Splunk and Symantec Intelligence, Better Together


Over the past few months, we have been working closely with Symantec™ to debut an exciting new Splunk App. Today, we are proud to announce the 1.0 release of the Symantec DeepSight™ Security Intelligence App for Splunk Enterprise on Splunkbase. Download it today! This app is the result of a collaborative effort between the Operational Intelligence Team at Function1 and Symantec’s Cyber Security Group.

This app works in tandem with Symantec’s DeepSight™ Security Intelligence, which provides global threat, vulnerability, and reputation intelligence.  DeepSight Security Intelligence collects, analyzes, and delivers cyber-threat information through a customizable portal and data feeds, enabling proactive defensive actions and improved incident response. DeepSight Intelligence protects enterprises by creating better-informed security operations teams and by providing the tools for a faster, more accurate identification of threats and their remediation. By using Symantec’s DeepSight Intelligence, recognized by industry analysts as a market leader, you can build on existing investments in security technologies to create a robust, scalable information security program that more effectively uses your current operational resources and tools. The Symantec DeepSight Security Intelligence data feeds offer live downloads of the most malicious IP addresses and domains and URLs including contextual information such as the type of exhibited and historical behavior.

If you are already a subscriber to the Symantec DeepSight IP and URL Reputation data feeds, you are aware of the powerful insight you have into potentially malicious or vulnerable IP addresses and URLs hitting your network. DeepSight Intelligence collects, analyzes, and delivers cyber threat information collected by the Symantec Global Intelligence Network (GIN). The Symantec GIN has global visibility into the threat landscape including big data from:

·       More than 41.5 million attack sensors in 157 countries

·       An extensive anti-fraud community of enterprises, security vendors, and more than 50 million end users

·       More than 8 billion emails per month from 5 million decoy accounts

·       Over 1.5 billion web requests a day

The Symantec DeepSight Security Intelligence App for Splunk Enterprise allows Splunk users, who are also DeepSight customers, the ability to seamlessly correlate data from Symantec DeepSight IP and URL Reputation data feeds to any data source in your Splunk environment. By integrating the DeepSight data feeds into Splunk, you will gain unique insights into your entire IT environment by having the ability to easily identify any malicious activities taking place in your network.

The Symantec DeepSight Security Intelligence App for Splunk Enterprise provides the following views for monitoring your environment with ease and clarity:

Landing Page (Home)

- This page provides you with a general overview of the top IP addresses and URL/Domains that have been identified by the latest Symantec data feed. The ability to filter by behavior, confidence, time, etc. allows you to gain deeper insight into malicious IP addresses and URLs. Can you take action?

DeepSight IP Global Map
- The IP Map provides a geographical representation of the malicious or vulnerable IP addresses. You can drilldown into specific countries that are the source of these IP addresses by clicking on the country name below the map.
DeepSight Data
- The data view provides you the ability to filter and sort the IP addresses and URLs in a multitude of ways. Drilldown capabilities are built into this view allowing you to view the raw event quickly and efficiently.
DeepSight Correlation Search 
- The correlated search view seamlessly reconciles your Splunk data against Symantec’s data feeds .If there is a malicious IP or URL/Domain identified by DeepSight present in your environment, it will be displayed here. You also have the ability to drilldown into this correlated raw event to investigate this potential vulnerability further. You can also lookup the IP or URL/Domain directly in the DeepSight portal by clicking on the malicious IP or URL/Domain on the DeepSight Hits table.


Please note, the Symantec DeepSight Security Intelligence App for Splunk Enterprise includes a Technology Add-on that must run on Linux (RHEL 6.x/CentOS 6.x) only. A new release of the Technology Add-on will be available for the Windows platform in the months to come.The download includes helpful documentation that will walk you through the installation of the app. If you need any assistance or have any enhancement ideas/requests, please let us know by sending an email to support@function1.com
Happy Splunking!

Subscribe to Our Newsletter

Stay In Touch