Manage NDR Devices
Note
Taegis NDR is an evolution of iSensor, but with a new name and soon with expanded capabilities. You may see some references to the iSensor branding as we complete this transition.
To view your organization’s current integrated Taegis™ NDR Devices, monitor their health, and manage their rules and registration, select Taegis™ NDR from the Secureworks® Taegis™ XDR left-hand side navigation.
This page displays the NDR Devices that your organization has configured in a summary card or table view.
Adjust the Page View
Switch between the summary card view and the list view of NDR Devices using the buttons at the top of the page.
View NDR Device Status and Health
The NDR page displays quick-view information about each NDR Device’s current status and recent activity:
- Status — The current health status of the NDR Device:
Status | Description |
---|---|
HEALTHY | The NDR Device has reported in and is deployed and healthy. |
WARNING | The NDR Device has not reported in recently or has failed to deploy correctly. |
NO DATA | The NDR Device was previously provisioned but has not reported in recently. |
NOT REGISTERED | The NDR Device has not yet been deployed. |
- Mode — The current NDR Device traffic processing mode. See Traffic Processing Mode for more information.
Mode | Description |
---|---|
INLINE ACTIVE | The NDR Device passes traffic through and will block traffic when alerted to do so. |
INLINE PASSIVE | The NDR Device passes traffic through and will not block traffic when alerted to do so. |
SNIFFER | The NDR Device will inspect traffic but the traffic will not pass through the NDR Device. |
- Rule Set — The current set of rules configured on the NDR Device with version. See Signature Sets for more information.
Rule Set | Description |
---|---|
Connectivity | This rule set is designed to favor device performance over the security controls. |
Security | This rule set is designed to favor security controls over device performance. |
Balanced | This rule set is designed to balance the security needs and performance characteristics. |
Tip
Run the NDR Change Management Report for detailed information about signature and rule set updates made for each NDR Device in your tenant. For more information, see Taegis™ NDR Change Management Report.
View Detailed NDR Device Information
Select a card from the summary card view or the NDR Device name from the list view to open additional details about the NDR Device.
Note
You must be a Tenant Administrator to make changes to an NDR Device.
Important
Making changes to the configuration of a live NDR Device carries the risk of rendering the NDR Device inoperable and/or allowing or blocking certain traffic on your network. The NDR Device will make every attempt possible to roll back to the previous configuration when a configuration change is unsuccessful. NDR Device configuration changes should be treated with the same level of caution used for any other kind of change in your environment according to your risk and change management guidelines. You should always be prepared to redeploy to the device.
Details
The top section displays the following details about the NDR Device. Select the link to view more information about each item.
- Name
- IP address
- Status
- Mode
- Rule Set
- HOME_NET defined on the device
- EXTERNAL_NET defined on the device
Note
To change the values of HOME_NET and EXTERNAL_NET, see Customization Tab. To change any other NDR Device settings, contact support.
Allow and Block Tabs
The Allow and Block tabs display a list of firewall rules configured on the NDR Device. Allow rules allow traffic to pass while Block rules block traffic.
Actions
Select one or more rules from the list and then choose the Actions menu to Delete or Export to CSV the selected rules.
Add Allow or Block
To add a new Allow or Block rule to the NDR Device:
- Select Add Allow or Add Block; the Add Allow/Block Rule form displays.
- Enter at least one Source or Destination address or range.
- The Ports are Destination checkbox is checked by default; uncheck this option if the port definitions for the rule are source ports.
- Specify the ports for the rule: All (default), a single port, a range of ports, or multiple ports separated by commas.
- Select the desired protocol, or leave at the default of all protocols.
- Select the desired time frame the rule is to be in effect, or leave at the default of always in effect.
- Select Deploy Rule to save the rule and attempt to deploy the rule to the NDR Device.
Registration Tab
The Registration tab displays the current Registration Key and the Status of that key.
Actions
- If the key is expired, select the Actions menu and choose Reactivate Key to reactivate the key for use with this NDR Device.
- Select the Actions menu and choose Download to download the open source files that are used on the NDR Device, and, if the device is a virtual device, the virtual device for setup.
Customization Tab
The Customization tab displays the following editable device variables. Select the link to view more information about each variable.
Edit HOME_NET
To edit the HOME_NET defined on the NDR Device, follow these steps:
- Select the Edit HOME_NET pencil icon. The Edit HOME_NET side drawer displays.
- Choose Add Row and enter a new IP address or range. The entry displays red if improperly formatted.
- Select one or more rows with the checkboxes and choose Delete Rows to remove those entries.
- Once complete, select Save to return to the NDR Device details.
- Select Deploy Customizations to update the NDR Device with your changes. Once complete, a message displays the status of the rule deployment. Select More Information to view the complete results.
Edit EXTERNAL_NET
To edit the EXTERNAL_NET defined on the NDR Device, follow these steps:
- Select the Edit EXTERNAL_NET pencil icon. The Edit EXTERNAL_NET side drawer displays.
- Choose one of the following options:
  - Any — Traffic from any source
  - !$HOME_NET — Traffic from all sources not defined by HOME_NET, which is the traditional configuration
  - List — Traffic from a customized list of sources
- If choosing the List option:
  - Select Add Row to enter a new IP address or range. The entry displays red if improperly formatted.
  - Select one or more rows with the checkboxes and choose Delete Rows to remove those entries.
- Once complete, select Save to return to the NDR Device details.
- Select Deploy Customizations to update the NDR Device with your changes. Once complete, a message displays the status of the rule deployment. Select More Information to view the complete results.
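A pre-change check for proposed HOME_NET and EXTERNAL_NET entries, added here as an example and not part of the Taegis product or its documentation: it flags malformed entries, HOME_NET entries already covered by a broader one, and EXTERNAL_NET list entries that intersect HOME_NET, and shows how one address is classified under each of the three EXTERNAL_NET options. It assumes entries are single IPs or CIDR blocks; the mode labels and sample addresses are constructed for illustration.

```python
import ipaddress

def parse_entries(entries):
    """Return (networks, malformed) for a list of address/CIDR strings."""
    nets, bad = [], []
    for raw in entries:
        try:
            # Assumption: entries are single IPs or CIDR blocks; strict=True
            # rejects blocks with host bits set, such as 10.1.2.3/8.
            nets.append(ipaddress.ip_network(raw.strip(), strict=True))
        except ValueError:
            bad.append(raw)
    return nets, bad

def redundant(nets):
    """(inner, outer) pairs where one entry is already covered by another."""
    return [(str(a), str(b)) for a in nets for b in nets
            if a is not b and a.version == b.version and a.subnet_of(b)]

def overlap_with_home(home, ext_list):
    """EXTERNAL_NET list entries that intersect a HOME_NET entry."""
    return [(str(e), str(h)) for e in ext_list for h in home
            if e.version == h.version and e.overlaps(h)]

def is_external(addr, home, mode, ext_list=()):
    """Would addr fall inside EXTERNAL_NET under the selected option?
    Mode labels are hypothetical names for the Any / !$HOME_NET / List choices."""
    ip = ipaddress.ip_address(addr)
    if mode == "any":
        return True
    if mode == "not_home":
        return not any(ip in n for n in home)
    if mode == "list":
        return any(ip in n for n in ext_list)
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample input (RFC 1918 and documentation ranges).
HOME_ENTRIES = ["10.0.0.0/8", "10.20.0.0/16", "192.168.1.0/24", "172.16.0.0/33"]
EXT_ENTRIES = ["203.0.113.0/24", "10.20.30.0/24"]

if __name__ == "__main__":
    home, bad = parse_entries(HOME_ENTRIES)
    ext, _ = parse_entries(EXT_ENTRIES)
    print("malformed HOME_NET entries:", bad)
    print("redundant HOME_NET entries:", redundant(home))
    print("EXTERNAL_NET list overlapping HOME_NET:", overlap_with_home(home, ext))
    for mode in ("any", "not_home", "list"):
        print(mode, is_external("10.20.30.5", home, mode, ext))
```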
Edit HTTP_PORTS
To edit the HTTP_PORTS defined on the NDR Device, follow these steps:
- Select the Edit HTTP_PORTS pencil icon. The Edit HTTP_PORTS side drawer displays.
- Choose Add Row and enter a new port number. The entry displays red if improperly formatted.
- Select one or more rows with the checkboxes and choose Delete Rows to remove those entries.
- Once complete, select Save to return to the NDR Device details.
- Select Deploy Customizations to update the NDR Device with your changes. Once complete, a message displays the status of the rule deployment. Select More Information to view the complete results.