☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

Admiral Console

data collectors integrations on-premises secureworks

The Admiral console allows you to access information about a deployed Taegis™ XDR Collector locally. The tools provided within Admiral assist in device setup and troubleshooting of common problems such as network connectivity.

Overview ⫘

Admiral is a text-based console application made available via the XDR Collector's console or serial port. Administrators can use Admiral to issue commands to the collector in order to obtain device information such as hostname, network details, NTP configuration, and more. You can also issue diagnostic commands to determine if there are any health or connectivity issues affecting the device and obtain verbose results that may help provide details to aid in resolving problems.

Admiral Console

Accessing Admiral ⫘

Access the Admiral console via the console or serial port of the XDR Collector. For instructions on accessing Admiral on each supported platform, reference the corresponding section below.

VMware ⫘

In VMware, access Admiral from the collector’s console. There are multiple ways to access the virtual machine console from within VMware, depending on your setup. For steps on how to access the console, refer to the official VMware documentation.

HyperV ⫘

In HyperV, access Admiral from the virtual machine console. Follow these steps:

Find the collector's virtual machine from System Center Virtual Machine Manager, also referred to as SCVMM or VMM.
Right click the virtual machine and select Connect or View. A sub-menu displays.
Select Connect via Console. A new window opens with the console. If the screen is initially blank, press Enter to see the console.

AWS ⫘

In AWS, access Admiral from the EC2 serial console. Follow these steps:

Note

You must have permission to access the EC2 serial console granted to you by your AWS administrator.

Find the collector instance in EC2 and bring up the instance summary.
Select Actions and choose Monitor and troubleshoot. A sub-menu displays.
Select EC2 serial console from the sub-menu. The EC2 serial console screen displays.
Select Connect to connect to the instance's serial console. A new window opens where you can interact with the console. If the screen is initially blank, press Enter to see the console.

Azure ⫘

In Azure, access Admiral from the VM serial console. Follow these steps:

Find the collector virtual machine in Azure and bring up the overview.
From the left menu in the virtual machine context, select Serial console from the Help header. Azure connects to the serial console and displays it in the right portion of the screen. If the screen is initially blank, press Enter to see the console.

GCP ⫘

In GCP, access Admiral from the serial console. Follow these steps:

Note

For GCP Collectors deployed before April 2023, access to the serial port may be disabled by default. If the button to connect to the serial console is grayed out and you are unable to access the serial port, follow the official GCP documentation to enable serial port access for a VM instance.

Find the collector virtual machine and bring up the instance details.
At the top of the Details tab, select the Connect to serial console button to be connected to serial port 1. A new window opens and the serial console appears. If the screen is initially blank, press Enter to see the console.

Note

If the button to connect to the serial console is grayed out, see the above note about how to enable access.

Using Admiral ⫘

Basic Usage ⫘

Admiral is a text-based command line application. While using Admiral, the application provides you with suggestions based on what you type and supports auto-completion using the Tab key.

The Admiral prompt displays when you access Admiral for the first time. This contains the hostname of the collector followed by a > symbol. Begin typing commands into Admiral for it to execute. To see what commands Admiral supports, use the help command, which outputs a list of currently supported commands with a brief description of each.

Suggestions and Auto-Complete ⫘

As you type, Admiral provides a list of suggestions based on your input. These suggestions contain the same brief descriptions of each available command seen when using help. To use a suggestion, press the Tab key to have Admiral auto-complete it. Once you have pressed Tab, scroll through the list of all suggested commands using the up and down arrows, and use Enter to execute the command that you have chosen.

To get a new blank line without executing what you have already typed, press Ctrl-C. Admiral brings you to a new clean line without attempting to process any command you have already entered.

When typing a command, the suggestions list only shows you the top suggestions, requiring you to press Tab and then scroll to see the complete list. However, press the ? key at any time and Admiral displays every suggested command without needing to tab into the list to scroll.

Note

Some commands have additional syntax that only appears in suggestions such as run dns check with verbose output.

Command Types ⫘

Admiral commands are divided into two types: show commands that provide information about the state of the collector and run commands that cause actions to occur. As a rule, show commands never change the state of the collector or generate any network traffic, whereas run commands are allowed to perform actions that may cause the collector to update its state or create network connections.

Check Commands and Verbosity ⫘

One special type of run command is the check command. Checks are routines that exist to provide feedback on various collector systems that are necessary for it to collect data. In their normal form they provide very simple output as to if a system is found to be functioning correctly or not. However, if more in-depth information is desired, use the verbose form of the check to obtain more detailed output that can be useful for troubleshooting.

For example, the run dns check command displays a simple output showing if DNS resolution of the Taegis API FQDN is successful. If you need more detailed information about the DNS resolution process, use run dns check with verbose output.

Commands and Command Menus ⫘

Admiral commands are organized into menus. The directory command displays a list of available menus. To enter a menu, use the enter command followed by the name of the menu you wish to enter. To exit a menu, use the exit command.

Currently, there are two menus: default and maintenance. The default menu contains the basic run and show commands. The maintenance menu contains commands that are useful for troubleshooting special scenarios when working with Secureworks support. When entering a different menu, the prompt changes to indicate which menu you are in to help you keep track of where you are.

The following table details each command available in Admiral in the default menu. This menu is used when Admiral starts. Exiting this menu exits Admiral.

Command	Description
about	show about dialog
cancel shutdown	cancel a pending shutdown or pending reboot
clear	clear the screen
directory	show a list of available command menus
enter	enter a different command menu
exit	exit the recovery console
help	show available commands in your current command menu
run all checks	run all available checks one after another
run dns check	check if the dns servers can resolve the Secureworks Taegis API
run e2e check	end-to-end check confirming access to Secureworks Taegis API
run ntp check	check to see if the ntp can synchronize
run ping check	check to see if this device can ping the default gateway
run reboot	schedule a system reboot one minute in the future
run shutdown	schedule a system power-off one minute in the future
run tunnel check	verify the tunnel to Secureworks Taegis is running
show arp	show the arp table
show cluster status	show the status of the cluster
show date	show the current date and time
show disk	show basic disk information
show management interface	show the management interface
show memory	show the current memory usage in kilobytes
show network	show the running network configuration
show ntp status	show information related to ntp
show routes	show management interface routing information
show system info	show various diagnostic information about this collector
show uptime	show the system uptime
show virtual memory	show the virtual memory usage over a few seconds

The following table details each command available in Admiral in the maintenance menu. This menu is used when you enter the maintenance menu. Exiting this menu will return you to the default menu.

Command	Description
clear	clear the screen
directory	show a list of available command menus
enter	enter a different command menu
exit	return to the default command menu
help	show available commands in your current command menu
restart cluster service	restart the cluster service on this node
restart management service	restart the tunnel and management agent for support connectivity
restart ntp service	force synchronization to the ntp server and restart ntp
restart tunnel service	restart the tunnel service between the node and Taegis

Admiral Console

Overview ⫘

Accessing Admiral ⫘

VMware ⫘

HyperV ⫘

AWS ⫘

Azure ⫘

GCP ⫘

Using Admiral ⫘

Basic Usage ⫘

Suggestions and Auto-Complete ⫘

Command Types ⫘

Check Commands and Verbosity ⫘

Commands and Command Menus ⫘

Default Menu Available Commands ⫘

Maintenance Menu Available Commands ⫘

On this page: