Free community edition

Request a demo

Combating Threat Intelligence Obstacles with DFLabs SOAR and Symantec DeepSight

Back to all articles

Combating Threat Intelligence Obstacles with DFLabs SOAR and Symantec DeepSight 1

The addition of threat intelligence to a security program has become as commonplace to security as an organization deploying a firewall to their perimeter. However, just like an improperly configured firewall can spell disaster to an organization’s security posture, so can improperly vetted intelligence feeds.

DFLabs integration with Symantec DeepSight provides organizations with the capability to overcome these common threat intelligence pitfalls through Symantec DeepSight ‘s enriched intelligence data and the automation power of DFLabs IncMan SOAR platform. Symantec DeepSight’s intelligence feeds provide the context necessary to operationalize its data through pure automation and orchestration power found in DFLabs IncMan SOAR.

Threat Intelligence has become a necessary tool for organizations to utilize to ensure that their security teams have the most up to date and relevant threat data to protect their businesses and assets. However, the market has become so saturated with products looking to offer this service to organizations that oftentimes these products are not accurately utilized.

The inability to operationalize threat intelligence data is one of the highest reported obstacle organizations face when attempting to deploy a threat intelligence program. Oftentimes this inability leads to an even greater level of alert fatigue and missed indicators of a larger breach. These missed indicators can allow an attacker to lie dormant in an environment for long periods of time, granting them the ability to maintain a strong foothold and accomplish a greater level of damage to an organization and its reputation.

  • How can organizations operationalize their threat intelligence solutions?
  • How can organization gather greater context from their threat intelligence feeds?
  • How can organizations prevent alert fatigue and missed indicators of compromise while building a threat intelligence program?

DFLabs SOAR and Symantec DeepSight Solution:

The DFLabs and Symantec DeepSight solution aims to help organizations overcome the obstacles most often faced when trying to implement and utilize a threat intelligence in a security program. By harnessing the power of DFLabs automation and orchestration capabilities the context-rich threat intelligence data gathered from Symantec DeepSight can be fully operationalized to assist security teams during their preliminary investigations and remediation efforts.

Through the use of automation and orchestration techniques, Symantec’s threat intelligence data can be used to make split-second decisions on behalf of the security team to correctly prioritize and remediate a potential incident. By allowing context-rich intelligence feeds to drive automated actions, security teams will be able to combat alert fatigue and ensure indicators of compromise are not missed.

  • Operationalize threat intelligence through context-rich data feeds and the power of automation and orchestration
  • Gather the context necessary to make split-second security decisions by utilizing data-rich intelligence feeds
  • Prevent alert fatigue and missed indicators of compromise by utilizing threat intelligence and automation to evaluate and prioritize security incidents

About Symantec DeepSight:

Symantec DeepSight is a cloud-hosted cyber threat intelligence platform that provides access to both Adversary Intelligence and Technical Intelligence. The intelligence is drawn from Symantec’s broad portfolio of security products, as well as its adversary intelligence operations, which include security research and analysis teams positioned across the globe. DeepSight Intelligence data is enriched, verified and analyzed to provide attribution and to connect seemingly disparate indicators into campaigns with known actors and motivations behind them. The finished intelligence product is actionable and is made available via a web portal, data feeds or restful APIs.

Use Case:


An endpoint detection system alert is received for a potentially suspicious download to a development computer. IncMan SOAR receives the alert and automatically executes the Suspicious File Download R3 Rapid Response Runbook. The runbook starts by parsing out important incident information such as source and destination IP address and file hash.

Once this information is extracted the source IP address and the file hash are evaluated against Symantec DeepSight’s reputation services. This information is forwarded to the runbook’s first set of conditional statements which are looking for evidence that the IP address or file hash are reporting a negative reputation score. The R3 Rapid Response Runbook evaluates both artifacts simultaneously and splits off into two separate workflows to handle the artifacts separately.

The first workflow looks at the reputation score of the destination IP address where the potentially malicious file was downloaded from. If Symantec DeepSight finds the address to be malicious, a query is issued to the organization’s SIEM platform to gather information on any additional hosts who may have interacted with that IP in the last 30 days. If any additional hosts had been observed interacting with the malicious IP the additional hosts are added to the incident as new incident artifacts, the priority is elevated to high, the IP address is blocked at the firewall, and a new ticket is created in the organization’s ticketing system for manual follow-up by the security team. However, if the query of the organization’s SIEM does not indicate additional hosts had interacted with the IP, the IP will be blocked, the affected host will be tagged for follow-up review, and a new ticket is created for the security team to ensure the affected host is monitored for any potential infection or breach.

If Symantec DeepSight reports a benign reputation score, the R3 Rapid Response Runbook will re-evaluate the IP address against another reputation service before exiting the workflow. If the additional reputation service finds the IP address to contain a malicious reputation score the initial workflow will be taken to ensure that no other hosts in the environment had interacted with the malicious IP before it is blocked at the organization’s firewall.

A similar workflow is followed by the R3 Rapid Response Runbook when evaluating the downloaded file. The hash is checked against Symantec DeepSight’s reputation service to determine its reputation score. If the reputation score is malicious the intelligence data gathered from Symantec DeepSight is utilized to gather specific malware information to be presented to the security team for remediation, the affected machine is tagged for remediation and a ticket is opened in the organization’s ticketing system for review.

If the downloaded file is issued a benign reputation score by Symantec, a re-verification check will be performed by another reputation service before exiting the workflow. If the re-verification check finds the file to be malicious, the organization’s SIEM will be queried to ensure no other host had interacted with the malicious file in the last 30 days. If additional hosts have been observed, the hosts are added to the incident as new incident artifacts, the priority is elevated to high, the file is banned, and a new ticket is opened in the organization’s ticketing system for review. If no additional hosts are observed, the file is banned, the affected host is tagged for remediation, and a new ticket is opened for the security team to review.


  • Enrichment
  • Domain Reputation
  • File Reputation
  • IP Reputation
  • URL Reputation
  • Malware Information


Effectively responding to a security incident requires critical decisions to be made in seconds. Without actionable threat intelligence, responders and security solutions lack the vital information needed to stop the threat before additional damage can be done. Combining the automation and orchestration power of DFLabs’ IncMan with the context-rich threat intelligence data from Symantec DeepSight allows organizations to quickly operationalize threat intelligence and make efficient and accurate automated, semi-automated and manual response decisions.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo