Version: 2019-05-10 Download


deepwatch Analytics solutions provide monitoring and management of the Customer’s Analytics environment. Currently, deepwatch offers two Analytics solutions; Protect Analytics and Detect Analytics.

deepwatch Protect Analytics includes the following features and capabilities:

  • deepwatch Platform Management;
  • Operational and Strategic Threat Intelligence;
  • Incident Detection Development;
  • Knowledge Management;
  • Support and Training; and
  • Volume Tier.

deepwatch Detect Analytics includes the following features and capabilities:

  • All deepwatch Protect Analytics features & capabilities;
  • Event Monitoring and Analysis;
  • Incident Alerting and Response;
  • Incident/Case Management;
  • Threat Hunting; and
  • Incident Response Services.

Features & Capabilities

Protect Analytics

deepwatch Platform Management

deepwatch provides on-going services of Customer’s deepwatch environment to enable Customer’s resources to focus their efforts on cybersecurity-relevant actions. deepwatch provides management services for the following deepwatch Platform components.

Management Services

Supporting Infrastructure

Splunk Infrastructure


  • Configuration Management
  • Log Source Onboarding
  • User Provisioning & Deprovisioning
  • Upgrades & Patches
  • Troubleshooting

Machine Instances

Index Clusters

Splunk Enterprise


Operating Systems

Search Heads

Splunk Enterprise Security (Optional)



Deployment Servers

Splunk UBA (Optional)



License Servers


Heavy Forwarders


Universal Forwarders


deepwatch provides health monitoring and resolution for the following deepwatch Platform components.

Health Monitoring & Resolution Services

Supporting Infrastructure

Splunk Infrastructure

Splunk Data

  • Uptime Monitoring
  • Resource Utilization
  • License Utilization
  • Active Response

Machine Instances

Index Clusters

Log Sources


Operating Systems

Search Heads

Reporting Hosts



Deployment Servers

Data Models



License Servers


Heavy Forwarders


Universal Forwarders


Operational and Strategic Threat Intelligence

deepwatch incorporates a robust fusion of validated open-source and commercial threat-intelligence sources into the deepwatch Platform. These sources provide deepwatch and Customer with an enhanced foundation for identifying, reporting and responding to malicious activity. To further enrich our capabilities, deepwatch partners with government and industry-specific organizations to access exclusive Indicators of Compromise (IoC) and signatures. The deepwatch platform ingests these IoCs and signatures for distribution and future incident enrichment.

Incident Detection Development

deepwatch utilizes its Content Library to develop and implement additional use cases. Currently, deepwatch’s Content Library consists of more than 200 use cases developed by deepwatch personnel that represents the business and security requirements of deepwatch Customers. These use cases are adapted to Customer’s specific environment using Splunk’s Common Information Model (CIM) that normalizes Customer data to match a common standard, using the same field names and event tags for equivalent events from different sources or vendors. deepwatch’s Content Library consists of the following exclusive use cases:

  • Over 150 Searches (Can be used as Alerts or Dashboard Panels);
  • Over 50 XML dashboards; and
  • Over 20 Unique & 80 Vendor Specific Log Types.

deepwatch updates the Content Library at least quarterly with new use cases.

Knowledge Management

The deepwatch Platform utilizes ServiceNow’s Knowledge Management functionality to provide shared Knowledge Articles between deepwatch personnel and Customer. deepwatch provides a pre-defined set of Knowledge Articles specific to Customer. Additionally, custom Knowledge Articles are developed by deepwatch personnel within ServiceNow, which notifies Customer’s personnel for review and approval. Knowledge Articles are reviewed at least every three (3) months during pre-defined meetings and as applicable during weekly status meetings.

Support & Training

deepwatch serves as the primary contact for Customer’s personnel for support of the all deepwatch Platform components. As such, deepwatch provides the support traditionally provided directly from vendors such as Splunk, Demisto, and Anomali. deepwatch maintains specific support agreements with deepwatch Platform component vendors to accelerate support related incidents. deepwatch provides Customer’s personnel with training on the deepwatch Platform and its supporting components via in-person and video-based training, and knowledge articles.

Volume Tier

Monitored Customer devices may send a predetermined data volume, defined in either Gigabytes (GB) or Terabytes (TB) per day, to the deepwatch Platform.  Customers may configure as many devices and log sources as desired until the total amount of daily traffic reaches the contracted Volume Tier.

deepwatch will provision storage based on the contracted Volume Tier.  deepwatch will store the equivalent of ninety (90) days online. deepwatch will store data older than ninety (90) days offline in object storage. Unless otherwise contracted and stated on the Customer Order Form, deepwatch will retain one (1) year of logs for Customer.

Detect Analytics

Event Monitoring & Analysis

deepwatch provides event validation of in-scope devices twenty-four (24) hours a day, three hundred sixty-five (365) days a year. Event validation consists of deepwatch analysts monitoring log data and alerting platforms to validate and respond to potential Information Security incidents.

Incident Alerting and Response

deepwatch utilizes the following framework for providing Customer with Incident Alerting and Response.

Incident Analysis

Incident Routing

Incident Handling

Incident Reporting

Analyze alert output and compare with SIEM, ongoing events, change tickets, and other activity.

Define incident severity per Customer-specific definitions established during Customer onboarding.

Expedite defined severity events to deepwatch’s Incident Responders.

Report validated incidents to the Customer via ServiceNow.

Perform research to determine if an incident has malicious intent or is regular activity and assess potential impact.

Verify, and escalate validated incidents based on severity.

Perform ad-hoc incident response, malware analysis, and digital forensics as requested by the Customer.

Provide updates to the Customer on incidents as additional information becomes available.

Conduct threat assessment based on intelligence feeds and proprietary deepwatch threat intelligence.

Escalate alerts to appropriate Customer personnel using a threat escalation matrix.

Provide telephone and chat analysis and support to the Customer.

Define criteria for automatic incident creation and alerting,  and implement to decrease validation and alert duration.

Incident/Case Management

deepwatch provides Incident/Case Management capabilities within the deepwatch Platform. Both deepwatch Squads and Customer personnel collaborate and share relevant artifacts within the Demisto Case Management feature of the deepwatch Platform. deepwatch Squad members work daily in Demisto to triage and manage cybersecurity incident workflows.

Threat Hunting

Active hunting by dedicated deepwatch Threat Hunters identifies threats before they materialize. Proactive Threat Hunting occurs based on advanced analytics and trends and includes hunting for unusual activity outside normal patterns. This type of hunting requires knowledge of adversarial behavior in each Customer’s daily work patterns as well as developing threat profiles from publicly available intelligence and Customer provided information.

The following table outlines the activities performed by deepwatch Threat Hunters and Analysts.

Threat Hunters


Tactics, Techniques and Procedures (TTP) Development

Incident Triage & Validation

Threat Hunting

Threat Hunting

Knowledge Object Development & Tuning

Tuning Knowledge Objects

Incident Escalation

Log Source Ingestion

Threat Research

Collaboration with Customer Personnel via Slack & Microsoft Teams

Collaboration with Customer Personnel via Slack & Microsoft Teams

Attend Customer Meetings & Support

Incident Response Services

As part the deepwatch Detect Analytics solution, deepwatch provides up to eight (8) hours per month of Remote Incident Response (RIR) at no extra cost for the duration of the contract period. deepwatch tracks and reports RIR hours as utilized. Hours expire every month. RIR hours may be used for the following services beyond those natively included within the deepwatch Detect Analytics solution:

  • Perform ad hoc investigations or data analysis requested by Customer (data must exist within the Customer's deepwatch environment);
  • Participate in cybersecurity incident response activities led by Customer; and
  • Participate in table top exercises to simulate incident response management activities.

If Customer requires more than eight (8) hours of RIR support during any given month, Customer must purchase additional deepwatch Incident Response Retainer services.

Assumptions & Expectations


Customer will utilize deepwatch's identity solution to access deepwatch-related systems. Examples include Splunk, Demisto, and ServiceNow. Customer may federate existing authentication from their identity provider or may utilize deepwatch's identity solution as an identity provider.

Virtual Appliance Deployment Assumptions

Customer will provide a virtual machine infrastructure capable of hosting Linux (CentOS) virtual appliance(s) managed remotely by deepwatch.  Customer will install virtual appliance(s) on Customer provided virtual machine infrastructure, configured with at least the following specifications:

  • At least 250 GB of either solid-state drives (SSD) or spinning disk storage;
  • 4 CPU cores; and
  • 16GB of RAM.

Customer will allow outbound TCP/443 access from Customer environment virtual appliance(s) via the zero-trust solution. Customer is responsible for the virtual appliance infrastructure (host) and networking, while deepwatch is responsible for the virtual appliance(s) (guest[s]).

Customer will deploy forwarding agents to monitored devices, or configure existing forwarders to use deepwatch’s deployment server and forward specific indexes.

Travel & Expense

Customer acknowledges and agrees to follow the travel and expense policy provided here.

[ Home ]