🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Capabilities At a Glance

detectors data sources integrations edr endpoints


The following summarizes the integration and configuration capabilities of Secureworks® Taegis™ XDR, including what data sources are compatible and what data from those sources are needed and/or available to Secureworks® Taegis™ XDR Detectors and the watchlists Secureworks® Taegis™ XDR can ingest.

Regions

Availability of Taegis™ XDR features depend upon the region your environment is deployed in.

For a gathered list of what is not supported in the EU region, see Unsupported Features in EU.

Detector Requirements

The following lists the data sources each Secureworks® Taegis™ XDR detector requires:

Data Retention Policy

Secureworks retains event and alert data for 12 months from the date the data is received. All other data concerns are covered in the Secureworks© Cloud Services Interface Privacy Statement.

Provided Data from Integrations

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Cloud

  Antivirus Auth CloudAudit DHCP DNS Email Encrypt HTTP Management Netflow NIDS Thirdparty
Amazon GuardDuty                       V
AWS Application Load Balancer               D        
AWS CloudTrail   V V                  
AWS VPC Flow Logs                   D    
AWS Web Application Firewall               D, V        
Cisco Umbrella         D     D   D    
Google Cloud Platform     Y             D   V
Google Workspace   D, V V                 V
MS Azure Active Directory   Y Y                  
MS Azure Active Directory Activity Reports   D V                  
MS Azure Active Directory Identity Protection     V                 V
MS Azure Activity Logs     V                  
MS Graph Security     V                 V
MS Office 365   D, V V                 V

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Email Security

  Antivirus Auth CloudAudit DHCP DNS Email Encrypt HTTP Management Netflow NIDS Thirdparty
Mimecast             D        
Proofpoint             D        

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Endpoints

  Alerts Auth DNS File Collection HTTP NIDS Netflow Process File Modification API Call Registry Scriptblock Management Persistence Thread Injection
Taegis™ Windows Endpoint Agent      
Taegis™ macOS Endpoint Agent            
Taegis™ Linux Endpoint Agent            
Red Cloak™ Windows Endpoint Agent              
Red Cloak™ Linux Endpoint Agent                        
VMware Carbon Black Response Cloud          
VMware Carbon Black Cloud Endpoint™ Standard        
VMware Carbon Black Cloud Enterprise EDR          
Crowdstrike      
Microsoft Defender for Endpoint      
SentinelOne      

Note

The Endpoints table will be updated to use the new integration definitions in a future release.

Firewalls/Next-Gen Firewalls

  Antivirus Auth DHCP DNS Email Encrypt File HTTP Management Netflow NIDS Process Thirdparty
Barracuda Firewall                   D      
Check Point Firewall V D         D   D     V
Cisco ASA Firewall   D Y D       D Y D V    
Cisco FTD Firewall (Syslog only, see eStreamer via eNCore for NIDS)   D Y D       D Y D V    
Cisco Meraki Firewall   D         Y D   D V    
Forecepoint Firewall   D Y         D   D     V
Fortigate Firewall V D   D     D   D     V
Juniper SRX Firewall   D         Y D   D V    
OPNsense Firewall                   D      
PaloAlto Firewall   D           D   D V    
pfSense Firewall                   D      
SonicWall Firewall   D Y D       D   D V    
Sophos XG   D       Y D   D V    
WatchGuard Firewall   Y   D       D   D      
Zscaler Cloud Firewall       D           D      

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Host-Based Intrusion Detection Systems

  Antivirus Auth DHCP DNS Email Encrypt Filemod HTTP Management Netflow NIDS Process Thirdparty
McAfee ePO Y Y                   D Y
Trend Micro Deep Security V           Y D   D Y    

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Identity and Access Management

  Auth CloudAudit DNS HTTP Netflow NIDS Process Thirdparty
Cisco ISE D           Y  
CyberArk D Y           V
Okta D Y            

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Infrastructure Management

  Auth CloudAudit DNS HTTP Management Netflow NIDS Process Thirdparty
vCenter D       Y        

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Network Intrusion Detection Systems

  Antivirus Auth DHCP DNS Email Encrypt Filemod HTTP Management Netflow NIDS Process Thirdparty
Secureworks iSensor                   D D, V    
Corelight (Zeek)   D Y D   D   D   D D, V    
Darktrace                         V
eStreamer via eNCore                   D D, V    
LastLine   Y                 D    
Suricata       D       D   D D, V    

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

OT Security

  Antivirus Auth DHCP DNS Email Encrypt File HTTP Management Netflow NIDS Process Thirdparty
Claroty CTD                   D     V
Dragos Platform                   D     V
Nozomi Guardian                         Y
SCADAfence                   D D   Y

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Important

Adding an OT Security integration to your Taegis XDR tenant requires Taegis™ XDR for OT. Contact your account manager or CSM to acquire the required license.

Security Service Edge

  Antivirus Auth DHCP DNS Email Encrypt Filemod HTTP Management Netflow NIDS Process Thirdparty
Cato Networks Y                 D     Y
Cloudflare               D   D Y    
Netskope V Y               D V   V

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Server Logs

  Auth DHCP DNS File HTTP Management Netflow NIDS Process Thirdparty
InfoBlox (DNS via named process)     D            
Microsoft Windows Event Log (Microsoft-Windows-Security-Auditing) D     Y   Y D   Y Y
Microsoft DHCP   Y                
Microsoft DNS     D              
Microsoft IIS         D          
Non-Microsoft-based servers (processes like sudo/su/sshd/named) D   D     Y        

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

VPN Appliances

  Auth DNS HTTP Netflow NIDS Process Thirdparty
PulseSecure VPN D            

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Web Application Firewalls/LoadBalancers

  Auth DNS HTTP Management Netflow NIDS Process Thirdparty
F5 ASM WAF     D          
F5 LTM D     Y        
Barracuda WAF     D          
Fortinet FortiWeb         D     V
Imperva WAF     D          
Citrix ADC D   D Y D    

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Web Proxies

  Antivirus Auth DHCP DNS Email Encrypt File HTTP Management Netflow NIDS Process Thirdparty
Akamai Enterprise Application Access (EAA)   D           D          
Forcepoint Web Security               D          
Cisco IronPort   Y           D          
McAfee Web Gateway               D          
Symantec (Blue Coat) ProxySG WebProxy               D          
Zscaler Secure Web Gateway               D          

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Other Network Appliances

  Auth DNS HTTP Management Netflow NIDS Process Thirdparty
Cisco IOS based Switches and Routers D     Y        
Aruba ClearPass NAC D              

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Other Integrations

HRMS & Identity

Azure Active Directory

Features Supported:

How we Integrate

We implement the Microsoft Graph API.

Compatible Detectors

Stolen Credentials, and Tactic Graphs™ Detector.

SIEM/Security

Splunk Heavy Forwarder

Replicates all data sent from Splunk using their Heavy Forwarder to Secureworks® Taegis™ XDR.

How We Integrate

Secureworks® Taegis™ XDR is configured to receive data from Splunk Heavy Forwarder through a TLS encrypted Syslog ingestor. A Secureworks® Taegis™ XDR technical representative can help you get the appropriate TLS certificate issued. Once the certificate has been issued, you can configure a Splunk Heavy Forwarder to send data to Secureworks® Taegis™ XDR. This involves updating the output.conf file for Splunk Heavy Forwarder.

Note

We only support forwarded data types for integrations that are supported by Secureworks® Taegis™ XDR.

Compatible Detectors

All Secureworks® Taegis™ XDR detectors are capable of using Splunk provided data. Usage is dependent on your configuration and the data Splunk is forwarding.

Perimeter/Proxy

Secureworks iSensor

Secureworks™ iSensor is a Network IDS/IPS available from Secureworks. It leverages our latest threat intelligence to detect network-level threat signatures on the perimeter. iSensor is a separately contracted feature that may be included with Taegis™ ManagedXDR.

Features Supported
Compatible Detectors

DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs™ Detector, Punycode, IP Watchlist, and Domain Watchlists.

Palo Alto Networks

We use Secureworks® Taegis™ XDR’s On-Premises Data Collector to pull NetFlow data from PAN devices.

Features Supported
Supported Devices
How We Integrate

We collect Syslog information from Palo Alto using the Taegis™ XDR Collector. For more information see On-Prem Data Collector.

Compatible Detectors

DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs™ Detector, Punycode, IP Watchlist.

Cisco

Features Supported
Supported Devices
How We Integrate

We collect Syslog information from Cisco using the Taegis™ XDR Collector, and use eStreamer to collect security events/logs from FTD devices. For more information see On-Prem Data Collector.

Compatible Detectors

DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs™ Detector, Punycode, IP Watchlist.

Cloud Applications

Office 365 / Azure

Features Supported
Compatible Detectors

Stolen Credentials, and Tactic Graphs™ Detector.

Amazon Web Services

Our AWS Integration uses a custom-developed AWS Collector for supporting GuardDuty Findings, importing findings and displaying those findings to the user. We do not support Cloudwatch or Cloudwatch Agent at this time.

We also support data collected by a custom serverless collector that supports AWS Application Load Balancers, AWS CloudTrail, AWS VPC Flow logs and AWS WAF. We additionally support integration with Cisco Umbrella services deployed to AWS.

Compatible Detectors

Stolen Credentials, and Tactic Graphs™ Detector.

Endpoint

Red Cloak™ Endpoint Agent

The Secureworks Red Cloak™ Endpoint Agent is included with Secureworks® Taegis™ XDR. This agent captures a rich set of telemetry from endpoints, including DNS, IP, Processes, Windows Logs, and Linux Logs.

Compatible Detectors

All of Secureworks® Taegis™ XDR’s proprietary detectors make use of Red Cloak™ Endpoint Agent telemetry: DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs™ Detector, Punycode, IP Watchlist, and Domain Watchlists.

CrowdStrike

The CrowdStrike agent captures a rich set of telemetry from endpoints, including DNS, IP, Processes, Windows Logs, and Linux Logs.

Note

You must have CrowdStrike Falcon Insight (EDR) for Secureworks® Taegis™ XDR to receive any telemetry from CrowdStrike Falcon Prevent (NGAV). Falcon Insight gathers the telemetry that is sent to Taegis™ XDR. You can purchase the license for Falcon Insight from Secureworks or CrowdStrike.

Falcon Prevent (NGAV) is only an alert provider; therefore, if you only have CrowdStrike Falcon Prevent (NGAV), then Taegis™ XDR will not receive any telemetry from it.

Compatible Detectors

All of Secureworks® Taegis™ XDR’s proprietary detectors make use of CrowdStrike data, including DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs™ Detector, Punycode, IP Watchlist, and Domain Watchlists.

VMware Carbon Black Cloud Endpoint Standard and Enterprise EDR

Carbon Black’s traditional AV service. Secureworks® Taegis™ XDR has access to Carbon Black telemetry which enables endpoint, detection, and response (EDR) capabilities with this service. Integrated with Secureworks® Taegis™ XDR.

Carbon Black Response Cloud

Carbon Black’s Endpoint, Detection, and Response (EDR) service. We have access to Carbon Black telemetry which enables EDR capabilities with this service.

Okta

This integration further strengthens Secureworks® Taegis™ XDR’s knowledgebase of your security landscape by receiving user information telemetry directly from Okta via an Okta API.

Using an Okta connector, information related to Authentication Events, Policy Changes, and User Management lists are directly fed into the Secureworks® Taegis™ XDR platform, further providing insights to security analysts during investigations.

Unsupported Features in the EU Region

All Taegis™ XDR features except the following are supported in the EU region:

Endpoint Integrations

 

On this page: