Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Secureworks Taegis Glossary


The definitions used in this glossary and throughout the Secureworks® Taegis™ XDR documentation site are for the purposes of using the Taegis™ XDR application. For legal definitions, please refer to the Secureworks service descriptions applicable to your organization.


A device in your organization’s network that Taegis XDR is aware of and monitors for reporting and alerts.


A notification in Taegis XDR created from event(s) from a detector informing you of activity that may need to be investigated further.


Application Programming Interface. A set of software functions made available to customers by the Taegis platform that allows for programmatic access to different capabilities within the platform for purposes of integrating with customer or 3rd party software generally used for automation, reporting, etc.


On-premise and cloud-based (virtual) devices that Taegis XDR uses to gather logs.


A measure of how confident our systems are that an alert is accurate and represents malicious activity, ranging from 1-100. The higher the score, the more confident we are that the alert indicates genuine malicious activity.


In Automation, an instance of a connector that you configure. The connection provides the method that Taegis XDR uses to authenticate to an IT tool within your environment, as well as the URL it should authenticate to.


In Automation, the definition that defines how Taegis XDR communicates with external IT tools, allowing a playbook to execute API calls that are published by a vendor.

CTU Countermeasures

Rulesets that can be deployed to Snort-based sensors and Suricata-based sensors.

data source

The sensors in your network that send telemetry to Taegis XDR.


The devices in your network that continuously monitor your environment data for malicious activity.


In Entity Graph, the directional line representing the relationship or activity between entities.


Endpoint Detection & Response


The devices in your organization’s network that Taegis XDR is aware of and monitors for reporting and alerts. Includes any end-user computing instance (e.g., notebook, laptop, workstation, VDI instance), physical server, virtual server, or computing workload (any installation of a server OS, e.g., Linux, Unix, macOS, Windows).


Data extracted from the events that are part of an investigation that played a role in the incident, including but not limited to usernames, hostnames, IP addresses, and files.


A single security-related occurrence on your network.


A collector, API, or data source that is integrated with Taegis XDR.


The gathered alerts, events, agents, and other data regarding a potential security incident, which you and other members of your organization work to resolve.

MITRE ATT&CK Framework

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the cybersecurity product and service community.

multi-factor authentication

(MFA) The use of multiple types of authentication to verify a user’s identity for login (e.g. username/password + mobile phone security token).


In Entity Graph, the representation of an entity associated with an investigation.

normalized event

A raw event that has been parsed into a database schema, which facilitates common activities such as search, security detections, and other activities.


In Automation, the definition that defines what actions to take and when to take them using one or more configured connections.


In Investigations, the importance and potential impact to your organization of an investigation’s activities.

query language

An advanced tool in Taegis XDR used to craft searches for alerts and events available in your tenant.


Alerts prefixed with RESEARCH are generated by detectors / features in the research development stage. This stage is used measure precision and recall. Documentation is updated at later stages.


A pattern match for generated alerts (alert suppression rules) or ingested events (custom alert rules). Upon successful match, the associated action is performed (e.g., suppress alert or create new alert).


In alerts, a measure of how much of a potential threat some activity poses to your environment. The severity score ranges from 0-1. The higher the score, the bigger the potential threat posed by the activity. Severity is also represented by text labels as Info (0-0.199...), Low (0.2 to 0.399...), Medium (0.4 - 0.599...), High (0.6 - 0.799...), and Critical (0.8-1).

Tactic Graphs™

A trademarked name for Taegis™ XDR’s correlation engine that can pattern match across multiple telemetry sources or alerts to create new detections.


The platform that supports Secureworks applications such as XDR, ManagedXDR, and VDR.

Taegis™ ManagedXDR

(Taegis Managed Extended Detection and Response) A fully managed solution delivered through our Taegis security analytics and operations platform, providing advanced threat hunting, detection and rapid response across endpoint, network, and cloud environments.

Taegis™ ManagedXDR Elite

(Taegis Managed Extended Detection and Response Elite) A fully managed solution that includes a dedicated Secureworks expert to perform proactive and iterative threat hunting across your endpoint, network, and cloud environments, and bi-weekly updates on your organization's exposure to targeted threats.

Taegis™ XDR

(Taegis Extended Detection and Response) An advanced security analytics tool that enables you to detect advanced threats, trust your alerts, streamline and collaborate on investigations, and automate the right action.


The collection of real-time data pushing continuously from network devices, such as routers, firewalls, and switches, to one or more centralized locations for storage, processing, and analysis.


An environment on the Taegis platform that aggregates telemetry from many endpoints into a single holistic view. Most customers have one tenant; those with large-scale needs may require multiple tenants.

threat intelligence

Data produced, analyzed, and validated by our 70+ Counter Threat Unit™ researchers and automatically correlated against your telemetry to ensure you are protected from the latest threats and adversary behaviors.


A general term for a group of detection rules which create alerts in Taegis XDR. These groups of rules apply to a specific set of telemetry or ingest sources (e.g., IP Watchlist matches Netflow, Domain Watchlist matches DNSquery, etc.).


A dashboard element that displays a snapshot of defined metrics.


On this page: