
Welcome to DeepSight Product Forum - Join the conversation!

Created: 19 Jun 2013 • Updated: 19 Jun 2013 | 6 comments
Shishir Agrawal

Welcome to the DeepSight Product Forum!

Symantec is committed to providing the best support possible for our products and we want to enable the community to help each other, as well as provide another avenue for you to receive product announcements and receive answers to your various questions, support related or otherwise.

Below you will find some basic information and webcast/overview videos for your reading pleasure.

DeepSight Product page - here you can find datasheets and white papers:

http://www.symantec.com/deepsight-products

Webcast - Next Generation GIN and DeepSight portal:

https://www-secure.symantec.com/connect/videos/new-deepsight-portal-webcast

DeepSight Early Warning Services Overview:

https://www-secure.symantec.com/connect/videos/deepsight-early-warning-services-overview

 

Thank you for your interest in the DeepSight product and we look forward to your questions and views.

See you in the next post!

 

-Shishir

6 Comments

Milan_T

Hi Shishir,

Good to have this community.

I would like to know if you can share how you define the black list and white list and how it is being validated by the DeepSight security analyst.

Regards,

Milan

Tim G.

Milan,

 

I'm not certain what you mean by this question; however, let me briefly define a blacklist and a whitelist:

Blacklist - A list of IPs or URLs that are under suspicion and therefore should be denied connections to your protected network resources.

Whitelist - A list of known trusted or good IPs and URLs that you will always permit communications with.

As far as how things are being validated, I'm not certain of the context of the question; could you please elaborate?

Thanks,

Tim

Milan_T

Hi Tim,

 

Our application SSIM downloads updates from DeepSight and uses that update for correlation in a few security rules.

Now we are not able to fetch that data, like black list IPs, from SSIM.

I want to explore that data from SSIM or DeepSight for further analysis.

Please find a snap of one lookup table; it does not contain any IP or list, but triggers an incident when it detects an IP blacklisted by DeepSight.

ip watchlist.JPG

Tim G.

Milan,

How the data is handled by SSIM is less of a DeepSight question and more of an SSIM question. I'd have to refer you to the SSIM community to find out more about this, as I am not versed in the SSIM, only in the intelligence used to create the datafeeds.

As far as your datafeed no longer being available in SSIM, I believe if you update your subscription you will receive continuously updated data.

Thanks,

Tim

 

bryon_page

Milan,

The SSIM does not publish the list of IPs updated from DeepSight in that lookup table; since the content/list is always being updated, it is all maintained in the SSIM database. If you want to see details on the IP address triggered by DeepSight, it will be highlighted RED in the alert/incident under the Events tab; you can right-click and select 'Watch list info' for more details. Also, below is a KB explaining how you can add a whitelist to exclude trusted IPs and how to add your own untrusted IPs that are not being flagged by DeepSight. http://www.symantec.com/docs/TECH122908

Regards,

Bryon

Milan_T

Hi Bryon,

 

Thanks for this. Now I got the thing; also, so many times I have seen an IP in red colour but was not aware why it seems red. Now I got the complete picture and it would help in further analysis.

 

Regards,

Milan Thumar