.

Current Watch List


The Current Analyst Watch List portion of the Analyst Watch tab displays the most
interesting firewall and IDS sensor activity plotted over a two-day period, along with
the DeepSight Intelligence Threat Analyst's comments. When the threat analysts
are watching an IDS event, the system generates four graphs based on IDS data.
When a port is watched, eight graphs of both IDS and firewall data are generated.
The Current Analyst Watch List usually consists of one or two significant activities
identified by the threat analysts, but more activities will be presented when
warranted. The activity and event graphs are accompanied by DeepSight Intelligence
Threat Analyst comments.
The primary graph types are:
■ Sensors Observing an Activity
■ Total Number of Events Observed
■ IP Addresses Originating an Activity
■ Cumulative IP Addresses
These graph types are plotted separately for firewalls and IDS sensors. Whenever
an Analyst Watch involves multiple ports each group of graphs is labeled with the
relevant port value.
The title of the Analyst Watch serves as a link to more information about the activity
being watched based on its port number. The Port Lookup page displays malicious
code and vulnerability references and a graph of the activity.

Using IP lookup
Symantec collects a vast amount of intelligence about observed security-related
online behavior. Much of this intelligence includes the offender’s IP address used
as part of the attack.
Offender behavior (also known as attack categories or activity types) falls into the
following categories:
■ Attack: Includes observations of attempted vulnerability exploitation, as well as
Denial of Service attempts
■ Botnet: Indicates that the IP address has been seen participating in a bot
command and control (C&C) structure or has been seen participating in bot-like
activity
■ CnC: Indicates that the IP address has been seen hosting a botnet C&C channel
■ Fraud: Indicates that the IP address has been used to defraud or otherwise fool
a victim into disclosing sensitive information or spending money via methods
that do not rely upon malicious behavior such as phishing, malware, vulnerability
exploitation, or outright theft
■ Malware: Includes observations of attempted propagation, distribution, or seeding
of malicious code
■ Phish: Includes observations of IP addresses that are phishing hosts
■ Spam: Indicates that the IP address has been observed sending spam
The IP Lookup Tool enables you to discover reputation, activity, ownership, and
location information for an IP address if the data is available.
IP addresses must be in IPv4 format.
To look up an IP address
1 Click the Research tab.
2 Under Lookup Tools, click the IP tab.
3 Type an IP address in IPv4 format (for example, 10.1.1.1).
4 Press Enter or click Go.
If data is available, the IP address detail page shows the following information. The
behavior-specific page area populates with different sets of information depending
on the behavior observed.
Ownership:
■ Organization: The organization registered as owning the IP address
■ Industry: The organization's industry, extrapolated from the NAICS or the ISIC
■ NAICS: The organization's North American Industry Classification System code
■ ISIC: The organization's International Standard Industrial Classification code
■ Country: The country where the IP address's owner is registered
■ ASN: Autonomous System Number
■ Carrier: The company providing the internet service (the ISP)
■ Connection Type: The internet connection method that the IP address uses
Datafeed:
■ First listed: The date that the threat first appeared in the datafeed
■ Last listed: The date that the threat last appeared in the datafeed
■ Reputation: A summary of ratings indicating the threat level that the IP address
poses on an increasing scale of 1 to 10
■ Hostility: The threat's observed activity level on an increasing scale of 1 to 5
■ Confidence: Symantec's confidence in the information's validity on an increasing
scale of 1 to 5
■ Consecutive days listed: The number of consecutive days that the IP address
has remained listed
■ Days seen in the last 90 days
Behavior-specific details, if any:
■ First observed: The date that the GIN first observed the activity
■ Last observed: The date that the GIN last observed the activity
■ Unique events observed over the last 90 days: Depending on the behavior
observed, information in this part of the screen also includes attack names,
attack categories, activity descriptions, unique domain count, domain name,
URL count, and the URL associated with the IP address

Note: You can use the IP Lookup Tool to determine if troublesome IP addresses
extracted from your logs are also found within the DeepSight Intelligence database.
The utility may not find information on your requested IP address. Lack of search
results can be attributed to the vastness of the IP address space or the possibility
of an attacker focused on a specific IP address, a range of IP addresses, or a
specific site.
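The following Python script is an added example for this section, not code from the guide or from Symantec. It shows the local half of the workflow the note describes: pulling source addresses out of firewall log lines, keeping only syntactically valid IPv4 values (the only form the IP Lookup Tool accepts), de-duplicating them, and checking them against a small reputation table whose fields mirror the ones listed above. The log lines, the table entries and its layout are constructed for illustration.

```python
"""Triage source IPs from firewall logs against a local reputation table.

Added example for this guide; not Symantec's code. SAMPLE_LOG and
REPUTATION are constructed for illustration, and the reputation fields
simply mirror the ones the guide lists for the IP Lookup Tool
(reputation 1-10, hostility 1-5, confidence 1-5, observed behaviors).
"""
import ipaddress
import re

# Constructed firewall log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
2014-03-01T10:02:11Z DENY src=203.0.113.45 dst=192.0.2.10 dport=22
2014-03-01T10:02:15Z DENY src=203.0.113.45 dst=192.0.2.10 dport=3389
2014-03-01T10:03:07Z ALLOW src=198.51.100.7 dst=192.0.2.25 dport=443
2014-03-01T10:04:40Z DENY src=2001:db8::1 dst=192.0.2.10 dport=22
2014-03-01T10:05:02Z DENY src=999.1.1.1 dst=192.0.2.10 dport=22
2014-03-01T10:06:30Z ALLOW src=192.0.2.77 dst=192.0.2.25 dport=443
"""

# Constructed reputation table keyed by IPv4 address (hypothetical entries).
REPUTATION = {
    "203.0.113.45": {"reputation": 8, "hostility": 4, "confidence": 5,
                     "behaviors": ["Attack", "Bot"]},
    "198.51.100.7": {"reputation": 3, "hostility": 1, "confidence": 2,
                     "behaviors": ["Spam"]},
}

_SRC_RE = re.compile(r"\bsrc=(\S+)")


def extract_source_ipv4(log_text):
    """Return unique, syntactically valid IPv4 source addresses in first-seen order.

    IPv6 and malformed values (such as an octet above 255) are skipped,
    because the IP Lookup Tool only accepts IPv4 input.
    """
    found = []
    for line in log_text.splitlines():
        match = _SRC_RE.search(line)
        if not match:
            continue
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # not an IP address at all
        if addr.version != 4:
            continue  # IPv6 is not accepted by the lookup tool
        text = str(addr)
        if text not in found:
            found.append(text)
    return found


def triage(ips, table):
    """Split addresses into those present in the table and those absent.

    Returns (listed, unknown). 'listed' pairs each address with its entry,
    most hostile first. An address in 'unknown' is not thereby benign; the
    guide notes that absence from the database is a common outcome.
    """
    listed = [(ip, table[ip]) for ip in ips if ip in table]
    listed.sort(key=lambda item: (item[1]["hostility"], item[1]["confidence"]),
                reverse=True)
    unknown = [ip for ip in ips if ip not in table]
    return listed, unknown


if __name__ == "__main__":
    listed, unknown = triage(extract_source_ipv4(SAMPLE_LOG), REPUTATION)
    for ip, entry in listed:
        print(f"{ip}: reputation {entry['reputation']}/10, "
              f"hostility {entry['hostility']}/5, confidence {entry['confidence']}/5, "
              f"behaviors {', '.join(entry['behaviors'])}")
    print("not in table (still worth a manual lookup):", unknown)
```

The IPv6 and out-of-range entries are dropped before any lookup is attempted, which is the same constraint the portal enforces; the unknown list is reported separately rather than silently discarded, since, as the note says, a miss tells you nothing about the address.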

Using URL/domain lookup

The URL/Domain Lookup Tool enables you to discover ownership, reputation,
activity, and associated IP address information for a URL/domain, if the data is
available.
The attack categories are the same as those listed in the previous section, with URL/domain substituted for IP address.
To look up a URL
1 Click the Research tab.
2 Under Lookup Tools, click the URL/Domain tab.
3 Type a valid URL/domain (for example, www.symantecexample.com).
4 Press Enter or click Go.
If data is available, the URL/domain detail page shows the following information.
The behavior-specific page area populates with different sets of information
depending on the behavior observed.
Ownership:
■ Registrar name: The name of the company that records the registration
■ Organization: The organization registered as owning the domain
Note: An organization entry of WHOISGUARD, INC. denotes that the company WhoisGuard, Inc. was hired to mask the true organization. No further detail is obtainable in such cases.
■ Contact name: The domain owner's designated contact person
■ Contact email: The contact person's registered email address
■ City: The city portion of the domain owner's registered address
■ State: The state portion of the domain owner's registered address
■ Country: The country portion of the domain owner's registered address
■ Registration created date: The date that the domain was registered
■ Registration updated date: The date that the domain registration was last
updated
■ Registration expiry date: The date that the domain registration will expire
■ Name servers: The name servers listed in the registration record as being
associated with the domain

Datafeed:
■ First listed: The date that the threat first appeared in the datafeed
■ Last listed: The date that the threat last appeared in the datafeed
■ Reputation: A summary of ratings indicating the threat level that the URL/domain
poses on an increasing scale of 1 to 10
■ Hostility: The threat's observed activity level on an increasing scale of 1 to 5
■ Confidence: Symantec's confidence in the information's validity on an increasing
scale of 1 to 5
■ Consecutive days listed: The number of consecutive days that the domain
has remained listed
■ Days seen in the last 90 days
Behavior-specific details, if any:
■ First observed: The date that the GIN first observed the activity
■ Last observed: The date that the GIN last observed the activity
■ Unique events observed over the last 90 days: Depending on the behavior
observed, information in this part of the screen also includes attack names,
attack categories, activity descriptions, and IP addresses associated with the
URL/domain
The Associated IPs grid lists the IP addresses identified as owning, owned by,
or in some way related to the URL owning organization. Clicking an IP address
link takes you to the lookup page for that address.

Using Port lookup

The Port Lookup Tool lets you search for activity on a specific port using either TCP or UDP for transport.
To look up a port
1 Click the Research tab.
2 Under Lookup Tools, click the Port tab.
3 Type a port number.
4 Choose TCP or UDP transport. TCP is selected by default.
5 Press Enter or click Go.
The page populates with a chart showing two weeks of port activity, as well as a listing of malicious code and vulnerability references associated with the port.

Using MD5/SHA256 lookup

The MD5/SHA256 Lookup Tool lets you search for information on a specific MD5/SHA256 hash.
To look up an MD5/SHA256 hash
1 Click the Research tab.
2 Under Lookup Tools, click the MD5/SHA256 tab.
3 Type or paste an MD5/SHA256 hash.
4 Press Enter or click Go.
The page populates with the associated malcode name, the file size (if known), and the date and time of the last detection.

Note: MD5/SHA256 searches are based on an exact match. Be sure to include the full MD5/SHA256 hash in your query. Caution is recommended even if your suspect file search produces no results: it is possible that your suspect file represents a previously unseen Compromise Profile that is not yet listed in our database.
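As an added example, not part of this guide or Symantec's tooling, the Python script below shows the exact-match behaviour the note warns about on the client side: a digest is normalised (whitespace stripped, lower-cased), rejected outright if it is not a complete 32- or 64-character hex string, and only then compared against an indicator table. The sample bytes and the KNOWN_HASHES table are constructed for illustration and are not real detections; the table is filled from the sample bytes so the example is self-consistent.

```python
"""Exact-match hash lookups against a local indicator table.

Added example for this guide; not Symantec's code. SAMPLE_BYTES and the
KNOWN_HASHES table are constructed for illustration. The point is the one
the note makes: the lookup is an exact match, so a truncated or mistyped
digest is a silent miss, and a miss proves nothing about the file.
"""
import hashlib
import re

_HEX = re.compile(r"^[0-9a-f]+$")
_LENGTHS = {32: "md5", 64: "sha256"}

# Constructed, harmless sample content standing in for a suspect file.
SAMPLE_BYTES = b"constructed sample payload for a documentation example\n"


def digests(data):
    """Return the MD5 and SHA-256 hex digests of a byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def normalize_hash(text):
    """Lower-case and strip a digest; return (kind, digest) or (None, None).

    kind is 'md5' for 32 hex characters and 'sha256' for 64; anything else
    (partial digest, stray characters, wrong length) is rejected so the
    caller cannot mistake a malformed query for a legitimate no-match.
    """
    digest = text.strip().lower()
    if not _HEX.match(digest):
        return None, None
    kind = _LENGTHS.get(len(digest))
    if kind is None:
        return None, None
    return kind, digest


# Hypothetical indicator table: digest -> malcode name. Populated from the
# sample bytes so the example is self-consistent; not real detections.
_sample = digests(SAMPLE_BYTES)
KNOWN_HASHES = {
    _sample["md5"]: "Constructed.Sample",
    _sample["sha256"]: "Constructed.Sample",
}


def lookup(text, table=None):
    """Exact-match lookup.

    Returns (status, name) with status one of 'invalid', 'match' or
    'no-match'; name is None unless status is 'match'.
    """
    table = KNOWN_HASHES if table is None else table
    kind, digest = normalize_hash(text)
    if kind is None:
        return "invalid", None
    name = table.get(digest)
    return ("match", name) if name else ("no-match", None)


if __name__ == "__main__":
    full = digests(SAMPLE_BYTES)["sha256"]
    # Full digest matches; the first 32 characters look like a valid MD5 and
    # silently miss; the first 20 are rejected as malformed.
    for query in (full, full.upper(), full[:32], full[:20]):
        print(f"{query[:16]}...: {lookup(query)}")
```

Distinguishing "invalid" from "no-match" is the useful part: a truncated SHA-256 that happens to be 32 characters long is well-formed as an MD5 and will simply not match, which is exactly the silent failure the note cautions against.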

Using Malcode lookup
The Malcode Lookup Tool enables you to locate details on malicious code.
To look up malcode
1 Click the Research tab.
2 Under Lookup Tools, click the Malcode tab.
3 Type all or part of a malcode name. Type as much of the name as you can to
retrieve a shorter results list.
4 Press Enter or click Go.
5 If you receive a list of related results, click the link for the one you want to
investigate. The results list will remain in case you choose to view details for
other malcode.
The page populates with a chart showing the IP count over time, as well as a
malcode summary and reputation, file type and aliases, and associated MD5 hashes.
Clicking an MD5 hash link takes you to its MD5 lookup page.

Submitting suspect files
This feature lets you send files that you suspect to be infected to Symantec Security
Response. You can send up to nine files per submission.
To upload a suspect file
1 Click the Research tab.
2 Click the Submit Suspect File tab.
3 Complete the form according to the instructions on the page.
4 When you are ready to submit the form, click Send to Symantec Security
Response.

Using Intelligence
The Intelligence page presents analyst journals and Managed Adversary Threat
Intelligence (MATI) reports (with the appropriate license) written by the DeepSight
Intelligence Threat Analyst Team throughout the day. The journals and reports are
posted to the page as they are completed.
To read an analyst journal
1 Click the Intelligence tab.
2 Click the Analyst Journal tab.
3 If desired, filter the journal list by archive or timeframe.
To filter the list by timeframe, click Pick Date Range, choose the range using
the calendar widgets, and click Apply.
4 When you have located the journal you want to read, click its title. When you
are finished reading the journal, click Back located in the upper right of the title
bar.
To search for an analyst journal
1 Click the Intelligence tab.
2 Click the Analyst Journal tab.
3 On the left, above Archive, click the Search text box and type your search
term.
4 Press Enter.
To read a MATI report
1 Click the Intelligence tab.
2 Click the MATI Reports tab.
3 If desired, filter the report list by archive, timeframe, threat score, threat domain,
or targeted industries.
To filter the list by timeframe, click Pick Date Range, choose the range using
the calendar widgets, and click Apply.
4 When you have located the report you want to read, click its title. When you
are finished reading the report, click Back located in the upper right of the title
bar.
To search for a MATI report
1 Click the Intelligence tab.
2 Click the MATI Reports tab.
3 On the left, above Archive, click the Search text box and type your search
term.
4 Press Enter.

Using Datafeeds
The Datafeeds tab displays the files for the various feeds that your client has
requested, as well as the files that are available for download.

Note: This feature requires the purchase of one or more separate licenses. See
“Assigning or unassigning DeepSight Intelligence licenses” on page 34.

The page displays one or more of the following tabs, shown on the left of the page,
based on your account configuration:
■ Common Data: This datafeed provides data that is contained in a number of
tables that are related to the vulnerability and security risks datafeeds. It is
intended to limit the number of updates sent as the result of changes within
secondary linking tables; it also facilitates change management of the databases.
■ Security Risk: This datafeed provides real-time visibility into emerging threats
including malcode, adware, and spyware. It includes threat descriptions and
prevalence/risk/urgency ratings, along with associated disinfection techniques
and mitigation strategies.
■ Vulnerability: This datafeed provides real-time visibility into vulnerabilities
impacting nearly 105,000 technologies from more than 14,000 vendors. It
includes detailed descriptions, impacted systems, Security Content Automation
Protocol (SCAP) identifiers, ratings, and attack scenarios, along with information
on the availability of exploits and solutions.
■ IP Reputation: This datafeed lists the most malicious IP addresses identified by Symantec's Global Intelligence Network (GIN), along with the malicious activities (attack, bot, CnC, fraud, malware, phish, and spam) and hostility/confidence ratings associated with each. Feeds are available in XML, CSV, and CEF formats.
■ URL Reputation: This datafeed identifies the most malicious domains/URLs
identified by GIN, along with the malicious activities (attack, bot, CnC, fraud,
malware, phish, and spam) and hostility/confidence ratings associated with
each. Feeds are available in XML, CSV, and CEF formats.
■ Advanced IP Reputation: This datafeed collection identifies the most malicious IP addresses identified by GIN, with a separate datafeed for each activity: Attack, Bot, CnC, Fraud, Malware, Phishing, and Spam. Each datafeed is available in XML, CSV, and CEF formats.
■ Advanced Domain/URL Reputation: This datafeed collection identifies the most malicious domains/URLs identified by GIN, with a separate datafeed for each activity: Attack, CnC, Fraud, Malware, and Phishing. Each datafeed is available in XML, CSV, and CEF formats.
■ User Audit Log: This feature displays a 30-day history of your datafeeds usage for a date range that you specify.
Use the Datafeeds Access Tools area to view or download the following:
■ Web Service URL: This tab displays the URL where you can view the Datafeeds
service description (WSDL) and supported operations.
■ Documents: This tab lets you download the datafeed description documentation,
which includes instructions on setting up and using the Datafeed Client Tool.
■ Integrations: This tab lets you download documentation describing how to
integrate feed data into other applications (for example, ArcSight).
■ Tools: This tab lets you download the Datafeed Client Tool.
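The following Python script is an added example for this section; it is not part of this guide and is not the Datafeed Client Tool. It shows one way a consumer might process an IP reputation export after downloading it. The column layout and the rows are constructed for illustration (the real feed schema is defined in the datafeed description documentation available under Documents): the script parses the rows into typed records, applies hostility and confidence thresholds, ages out entries whose last-listed date is old, and splits the result into per-activity lists of the kind the Advanced IP Reputation feeds deliver as separate files.

```python
"""Load a reputation feed export and cut it into per-activity lists.

Added example for this guide; not Symantec's code and not the Datafeed
Client Tool. The column layout is an assumption for illustration (the real
schema is in the datafeed description documentation) and FEED_CSV is
constructed data. What it shows: typed parsing, a hostility/confidence
cut-off, ageing out entries that have not been listed recently, and the
per-activity split that the Advanced IP Reputation feeds deliver as
separate files.
"""
import csv
import io
from datetime import date, timedelta

# Constructed CSV export (assumed columns; documentation address ranges only).
FEED_CSV = """\
ip,activity,hostility,confidence,first_listed,last_listed,consecutive_days
203.0.113.45,Attack,4,5,2014-02-10,2014-03-01,20
203.0.113.45,Bot,3,4,2014-02-20,2014-03-01,10
198.51.100.7,Spam,1,2,2014-01-05,2014-01-20,3
198.51.100.9,CnC,5,5,2014-02-28,2014-03-01,2
192.0.2.200,Phish,4,3,2013-11-01,2013-12-15,12
"""

# The seven activities the guide lists for the IP Reputation feed.
ACTIVITIES = ("Attack", "Bot", "CnC", "Fraud", "Malware", "Phish", "Spam")


def parse_feed(text):
    """Parse the CSV text into typed records, skipping rows with an unknown activity."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["activity"] not in ACTIVITIES:
            continue
        records.append({
            "ip": row["ip"],
            "activity": row["activity"],
            "hostility": int(row["hostility"]),
            "confidence": int(row["confidence"]),
            "first_listed": date.fromisoformat(row["first_listed"]),
            "last_listed": date.fromisoformat(row["last_listed"]),
            "consecutive_days": int(row["consecutive_days"]),
        })
    return records


def select(records, today, min_hostility=3, min_confidence=3, max_age_days=30):
    """Keep records at or above both rating thresholds and listed within max_age_days.

    Ageing matters because an address that dropped out of the feed weeks
    ago may since have been re-assigned; blocking it would hit its new owner.
    """
    cutoff = today - timedelta(days=max_age_days)
    return [r for r in records
            if r["hostility"] >= min_hostility
            and r["confidence"] >= min_confidence
            and r["last_listed"] >= cutoff]


def split_by_activity(records):
    """Return {activity: sorted unique IPs}, one list per activity present."""
    out = {}
    for r in records:
        out.setdefault(r["activity"], set()).add(r["ip"])
    return {act: sorted(ips) for act, ips in out.items()}


def build_blocklists(text, today_iso, **thresholds):
    """Parse, filter and split in one call; today_iso is 'YYYY-MM-DD'."""
    kept = select(parse_feed(text), date.fromisoformat(today_iso), **thresholds)
    return split_by_activity(kept)


if __name__ == "__main__":
    # Constructed reference date for the sample feed.
    for activity, ips in sorted(build_blocklists(FEED_CSV, "2014-03-02").items()):
        print(f"{activity}: {', '.join(ips)}")
```

With the default thresholds the low-confidence Spam entry and the Phish entry not listed since December are both left out; lowering the thresholds and widening the age window brings them back, which is the knob a consumer tunes between false positives and coverage.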

Feed details
Each feed's details tab is divided into two sections:
■ Files Requested
■ Files Available
The Files Requested portion populates when your datafeeds client requests records.
The Files Requested area can then be compared with the Files Available area as
a visual indicator of possible discrepancies in your database.
Table 11-16 Files Requested

Column name or component: Description

SequenceNo: Displays the sequence number assigned to the feed.
ParentSequenceNo: Displays the sequence number of the parent feed when a parent-child relationship exists.
FileName: The name of the zip file containing the feed.
Active: Identifies whether a file is currently being downloaded or is requested and awaiting download. The possible values are True and False.
Baseline: Identifies whether a feed file delivers a baseline of the database. The possible values are True and False. Note: Baseline files can be quite large.
Published: Identifies whether a record has already been issued as an alert. The possible values are True and False.
Date: Displays the date and time the record was requested.
Total Records: Displays the total number of records available.

The Files Available portion lists files that your datafeeds client has not requested.

Table 11-17 Files Available

Column name or component: Description

SequenceNo: Displays the sequence number assigned to the feed.
FileName: Displays the name of the compressed file containing the feed.
Baseline: Identifies whether a feed file delivers a baseline of the database. The possible values are True and False. Note: Baseline files can be quite large.
Page numbers: Page numbers appear when your list of files available exceeds the number of files that can comfortably fit on the page. Clicking a page number allows you to see the other pages.
Total Records: Displays the total number of records available.
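The guide suggests comparing the Files Requested and Files Available areas by eye for discrepancies. The Python script below is an added example, not code from the guide or from the Datafeed Client Tool, that performs the same comparison on two constructed lists shaped like Tables 11-16 and 11-17 (SequenceNo, ParentSequenceNo, FileName, Active, Baseline, Published): it finds gaps in the requested sequence numbers, available files that were never requested, child files whose parent was never requested, and downloads still marked active. The sequence numbers and file names are hypothetical.

```python
"""Reconcile Files Requested against Files Available for a datafeed.

Added example for this guide; not Symantec's code and not the Datafeed
Client Tool. REQUESTED and AVAILABLE are constructed to mirror the columns
of Tables 11-16 and 11-17; the sequence numbers and file names are
hypothetical.
"""

# Constructed "Files Requested" rows.
REQUESTED = [
    {"SequenceNo": 1000, "ParentSequenceNo": None, "FileName": "vuln_1000.zip",
     "Active": False, "Baseline": True, "Published": True},
    {"SequenceNo": 1001, "ParentSequenceNo": 1000, "FileName": "vuln_1001.zip",
     "Active": False, "Baseline": False, "Published": True},
    {"SequenceNo": 1003, "ParentSequenceNo": 1002, "FileName": "vuln_1003.zip",
     "Active": False, "Baseline": False, "Published": True},
    {"SequenceNo": 1004, "ParentSequenceNo": 1003, "FileName": "vuln_1004.zip",
     "Active": True, "Baseline": False, "Published": False},
]

# Constructed "Files Available" rows (files the client has not requested).
AVAILABLE = [
    {"SequenceNo": 1002, "FileName": "vuln_1002.zip", "Baseline": False},
    {"SequenceNo": 1005, "FileName": "vuln_1005.zip", "Baseline": False},
    {"SequenceNo": 1006, "FileName": "vuln_1006.zip", "Baseline": True},
]


def sequence_gaps(requested):
    """Sequence numbers missing between the lowest and highest requested."""
    seqs = sorted(r["SequenceNo"] for r in requested)
    if not seqs:
        return []
    present = set(seqs)
    return [n for n in range(seqs[0], seqs[-1] + 1) if n not in present]


def unrequested_available(requested, available):
    """Available files the client has not asked for, lowest sequence first."""
    have = {r["SequenceNo"] for r in requested}
    return sorted((a["SequenceNo"], a["FileName"]) for a in available
                  if a["SequenceNo"] not in have)


def orphaned_children(requested):
    """Requested files whose ParentSequenceNo was itself never requested.

    Applying a child update without its parent is the kind of discrepancy
    the side-by-side view is meant to reveal.
    """
    have = {r["SequenceNo"] for r in requested}
    return [r["SequenceNo"] for r in requested
            if r["ParentSequenceNo"] is not None and r["ParentSequenceNo"] not in have]


def still_active(requested):
    """Sequence numbers whose download is in progress or still pending."""
    return [r["SequenceNo"] for r in requested if r["Active"]]


def reconcile(requested, available):
    """Single summary dict suitable for an operator or a monitoring check."""
    return {
        "gaps": sequence_gaps(requested),
        "unrequested": unrequested_available(requested, available),
        "orphans": orphaned_children(requested),
        "active": still_active(requested),
        "baselines_available": [a["SequenceNo"] for a in available if a["Baseline"]],
    }


if __name__ == "__main__":
    for key, value in reconcile(REQUESTED, AVAILABLE).items():
        print(f"{key}: {value}")
```

In the constructed data, sequence 1002 is offered but was never pulled, and 1003 was applied on top of it, which is the situation an operator would want flagged before trusting the local copy of the database; the baseline entry is listed separately because the guide notes those files can be large.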

User Audit Log

The User Audit Log tab displays a 30-day history of your datafeeds usage on login. The date range displayed can be modified to suit your needs.

Table 11-18 User Statistics and Actions table

Column name or component: Description

User Activity Start Date: Designates the first date that user actions should be displayed. It allows you to extend or narrow the display of user actions.
User Activity End Date: Designates the last date that user actions should be displayed. It allows you to extend or narrow the display of user actions.
Calendar icon: Use the calendar icon to set a date in either the User Activity Start Date or the User Activity End Date.
Submit button: Submits the requested User Activity Date range.
Login Location: Identifies the web service utilized.
Method Invoked: Displays the web method invoked by your web service client to retrieve data.
Date: The date of the activity.
Page numbers: Page numbers appear when your list of actions exceeds the number of actions that can comfortably fit on the page. Clicking a page number allows you to see the other pages.
Total Records: Displays the total number of user actions for the User Activity date range.

Using Custom Reports
The DeepSight Intelligence reporting engine allows an organization's internal threat
analysts to take full advantage of the DeepSight Intelligence events database just
as the Threat Analysts do. You can customize any of the pre-configured reports to
mine the DeepSight Intelligence database or, for some reports, Symantec's Global
Intelligence Network (GIN) database, and extract actionable intelligence that is
specific to your organization's environment.

Note: The Custom Reports module is an add-on product for the DeepSight
Intelligence portal. The Custom Reports tab only appears if you have purchased
the add-on license for it.

To view recently run reports or scheduled reports
1 Click the Custom Reports tab.
2 In either list, Recently Run Reports or Scheduled Reports, click the report
title link.

Report categories
The left side of the Custom Reports page displays the list of available reports
separated into four categories:
■ Summary Reports
■ Analysis Reports
■ Other Reports
■ Malicious Code Reports
Each report type is designed to tell a story from a particular perspective that is
drawn from the DeepSight Intelligence or GIN database of IDS and/or firewall events.
In the case of Malicious Code reports, the data is drawn from Symantec's AV Ping
system.
Each report type in a report category links to a reports wizard that is pre-configured
for the report, but that can be customized by you. The reports wizard only presents
options that are relevant to the report type you are configuring. In most cases you
can submit the report after giving it a name.
Each type of report is explained in the report category tables below.

Summary Reports
These are general reports derived from reporting IDS and/or firewall sensors. The descriptions for Summary Report types are in Table 11-19.

Table 11-19 Summary Report Descriptions

Report Type: Explanation

Event Summary: This report provides a breakdown of event activity observed by DeepSight Intelligence sensors. The Event Summary is helpful in determining which events are the most prominent and the history of these events. This report consists of a bar graph depicting up to ten IDS events matching your search criteria and a series of up to five trend graphs depicting the historical trend activity of each event. If you choose to include data from your own IDS systems, it is overlaid onto the global data.
Port Summary: The Port Summary report provides a breakdown of port activity observed by DeepSight Intelligence sensors. It is helpful in determining which ports are being targeted and the trend of this activity. This report consists of multiple pages if both IDS and firewall events were provided and selected, or a single page if only one of these event types has been provided or selected. This report consists of the following elements:
■ An intrusion detection system summary provides a summary of port activity observed by DeepSight Intelligence IDS sensors. It consists of a bar graph depicting up to ten ports matching your search criteria and a series of up to five trend graphs depicting historical trend activity targeting each port. If you choose to include data from your own IDS systems, it will be overlaid onto the global data.
■ A firewall system summary provides a summary of port activity observed by DeepSight Intelligence firewall sensors. It consists of a bar graph depicting up to ten ports matching your search criteria and a series of up to five trend graphs depicting historical trend activity targeting each port. If you choose to include data from your own firewall systems, it will be overlaid onto the global data.

Category Summary: The Category Summary report provides a breakdown of event activity by the category or class of events that are being observed by DeepSight Intelligence sensors. This consists of a bar graph depicting the cumulative activity for each selected category over the selected period of time and a series of up to ten trend graphs depicting historical trend activity for each category. Each associated trend graph is accompanied by a listing of the top event types within each category and the number of occurrences of each event type observed over the selected period of time.

Target Product Summary: The Target Product Summary report provides a breakdown of the products and applications that are being targeted, as observed by DeepSight Intelligence sensors. This report consists of a bar graph depicting the cumulative activity against each specific product over the selected period of time and a series of up to ten trend graphs depicting historical trend activity for each product. Each associated trend graph is accompanied by a listing of the top event types targeting each product and the number of occurrences of each event type observed over the selected period of time.
Origin Summary: The Origin Summary provides a breakdown of where global events are originating. It is helpful in determining who is targeting DeepSight Intelligence sensors and the trend of attack activity from each source. This report depicts both IDS and firewall activity if events were provided and selected, or only one of these if only one of these event types has been provided or selected. This report consists of the following elements:
■ A top originating IP(s) listing provides a series of up to five trend graphs depicting the historical trend of activity originating from each individual IP address.
■ A top originating country(s) listing provides a series of up to five trend graphs depicting the historical trend of activity originating from each individual country. It should be noted that while in many cases the IP addresses in this report are considered to be reliable, other information may occasionally not be. The originating party is determined by querying publicly accessible information sources such as DNS, Domain Name Registrars, and WHOIS servers. These information sources have, in some cases, been known to contain inaccurate information due to the difficulty in keeping them current.

Destination Summary: The Destination Summary report provides an overview of the demographics being affected by events reported to the portal. This report consists of the following elements, for both IDS event data and firewall event data, if selected:
■ A trend graph depicting historical activity targeting up to five affected countries.
■ A trend graph depicting historical activity targeting up to five affected industries.
■ A trend graph breaking historical event activity into organizations of various revenue categories.
■ A trend graph breaking historical event activity into organizations of various employee base size categories.

Analysis Reports
Analysis Reports are based on reports from IDS and/or firewall sensors. The
descriptions for Analysis Report types are in Table 11-20.
Table 11-20 Analysis Report Descriptions

Report Type: Explanation

IP Analysis: This IP Analysis report provides insight into the activity of a single IP address that is observed by DeepSight Intelligence sensors. This report consists of a number of components that reflect the activity, habits, and applications that the IP address is targeting. In correlating a number of these data points, this report presents the origin of the attacker, and the vulnerabilities and services targeted by the attacker. This report consists of the following elements:
■ An overview component that presents a number of data points identifying the originating offender. Of interest are the number of other DeepSight Intelligence users who have observed events from this attacker, and the number of DeepSight Intelligence users who have notified the offending contact about the attacker.
■ A contact information component that presents contact information for the offending attacker's domain, the ISP, and the upstream provider. All of this information provides assistance in contacting and resolving activity originating from the IP address. It should be noted that while in many cases the IP addresses are considered to be reliable, other information may not be. The originating party is determined by querying publicly accessible information sources such as DNS, Domain Name Registrars, and WHOIS servers. These information sources have, in some cases, been known to contain inaccurate information due to the difficulty in keeping them current.
■ An IDS event and port summary provide a history of event and port activity originating from the IP address. They provide a breakdown of the top IDS events and port activity that has been observed from DeepSight Intelligence sensors from this IP address. The IDS Port Summary section may display activity that does not have a corresponding event in the Event Summary section. This is because certain events, considered to be prone to false positives, are excluded from the Event Summary section.
Event Analysis: This event analysis report provides a detailed analysis of activity surrounding a specific event. The report provides a history of event activity. It outlines who is conducting the activity and who is targeted. This report consists of the following elements:
■ A description of the event is given, providing insight into its meaning and cause.
■ A series of graphs depict activity targeting this port as seen by DeepSight Intelligence sensors. This includes the number of sensors seeing the activity, the number of events seen, and the number of unique IP addresses originating the activity during the time period.
■ An info section provides a summary of total activity seen during the time period along with a listing of the top event signatures that are contributing to this activity.
■ A series of tables provide a listing of the top contributing source IP addresses and source countries, to determine the origin of this activity, along with a listing of demographics affected by this activity.
■ A summary of vulnerabilities associated with the port activity is provided, with associated links.

Port Analysis: This port analysis report provides a detailed analysis of activity surrounding a specific port. The report provides a history of activity targeting the chosen port. It outlines who is originating the activity, and who is targeted. This report consists of the following elements, for both IDS event data and firewall event data, if selected:
■ A description of the port is given, providing insight into its meaning and cause.
■ A series of graphs depict activity for this event as seen by DeepSight Intelligence sensors. This includes the number of sensors seeing the activity, the number of events seen, and the number of unique IP addresses originating the activity during the time period.
■ An info section provides a summary of total activity seen during the time period along with a listing of the top IDS signatures that are contributing to this activity.
■ A series of tables provide a listing of the top contributing source IP addresses and source countries, to determine the origin of this activity, along with a listing of demographics affected by this activity.
■ A summary of vulnerabilities associated with the port activity is provided, as are associated links.
Other Reports
These reports are based on data derived from IDS and/or firewall sensors. The descriptions for other report types are in Table 11-21.

Table 11-21 Other Report Descriptions

Report Type: Explanation

Originating IPs: The Originating IPs report provides a summary of the top IPs from which activity was observed by DeepSight Intelligence sensors. This report consists of the following elements:
■ A pie or bar graph reflecting the cumulative amount of activity observed from the top matching IPs over the chosen period of time.
■ A set of graphs depicting historical trend activity for the top matching IP addresses. This includes the number of sensors observing events from each IP address and the number of events that were observed to be originating from each IP address.

Associated Ports: The Associated Ports report displays the most common source ports that have been observed targeting a specific destination port. This report consists of the following elements:
■ A pie or bar graph reflecting the cumulative amount of activity observed from each matching source port.
■ A set of graphs depicting historical trend activity for the top matching source ports. This includes the number of sensors observing events from each source port, the number of events seen originating from each source port, and the unique number of source IP addresses observed originating activity from each source port.

Originating ISP: The Originating ISP report provides a summary of the top ISPs from which activity was observed by DeepSight Intelligence sensors. This report consists of the following elements:
■ A pie or bar graph reflecting the cumulative amount of activity observed from the top matching ISPs over the chosen period of time.
■ A set of graphs depicting historical trend activity for the top matching ISPs. This includes the number of sensors observing events from each ISP, the number of events that were observed, and the unique number of source IP addresses that were observed to be originating from each ISP.
Source IP Infection Rate: The Source IP Infection Rate report provides a breakdown of the number of originating source IP addresses for the chosen criteria. This indicates the rate of spread of a particular threat. In the case of a specific event related to a worm, it can also serve as an indicator of the number of infected systems. This report consists of the following elements:
■ A graph depicting the number of unique IP addresses seen per hour. This provides an indicator as to how many unique systems are originating the activity or are infected, on an hourly basis.
■ A graph depicting the cumulative number of IP addresses seen since the report start date. This indicates the total number of unique systems that have originated the activity or the total number of systems infected since the report start date. This is contrasted with the number of new infections seen on an hourly basis.
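The two series this report draws, as an added Python example that is not code from the guide or from the reporting engine: given a constructed list of (timestamp, source IP) observations for one hypothetical signature, the script computes the distinct sources active in each hour, the running total of distinct sources since the first observation, and the per-hour count of sources seen for the first time, which is the "new infections per hour" figure the cumulative graph is contrasted with. The timestamps and addresses are constructed.

```python
"""Hourly and cumulative unique-source counts for one signature.

Added example for this guide; not Symantec's code. EVENTS is a constructed
list of (ISO timestamp, source IP) observations matching one hypothetical
signature. It reproduces the two series the Source IP Infection Rate
report describes, plus the new-sources-per-hour figure derived from them.
"""
from datetime import datetime

# Constructed observations (documentation address range, not real traffic).
EVENTS = [
    ("2014-03-01T00:05:00", "203.0.113.10"),
    ("2014-03-01T00:20:00", "203.0.113.11"),
    ("2014-03-01T00:40:00", "203.0.113.10"),  # repeat within the hour
    ("2014-03-01T01:10:00", "203.0.113.12"),
    ("2014-03-01T01:50:00", "203.0.113.10"),  # seen again: active, not new
    ("2014-03-01T02:30:00", "203.0.113.13"),
    ("2014-03-01T02:35:00", "203.0.113.14"),
    ("2014-03-01T02:59:00", "203.0.113.12"),
]


def _hour_key(ts):
    """Truncate an ISO timestamp to the start of its hour."""
    return datetime.fromisoformat(ts).replace(minute=0, second=0,
                                              microsecond=0).isoformat()


def unique_sources_per_hour(events):
    """[(hour, count)]: distinct sources active in each hour, in time order."""
    buckets = {}
    for ts, ip in sorted(events):
        buckets.setdefault(_hour_key(ts), set()).add(ip)
    return [(hour, len(ips)) for hour, ips in buckets.items()]


def cumulative_unique_sources(events):
    """[(hour, total)]: running total of distinct sources since the first event."""
    seen = set()
    out = []
    current_hour = None
    for ts, ip in sorted(events):
        hour = _hour_key(ts)
        if hour != current_hour:
            if current_hour is not None:
                out.append((current_hour, len(seen)))
            current_hour = hour
        seen.add(ip)
    if current_hour is not None:
        out.append((current_hour, len(seen)))
    return out


def new_sources_per_hour(events):
    """[(hour, new)]: sources that appeared for the first time in each hour.

    This is the hourly series the report contrasts with the cumulative
    total; a source that is active again later does not count again.
    """
    prev = 0
    out = []
    for hour, total in cumulative_unique_sources(events):
        out.append((hour, total - prev))
        prev = total
    return out


if __name__ == "__main__":
    for (hour, active), (_, total), (_, new) in zip(
            unique_sources_per_hour(EVENTS),
            cumulative_unique_sources(EVENTS),
            new_sources_per_hour(EVENTS)):
        print(f"{hour}: active={active} cumulative={total} new={new}")
```

The distinction the code makes explicit is the one a reader can miss in the report: an address that keeps reappearing raises the hourly active count but not the cumulative total, so a flat cumulative line with a steady hourly count means the same infected hosts, not new ones.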

Originating Countries: The Originating Countries report provides a summary of the top countries from which activity was observed by DeepSight Intelligence sensors. This report consists of the following elements:
■ A pie or bar graph reflecting the cumulative amount of activity observed from the top matching countries over the chosen period of time.
■ A set of graphs depicting historical trend activity for the top matching countries. This includes the number of sensors observing events from each country, the number of events observed, and the unique number of source IP addresses that were observed from each country.

Event Time: The Event Time Summary report provides a breakdown of the time frame during which network security events most commonly occur on your network. Knowledge of when these events occur allows for the tracking of historical activity and the allocation of resources for future planning. This report consists of the following elements:
■ The time of day breakdown is displayed as a bar graph depicting the average cumulative number of events observed for each hour in a day, during the selected period of time.
■ The day of week breakdown is displayed as a bar graph depicting the average cumulative number of events observed for each day in a week, during the selected period of time.
Target Countries: The Target Countries report provides a summary of the top countries towards which activity was observed by DeepSight Intelligence sensors. This report consists of the following elements:
■ A pie or bar graph reflecting the cumulative amount of activity observed towards the top matching countries over the chosen period of time.
■ A set of graphs depicting historical trend activity towards the top matching countries. This includes the number of sensors that have observed events within each country, the number of events that were observed, and the unique number of source IP addresses that were observed targeting each country.
Note that these results may be biased by the uneven distribution of DeepSight Intelligence sensors across these countries.

Target Industries: The Target Industries report provides a summary of the top industries towards which activity was observed by DeepSight Intelligence sensors. This report consists of the following elements:
■ A pie or bar graph reflecting the cumulative amount of activity observed towards the top matching industries over the chosen period of time.
■ A set of graphs depicting historical trend activity towards the top matching industries. This includes the number of sensors that have observed events towards each industry, the number of events that were observed, and the unique number of source IP addresses that were observed targeting each industry.
Note that these results may be biased by the uneven distribution of DeepSight Intelligence sensors across these industries.

Attacks by Company Size: This Company Size report provides a breakdown of events observed
by DeepSight Intelligence sensors, by the size of the company that is
observing them. Companies are categorized by five employee ranges.
This report provides insight into the types of companies that are being
targeted.
This report consists of the following elements:

■ A pie or bar graph reflecting the cumulative amount of activity
observed towards each company size.
■ A set of graphs depicting historical trend activity towards each
company size. This includes the number of sensors that have
observed events in each category, the number of events observed,
and the unique number of source IP addresses that were observed
targeting each category.

Note that these results may be biased by the uneven distribution of
DeepSight Intelligence sensors across companies within each category.

Attacks by Company Revenue: This Company Revenue report provides a breakdown of events observed
by DeepSight Intelligence sensors, by the annual revenue of the company that is
observing them. Companies are categorized by five revenue ranges.
This report provides insight into the types of companies that are being
targeted.
This report consists of the following elements:

■ A pie or bar graph reflecting the cumulative amount of activity
observed towards each revenue range.
■ A set of graphs depicting historical trend activity towards each
revenue range. This includes the number of sensors that have
observed events in each category, the number of events observed,
and the unique number of source IP addresses that were observed
targeting each category.

Note that these results may be biased by the uneven distribution of
DeepSight Intelligence sensors across companies within each category.

Attack Age: The Attack Age report provides an overview of events based on
the age of the vulnerabilities associated with them, and the age of the
events themselves.
This report consists of the following elements:

■ A New Attacks trend graph provides a listing of the top five events
observed by DeepSight Intelligence sensors that are newer than
30 days.
■ An Attacks by Vulnerability Published Date graph provides a
breakdown of events, based on the age of the vulnerabilities
associated with each event. Events are broken into four categories.
These are 0-60 days, 61-180 days, 181-365 days, and over 365
days.
■ An Attack Age Over Time graph provides a breakdown of events,
based on the date on which each event was first observed within
the Portal. Events are broken into four categories. These are 0-60
days, 61-180 days, 181-365 days, and over 365 days.

Originating Netblock Summary: This Originating Netblocks report provides a breakdown, by Class A
network, of events observed by DeepSight Intelligence sensors. It
consists of a horizontal bar graph of the top 20 originating netblocks.

Malicious Code Reports

These reports are derived from consumer AV Ping reports to Symantec and are a
strong indication of propagation in the wild. The descriptions for Malicious Code
Reports report types are in Table 11-22.

Table 11-22 Malicious Code Report Descriptions

Report Type Explanation

Malicious Code Summary: The Malicious Code Summary report provides a summary of
malicious code activity reported to Symantec's AV Ping system
using our consumer antivirus products.
This report consists of a bar graph depicting the cumulative number
of events observed over the selected period of time and a series
of up to ten trend graphs depicting historical trend activity for each
malicious code sample.

Malicious Code Analysis: The Malicious Code Analysis report provides a detailed analysis
of activity surrounding a specific malicious code sample. The report
provides a history of event activity and portrays the primary
affected countries.
A graph is provided, depicting the historical trend of AV Ping
reports for this malicious code. A description of the malicious code
sample is given. A table is provided, listing the top countries in
which this sample has been observed.

Malicious Code Product: The Malicious Code Product report provides a summary of
malicious code activity reported to Symantec's AV Ping system
based on the platform or product being targeted.
This report consists of a pie or bar graph depicting the cumulative
number of AV Ping events observed for each platform or product.
It also includes a series of up to five trend graphs, depicting
historical trend activity for each product.

Mining DeepSight Intelligence data

The manipulation of four report elements determines the story Custom Reports will
tell. The elements are:
■ Report type
■ Date range
■ Analysis method
■ Data used
The perspective of a report changes when other elements are used to modify the
basic report configuration.
Report types are grouped into summaries, analyses, miscellaneous other reports
which are not adequately described as summaries or analyses, and malicious code
reports.

Step one: Select your report type

The report type should answer the question: “What do I want to look at?”
Report types are grouped by category and then each type is listed. Pick the report
type you want to open. See “Report categories” on page 164.
Step two: Select a date range

The date range can answer the questions:
■ When did this begin?
■ When did this end?
■ When did activity peak?
■ Is there any periodicity in the attack?
Expanding and contracting the time period analyzed changes the output of a report.
An event appearing as a top-ten activity in a two-day period may disappear when
the same report covers seven days. The interface provides the following convenient
date ranges: Today, Yesterday, 2 days, 3 days, 7 days, 14 days, and 30 days.
Select Custom if you'd like to customize the date range. Start and End dates are
specified by selecting a date on a calendar. The report can then be plotted by Hour,
Day, Week, or Month using the By drop-down box. This defines how many data
points are used in charting data to the graphs generated in a report.

Note: The Associated Ports report limits the Date Range of the report to the last 60
days of data.

Notes on hourly granularity

Hourly granularity is rarely used in your initial investigation of an event, but it is vital
to follow-up reports. Hourly granularity allows you to see the very first trickle of an
event. For example, while SQL Slammer seemed to explode onto the Internet and
hit peak activity within a few hours, it had actually bounced around the Internet for
several days. Every Internet event begins with a trickle of activity, and hourly granularity
allows you to analyze it.
You must use the custom date range option, activate the Enable Hourly Precision
check box, and specify a starting hour and ending hour for the report. A report can
cover up to 48 hours using hourly granularity.
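The effect of the By drop-down and of the Event Time Summary's hour-of-day and day-of-week averages is easiest to see on data. The following is an added example, not code from the Portal or from Symantec: it buckets event timestamps at Hour, Day, Week or Month granularity and computes the two averages over a window. The sample timestamps are constructed (the dates are arbitrary): one event every six hours for two days, then 40 events per hour for six hours. At Day or Week granularity the two-day trickle is a flat line of 4 and 8; at Hour granularity each early event is visible as its own bucket, which is what the Enable Hourly Precision option buys you.

```python
"""Bucketing event timestamps the way the Custom Reports date-range options do.
Added example with constructed data; not code from the Portal."""
from collections import Counter
from datetime import datetime, timedelta, timezone

GRANULARITIES = ("Hour", "Day", "Week", "Month")  # mirrors the By drop-down


def bucket_key(ts, by):
    """Label the bucket a timestamp falls into at the chosen granularity."""
    if by == "Hour":
        return ts.strftime("%Y-%m-%d %H:00")
    if by == "Day":
        return ts.strftime("%Y-%m-%d")
    if by == "Week":
        year, week, _ = ts.isocalendar()
        return f"{year}-W{week:02d}"
    if by == "Month":
        return ts.strftime("%Y-%m")
    raise ValueError(f"unknown granularity {by!r}; expected one of {GRANULARITIES}")


def bucket_counts(timestamps, by):
    """Events per bucket, sorted by bucket label. Empty buckets are omitted,
    so a trickle shows up as isolated 1s instead of being averaged away."""
    return dict(sorted(Counter(bucket_key(ts, by) for ts in timestamps).items()))


def hour_of_day_average(timestamps, start, end):
    """Average events per hour of the day over [start, end). The divisor is
    the number of days in the window, so quiet days pull the average down
    rather than being ignored."""
    days = max(1, (end - start).days)
    totals = Counter(ts.hour for ts in timestamps if start <= ts < end)
    return [totals[h] / days for h in range(24)]


def day_of_week_average(timestamps, start, end):
    """Average events per weekday (0 = Monday) over [start, end), dividing by
    how often that weekday occurs in the window; start should be a midnight."""
    occurrences = Counter()
    day = start
    while day < end:
        occurrences[day.weekday()] += 1
        day += timedelta(days=1)
    totals = Counter(ts.weekday() for ts in timestamps if start <= ts < end)
    return [totals[w] / occurrences[w] if occurrences[w] else 0.0 for w in range(7)]


# Constructed sample: one event every six hours for two days (the trickle),
# then 40 events per hour for six hours (the outbreak). Dates are arbitrary.
T0 = datetime(2014, 1, 25, tzinfo=timezone.utc)  # a Saturday
SAMPLE = [T0 + timedelta(hours=h) for h in range(0, 48, 6)]
SAMPLE += [T0 + timedelta(hours=h, minutes=m) for h in range(48, 54) for m in range(40)]
WINDOW = (T0, T0 + timedelta(days=3))  # the three days the sample covers

if __name__ == "__main__":
    for by in GRANULARITIES:
        print(by, bucket_counts(SAMPLE, by))
    print("hour of day:", hour_of_day_average(SAMPLE, *WINDOW))
    print("day of week:", day_of_week_average(SAMPLE, *WINDOW))
```

The week view of the sample collapses everything into two bars (8 events in one ISO week, 240 in the next), the day view shows 4, 4, 240, and only the hour view shows the single events that precede the outbreak. The averaging functions divide by the number of days (or occurrences of a weekday) in the window rather than by days with events, so a 30-day window with three busy days reports a low average, which is the right signal for resource planning.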

Step three: Select the analysis method

The analysis method answers the questions:
■ How do I want to look at this?
■ What is more revealing, the number of sensors or the number of source IPs?
Different analysis methods produce different results for the same report type in the
same time period. The analysis method determines whether your data is drawn from the
database by the greatest number of sensors, the greatest number of source IPs,
or the greatest number of events. If you are a data contributor, you have additional
analysis methods available. The top 15 results are selected from the data identified
by your chosen analysis method, then the remaining two elements are charted.
IDS and firewall sensors offer the same analysis methods.

Firewall and IDS analysis methods

The analysis method selected determines how the initial Top-15 for the chosen
report type is queried from the database. It provides a perspective for the analysis
presented in the report and directly impacts how the tri-graph charts are drawn. An
explanation of the plot orders is presented in Table 11-23.

Table 11-23 Understanding Analysis Methods

Analysis Method Explanation

By largest observing sensor count based on global data: Using this analysis method,
the tri-graph chart plot order is by sensor count, distinct IP addresses, and then by
event volume.

By largest event count based on global data: Using this analysis method, the tri-graph
chart plot order is by event volume, sensor count, and then by distinct IP addresses.

By largest Source IP count based on global data: Using this analysis method, the
tri-graph chart plot order is by distinct IP addresses, sensor count, and then by event
volume.

By Largest Event Count Based on My Data: Using this analysis method, the tri-graph
charts contrast Global event volume with user event volume; Global sensor counts;
and contrast Global IPs with user IPs.

By Largest Source IP Count Based on My Data: Using this analysis method, the
tri-graph charts contrast Global IPs with user IPs; distinct Global IPs; and contrast
Global volume with user volume.

Note: The default analysis method is By Largest Observing Sensor Count Based
on Global Data. Analyzer user data is not available for all report types.
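Why the choice of analysis method changes which rows make the Top-15, and why sensor count is the default, is clearest on data. The following is an added example, not code from the Portal or from Symantec: it takes constructed event records (the field layout, event names, sensor ids and IP addresses are all assumptions for this example), counts distinct observing sensors, distinct source IPs and event volume per event name, ranks by the chosen global-data method, and returns the three metrics in the plot order Table 11-23 gives for that method. The "Based on My Data" methods, which need a contributor's own uploaded data, are not modelled.

```python
"""Selecting the top-N rows of a report by analysis method.
Added example with constructed data; not code from the Portal."""
from collections import defaultdict

# Plot order of the tri-graph for each global-data method (Table 11-23).
# The first metric is also the one the top-N is ranked by.
METHODS = {
    "By largest observing sensor count": ("sensors", "source_ips", "events"),
    "By largest event count": ("events", "sensors", "source_ips"),
    "By largest Source IP count": ("source_ips", "sensors", "events"),
}


def summarize(events):
    """Per event name: distinct observing sensors, distinct source IPs, volume."""
    sensors, ips, volume = defaultdict(set), defaultdict(set), defaultdict(int)
    for name, sensor_id, source_ip in events:
        sensors[name].add(sensor_id)
        ips[name].add(source_ip)
        volume[name] += 1
    return {
        name: {"sensors": len(sensors[name]), "source_ips": len(ips[name]), "events": volume[name]}
        for name in volume
    }


def top_n(events, method, n=15):
    """Rank event names by the method's first metric (ties broken by name)
    and return (name, metrics in plot order) for the top n."""
    if method not in METHODS:
        raise ValueError(f"unknown analysis method {method!r}")
    order = METHODS[method]
    stats = summarize(events)
    ranked = sorted(stats.items(), key=lambda kv: (-kv[1][order[0]], kv[0]))
    return [(name, tuple(m[k] for k in order)) for name, m in ranked[:n]]


# Constructed sample: (event name, sensor id, source IP). The event names are
# illustrative; sensor ids and addresses are made up for this example.
SAMPLE_EVENTS = (
    # one worm signature seen once each by four different sensors
    [("SQL Slammer Worm", f"sensor-{i}", f"10.0.{i}.1") for i in range(1, 5)]
    # one sensor hammered by six different source addresses
    + [("SSH Brute Force", "sensor-1", f"192.0.2.{i}") for i in range(10, 16)]
    # one sensor, one source address, seven hits
    + [("HTTP Scanner", "sensor-2", "198.51.100.7")] * 7
)

if __name__ == "__main__":
    for method in METHODS:
        print(method, top_n(SAMPLE_EVENTS, method))
```

On this sample the three methods produce three different leaders: the scanner that hit one sensor seven times from one address tops the event-count view, the brute force from six addresses tops the source-IP view, and the worm seen by four independent sensors tops the sensor-count view. That is the reason the default ranks by observing sensors: a single noisy sensor or a single chatty source cannot push an event into the Top-15 on its own, so the default view reflects breadth of observation rather than volume.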

Malicious code analysis methods

There is one Analysis Method for Malicious Code reports.

Table 11-24 Understanding Analysis Methods for Malicious Code Submissions

Analysis Method Explanation

Based on Consumer Submissions: Using this analysis method, the top events are determined based
on consumer AV Ping reports.

Step four: Select the data to use

Different data provides different insights for your analysis. For instance, probe data
can be useful in initially identifying an event but may obscure your view of the event
itself.

Firewall and IDS Data Selection

Global IDS data is always used but most reports allow the selection of local and
global firewall data and local IDS (if your organization uploads to DeepSight
Intelligence Analyzer via Extractor), as well as the inclusion of probes.
IDS and firewall data are managed separately in the reports. When local data is
selected, the charted top-five of the global data will be overlaid with your Local data.

Probes
The inclusion of reconnaissance activity, or probes, is useful in initial reports.
However, the inclusion of probes adds considerable noise to a report as the analyst
attempts to focus in for greater detail.

Malicious code submissions data

The default analysis method, Based on Consumer Submissions, uses consumer
AV Ping reports to Symantec.

Using report modifiers

While the primary report elements—report type, date range, analysis method, and
data—govern the overall perspective of a report, the report modifiers allow the
analyst to change the perspective of a report and focus on the most relevant
information.

Source
A key analysis question is always:
■ Where did this come from?
The Portal allows the analyst to filter by up to five source IP addresses or up to five
countries. The addresses can be derived from an organization's IDS or firewall
systems or an organization's competitor.

Destination
The analyst always asks:
■ What is the target?
The DeepSight Intelligence portal reports allow this to be defined in a number of
ways: Destination Ports, Portless Protocols, and/or Destination Countries.
The analyst may filter by up to five destination ports. These could be popular or
likely targets, or they could represent the proprietary service ports used by an
organization. The transport protocol may be TCP, UDP, or No Protocol. The analyst
may also filter using a single portless protocol or up to five targeted countries.

Note: It is not possible to filter by destination IP address. This is by design to protect
the security of our data contributors.

Demographics
Demographic information attempts to answer the analyst's question:
■ Who is being targeted?
DeepSight Intelligence Analyzer data contributors, uploading firewall and IDS data
via Extractor, are required to specify the type of industry, revenue, and employee
size to participate.
Up to five targeted industries may be specified.
The size of the affected organization can be used as a report modifier by designating
an annual revenue range. Multiple revenue sizes may be specified.
The number of employees may also be used as a data filter. Multiple employee-size
ranges may be specified.

Events
Events help to answer the question:
■ How are these attacks carried out?
The analyst may filter by a category of attack or choose a specific event. Events
are selected by choosing an event category and then specifying up to five events.
The five events may be selected from multiple categories. While events are not
normally associated with firewalls, DeepSight Intelligence Threat Analysts classify
firewall data as a diagnostic or a security event. Selection of these events may also
be made.

Products
Products help the analyst identify the targeted technologies:
■ What technologies are being exploited?
To focus on what is being attacked, identify relevant products. Products may be
specified as a category or specifically defined as a technology within a product
category. Searching by a particular product speeds selection. Products may also
be specified as a technology list. Technology lists specific to an organization's
environment are configured within the Alerts portion of the Portal. Using technology
lists, the Analyst can quickly screen data based on relevant technologies.

Configuring the reports

You can refine the report criteria using the following page areas. The reports have
different areas depending on the report intent. Only the first part is required;
additional page areas serve as modifiers of the first page.
The possible page areas are:
■ General
■ Source
■ Destination
■ Malicious Code
■ Demographics
■ Events
■ Products
To complete the required General report page area
1 Click the desired report tab in the left side bar.
2 In the General page area, complete the following fields:
■ Choose the Report Type: Ad-Hoc Report or Scheduled Report. An ad hoc
report is generated one time at the time of criteria submission.
■ Type a useful and descriptive Name.
■ For a Scheduled Report, specify the report's Date Range.
■ Select the report Period.
■ Select an Analysis Method.
■ Pick your Data Sources, if available.
3 Continue to refine the report parameters, if desired; otherwise, click Submit.

To complete the Source report page area
1 In the Source Address text box, enter up to five source IP addresses,
separated by commas, and click the right-facing arrow to move them to the
Selected Source Addresses list.
Entering source IP addresses restricts the report to activity from just the specified
IP addresses. This is useful when analyzing the activity of frequent offenders
in your firewall logs.
2 In the Source Countries list, select up to five source countries, and click the
right-facing arrow to move them to the Selected Countries list.
Specifying countries restricts the report to event activity from the selected
countries.
3 Continue to refine the report parameters, if desired; otherwise, click Submit.
To complete the Destination report page area
1 In the Port Number field, you may enter up to five destination ports,
separated by commas and, optionally, choose one of the protocols from the
Protocol field.
2 Click the right-facing arrow to move them to the Destination Ports list.
The destination port report modifier is especially useful in building reports
focused on an organization's network services.
3 In the Portless Protocols section, if available, select one or more items as
desired, and click the right-facing arrow to move them to the Selected Portless
Protocols list.
4 In the Destination Countries section, select up to five destination countries,
and click the right-facing arrow to move them to the Selected Destination
Countries list.
Specifying destination countries restricts the report to event activity targeting
the selected countries.
5 Continue to refine the report parameters, if desired; otherwise, click Submit.
To complete the Malicious Code page area
1 Choose a malicious code type from the Type pick list, type a more specific code
name in the Search field and click the Search button, then select up to five
items from the Malicious Code list, and click the right-facing arrow to move
them to the Selected Malicious Codes list.
2 Continue to refine the report parameters, if desired; otherwise, click Submit.
To complete the Demographics report page area
1 In the Affected Industries section, select up to five affected industries.
The affected industries report modifier is especially useful in observing activity
within specified market segments.
2 In the Affected Revenue section, select up to five affected revenue sizes.
This modifying parameter helps to establish the degree of focus of an
event/attack.
3 In the Affected Employee Size section, select up to five affected employee
sizes.
This modifying parameter helps to establish the degree of focus of an
event/attack.
4 Continue to refine the report parameters, if desired; otherwise, click Submit.
To complete the Events report page area
1 Choose from Event Category, Event Search, or Event Behavior.
Using events as a report modifier allows you to focus on event types that pose
the greatest risk to your network infrastructure.
2 If you chose Event Category, select up to five categories from the Event
Categories list, and click the right-facing arrow to move them to the Selected
Event Categories list.
3 If you chose Event Search, click in Search by Event Name, type an event
name in the Search field and click the Search button, then select up to five
items from the Events list, and click the right-facing arrow to move them to the
Selected Events list.
4 If you chose Event Behavior, select up to five behaviors from the Event
Behavior list, and click the right-facing arrow to move them to the Selected
Event Behavior list.
5 Continue to refine the report parameters, if desired; otherwise, click Submit.
To complete the Products report page area
1 Choose from Product Categories or Products Search.
Using products as a report modifier allows you to focus on risks to your network
infrastructure. Tech Lists allow a complete definition of an organization's
environment to be utilized as a premise of a report.
2 If you chose Product Categories, select up to five categories from the Product
Categories list, and click the right-facing arrow to move them to the Selected
Product Categories list.
3 If you chose Products Search, choose a category from the Product Categories
pick list, type a product name in the Search field and click the Search button,
then select up to five items from the Products list, and click the right-facing
arrow to move them to the Selected Products list.
4 Or in the My Tech Lists list, select up to five tech lists and click the right-facing
arrow to move them to the Selected Tech Lists list.
5 Click Submit.

Printing or exporting
The Portal lets you generate printer-friendly views of most of the interface's pages and
export data from many of the grids. If you see an icon for Print or Export on the
right side above the grid or report, then the functionality exists for that item.

Note: If you want to include your brand header on your printouts, you must enable
the option to print background images and colors in your web browser. In Internet
Explorer, click Tools > Internet Options, click the Advanced tab, scroll to the
Printing section, and check the Print background colors and images box. In
Firefox, click File > Page Setup, and check the Print Background (colors &
images) box.

The Export function captures grid data, including hidden columns, and converts it
to comma-separated values (.csv) format for viewing and manipulation in the
compatible application of your choosing.
To print a report or grid
1 Customize the report or grid you intend to print. The output will contain only
those columns that are displayed in the grid.
2 Click the Print link located on the right side above the report or grid.
3 Print the view using your browser's print function.
To export grid data
1 Click the Export icon located on the right side above the grid.
2 In the Opening ReportData.csv window, click Save to Disk.
3 Click OK.
4 If your browser is configured to automatically route downloads to a specific
location, you will find ReportData.csv there. Otherwise, in the Enter name of
file to save to... window, modify the file name as desired, navigate to your
preferred download location, and click Save.
Glossary

Change Manager
A person who is responsible for changing a device's configuration.

Configuration Item
Any component under the control of configuration management; for example, a
device, a Remote Importer, an operating system, a serial number, etc.

Device
The security appliance and/or software covered by the MSS service.

Emergency Policy Change
An Emergency Policy Change is an urgent request to alter the firewall rule set or
VPN connections to a Symantec Managed Firewall, Monitored and Managed
Firewall, or Monitored and Managed ISA. In the case of ISA, an Emergency Policy
Change can also be used to alter the Antivirus Definitions or Content and URL
Filtering Policy of the device. Most Symantec Managed Firewall, Monitored and
Managed Firewall, and Monitored and Managed ISA services include a certain
number of Emergency Policy Changes per year as part of the service. There is no
daily limit on the number of Emergency Policy Changes that can be used. Symantec
engineers work on Emergency Policy Changes from the time they are received until
completion. Symantec guarantees that Emergency Policy Changes will be completed
within three hours of receipt of the request by Symantec. If the client does not have
any Emergency Policy Changes, they can be purchased from Symantec at any
time.

Premium Policy Change
A non-urgent request to alter the firewall rule set or VPN connections to a Symantec
Premium Monitored and Managed Firewall or Premium Monitored and Managed
ISA. In the case of ISA, a Premium Policy Change can also be used to alter the
Antivirus Definitions or Content and URL Filtering Policy of the device. All Symantec
Premium Monitored and Managed Firewall and Premium Monitored and Managed
ISA Services include unlimited Premium Policy Changes per month as part of the
service. Clients are limited to one Premium Policy Change per day. Premium Policy
Changes are queued when they are received. Symantec guarantees that Premium
Policy Changes will be completed within six hours of receipt of the request by
Symantec. While additional Premium Policy Changes cannot be purchased,
Emergency Policy Changes can be purchased at any time for all levels of service.

Security Incident
A collection of device logs and data that has been identified by the STP to match
a pattern that indicates potential weakness or compromise in the customer’s system.
For a security incident to appear on the SII, it must be reviewed, categorized, and
confirmed by a human analyst; these confirmed incidents appear in reports and
statistics as "Validated Incidents.” Each validated security incident is assigned a
severity, which, along with comments entered by the analyst, can help you determine
what actions, if any, should be taken to protect the network and/or prevent further
compromise.

Security Incident severity: Informational
These are routine security incidents with no impact to the client. They are presented
for informational/reporting purposes.

Security Incident severity: Warning
Warning security incidents are suspicious and may require additional investigation
by the client. They are not a high-risk attack and do not require immediate action
to mitigate the impact of the attack.

Security Incident severity: Critical
Critical security incidents are high-risk attacks or possible compromises. Immediate
action is necessary to mitigate the impact of these security incidents. These security
incidents are required to be escalated as severe security incidents.

Security Incident severity: Emergency
Emergency security incidents are high-risk attacks that resulted in a validated
compromise. Immediate action is necessary to mitigate the impact of these security
incidents. These security incidents are required to be escalated as severe security
incidents.