Power BI for XDR
Overview
Microsoft Power BI is a secure hosted cloud service that lets users build and view dashboards, reports, and Power BI apps—a type of content that combines related dashboards and reports—using a web browser or via apps for Windows, iOS, and Android. Power BI is available through a dedicated license, but it is also included with Office 365 E5, so many customers already have access to it, making it one of the simplest and most integrated options for company-wide reporting.
By using Power BI to summarize and visualize data from Secureworks® Taegis™ XDR, users can gain rich insights about their network and user activity, and any alerts and investigations that result from said activity. Secureworks has created a set of sample reports that can be used to address various reporting requirements within your organization, using data from multiple APIs within XDR.
Use Case Examples
Reporting can serve many purposes. XDR contains an abundance of information about your network devices and users, and investigations pertaining to those entities, that can be analyzed and visualized in different ways to tell a story. Those stories can be used to drive various outcomes important to different personas within a business, by providing metrics that are useful for measuring the impact and progress of a particular outcome. By integrating XDR data into Power BI, the data related to XDR alerts and investigations allows customers and partners to better understand trends that affect their ability to effectively and efficiently detect and respond to threats.
Below are a few personas, with their possible responsibilities and outcomes, that Power BI can support. The provided datasets and reports are intended as a starting point. They can be modified and expanded according to unique requirements of a particular business goal, once the metrics that support that goal have been identified.
- SOC managers
  - Responsibilities: Workload monitoring, analyst skill/learning management
  - Outcomes: Reduce response and resolution time, improve analyst efficiency, triage harder problems
- Security leaders and architects
  - Responsibilities: Retrospectives, technology gaps, attack vector trends
  - Outcomes: Evolve security programs, expand defenses, make time for bigger and better things
- Threat hunters
  - Responsibilities: Analysis of entity context, attack vectors, gaps
  - Outcomes: Find obscure/rare attacks and vulnerabilities, plug unknown gaps, stop threats before they happen
- Security admins
  - Responsibilities: Device administration, confidentiality/integrity/availability, agent and license management
  - Outcomes: Maintain the machine, ensure analysts have all useful data, reduce cost and overhead
- MSSPs
  - Responsibilities: Workload monitoring, analyst skill/learning management, administration
  - Outcomes: Monitor important customers, improve analyst efficiency, reduce cost and overhead
Implementation Details
The Power BI for XDR integration is built on PowerQuery, the data-preparation language within Power BI, which performs the API authentication, issues the queries, and parses the response data for use within Power BI. The OAuth authentication to XDR happens inside the PowerQuery scripts, but those scripts cannot execute until Power BI has completed its own initial data-source check, which this sample template configures as Anonymous. No credentials are sent in cleartext, and the XDR API itself does not permit anonymous access: the Anonymous setting only satisfies Power BI's pre-check so that the PowerQuery scripts can run, and the actual OAuth authentication to XDR then occurs within those scripts using a client ID and client secret.
XDR APIs use GraphQL queries to retrieve data. The PowerQuery scripts pass GraphQL queries to various XDR API endpoints to obtain the desired information about alerts, investigations, assets, users, data volume, and so on. Depending on the XDR API endpoints used, the JSON data returned needs to be handled in different ways—with regards to splitting lists to tables, diving into records and retrieving specific values, re-ordering and re-naming columns, and so on—so each PowerQuery script has its own handling of the API response.
Several base queries pull datasets from XDR pertaining to alerts and investigations. There are also auxiliary queries that pull information about endpoints and tenant users, which are used as lookup tables to filter and enrich other datasets, with relationships configured in the model that associate alerts and investigations with these various lookups. You can see all queries and their relationships under the Model view in Power BI.
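The following PowerQuery (M) query is an added illustration of the flow described above, not a query taken from the Secureworks template: it exchanges the client ID and secret for an OAuth token, posts a GraphQL query with the bearer token, and turns the JSON list in the response into a typed table. The token endpoint path, the `X-Tenant-Context` header, the GraphQL query text, and the field names `items`, `id`, `severity`, and `created_at` are assumptions for the example; take the real values from the XDR API Authentication page and the API documentation.

```powerquery
// Added example; not the Secureworks template's own query. Items marked ASSUMED or
// HYPOTHETICAL are not taken from the page and must be checked against the XDR API docs.
let
    // Parameters normally supplied by the template's parameter prompt.
    XdrApiUrl    = "https://api.ctpx.secureworks.com",   // US1; substitute your region's URL
    ClientId     = "<client_id from the XDR API client>",
    ClientSecret = "<client_secret from the XDR API client>",
    TenantId     = "<tenant id from Tenant Settings -> Subscriptions>",
    MaxResults   = 1000,

    // 1. OAuth client-credentials exchange. ASSUMED: endpoint path, Basic-auth header
    //    and JSON body shape; the base URL is passed separately so Power BI registers
    //    one data source per region URL (this is the URL the Anonymous/privacy prompts refer to).
    BasicAuth = "Basic " & Binary.ToText(
        Text.ToBinary(ClientId & ":" & ClientSecret, TextEncoding.Utf8),
        BinaryEncoding.Base64),
    TokenJson = Json.Document(Web.Contents(XdrApiUrl, [
        RelativePath = "auth/api/v2/auth/token",
        Headers = [#"Authorization" = BasicAuth, #"Content-Type" = "application/json"],
        Content = Text.ToBinary("{""grant_type"":""client_credentials""}")
    ])),
    AccessToken = TokenJson[access_token],

    // 2. GraphQL request. HYPOTHETICAL query text and field names for illustration only.
    GqlQuery = "query($limit: Int) { items(limit: $limit) { id severity created_at } }",
    GqlBody  = Json.FromValue([ query = GqlQuery, variables = [ limit = MaxResults ] ]),
    GqlJson  = Json.Document(Web.Contents(XdrApiUrl, [
        RelativePath = "graphql",
        Headers = [
            #"Authorization"    = "Bearer " & AccessToken,
            #"Content-Type"     = "application/json",
            #"X-Tenant-Context" = TenantId    // ASSUMED header name for selecting the tenant
        ],
        Content = GqlBody
    ])),

    // 3. A GraphQL failure arrives as an "errors" array with HTTP 200, so raise it
    //    instead of silently loading an empty table.
    Errors = Record.FieldOrDefault(GqlJson, "errors", null),
    Data   = if Errors <> null
             then error Error.Record("GraphQLError", Text.FromBinary(Json.FromValue(Errors)), null)
             else GqlJson[data],
    // A tenant with nothing to return may yield null rather than []; treat both as empty
    // so the load does not fail (compare the "no deployed endpoints" fix in the changelog).
    Items  = if Data[items]? = null then {} else Data[items],

    // 4. List of records -> one-column table -> expanded and renamed columns.
    AsTable  = Table.FromList(Items, Splitter.SplitByNothing(), null, null, ExtraValues.Error),
    Expanded = Table.ExpandRecordColumn(AsTable, "Column1",
        {"id", "severity", "created_at"}, {"AlertId", "Severity", "CreatedAt"}),

    // 5. Column types and the order the report visuals expect.
    Typed   = Table.TransformColumnTypes(Expanded, {
        {"AlertId", type text}, {"Severity", type number}, {"CreatedAt", type datetimezone}}),
    Ordered = Table.ReorderColumns(Typed, {"CreatedAt", "AlertId", "Severity"})
in
    Ordered
```

Because the Authorization header is built inside the query, the credential type Power BI asks for on the base URL is Anonymous, exactly as the deployment steps describe. The client secret entered as a parameter is stored in the saved .pbix file, so that file deserves the same handling as the credential output from the API client creation step.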
Deployment Instructions
API URL Regions
The URL to access XDR APIs may differ according to the region your environment is deployed in:
- US1—https://api.ctpx.secureworks.com
- US2—https://api.delta.taegis.secureworks.com
- US3—https://api.foxtrot.taegis.secureworks.com
- EU—https://api.echo.taegis.secureworks.com
The examples in this XDR API documentation use https://api.ctpx.secureworks.com throughout. If you are in a different region, substitute appropriately.
Import the Power BI Template
To deploy these reports, we have produced a .pbit template file that must be imported into Power BI Desktop, obtained from Microsoft. Prior to following these instructions, please ensure you have obtained a Power BI license from Microsoft; see licensing options on Microsoft's website. Please note that the use of this template file is at the user's discretion, and Secureworks assumes no liability for its use or interpretation of the data provided.
- Create an XDR API client with the Tenant Auditor role using the instructions provided on API Authentication.
  - Ensure you replace the API URL domain with the one for your Taegis environment (e.g., api.delta.taegis.secureworks.com).
  - Copy the output of the command somewhere safe and private. It contains sensitive credentials that should only be used for Power BI in your organization. You will need client_id and client_secret for the Power BI template.
- Download and install Power BI Desktop, obtained from Microsoft.
Tip
Although the official RAM recommendation for Power BI is 4 GB, we recommend 8 GB for optimal system performance.
- Download the powerbi_for_taegisxdr.pbit template file here: powerbi_for_taegisxdr.pbit.
- Open the downloaded .pbit file. You may see some prompts for Microsoft account authentication, depending on your organization's access policies. You will need to authenticate to Microsoft to be able to publish the reports to your Power BI workspace.
- Once opened, a pop-up window prompting for parameters displays. Perform the following:
  - Input your client_id and client_secret from the API credential creation process in Step 1.
  - Select your Taegis environment URL for the XDR Environment parameter.
  - Input your XDR tenant ID (found on the Tenant Settings → Subscriptions page within XDR).
  - Adjust any of the default thresholds for result limits and time ranges as desired (90 days or less).
  - Click Load.
Enter Parameters
- When prompted for authentication in the Access Web content window, use the default Anonymous access and click Connect.
Access Web Content
- Select Organizational privacy for all URLs prompted on the Privacy Levels pop-up. This is required for the Anonymous authentication pre-check to succeed.
Select Organizational Privacy
- If everything was successful, the queries run and load rows into the model. A populated report opens and displays various visuals. If you do not see the visuals, or you receive an error message, please see the Known Issues section in this document.
Successful Import
Publish the Reports to Power BI Web
To publish all of the reports to your online Power BI workspace:
- Click Publish at the far right of the Home tab at the top of the Power BI window. This will prompt you to save the file locally on your computer. Choose a name and location and save the file.
- Once saved, you will be prompted to log in to a Microsoft account if you have not yet done so.
- After logging in, you will see a list of available workspaces. Select one appropriate for yourself or your team (consider "My workspace" as a starting point) and click Select.
Select Workspace
- The reports are published to, and can be viewed in, Power BI web.
Publish Reports
- To set a refresh interval for the data (which Power BI calls a Semantic Model), click the Schedule refresh icon next to the Semantic Model. This opens the settings for the model.
Select Schedule Refresh
- Expand the Refresh setting and enable the refresh schedule. Select your desired time zone and refresh interval and then click Apply. Now your reports will automatically update at your desired interval.
Configure Refresh
Example Reports
Note that the following are examples of what is possible. Customers are encouraged to explore and build their own dashboards according to the metrics needed to measure and track desired outcomes.
Investigation Overview
Example Investigation Overview Report
Analyst Performance Details
Example Analyst Performance Details Report
Alert Entity Browser
Example Alert Entity Browser Report
Data Volume Overview
Example Data Volume Overview Report
Known Issues
You receive an error or see a yellow banner with the message "We couldn't authenticate with the credentials provided"
- At the top of the Power BI query editor window, click the Data Source Settings button on the Home tab.
Select Data Source Settings from Home Tab
- Select the Data sources in current file radio button at the top of the window.
- For each URL in the list, click Edit permissions at the bottom of the window and then perform the following:
  - Click Edit under Credentials Type.
Edit Credentials Type
  - Select Anonymous and click Save.
  - Select OK.
- Select the Global permissions radio button at the top of the window.
- Repeat the permission edit process for each URL in the list, if they do not align with the "Data sources in current file" settings.
- Close the Data Source Settings window.
- Click the Refresh Preview button on the Home tab.
Refresh Preview
- The selected query now refreshes successfully. Note that you may need to manually click Refresh Preview for each query in the list if you intend to edit the queries or preview the data.
Your data does not load
There are a few possible causes:
- Your XDR API credential is not valid. Follow the XDR API authentication instructions to create an API client with the Tenant Auditor role.
Invalid Credential Errors
- The data privacy setting chosen for the file is not Organizational or Public. Ensure Organizational is selected for the Privacy Levels. For more information, see You receive an error or see a yellow banner with the message "We couldn't authenticate with the credentials provided".
- Your organization does not allow outbound access to the XDR API URLs. This is unlikely, as it would mean the XDR web interface would not work either, but depending on where you are attempting to use Power BI, there may still be a host- or network-level policy preventing this access. Troubleshoot with your organization's network team to determine if this is a potential cause.
Changelog
1.1.1
Released: Production Stable—19 November 2024
Fixes & Improvements
- Updated user ID relationships to account for new authenticator provider
- Consolidated tenant environment parameters
- Minor report tweaks
1.1.0
Released: Production Stable—25 July 2024
Features
- New report: Security Overview
- New report: Analyst Performance Details
- Adjustable time ranges for alert, investigation, and data volume queries
- Tenant ID selection to allow a multi-tenant API client to run reports for various child tenants
Fixes & Improvements
- Fixed pagination for alerts and investigations
- Re-structured queries to use parent (BASE_) queries to improve query performance and API load
- Expanded alert base query to include custom alerts
  - Users are strongly advised to review their custom alert rules: excessively noisy custom alerts can cause the result limits to be hit too soon, preventing more insightful non-custom alerts from being loaded. Alternatively, exclude custom alerts in the alert base query.
- Improved field mapping to avoid relationship conflicts
- Fixed data load failure if tenant has no deployed endpoints
- Minor report tweaks
1.0.0
Released: Production Stable—2 May 2024
Features
- Initial release