
Power BI for XDR



Overview

Microsoft Power BI is a hosted cloud service for building and viewing dashboards, reports, and Power BI apps (bundles of related dashboards and reports) in a web browser or in the Power BI apps for Windows, iOS, and Android. Power BI is available under a dedicated license and is also included with Office 365 E5, so many customers already have access to it, which makes it one of the simplest integrated options for company-wide reporting.

By summarizing and visualizing Secureworks® Taegis™ XDR data in Power BI, users can gain insight into their network and user activity and into the alerts and investigations that activity produces. Secureworks provides a set of sample reports, built from data pulled from several XDR APIs, that can be used as a basis for the reporting requirements within your organization.

Use Case Examples

Reporting can serve many purposes. XDR holds a large amount of information about your network devices and users, and about the investigations that pertain to them, which can be analyzed and visualized in different ways. Those views support outcomes that matter to different roles within a business by providing metrics for measuring the impact and progress of a particular outcome. Bringing XDR alert and investigation data into Power BI lets customers and partners see the trends that affect how effectively and efficiently they detect and respond to threats.

Below are a few personas, with their possible responsibilities and outcomes, that Power BI can support. The provided datasets and reports are intended as a starting point. They can be modified and expanded according to unique requirements of a particular business goal, once the metrics that support that goal have been identified.

Implementation Details

The Power BI for XDR integration is built on Power Query, the data-connection layer of Power BI, whose M language can perform API authentication, send queries, and parse the response data into tables for use within Power BI. Power BI applies its own data-source credential check to each URL before any Power Query script is allowed to run against it. The template's scripts authenticate to XDR themselves, with an OAuth client ID and client secret, so there is nothing for that Power BI check to supply: the data sources are therefore set to Anonymous in Power BI, and the actual OAuth authentication happens inside the scripts. This does not mean the XDR API accepts anonymous requests (it does not), and no credentials are sent in cleartext: the client secret and the resulting token travel only inside the HTTPS requests the scripts make to the API.

XDR APIs use GraphQL queries to retrieve data. The Power Query scripts pass GraphQL queries to various XDR API endpoints to obtain the desired information about alerts, investigations, assets, users, data volume, and so on. Depending on the endpoint used, the returned JSON needs to be handled differently: splitting lists into tables, reaching into nested records for specific values, re-ordering and re-naming columns, and so on. Each Power Query script therefore has its own handling of the API response.

Several base queries pull datasets from XDR pertaining to alerts and investigations. There are also auxiliary queries that pull information about endpoints and tenant users, which are used as lookup tables to filter and enrich other datasets, with relationships configured in the model that associate alerts and investigations with these various lookups. You can see all queries and their relationships under the Model view in Power BI.
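The following Python sketch is an added example and is not code from this page or from the Secureworks .pbit template, whose own logic is written in Power Query M. It mirrors the data flow described in this section: build the client-credentials token request (the /auth/api-token path and grant_type body are assumed from the separate XDR API Authentication guide and are not stated on this page), build a bearer-authenticated GraphQL request (/graphql is a placeholder for whichever endpoint a given query targets), flatten a constructed alerts response into rows the way the scripts split lists and dig into records, and left-join those rows to a constructed endpoint lookup the way the model's relationships do. The response shape, field names and asset list are constructed for illustration and do not match the real XDR schema.

```python
import base64
import json

# Region base URLs copied from the page; US1 is the documentation default.
API_URLS = {
    "US1": "https://api.ctpx.secureworks.com",
    "US2": "https://api.delta.taegis.secureworks.com",
    "US3": "https://api.foxtrot.taegis.secureworks.com",
    "EU": "https://api.echo.taegis.secureworks.com",
}


def build_token_request(region, client_id, client_secret):
    """Build, without sending, the OAuth 2.0 client-credentials request the
    Power Query scripts issue before any GraphQL query. The secret travels only
    in the Basic header of this one HTTPS POST, never in a URL.
    ASSUMPTION: the /auth/api-token path and grant_type body follow the separate
    XDR API Authentication guide, not this page; verify them there."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": f"{API_URLS[region]}/auth/api-token",
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": "grant_type=client_credentials",
    }


def build_graphql_request(region, access_token, query, variables=None):
    """Build the GraphQL POST that carries the bearer token obtained above.
    ASSUMPTION: /graphql stands in for whichever XDR endpoint a query targets;
    the page only says that several endpoints are used."""
    return {
        "method": "POST",
        "url": f"{API_URLS[region]}/graphql",
        "headers": {"Authorization": f"Bearer {access_token}",
                    "Content-Type": "application/json"},
        "body": json.dumps({"query": query, "variables": variables or {}}),
    }


# Constructed response in a plausible shape; the real alert schema is in the
# XDR GraphQL documentation and uses different field names.
SAMPLE_ALERTS_RESPONSE = {"data": {"alerts": [
    {"id": "alert-1", "severity": 0.8,
     "metadata": {"title": "Suspicious PowerShell", "created_at": "2024-05-01T10:00:00Z"},
     "entities": ["hostname:ws01", "user:alice"], "sensor_types": ["endpoint", "edr"]},
    {"id": "alert-2", "severity": 0.3,
     "metadata": {"title": "Failed logins", "created_at": "2024-05-01T11:30:00Z"},
     "entities": [], "sensor_types": []},
]}}

# Constructed endpoint lookup, standing in for the template's Asset query.
SAMPLE_ASSETS = [{"hostname": "ws01", "os": "Windows 11"}]


def flatten_alerts(response):
    """Mirror the Power Query shaping steps: fail loudly on GraphQL errors (they
    arrive with HTTP 200), expand the entity list to one row per entity, pull
    the nested metadata record out into columns, and join the sensor list into
    one text column. An alert with no entities keeps a single row with
    entity=None instead of vanishing in the expand step."""
    if response.get("errors"):
        raise ValueError(f"GraphQL errors: {response['errors']}")
    rows = []
    for alert in response["data"]["alerts"]:
        for entity in alert.get("entities") or [None]:
            rows.append({
                "alert_id": alert["id"],
                "severity": alert["severity"],
                "title": alert["metadata"]["title"],
                "created_at": alert["metadata"]["created_at"],
                "entity": entity,
                "sensor_types": ",".join(alert.get("sensor_types", [])),
            })
    return rows


def enrich_with_assets(rows, assets):
    """Left-join alert rows to the endpoint lookup on hostname, as the model's
    relationships do. An empty lookup (a tenant with no endpoints, the case in
    Known Issues) yields rows with os=None rather than a failed load."""
    by_host = {asset["hostname"]: asset for asset in assets}
    enriched = []
    for row in rows:
        entity = row["entity"] or ""
        host = entity[len("hostname:"):] if entity.startswith("hostname:") else None
        enriched.append({**row, "os": by_host.get(host, {}).get("os")})
    return enriched
```

With the sample data, flatten_alerts returns three rows (two for alert-1, one for alert-2 with entity None), and enrich_with_assets(rows, []) still returns all three rows with os set to None, which is the tenant-without-endpoints case described under Known Issues. In Power Query, expanding an empty list to new rows yields no rows for that record, so an equivalent guard belongs in the query if alerts without entities must be retained when adapting the template.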

Deployment Instructions

API URL Regions


The URL to access XDR APIs may differ according to the region your environment is deployed in:

  • US1— https://api.ctpx.secureworks.com
  • US2— https://api.delta.taegis.secureworks.com
  • US3— https://api.foxtrot.taegis.secureworks.com
  • EU— https://api.echo.taegis.secureworks.com

The examples in this XDR API documentation use https://api.ctpx.secureworks.com throughout. If your environment is in a different region, substitute the URL for that region.

Import the Power BI Template

To deploy these reports, we have produced a .pbit template file that you import into Power BI Desktop, obtained from Microsoft. Before following these instructions, make sure you have a Power BI license from Microsoft; see the licensing options on Microsoft's website.

  1. Create an XDR API client with the Tenant Auditor role, following the instructions on API Authentication.
    • Replace the API URL domain with the one for your Taegis environment (for example, api.delta.taegis.secureworks.com).
    • Copy the output of the command somewhere safe and private. It contains sensitive credentials that should be used only for Power BI in your organization. You will need the client_id and client_secret for the Power BI template. The parameter values you enter are saved in the .pbix file and in the semantic model you later publish, so limit who can open the file and who has access to the workspace.
  2. Download and install Power BI Desktop, obtained from Microsoft.
  3. Download the powerbi_for_taegisxdr.pbit template file here: powerbi_for_taegisxdr.pbit.
  4. Open the downloaded .pbit file. You may see some prompts for Microsoft account authentication, depending on your organization's access policies. You will need to authenticate to Microsoft to be able to publish the reports to your Power BI workspace.
  5. Once opened, a pop-up window prompting for parameters displays. Perform the following:
    • Input your client_id and client_secret from the API credential creation process in Step 1.
    • Select your Taegis environment URL for the api_url and vURL parameters.
    • Click Load.

Enter Parameters

  6. When prompted for authentication in the Access Web content window, use the default Anonymous access and click Connect.

Access Web Content

  7. Select Organizational privacy for all URLs prompted on the Privacy Levels pop-up. This is required for the Anonymous authentication pre-check to succeed; privacy levels also control whether Power Query may combine data across sources, which these queries do when they join alerts and investigations to the lookup tables.

Select Organizational Privacy

  8. If everything was successful, the queries run and load rows into the models, and a populated report opens showing the visuals. If you do not see the visuals, or you received an error message, see the Known Issues section in this document.

Successful Import

Publish the Reports to Power BI Web

To publish all of the reports to your online Power BI workspace:

  1. Click Publish at the far right of the Home tab at the top of the Power BI window. You are prompted to save the file locally on your computer; choose a name and location and save the file.

  2. Once saved, you are prompted to log in to a Microsoft account if you have not already done so.

  3. After logging in, you see a list of available workspaces. Select one appropriate for you or your team (My workspace is a reasonable starting point) and click Select.

Select Workspace

  4. The reports publish to Power BI web, where they can be viewed.

Publish Reports

  5. To set a refresh interval for the data (the published dataset, which Power BI calls a semantic model), click the Schedule refresh icon next to the semantic model. This opens the settings for the model.

Select Schedule Refresh

  6. Expand the Refresh setting and enable the refresh schedule. Select your time zone and refresh interval and click Apply. Your reports now update automatically at that interval.

Configure Refresh

Example Reports

Note that the following are examples of what is possible. Customers are encouraged to explore and build their own dashboards according to the metrics needed to measure and track desired outcomes.

Investigation Workload Overview

Example Investigation Workload Overview Report

Alert Entity Browser

Example Alert Entity Browser Report

Data Volume Overview

Example Data Volume Overview Report

Known Issues

Data load fails if no endpoints are deployed in the XDR tenant

The relationships between the data models assume that at least one endpoint is deployed in your XDR tenant. If no endpoints are present, those relationships break and the data load fails during initial template setup. It is rare for a tenant to have no endpoints deployed.

You can work around this by removing all Asset-related queries from the data models, which removes the associated relationships as well. However, you must cancel the data load to reach the Query Editor and make those changes, and cancelling means the initial template parameters (client_id, client_secret, and the URLs) are not saved, so you will need to enter them manually in the Query Editor. This workaround is currently unsupported, though support may be added in the future. If this behavior affects you and you are not comfortable editing the queries, contact your Account Team to engage Professional Services for further assistance.

You receive an error or see a yellow banner with the message "We couldn’t authenticate with the credentials provided"

  1. At the top of the Power BI query editor window, click the Data Source Settings button on the Home tab.

Select Data Source Settings from Home Tab

  2. Select the Data sources in current file radio button at the top of the window.

  3. For each URL in the list, click Edit permissions at the bottom of the window and set the credential type to Anonymous, the setting the template requires (see Import the Power BI Template).

Edit Credentials Type

  4. Select the Global permissions radio button at the top of the window.

  5. Repeat the permission edit for each URL in the list whose settings do not match the Data sources in current file settings.

  6. Close the Data Source Settings window.

  7. Click the Refresh Preview button on the Home tab.

Refresh Preview

  8. The selected query refreshes successfully. You may need to click Refresh Preview for each query in the list if you intend to edit the queries or preview the data.

Your data does not load

There are a few possible causes:

Invalid Credential Errors