This article describes the Intelligence Card Extension for Symantec's DeepSight Intelligence.
About Symantec DeepSight
Symantec DeepSight Intelligence extends your teams with actionable cyber threat intelligence. Make sharper decisions to defend against emerging global threats. The extension provides enrichment for Domain Cards, IP Address Cards, URL Cards and Hash Cards.
This support page describes how to enable extensions within Recorded Future. You must have commercial access to Symantec DeepSight to use this extension. Instructions for obtaining your API Token from the Symantec DeepSight portal are at the end of this page. As a reminder, an admin user must enable the extension, and the API credentials used will make the extension available to all other users of the enterprise account.
Extending Hash Cards
You can enrich any Hash Card with the following threat intelligence from Symantec DeepSight:
- Reputation
- SchemaVersion
- Intelligence
- Events
You can pivot in Recorded Future on these elements of the Symantec DeepSight response:
- MD5 and SHA-256 hashes
Example of SHA-256 Hash: 1f15a3e297b9017c40276ad1c32d606c8beebbf432227b47360f3674bfb60127
Extending Domain Cards
You can enrich any Domain Card with the following threat intelligence from Symantec DeepSight:
- SchemaVersion
- Whitelist
- Whois Record Data
You can pivot in Recorded Future on these elements of the Symantec DeepSight response:
- Domains
Example (facebook.com):
Extending URL Cards
You can enrich any URL Card with the following threat intelligence from Symantec DeepSight:
- SchemaVersion
- Whitelist
- Host Data
- Whois Record Data
You can pivot in Recorded Future on these elements of the Symantec DeepSight response:
- Domains
- URLs
Example (https://imgur.com/gallery/bgplqGg):
Extending IP Address Cards
You can enrich any IP Address Card with the following threat intelligence from Symantec DeepSight:
- SchemaVersion
- Whitelist
- First Seen
- Last Seen
- Behaviours
- Target Industries
- Target Countries
- Geolocation Info
- Network
- Organization
You can pivot in Recorded Future on these elements of the Symantec DeepSight response:
- IPs
- ASNs
Example (220.243.135.194):
Subscription Limitations
- Restricted Access: Access denied. The API key was successfully authenticated, but the license does not permit access to the requested resource.
- Limited Usage: The license count usage for the given period has been exceeded.
More Information
Detailed documentation on the various information fields can be found at https://deepsight.symantec.com/PortalNextGen/Content/Help/en-US/DPS-Help/wwhelp/wwhimpl/js/html/wwhelp.htm
Getting your API Token from the Symantec DeepSight Portal
To get your API Token, log in to the DeepSight portal and click 'Settings', which is located at the top right.
On the settings page select 'Profile' on the left side:
Your API Token should be at the bottom of the screen; regenerate if needed.