Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Cisco Ironport Integration Guide

integrations network cisco

Cisco IronPort Web Security Appliances (WSA) should be configured to send logs to the Taegis™ XDR Collector via syslog by following the logging instructions below.

Connectivity Requirements

Source Destination Port/Protocol
Cisco IronPort WSA Taegis™ XDR Collector (mgmt IP) UDP/514

Data Provided from Integration

  Antivirus Auth DHCP DNS Email Encrypt File HTTP Management Netflow NIDS Process Thirdparty
Cisco IronPort   Y           D          

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections


Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configuration Instructions

To configure Cisco IronPort to send logs to Secureworks® Taegis™ XDR via syslog, follow these instructions.

Web Security Appliances

Follow the instructions provided by Cisco to add or edit log subscriptions using the syslog push retrieval method for the following log types:

W3C Logs

Create a new W3C Log type subscription to forward http/https access logs to Secureworks® Taegis™ XDR using a custom format. Consider the following requirements while following the configuration steps:

Syslog Push Configuration

Consider the following requirements for the syslog push retrieval method configuration for each of the preceding log type subscriptions:


Make sure to commit or push your changes to all of the IronPorts you wish Secureworks® Taegis™ XDR to receive logs from.


On this page: