Capabilities At a Glance
detectors data sources integrations edr endpoints
The following summarizes the integration and configuration capabilities of Secureworks® Taegis™ XDR, including what data sources are compatible and what data from those sources are needed and/or available to XDR Detectors and the watchlists XDR can ingest.
Regions ⫘
Availability of XDR features depend upon the region your environment is deployed in.
For a gathered list of what is not supported in the EU region, see Unsupported Features in EU.
Detector Requirements ⫘
The following lists the data sources each XDR detector requires:
- Account Compromise — Auth
- Bring Your Own Threat Intel — Telemetry normalized into XDR schemas
- Brute Force — Auth
- Business Email Compromise — Auth
- Cloud Recon to Change — AWS CloudAudit
- Domain Generation Algorithms — DNS
- Email Watchlist — Email
- File Analysis — Telemetry from Taegis Endpoint Agents version 1.2 and greater or files fetched from Taegis Endpoint Agents
- Hands-On-Keyboard — Process
- IP Watchlist — NIDS, Netflow
- iSensor — Alerts, NIDS, Netflow
- Kerberoasting — Auth
- Network IDS — NIDS
- Password Spray — Auth
- Penetration Test — Alerts
- Portscanning and Broadscanning — Netflow
- Punycode — DNS
- Quick Mail Consent (MS o365) — MS o365 Management API Audit Logs
- Rare Program to Rare IP — Netflow, Process
- SharpHound — Auth, Netflow
- Snapshot Exfiltration — AWS CloudTrail Logs
- Stolen Credentials — Alerts, Auth, Netflow
- Suspicious DNS Activity — DNS
- Tactic Graphs — Alerts, Auth, DNS, NIDS, Netflow, Process
- Taegis Watchlist — Telemetry normalized into XDR schemas
- Watchlist, Cloud — Thirdparty Alerts
- Watchlist, Domain — DNS
- Watchlist, Endpoint — normalized endpoint telemetry
Data Retention Policy ⫘
Secureworks retains event and alert data for 12 months from the date the data is received. All other data concerns are covered in the Secureworks Cloud Services Interface Privacy Statement.
Provided Data from Integrations ⫘
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Cloud ⫘
| Antivirus | Auth | CloudAudit | DHCP | DNS | Encrypt | HTTP | Management | Netflow | NIDS | Thirdparty | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Amazon GuardDuty | V | |||||||||||
| AWS Application Load Balancer | D | |||||||||||
| AWS CloudTrail | V | V | ||||||||||
| AWS VPC Flow Logs | D | |||||||||||
| AWS Web Application Firewall | D, V | |||||||||||
| Cisco Umbrella | D | D | D | |||||||||
| Google Cloud Platform | Y | D | V | |||||||||
| Google Workspace | D, V | V | V | |||||||||
| MS Azure Active Directory | Y | Y | ||||||||||
| MS Azure Active Directory Activity Reports | D | V | ||||||||||
| MS Azure Active Directory Identity Protection | V | V | ||||||||||
| MS Azure Activity Logs | V | |||||||||||
| MS Graph Security | V | V | ||||||||||
| MS Office 365 | D, V | V | V |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Email Security ⫘
| Antivirus | Auth | CloudAudit | DHCP | DNS | Encrypt | HTTP | Management | Netflow | NIDS | Thirdparty | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mimecast | V | D | ||||||||||
| Proofpoint | V | D |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Endpoints ⫘
| Alerts | Auth | DNS | File Collection | HTTP | NIDS | Netflow | Process | File Modification | API Call | Registry | Scriptblock | Management | Persistence | Thread Injection | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Taegis Windows Endpoint Agent | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
| Taegis macOS Endpoint Agent | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||||
| Taegis Linux Endpoint Agent | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||||
| Red Cloak Windows Endpoint Agent | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Red Cloak Linux Endpoint Agent | ✓ | ✓ | ✓ | ||||||||||||
| VMware Carbon Black Response Cloud | ✓ | ✓ | |||||||||||||
| VMware Carbon Black Cloud Endpoint™ Standard | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| VMware Carbon Black Cloud Enterprise EDR | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| Crowdstrike | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
| Microsoft Defender for Endpoint | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓* | ||||||
| SentinelOne | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
* ScriptBlock events are collected by Microsoft Defender only on Linux and macOS devices.
Note
The Endpoints table will be updated to use the new integration definitions in a future release.
Firewalls/Next-Gen Firewalls ⫘
| Antivirus | Auth | DHCP | DNS | Encrypt | File | HTTP | Management | Netflow | NIDS | Process | Thirdparty | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Barracuda Firewall | D | ||||||||||||
| Check Point Firewall | V | D | Y | D | D | V | |||||||
| Cisco ASA Firewall | D | Y | D | D | Y | D | V | ||||||
| Cisco FTD Firewall (Syslog only, see eStreamer via eNCore for NIDS) | D | Y | D | D | Y | D | V | ||||||
| Cisco Meraki Firewall | D | Y | D | D | V | ||||||||
| Forecepoint Firewall | D | Y | D | D | V | ||||||||
| Fortigate Firewall | V | D | D | Y | D | D | V | ||||||
| Juniper SRX Firewall | D | Y | D | D | V | ||||||||
| OPNsense Firewall | D | ||||||||||||
| PaloAlto Firewall | D | D | D | V | |||||||||
| pfSense Firewall | D | ||||||||||||
| SonicWall Firewall | D | Y | D | D | D | V | |||||||
| Sophos XG | D | Y | Y | D | D | V | |||||||
| WatchGuard Firewall | Y | D | D | D | |||||||||
| Zscaler Cloud Firewall | D | D |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Host-Based Intrusion Detection Systems ⫘
| Antivirus | Auth | DHCP | DNS | Encrypt | Filemod | HTTP | Management | Netflow | NIDS | Process | Thirdparty | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| McAfee ePO | Y | Y | D | Y | |||||||||
| Trend Micro Deep Security | V | Y | D | D | Y |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Identity and Access Management ⫘
| Auth | CloudAudit | DNS | HTTP | Netflow | NIDS | Process | Thirdparty | |
|---|---|---|---|---|---|---|---|---|
| Cisco Duo | D | |||||||
| Cisco ISE | D | Y | ||||||
| CyberArk | D | Y | V | |||||
| Okta | D | Y |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Infrastructure Management ⫘
| Auth | CloudAudit | DNS | HTTP | Management | Netflow | NIDS | Process | Thirdparty | |
|---|---|---|---|---|---|---|---|---|---|
| vCenter | D | Y |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Microsegmentation Software ⫘
| Auth | DNS | File | HTTP | Netflow | NIDS | Process | Thirdparty | |
|---|---|---|---|---|---|---|---|---|
| Akamai Guardicore Segmentation | D | D | Y |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Network Intrusion Detection Systems ⫘
| Antivirus | Auth | DHCP | DNS | Encrypt | Filemod | HTTP | Management | Netflow | NIDS | Process | Thirdparty | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Secureworks iSensor | D | D, V | |||||||||||
| Corelight (Zeek) | D | Y | D | D | D | D | D, V | ||||||
| Darktrace | V | ||||||||||||
| eStreamer via eNCore | D | D, V | |||||||||||
| LastLine | Y | D | |||||||||||
| Suricata | D | D | D | D, V |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
OT Security ⫘
| Antivirus | Auth | DHCP | DNS | Encrypt | File | HTTP | Management | Netflow | NIDS | Process | Thirdparty | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Claroty CTD | D | V | |||||||||||
| Dragos Platform | D | V | |||||||||||
| Nozomi Guardian | Y | ||||||||||||
| SCADAfence | D | D | Y |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Important
Adding an OT Security integration to your XDR tenant requires XDR for OT. Contact your account manager or CSM to acquire the required license.
Security Service Edge ⫘
| Antivirus | Auth | DHCP | DNS | Encrypt | Filemod | HTTP | Management | Netflow | NIDS | Process | Thirdparty | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Cato Networks | Y | D | Y | ||||||||||
| Cloudflare | D | D | Y | ||||||||||
| Netskope | V | Y | D | D | V | V |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Server Logs ⫘
| Auth | DHCP | DNS | File | HTTP | Management | Netflow | NIDS | Process | Thirdparty | |
|---|---|---|---|---|---|---|---|---|---|---|
| InfoBlox (DNS via named process) | D | |||||||||
| Microsoft Windows Event Log (Microsoft-Windows-Security-Auditing) | D | Y | Y | D | Y | Y | ||||
| Microsoft DHCP | Y | |||||||||
| Microsoft DNS | D | |||||||||
| Microsoft IIS | D | |||||||||
| Non-Microsoft-based servers (processes like sudo/su/sshd/named) | D | D | Y |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
VPN Appliances ⫘
| Auth | DNS | HTTP | Netflow | NIDS | Process | Thirdparty | |
|---|---|---|---|---|---|---|---|
| PulseSecure VPN | D |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Web Application Firewalls/LoadBalancers ⫘
| Auth | DNS | HTTP | Management | Netflow | NIDS | Process | Thirdparty | |
|---|---|---|---|---|---|---|---|---|
| Akamai App & API Protector | D | Y | ||||||
| F5 ASM WAF | D | |||||||
| F5 LTM | D | Y | ||||||
| Barracuda WAF | D | |||||||
| Fortinet FortiWeb | D | V | ||||||
| Imperva WAF | D | |||||||
| Imperva Cloud WAF | Y | |||||||
| Citrix ADC | D | D | Y | D |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Web Proxies ⫘
| Antivirus | Auth | DHCP | DNS | Encrypt | File | HTTP | Management | Netflow | NIDS | Process | Thirdparty | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Akamai Enterprise Application Access (EAA) | D | D | |||||||||||
| Forcepoint Web Security | D | ||||||||||||
| Cisco IronPort | Y | D | |||||||||||
| Skyhigh Secure Web Gateway | D | ||||||||||||
| Symantec (Blue Coat) ProxySG WebProxy | D | ||||||||||||
| Zscaler Secure Web Gateway | D |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Other Network Appliances ⫘
| Auth | DNS | HTTP | Management | Netflow | NIDS | Process | Thirdparty | |
|---|---|---|---|---|---|---|---|---|
| Cisco IOS based Switches and Routers | D | Y | ||||||
| Aruba ClearPass NAC | D |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Other Integrations ⫘
HRMS & Identity ⫘
Azure Active Directory ⫘
Features Supported:
- Enable/Disable AD Account
- Force Password Change
- Login History
How we Integrate ⫘
We implement the Microsoft Graph API.
Compatible Detectors ⫘
Stolen Credentials, and Tactic Graphs™ Detector.
SIEM/Security ⫘
Splunk Heavy Forwarder ⫘
Replicates all data sent from Splunk using their Heavy Forwarder to XDR.
How We Integrate ⫘
XDR is configured to receive data from Splunk Heavy Forwarder through a TLS encrypted Syslog ingestor. A XDR technical representative can help you get the appropriate TLS certificate issued. Once the certificate has been issued, you can configure a Splunk Heavy Forwarder to send data to XDR. This involves updating the output.conf file for Splunk Heavy Forwarder.
Note
We only support forwarded data types for integrations that are supported by XDR.
Compatible Detectors ⫘
All XDR detectors are capable of using Splunk provided data. Usage is dependent on your configuration and the data Splunk is forwarding.
Perimeter/Proxy ⫘
Secureworks iSensor ⫘
Secureworks iSensor is a Network IDS/IPS available from Secureworks. It leverages our latest threat intelligence to detect network-level threat signatures on the perimeter. iSensor is a separately contracted feature that may be included with Secureworks® Taegis™ ManagedXDR.
Features Supported ⫘
- Inline and passive deep packet inspection
- Integration in TDR Threat Intelligence
- Blocking Devices on the network
Compatible Detectors ⫘
DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs Detector, Punycode, IP Watchlist, and Domain Watchlists.
Palo Alto Networks ⫘
We use XDR’s On-Premises Data Collector to pull NetFlow data from PAN devices.
Features Supported ⫘
- Netflow Capture
- Integration in TDR Threat Intelligence
Supported Devices ⫘
- Palo Alto Firewall PANOS 6.1 - 7.0 - 7.1
- Panorama 6.1 - 6.7, including Wildfire Security Logs
- Palo Alto Firewall PANOS 8.0 - 9.x - 10.0
- Panorama 8.0 - 9.0 - 9.1
How We Integrate ⫘
We collect Syslog information from Palo Alto using the XDR Collector. For more information see On-Prem Data Collector.
Compatible Detectors ⫘
DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs Detector, Punycode, IP Watchlist.
Cisco ⫘
Features Supported ⫘
- WAF features
- Netflow Capture
- Integration in TDR Threat Intelligence
Supported Devices ⫘
- Cisco ASA
- Cisco FTD
- Cisco Meraki
How We Integrate ⫘
We collect Syslog information from Cisco using the XDR Collector, and use eStreamer to collect security events/logs from FTD devices. For more information see On-Prem Data Collector.
Compatible Detectors ⫘
DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs Detector, Punycode, IP Watchlist.
Cloud Applications ⫘
Office 365 / Azure ⫘
Features Supported ⫘
- Office 365 Audit Log Data (Logins to Services, Changes to accounts, Sends/Receive E-mail metadata). Normalizing this data into a normalized auth type. Picking out logins across these services, and feeding them into the anomaly detector. Too far away, etc. Looking for behavior.
- XDR’s integration uses a collector that supports Microsoft Graph Security Alerts. These are alerts that are generated across all Microsoft products, including third-party partners like Palo Alto.
- Azure AD Audit Logs.
Compatible Detectors ⫘
Stolen Credentials, and Tactic Graphs Detector.
Amazon Web Services ⫘
Our AWS Integration uses a custom-developed AWS Collector for supporting GuardDuty Findings, importing findings and displaying those findings to the user. We do not support Cloudwatch or Cloudwatch Agent at this time.
We also support data collected by a custom serverless collector that supports AWS Application Load Balancers, AWS CloudTrail, AWS VPC Flow logs and AWS WAF. We additionally support integration with Cisco Umbrella services deployed to AWS.
Compatible Detectors ⫘
Stolen Credentials, and Tactic Graphs Detector.
Endpoint ⫘
Red Cloak Endpoint Agent ⫘
The Secureworks Red Cloak™ Endpoint Agent is included with XDR. This agent captures a rich set of telemetry from endpoints, including DNS, IP, Processes, Windows Logs, and Linux Logs.
Compatible Detectors ⫘
All of XDR’s proprietary detectors make use of Red Cloak Endpoint Agent telemetry: DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs Detector, Punycode, IP Watchlist, and Domain Watchlists.
CrowdStrike ⫘
The CrowdStrike agent captures a rich set of telemetry from endpoints, including DNS, IP, Processes, Windows Logs, and Linux Logs.
Note
You must have CrowdStrike Falcon Insight (EDR) for XDR to receive any telemetry from CrowdStrike Falcon Prevent (NGAV). Falcon Insight gathers the telemetry that is sent to XDR. You can purchase the license for Falcon Insight from Secureworks or CrowdStrike.
Falcon Prevent (NGAV) is only an alert provider; therefore, if you only have CrowdStrike Falcon Prevent (NGAV), then XDR will not receive any telemetry from it.
Compatible Detectors ⫘
All of XDR’s proprietary detectors make use of CrowdStrike data, including DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs Detector, Punycode, IP Watchlist, and Domain Watchlists.
VMware Carbon Black Cloud Endpoint Standard and Enterprise EDR ⫘
Carbon Black’s traditional AV service. XDR has access to Carbon Black telemetry which enables endpoint, detection, and response (EDR) capabilities with this service. Integrated with XDR.
Carbon Black Response Cloud ⫘
Carbon Black’s Endpoint, Detection, and Response (EDR) service. We have access to Carbon Black telemetry which enables EDR capabilities with this service.
Okta ⫘
This integration further strengthens XDR’s knowledgebase of your security landscape by receiving user information telemetry directly from Okta via an Okta API.
Using an Okta connector, information related to Authentication Events, Policy Changes, and User Management lists are directly fed into the XDR platform, further providing insights to security analysts during investigations.
Unsupported Features in the EU Region ⫘
All XDR features except the following are supported in the EU region:
Endpoint Integrations ⫘
- NGAV is not supported in the EU region.