Integration Overview
XDR Telemetry Flowchart
There are three types of data that can be integrated with Secureworks® Taegis™ XDR:
- Endpoint Detection & Response (EDR) Agents (required)
- Cloud Data Sources
- Syslog Data Sources (data collector required)
There are many ways to configure your security data flow with XDR, depending on the types of data sources you plan to integrate. The chart below illustrates how different data types flow into the XDR data lake.
[Figure: XDR Telemetry Flowchart]
Some possible configurations include:
- Syslog Data Source → Data Collector → XDR: Set up a data collector in your environment, then configure your syslog data source to feed the collector directly.
- Cloud Data Source → XDR: Configure cloud data sources to forward directly to Taegis XDR; no data collector is needed.
- SIEM → Data Collector → XDR: Feed security data into a SIEM or other data server, then configure the SIEM or data server to forward to the data collector.
Available Integration Guides
Data Collectors
Data collectors receive and forward telemetry to the XDR data lake. XDR supports unlimited data collectors to acquire telemetry and logs from traditional security controls.
The general workflow for connecting a data collector to XDR is as follows:
- Install Collector — Add the XDR Collector to XDR through the Integrations panel.
- Configure Collector — Give XDR the appropriate credentials to access the data source.
- Configure Firewall — Enable the data to pass the firewall.
- Authorize Access — XDR needs permissions from the data source to integrate; make sure the collector is authorized with the data source.
- Complete Setup — Finish the process and start feeding data into XDR.
Consider the following when determining collector quantity and placement:
- Collectors can process 200,000 events per second (EPS) under ideal conditions (adequate compute, storage, and bandwidth resources).
- Consider geographical locations and bandwidth concerns when determining placement.
- Secureworks recommends deploying collectors as close to the data source as possible. Make sure that there are sufficient network permissions to guarantee that data sources’ log traffic reaches the collector.
Data collector integration guides:
- AWS Data Collector
- Azure Data Collector
- Google Cloud Platform (GCP) Data Collector
- XDR On-Premises Data Collector
Endpoint Agents
Important: Secureworks requires one of these EDR agents for every XDR deployment.
XDR supports multiple EDR agents, including:
- Taegis™ XDR Endpoint Agent
- Red Cloak™ Endpoint Agent
- Secureworks® Taegis™ NGAV
- CrowdStrike Falcon Insight EDR
- Microsoft Defender for Endpoint
- SentinelOne
- VMware Carbon Black Cloud and Enterprise EDR
Note: Secureworks does not recommend integrating two endpoint agents into Taegis, with the exception of Red Cloak Endpoint Agent together with Taegis NGAV. Running multiple endpoint agents may result in duplicate telemetry, duplicate alerts, and/or agent performance issues.
Data Sources
Once you’ve successfully deployed your data collectors, you are ready to forward data to the collectors. Data collectors receive telemetry and logs from your data sources via syslog protocols on UDP port 514 and TCP port 601.
Refer to the appropriate integration guide for guidance on configuring popular security controls to maximize their visibility and value to XDR.
Manage Existing Integrations
To confirm that logs are being received as expected, and to view the status of or delete existing integrations, see the following topics:
- Manage NDR Devices
- Monitor Data Sources
- Manage Cloud APIs
- Manage Data Collectors
- Manage Endpoint Agents