Integration Overview
XDR Telemetry Flowchart
There are three types of data that can be integrated with Secureworks® Taegis™ XDR:
- Endpoint Detection & Response (EDR) Agents (required)
- Cloud Data Sources
- Syslog Data Sources (data collector required)
There are many ways to configure your security data flow with XDR, depending on the types of data sources you plan to integrate. The chart below illustrates how different data types flow into the XDR data lake.
[Figure: XDR Telemetry Flowchart]
Some possible configurations include the following. See Data Sources for more information.
Syslog Data Source → Data Collector → XDR
Set up a data collector in your environment, then set up your syslog data source to feed to the collector directly.
Cloud Data Source → XDR
Configure cloud data sources to forward directly to Taegis XDR without the need for a data collector.
SIEM → Data Collector → XDR
Feed security data into a SIEM or other data server, then configure the SIEM or data server to forward to the data collector.
Integrate with XDR
Data Collectors
Data collectors receive and forward syslog telemetry to the XDR data lake. XDR supports unlimited data collectors to acquire telemetry and logs from traditional security controls.
The general workflow for connecting a data collector to XDR is as follows:
- Install Collector — Add the XDR Collector to XDR through the Integrations panel.
- Configure Collector — Give XDR the appropriate credentials to access the data source.
- Configure Firewall — Enable the data to pass the firewall.
- Authorize Access — XDR needs permissions from the data collector to integrate; make sure it is authorized with the data source.
- Complete Setup — Finish the process and start feeding data into XDR.
Consider the following when determining collector quantity and placement:
- Collectors can process 200,000 events per second (EPS) under ideal conditions (adequate compute, storage, and bandwidth resources).
- Consider geographical locations and bandwidth concerns when determining placement.
- Secureworks recommends deploying collectors as close to the data source as possible. Make sure that there are sufficient network permissions to guarantee that data sources’ log traffic reaches the collector.
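The syslog path above (data source to collector to XDR) and the last placement point, that a source's log traffic must actually reach the collector, can be exercised end to end with a small script. The following is an added example and not Secureworks code: it builds an RFC 5424 test event, sends it over TCP with RFC 6587 octet-counting framing, and parses what the receiving side gets. Everything about the transport is an assumption here, since the page does not state the collector's protocol or port: COLLECTOR_HOST and COLLECTOR_PORT are placeholders, the hostname fw01.example.net is constructed, and a local stand-in listener plays the collector so the script runs offline. Against a real collector you would point send_events at its address and confirm arrival in the Monitor Data Sources view instead.

```python
"""Added example (not Secureworks code): push a marker syslog event toward a data
collector and confirm it arrives intact.

Assumptions (not from the page): the collector accepts RFC 5424 syslog over TCP
with RFC 6587 octet-counting framing. A local stand-in listener plays the
collector so this runs offline.
"""
import re
import socket
import threading
from datetime import datetime, timezone

COLLECTOR_HOST = "127.0.0.1"  # placeholder: replace with your collector's address
COLLECTOR_PORT = 6514         # placeholder: replace with the collector's listening port

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)


def build_rfc5424(hostname, app, msgid, msg, facility=4, severity=6, ts=None):
    """Return one RFC 5424 line. Facility 4 = auth, severity 6 = informational."""
    pri = facility * 8 + severity
    if ts is None:
        ts = datetime.now(timezone.utc).isoformat(timespec="milliseconds")
        ts = ts.replace("+00:00", "Z")
    return f"<{pri}>1 {ts} {hostname} {app} - {msgid} - {msg}"


def frame(line):
    """RFC 6587 octet counting: '<length> <message>' keeps TCP stream boundaries unambiguous."""
    data = line.encode("utf-8")
    return str(len(data)).encode("ascii") + b" " + data


def unframe(stream):
    """Split an octet-counted byte stream back into messages; a trailing partial frame is dropped."""
    messages = []
    while stream:
        sep = stream.find(b" ")
        if sep < 0:
            break
        length = int(stream[:sep])
        body = stream[sep + 1 : sep + 1 + length]
        if len(body) < length:
            break
        messages.append(body.decode("utf-8"))
        stream = stream[sep + 1 + length :]
    return messages


def parse_rfc5424(line):
    """Return the header fields as a dict (facility/severity split out), or None if malformed."""
    m = _RFC5424.match(line)
    if not m:
        return None
    fields = m.groupdict()
    pri = int(fields.pop("pri"))
    fields["facility"], fields["severity"] = divmod(pri, 8)
    return fields


def send_events(host, port, lines, timeout=5):
    """Open one TCP session to the collector and write each event with octet-counting framing."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for line in lines:
            sock.sendall(frame(line))


def _standin_collector(ready, result):
    """Stand-in for the collector: accept one connection and capture everything sent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    ready["port"] = srv.getsockname()[1]
    ready["event"].set()
    conn, _ = srv.accept()
    chunks = []
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            break
        chunks.append(chunk)
    conn.close()
    srv.close()
    result["data"] = b"".join(chunks)


def check_collector_path(lines):
    """Send `lines` through the local stand-in collector and return the parsed events it received."""
    ready = {"event": threading.Event()}
    result = {}
    worker = threading.Thread(target=_standin_collector, args=(ready, result), daemon=True)
    worker.start()
    ready["event"].wait(5)
    send_events("127.0.0.1", ready["port"], lines)
    worker.join(5)
    return [parse_rfc5424(msg) for msg in unframe(result.get("data", b""))]


if __name__ == "__main__":
    # Constructed marker event; search for its MSGID/text on the XDR side to confirm ingest.
    marker = build_rfc5424("fw01.example.net", "xdr-check", "COLLECTOR-TEST", "collector path check 0001")
    for event in check_collector_path([marker]):
        print(event)
```

The marker event carries a distinctive MSGID so it can be searched for after ingest; sending it with a fixed framing rather than newline-delimited syslog avoids the classic failure of a collector splitting or merging messages that contain embedded newlines.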
Data collector integration guides:
- AWS Data Collector
- Azure Data Collector
- Google Cloud Platform (GCP) Data Collector
- On-Premises Data Collector
- High-Availability On-Premises Data Collector
Endpoint Agents
Important
Secureworks requires one of these EDR agents for every XDR deployment.
XDR supports multiple EDR agents, including:
- Taegis™ XDR Endpoint Agent
- Red Cloak™ Endpoint Agent
- Secureworks® Taegis™ NGAV
- CrowdStrike Falcon Insight EDR
- Microsoft Defender for Endpoint
- SentinelOne
- VMware Carbon Black Cloud and Enterprise EDR
Note
Secureworks does not recommend integrating two endpoint agents into Taegis with the exception of Red Cloak Endpoint Agent with Taegis NGAV. Running multiple endpoint agents may result in duplicate telemetry, duplicate alerts, and/or agent performance issues.
Data Sources
There are multiple ways to integrate data sources into XDR. Some methods utilize the data collector, while others rely on an API connection to an external platform.
At the highest level, data sources can be integrated with XDR via a Secureworks Optimized Integration or a Custom Integration:
Secureworks Optimized Integration
This is an end-to-end integration targeting a data source and ingest path where the downstream outcomes such as normalization, search, and alerting have been predetermined, tested, and documented by XDR.
Start here to determine if the data source you wish to integrate has already been optimized by Secureworks with a set of tested instructions to follow. For a full list of Secureworks Optimized Integrations, see:
Custom Integration
This is an integration where only the transport of data from a data source into XDR is guaranteed; downstream outcomes such as normalization, search, and alerting have not been tested and may require additional work beyond ingest.
If the data source you wish to integrate with XDR has not yet been optimized by Secureworks, or you wish to explore additional options for integration, there are several available custom transport methods you can use. For more information, see:
Manage Existing Integrations
To confirm that logs have been received as expected, or to view the status of or delete existing integrations, see the following topics:
- Manage NDR Devices
- Monitor Data Sources
- Manage Cloud APIs
- Manage Data Collectors
- Manage Endpoint Agents