Symantec MSS Portal Users Guide
Legal Notice
Copyright © 2014 Symantec Corporation.
The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be
reproduced in any form by any means without prior written authorization of Symantec
Corporation and its licensors, if any.
The Licensed Software and Documentation are deemed to be "commercial computer software"
and "commercial computer software documentation" as defined in FAR Sections 12.212 and
DFARS Section 227.7202.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043 USA
http://www.symantec.com
restricted using an organizational hierarchy so that only those with the correct
permission can view it. The portal has the following functional areas:
Home: The Home page shows your activity stream, a customizable Service Monitor bar, and an assortment of modules showing incident information, ThreatCon status, and news alerts. See “About the Home page” on page 16.
Dashboard: The Dashboard page lets you create multiple dashboards customized with your preferred information modules. See “About the Dashboard” on page 61.
Incidents: The Incidents page contains all incidents that occurred on your network. See “About incidents” on page 66.
Requests: The Requests page lets you view your organization's requests and submit new ones. See “About requests” on page 85.
Devices: The Devices page contains all of the devices that Symantec manages and monitors for you. The default view shows the non-terminated devices within or affecting your organization, sorted by health status. See “About devices” on page 93.
Assets: The Assets page lets you modify the list of assets that your organization has registered with MSS. See “About assets” on page 98.
Logs: The Logs page contains a log query builder and query management features. See “Viewing logs” on page 110.
Settings: Located at the top of every page, click Settings to view your entitlements, access your user and organization profiles, and modify notifications. See “About settings” on page 25.
Alerts: The Alerts page is where you can view any of the alerts delivered to you, as well as view the vulnerability, malicious code, and security risk databases, and perform a variety of other alerts-related tasks. See “Using Alerts” on page 126.
Datafeeds: The Datafeeds page displays the files for the various feeds that your client has requested, as well as the files that are available for download. You also can access related datafeed documentation and tools. See “Using Datafeeds” on page 160.
Custom Reports: The Custom Reports page is where you can customize any of the pre-configured reports to mine the DeepSight Intelligence or Global Intelligence Network (GIN) database and extract actionable intelligence that is specific to your organization's environment. See “Using Custom Reports” on page 164.
Settings: Located at the top of every page, click Settings to view your licenses, access your user and organization profiles, and modify notifications. See “About settings” on page 25.
Note: To access the portal, you must use a browser that supports 128-bit encryption
and JavaScript.
4 Click Login.
5 In the VIP Authentication page, type the Security Code currently displayed
on your soft token.
6 Click Login.
Note: If authentication fails on the first attempt, wait for the token code to change
and try again. Contact the SOC if you have difficulties logging in to the portal.
Accessing the MSS portal when multiple accounts are found for an email address
For customers who have multiple MSS portal accounts associated with an email
address, you must select your account when you log in. Each separate account
must have a VIP token registered with it.
To access the portal when multiple accounts are found
1 In a Web browser, go to https://mss.symantec.com.
2 At the Login page, type your primary email address and password.
3 Click Login.
4 At the Multiple Accounts Found page, select the account you want to use
for this session.
5 Click Login.
6 If this account does not yet have a registered token associated with it, you
must register a token. See “Setting up your login using Symantec VIP
credentials” on page 10.
If this account does have an associated token registered, then in the VIP
Authentication page, type the Security Code currently displayed on your token
and click Login.
Note: To access the portal, you must use a browser that supports 128-bit encryption
and JavaScript.
Note: Contact the SOC if you have difficulties logging in to the portal.
Table 1-2 Are DeepSight Intelligence and MSS portal accesses integrated?
About Chat
Chat is an instant messaging application that lets you have a text conversation with
an MSS Team Member. A transcript of the chat will be emailed to you at your request
and, if applicable, will be stored with a related case.
Note: During times of heavy activity, you may encounter a queue window after
submitting your question or issue.
To use Chat
1 At the top right or bottom left of any page, click the Chat link.
2 Type your identifying information in the spaces provided.
3 Click in the Message text box and type your issue or question.
4 Click Submit.
5 In the Chat window, type your responses in the lower text box, clicking the
Send button as needed to transmit your responses.
6 When the session has ended, the Chat window displays a post-chat survey.
Please click the option buttons next to your answers, provide additional
feedback as needed, and click Submit.
About supported browsers
Note: Ensure that Internet Explorer's zoom setting is at 100% for the best readability.
You can find this setting either in the lower right side of the browser's Status Bar
or in the main menu under View.
Service Monitor Bar: The Service Monitor bar displays a customizable set of monitors that you can click to filter the Activity Stream. The monitors displayed also change depending on your subscriptions.
Activity Stream: The Activity Stream gives you an up-to-the-second feed of the threats affecting your organization and the alerts impacting your devices and assets.
Open Incidents by Asset Criticality (7 days): The Open Incidents by Asset Criticality module provides a count of unique incidents of the selected severity that contain at least one asset of the selected criticality over the past 7 days. The severity increases from chart bottom to top, and asset value increases from left to right. You can click a linked value to see a filtered Incidents grid or, if the linked value is 1, go directly to the Incident Detail page.
Service Summaries: The Service Summaries module lists links to the most recent reports and alerts. For MSS customers, it shows Service Alerts and Customer Monthly Reports. For DeepSight Intelligence users, it shows the DeepSight Intelligence Weekly and Monthly Summaries.
Note: All dates/times in the portal are local unless otherwise indicated.
Note: When the system returns zero results for a data item, you see a green
checkmark instead of zero.
Reviewing the Service Monitor bar
Table 2-1 Service Monitor bar items and their descriptions
Monitor: Description (Service)
Assigned to Me This Week: Open incidents assigned to you in the past week. (MSS)
Assigned to Me This Week - Closed: Incidents assigned to you in the past week that have been closed. (MSS)
Assigned to Me This Month: Open incidents assigned to you in the past month. (MSS)
Assigned to Me This Month - Closed: Incidents assigned to you in the past month that have been closed. (MSS)
Critical Alerts This Week: Any critical or emergency incidents or requests in the past week. (MSS)
Critical Incidents Today: Critical incidents opened in the past 24 hours. (MSS)
Critical Incidents This Week: Critical incidents opened in the past week. (MSS)
Critical Incidents This Month: Critical incidents opened in the past month. (MSS)
Device Alarms Today: Open device alarms in the past 24 hours. (MSS)
Device Alarms This Week: Open device alarms in the past week. (MSS)
Device Alarms This Month: Open device alarms in the past month. (MSS)
Analyst Journal Entries: All published Analyst Journal entries for the past seven days. (DS) Note: Initially displayed by default for DS-only subscribers.
MATI Reports: All published MATI reports for the past seven days. (DS) Note: Initially displayed by default for DS-only subscribers. Also requires a MATI license.
Note: The Service Monitor bar displays no less than 5 and no more than 12 monitors
at a time.
2 Click Save as default to save your current filter set to be loaded when My
Default is clicked. Click Hide to hide the button.
3 To change the stream date range, at the top of the stream area, click 1, 7, 30,
or 90 to set the stream to reflect that number of days.
Using the DeepSight Intelligence Global Incidents module
5 Near the top of the Location and Threats tabs, click the box next to Show all
sensors reporting activity in the last 24 hours to see those bubbles that
are suppressed due to periods of inactivity, also known as “zero bubbles.” A
zero bubble indicates that the sensor returned no detected activity in the last
data refresh, but activity had been detected at some time during the last 24
hours.
6 When the map data is refreshed and you see the new data notification icon,
click Reset.
7 When you are finished using the map, close the browser window. Closing this
window does not affect your MSS portal session.
Note: The map module employs Microsoft's® Bing™ Maps Platform API. For Terms
of Use, see Microsoft® Bing™ Maps Platform APIs’ Terms Of Use.
■ About settings
■ About alerts
■ Printing or exporting
About settings
The Settings pages are where you manage your profile, your organization's profile,
and your alert subscriptions. Administrators might see more options depending on
their permission level.
Note: The MSS portal is set to time out after 120 minutes without user activity. This
setting is not customizable. Activating the Auto-Refresh feature on the Home page's
Activity Stream or the Dashboards page does not affect the 120-minute timeout
setting. Only direct user interaction resets the timer.
About user profiles
■ Contact Information: This tab is where you manage your email addresses,
telephone numbers, and mailing addresses.
Refer to the previous section for detailed information on editing user details.
Note: After cloning the account, the new account user must log in to test and activate
the delivery methods. See “Managing delivery methods” on page 51.
7 Monitor the status messages for a successful outcome. Click the link below
the summary for a more detailed list of account attributes that were cloned.
8 Click Close.
Incident Manager (MSS): This user has read and write access to all base functions except Vulnerability Uploads and Users. This user also has write access to non-device Requests and all MSS Notifications.
Incident Reviewer (MSS): This user has read-only access to the Home page, Dashboard, Incidents, Devices, Assets, and Reports. This user also can edit their own profile, read non-device Requests, and edit/write all MSS Notifications.
Asset User (MSS): This user can view assets and devices. Upon login, the Portal displays the Assets grid.
Receive MSS Alerts (MSS): Toggles the ability to receive MSS alerts.
Configure Alerts (DeepSight Intelligence, MSS): Lets the user configure their own alert notifications.
Manage Delivery Methods (DeepSight Intelligence): Lets the user manage their alert delivery methods.
Manage Technology Lists (DeepSight Intelligence): Lets the user manage their own tech lists.
Note: Users wanting to reset their passwords can do so from the Login page using
the Forgot Password link. See “Recovering from a forgotten password” on page 13.
Deleting a user
Only administrators can delete user accounts.
To delete a user
1 Under the Settings page title, click the Users link.
2 In the Users grid, click the user's email address link.
3 In the user's detail page, click Delete User.
4 In the confirmation prompt, click Proceed.
5 In the subsequent system message window, click OK.
The DeepSight Intelligence portal uses the organization profile area to administer
licenses across an organization.
About entitlements
An entitlement is the quantity of a Service that you purchase. You purchase
monitoring or managing services for a quantity of nodes, devices, IPs, servers, or
blocks of devices, nodes, or servers, according to the Service Description. The
terms of the agreement governing the purchase typically indicate a fixed start and
end date (fixed-term entitlement), but some negotiated agreements contain an
auto-renewal provision (autorenewal entitlement). As devices are registered with
the service, the amount of open entitlement available for additional devices is
decreased. As an example, a customer may have purchased under a fixed-term
agreement monitoring services for 150 firewalls—the entitlement—but initially used
only 100, leaving 50 open entitlements to be leveraged for additional devices during
the term of the agreement.
The portal helps you keep track of your entitlements so that you know which devices
are assigned to which entitlements. You also can see when an entitlement is nearing
expiration, so that you can begin the process of renewing the service or plan for
termination of the service.
Note: How the devices are counted under Entitlements depends on the type of
device, its role (such as failover designation or high availability pairing), and the
terms of the contracted service. Please direct any questions to your Service
Manager.
To view licenses
◆ In the Org Profile page, click the Licenses tab.
To view ThreatCon IPs
◆ In the Org Profile page, click the ThreatCon IPs tab.
To view MSS entitlements
1 In the Org Profile page, click the MSS Entitlements tab.
2 In the MSS Entitlements grid, click a Search Code to view details for that
entitlement.
To view devices
1 In the Org Profile page, click the Devices tab.
2 In the Devices grid, click the Search Code to view details for the device.
3 In the Devices grid, click the Reporting IP address for details of the listed IP
address.
To view branding
◆ In the Org Profile page, click the Branding tab.
3 To access license details, in the Licenses grid, click the license number.
4 In the License Details page, you have the following options:
■ In the Assigned tab, click Manage License to assign or unassign the
license.
■ In the License Pack History tab, view the history information.
About alerts
Alerts covers various notifications from Symantec to you and your organization.
The portal lets you configure alerts from both MSS and DeepSight Intelligence,
depending on your subscriptions. You configure and receive only those alerts
generated by your subscribed services.
See “Configuring MSS alerts” on page 39.
See “Configuring DeepSight Intelligence alerts” on page 43.
My Alerts
The My Configured Alerts tab gives you access to every alert delivered to your user
account. The alerts from the previous month are displayed by default, sorted
alphabetically. The initial display and all subsequent displays can be sorted by
clicking on any column heading.
An existing notifications monitor may be re-configured by selecting it in My
Configured Alerts and editing its settings in the subsequent page.
To reconfigure an alert
1 From the My Configured Alerts grid, scroll to the alert you want to edit, and
click Edit.
2 In the alert's settings page, modify the settings as needed.
3 Click Save.
To delete an alert
1 From the My Configured Alerts grid, scroll to the alert you want to delete, and
click Delete.
2 In the confirmation prompt, click OK.
Full Text: The email is sent in plain text with a description of the reason for the notification.
Sanitized Text: The email is sent in plain text but contains a URL linking directly to the incident details.
XML: The email is sent using XML, allowing you to parse the information into your own reports.
For further details regarding these formats, including examples, see the Symantec MSS Automated Email Notifications Format Guide.
The portal also supports the following email encryption options:
No Encryption: The email is sent unencrypted with a description of the reason for the notification.
PGP Encryption: The email is sent using PGP encryption with a description of the reason for the notification.
■ Incident Severity Threshold: Choose the severity threshold for this alert.
■ Incident Category: Leave unassigned or choose one or more categories.
■ Asset Criticality Threshold: Choose the asset criticality threshold for this alert.
■ Asset Groups: Leave unassigned or choose one or more groups.
You can opt to receive the Daily Service Summary, as well as individual service
alerts. The Daily Summary includes the title and first line of the service alerts for
that day; if you do not subscribe to the individual alerts, you still can view the full
alert text by logging in to the portal. Note that all new portal users are automatically
set to receive service alerts.
You can also set the notification thresholds for incidents and the daily and weekly
digests. If you prefer, you can opt to be notified of global emerging threats and set
your preferred contact phone number.
You can select a different email format per address for each notification type. The
valid formats for each notification type are:
4 On the Service Alerts page, select an email format for each email address.
5 Click Save.
To change daily and weekly digest notification settings
1 In the Settings page, click the Alerts link.
2 In the Alerts page, click the Configure MSS Alerts tab.
3 On the MSS page, click Weekly/Daily Incidents Digest on the left.
4 On the Service Alerts page, select an email format for each email address.
5 Click Save.
5 Provide particular parameters for the alert monitor. Every alert type has several
configuration options. The number of configuration options and their parameters
differ based on the selected alert type. Some will ask you to define an alert
threshold, another will ask for tech lists, and still others need domain lists
entered or uploaded.
Daily Report: This monitor delivers the Daily Report of Internet news and activity or a notice that the summary is available.
Weekly Report: This monitor delivers the Weekly Report of news and activity or a notice that the summary is available.
Monthly Report: This monitor delivers the Monthly Report of news and activity or a notice that the summary is available.
Event Activity: This activity monitor delivers alerts to you whenever the DeepSight Intelligence statistical analysis engine detects that a specific category of events identified in your monitor configuration is being exploited, based on the key predictors alerting model. Note: This alert type cannot be delivered by RSS.
Port Activity: This activity monitor delivers alerts to you whenever the DeepSight Intelligence statistical analysis engine detects that a specific port identified in your monitor configuration is being targeted, based on the key predictors alerting model. Note: This alert type cannot be delivered by RSS.
Industry Activity: This activity monitor delivers alerts to you whenever the DeepSight Intelligence statistical analysis engine detects that the number of anomalous sensors reporting an activity within an industry identified in your monitor configuration exceeds the previous high-watermark of anomalous activity by at least three anomalous sensors for at least two hours. Note: This alert type cannot be delivered by RSS.
Tech List Activity: This activity monitor delivers alerts to you whenever the DeepSight Intelligence statistical analysis engine detects that a specific technology included in a technology list in your monitor configuration is being targeted, based on the key predictors alerting model. Note: This alert type cannot be delivered by RSS.
Security Risk: This monitor delivers alerts to you whenever new adware or spyware is identified within a technology included in a technology list in your monitor configuration.
Malicious Code: This monitor delivers alerts to you whenever new malicious code is discovered within a technology included in a technology list in your monitor configuration.
Threat Alert: This monitor delivers alerts to you whenever the DeepSight Intelligence Threat Analyst Team develops intelligence of a new threat or observes activity associated with a threat to a technology included in a technology list in your monitor configuration.
Threat Analysis: This monitor delivers alerts to you whenever the DeepSight Intelligence Threat Analyst Team identifies a high-urgency threat that promises widespread exploitation and significant impact. It includes a thorough analysis of the threat to a technology included in a technology list in your monitor configuration.
Research Report: This monitor delivers in-depth reports from the DeepSight Intelligence Threat Analyst Team. Research Reports may include research into future threats, reports such as the Symantec Internet Threat Report, and other information that the team uncovers during research activities.
Domain: This monitor delivers alerts to you whenever one of your domains is mentioned within a malicious code alert or is targeted in an Internet event. During monitor configuration, you have the option of uploading a CSV file containing up to 5,000 domains. See “To bulk upload domains for Domain and Brand Protection monitors” on page 46. Note: This alert type cannot be delivered by RSS.
Network Infection: This monitor delivers alerts to you whenever our sensors discover malicious activity originating from the IP address space that you have provided.
Brand Protection: This monitor delivers alerts to you whenever our sensors detect phishing sites targeting one of your domains. During monitor configuration, you have the option of uploading a CSV file containing up to 5,000 domains. See “To bulk upload domains for Domain and Brand Protection monitors” on page 46.
8 Click Upload.
A message under the Upload a Domain List field displays the number of
domains added successfully. If the result is not what you expect, click Reset,
then check your upload file to ensure that you are using the proper format for
the domain names and that each is separated by a comma. Then, upload the
file again using the steps above.
9 When you are finished creating the monitor, click Save.
All Technologies
The All Technologies technology list is exactly that, a list that contains every
technology within the DeepSight Intelligence portal technologies database. When
this list is used in a monitor, the monitor will trigger for every alert issued throttled
only by monitor thresholds. While useful, it is informationally noisy. When using the
All Technologies list, keep in mind that controlling the number of alerts delivered
to you with monitor thresholds may prevent delivery of some relevant alerts.
Note: You can configure an All Technologies technology list by including the
technology category All.
9 Check or uncheck the Internal Sharing and Internal Copying check boxes
to specify if you would like to share lists or allow people within your organization
to copy your Technology List.
10 Click Save when your list is complete.
Performing a bulk upload
4 In the Choose File to Upload dialog box, select a valid xml technology list file.
The file should be well-formed xml and must retain the format of the Master
Technology List template.
5 Click Open.
6 Type a name for the technology list you want to create.
7 Click Upload.
Note: You are permitted to create a technology list only at Product/Version level
with a maximum of 1,000 CPE string entries through bulk CPE Upload. For other
features (i.e., Category/Vendor level inclusion), please use Manual Selection or bulk
XML upload.
4 In the Choose File to Upload dialog box, select a valid CPE technology list file.
The text file contents must have the format of the CPE Technology List template.
5 Click Open.
6 Type a name for the technology list you want to create.
7 Check or uncheck the Internal Sharing and Internal Copying check boxes
to specify if you would like to share lists or allow people within your organization
to copy your Technology List.
8 Click Upload.
4 In the Choose File to Upload dialog box, select a Qualys-generated xml file.
5 Click Open.
6 Type a name for the technology list you want to create.
7 Check or uncheck the Internal Sharing and Internal Copying check boxes
to specify if you would like to share lists or allow people within your organization
to copy your Technology List.
8 Click Upload.
that other notifications users will be able to identify who should receive alerts
when a delivery method is selected within monitors.
■ Delivery method type: The standard delivery method may be configured as email
or SMS. The RSS delivery method is included with each service license assigned
to a user's account. XML email is licensed as an Integration add-on.
■ Delivery method address or number: This input field must be syntactically correct
in order to function properly. Email addresses must comply with RFC
specifications and be syntactically correct. Telephone numbers must contain
only numbers: do not enter a '1' before the number. Country codes may be
necessary outside of the United States and Canada. Check the text below the
configuration screen for the most up-to-date information about the use of country
codes.
Note: Once configured, the Delivery Method Type cannot be changed. The Delivery
Method must be deleted and then recreated as the type of Delivery Method you
want.
Delivery method types, with what is delivered, the available detail levels, and the available alert formats:
email: Delivers any alert type in the selected format and detail level by electronic mail. Detail levels: all detail levels for all alert types (detail levels are selected during monitor configuration). Format: Text, PDF, or HTML (the format is selected during monitor configuration).
RSS: Allows an RSS client to retrieve alerts after authentication. Detail level: Full Details. Format: RSS 2.0.
SMS: Delivers any alert type to any SMS-enabled device. Detail level: Notice, a short alert format that is, at most, a couple of sentences long. Format: Text.
XML email: Delivers XML encoded alerts as an email attachment. See the Appendix for more details. Detail level: Full Details. Format: XML.
SMS: When entering a phone number for your SMS delivery method in the US, Canada, or a location reachable via an area code, please enter the number starting with the area code. Do not enter a '1' before the number.
XML email: Enter a legal email address. It must be syntactically correct; for example: john.doe@example.com. The XML email delivers an XML attachment.
Web Services: The Address or Number is not available for configuration. The Web Service client polls the Web Service for new alerts and pulls that information.
Note: The RSS delivery method pulls information from different RSS-capable pages, so the Address or Number configuration is actually done within the RSS reader.
Bahamas 242
Bermuda 441
Country codes must be used for locations other than those listed above. When
entering a phone number for a location that requires a country code, enter '011',
the country code, and the phone number without spaces or other delimiters.
Example: If the SMS number is 61 1 2345 6789 then enter 01161123456789
Currently we can deliver SMS alerts to the following countries reachable using a
country code:
Australia 61
Austria 43
Belgium 32
Finland 358
France 33
Germany 49
Ireland 353
Israel 972
Italy 39
Japan 81
Liechtenstein 423
Malaysia 60
Netherlands 31
New Zealand 64
Philippines 63
Singapore 65
South Africa 27
Spain 34
Switzerland 41
United Kingdom 44
Venezuela 58
Contact customer support if you require service to a country not listed here.
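The number-entry rules above are easy to get wrong by hand (a stray leading '1', a missing '011', delimiters in the number). The following Python example, added here and not part of the Symantec guide, normalizes a number into the form the Address or Number field expects and rejects the entries the guide describes as invalid. The country and area-code tables are copied from the text above; the function names are this example's own.

```python
"""Normalize an SMS delivery-method number per the portal's entry rules.

Added example (not from the Symantec guide). Rules implemented, as stated above:
  * US, Canada, Bahamas (242) and Bermuda (441): enter the number starting with
    the area code and do not enter a '1' before it.
  * Other supported countries: enter '011', the country code and the number,
    with no spaces or other delimiters, e.g. 61 1 2345 6789 -> 01161123456789.
  * Countries not in the list: not deliverable (contact customer support).
"""
import re

# Countries reachable using a country code, as listed in the guide.
SUPPORTED_COUNTRY_CODES = {
    "Australia": "61", "Austria": "43", "Belgium": "32", "Finland": "358",
    "France": "33", "Germany": "49", "Ireland": "353", "Israel": "972",
    "Italy": "39", "Japan": "81", "Liechtenstein": "423", "Malaysia": "60",
    "Netherlands": "31", "New Zealand": "64", "Philippines": "63",
    "Singapore": "65", "South Africa": "27", "Spain": "34",
    "Switzerland": "41", "United Kingdom": "44", "Venezuela": "58",
}

# Locations reached with a plain area code; those with a single fixed code
# are checked against it.
FIXED_AREA_CODES = {"Bahamas": "242", "Bermuda": "441"}
AREA_CODE_LOCATIONS = {"United States", "Canada"} | set(FIXED_AREA_CODES)

INTERNATIONAL_PREFIX = "011"


def normalize_sms_number(raw_number: str, location: str) -> str:
    """Return the digit string to type into the Address or Number field.

    raw_number may contain spaces, dashes, dots, parentheses or a leading '+';
    everything except digits is discarded. For country-code locations the
    number is expected in international form (country code first), as in the
    guide's own example. Raises ValueError for entries the portal would reject
    or that would route to the wrong destination.
    """
    digits = re.sub(r"\D", "", raw_number)
    if not digits:
        raise ValueError("no digits in number")

    if location in AREA_CODE_LOCATIONS:
        # Ten digits starting with the area code; a leading '1' is not allowed.
        if len(digits) == 11 and digits.startswith("1"):
            raise ValueError("do not enter a '1' before the area code")
        if len(digits) != 10:
            raise ValueError("expected area code plus seven-digit number")
        expected = FIXED_AREA_CODES.get(location)
        if expected and not digits.startswith(expected):
            raise ValueError(f"{location} numbers start with area code {expected}")
        return digits

    code = SUPPORTED_COUNTRY_CODES.get(location)
    if code is None:
        raise ValueError(
            f"SMS delivery not available for {location}; contact customer support")

    # Tolerate an international dialling prefix the user already typed.
    for prefix in (INTERNATIONAL_PREFIX, "00"):
        if digits.startswith(prefix + code):
            digits = digits[len(prefix):]
            break
    if not digits.startswith(code):
        raise ValueError(f"number must begin with country code {code} for {location}")
    if len(digits) <= len(code):
        raise ValueError("no subscriber number after the country code")
    return INTERNATIONAL_PREFIX + digits


def is_valid_sms_entry(raw_number: str, location: str) -> bool:
    """True if the number can be normalized into an acceptable field value."""
    try:
        normalize_sms_number(raw_number, location)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, including the guide's own worked example.
    for raw, loc in [("61 1 2345 6789", "Australia"),
                     ("+44 20 7946 0000", "United Kingdom"),
                     ("(212) 555-0100", "United States"),
                     ("1 212 555 0100", "United States"),
                     ("555-0100", "Brazil")]:
        try:
            print(f"{raw!r:22} {loc:15} -> {normalize_sms_number(raw, loc)}")
        except ValueError as err:
            print(f"{raw!r:22} {loc:15} -> rejected: {err}")
```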
Column Entry
Test Blank
Note: All email, SMS, and XML email delivery methods must be activated before
alert delivery begins. Web Services delivery methods do not require activation.
Email, XML email: The delivery method activation code is the four characters found in the test message in a line that reads: Delivery Method activation code is: A1A5 (or some other unique value). Click the Enter Activation Code link for the newly configured delivery method on the Configured Delivery Methods page. This presents a page with an input field for the activation code. Enter the activation code and click Continue.
SMS: The delivery method activation code is the four characters found at the bottom of the test message in a line that reads: Delivery Method activation code is: A1A5 (or some other unique value). Click the Enter Activation Code link for the newly configured delivery method on the Configured Delivery Methods page. This presents a page with an input field for the activation code. Enter the activation code and click Continue.
Using DeepSight Intelligence Groups
The DeepSight Intelligence Groups feature is a way of grouping alert monitors with
users so that teams can more easily address alerts.
After creating a DeepSight Intelligence Group, you must create or edit alert monitors
to use your group as a delivery method. Once that is done, your group will begin
receiving alerts that your group members can process as part of the alerts workflow.
Note: At least one of the users must be a Customer Administrator. This person
will have the ability to maintain the group.
5 Click Create.
Printing or exporting
The portal lets you generate printer-friendly views of most of the interface's pages
and export data from many of the grids. If you see an icon for Print or Export on
the right side above the grid or report, then the functionality exists for that item.
Note: If you want to include your brand header on your printouts, you must enable
the option to print background images and colors in your web browser. In Internet
Explorer, click Tools > Internet Options, click the Advanced tab, scroll to the
Printing section, and check the Print background colors and images box. In
Firefox, click File > Page Setup, and check the Print Background (colors &
images) box.
The Export function captures grid data, including hidden columns, and converts it
to a comma-separated values (.csv) format for viewing and manipulation in the
compatible application of your choosing. For incident grids, the portal exports 180
days of data; for requests and asset grids, all data is exported.
To print a report or grid
1 Customize the report or grid you intend to print. The output will contain only
those columns that are displayed in the grid.
2 Click the Print link located on the right side above the report or grid.
3 Print the view using your browser's print function.
Open Incidents by Asset Criticality
    The Open Incidents by Asset Criticality module provides a count of unique
    incidents of the selected severity that contain at least one asset of the
    selected criticality over a selected amount of time. The severity increases
    from chart bottom to top, and asset value increases from left to right. You
    can click a linked value to see a filtered Incidents grid or, if the linked
    value is 1, go directly to the Incident Detail page.
    The time configuration options are 1, 7, 30, 60, 90, and 180 days.
Incident Category
    The Incident Category module contains a chart displaying the breakdown of
    incidents by category. You can customize the time frame and the severity of
    the incidents included in the graph. Hovering over elements in the module
    provides additional information about the incidents in each category.
    The time configuration options are 1, 7, 30, 60, 90, and 180 days.
Incident Classification
    This module contains a chart displaying the breakdown of incidents by
    classification. You can customize the time frame included in the graph.
    Hovering over elements in the module provides additional information about
    the incidents in each classification.
    The time configuration options are 1, 7, 30, 60, 90, and 180 days.
Incident Classification Frequency
    This module displays the top 5 most frequent incident classifications over a
    selected amount of time. More data is shown when a data point is hovered
    within the graph.
    The time configuration options are 7, 30, 60, 90, and 180 days.
Incident Frequency
    The Incident Frequency module displays incidents over a selected amount of
    time. The module breaks down incidents by severity and lets you choose which
    severity types you would like to display over which period of time. The
    severities can also be deselected and selected within the legend. More data
    is shown when a data point is hovered within the graph.
    You can modify this module to display a select set of severities. The time
    configuration options are 7, 30, 60, 90, and 180 days.
Open Items
    The Open Items module contains a list of the top 50 open items according to
    your preferences.
    You can modify this module to display a select set of severities. The time
    configuration options are 1, 7, 30, 60, 90, and 180 days.
Security Monitor
    The Security Monitor module provides a high-level view of your current
    security incident posture.
    You can configure the timeframe to 1, 7, 30, 60, 90, and 180 days.
Symantec News
    The Symantec News module displays a list of Service Alerts, Threats, and
    Advisories in a convenient feed for quick viewing.
    The time configuration options are 1, 7, 30, 60, 90, and 180 days.
■ About incidents
■ Searching incidents
■ Printing or exporting
About incidents
Incidents are identified through analysis of an organization’s device logs. Incidents
range from routine network occurrences to actual attacks against an organization’s
systems. The SOC Technology Platform (STP) analyzes device logs to find patterns
that indicate potential weaknesses or compromises in the client’s system.
The portal categorizes incidents using the following severity levels:
Informational  These are Informational incidents with no impact to the client. They
               are presented for informational/reporting purposes.
Warning        Warning incidents are suspicious and may require additional
               investigation by the client. They are not a high-risk attack and do
               not require immediate action to mitigate the impact of the attack.
Critical       These are Critical incidents, which are high-risk attacks or possible
               compromises. Immediate action is necessary to mitigate the impact of
               these incidents.
The Incidents page displays incidents related to the registered networks (a.k.a.
netblocks) assigned to your organization. Users at the company-level organization
will see all incidents for that company.
If you do not have access to an incident's destination organization, or there are no
organizations associated with this incident, the Destination Organization column
displays External. If you have access to more than one of the associated destination
organizations, the column displays Multiple.
Searching incidents
The portal provides a simple search feature that allows you to instantly view an
incident.
Currently, correlation is supported between certain firewalls from Palo Alto Networks,
Sourcefire, Checkpoint, and FireEye, and antivirus and intrusion prevention system
(IPS) products from Symantec and McAfee.
same known malware file was blocked. These events are combined to create a
correlated incident with a wealth of information that you can opt to export to PDF
for analysis and remediation. See “To view correlated incident events” on page 76.
The correlated incident provides an overlay with the following information, if available:
outcome, file name, reputation, source URL, MD5/SHA256 hash, and malware
behavior, including affected operating systems, known effects of infection, and the
associated malware subtypes.
Note the following definitions to better understand the expanded file information.
Reputation  Indicates the trust level that Symantec assigns to a file, based on a
            stringent evaluation methodology. Reputation shows as one of the
            following terms:
First Seen  Indicates when Symantec's global community of users first downloaded
            this file. Treat new files with caution.
The resolved incident provides an overlay with the following information, if available:
a source host address resolution diagram, source host details, your affected assets,
and the logging devices involved.
■ Created date only: Checking only this box filters the grid to display incidents
with a creation timestamp that falls within the selected timeframe. This is
the default grid setting.
■ Key Event Activity date only: Checking only this box filters the grid to display
incidents with key event activity that falls within the selected timeframe.
■ Both: Checking both boxes causes the grid to display incidents with a
creation timestamp that falls within the specified timeframe as well as any
additional results where the latest key event activity falls within the specified
timeframe.
3 Click the (undo) link next to the selected timeframe at the top of the left side
bar to return to the default timeframe.
To change the grid timeframe by picking a date range
1 In the Timeframe area of the left side bar, click the Pick Date Range link.
2 Click in the Start date field and type a date, or click the calendar widget on
the right end of the field and navigate to your preferred start date.
3 Click in the End date field and type a date, or click the calendar widget on the
right end of the field and navigate to your preferred end date.
4 Click Apply.
5 Below the Pick Date Range link, choose whether to display the incidents’
Created date, Key Event Activity date or both.
To filter the grid
1 In the left side bar, click one or more entries under the available filter sets to
narrow the focus of the grid data. You can select multiple items within a filter
set. Once you have selected all the items in one category that you want to
view, and move to another filter set, you cannot go back to the previous set to
select again unless those previous selections are undone.
For example, if you were to select Critical and Emergency under Severity, then
select External under Organization, you would notice that the Severity filter set
is no longer displayed. To display that filter set and choose other severities,
you must first undo the ones you have selected.
2 Click Show All at the bottom of the filter set to see all of the filters available
for that set. Show All only appears if there are more than five filters within a
set.
3 Click Show Less at the bottom of the filter set to display only the top five filters.
4 At the top of the left side bar, click the (undo) link next to a filter selection you
want to remove, or click Undo All to remove all of the filter selections.
Updating multiple incidents simultaneously
■ Status
■ Closure code
■ Severity
■ Assignment
■ Comment
■ Reference number
■ Priority
To perform an incident bulk update
1 In the Incidents grid, click the check box at the start of the row of all incidents
you want updated simultaneously.
You can also click the check box at the top of that grid column to select all of
the incidents on that grid page. Note that this action does not select all incidents
across a multi-page grid, only those on the page currently displayed.
2 Click the Update button at the top of the grid.
3 In the Update Incident window, modify the incident information as needed.
Note that where you are restricted to a set of values, the field is a selection
list. The other fields let you type your information free-form. Comments added
in this window are appended to all of the selected incidents' activity logs.
4 Click Save.
Printing or exporting
The portal lets you generate printer-friendly views of most of the interface's pages and
export data from many of the grids. If you see an icon for Print or Export on the
right side above the grid or report, then the functionality exists for that item. Note
that the Intelligence tab content does not support this Print/Export feature.
Note: If you want to include your brand header on your printouts, you must enable
the option to print background images and colors in your web browser. In Internet
Explorer, click Tools > Internet Options, click the Advanced tab, scroll to the
Printing section, and check the Print background colors and images box. In
Firefox, click File > Page Setup, and check the Print Background (colors &
images) box.
The Export function captures grid data, including hidden columns, and converts it
to a comma-separated values (.csv) format for viewing and manipulation in the
compatible application of your choosing. For incident grids, the portal exports 180
days of data; for requests and asset grids, all data is exported.
To print a report or grid
1 Customize the report or grid you intend to print. The output will contain only
those columns that are displayed in the grid.
2 Click the Print link located on the right side above the report or grid.
3 Print the view using your browser's print function.
To export grid data
1 Click the Export icon located on the right side above the grid.
2 In the Opening ReportData.csv window, click Save to Disk.
3 Click OK.
4 If your browser is configured to automatically route downloads to a specific
location, you will find ReportData.csv there. Otherwise, in the Enter name of
file to save to... window, modify the file name as desired, navigate to your
preferred download location, and click Save.
Note: You can change the incident severity, but be aware that the quickly evolving
threat environment can require the SOC to override your setting with a different
severity, if necessary.
5 In the Key Events grid, locate an event to investigate, and click the File Info
button for the malicious file overlay. See “About incident correlation” on page 68.
6 Click the links available in the overlay for more information.
7 In the File Info overlay, you can click Export PDF to create and download a
Portable Document Format file containing more malware file information.
8 Click OK.
To view an incident’s true source IP address resolution
1 In the Incidents grid, click the incident you want to investigate.
2 In the Incident Details page, note the icon to the right of the IP address. See
“Unmasking true source IP addresses” on page 69.
3 In the Incident Details page, click the Events tab.
4 In the Key Events grid, select how you want to view the grid: as a Group or
a List. This option is not available if there are no grouped events.
5 In the Key Events grid, locate an event to investigate, and click the Info button
for the true source overlay.
6 Click the links available in the overlay for more information.
7 Click OK.
To construct a log query from incident details
1 In the Incident Details page, click the Events tab.
2 Click Construct Log Query.
3 In the Construct Log Query window, ensure that the Source IP and Device
Name entries are correct.
4 Click a Time Period for the report to cover or click Custom and use the
calendar widget to set a custom date range.
5 Click Run Query.
To view related assets
1 In the Incident Details page, click the Assets tab.
2 In the Assets tab, click the Asset Name to view details about the asset or click
the Primary IP to view IP address details.
To view related devices
1 In the Incident Details page, click the Devices tab.
2 In the Devices grid, click the Search Code to view device details.
You can see only those devices to which you have access.
3 Select a start and end date for this authorization or check the Always
Authorized check box.
4 Type a scanner description.
5 Click Add.
To edit an authorized scanner
1 In the Authorized Scan grid, locate the scanner you want to edit and click the
Edit button on the right.
2 In the Update Authorized Scan area above the grid, modify the auto-populated
fields as needed.
3 Click Save.
To delete an authorized scanner
1 In the Authorized Scan grid, locate the scanner you want to remove and click
the Delete button on the right.
2 In the confirmation prompt, click OK.
Note: The Type designation here is for your reference only and does not in any
way affect or change the analysis done against your networks.
6 Click Add.
To edit a registered network
1 In the Registered Networks grid, locate the netblock you want to edit and
click the Edit button on the right.
2 In the data entry area above the grid, modify the auto-populated fields as
needed.
3 Click Save.
To delete a registered network
1 In the Registered Networks grid, locate the netblock you want to remove and
click the Delete button on the right.
2 In the confirmation prompt, click OK.
5 If you chose List, type the values (at least two are required) that you want to
populate the selection list. Click the + (plus) icon to add another Values field.
6 Optionally, type the field's description.
7 Click Add.
8 In the confirmation prompt, click OK.
To edit a custom field
1 In the Custom Fields grid, locate the custom field you want to edit and click
the Edit button on the right.
2 In the data entry area above the grid, modify the auto-populated fields as
needed.
3 Click Save.
To delete a custom field
1 In the Custom Fields grid, locate the custom field you want to remove and
click the Delete button on the right.
2 In the confirmation prompt, click OK.
■ Asset Criticality lets you specify an asset criticality level for your rule (for
example, all assets that your organization has identified as Critical). The
options are Critical, High, Medium, and Low. You may define only one Asset
Criticality row per rule.
■ Asset Group lets you narrow the rule to affect only those incidents that
impact a specific asset group. If your organization does not use the asset
grouping feature, this criterion will not appear. You may select multiple
Asset Groups per rule.
4 Click the green + icon as needed to add more criteria. When a rule has two
or more rows, a red X icon appears to the right of every row. Click this icon
to delete the row.
5 Click the Rule Name field and type a name for this severity rule.
6 Optionally, click the Description field and type a short description for the rule.
If you use this field, the text appears as a tooltip when you hover your pointer
over an information icon next to the rule name in the custom rule grid.
7 Click Custom Severity Level and choose the severity level for the affected
incidents. The options are Emergency, Critical, Warning, or Informational.
8 If your custom severity is Critical or Emergency, click the Receive Escalation
Call selection box if you want the SOC to call your organization's escalation
contact when an incident triggers this rule.
9 Click Save.
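A model of how custom severity rules of this kind can be evaluated against an incident, as an added example that is not the portal's own implementation: Python, with constructed assets and incidents. It enforces the constraints the procedure states (one Asset Criticality row per rule, any number of Asset Groups, unique rule names, Receive Escalation Call offered only for Critical or Emergency) and makes two assumptions the page does not settle: a rule's criticality and group rows must be satisfied by the same asset, and when several rules match, the highest custom severity wins. The rule criteria that appear earlier in the real form are not reproduced, so a rule here must carry at least one of the two criteria shown.

```python
from dataclasses import dataclass

SEVERITY_ORDER = ["Informational", "Warning", "Critical", "Emergency"]
CRITICALITIES = {"Critical", "High", "Medium", "Low"}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str                 # one of CRITICALITIES
    groups: frozenset = frozenset()  # asset groups the asset belongs to


@dataclass(frozen=True)
class Incident:
    incident_id: str
    severity: str                    # severity the SOC assigned
    assets: tuple                    # Assets affected by the incident


@dataclass(frozen=True)
class SeverityRule:
    name: str
    custom_severity: str
    asset_criticality: str = ""            # at most one criticality row per rule
    asset_groups: frozenset = frozenset()  # any number of groups; empty = unused
    escalation_call: bool = False
    description: str = ""

    def __post_init__(self):
        if self.custom_severity not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {self.custom_severity!r}")
        if self.asset_criticality and self.asset_criticality not in CRITICALITIES:
            raise ValueError(f"unknown asset criticality {self.asset_criticality!r}")
        if self.escalation_call and self.custom_severity not in ("Critical", "Emergency"):
            raise ValueError("Receive Escalation Call is only offered for Critical or Emergency")
        if not self.asset_criticality and not self.asset_groups:
            # Assumption of this example: the other criteria of the real form are
            # not modelled, so a rule must use at least one of the two shown here.
            raise ValueError("rule needs at least one criterion")

    def matches(self, incident):
        """True when at least one affected asset satisfies every criterion row
        (assumption: the criticality and group rows must hold for the same asset)."""
        for asset in incident.assets:
            if self.asset_criticality and asset.criticality != self.asset_criticality:
                continue
            if self.asset_groups and not (asset.groups & self.asset_groups):
                continue
            return True
        return False


class RuleSet:
    """Rules keyed by name; rule names must be unique, as in the portal."""

    def __init__(self):
        self._rules = {}

    def add(self, rule):
        if rule.name in self._rules:
            raise ValueError(f"rule name {rule.name!r} already exists")
        self._rules[rule.name] = rule

    def apply(self, incident):
        """Return (severity, escalation_call, rule_name). Assumption: when several
        rules match, the highest custom severity wins; with no match the incident
        keeps the severity the SOC assigned."""
        hits = [r for r in self._rules.values() if r.matches(incident)]
        if not hits:
            return incident.severity, False, None
        best = max(hits, key=lambda r: SEVERITY_ORDER.index(r.custom_severity))
        return best.custom_severity, best.escalation_call, best.name


def rule_is_valid(**fields):
    """True if SeverityRule accepts these fields; shows which combinations the
    constraints above reject."""
    try:
        SeverityRule(**fields)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    rules = RuleSet()
    rules.add(SeverityRule("Critical DCs", "Emergency", asset_criticality="Critical",
                           asset_groups=frozenset({"Domain Controllers"}),
                           escalation_call=True))
    rules.add(SeverityRule("Lab assets", "Informational", asset_criticality="Low"))
    dc01 = Asset("dc01", "Critical", frozenset({"Domain Controllers"}))   # constructed
    print(rules.apply(Incident("INC-1", "Warning", (dc01,))))
```

Bear in mind the note earlier in this chapter: whatever severity a rule assigns, the SOC can still override it.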
To edit a custom severity rule
1 In the Custom Severity Rules grid, click the Edit icon (shaped like a pencil)
at the far right side of the row you want to edit.
2 After the selected row populates the data fields above the grid, modify the rule
criteria as needed, following the instructions provided in the previous procedure.
3 Click the green + icon as needed to add more criteria. When a rule has two
or more rows, a red X icon appears to the right of every row. Click this icon
to delete the row.
4 If needed, click the Rule Name field and modify the rule's name.
5 If needed, click the Description field and modify the rule's description.
6 Click Custom Severity Level and modify it as needed. The options are
Emergency, Critical, Warning, or Informational.
7 If your custom severity is Critical or Emergency, review your choice for the
Receive Escalation Call selection box and select or deselect the box, as
needed.
8 Click Save.
To copy a custom severity rule
1 In the Custom Severity Rules grid, click the Copy icon (shaped like
overlapping squares) at the far right side of the row you want to copy.
2 After the selected row populates the data fields above the grid, modify the rule
criteria as needed, following the instructions provided in the previous procedure.
3 Click the green + icon as needed to add more criteria. When a rule has two
or more rows, a red X icon appears to the right of every row. Click this icon
to delete the row.
4 Click the Rule Name field and modify the rule's name. Rule names must be
unique.
5 If needed, click the Description field and modify the rule's description.
6 Click Custom Severity Level and modify it as needed. The options are
Emergency, Critical, Warning, or Informational.
7 If your custom severity is Critical or Emergency, click the Receive Escalation
Call selection box if you want the SOC to call your organization's escalation
contact when an incident triggers this rule.
8 Click Save.
To delete a custom severity rule
1 In the Custom Severity Rules grid, click the Delete icon (the black X) at the
far right side of the row you want to delete.
2 In the confirmation prompt, click Yes to confirm rule deletion.
To view the revision history for a custom severity rule
1 In the Custom Severity Rules grid, in the Creation Date column, click the
History icon next to the rule's date and time entry.
If a rule has not been modified since being created, there is no version history
to view and no History icon appears.
2 In the Incident Severity Rule Revision History window, review the available
entries.
3 Click Close.
Chapter 6
Managing requests
This chapter includes the following topics:
■ About requests
■ Searching requests
■ Editing requests
■ Printing or exporting
About requests
The portal displays the following request types:
Alarm (AL)         This is generated automatically, such as in the case of a device
                   outage.
Service Case (SC)  This is opened by customers either through the portal's New
                   Request link or by contacting the SOC. Service Cases include
                   policy changes.
The Requests page displays service cases and alarms for your organization. The
default view shows all active requests sorted by urgency.
Searching requests
The portal provides a requests search feature. You can search for requests by
typing in the Search field either an exact Request ID, or part of a request reference
number, contact name, request description, or activity log text. If the search returns
one result, the portal displays the result in a Request Detail page. If the search
returns more than one result, the results are displayed in a grid.
When searching for the request reference number, contact name, request
description, or activity log text fields, the portal compares the search text with
possible results using SQL's LIKE operator. SQL provides the following wildcard
characters for searching using LIKE.
_ (underscore)  Any single character. Searching on '_ean' finds requests with
                four-letter words that end with 'ean' (mean, Dean, Sean, and so on).
[^]             Any single character not within the specified range ([^a-f]) or set
                ([^abcdef]). Searching on 'de[^l]%' finds requests with words
                starting with 'de' and where the following letter is not 'l'.
When you need to search for text that includes characters normally considered
wildcards, use the backslash ‘\’ escape character just before the wildcard. For
example, to search for ‘60%’ where % is not a wildcard, type ‘60\%’ in the text
search box. Similarly, to search for ‘60\’, type ‘60\\’. The escape character only
applies to the wildcard characters and the escape character itself.
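The LIKE-based matching described above, as an added example that is not part of this guide or of the portal's code: a Python script against an in-memory SQLite table filled with constructed sample requests. It binds the user's text as a query parameter with an ESCAPE '\' clause, so the user's own wildcards and backslash escapes behave as described ('_ean', '60\%', '60\\') while the text can never alter the SQL statement itself; escape_like() shows the alternative of matching the text literally. SQLite supports '_', '%' and ESCAPE but not the '[^]' set syntax, which is a SQL Server extension, so that wildcard is not exercised here.

```python
import sqlite3

# Constructed sample rows (not portal data): id, reference number, contact, description
SAMPLE_REQUESTS = [
    (1001, "REF-60%", "Dean", "mean reading on the firewall"),
    (1002, "REF-7", "Sean", "delay in log delivery"),
    (1003, "REF-60\\", "Jean", "deliver policy change"),
    (1004, "REF-8", "Bob", "demo request"),
]

ESCAPE = "\\"


def escape_like(text):
    """Escape '%', '_' and the escape character itself so the text is matched
    literally by LIKE ... ESCAPE '\\'. This is what a user does by hand when
    typing '60\\%' to find '60%'."""
    return "".join(ESCAPE + ch if ch in ("%", "_", ESCAPE) else ch for ch in text)


def open_db():
    """In-memory table standing in for the portal's request store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE requests (id INTEGER PRIMARY KEY, reference TEXT, "
        "contact TEXT, description TEXT)"
    )
    conn.executemany("INSERT INTO requests VALUES (?, ?, ?, ?)", SAMPLE_REQUESTS)
    return conn


def search_requests(conn, search_text, literal=False):
    """Return ids of requests whose reference, contact or description contains
    search_text. By default the text is a LIKE pattern, so the user's wildcards
    and backslash escapes apply; with literal=True every wildcard is escaped
    first. The pattern is always bound as a parameter, never concatenated into
    the SQL, so a wildcard can widen a match but cannot change the statement."""
    pattern = escape_like(search_text) if literal else search_text
    like = "%" + pattern + "%"          # contains-style match on each field
    sql = (
        "SELECT id FROM requests WHERE reference LIKE ? ESCAPE '\\' "
        "OR contact LIKE ? ESCAPE '\\' OR description LIKE ? ESCAPE '\\' "
        "ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql, (like, like, like))]


if __name__ == "__main__":
    db = open_db()
    print(search_requests(db, "_ean"))               # [1001, 1002, 1003]
    print(search_requests(db, "60\\%"))              # [1001]  user typed 60\%
    print(search_requests(db, "60\\\\"))             # [1003]  user typed 60\\
    print(search_requests(db, "60%"))                # [1001, 1003]  % is a wildcard
    print(search_requests(db, "60%", literal=True))  # [1001]
```

The two-mode design mirrors the choice a search feature has to make: letting users write LIKE patterns is convenient, but it also lets a pattern such as '%' match every row, so a service that treats the result set as access-controlled must still scope the query to the caller's organization rather than rely on the pattern.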
To search for a request
1 At the top of any Requests page, click inside the Search field.
2 Type one of the following:
■ A complete request ID number
■ Complete or partial request reference number
■ Complete or partial contact name
■ Partial request description
■ Partial activity log
3 Click Search.
■ If the search returns one result, the portal displays the result in a Request
Detail page.
■ If the search returns more than one result, they are displayed in a grid. Click
the Request ID link to see the Request Detail page.
■ If the search returns no results, the portal displays a blank Request Detail
page with the message “Requested data cannot be found.” and the search
text you entered displayed at the page’s subtitle line.
Editing requests
You can update a request’s activity, upload files to be attached to a request, and
change the organization to which it is assigned.
Note: You will only be able to reassign a request to another organization to which
you have access.
To edit a request
1 In the Request Detail page, click the Edit icon.
2 Modify the editable fields as you prefer.
3 In the Edit Request page, click Assigned to to expand the drop-down list.
4 In the Edit Request page, type the reference number in the Reference # text
box.
5 When you are finished editing, click Submit.
To attach a file to the request
1 In the Request Details page, click the Attachments tab.
2 In the Attachments tab, click Browse next to the File to upload text box, and
locate the file you want to upload.
The maximum number of files that you can attach to a request during an update
session is five, and each file can be no larger than 10 MB.
3 When you have located the file to upload, click Open.
The file is scanned for viruses before being attached to the request.
4 Under Comment, type an optional comment.
5 Click Upload.
you are satisfied with your selection, you can name and save the filter set for future
use.
Available filters appear on the left side of the page. The number of items matching
the filter appears next to the filter link. When you apply a filter to the grid, the selected
filter item is removed from the set and displayed at the top of the page as a filter
selection, and the available filter sets change based on the remaining data.
Additionally, the grid can be customized to show more or fewer columns, and the
data can be sorted by any of the displayed columns.
To change the grid timeframe using a preset
1 In the Timeframe area of the left side bar, click your preferred timeframe preset.
2 Click the (undo) link next to the selected timeframe at the top of the left side
bar to return to the default timeframe.
To change the grid timeframe by picking a date range
1 In the Timeframe area of the left side bar, click the Pick Date Range link.
2 Click in the Start date field and type a date, or click the calendar widget on
the right end of the field and navigate to your preferred start date.
3 Click in the End date field and type a date, or click the calendar widget on the
right end of the field and navigate to your preferred end date.
4 Click Apply.
To filter the grid
1 In the left side bar, click one or more entries under the available filter sets to
narrow the focus of the grid data. You can select multiple items within a filter
set. Once you have selected all the items in one category that you want to
view, and move to another filter set, you cannot go back to the previous set to
select again unless those previous selections are undone.
2 Click Show All at the bottom of the filter set to see all of the filters available
for that set. Show All only appears if there are more than five filters within a
set.
3 Click Show Less at the bottom of the filter set to display only the top five filters.
4 At the top of the left side bar, click the (undo) link next to a filter selection you
want to remove, or click Undo All to remove all of the filter selections.
To save your filter for later use
1 When you have made all of your preferred filter selections, click the Save button
in the left side bar in the Saved Filters area.
2 In the Save Filter window, type a name for your filter.
3 Click Save.
4 Click the Select Filter list to access your saved filter.
To sort the grid
1 Click any displayed column heading to sort the grid by that column in ascending
order.
2 Click the column heading again to sort the grid by that column in descending
order.
To customize the grid columns
1 In the upper right side of the grid, click Customize Columns.
2 In the Customize Columns window, click an entry in the Columns Displayed
area in the left pane, then click the arrow pointing rightward, to remove the
column from the grid view. You can add columns by clicking an entry in the
Columns Available area in the right pane, then clicking the arrow pointing
leftward.
3 Change the column display order by selecting entries in the left pane and
clicking the Up and Down buttons until you have your preferred order.
4 You can set the grid sort order as well by clicking the Sort Order selection list
and clicking your preferred sort column.
5 Click the Set as Default View check box if you want this customized view to
be your default view for this grid.
6 When you have finished customizing the grid, click Apply Updates.
To toggle the filter bar
1 At the top of the left side bar, click the leftward-facing arrow to hide the filter
bar.
2 At the top left of the grid, click the rightward-facing arrow to view the filter bar.
Printing or exporting
The portal lets you generate printer-friendly views of most of the interface's pages and
export data from many of the grids. If you see an icon for Print or Export on the
right side above the grid or report, then the functionality exists for that item. Note
that the Intelligence tab content does not support this Print/Export feature.
Note: If you want to include your brand header on your printouts, you must enable
the option to print background images and colors in your web browser. In Internet
Explorer, click Tools > Internet Options, click the Advanced tab, scroll to the
Printing section, and check the Print background colors and images box. In
Firefox, click File > Page Setup, and check the Print Background (colors &
images) box.
The Export function captures grid data, including hidden columns, and converts it
to a comma-separated values (.csv) format for viewing and manipulation in the
compatible application of your choosing. For incident grids, the portal exports 180 days
of data; for requests and asset grids, all data is exported.
To print a report or grid
1 Customize the report or grid you intend to print. The output will contain only
those columns that are displayed in the grid.
2 Click the Print link located on the right side above the report or grid.
3 Print the view using your browser's print function.
To export grid data
1 Click the Export icon located on the right side above the grid.
2 In the Opening ReportData.csv window, click Save to Disk.
3 Click OK.
4 If your browser is configured to automatically route downloads to a specific
location, you will find ReportData.csv there. Otherwise, in the Enter name of
file to save to... window, modify the file name as desired, navigate to your
preferred download location, and click Save.
Chapter 7
Managing devices
This chapter includes the following topics:
■ About devices
■ Printing or exporting
About devices
The Devices page displays the devices Symantec manages and monitors for you.
You can browse for results using the faceted filters or look up a device in the Search
field.
Printing or exporting
The portal lets you generate printer-friendly views of most of the interface's pages and
export data from many of the grids. If you see an icon for Print or Export on the
right side above the grid or report, then the functionality exists for that item. Note
that the Intelligence tab content does not support this Print/Export feature.
Note: If you want to include your brand header on your printouts, you must enable
the option to print background images and colors in your web browser. In Internet
Explorer, click Tools > Internet Options, click the Advanced tab, scroll to the
Printing section, and check the Print background colors and images box. In
Firefox, click File > Page Setup, and check the Print Background (colors &
images) box.
The Export function captures grid data, including hidden columns, and converts it
to a comma-separated values (.csv) format for viewing and manipulation in the
compatible application of your choosing. For incident grids, the portal exports 180 days
of data; for requests and asset grids, all data is exported.
To print a report or grid
1 Customize the report or grid you intend to print. The output will contain only
those columns that are displayed in the grid.
2 Click the Print link located on the right side above the report or grid.
3 Print the view using your browser's print function.
To export grid data
1 Click the Export icon located on the right side above the grid.
2 In the Opening ReportData.csv window, click Save to Disk.
3 Click OK.
4 If your browser is configured to automatically route downloads to a specific
location, you will find ReportData.csv there. Otherwise, in the Enter name of
file to save to... window, modify the file name as desired, navigate to your
preferred download location, and click Save.
■ About assets
■ Registering an asset
■ Importing assets
■ Grouping assets
■ Deleting an asset
About assets
Assets are the workstations, servers, and other resources protected by your network
security infrastructure. Register assets via the MSS portal, using pre-defined
attributes or customizable tags, to enable richer impact assessment and assist in
security incident remediation.
The Assets page displays your registered assets filtered by organization and asset
value, along with a tag cloud to aid in narrowing the displayed assets.
Registering an asset
You add an asset in the portal in several ways.
To register an asset
1 Perform one of the following actions:
■ Add an asset as part of an asset upload file. See “Importing assets”
on page 101.
■ Use the Vulnerability Scan feature to create new and modify existing assets
based on the scan content. See “Uploading vulnerability scans” on page 103.
■ In a Device Detail page, click the Add as Asset button. This automatically
populates several Asset Details fields. See “Reviewing device details”
on page 96.
■ In the main Assets page, click the Manage Assets selection list in the upper
right and select Create New Assets. Continue with the steps below.
Before editing the selection list values, it is very important to understand the
following:
■ You can change or delete the default values.
■ When you update or delete a value in one of the lists, that change is applied to
all assets.
■ Changes to these attributes are done at your organization level and cascade
down to your sub-organizations.
To add asset attribute values from the Assets grid
1 In the Assets grid, check one or more assets to receive the customized values.
2 At the upper right side of the grid, click the Manage Assets selection list, then
select Manage Asset Attributes.
3 In the Asset Attributes window, choose the list you want to customize.
The options are Operating System, Compliance Restrictions, and System
Functions.
4 In the Values area of the window, type a new attribute value and click Add
Value.
5 Click Save.
To add asset attribute values from Asset Details
1 In an Asset Details screen, click the Manage List link located next to the
selection list you want to edit.
The fields are Operating System, Compliance Restrictions, and System
Functions.
2 In the Values area of the Asset Attributes window, type a new attribute value
and click Add Value.
3 Click Save.
To edit asset attribute values
1 In the Values area of the Asset Attributes window, locate the value you want
to edit and click the Edit icon.
2 In the Values text box, modify the value as needed and click Add Value.
3 Click Save.
Importing assets
The portal lets you import lists of assets. The file to be uploaded must be in .csv
(comma-separated value) format and its contents must meet the following requirements.
Note: Where a column accepts more than one value, separate the values with semicolons.
Some columns are restricted to a fixed list of options; the text must match those
options exactly.
Organization (maximum length 18)
    Defaults to the organization name of the user who uploaded the file.
Asset Value
    Low, Medium, High, Critical; defaults to Medium if no value is provided.
Table 8-3 Optional fields that can contain more than one value
Tags (maximum length 50)
    Separate multiple tags with semicolons.
System Function
    Antivirus Server, Database Server, Domain Controller, Email Server, File Server,
    Firewall, High-Value Workstation, IDS/IPS, Name Server, Network Management Server,
    Proxy, Vulnerability Scanner, Web Server, Workstation
Table 8-4 Optional fields that can contain only one value
Operating System
    Linux, Mac OSX, Other Unix, Solaris, Windows, Windows Server 2003, Windows 2008
Domain (maximum length 200)
Address 1 (maximum length 200)
Address 2 (maximum length 200)
City (maximum length 100)
State/Province (maximum length 250)
Postal Code (maximum length 25)
GMT offset (maximum length 6)
    Standard GMT offset without daylight saving time. Valid values are 0, +1 to +12,
    and -1 to -12; see the URL in note 1 below. Format the offset as
    [absolute GMT offset]-[S|D], where S refers to standard time and D refers to
    daylight saving time.
Country (maximum length 2)
    Use ISO 3166-1 alpha-2 codes; see the list at the URL in note 2 below.
Description (maximum length 500)
Ignore (maximum length 1)
    Marks rows to process or ignore. Leave blank for the asset to be processed, or
    use a hash mark (#) for the row to be ignored during processing.
1. http://www.wwp.greenwichmeantime.com/info/timezone.htm
2. http://www.iso.org/iso/country_codes/iso_3166_code_lists/country_names_and_code_elements.htm
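The tables above are easy to get wrong by hand (exact-match option text, semicolon lists, per-column length limits), and a rejected or partially applied upload is expensive to untangle. The following Python is an added example written for this guide, not code from the portal or from Symantec, that checks a .csv against the optional columns of Tables 8-3 and 8-4 before you upload it. The function names (validate_asset_csv, row_problems), the sample file and the following assumptions are mine: the header row uses the column names exactly as printed in the tables, option matching is case-sensitive, the required identifying columns not shown in this excerpt are not checked, and the GMT offset is written as an optional sign, an hour from 0 to 12, then -S or -D (for example -5-D).

```python
"""Pre-flight validator for an MSS asset import file (.csv).

Added example, not portal code. Assumptions: header names match Tables 8-3/8-4
exactly, option matching is case-sensitive, and GMT offset is written as an
optional sign, an hour 0-12, then -S (standard) or -D (daylight saving), e.g. -5-D.
"""
import csv
import io
import re

# Enumerated columns: the portal requires the text to match these options exactly.
ASSET_VALUES = {"Low", "Medium", "High", "Critical"}
SYSTEM_FUNCTIONS = {
    "Antivirus Server", "Database Server", "Domain Controller", "Email Server",
    "File Server", "Firewall", "High-Value Workstation", "IDS/IPS", "Name Server",
    "Network Management Server", "Proxy", "Vulnerability Scanner", "Web Server",
    "Workstation",
}
OPERATING_SYSTEMS = {
    "Linux", "Mac OSX", "Other Unix", "Solaris", "Windows", "Windows Server 2003",
    "Windows 2008",
}
# Single-value free-text columns and their maximum lengths.
MAX_LENGTHS = {
    "Organization": 18, "Domain": 200, "Address 1": 200, "Address 2": 200,
    "City": 100, "State/Province": 250, "Postal Code": 25, "Description": 500,
}
TAG_MAX_LENGTH = 50                                           # per semicolon-separated tag
GMT_OFFSET_RE = re.compile(r"^[+-]?(?:0|[1-9]|1[0-2])-[SD]$")  # assumed [offset]-[S|D] shape
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")  # alpha-2 shape only; the ISO list itself is not embedded

def split_multi(value):
    """Multi-value columns use semicolon delimiters."""
    return [part.strip() for part in value.split(";") if part.strip()]

def row_problems(row):
    """Return the list of problems in one data row (a dict keyed by column name)."""
    problems = []
    ignore = row.get("Ignore", "")
    if ignore not in ("", "#"):
        problems.append(f"Ignore: must be blank or '#', got {ignore!r}")
    asset_value = row.get("Asset Value", "")
    if asset_value and asset_value not in ASSET_VALUES:
        problems.append(f"Asset Value: {asset_value!r} is not one of {sorted(ASSET_VALUES)}")
    for function in split_multi(row.get("System Function", "")):
        if function not in SYSTEM_FUNCTIONS:
            problems.append(f"System Function: {function!r} is not an allowed value")
    for tag in split_multi(row.get("Tags", "")):
        if len(tag) > TAG_MAX_LENGTH:
            problems.append(f"Tags: {tag[:15]!r}... exceeds {TAG_MAX_LENGTH} characters")
    operating_system = row.get("Operating System", "")
    if operating_system and operating_system not in OPERATING_SYSTEMS:
        # A semicolon-separated pair lands here too: this column takes a single value.
        problems.append(f"Operating System: {operating_system!r} is not an allowed value")
    for column, limit in MAX_LENGTHS.items():
        if len(row.get(column, "")) > limit:
            problems.append(f"{column}: exceeds {limit} characters")
    gmt = row.get("GMT offset", "")
    if gmt and not GMT_OFFSET_RE.match(gmt):
        problems.append(f"GMT offset: {gmt!r} is not in the form [offset]-[S|D]")
    country = row.get("Country", "")
    if country and not COUNTRY_RE.match(country):
        problems.append(f"Country: {country!r} is not an ISO 3166-1 alpha-2 code")
    return problems

def validate_asset_csv(text):
    """Parse CSV text; return (accepted_rows, skipped_count, errors_by_row).

    Rows with '#' in the Ignore column are skipped unvalidated, as the portal skips
    them. Accepted rows get the portal default Asset Value (Medium) filled in.
    errors_by_row maps the 1-based data row number to that row's problems.
    """
    reader = csv.DictReader(io.StringIO(text))
    accepted, skipped, errors = [], 0, {}
    for number, raw in enumerate(reader, start=1):
        row = {key.strip(): (value or "").strip() for key, value in raw.items() if key}
        if row.get("Ignore") == "#":
            skipped += 1
            continue
        problems = row_problems(row)
        if problems:
            errors[number] = problems
            continue
        if not row.get("Asset Value"):
            row["Asset Value"] = "Medium"
        accepted.append(row)
    return accepted, skipped, errors

# Constructed sample file, not customer data: row 3 has four mistakes, row 4 is ignored.
SAMPLE_CSV = """\
Organization,Asset Value,Tags,System Function,Operating System,Country,GMT offset,Ignore
Example Corp,High,pci;dmz,Web Server;Proxy,Linux,US,-5-D,
Example Corp,,,Domain Controller,Windows 2008,US,-5-D,
Example Corp,Urgent,,Mail Server,Linux,USA,-5,
Example Corp,Low,decommissioned,Workstation,Windows,GB,0-S,#
"""
```

Running validate_asset_csv(SAMPLE_CSV) accepts the first two rows (the second with Asset Value filled in as Medium), skips the ignored fourth row, and reports the third row's four problems: an Asset Value outside the allowed set, "Mail Server" instead of Email Server, a three-letter country code, and a GMT offset without the -S or -D suffix. Run the check against your own file before uploading, and in particular before checking Delete assets not contained in this import.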
To import assets
1 Make sure that the file you intend to upload is in .csv format. Saving a
spreadsheet as .csv is the most common method of conversion.
2 In the Assets page, click the Manage Assets selection list in the upper right and
select Import/Export Assets.
3 In the Import Assets window, note the check box labeled Delete assets not
contained in this import. Leave it clear unless the file is a complete inventory:
when it is checked, the upload replaces your registered assets, and any asset that
does not appear in the upload file is removed from the portal.
4 If you want to see your asset import history, click the View Import History
button. Click Ok to close the window.
5 Click Browse… to locate the .csv file you want to upload. Click the file name
and then click Open.
6 Click Upload.
To view your asset import history
1 In the Assets page, click the View Import History button.
2 Click Ok to close the window.
Uploading vulnerability scans
The Upload page lets you upload a vulnerability scan data file to the portal. This
data is used to enhance the analysis of your company's log data. The data file must
be in a supported format: Qualys 4.0 and above, Nessus 1.x (contact the MSS Service
Desk to confirm that your version is supported), or McAfee Vulnerability Manager
(formerly Foundstone) Risk_Data and Host_Data. Other vendor formats may be supported
through Symantec's XML Vulnerability Format (XVF) 2.0; contact MSS for details.
Consult the Symantec MSS XVF Reference Guide, available on the Downloads page, for
detailed information about XVF. The upload file size limit is 50 MB.
The bottom half of the Vulnerability Uploads window shows a listing of uploaded
vulnerability scans. The grid report lists the uploaded file path and name, the contact
who uploaded the file, the scan file type, associated comments, if any, whether the
upload was successful, and the date and time that the file was submitted to the
SOC.
Note: Rapid7 NexPose users can export their vulnerability scans in the Qualys
format and then upload them as a Qualys file.
Grouping assets
You can gather your registered assets into groups that make sense to your
organization. Once created, you can easily populate your groups with your registered
assets.
To create an asset group
1 In the Assets page, click the Manage Assets selection list in the upper right and
select Manage Groups.
2 In the Manage Groups window, click Add Group.
3 In the New Asset Group window, type a name for the group and an optional
description.
4 Select the responsible organization for this asset group.
5 Click Create Group.
6 In the asset list, click the checkbox next to the assets you want to add to the
group.
7 Click Save.
To manage an asset group
1 On the Assets page, in the left side bar, click the Manage link next to the
Group filter heading.
2 In the Manage Groups window, click the name of the group you want to modify.
3 If you want to edit the group details, click the Edit icon, and type your
modifications in the fields provided. Click Save.
4 If you want to add assets to the group, click Add Assets.
5 In the asset list, check the checkbox next to the assets you want to add to the
group, and click Save.
6 If you want to remove assets from the group, click Delete Assets.
7 In the asset list, clear the checkbox next to the assets you want to remove from
the group, and click Save.
8 Click the X icon at the top right of the window.
To delete an asset group
1 On the Assets page, in the left side bar, click the Manage link next to the
Group filter heading.
2 In the Manage Groups window, click the name of the group you want to delete.
3 In the confirmation prompt, click OK.
4 Click Save.
Deleting an asset
You can delete an asset in the following way.
To delete an asset
1 On the Assets page, click the name of the asset you want to delete.
2 On the Asset Details page, click the Delete Asset button.
3 In the confirmation window, click OK.
Changing the grid display
Each filter selection narrows the grid, and the available filter sets change based
on the remaining data. Additionally, the grid can be customized to show more or
fewer columns, and the data can be sorted by any of the displayed columns.
To filter the grid
1 In the left side bar, click one or more entries under the available filter sets to
narrow the focus of the grid data. You can select multiple items within a filter
set, but once you move on to another filter set you cannot return to the previous
set to add selections unless you first undo the selections you made there.
2 Click Show All at the bottom of the filter set to see all of the filters available
for that set. Show All only appears if there are more than five filters within a
set.
3 Click Show Less at the bottom of the filter set to display only the top five filters.
4 At the top of the left side bar, click the (undo) link next to a filter selection you
want to remove, or click Undo All to remove all of the filter selections.
To save your filter for later use
1 When you have made all of your preferred filter selections, click the Save button
in the left side bar in the Saved Filters area.
2 In the Save Filter window, type a name for your filter.
3 Click Save.
4 Click the Select Filter list to access your saved filter.
To sort the grid
1 Click any displayed column heading to sort the grid by that column in ascending
order.
2 Click the column heading again to sort the grid by that column in descending
order.
To customize the grid columns
1 In the upper right side of the grid, click Customize Columns.
2 In the Customize Columns window, click an entry in the Columns Displayed
area in the left pane, then click the arrow pointing rightward, to remove the
column from the grid view. You can add columns by clicking an entry in the
Columns Available area in the right pane, then clicking the arrow pointing
leftward.
3 Change the column display order by selecting entries in the left pane and
clicking the Up and Down buttons until you have your preferred order.
4 You can set the grid sort order as well by clicking the Sort Order selection list
and clicking your preferred sort column.
5 Click the Set as Default View check box if you want this customized view to
be your default view for this grid.
6 When you have finished customizing the grid, click Apply Updates.
To toggle the filter bar
1 At the top of the left side bar, click the leftward-facing arrow to hide the filter
bar.
2 At the top left of the grid, click the rightward-facing arrow to view the filter bar.
Chapter 9
Viewing logs
This chapter includes the following topics:
■ Viewing logs
Viewing logs
The MSS portal lets you view device logs that can be filtered by time range or
custom date range and by using a canned query (a filter supplied with the portal)
or a custom query that you create or another user has elected to share.
To view logs
◆ Perform one of the following actions:
■ In the MSS portal, click the Logs tab. This displays the Log Viewer, where you
can search for logs by time range or custom date range and by using a canned query
or a custom query that you create.
■ In the Incident Detail page, in the Events tab, click the numbered link in the
Logs column. This uses the default canned query to display only those logs
associated with the event.
9 In the Log Downloads page, click a Filename link for the file you want to
download.
10 In the File Download dialog box, click Open to open the selected file, Save
to save the file to your computer, or Cancel to cancel the download and exit
the dialog box.
Constructing a log query
The operators available for a query condition are as follows:
= (Equal To)
    Matches values exactly equal to what you enter in the text field. The query
    Destination IP = 10.1.1.100 returns logs where the Destination IP is 10.1.1.100.
<> (Not Equal To)
    Matches any value other than what you enter in the text field. The query
    Destination IP <> 10.1.1.100 returns logs where the Destination IP is anything
    other than 10.1.1.100.
> (Greater Than)
    Matches values numerically greater than what you enter; the entered value itself
    is not included. The query Destination IP > 10.1.1.100 returns logs where the
    Destination IP is 10.1.1.101 and up.
>= (Greater Than Or Equal To)
    Matches values numerically greater than or equal to what you enter. The query
    Destination IP >= 10.1.1.100 returns logs where the Destination IP is 10.1.1.100
    and up.
< (Less Than)
    Matches values numerically less than what you enter. The query Destination IP <
    10.1.1.100 returns logs where the Destination IP is 10.1.1.99 and down.
<= (Less Than Or Equal To)
    Matches values numerically less than or equal to what you enter. The query
    Destination IP <= 10.1.1.100 returns logs where the Destination IP is 10.1.1.100
    and down.
LIKE
    Defines a character pattern to include in the search results. The % sign is a
    wildcard standing for any missing characters and can be used both before and
    after the pattern. The query Device Name LIKE s% returns logs where the device
    name begins with the letter s.
NOT LIKE
    Defines a character pattern to exclude from the search results; % is a wildcard
    as for LIKE. The query Device Name NOT LIKE s% returns logs where the device name
    begins with anything other than the letter s.
NULL
    Matches the absence of a value in the field. The query Device Name NULL returns
    logs where no device name is provided.
NOT NULL
    Matches the presence of a value in the field. The query Device Name NOT NULL
    returns logs where the device name has any value.
IN, NOT IN
    Used with User Defined Lists and Asset Groups. When you select either operator,
    a drop-down list of the available User Defined Lists and Asset Groups appears.
    Asset Groups are available only when the field being queried is an IP address.
    Neither operator can be selected for a field that already has a set of values
    defined by the system, such as MSS Action or Protocol. The query Device Name IN
    Sample Device Name List returns logs whose device name appears in the Sample
    Device Name List user defined list; Device Name NOT IN Sample Device Name List
    returns logs whose device name does not appear in it.
BETWEEN
    Specifies two values to check between. Instead of the usual single value field
    there are two fields separated by the symbol &. Both bounds are excluded: the
    query Destination IP BETWEEN 10.1.1.1 & 10.1.1.100 returns only logs with
    destination IP addresses from 10.1.1.2 to 10.1.1.99.
IS PART OF SUBNET
    Targets the search at a subnet specified in Classless Inter-Domain Routing (CIDR)
    notation. The query Destination IP IS PART OF SUBNET 192.168.0.0/24 returns only
    logs with destination IP addresses in that subnet.
3 Click the plus sign icon to add a blank row to the bottom of the condition list.
Click the X icon at the beginning of the row to remove that condition.
4 To see the result of your new custom query, click Run Query.
5 To erase an unsaved query, click Reset and then click OK in the confirmation
dialog box.
To save a query
1 In the Query Name text box, type the name of your new query.
2 In the Query Description text box, type an optional description for your new
query.
3 Click Save Query.
To share a saved query
1 In the Logs page, under the Saved Queries tab, locate the query you want to
share, and click the Share button.
2 In the Share Query dialog box, click the SOC Analysts check box if you wish
to share the query with the Analysts at the SOC.
3 Click your preferred sharing option: only Your Organization or Your
Organization and Sub-orgs.
4 Click Submit.
To unshare a saved query
1 In the Logs page, under the Saved Queries tab, locate the query you want to
unshare, and click the Unshare button.
2 In the Share Query dialog box, clear the SOC Analysts check box to stop
sharing the query with the Analysts at the SOC.
Constructing a log query using Enhanced Query
5 Depending on the criterion and operator that you chose, type a value for the
condition or select it from the list.
6 Click + to add another condition or click ( ) to add a nested or parenthetical
condition.
If you add a condition, choose AND or OR, then continue creating the new
condition as you did the first one.
If you add a nested condition, continue creating it as you did the first condition,
and then either click + to add another condition at this level, click ( ) to add a
parenthetical condition nested at a deeper level, or return to the first condition
and click + to add another top-level condition.
Note: You can nest parenthetical conditions only three levels deep.
7 When you have finished adding the condition lines, click the link next to Group
By, if available.
This is optional and lets you group the query results by a field of your choosing.
8 Optionally, use the Restrictions feature to define conditions for when to show
your results. Click the check box to use the feature, then choose an operator
from the list, and type a numerical value.
For example, you could employ this option if you want the choice to display
results only when the count returned exceeds a certain amount.
9 Next to Display results, choose your preferred report format.
If you elected to group your results by a criterion, your display options are:
■ Over time in a multi-line time series graph
■ By your grouping choice on a bar, column, pie, or line graph
If you elected not to group your results, your display options are:
■ Over time in a single-line time series graph
■ As an aggregate count of the log lines
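The operator table in Constructing a log query and the nested-condition, Group By and Restrictions steps of the Enhanced Query procedure above together describe a small query language. The following Python is an added example written for this guide, not the portal's own code, that evaluates such queries over constructed log records so the semantics can be checked offline: IP fields are compared numerically (as the table's examples require, since as strings 10.1.1.99 would sort above 10.1.1.100), % is the LIKE wildcard, BETWEEN excludes both bounds as the guide's example states, IS PART OF SUBNET uses CIDR membership, parenthetical groups are limited to three levels, and a Group By count with a Restriction behaves like an SQL HAVING clause. The function names (run_query, evaluate, match), the sample records and the modelling of User Defined Lists as Python sets are my assumptions; how the portal implements matching internally is not documented on this page.

```python
"""Evaluator for MSS Log Viewer style query conditions (added example, not portal code).

A condition is (field, operator, value); a parenthetical group is ("AND" | "OR",
[subconditions]). Semantics follow the guide's operator table: IP fields compare
numerically, BETWEEN excludes both bounds, % is the LIKE wildcard. User defined lists
and asset groups are modelled as sets of values (an assumption).
"""
import ipaddress
import re
from collections import Counter

IP_FIELDS = {"Source IP", "Destination IP"}
MAX_NESTING = 3   # the portal nests parenthetical conditions only three levels deep

def _key(field, value):
    """IP fields compare as integers, so 10.1.1.100 sorts above 10.1.1.99 (strings would not)."""
    return int(ipaddress.ip_address(value)) if field in IP_FIELDS else value

def _like(pattern, text):
    """'%' is the only wildcard; every other character must match literally."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, text) is not None

def match(log, field, op, value, lists=None):
    """Apply one condition to a log record (a dict of field name to value, None if absent)."""
    actual = log.get(field)
    if op == "NULL":
        return actual is None
    if op == "NOT NULL":
        return actual is not None
    if actual is None:
        return False                       # an absent field satisfies no other comparison
    if op in ("IN", "NOT IN"):
        members = (lists or {})[value]     # value names a user defined list or asset group
        return (actual in members) == (op == "IN")
    if op in ("LIKE", "NOT LIKE"):
        return _like(value, actual) == (op == "LIKE")
    if op == "IS PART OF SUBNET":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    a = _key(field, actual)
    if op == "BETWEEN":                    # two bounds, separated by '&' in the UI; both excluded
        low, high = (_key(field, bound) for bound in value)
        return low < a < high
    b = _key(field, value)
    return {"=": a == b, "<>": a != b, ">": a > b, ">=": a >= b, "<": a < b, "<=": a <= b}[op]

def group_depth(tree):
    """1 for a flat condition list; each parenthetical level below it adds 1."""
    if tree[0] not in ("AND", "OR"):
        return 0
    return 1 + max((group_depth(sub) for sub in tree[1]), default=0)

def evaluate(log, tree, lists=None):
    """Evaluate a condition tree against one log record."""
    if tree[0] in ("AND", "OR"):
        combine = all if tree[0] == "AND" else any
        return combine(evaluate(log, sub, lists) for sub in tree[1])
    return match(log, *tree, lists=lists)

def run_query(logs, tree, group_by=None, restriction=None, lists=None):
    """Return the matching records, or with group_by a {group: count} dict.

    restriction is (operator, number) applied to each group's count, like the Enhanced
    Query Restrictions feature; (">", 1) keeps only groups seen more than once.
    """
    if group_depth(tree) - 1 > MAX_NESTING:
        raise ValueError("parenthetical conditions may be nested only three levels deep")
    hits = [log for log in logs if evaluate(log, tree, lists)]
    if group_by is None:
        return hits
    counts = Counter(log.get(group_by) for log in hits)
    if restriction is not None:
        op, number = restriction
        counts = {k: c for k, c in counts.items() if match({"count": c}, "count", op, number)}
    return dict(counts)

# Constructed sample records and a constructed user defined list (not real traffic).
LOGS = [
    {"Device Name": "srv-fw-01", "Source IP": "10.1.1.50", "Destination IP": "10.1.1.100", "Protocol": "TCP"},
    {"Device Name": "srv-fw-01", "Source IP": "10.1.1.51", "Destination IP": "10.1.1.101", "Protocol": "TCP"},
    {"Device Name": "corp-ids", "Source IP": "192.168.0.7", "Destination IP": "10.1.1.99", "Protocol": "UDP"},
    {"Device Name": None, "Source IP": "192.168.0.250", "Destination IP": "10.1.1.2", "Protocol": "ICMP"},
]
LISTS = {"Sample Device Name List": {"srv-fw-01", "edge-proxy"}}
```

Against LOGS, run_query(LOGS, ("Destination IP", ">", "10.1.1.100")) returns only the 10.1.1.101 record, the BETWEEN 10.1.1.1 & 10.1.1.100 query returns the 10.1.1.99 and 10.1.1.2 records but not 10.1.1.100, and grouping an IS PART OF SUBNET 10.0.0.0/8 query by Device Name with the restriction (">", 1) leaves a single group, srv-fw-01 with a count of 2. A query nested four parenthetical levels deep raises ValueError, mirroring the portal's limit.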
3 In the Save Query window, type your preferred name and description for this
query.
4 Click Save.
To update a saved log query
1 In the Enhanced Query page, click the link for a saved query from the list on
the left.
2 Click Edit to change the query's name and description.
3 In the Save Query window, type the new name and description.
4 Click Save.
5 Modify the query's time frame and conditions as necessary.
6 Click Update.
■ Show current series data in a table: Presents query results from the
modified date range in a tabular format.
■ Get raw logs for this query: Opens the log lines corresponding to the query
in a new tab or window.
The format-specific options are:
■ Log count in a bar, column, pie, or line graph:
    ■ Add 25 more results: If fewer than 25 results remain undisplayed, that
    number is shown in the menu option.
    ■ Remove 25 results: Removes 25 results, if possible.
    ■ View as pie chart, View as line graph, View as column chart, and
    View as bar graph: Changes the graph view to the selected display format.
■ Time series: area (single line), bar, and line (single line):
    ■ Construct query from current time range: Automatically constructs a log
    query from the results within the modified time frame.
    ■ View as pie chart, View as line graph, View as column chart, and
    View as bar graph: Changes the graph view to the selected display format.
24 hour timeout
Possible errors that you may receive while performing log queries, and tips for their
mitigation, are as follows:
Tips to improve your online log queries
You are more likely to avoid timeout errors if you use the default field set when
building your query. The default set comprises the fields that are visible when you
click the Field selection list; the extended set is reached by clicking (More…) at
the bottom of the list.
■ About reports
■ Viewing reports
About reports
The MSS portal provides access to numerous reports about incidents, device logs,
attacks, infections, and compliance data. You can also download a variety of files
and customer reports to your computer.
Viewing reports
The Reports collection tabs let you focus more on the reports that matter to you.
Additionally, you have the option of marking any current report as a “favorite,”
thereby placing it in your Favorites collection, as well as have a new custom report
created by your Services Manager. Finally, you have expanded report exporting
format options.
To view reports
1 In the MSS portal, click the Reports tab.
2 In the Reports page, click your desired report collection tab. Choose from the
following:
■ Summary – This tab shows the following collections:
■ Favorites – The reports you have marked as favorites are collected
here.
■ Recent Reports – Only your 10 most recently run reports are shown
in this collection.
■ All Reports – This collection displays all of the reports that are available
to you, including those that can be found in the other collections.
■ Incidents – This tab shows Incident reports.
■ Devices – This tab shows Device reports.
■ Organizations – This tab shows Organization reports.
■ Requests – This tab shows Request reports.
■ Compliance – This tab shows the Payment Card Industry (PCI),
Sarbanes-Oxley (SOX), and Good Practice Guide 13 (GPG) report collection
subtabs.
■ PCI – This collection shows compliance reports related to the PCI
standard.
■ SOX – This collection shows compliance reports related to the
Sarbanes-Oxley standard.
■ GPG – This collection shows compliance reports related to the Good
Practice Guide 13 standard.
3 In the selected collection page, click the report you want to view.
4 If the report has a selectable timeframe, click the duration in days in the
upper-left side of the report, or click the Pick Date Range link to select a custom
timeframe.
5 In the report, click any of the active links to view more details about that item.
To mark a report as a favorite
1 On any report selection page, click the star icon to the right of the description.
2 Within the report, click the Save as favorite check box.
To export a report
◆ On any report page, click the Export icon and select one of the following formats:
■ XML file with report data
■ CSV (comma delimited) – A comma-separated value file.
■ Acrobat (PDF) file – A Portable Document Format file.
■ MHTML (web archive) – MIME HTML, which combines the resources normally referenced
by external links together with the HTML into a single file.
■ Excel – A format readable by Microsoft Excel.
■ TIFF – Tagged Image File Format.
■ Word – A format suited to Microsoft Word.
4 Click a number for the desired range of Days, or click Custom and set the date
and time range for which you want to view logs. Reports for date ranges exceeding
30 days are run offline; you receive an email notification when the report is
complete.
5 In the Maximum Rows box, type the maximum number of logs for the portal to
retrieve. The maximum value for this field is 5,000. Reports exceeding this number
of rows are run offline; you receive an email notification when the report is
complete.
6 In the Timeout (Minutes) box, type the number of minutes the query may run
before timing out. The maximum value for this field is 20.
7 Click Run.
Chapter 11
Using the DeepSight™
Intelligence Portal
This chapter includes the following topics:
■ Using Alerts
■ Using Research
■ Using Intelligence
■ Using Datafeeds
■ Printing or exporting
Using Alerts
The Alerts tab lets you do the following:
■ View any of the alerts delivered to you
■ View delivered alerts by alert type
■ View the vulnerability, malicious code, and security risk databases
■ Set up vacation mode, where notifications can be held until your return or filtered
so that selected alerts are forwarded during your vacation period
■ Perform an advanced search of your alerts or the alert databases
By default, you land on the My Alerts tab where alerts that have been delivered to
you are displayed.
Using My Alerts
The My Alerts tab gives you access to every alert delivered to your user account.
The alerts from the previous month are displayed by default. The list begins with
the most recently delivered alert. The display can be expanded or filtered by date
range and/or restricted by alert type.
The My Alerts display is initially divided into four columns:
■ Rating
■ Title
■ Delivered
■ Type
The grids can be sorted by clicking on any column heading. The From and To Date
fields at the top of the page let you view alerts delivered between the specified
dates.
To filter My Alerts
1 On the My Alerts tab, click the From Date field and use the calendar widget
to select the date on which the alerts grid should start.
2 Click the To Date field and use the calendar widget to select the date on which
the alerts grid should end.
3 Use the Alert Type drop down if you want to see a specific alert type. Alert
Types correspond to alerts delivered by configured monitors. See Table 11-1
for more information.
4 If you want to include group alerts in the results, check the box next to Include
Group Alerts and select the group to include from the pick list.
5 Select the number of records you want displayed in the results grid.
6 Click Submit.
Table 11-1 Alert types and the monitors that deliver them
Alert Type        Monitor
Vulnerability     Vulnerability
Domain            Domain
ThreatCon         ThreatCon
Note: Use the Hide/Show Search Criteria link located above the Display Option
selectors to toggle the search fields display.
4 Complete the search fields associated with the selected alert type. Reference
the following sections for detailed information on the search fields displayed.
5 Click Submit.
Vulnerability
The vulnerability alert type can be searched as a My Alert or as an All Alert. The
advanced search options vary only slightly and are identified within Table 11-2.
Table 11-2 Advanced search options for vulnerabilities
Display Option
    My Alerts or All Alerts. The selection affects the search options available for
    each alert type. Note: The All Alerts display option presents the vulnerability,
    malicious code, and security risk databases.
Date Period
    Last Updated is the default, but you may select Published.
Date Range
    Use the calendar widgets to set the From and To dates.
Alert Type
    Use the drop down to select the alert type to search.
Monitor (My Alerts only)
    Displays the monitors that apply to the specified Alert Type. Select the monitor
    of interest or use the default setting of All Monitors to return results from
    every triggering monitor.
Delivery Method
    Select the Delivery Method to which the alert was delivered.
Include Group Alerts
    If you want to include group alerts in the results, check the box next to
    Include Group Alerts and select the group to include from the pick list.
Technology List (All Alerts only)
    The Technology List drop-down box lets you filter the entire vulnerability
    database by the products defined within your technology lists. A vulnerability
    technology list search is based on the contents of the Vulnerable Systems field.
Status (My Alerts only)
    Select the status level of interest or use the default setting of All Statuses
    to return results at any status setting.
Vendor
    Entering a vendor name into the Search Text input box returns all results for
    the specified vendor. For a large or prolific vendor this may return too many
    results to be useful; for a small or moderately sized vendor it can be used to
    locate products when the exact product name is not known.
Product
    Entering a product name returns results for that product. The product vendor's
    name is not required when entering the Search Text. The vulnerability product
    search is based on the contents of the Vulnerable Systems field within a
    vulnerability alert.
Vendor Reference
    Select a vendor from the drop down menu and enter the reference number to find
    the related DeepSight Intelligence vulnerability report.
CVE ID/Candidate
    The Common Vulnerabilities and Exposures (CVE) ID from the CVE list maintained
    by mitre.org. Entering the ID into the input box returns the database entries
    associated with it.
CPE Name
    The Common Platform Enumeration (CPE) Name from the CPE list maintained by
    mitre.org. Entering the CPE Name into the input box returns the database entries
    associated with it.
Fix Available
    Narrow the search to entries where a fix is, or is not, available.
Minimum Urgency
    The minimum urgency value (0-10) an entry must have to be displayed.
Minimum Severity
    The minimum severity value (0-10) an entry must have to be displayed.
Minimum Impact
    The minimum impact value (0-10) an entry must have to be displayed.
Minimum CVSS2 Base
    The minimum CVSS2 Base score (0-10) an entry must have to be displayed.
Minimum CVSS2 Temporal
    The minimum CVSS2 Temporal score (0-10) an entry must have to be displayed.
Number of records to be shown
    Select the number of records you want displayed in the results grid.
Table 11-3 Advanced search options for malicious code or security risks
Display Option
    My Alerts or All Alerts. The selection affects the search options available for
    each alert type. Note: The All Alerts display option presents the vulnerability,
    malicious code, and security risk databases.
Date Period
    Last Updated is the default, but you may select Published.
Date Range
    Use the calendar widgets to set the From and To dates.
Alert Type
    Use the drop down to select the alert type to search.
Title
    When the title of a malicious code or security risk is entered in the Search Text
    input box, one result is returned, unless it is part of a family of malicious code
    or security risks. Using a portion of the title may return multiple results. The
    title search also searches the aliases field for malicious code or security risks.
Monitor (My Alerts only)
    Displays the monitors that apply to the specified alert type. Select the monitor
    of interest or use the default setting of All Monitors to return results from
    every triggering monitor.
Delivery Method (My Alerts only)
    Displays the delivery methods available on the user account. Select the delivery
    method of interest or use the default setting of All Delivery Methods to return
    results from every delivery method.
Include Group Alerts
    If you want to include group alerts in the results, check the box next to
    Include Group Alerts and select the group to include from the pick list.
Technology List (All Alerts only)
    The Technology List drop-down selection box lets you filter the entire malicious
    code or security risk database by the products defined within your technology
    lists. A malicious code or security risk technology list search is based on the
    contents of the Infection Hosts field.
Status (My Alerts only)
    Select the status level of interest or use the default setting of All Statuses
    to return results at any status setting.
Vendor
    Entering a vendor name into the Search Text input box returns all results for
    the specified vendor. For a large or prolific vendor this may return too many
    results to be useful; for a small or moderately sized vendor it can be used to
    locate products when the exact product name is not known.
Product
    Entering a product name returns results for that product. The product vendor's
    name is not required when entering the search text. The malicious code or
    security risk product search is based on the contents of the Infection Hosts
    field within a malicious code or security risk alert.
Malicious Code ID or Security Risk ID
    The Malicious Code or Security Risk ID assigned by the DeepSight Intelligence
    Threat Analyst Team. Entering the ID into the input box returns the specific
    database entry referred to by that ID.
Minimum Peak Risk
    The minimum peak risk value an entry must have to be displayed. This selection
    lets you locate instances of a risk rating changing over time.
Minimum Risk
    The minimum risk value an entry must have to be displayed.
Minimum Impact
    The minimum impact value an entry must have to be displayed.
Minimum Prevalence
    The minimum prevalence value an entry must have to be displayed.
Minimum Infection Potential (Malicious Code only)
    The minimum infection potential value (0-5) an entry must have to be displayed.
Number of records to be shown
    Select the number of records you want displayed in the results grid.
Domain
The searchable fields for the Domain alert type are listed in Table 11-4.
Table 11-4 Advanced search options for Domain
Display Option
    My Alerts or All Alerts. The selection affects the search options available for
    each alert type. Note: The All Alerts display option presents the vulnerability,
    malicious code, and security risk databases.
Date Range
    Use the calendar widgets to set the From and To dates.
Status
    Select the status level of interest or use the default setting of All Statuses
    to return results at any status setting. The statuses are:
    ■ All
    ■ Unresolved
    ■ Not Applicable
    ■ In Progress
    ■ Unresolved Low
    ■ Unresolved Medium
    ■ Unresolved High
Domain
    Enter the domain name to search, using the “abccorp.com” domain name format.
Number of records to be shown
    Select the number of records you want displayed in the results grid.
Table 11-5 Advanced search options for Threat Alert & Analysis
Field Description
My Alerts / All Alerts: The selection affects the search options available
for each alert type.
Note: The All Alerts display option presents the vulnerability, malicious
code, and security risk databases.
Date Range: Use the calendar widgets to set the From and To dates.
Status: Select the status level of interest or use the default setting of
All Statuses to return results at any status setting.
■ All
■ Unresolved
■ Not Applicable
■ In Progress
■ Unresolved Low
■ Unresolved Medium
■ Unresolved High
Minimum Urgency: The minimum urgency value (0-10) that must be matched in
order to be displayed.
Minimum Impact: The minimum impact value (0-10) that must be matched in
order to be displayed.
Number of records to be shown: Select the number of records you want
displayed in the results grid.
Research Report
The searchable fields for the Research Report alert type are listed in
Table 11-6.
Table 11-6 Advanced search options for Research Report alerts
Field Description
My Alerts / All Alerts: The selection affects the search options available
for each alert type.
Note: The All Alerts display option presents the vulnerability, malicious
code, and security risk databases.
Date Range: Use the calendar widgets to set the From and To dates.
Status: Select the status level of interest or use the default setting of
All Statuses to return results at any status setting.
■ All
■ Unresolved
■ Not Applicable
■ In Progress
■ Unresolved Low
■ Unresolved Medium
■ Unresolved High
Number of records to be shown: Select the number of records you want
displayed in the results grid.
Table 11-7 Advanced search options for Daily, Weekly, Monthly Reports
Field Description
My Alerts / All Alerts: The selection affects the search options available
for each alert type.
Note: The All Alerts display option presents the vulnerability, malicious
code, and security risk databases.
Date Range: Use the calendar widgets to set the From and To dates.
Status: Select the status level of interest or use the default setting of
All Statuses to return results at any status setting.
■ All
■ Unresolved
■ Not Applicable
■ In Progress
■ Unresolved Low
■ Unresolved Medium
■ Unresolved High
Number of records to be shown: Select the number of records you want
displayed in the results grid.
Event Activity
The searchable fields for the Event Activity alert type are listed in
Table 11-8.
Table 11-8 Advanced search options for Event Activity alerts
Field Description
My Alerts / All Alerts: The selection affects the search options available
for each alert type.
Note: The All Alerts display option presents the vulnerability, malicious
code, and security risk databases.
Date Range: Use the calendar widgets to set the From and To dates.
Status: Select the status level of interest or use the default setting of
All Statuses to return results at any status setting.
■ All
■ Unresolved
■ Not Applicable
■ In Progress
■ Unresolved Low
■ Unresolved Medium
■ Unresolved High
Event Correlation: Specify the event type of interest. By default, this is
set to All, but any of the following event types may be selected using the
drop-down selection menu:
■ All
■ Android OS Attacks
■ Apple IOS Attacks
■ Apple OS Attacks
■ Audit Event
■ Backdoor
■ Clientside Attacks
■ Customized Signatures
■ Database Attacks
■ DNS Attacks
■ DoS
■ EMail
■ Firewall Diagnostic Events
■ Firewall Security Events
■ FTP Attacks
■ Hacking Tool
■ Infrastructure Attacks
■ Kerberos Attacks
■ Malicious Code Attacks
■ Manipulation/Spoofing
■ Miscellaneous
■ Network File System Attacks
■ P2P
■ Probes
■ Remote Code Execution
■ Remote Services Attacks
■ RPC
■ SMB/NetBIOS Attacks
■ Unix/Linux Attacks
■ Unknown Category
■ VoIP Infrastructure Attacks
■ Windows Attacks
■ WWW Attacks
Number of records to be shown: Select the number of records you want
displayed in the results grid.
Industry Activity
The searchable fields for the Industry Activity alert type are listed in
Table 11-9.
Table 11-9 Advanced search options for Industry Activity alerts
Field Description
My Alerts / All Alerts: The selection affects the search options available
for each alert type.
Note: The All Alerts display option presents the vulnerability, malicious
code, and security risk databases.
Date Range: Use the calendar widgets to set the From and To dates.
Status: Select the status level of interest or use the default setting of
All Statuses to return results at any status setting.
■ All
■ Unresolved
■ Not Applicable
■ In Progress
■ Unresolved Low
■ Unresolved Medium
■ Unresolved High
Market Segment: Specify the market segment of interest. By default, this is
set to All, but any of the following market segments may be selected using
the drop-down selection menu:
■ All
■ Accounting
■ Aerospace
■ Agriculture
■ Architectural
■ Arts / Media
■ Financial Services
■ Biotech / Pharmaceutical
■ Communications / PR
■ Community / Non-Profit
■ Computer Consulting
■ Computer Hardware
■ Computer Software
■ Construction
■ Education
■ Engineering
■ Government - Local
■ Government - State
■ Government - National
■ Health Care
■ Information Technology
■ Insurance
■ Internet Service Provider
■ Law Enforcement
■ Legal
■ Manufacturing
■ Military
■ Retail / Wholesale (including e-commerce)
■ Telecommunications
■ Transportation
■ Utilities / Energy
■ VAR / VAD
■ Small Business
■ Home User
Number of records to be shown: Select the number of records you want
displayed in the results grid.
Port Activity
The searchable fields for the Port Activity alert type are listed in
Table 11-10.
Table 11-10 Advanced search options for Port Activity alerts
Field Description
My Alerts / All Alerts: The selection affects the search options available
for each alert type.
Note: The All Alerts display option presents the vulnerability, malicious
code, and security risk databases.
Date Range: Use the calendar widgets to set the From and To dates.
Status: Select the status level of interest or use the default setting of
All Statuses to return results at any status setting.
■ All
■ Unresolved
■ Not Applicable
■ In Progress
■ Unresolved Low
■ Unresolved Medium
■ Unresolved High
Port: All ports are used by default. You can specify a port value of
interest or concern.
Number of records to be shown: Select the number of records you want
displayed in the results grid.
Table 11-11 Advanced search options for Tech List Activity alerts
Field Description
My Alerts / All Alerts: The selection affects the search options available
for each alert type.
Note: The All Alerts display option presents the vulnerability, malicious
code, and security risk databases.
Date Range: Use the calendar widgets to set the From and To dates.
Status: Select the status level of interest or use the default setting of
All Statuses to return results at any status setting.
■ All
■ Unresolved
■ Not Applicable
■ In Progress
■ Unresolved Low
■ Unresolved Medium
■ Unresolved High
Technology List: Specify the technology list of interest or concern using
the drop-down menu.
Number of records to be shown: Select the number of records you want
displayed in the results grid.
ThreatCon
The searchable fields for the ThreatCon alert type are listed in
Table 11-12.
Table 11-12 Advanced search options for ThreatCon alerts
Field Description
My Alerts / All Alerts: The selection affects the search options available
for each alert type.
Note: The All Alerts display option presents the vulnerability, malicious
code, and security risk databases.
Date Range: Use the calendar widgets to set the From and To dates.
Status: Select the status level of interest or use the default setting of
All Statuses to return results at any status setting.
■ All
■ Unresolved
■ Not Applicable
■ In Progress
■ Unresolved Low
■ Unresolved Medium
■ Unresolved High
Number of records to be shown: Select the number of records you want
displayed in the results grid.
Note: Using a minimum ThreatCon value of one (1) returns all results.
Network Infection
The searchable fields for the Network Infection alert type are listed in
Table 11-13.
Table 11-13 Advanced search options for Network Infection alerts
Field Description
My Alerts / All Alerts: The selection affects the search options available
for each alert type.
Note: The All Alerts display option presents the vulnerability, malicious
code, and security risk databases.
Date Range: Use the calendar widgets to set the From and To dates.
Data Source Type: Select the data source of interest or use the default
setting of All to return results from every data source.
■ All
■ Symantec DeepSight Intelligence Bot List
■ Known Source IPs
■ Repeat Source IPs
■ DeepSight Intelligence Firewall Data
■ DeepSight Intelligence IDS Data
■ Symantec Phish Report Network
■ Command and Control Hosts
Number of records to be shown: Select the number of records you want
displayed in the results grid.
Brand Protection
The searchable fields for the Brand Protection alert type are listed in
Table 11-14.
Note: Selecting the Brand Protection Alert Type returns all of your Brand
Protection Alerts delivered during the specified Date Range.
Table 11-14 Advanced search options for Brand Protection alerts
Field Description
My Alerts / All Alerts: The selection affects the search options available
for each alert type.
Note: The All Alerts display option presents the vulnerability, malicious
code, and security risk databases.
Date Range: Use the calendar widgets to set the From and To dates.
Number of records to be shown: Select the number of records you want
displayed in the results grid.
■ Send notification when vacation over: This option holds all alerts and
sends them when the vacation period ends.
■ Send selected alerts: This option sends only the alerts that you selected
to be delivered for a particular vacation period on the Alerts delivered
during Vacation tab. See “Selecting alerts to be delivered during vacation”
on page 147.
Using Research
The Research tab gives you access to an assortment of Statistics data and Lookup
Tools.
The Statistics tabs present network conditions captured and reported by DeepSight
Intelligence IDS and firewall sensors, as well as antivirus activity reported by
Symantec's antivirus customers.
The Lookup Tools provide you with avenues for researching specific IP address,
URL/domain, port, MD5/SHA256 hash, and malcode information.
Finally, you have a method of uploading files that you suspect to be infected to
Symantec Security Response.
Note: The percentages will not add up to 100%. This is because the percentages
displayed are the percentage of the DeepSight Intelligence sensors observing a
particular activity.
Top Offending ISPs: This table presents the top ten offending Internet
service providers (ISPs). It should be noted, however, that hosts within
designated ISP spaces that are identified as sources may actually be
unsuspecting victims. It is possible that malicious remote users may have
used (or “spoofed”) the identified source address or compromised that
system and then used it to launch attacks. The percentages of the DeepSight
Intelligence Analyzer user base that have logged attacks from those
particular ISPs are displayed.
Top Offending IPs: This table presents the top ten attacking IP addresses
as reported by DeepSight Intelligence sensors. The percentages reflect the
portion of the DeepSight Intelligence Analyzer user base reporting activity
from the listed IP addresses. Each IP address is a link to the IP Lookup
page where details of that IP address's activity are noted. See “Using IP
lookup”.
Top Offending Ports: This table presents the top ten most commonly attacked
ports. It is indicative of the most frequently attacked services and/or
emerging Trojan patterns. The statistics displayed are percentages of the
DeepSight Intelligence Analyzer user base that logged attacks against those
particular ports in the past two weeks. Clicking any of the listed ports
displays the Port Lookup page. See “Using Port lookup”.
Top Source Countries: This chart presents the top five offending countries
as reported by DeepSight Intelligence sensors. The statistics displayed are
the percentages of the DeepSight Intelligence Analyzer user base that
actually logged attacks from those particular countries. Top Source
Countries statistics are generated from DeepSight Intelligence data culled
within the last two weeks.
Top Destination Countries: This table presents the top five victim
countries. Statistics displayed are percentages of the DeepSight
Intelligence Analyzer user base that are most frequently under attack,
categorized by country. Top Destination Countries statistics are generated
from DeepSight Intelligence data culled within the last two weeks.
Top Attacked Products: This table presents the top ten most frequently
attacked commercial or freeware products. The statistics displayed are
percentages of the DeepSight Intelligence Analyzer user base that has
logged attacks against those products in the past 24 hours. Attacked
Products statistics are generated from DeepSight Intelligence data culled
within the last two weeks.
ThreatCon
ThreatCon is the DeepSight Intelligence rating of conditions in the wild. The
ThreatCon level is a scale of 1 (low) to 4 (extreme). The rating suggests an
appropriate security posture based on network conditions. DeepSight Intelligence
Threat Analysts set the value based on conditions reported by DeepSight Intelligence
sensors and their evaluations of intelligence gathered during the previous day.
The Current ThreatCon Level display includes:
■ The ThreatCon graphic for the appropriate threat level
■ An explanation of the reason for the ThreatCon rating
■ A link to the Daily Report
The four ThreatCon levels are described in Table 11-15.
Level 4 - Extreme (Full alert): This condition applies when extreme global
network incident activity is in progress. Implementation of measures in
this Threat Condition for more than a short period probably will create
hardship and affect the normal operations of network infrastructure.
Note: Symantec's DeepSight Intelligence Threat Analyst Team has never issued
a Level 4 ThreatCon alert.
Using IP lookup
Symantec collects a vast amount of intelligence about observed security-related
online behavior. Much of this intelligence includes the offender’s IP address used
as part of the attack.
Offender behavior (also known as attack categories or activity types) falls into the
following categories:
■ Attack: Includes observations of attempted vulnerability exploitation, as well as
Denial of Service attempts
■ Botnet: Indicates that the IP address has been seen participating in a bot
command and control (C&C) structure or has been seen participating in bot-like
activity
■ CnC: Indicates that the IP address has been seen hosting a botnet C&C channel
■ Fraud: Indicates that the IP address has been used to defraud or otherwise fool
a victim into disclosing sensitive information or spending money via methods
that do not rely upon malicious behavior such as phishing, malware, vulnerability
exploitation, or outright theft
■ Malware: Includes observations of attempted propagation, distribution, or seeding
of malicious code
■ Phish: Includes observations of IP addresses that are phishing hosts
■ Spam: Indicates that the IP address has been observed sending spam
The IP Lookup Tool enables you to discover reputation, activity, ownership, and
location information for an IP address if the data is available.
IP addresses must be in IPv4 format.
To look up an IP address
1 Click the Research tab.
2 Under Lookup Tools, click the IP tab.
3 Type an IP address in IPv4 format (for example, 10.1.1.1).
4 Press Enter or click Go.
If data is available, the IP address detail page shows the following information. The
behavior-specific page area populates with different sets of information depending
on the behavior observed.
Ownership:
■ Organization: The organization registered as owning the IP address
■ Industry: The organization's industry, extrapolated from the NAICS or the ISIC
Note: You can use the IP Lookup Tool to determine if troublesome IP addresses
extracted from your logs are also found within the DeepSight Intelligence database.
The utility may not find information on your requested IP address. Lack of search
results can be attributed to the vastness of the IP address space or the possibility
of an attacker focused on a specific IP address, a range of IP addresses, or a
specific site.
Datafeed:
■ First listed: The date that the threat first appeared in the datafeed
■ Last listed: The date that the threat last appeared in the datafeed
■ Reputation: A summary of ratings indicating the threat level that the URL/domain
poses on an increasing scale of 1 to 10
■ Hostility: The threat's observed activity level on an increasing scale of 1 to 5
■ Confidence: Symantec's confidence in the information's validity on an increasing
scale of 1 to 5
■ Consecutive days listed: The number of consecutive days that the domain
has remained listed
■ Days seen in the last 90 days
Behavior-specific details, if any:
■ First observed: The date that the GIN first observed the activity
■ Last observed: The date that the GIN last observed the activity
■ Unique events observed over the last 90 days: Depending on the behavior
observed, information in this part of the screen also includes attack names,
attack categories, activity descriptions, and IP addresses associated with the
URL/domain
The Associated IPs grid lists the IP addresses identified as owning, owned by,
or in some way related to the URL owning organization. Clicking an IP address
link takes you to the lookup page for that address.
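The lookup tool takes one IPv4 address at a time and may return nothing for it, so the useful preparation happens before and after the lookup: pulling candidate addresses out of your own logs, discarding the ones a global reputation database cannot say anything about, and deciding what to do with the Reputation, Hostility and Confidence values (and with empty results) once you have them. The following Python script is an added example written for this guide; it is not Symantec code and does not call the portal. The firewall log lines, the lookup results keyed by address, the log layout and the confidence threshold are all constructed assumptions.

```python
"""Prepare IPv4 candidates from local logs for the IP Lookup tool and
prioritise whatever the lookup returns.

Added example: not portal or Symantec code. The firewall lines, the lookup
results and the scoring threshold below are constructed assumptions.
"""
import ipaddress
import re
from collections import Counter

# Constructed firewall deny lines (the iptables-style layout is an assumption).
SAMPLE_LOG = """\
Jun 12 03:14:07 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=445
Jun 12 03:14:09 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=139
Jun 12 03:14:11 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
Jun 12 03:14:12 fw1 kernel: DENY IN=eth1 SRC=10.0.0.5 DST=192.0.2.10 PROTO=UDP DPT=53
Jun 12 03:14:15 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.11 PROTO=TCP DPT=3389
Jun 12 03:14:18 fw1 kernel: DENY IN=eth0 SRC=198.51.100.200 DST=192.0.2.10 PROTO=TCP DPT=80
Jun 12 03:14:19 fw1 kernel: DENY IN=eth0 SRC=198.51.100.200 DST=192.0.2.10 PROTO=TCP DPT=8080
Jun 12 03:14:20 fw1 kernel: DENY IN=eth0 SRC=2001:db8::1 DST=2001:db8::10 PROTO=TCP DPT=80
Jun 12 03:14:21 fw1 kernel: DENY IN=eth0 SRC=999.1.1.1 DST=192.0.2.10 PROTO=TCP DPT=80
"""

SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")

# Source ranges a global reputation database cannot say anything about.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]


def candidate_ips(log_text):
    """Return (ip, hit_count) pairs, busiest first, for every valid, routable
    IPv4 source in the log. IPv6 sources never match SRC_RE and malformed
    dotted quads are dropped, because the lookup tool accepts IPv4 only."""
    counts = Counter()
    for line in log_text.splitlines():
        match = SRC_RE.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.IPv4Address(match.group(1))
        except ValueError:          # e.g. an octet above 255
            continue
        if any(ip in net for net in NON_ROUTABLE):
            continue                # internal source, nothing to look up
        counts[str(ip)] += 1
    return counts.most_common()


# Constructed lookup results keyed by IP. The fields mirror the Datafeed
# area of the lookup page (Reputation 1-10, Hostility 1-5, Confidence 1-5);
# None stands for an address the tool returned no data for.
SAMPLE_LOOKUP = {
    "203.0.113.45": {"reputation": 8, "hostility": 4, "confidence": 5,
                     "behaviors": ["Attack", "Botnet"]},
    "198.51.100.200": {"reputation": 9, "hostility": 2, "confidence": 2,
                       "behaviors": ["Spam"]},
    "198.51.100.7": None,
}


def triage(candidates, lookup, min_confidence=3):
    """Order lookup hits so that credible, high-reputation, hostile addresses
    come first; addresses with no data are reported separately because an
    empty lookup result is not evidence that the address is benign.
    min_confidence is an assumed threshold, not a portal setting."""
    hits, no_data = [], []
    for ip, hit_count in candidates:
        record = lookup.get(ip)
        if record is None:
            no_data.append(ip)
            continue
        credible = record["confidence"] >= min_confidence
        hits.append({"ip": ip, "hits": hit_count, "credible": credible, **record})
    hits.sort(key=lambda h: (h["credible"], h["reputation"],
                             h["hostility"], h["hits"]), reverse=True)
    return {"hits": hits, "no_data": no_data}


if __name__ == "__main__":
    result = triage(candidate_ips(SAMPLE_LOG), SAMPLE_LOOKUP)
    for hit in result["hits"]:
        print(hit["ip"], hit["hits"], hit["reputation"], hit["credible"])
    print("no data:", result["no_data"])
```

Two points the script makes explicit: a hit with a high Reputation but a low Confidence is kept but sorted below a credible one, and an address the tool knows nothing about ends up in a separate list rather than disappearing, which is the caveat the note above gives.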
Using Intelligence
The Intelligence page presents analyst journals and Managed Adversary Threat
Intelligence (MATI) reports (with the appropriate license) written by the DeepSight
Intelligence Threat Analyst Team throughout the day. The journals and reports are
posted to the page as they are completed.
To read an analyst journal
1 Click the Intelligence tab.
2 Click the Analyst Journal tab.
3 If desired, filter the journal list by archive or timeframe.
To filter the list by timeframe, click Pick Date Range, choose the range using
the calendar widgets, and click Apply.
4 When you have located the journal you want to read, click its title. When you
are finished reading the journal, click Back located in the upper right of the title
bar.
To search for an analyst journal
1 Click the Intelligence tab.
2 Click the Analyst Journal tab.
3 On the left, above Archive, click the Search text box and type your search
term.
4 Press Enter.
To read a MATI report
1 Click the Intelligence tab.
2 Click the MATI Reports tab.
3 If desired, filter the report list by archive, timeframe, threat score, threat domain,
or targeted industries.
To filter the list by timeframe, click Pick Date Range, choose the range using
the calendar widgets, and click Apply.
4 When you have located the report you want to read, click its title. When you
are finished reading the report, click Back located in the upper right of the title
bar.
To search for a MATI report
1 Click the Intelligence tab.
2 Click the MATI Reports tab.
3 On the left, above Archive, click the Search text box and type your search
term.
4 Press Enter.
Using Datafeeds
The Datafeeds tab displays the files for the various feeds that your client has
requested, as well as the files that are available for download.
Note: This feature requires the purchase of one or more separate licenses. See
“Assigning or unassigning DeepSight Intelligence licenses” on page 34.
The page displays one or more of the following tabs, shown on the left of the page,
based on your account configuration:
■ Common Data: This datafeed provides data that is contained in a number of
tables that are related to the vulnerability and security risks datafeeds. It is
intended to limit the number of updates sent as the result of changes within
secondary linking tables; it also facilitates change management of the databases.
■ Security Risk: This datafeed provides real-time visibility into emerging threats
including malcode, adware, and spyware. It includes threat descriptions and
prevalence/risk/urgency ratings, along with associated disinfection techniques
and mitigation strategies.
■ Vulnerability: This datafeed provides real-time visibility into vulnerabilities
impacting nearly 105,000 technologies from more than 14,000 vendors. It
includes detailed descriptions, impacted systems, Security Content Automation
Protocol (SCAP) identifiers, ratings, and attack scenarios, along with information
on the availability of exploits and solutions.
Feed details
Each details tab display is divided into two sections:
■ Files Requested
■ Files Available
The Files Requested portion populates when your datafeeds client requests records.
The Files Requested area can then be compared with the Files Available area as
a visual indicator of possible discrepancies in your database.
■ True
■ False
■ True
■ False
Date: Displays the date and time the record was requested.
The Files Available portion lists files that your datafeeds client has not
requested.
FileName: Displays the name of the compressed file containing the feed.
■ True
■ False
Page numbers: Page numbers appear when your list of files available exceeds
the number of files that can comfortably fit on the page. Clicking a page
number allows you to see the other pages.
User Activity Start Date: Designates the first date that user actions
should be displayed. It allows you to extend or narrow the display of user
actions.
User Activity End Date: Designates the last date that user actions should
be displayed. It allows you to extend or narrow the display of user actions.
Calendar icon: Use the calendar icon to set a date in either the User
Activity Start Date or the User Activity End Date.
Method Invoked: Displays the web method invoked by your web service client
to retrieve data.
Page numbers: Page numbers appear when your list of actions exceeds the
number of actions that can comfortably fit on the page. Clicking a page
number allows you to see the other pages.
Total Records: Displays the total number of user actions for the User
Activity date range.
Note: The Custom Reports module is an add-on product for the DeepSight
Intelligence portal. The Custom Reports tab only appears if you have purchased
the add-on license for it.
Report categories
The left side of the Custom Reports page displays the list of available reports
separated into four categories:
■ Summary Reports
■ Analysis Reports
■ Other Reports
■ Malicious Code Reports
Each report type is designed to tell a story from a particular perspective that is
drawn from the DeepSight Intelligence or GIN database of IDS and/or firewall events.
In the case of Malicious Code reports, the data is drawn from Symantec's AV Ping
system.
Each report type in a report category links to a reports wizard that is pre-configured
for the report, but that can be customized by you. The reports wizard only presents
options that are relevant to the report type you are configuring. In most cases you
can submit the report after giving it a name.
Each type of report is explained in the report category tables below.
Summary Reports
These are general reports derived from reporting IDS and/or firewall sensors. The
descriptions for Summary Report types are in Table 11-19.
Port Summary: The Port Summary report provides a breakdown of port activity
observed by DeepSight Intelligence sensors. It is helpful in determining
which ports are being targeted and the trend of this activity. This report
consists of multiple pages if both IDS and firewall events were provided
and selected, or a single page if only one of these event types has been
provided or selected.
This report consists of the following elements:
Category Summary: The Category Summary report provides a breakdown of event
activity by the category or class of events that are being observed by
DeepSight Intelligence sensors.
This consists of a bar graph depicting the cumulative activity for each
selected category over the selected period of time and a series of up to
ten trend graphs depicting historical trend activity for each category.
Each associated trend graph is accompanied by a listing of the top event
types within each category and the number of occurrences of each event
type observed over the selected period of time.
Target Product Summary: The Target Product Summary report provides a
breakdown of the products and applications that are being targeted, as
observed by DeepSight Intelligence sensors.
Origin Summary: The Origin Summary provides a breakdown of where global
events are originating. It is helpful in determining who is targeting
DeepSight Intelligence sensors and the trend of attack activity from each
source. This report depicts both IDS and firewall activity if events were
provided and selected, or only one of these if only one of these event
types has been provided or selected.
This report consists of the following elements:
Analysis Reports
Analysis Reports are based on reports from IDS and/or firewall sensors. The
descriptions for Analysis Report types are in Table 11-20.
IP Analysis: The IP Analysis report provides insight into the activity of a
single IP address that is observed by DeepSight Intelligence sensors. This
report consists of a number of components that reflect the activity,
habits, and applications that the IP address is targeting. By correlating
a number of these data points, this report presents the origin of the
attacker and the vulnerabilities and services targeted by the attacker.
This report consists of the following elements:
Event Analysis: The Event Analysis report provides a detailed analysis of
activity surrounding a specific event. The report provides a history of
event activity. It outlines who is conducting the activity and who is
targeted.
This report consists of the following elements:
Port Analysis: The Port Analysis report provides a detailed analysis of
activity surrounding a specific port. The report provides a history of
activity targeting the chosen port. It outlines who is originating the
activity and who is targeted.
This report consists of the following elements, for both IDS event data
and firewall event data, if selected:
Other Reports
These reports are based on data derived from IDS and/or firewall sensors. The
descriptions for other report types are in Table 11-21.
Originating IPs: The Originating IPs report provides a summary of the top
IPs from which activity was observed by DeepSight Intelligence sensors.
This report consists of the following elements:
Associated Ports: The Associated Ports report displays the most common
source ports that have been observed targeting a specific destination port.
This report consists of the following elements:
Originating ISP: The Originating ISP report provides a summary of the top
ISPs from which activity was observed by DeepSight Intelligence sensors.
This report consists of the following elements:
Source IP Infection Rate: The Source IP Infection Rate report provides a
breakdown of the number of originating source IP addresses for the chosen
criteria. This indicates the rate of spread of a particular threat. In the
case of a specific event related to a worm, it can also serve as an
indicator of the number of infected systems.
This report consists of the following elements:
Event Time: The Event Time Summary report provides a breakdown of the time
frame during which network security events most commonly occur on your
network. Knowledge of when these events occur allows for the tracking of
historical activity and the allocation of resources for future planning.
This report consists of the following elements:
Target Countries: The Target Countries report provides a summary of the top
countries towards which activity was observed by DeepSight Intelligence
sensors.
This report consists of the following elements:
Target Industries: The Target Industries report provides a summary of the
top industries towards which activity was observed by DeepSight
Intelligence sensors.
This report consists of the following elements:
Attack Age: The Attack Age report provides an overview of events based
around the age of the vulnerabilities associated with them, and the age of
the events themselves.
This report consists of the following elements:
■ A New Attacks trend graph provides a listing of the top five events
observed by DeepSight Intelligence sensors which are newer than 30 days.
■ An Attacks by Vulnerability Published Date graph provides a breakdown of
events, based on the age of the vulnerabilities associated with each event.
Events are broken into four categories: 0-60 days, 61-180 days, 181-365
days, and over 365 days.
■ An Attack Age Over Time graph provides a breakdown of events, based on
the date on which each event was first observed within the Portal. Events
are broken into the same four categories: 0-60 days, 61-180 days, 181-365
days, and over 365 days.
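The Attack Age ranges above are easy to get subtly wrong when you rebuild the report from your own IDS or firewall export (inclusive boundaries, events that have no associated vulnerability, and the separate 30-day window of the New Attacks graph). The following Python script is an added example written for this guide, not Symantec code; the events, their field names and the report date are constructed assumptions, and the "no vulnerability date" bucket is an addition of this example for events that are not tied to a vulnerability.

```python
"""Bucket events the way the Attack Age report does: by the age of the
associated vulnerability and by how long ago the event was first observed,
using the report's four ranges (0-60, 61-180, 181-365, over 365 days), plus
the New Attacks list of the top five events newer than 30 days.

Added example, not portal code. The events, field names and report date
are constructed assumptions.
"""
from datetime import date

AGE_BUCKETS = ((0, 60, "0-60 days"), (61, 180, "61-180 days"),
               (181, 365, "181-365 days"))
OVER_365 = "over 365 days"
NO_DATE = "no vulnerability date"   # assumed bucket for events without a vulnerability

# Constructed events; vuln_published None means no vulnerability is associated.
EVENTS = [
    {"event": "A", "vuln_published": date(2014, 5, 1),   "first_observed": date(2014, 5, 20), "volume": 120},
    {"event": "B", "vuln_published": date(2013, 12, 31), "first_observed": date(2014, 6, 10), "volume": 40},
    {"event": "C", "vuln_published": date(2012, 1, 1),   "first_observed": date(2014, 6, 25), "volume": 300},
    {"event": "D", "vuln_published": None,               "first_observed": date(2014, 1, 1),  "volume": 10},
    {"event": "E", "vuln_published": date(2014, 3, 1),   "first_observed": date(2014, 6, 1),  "volume": 5},
    {"event": "F", "vuln_published": date(2014, 6, 18),  "first_observed": date(2014, 6, 20), "volume": 50},
    {"event": "G", "vuln_published": date(2014, 6, 27),  "first_observed": date(2014, 6, 28), "volume": 8},
    {"event": "H", "vuln_published": None,               "first_observed": date(2014, 6, 29), "volume": 1},
]
REPORT_DATE = date(2014, 6, 30)   # constructed "as of" date


def age_bucket(days):
    """Map an age in days onto the report's four ranges (bounds inclusive)."""
    if days < 0:
        raise ValueError("date lies after the report date")
    for low, high, label in AGE_BUCKETS:
        if low <= days <= high:
            return label
    return OVER_365


def bucket_counts(events, field, as_of=REPORT_DATE):
    """Count events per age bucket for the given date field:
    'vuln_published' gives the Attacks by Vulnerability Published Date
    breakdown, 'first_observed' the Attack Age Over Time breakdown."""
    counts = {label: 0 for _, _, label in AGE_BUCKETS}
    counts[OVER_365] = 0
    counts[NO_DATE] = 0
    for ev in events:
        when = ev.get(field)
        if when is None:
            counts[NO_DATE] += 1
            continue
        counts[age_bucket((as_of - when).days)] += 1
    return counts


def new_attacks(events, as_of=REPORT_DATE, window_days=30, top_n=5):
    """Top events by volume among those first observed within window_days."""
    recent = [ev for ev in events
              if (as_of - ev["first_observed"]).days <= window_days]
    recent.sort(key=lambda ev: ev["volume"], reverse=True)
    return [ev["event"] for ev in recent[:top_n]]


if __name__ == "__main__":
    print(bucket_counts(EVENTS, "vuln_published"))
    print(bucket_counts(EVENTS, "first_observed"))
    print(new_attacks(EVENTS))
```

Event A in the sample sits exactly on the 60-day boundary and event D exactly on the 180-day boundary, which is where an off-by-one in a hand-written version usually shows.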
Malicious Code Reports
These reports are drawn from Symantec's AV Ping system.
Malicious Code Analysis: The Malicious Code Analysis report provides a
detailed analysis of activity surrounding a specific malicious code sample.
The report provides a history of event activity and portrays the primary
affected countries.
Malicious Code Product: The Malicious Code Product report provides a
summary of malicious code activity reported to Symantec's AV Ping system
based on the platform or product being targeted.
Note: The Associated Ports report limits the Date Range of the report to the last 60
days of data.
or by the greatest number of events. If you are a data contributor you have
additional analysis methods available. The top 15 results are selected from
the data identified by your chosen analysis method, then the remaining two
elements are charted. IDS and firewall sensors offer the same analysis
methods.
By largest observing sensor count based on global data: Using this analysis
method, the tri-graph chart plot order is by sensor count, distinct IP
addresses, and then by event volume.
By largest event count based on global data: Using this analysis method,
the tri-graph chart plot order is by event volume, sensor count, and then
by distinct IP addresses.
By largest Source IP count based on global data: Using this analysis
method, the tri-graph chart plot order is by distinct IP addresses, sensor
count, and then by event volume.
By Largest Event Count Based on My Data: Using this analysis method, the
tri-graph charts contrast Global event volume with user event volume;
Global sensor counts; and contrast Global IPs with user IPs.
By Largest Source IP Count Based on My Data: Using this analysis method,
the tri-graph charts contrast Global IPs with user IPs; distinct Global
IPs; and contrast Global volume with user volume.
Note: The default analysis method is By Largest Observing Sensor Count
Based on Global Data. Analyzer user data is not available for all report
types.
Based on Consumer Submissions: Using this analysis method, the top events
are determined based on consumer AV Ping reports.
Probes
The inclusion of reconnaissance activity, or probes, is useful in initial reports.
However, the inclusion of probes adds considerable noise to a report as the analyst
attempts to focus in for greater detail.
Source
A key analysis question is always:
■ Where did this come from?
The Portal allows the analyst to filter by up to five source IP addresses or up to five
countries. The addresses can be derived from an organization's IDS or firewall
systems or an organization's competitor.
Destination
The analyst always asks:
■ What is the target?
The DeepSight Intelligence Portal reports allow the target to be defined in a number of
ways: Destination Ports, Portless Protocols, and/or Destination Countries.
The analyst may filter by up to five destination ports. These could be popular or
likely targets, or they could represent the proprietary service ports used by an
organization. The transport protocol may be TCP, UDP, or No Protocol. The analyst
may also filter using a single portless protocol or up to five targeted countries.
Demographics
Demographic information attempts to answer the analyst's question:
■ Who is being targeted?
DeepSight Intelligence Analyzer data contributors, uploading firewall and IDS data
via Extractor, are required to specify the type of industry, revenue, and employee
size to participate.
Up to five targeted industries may be specified.
The size of the affected organization can be used as a report modifier by designating
an annual revenue range. Multiple revenue sizes may be specified.
The number of employees may also be used as a data filter. Multiple numbers of
employees may be specified.
Events
Events help to answer the question:
■ How are these attacks carried out?
The analyst may filter by a category of attack or choose a specific event. Events
are selected by choosing an event category and then specifying up to five events.
The five events may be selected from multiple categories. While events are not
normally associated with firewalls, DeepSight Intelligence Threat Analysts classify
firewall data as a diagnostic or a security event. Selection of these events may also
be made.
Products
Products help the analyst identify the targeted technologies:
■ What technologies are being exploited?
To focus on what is being attacked, identify relevant products. Products may be
specified as a category or specifically defined as a technology within a product
category. Searching by a particular product speeds selection. Products may also
be specified as a technology list. Technology lists specific to an organization's
environment are configured within the Alerts portion of the Portal. Using technology
lists, the Analyst can quickly screen data based on relevant technologies.
Printing or exporting
The Portal lets you generate printer-friendly views of most of the interface's pages and
export data from many of the grids. If you see an icon for Print or Export on the
right side above the grid or report, then the functionality exists for that item.
Note: If you want to include your brand header on your printouts, you must enable
the option to print background images and colors in your web browser. In Internet
Explorer, click Tools > Internet Options, click the Advanced tab, scroll to the
Printing section, and check the Print background colors and images box. In
Firefox, click File > Page Setup, and check the Print Background (colors &
images) box.
The Export function captures grid data, including hidden columns, and converts it
to a comma-separated values (.csv) format for viewing and manipulation in the
compatible application of your choosing.
To print a report or grid
1 Customize the report or grid you intend to print. The output will contain only
those columns that are displayed in the grid.
2 Click the Print link located on the right side above the report or grid.
3 Print the view using your browser's print function.
what actions, if any, should be taken to protect the network and/or prevent further
compromise.
Security Incident severity: Informational
These are routine security incidents with no impact to the client. They are presented for informational/reporting purposes.
Security Incident severity: Warning
Warning security incidents are suspicious and may require additional investigation by the client. They are not a high-risk attack and do not require immediate action to mitigate the impact of the attack.
Security Incident severity: Critical
Critical security incidents are high-risk attacks or possible compromises. Immediate action is necessary to mitigate the impact of these security incidents. These security incidents are required to be escalated as severe security incidents.
Security Incident severity: Emergency
Emergency security incidents are high-risk attacks that resulted in a validated compromise. Immediate action is necessary to mitigate the impact of these security incidents. These security incidents are required to be escalated as severe security incidents.
Index
A
advanced search
assets 105
incidents 68
Alerts
about 126
Advanced Search 129
brand protection 146
daily, weekly, and monthly reports 137
domain 135
event activity 138
industry activity 141
malicious code and security risks 132
network infection 145
port activity 143
research report 136
tech list activity 143
threat alert and threat analysis 135
ThreatCon 144
vulnerability 130
All Alerts 128
My Alerts 127
vacation mode
selecting 147
setting 147
alerts
email
encryption 39
formats 39
assets
about 98
advanced search 105
deleting 107
editing 106
additional IP addresses 107
bulk update 106
grouping 104
groups
creating 104
deleting 105
managing 104
assets (continued)
importing 101
managing attributes 99
registering 99
updating or editing 106
viewing
activity log 107
import history 103
related incidents 107
C
certificates 29
installing 29
obtaining 29
chat
about 14
compliance
reports
viewing 125
Custom Reports
about 164
categories
about 164
analysis reports 167
malicious code reports 174
other reports 170
summary reports 165
configuring 180
DeepSight Intelligence data mining 175
report modifiers
about 178
D
Dashboard 61
customizing 63
Incident Category 64
Incident Classification 64
Incident Classification Frequency 65
Incident Frequency 65
Research (continued)
statistics (continued)
IDS 149
ports 151
suspect files 158
research
analyst watch content
ThreatCon 152
attack categories 154
S
settings
alerts
DeepSight Intelligence 39
MSS 39
MSS notifications 40
cloning accounts 31
DeepSight Intelligence groups 58
editing 26
administrator 30
monitors
bulk uploading 46
org profile
about 35
profiles
about 26
roles and permissions 32
T
ThreatCon 24
U
user details
language 28
V
VIP Token
deleting 29
vulnerability scans
uploading 103