Endpoint Watchlists
Endpoint watchlists serve these purposes:
- To consolidate alerts pulled from supported endpoint integrations into Secureworks® Taegis™ XDR
- To apply the consolidated endpoint alerts with a detector name corresponding to the Agent type
- To apply Secureworks Counter Threat Unit™ (CTU)-curated watchlists to normalized endpoint telemetry
Taegis Watchlist ⫘
Regardless of which endpoint agent is utilized within an environment, XDR applies CTU-curated watchlists to normalized endpoint telemetry. This watchlist identifies adversary tactics and techniques within normalized endpoint telemetry.
Requirements ⫘
This detector requires the following data sources, integrations, or schemas:
- Carbon Black Cloud Endpoint
- CrowdStrike
- Microsoft Defender for Endpoint
- SentinelOne
Note
Taegis Endpoint Agent and Red Cloak Endpoint Agent alerts are produced directly in XDR and display in the Secureworks® Taegis™ Watchlist detector.
Inputs ⫘
Detections are from the following normalized sources:
Outputs ⫘
Alerts from this detector are pushed to the XDR Alert Database and Alert Triage Dashboard.
Configuration Options ⫘
This detector is enabled by default when the required data sources or integrations are available in the tenant.
MITRE ATT&CK Category ⫘
This detector has no direct MITRE Mapping, though the Detector can be used in several framework mappings.
Detector Testing ⫘
This detector does not have a supported testing method, though an Advanced Search will verify if alerts originated with this detector.
Note
If no supported testing method is available, an Advanced Search will show you if any alerts came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.
FROM alert WHERE metadata.creator.detector.detector_id='carbon-black-psc'
FROM alert WHERE metadata.creator.detector.detector_id='microsoft-atp-normalizer'
FROM alert WHERE metadata.creator.detector.detector_id='app:event-filter:sentinelone-threat'
FROM alert WHERE metadata.creator.detector.detector_id='app:event-filter:crowdstrike'
References ⫘
- Schemas