☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis™ Docs Home
About Taegis™ XDR
Get Started
- Get Started
- Top 5 Tasks
Integrate with Taegis XDR
- Integration Overview
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
  - Taegis™ Endpoint Agent
  - Taegis™ NGAV
    - Taegis™ NGAV
    - Taegis™ NGAV FAQ
  - Red Cloak™ Endpoint Agent
  - CrowdStrike
  - Microsoft Defender for Endpoint
  - SentinelOne
  - VMware Carbon Black
  - VMware Carbon Black Cloud Endpoint Standard and Enterprise EDR
  - VMware Carbon Black Response Cloud
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connections
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence and Detection
- Threat Intelligence
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
Taegis™ XDR Admin
- Your Account
- Tenant Settings
APIs
- Using Taegis™ XDR GraphQL APIs
- API Authentication
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Collector API
  - Using the Collector API
  - Collector GraphQL API
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Users API
  - Using the Users GraphQL API
- Tenants API
  - Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Taegis™ Managed iSensor
- Taegis™ ManagedXDR
- Taegis™ ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- Taegis ™ ManagedXDR for OT
- Taegis™ ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Legal

Watchlists

Secureworks® Taegis™ XDR has a number of watchlist detectors which gather watchlist alerts from third party data sources and normalize and forward them to the Secureworks® Taegis™ XDR Dashboard and Secureworks® Taegis™ XDR Alert Database. A typical Secureworks® Taegis™ XDR account will have Red Cloak™ Endpoint Agent Watchlist alerts, iSensor, and IP watchlist alerts.

Red Cloak™ Endpoint Agent Watchlist ⫘

Red Cloak™ Endpoint Agent Watchlist alerts are presented in Secureworks® Taegis™ XDR from the Red Cloak™ Endpoint Agent Watchlist detector. The severity levels are translated from the Red Cloak™ Endpoint Agent Watchlist to one of Info, Low, Medium, High, or Critical.

Alerts from these watchlists do not currently pull in the underlying events.

Cloud Watchlist ⫘

Watchlist alerts from external cloud security providers display in Secureworks® Taegis™ XDR from the following Secureworks® Taegis™ XDR detectors:

AWS GuardDuty
Cloud Watchlist

Note

Alerts from AWS GuardDuty do not currently pull in the underlying events.

Inputs ⫘

Watchlist alerts from third-party data sources ingested and normalized into Secureworks® Taegis™ XDR.

Outputs ⫘

Watchlist alerts pushed to the Secureworks® Taegis™ XDR Alert Database and Secureworks® Taegis™ XDR Dashboard.

MITRE ATT&CK Category ⫘

MITRE mapping is based on the relevant watchlist.

On this page:

Red Cloak™ Endpoint Agent Watchlist
Cloud Watchlist
Inputs
Outputs
MITRE ATT&CK Category