🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

On-Premises Data Collector

data collectors integrations on-premises secureworks


The Secureworks® Taegis™ XDR On-Premises Data Collector enables you to forward various event sources via Syslog for ingestion into the Secureworks® Taegis™ XDR data lake.

Note

When configuring security appliances to forward events via Syslog to a Secureworks® Taegis™ XDR On-Premises Data Collector, ensure that the log format requirements are followed exactly for the supported integration type. If an intermediate log forwarder is being used to forward on behalf of the security appliances, the logs received at the Secureworks® Taegis™ XDR On-Premises Data Collector must meet the log format requirements of the integration type. Logs received by a Secureworks® Taegis™ XDR On-Premises Data Collector that do not adhere to format requirements may be processed as generic events.

Important

With release 1.2.1+, the Secureworks® Taegis™ XDR On-Premises Data Collector has a simplified configuration that requires fewer open ports to operate. If you have a configured collector from an earlier release, it will continue to work. If you want to use the updated collector (release 1.2.1 or better) you need to create and download a new collector from Integrations > Data Collectors in Secureworks® Taegis™ XDR and reconfigure your environment. The instructions below still apply. If you downloaded your generated collector image before December 5, 2019, your collector does not support proxy configuration.

Note

The Taegis™ XDR Collector can support up to 200K EPS (events per second) for properly configured cloud and on-premises collectors.

Note

Third-party tools or applications cannot be installed on any Taegis™ XDR Collector.

Create and Download Your Taegis™ XDR Collector

You can preconfigure, create, and download an On-Premises Data Collector for your environment directly in Secureworks® Taegis™ XDR from Integrations > Data Collectors.

  1. From the Taegis™ XDR left-hand side navigation, select Integrations → Data Collectors. This page displays the collectors your organization has configured.

  2. Select Actions → Add Collector from the top right. The Add Collector modal displays.

Add New Collector

Add New Collector

  1. Select On-Premises as the collector type and then select Next.

  2. Complete the following fields:

Tip

Hit Enter after each NTP server IP address or use a comma , to separate them in the box. Once entered, you can remove an NTP server by selecting the x.

Note

Default and custom NTP settings are only used during initial Data Collector setup. Once connectivity is established, the Data Collector synchronizes time via the Taegis™ XDR backend connection.

  1. Select Create Collector.

Create Collector

Create Collector

Tip

To add the eStreamer app to the collector to retrieve all security event logs from your Cisco Firepower Threat Defense (FTD) device, see eStreamer App. For more information, see the Cisco FTD Firewall guide.

  1. The Install Collector modal displays the following files available for download:

    • An .iso that contains the configuration files for your collector.
    • An .ova that is the virtual machine that the collector will run in.
    • A .vhd, which is a .zip collection (downloaded filename is: ctpx-collector.zip) of Microsoft HyperV disk images. This is an alternative to the .ova file.

Save these files; you’ll use them during the installation process described below.

Manage Integrations Collector Downloads

Manage Integrations Collector Downloads

Installation

The On-Premises Data Collector is a virtual machine appliance that must be installed in your hypervisor environment in order to collect data and transmit it to the Secureworks® Taegis™ XDR Infrastructure. It can be preconfigured and downloaded in Secureworks® Taegis™ XDR from Integrations > Data Collectors and installed in a vsphere and/or hyperv environment. Once the appropriate information is provided, the collector will be customized, built, and configured to DHCP or static IP addressing depending on your selection.

Note

Recommended virtual environment versions for the Secureworks® Taegis™ XDR On-Premises Data Collector are vSphere ESXi 6.7 or later or Hyper-V 8.0 in Windows Server 2016 or later.

Once complete, an .iso cdrom image containing your client certificate/credentials and disk image in the form of .ova (vsphere) or .vhdx (hyper-v) will be available for download from Secureworks® Taegis™ XDR. You will be required to attach the .iso (cdrom image) to the collector VM on boot.

Once booted the appliance registers with Secureworks® Taegis™ XDR and the status of the connection will be displayed in the Secureworks® Taegis™ XDR Console.

Data Collection and Network Access Requirements

The following is a reference architecture for data collection and provides an overview of the collector’s network access requirements.

Regions

Taegis™ XDR Regional Configuration

Some configuration specifics of Taegis™ XDR depend on the region you are deployed in (US1, US2, US3, EU).

onPrem

Secureworks® Taegis™ XDR On-Premises Architecture

The collector acts by default as a Syslog forwarder and collects security log data. All logs that are sent to the collector will be collected and transmitted using rapid batching to the Secureworks® Taegis™ XDR infrastructure. The collector listens and transmits data on the following ports, and you must allow access from inside your organization to outside on the following hostname and ports.

Note

All Syslog data is forwarded to Secureworks® Taegis™ XDR by way of a secure mTLS connection using TLS 1.3.

Taegis™ XDR Collectors forward Syslog data in batches. The frequency is optimized according to batch size and time since last forward.

Hostname and port configurations are as follows:

Outbound https on Port 443 — TCP

Taegis™ XDR API

NTP servers: 123/UDP Outbound

The Secureworks® Taegis™ XDR On-Premises Data Collector uses the following standard NTP servers:

Note

Windows DC servers cannot serve as NTP servers for non-domain hosts such as the On-Premises Data Collector.

Inbound—Syslog

Outbound Device APIs

Connectivity Requirements for Data Collectors

Regions

Taegis™ XDR Regional Configuration

Some configuration specifics of Taegis™ XDR depend on the region you are deployed in (US1, US2, US3, EU).

Any device that uses its own SSL certificate, including Cloud-based and On-Premises Data Collectors, must safelist the following destination IP addresses or domains in order to avoid conflict. If using an AWS data collector, please refer to the AWS table.

For Most Data Collectors

Source Destination Port/Protocol Notes
Data Collector IP or hostname
US1
collector.ctpx.secureworks.com
18.217.45.178/32
3.16.4.173/32
18.224.219.97/32
13.59.146.90/32
3.16.16.254/32
18.223.74.238/32
US2
collector.delta.taegis.secureworks.com
52.14.113.127/32
3.141.73.137/32
3.136.78.106/32
US3
collector.foxtrot.taegis.secureworks.com
44.229.101.49
35.166.77.47
34.214.135.78
EU
collector.echo.taegis.secureworks.com
18.158.143.139/32
35.159.14.37/32
52.59.37.234/32
TCP/443 Safelisting device access to Taegis™ XDR
Data Collector IP or hostname NTP severs IP/Hostnames provided during provisioning UDP/123 Safelisting device access to NTP servers

This rule is only necessary when custom NTP servers are provided during provisioning.
Data Collector IP or hostname 0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
3.pool.ntp.org
UDP/123 Safelisting device access to default NTP server.

This rule is only necessary when custom NTP servers are not provided during provisioning.
Data Collector IP or hostname DNS server IPs provided during provisioning UDP/53
TCP/53
Safelisting device access to DNS servers

Note

If using local NTP, the access must be safelisted both to and from the data collector on those networks.

For AWS Data Collectors

Source Destination Port/Protocol Notes
AWS Data Collector IP or hostname
US1
collector.ctpx.secureworks.com
18.217.45.178/32
3.16.4.173/32
18.224.219.97/32
13.59.146.90/32
3.16.16.254/32
18.223.74.238/32
US2
collector.delta.taegis.secureworks.com
52.14.113.127/32
3.141.73.137/32
3.136.78.106/32
US3
collector.foxtrot.taegis.secureworks.com
44.229.101.49
35.166.77.47
34.214.135.78
EU
collector.echo.taegis.secureworks.com
18.158.143.139/32
35.159.14.37/32
52.59.37.234/32
TCP/443 Safelisting device access to Taegis™ XDR via hostname
AWS Data Collector IP or hostname NTP severs IP/Hostnames provided during provisioning UDP/123 Safelisting device access to NTP servers

This rule is only necessary when custom NTP servers are provided during provisioning.
AWS Data Collector IP or hostname 169.254.169.123 UDP/123 Safelisting device access to default NTP server.

This rule is only necessary when custom NTP servers are not provided during provisioning.
AWS Data Collector IP or hostname DNS server IPs provided during provisioning UDP/53
TCP/53
Safelisting device access to DNS servers

Proxy Support

Cloud-based and On-Premises Data Collectors attempt to discover local proxy settings on the host if they are unable to connect directly to the internet.

Cloud-based and On-Premises Data Collectors also support a hard-coded proxy. If you need to create a data collector that contains a hard-coded proxy, please submit a support request with the following required information:

If the proxy is configured but is unavailable or not reachable, the data collector will fall back to a direct connection.

Note

Cloud-based and On-Premises Data Collectors do not support hard-coded authenticated proxies at this time. A proxy with man in the middle (MITM) capability needs to safelist the above network connections.

Spool Log Cache

A 200GB spool log holds data when the forwarding connection to Secureworks® Taegis™ XDR is slowed or temporarily unavailable.

Virtual Machine Requirements

Virtual Machine Requirements:

Configuration

Secureworks® Taegis™ XDR steps you through collector configuration and provides an .iso with credentials and configuration for the collector and an .ova virtual image that you then deploy in your environment.

Set Up On-Premises Data Collector with vSphere

The following steps you through installation of the Secureworks® Taegis™ XDR On-Premises Data Collector. It is assumed you have the preconfigured ISO and OVA files on hand. If you still need those, navigate to Integrations > Data Collectors in Secureworks® Taegis™ XDR or contact your Secureworks® Taegis™ XDR representative.

Install the On-Premises Data Collector on VMware vSphere

  1. Make sure you have the .iso and .ova files you need to run the collector appliance. You can preconfigure and download those in Secureworks® Taegis™ XDR from Integrations > Data Collectors.

  2. Connect to your vSphere Web Console.

  3. Navigate to Virtual Machines and select Create / Register VM.

Create or Register a VM

Create or Register a VM

  1. From Select Creation Type, select Deploy a virtual machine from an OVF or OVA file.

Select Creation Type

Select Creation Type

  1. Give your new VM a name such as taegis-xdr-collector and then select the .ova file you downloaded from the Secureworks® Taegis™ XDR integration manager (see Step 1 above).

Select Secureworks® Taegis™ XDR .ova File

Select Secureworks® Taegis™ XDR .ova File

  1. Select the appropriate datastore where you want to store the VM’s disk images.

Important

Choose a datastore with at least 220GB of free space for the VM. 20GB is needed for the primary and 200GB for the secondary drive.

 

  1. Choose your preferred network and disk configurations.
  2. Review the configuration and then select Finish.
  3. Navigate to Storage and choose Datastore Browser.

Select Datastore Browser

Select Datastore Browser

  1. Select the datastore where you want to store the Secureworks® Taegis™ XDR On-Premises Data Collector configuration .iso (see Step 1).
  2. Click Upload and select the configuration .iso.
  3. Navigate back to Virtual Machines, and right-click the VM to bring up the context menu. Choose Edit Settings from the context menu.

Edit Settings

Edit Settings

  1. Change the CDROM device from Client Device to Datastore ISO File.

Select Datastore .iso

Select Datastore .iso

  1. The Datastore Browser opens. From there select the .iso you uploaded in Step 11 and click Save to finalize the changes.
  2. The VM is now ready to be powered on.

Note

When deploying an onsite collector the .ISO must be mounted at first boot to configure the Taegis™ XDR Collector. After the Taegis™ XDR Collector shows "READY" in Secureworks® Taegis™ XDR, the .ISO can be dismounted.

Set Up On-Premises Data Collector with Hyper-V

The following steps you through installation of the Secureworks® Taegis™ XDR On-Premises Data Collector using a Hyper-V environment. It is assumed you have the ctpx_collector.zip file on hand. If you still need that, navigate to Integrations > Data Collectors in Secureworks® Taegis™ XDR or contact your Secureworks® Taegis™ XDR representative.

Install the On-Premises Data Collector on Hyper-V

  1. It is assumed you have the ctpx_collector.zip file on hand. If you still need that, navigate to Integrations > Data Collectors in Secureworks® Taegis™ XDR or contact your Secureworks® Taegis™ XDR representative. Unzip the ctpx_collector.zip file downloaded from Secureworks® Taegis™ XDR On-Premises Data Collector when you created your On-Premises Data Collector.

Tip

Place ctpx_collector.vhdx and ctpx-collector-disk2.vhdx in the same folder with the ctpx-collector.iso as it needs to be mounted to the CD drive on the Hyper-V machine.

Unzip your ctpx-collector download

Unzip your ctpx-collector.zip download

  1. Open the Hyper-V Manager and select New, then select Virtual Machine... from the context popup in the upper right pane.

Create a New Virtual Machine

Create a New Virtual Machine

  1. The New Virtual Machine Wizard displays. Select Next.

Virtual Machine Wizard

Virtual Machine Wizard

The Specify Name and Location dialog displays.

  1. Specify a name for the Virtual Machine then select Next.

Virtual Machine Name

Virtual Machine Name

The Specify Generation dialog displays.

  1. Choose Generation 1 then select Next.

Specify Generation

Specify Generation

The Assign Memory dialog displays.

  1. Assign memory (see Virtual Machine Requirements above for recommended settings) and select Next.

Assign Memory

Assign Memory

The Configure Networking dialog displays.

  1. Choose the network adapter you are going to use with the virtual machine, then select Next.

Configure Networking

Configure Networking

The Connect Virtual Hard Disk dialog displays.

  1. Select Use an existing virtual hard disk and then browse to the location you chose in Step 1. Choose the ctpx-collector.vhdx file, then select Next.

Connect Virtual Hard Disk

Connect Virtual Hard Disk

The Completing the New Virtual Machine Wizard dialog displays.

  1. Review the summary information and click Finish.

Completing the New Virtual Machine Wizard

Completing the New Virtual Machine Wizard

  1. From the Hyper-V Manager, select the virtual machine in the Virtual Machines pane (upper center), then select Settings in the lower right pane.

Hyper-V Manager

Hyper-V Manager

  1. Select Processor from the Settings menu in the upper left-hand pane (see Virtual Machine Requirements above for recommended settings). Do NOT select OK or Apply at this step.

Hyper-V Processor

Hyper-V Processor

  1. Next, open IDE Controller 0 right below Processor. The IDE Controller details display in the right-hand pane.

IDE Controller 0

IDE Controller 0

Choose Hard Drive then select Add.

  1. Another Hard Drive appears under IDE Controller 0 in the left pane; it should be automatically selected. Select Browse..., navigate to the folder from Step 1, and choose ctpx-collector-disk2.vhdx. Do NOT select OK or Apply at this step.

Second Hard Drive

Second Hard Drive

  1. Click on DVD Drive under IDE Controller 1 in the upper left pane. Choose Image file:, then Browse, navigate to the folder from Step 1, and choose ctpx-collector.iso. Do NOT select OK or Apply at this step.

ctpx-collector.iso

ctpx-collector.iso

  1. Review the Processor, IDE Controller 0, and IDE Controller 1 entries on the left pane. Verify the following selections:

Processor

IDE Controller 0

IDE Controller 1:

Verify Settings

Verify Settings

Once verified, click on OK. The Settings menu closes.

  1. Select the virtual machine on under Virtual Machines in the Hyper-V Manager, right-click or otherwise bring up the context menu, and select Start.

Start

Start

  1. The Secureworks® Taegis™ XDR On-Premises Data Collector is now running.

Access Troubleshooting Console

The Admiral console allows you to access information about a deployed Taegis™ XDR Collector locally. The tools provided within Admiral assist in device setup and troubleshooting of common problems such as network connectivity. For more information, see Admiral Console.

Edit Your Taegis™ XDR Collector Configuration

Important

Making changes to the Secureworks® Taegis™ XDR On-Premises Data Collector configuration of a live system carries the risk of rendering the device inoperable. The Secureworks® Taegis™ XDR On-Premises Data Collector will make every attempt possible to rollback to the previous configuration when a configuration change is unsuccessful. Secureworks® Taegis™ XDR On-Premises Data Collector configuration changes should be treated with the same level of caution used for any other kind of change in your environment according to your risk and change management guidelines. You should always be prepared to redeploy the device.

Certain configuration parameters of a running and healthy Secureworks® Taegis™ XDR On-Premises Data Collector can be changed on a live collector. To edit these parameters, select Actions and choose Edit Collector Configuration from a collector details page. Editable fields include the hostname, proxy settings, NTP server, and, for Secureworks® Taegis™ XDR On-Premises Data Collectors that have a static IP configuration, DNS servers. Modifications to the network interface configuration such as Static/DHCP, IP Address, Netmask, and Gateway are not editable fields on a Secureworks® Taegis™ XDR On-Premises Data Collector. If you require a change to the network interface configuration, it is required to provision a new Secureworks® Taegis™ XDR On-Premises Data Collector.

Edit Collector Details

Edit Collector Details

Edit Collector Configuration Slideout

Edit Collector Configuration

After submitting a Secureworks® Taegis™ XDR On-Premises Data Collector configuration change, a banner will appear to indicate that the change is pending and the edit action will no longer be available until the change has completed. The pending changes will be pushed to your Secureworks® Taegis™ XDR On-Premises Data Collector where they will be applied and connectivity testing conducted.

Edit Collector Configuration Pending

Edit Collector Configuration Pending

If the pending changes result in the Secureworks® Taegis™ XDR On-Premises Data Collector no longer able to successfully connect, the change will be rolled back to the previous configuration and a failure message will appear in the banner.

Edit Collector Configuration Rolled Back

Edit Collector Configuration Rolled Back

If the change is successful, you will receive a successful message in the banner once the change has completed.

Edit Collector Configuration Success

Edit Collector Configuration Success

In rare circumstances, it’s possible that the configuration change and rollback are both unsuccessful. Example scenarios include, but are not limited to, changes to the underlying network during the change or network connectivity failures to the backend during an inflight change. In these circumstances, you will see a failure banner and the Secureworks® Taegis™ XDR On-Premises Data Collector will need to be redeployed.

Edit Collector Configuration Failed

Edit Collector Configuration Failed

Once the change is complete, download the updated ISO for your records should you ever need to redeploy the Secureworks® Taegis™ XDR On-Premises Data Collector in the future. It is not necessary to attach the new ISO to the current running instance.

Manage Integrations Collector Downloads

Manage Integrations Collector Downloads

Taegis™ XDR Collector Frequently Asked Questions

Do I need to take action to update the security of my Taegis™ XDR Collectors? What is the Taegis™ XDR Collectors patching process?

Taegis™ XDR Collectors update automatically and require no user intervention. Typically ,Taegis™ XDR Collectors update every 24 hours based on the latest available published packages. If your collector is connected and healthy, it will automatically receive and apply these updates.

Are Taegis™ XDR Collectors configured with a secure baseline configuration?

Yes, Taegis™ XDR Collectors are designed utilizing DISA STIG guidelines.

 

On this page: