Version: 2019-09-24 Download


deepwatch Endpoint Solutions provide monitoring, management, and operation of customer’s Endpoint Detect and Response (EDR) solutions. deepwatch currently offers one endpoint solution; Protect Endpoint.

deepwatch Protect Endpoint includes the following features and capabilities:

  • Onboarding;
  • Alert Monitoring;
  • Device Software Upgrades and Configuration (excluding Profile Changes);
  • Profile Changes;
  • Active Response;
  • Knowledge Management; and
  • Support & Training.

Features & Capabilities

Protect Endpoint



deepwatch configures customer’s centralized EDR management solution for new implementations or performs a health-check and reconfiguration of existing centralized EDR management solutions.

deepwatch configures customized endpoint profiles or modifies existing endpoint profiles based on a combination of vendor recommendations, customer input, and deepwatch experience. These profiles are adjusted throughout the subscription duration at the customer’s request. The number of profiles included in the Protect Endpoint subscription is identified in each customer’s Order Form.


In collaboration with customer, deepwatch develops the appropriate governance rules in order to identify the following:

  • Maintenance Windows;
    • Planned Upgrades & Configuration Changes;
    • Limited to 1 Window per Week;
  • deepwatch integration into the customer’s change management process; and
  • Clearly define and document activities deepwatch may perform without explicit customer approval.

Alert Monitoring

deepwatch monitors customer EDR solutions for notable events, operational issues, and overall health by integrating the EDR solutions into deepwatch’s deepstack Cloud SecOps Platform.

Device Software Updates and/or Configuration (Excluding Profile Changes)

deepwatch performs platform configuration and patch management on behalf of deepwatch customers for in-scope EDR solution components. This includes updating the platform software and firmware as well as implementing changes requested via the deepwatch portal. Customer requests are prioritized and performed during the agreed upon maintenance window. Changes that cannot be addressed during the maintenance window are addressed at the next mutually agreed upon maintenance window.

deepwatch reviews all requested changes and identifies any technical issues with performing any requested change prior to scheduling the proposed software update and/or configuration change during the maintenance window.

Profile Changes

deepwatch performs profile changes as approved by customer during the designated maintenance windows. deepwatch reviews all requested changes and identifies any technical issues with performing any requested change prior to scheduling the proposed profile change during the maintenance window.  Customers may request up to five (5) emergency profile changes per month outside of the mutually agreed upon maintenance window.

Active Response

deepwatch takes customer authorized active response actions utilizing the capabilities of the customer’s EDR solution. Common examples include:

  • Blocking all network traffic (excluding the EDR solution) from the endpoint;
  • Malicious file deletion/removal; and
  • Investigation and analysis of potential malware.

Active response actions not included as native functionality within the customer EDR solution are not in-scope for deepwatch’s Protect Endpoint solution.

Knowledge Management

deepwatch’s deepstack Cloud SecOps Platform utilizes ServiceNow’s Knowledge Management functionality to provide shared Knowledge Articles between deepwatch and customer. deepwatch provides a predefined set of Knowledge Articles to customer. Additionally, custom Knowledge Articles are developed by deepwatch within ServiceNow, which notifies customer for review and approval. Knowledge Articles are reviewed at least every three (3) months during pre-defined meetings and as applicable during status meetings.

Support & Training

deepwatch serves as the primary contact for customer personnel for support of all deepwatch deepstack Cloud SecOps Platform components. In this context, deepwatch provides the support traditionally provided directly from vendors. deepwatch maintains specific support agreements with deepstack Cloud SecOps Platform component vendors in order to address and seek to resolve support related incidents in a prompt manner. deepwatch provides customer personnel with training on the deepwatch deepstack Cloud SecOps Platform and its supporting components via in-person and video-based training as well as ServiceNow Knowledge Articles.

Assumptions & Expectations


Customer must implement deepwatch's identity solution to access the deepstack Cloud SecOps Platform as well as customer’s centralized EDR management solution. Customer must federate existing authentication from its identity provider or utilize deepwatch's identity solution as an identity provider in conjunction with deepwatch’s Zero-Trust remote access solution.

Centralized Management

Customer acknowledges and agrees to provide access to in-scope centralized EDR management solutions to facilitate solutions delivery.

Subscription Dependencies

Customer must hold an active deepwatch Detect Analytics subscription or execute a deepwatch Detect Analytics subscription before the start date for its deepwatch Protect Endpoint subscription.

EDR Dependencies

Customer is responsible for the deployment of the EDR solution software agents on its endpoint devices.

Customer is also  responsible for ensuring EDR solution software agents are able to communicate with the centralized EDR management solution.


Each in-scope EDR solution must be on the deepwatch Supported Endpoint Solutions list set forth here as may be modified by deepwatch from time to time Additionally, customer must maintain active support contracts for all in-scope EDR solutions from the product device vendor and add deepwatch personnel to customer’s vendor support entitlements.

Travel & Expense

Customers acknowledge and agree to follow the deepwatch travel and expense policy provided here.

Virtual Appliance Deployment Assumptions

Customer must provide a virtual machine infrastructure capable of hosting Linux virtual appliance(s) managed remotely by deepwatch. Customer must also install virtual appliance(s) on its virtual machine infrastructure, configured with at least the following specifications:

  • At least 250 GB of either solid-state drives (SSD) or spinning disk storage;
  • 4 CPU cores; and
  • 16GB of RAM.

Customer must allow outbound TCP/443 access from their environment(s) virtual appliance(s) via the Symantec Secure Access Cloud Zero-Trust solution. Customers are responsible for the virtual appliance infrastructure (host) and networking and deepwatch is responsible for the virtual appliance(s) (guest[s]).

[ Home ]