☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

Portscanning and Broadscanning

The Portscanning and Broadscanning Detectors identify attempts by a threat actor to search assets in your environment for open ports that might present attack opportunities. They do this by attempting to open a connection from one machine to another, and if the connection succeeds, then the port is open.

There are two subversions of this activity:

Portscanning looks for many open ports of interest on a single asset.
Broadscanning looks for many portscan activities on a large number of assets.

These detectors process streams of netflow data and look for the combinations of events that match the threshold criteria.

Portscanning Alert

Portscanning Alert

Broadscanning Alert

Broadscanning Alert

Schema ⫘

Netflow

Event Filtering ⫘

Events are filtered to match the following criteria:

Source and destination addresses are internal / loopback
Set of important destination ports

Outputs ⫘

Alerts generated by Tactic Graphs™ Detector are pushed to the Secureworks® Taegis™ XDR Alert Triage Dashboard.

MITRE ATT&CK Category ⫘

MITRE Enterprise ATT&CK - Reconnaissance - Gather Victim Network Information. For more information, see MITRE Technique T1590.
MITRE Enterprise ATT&CK - Reconnaissance - Active Scanning. For more information, see MITRE Technique T1595.

On this page:

Schema
Event Filtering
Outputs
MITRE ATT&CK Category