Taegis™ XDR Telemetry Flowchart
There are three types of data that can be integrated with Taegis™ XDR:
- Endpoint Detection & Response (EDR) Agents (required)
- Cloud Data Sources
- Syslog Data Sources (data collector required)
There are many ways to configure your security data flow with Taegis™ XDR, depending on the types of data sources you plan to integrate. The chart below illustrates how different data types flow into the Taegis™ XDR data lake.
[Figure: Taegis™ XDR Telemetry Flowchart]
Some possible configurations include:
Syslog Data Source → Data Collector → Taegis™ XDR
Set up a data collector in your environment, then set up your syslog data source to feed to the collector directly.
Cloud Data Source → Taegis™ XDR
Configure cloud data sources to forward directly to Taegis™ XDR without the need for a data collector.
SIEM → Data Collector → Taegis™ XDR
Feed security data into a SIEM or other data server, then configure the SIEM or data server to forward to the data collector.
Available Integration Guides
Data Collectors
Data collectors receive and forward telemetry to the Taegis™ XDR data lake. Taegis™ XDR supports unlimited data collectors to acquire telemetry and logs from traditional security controls.
The general workflow for connecting a data collector to Taegis™ XDR is as follows:
- Install Collector — Add the Taegis™ XDR Collector to Taegis™ XDR through the Integrations panel.
- Configure Collector — Give Taegis™ XDR the appropriate credentials to access the data source.
- Configure Firewall — Enable the data to pass the firewall.
- Authorize Access — Taegis™ XDR needs permissions from the data collector to integrate; make sure it is authorized with the data source.
- Complete Setup — Finish the process and start feeding data into Taegis™ XDR.
Consider the following when determining collector quantity and placement:
- Collectors can process 200,000 events per second (EPS) under ideal conditions (adequate compute, storage, and bandwidth resources).
- Consider geographical locations and bandwidth concerns when determining placement.
- Secureworks recommends deploying collectors as close to the data source as possible. Make sure that there are sufficient network permissions to guarantee that data sources’ log traffic reaches the collector.
Data collector integration guides:
- AWS Data Collector
- Azure Data Collector
- Google Cloud Platform (GCP) Data Collector
- Taegis™ XDR On-Premises Data Collector
Endpoint Agents
Secureworks requires one of these EDR agents for every Taegis™ XDR deployment.
Taegis™ XDR supports multiple EDR agents, including:
- Secureworks Taegis™ Endpoint Agent
- Secureworks Red Cloak™ Endpoint Agent
- Secureworks® Taegis™ NGAV
- CrowdStrike Falcon Insight EDR
- Microsoft Defender for Endpoint
- VMware Carbon Black Cloud and Enterprise EDR
Secureworks does not recommend integrating two endpoint agents into Taegis with the exception of Red Cloak™ Endpoint Agent with Secureworks® Taegis™ NGAV. Running multiple endpoint agents may result in duplicate telemetry, duplicate alerts, and/or agent performance issues.
Data Sources
Once you’ve successfully deployed your data collectors, you are ready to forward data to the collectors. Data collectors receive telemetry and logs from your data sources via syslog protocols on UDP port 514 and TCP port 601.
Refer to the appropriate integration guide for guidance on configuring popular security controls to maximize their visibility and value to Taegis XDR.
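As an added example (not part of the Secureworks documentation), the following Python helper builds an RFC 5424 syslog line, parses one back for checking, and sends a test message to a collector on the two ports this page names (UDP 514, TCP 601). The collector address is a placeholder, and newline-delimited TCP framing is an assumption, not something this page states.

```python
import socket
from datetime import datetime, timezone

# Collector listening ports as stated on this page.
COLLECTOR_UDP_PORT = 514
COLLECTOR_TCP_PORT = 601


def build_syslog_message(hostname, appname, msg, facility=1, severity=6, ts=None):
    """Build an RFC 5424 syslog line (facility 1 = user, severity 6 = informational).

    PRI is facility * 8 + severity; the '-' fields are PROCID, MSGID and STRUCTURED-DATA (NILVALUE)."""
    pri = facility * 8 + severity
    ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
    return f"<{pri}>1 {ts} {hostname} {appname} - - - {msg}"


def parse_syslog_message(line):
    """Decode the header of an RFC 5424 line so a sample from a data source can be sanity-checked
    before it is pointed at the collector. Raises ValueError on a malformed PRI."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI field")
    pri_text, rest = line[1:].split(">", 1)
    pri = int(pri_text)
    version, ts, hostname, appname, procid, msgid, sd, msg = rest.split(" ", 7)
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "version": int(version),
        "timestamp": ts,
        "hostname": hostname,
        "appname": appname,
        "msg": msg,
    }


def send_test_message(collector_ip, message, transport="udp", timeout=3.0):
    """Send one message to the collector over UDP/514 or TCP/601 and return bytes sent.

    Assumption (not from the page): the collector accepts newline-delimited messages on TCP."""
    data = message.encode("utf-8")
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            return sock.sendto(data, (collector_ip, COLLECTOR_UDP_PORT))
    with socket.create_connection((collector_ip, COLLECTOR_TCP_PORT), timeout=timeout) as sock:
        sock.sendall(data + b"\n")
        return len(data) + 1


if __name__ == "__main__":
    # "COLLECTOR_IP_PLACEHOLDER" stands in for your collector's address.
    line = build_syslog_message("fw-edge-01", "taegis-test", "collector reachability check")
    print(parse_syslog_message(line))
    # send_test_message("COLLECTOR_IP_PLACEHOLDER", line, transport="tcp")
```

A message that arrives on the collector but does not appear under Monitor Data Sources usually points at the firewall step rather than the source configuration.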
Manage Existing Integrations
To confirm that logs have been received as expected, or to view the status of or delete existing integrations, see the following topics:
- Manage iSensors
- Monitor Data Sources
- Manage Cloud APIs
- Manage Data Collectors
- Manage Endpoint Agents