Security Analytics Key Features

Symantec Security Analytics is a powerful solution to effectively arm today’s incident response modern day threats. Packed with award-winning technology and features, Security Analytics provides the details that expose the full source and scope of any threat or attack targeting your information assets and significantly speeds the time to conduct complete network forensics investigations.

Alerts Dashboard

To provide a comprehensive view of your network activity and highest priority alerts at first glance, the Security Analytics web interface defaults to the Alerts Management Dashboard. This new view presents a histogram of alert activity plus new “alert cards” that pivot to filtered lists of alerts and their threat scores. From this page you can filter your alerts by IP, by indicator, or by threat level.

Alerts Dashboard

Anomaly Detection

An exciting new feature, anomaly detection performs statistical analysis on your captured data and alerts you on anomalous behavior. When you pivot from the alert to the new Anomaly Investigation view, you can see when the anomaly occurred, how often, and which other endpoints were involved.

Anomaly Detection


Industrial Control Systems (ICS) are attractive targets for cyber attack and like the rest of the network, require complete visibility. Security Analytics supports SCADA protocol analysis and delivers the power of Symantec Security Analytics to industrial control environments. Security Analytics monitors Modbus and DNP3 protocols that are common in networks that control operations at nuclear facilities, water treatment plants, power plants, oil refineries, manufacturing facilities…and numerous other industries. Use of Indicators, Rules (notifications) and Anomaly Detection is possible on indexed SCADA attributes.


Dynamic Filtering

Not all traffic is created equal…or equally malicious. Incident response teams may choose to eliminate traffic they don’t see as a threat and prioritize available capture storage to optimize their investment. With Security Analytics, you can selectively filter and “not” capture packets based on rules settings. Eliminate streaming video or music; video conferencing and a whole lot more. This will increase your capture window to focus on what you feel is most critical.

Dynamic Filtering

Capture Only Mode

When specific use cases call for very fast raw packet capture – without the need of for extensive metadata enrichment – Security Analytics delivers. Selectively turn off data enrichment and significantly boost capture performance on a single appliance.

Capture Only Mode

Summary View

With Security Analytics you have the flexibility and freedom to create multiple, customized views for each use case to suit your incident-response workflow. Add and rearrange report widgets to your selected view to display summarized data in table, pie, bar, or column charts. Create new views for specialized use cases. No matter your preference, the summary view provides instant situational awareness of your network on a single page.

Summary View

Active Reports

Identify evasive exploits and malware with Symantec Security Analytics reports, which provide a detailed, vivid picture of network traffic while giving users the power to respond to incidents as they unfold. Reports are a key navigation point, helping even novice users pinpoint their target data faster and with more accuracy. Reports fall into these categories:

  • applications
  • DNS
  • email activity
  • encryption
  • files
  • geolocation
  • network packets
  • social personas
  • threat intelligence
  • web activity
Active Reports

Application Classification

Identify network activity by peering deep inside packet data to find the telltale signs of malicious intent. Symantec Security Analytics classifies more applications crossing your network than any other network forensics solution. More than 2,800 applications and thousands of attributes are recognized and indexed for easy search and recovery. Not only can you identify specific applications in network traffic, you can search metadata attributes such as To, From, Subject Line, Protocol, Tunnel Initiator, Presented MIME Type, Detected (magic number) File Type, and more within network flows.

Application Classification

Reputation Services/Data Enrichment

Security Analytics delivers on demand reputation checks from multiple trusted threat intelligence providers including:

  • VirusTotal
  • Google Safebrowse
  • Domain Age
  • RobTex
  • Team Cyrmu
  • LastLine
  • YARA
Reputation Services/Data Enrichment

Symantec Intelligence Services

All traffic that is captured on a Symantec Security Analytics appliance is analyzed for any known malicious web, mail and file-based threats. Security Analytics uses Intelligence Services for Security Analytics to harness the Symantec Global Intelligence Network, threat intelligence from 175 million endpoints reporting on billions of web and URL threats.

Blue Coat Intelligence Services

Extractions of Artifacts

The most powerful contributor to Situational Awareness is Security Analytics’s ability to reconstruct network traffic exactly as it passed over the wire. Produce evidence that makes sense. With every packet that is captured and classified, quick discovery, reconstruction and delivery of files in their original format is easy and intuitive. See the web page as the user saw it. View IM and email conversations. Reconstruct PDFs, Word docs, PPTs, Excel spreadsheets and more in their original format. Perform surveillance on a host or an individual and deliver real, recognizable evidence – not just a collection of packets.

Extractions of Artifacts

Seamless Integrations

Symantec Security Analytics integrates with best-of-breed network security technologies to give them the ability to pivot directly from an alert or log and obtain complete packet-level detail and artifacts of the event before, during and after the alert. The open, web services REST API lets you leverage technologies like HP ArcSight, Splunk, IBM Qradar, Guidance, Countertack, Symantec ATP and more. Streamline your incident response workflow and get a complete source and scope of an attack.

Seamless Integrations

Sandbox Brokering

All traffic that is captured on a Symantec Security Analytics appliance is analyzed for any known malicious web, mail and file-based threats. Security Analytics uses Intelligence Services for Security Analytics to harness the Symantec Global Intelligence Network, threat intelligence from 175 million endpoints reporting on billions of web and URL threats.

Sandbox Brokering

Additional Features

Artifacts Timeline

The Artifacts Timeline is a histogram of network artifacts over time. It helps incident response specialists quickly visualize a sequence of events and significantly improves artifact search performance.

Packet Analyzer

For those who love a good packet (and what incident response team doesn’t), but hate multiple steps for analysis, Security Analytics includes a full-featured packet analyzer right on the appliance. No need to transfer huge files over the network just to determine that the packets you were looking for aren’t in there. Use Wireshark filter syntax and conduct your deep analysis without having to leave the comfort of the Security Analytics interface. Filtered results are always one click away. Very powerful!

Media Panel

Nothing tells a story like a picture. When trying to enforce acceptable Internet use policy, quickly see what images are crossing your network and who’s viewing them. Media panel lets you quickly view and analyze all image and audio files to see exactly what the user experienced. Filter by file, extension or size and associated metadata such as: URL, source/destination IP, size or MIME type. A picture is worth a thousand words and can lead to details of unsanctioned or malicious activity.


With Security Analytics Geolocation you see the origin and destination of all network traffic. Identify patterns and concentrations of traffic traveling to and from non-traditional locations. See hot spots of activity, zoom-in on specific paths and flag IP addresses, locations or even countries as suspicious. Abnormal traffic patterns may be your starting point of an investigation and reduce your time to resolution. Export any network traffic as a .klm file and import into Google Earth. “Traffic to North Korea – that’s not right!”

Performance / Scale

Symantec Security Analytics appliances capture everything that crosses your network (packet header and payload), giving you a complete and forensically sound record of network activity. Only Security Analytics appliances meet the grueling demands of the largest government and enterprise networks, yet swiftly reconstruct and deliver real files from within terabytes of raw packet data.

Deployment options range from small or branch-office appliances to dedicated 10Gb High Density appliances with expandable storage for today’s fastest networks. Only Symantec Security Analytics gives you the option to also deploy as a Virtual Appliance. Large customers with expansive networks have selected Symantec as the only solution capable of meeting their needs for incident response and advanced network forensics, now and in the future.

Passively receiving traffic from a tap or SPAN, Security Analytics is invisible to the rest of your network, capturing traffic at line speeds without adding latency.

Central Manager

Central Manager provides a single point of management for Security Analytics 2G, 10G, VMs and high-density storage deployments. It delivers central access to all Security Analytics sensors for directed, aggregate searches and management. Supporting now over 200 sensors, Central Manager makes it easy for incident response teams to conduct efficient and comprehensive investigations across the entire organization.

Comparative Reporting

Compare captured network traffic to previous periods to identify abnormal patterns and establish a baseline and then highlight and notify when deviations occur. With comparative reporting, you understand trends over time and determine if further investigation is needed.

Indicators / Rules

Indicators use structured language to observe and identify specific activity. Use built-in metadata attributes, automatically-updated 3rd party indicator data or use custom updates from virtually any source.

Rules enable automation of alerts and common actions for additional analysis based on any indicator. For example, automatically export data to a PCAP, enrich retained metadata or send to file shares, analyze with 3rd-party tools like DLP or endpoint solutions. Tune notification frequency to what your incident response team and processes require.

Root Cause Explorer

Quickly get to the root cause of an attack with automatic tracing of HTTP referrer chains. Root Cause Explorer correlates relevant email, IM, and HTTP information for quick analysis and discovery of how the threat entered the network and the subsequent activities. As one user stated – “You’ve made one of the most time-consuming, rote functions of my job as simple as pushing a button …That was easy!”

PCAP Import

Rich analysis of Security Analytics can be applied to PCAPs from other sources of you may already have. You can also optimize available Security Analytics storage by exporting captured network traffic as PCAPs on external storage for later import and analysis as needed. PCAP Import also allows forensics analysts and incident response teams to obtain detailed information and analysis from PCAPs delivered from external sources.


Transmit captured data flows to third party tools for further analysis. Regenerate traffic with less than 1 ms of latency, even on 10Gb networks. Throttle traffic playback so other tools don’t bog down. Replay captured traffic to other tools to validate their effectiveness after they have been updated with new signatures or threat intelligence. By playing historical traffic back to updated tools you can determine if you were infected before that new threat was classified.

Filter & Replay Traffic

Filter inbound and outbound traffic by protocol, IP, MAC address, payload type, or unique bit pattern. Filter at the header or payload level. Apply multiple filters with the ability to start and stop filters at any time, while continuing to capture traffic. You can also iImport filters using standard Berkley Packet Filter (BPF) format. This level of control is unique to Symantec Security Analytics and provides flexibility to capture the traffic you feel most important to your investigations.

Extended Metadata Retention

Optimize the storage available on your Symantec Security Analytics appliance and extend the window of your forensics data. Create independent allocations of storage for metadata and full packets. This enables retention and analysis of longer periods of metadata and packets—weeks, months, or more. This enables long-term window for trend analysis and optimize the limited amount of storage.

Universal Connector

With the Universal Connector, you can directly add IP addresses to the Security Analytics filter bar from a Web browser. If you are conducting an investigation in any security tool that uses a standard browser-based UI, the connector allows you to pivot directly from those tools into Security Analytics and start your investigation. This simple integration provides a powerful way to simplify your investigation workflow and provide valuable context and full packet detail to simple alerts.