Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Microsoft Windows Event Log Integration Guide

integrations endpoints microsoft

The Microsoft Windows Event Log can be accessed by various products, facilitating the forwarding of Windows Event Logs to a Secureworks® Taegis™ XDR Data Collector for security event monitoring. A Secureworks® Taegis™ XDR Data Collector accepts Windows Event Logs in the Snare over Syslog format.

Examples of vendors that support the forwarding of Microsoft Windows Event logs in the Snare over Syslog format are:

Commercial Products:

Open Source Products:

Please refer to the vendor’s site for purchasing and configuration guidance.

Connectivity Requirements

Source Destination Port/Protocol
Windows server Taegis™ XDR Collector (mgmt IP) UDP/514

Data Provided from Integration

  Auth DHCP DNS File HTTP Management Netflow NIDS Process Thirdparty
Microsoft Windows Event Log (Microsoft-Windows-Security-Auditing) D     Y   Y D   Y Y

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections


Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.


The data source must be configured to report timestamps as UTC to ensure that Secureworks® Taegis™ XDR reports the correct time zone.


NXLog CE does not support changing the timestamp into UTC. If that is required, a different product like NXlog Enterprise Edition is required.

Intersect Alliance Documentation

NXLog Template Downloads


This configuration template is provided as a convenience to Secureworks® Taegis™ XDR customers. We provides best-effort troubleshooting for our customers, but questions around advanced configuration or issues should be resolved with the vendor.


On this page: