☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

Secureworks Taegis Glossary

Note

The definitions used in this glossary and throughout the Secureworks® Taegis™ XDR documentation site are for the purposes of using the XDR application. For legal definitions, please refer to the Secureworks service descriptions applicable to your organization.

agent ⫘

A device in your organization’s network that XDR is aware of and monitors for reporting and alerts.

alert ⫘

A notification in XDR created from event(s) from a detector informing you of activity that may need to be investigated further.

API ⫘

Application Programming Interface. A set of software functions made available to customers by the Taegis platform that allows for programmatic access to different capabilities within the platform for purposes of integrating with customer or 3rd party software generally used for automation, reporting, etc.

collector ⫘

On-premise and cloud-based (virtual) devices that XDR uses to gather logs.

confidence ⫘

A measure of how confident our systems are that an alert is accurate and represents malicious activity, ranging from 1-100. The higher the score, the more confident we are that the alert indicates genuine malicious activity.

connection ⫘

In Automation, an instance of a connector that you configure. The connection provides the method that XDR uses to authenticate to an IT tool within your environment, as well as the URL it should authenticate to.

connector ⫘

In Automation, the definition that defines how XDR communicates with external IT tools, allowing a playbook to execute API calls that are published by a vendor.

CTU Countermeasures ⫘

Rulesets that can be deployed to Snort-based sensors and Suricata-based sensors.

data source ⫘

The sensors in your network that send telemetry to XDR.

detector ⫘

The devices in your network that continuously monitor your environment data for malicious activity.

edge ⫘

In Entity Graph, the directional line representing the relationship or activity between entities.

EDR ⫘

Endpoint Detection & Response

endpoint ⫘

The devices in your organization’s network that XDR is aware of and monitors for reporting and alerts. Includes any end-user computing instance (e.g., notebook, laptop, workstation, VDI instance), physical server, virtual server, or computing workload (any installation of a server OS, e.g., Linux, Unix, macOS, Windows).

entity ⫘

Data extracted from the events that are part of an investigation that played a role in the incident, including but not limited to usernames, hostnames, IP addresses, and files.

event ⫘

A single security-related occurrence on your network.

integration ⫘

A collector, API, or data source that is integrated with XDR.

investigation ⫘

The gathered alerts, events, agents, and other data regarding a potential security incident, which you and other members of your organization work to resolve.

MITRE ATT&CK Framework ⫘

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the cybersecurity product and service community.

multi-factor authentication ⫘

(MFA) The use of multiple types of authentication to verify a user’s identity for login (e.g. username/password + mobile phone security token).

node ⫘

In Entity Graph, the representation of an entity associated with an investigation.

normalized event ⫘

A raw event that has been parsed into a database schema, which facilitates common activities such as search, security detections, and other activities.

playbook ⫘

In Automation, the definition that defines what actions to take and when to take them using one or more configured connections.

priority ⫘

In Investigations, the importance and potential impact to your organization of an investigation’s activities.

query language ⫘

An advanced tool in XDR used to craft searches for alerts and events available in your tenant.

research ⫘

Alerts prefixed with RESEARCH are generated by detectors / features in the research development stage. This stage is used measure precision and recall. Documentation is updated at later stages.

rule ⫘

A pattern match for generated alerts (alert suppression rules) or ingested events (custom alert rules). Upon successful match, the associated action is performed (e.g., suppress alert or create new alert).

severity ⫘

In alerts, a measure of how much of a potential threat some activity poses to your environment. The severity score ranges from 0-1. The higher the score, the bigger the potential threat posed by the activity. Severity is also represented by text labels as Info (0-0.199...), Low (0.2 to 0.399...), Medium (0.4 - 0.599...), High (0.6 - 0.799...), and Critical (0.8-1).

Tactic Graphs™ ⫘

A trademarked name for XDR’s correlation engine that can pattern match across multiple telemetry sources or alerts to create new detections.

Taegis ⫘

The platform that supports Secureworks applications such as XDR, ManagedXDR, and VDR.

Taegis™ ManagedXDR ⫘

(Taegis Managed Extended Detection and Response) A fully managed solution delivered through our Taegis security analytics and operations platform, providing advanced threat hunting, detection and rapid response across endpoint, network, and cloud environments.

Taegis™ ManagedXDR Elite ⫘

(Taegis Managed Extended Detection and Response Elite) A fully managed solution that includes a dedicated Secureworks expert to perform proactive and iterative threat hunting across your endpoint, network, and cloud environments, and bi-weekly updates on your organization's exposure to targeted threats.

Taegis™ XDR ⫘

(Taegis Extended Detection and Response) An advanced security analytics tool that enables you to detect advanced threats, trust your alerts, streamline and collaborate on investigations, and automate the right action.

telemetry ⫘

The collection of real-time data pushing continuously from network devices, such as routers, firewalls, and switches, to one or more centralized locations for storage, processing, and analysis.

tenant ⫘

An environment on the Taegis platform that aggregates telemetry from many endpoints into a single holistic view. Most customers have one tenant; those with large-scale needs may require multiple tenants.

threat intelligence ⫘

Data produced, analyzed, and validated by our 70+ Counter Threat Unit™ researchers and automatically correlated against your telemetry to ensure you are protected from the latest threats and adversary behaviors.

watchlist ⫘

A general term for a group of detection rules which create alerts in XDR. These groups of rules apply to a specific set of telemetry or ingest sources (e.g., IP Watchlist matches Netflow, Domain Watchlist matches DNSquery, etc.).

A dashboard element that displays a snapshot of defined metrics.

agent
alert
API
collector
confidence
connection
connector
CTU Countermeasures
data source
detector
edge
EDR
endpoint
entity
event
integration
investigation
MITRE ATT&CK Framework
multi-factor authentication
node
normalized event
playbook
priority
query language
research
rule
severity
Tactic Graphs™
Taegis
Taegis™ ManagedXDR
Taegis™ ManagedXDR Elite
Taegis™ XDR
telemetry
tenant
threat intelligence
watchlist
widget