☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

Data Sources

The Data Sources table provides an overview of the data sources sending telemetry to Secureworks® Taegis™ XDR with an indicator of their logging health. To access the Data Sources page:

Select Integrations from the XDR left-hand side navigation.
Choose Data Sources.

The table lists each data source XDR is aware of, including the sensor type and health status.

Manage Data Sources

To make visualization clearer, data sources with multiple sensor types are grouped together in a single line by Source ID in the Data Sources table. If there are multiple sensor types rolled up to the source ID, you’ll see them listed in the table under the Sensor Type column.

Sensor Type Column

To see details on which sensor types are involved, select the Source ID link to bring up the details page.

Filter Data Sources ⫘

To filter the Data Sources table, use the collapsible filter menu to narrow down the list of matching data sources by fields such as Source ID, Last Log Seen, and Sensor Type.

Filter Data Sources

Export Data Sources as CSV ⫘

You can export the full Data Sources table or selected rows to a CSV file, based on the selected filters.

To export all of the data from Data Sources to CSV:

Filter the table of data sources, if necessary.
In the top right corner of the Data Sources table, select Export All as CSV.
Proceed to Data Exports where the finished CSV file will be ready to download.

Tip

To export a file with all data sources, remove all filters from the table.

Export All Data Sources

Export Filtered Data Sources

To export selected data sources:

Filter the table of data sources, if necessary.
Select the check boxes of the data sources you want to download.
In the top right corner of the Data Sources table, select Export Selected as CSV.
Proceed to Data Exports where the finished CSV file will be ready to download.

Export Selected Data Sources

View Data Source Health ⫘

The overview table also provides an indicator of the logging health of the data source via the Status column. The status label assigned is based on the amount of elapsed time since a log message was last seen from the device. Any device that has stopped sending data for more than 24 hours will be listed as No Data and will be included in an email summary notification sent to all users subscribed to the Data Source Notifications email preference.

Note

The Data Source Notifications email notification is disabled by default. It is recommended that all users responsible for ensuring data flow have this notification preference enabled.

Data Source Health notifications should always be investigated.

The health of a data source can be one of the following:

Healthy — Latest log message from the device was received less than an hour ago.
Warning — Latest log message from the device was received between one hour and 24 hours ago.
No Data — Latest log message from the device was received more than 24 hours ago.

Note

After 30 continuous days in a No Data status, a data source will stop being displayed in the table and email notifications will cease.

If a data source is not in a Healthy state, make sure the device is online, can reach the Taegis™ XDR Collector, and then refer to the corresponding integration guide for the device type to ensure it is configured to log to the XDR Collector correctly.

Delete Data Sources ⫘

Delete one or more data sources to remove the device records from the table and stop health status email notifications enabled in your Profile Settings for the devices. This action cannot be undone.

Important

The delete action deletes the device record and does not delete or affect the telemetry received from the data source. If a deleted data source continues to send telemetry to XDR, it reappears in the Data Sources table.

Delete a Single Data Source ⫘

From the Data Sources table, select the Delete icon from the Actions column for the data source you wish to delete. A confirmation modal displays.

Delete Single Data Source

Select Done to confirm the delete action. The data source is deleted and removed from the table.

Delete Multiple Data Sources ⫘

From the Data Sources table, select the checkboxes to the left of the data sources you wish to delete. A count of selected sources displays above the table.
Select the Delete icon from the count of selected sources above the table. A confirmation modal displays.
Select Done to confirm the delete action. The data sources are deleted and removed from the table.

Delete Multiple Data Sources

View Data Source Details ⫘

The Data Source details page includes a summary of the data source’s current status, and other basic information. It also features a chart of its message volume by schema over the last 24 hours, and a list of sample messages generated by the data source.

To view data source details:

Select the Source ID of the data source you want to see details for.
The Data Sources Details panel displays.

Data Source Details

Pivot Search from a Data Source ⫘

There are two ways to run a pivot search from a data source:

On the Data Source detail page, select Advanced Search to run a search on that sensor ID for the past 24 hours.

sensor_id = 'firewall1234' EARLIEST =-24h
Under Sample Messages, select the magnifying glass icon to run a search on that particular schema and sensor ID for the past 24 hours.

FROM nids WHERE sensor_id = 'firewall1234' EARLIEST =-24h

Data Sources

Multiple Sensor Types Grouped By Related Source ID ⫘

Filter Data Sources ⫘

Export Data Sources as CSV ⫘

View Data Source Health ⫘

Delete Data Sources ⫘

Delete a Single Data Source ⫘

Delete Multiple Data Sources ⫘

View Data Source Details ⫘

Pivot Search from a Data Source ⫘

On this page: