☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Getting Started
Integrate with XDR
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
- Power BI for XDR
Secureworks Products, Services, and Policies
- Taegis NDR
  - Overview
  - Service Description
  - Transitioning from CTP
  - Legacy iSensor Service Descriptions
    - Managed iSensor
    - Managed iSensor Add-on
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- Secureworks Professional Services
- Legal

Manage NDR Devices

ndr integrations

Note

Taegis NDR is an evolution of iSensor, but with a new name and soon with expanded capabilities. You may see some references to the iSensor branding as we complete this transition.

To view your organization’s current integrated Taegis™ NDR Devices, monitor their health, and manage their rules and registration, select Taegis™ NDR from the Secureworks® Taegis™ XDR left-hand side navigation.

This page displays the NDR Devices that your organization has configured in a summary card or table view.

NDR Devices

Adjust the Page View ⫘

Switch between the summary card view and the list view of NDR using the buttons at the top of the page.

Alter NDR View

View NDR Device Status and Health ⫘

The NDR page displays quick-view information about each NDR Device’s current status and recent activity:

Status — The current health status of the NDR Device:

Status	Description
HEALTHY	The NDR Device has reported in and is deployed and healthy.
WARNING	The NDR Device has not reported in recently or has failed to deploy correctly.
NO DATA	The NDR Device was previously provisioned but has not reported in recently.
NOT REGISTERED	The NDR Device has not yet been deployed.

Mode — The current NDR Device traffic processing mode. See Traffic Processing Mode for more information.

Mode	Description
INLINE ACTIVE	The NDR Device passes traffic through and will block traffic when alerted to do so.
INLINE PASSIVE	The NDR Device passes traffic through and will not block traffic when alerted to do so.
SNIFFER	The NDR Device will inspect traffic but the traffic will not pass through the NDR Device.

Rule Set — The current set of rules configured on the NDR Device with version. See Signature Sets for more information.

Rule Set	Description
Connectivity	This rule set is designed to favor device performance over the security controls.
Security	This rule set is designed to favor security controls over device performance.
Balanced	This rules set is designed to balance the security needs and performance characteristics.

Tip

Run the NDR Change Management Report for detailed information about signature and rule set updates made for each NDR Device in your tenant. For more information, see Taegis™ NDR Change Management Report.

View Detailed NDR Device Information ⫘

Select a card from the summary card view or the NDR Device name from the list view to open additional details about the NDR Device.

Detailed NDR Device Information

Note

You must be a Tenant Administrator to make changes to an NDR Device.

Important

Making changes to the NDR Device configuration of a live NDR Device carries the risk of rendering the NDR Device inoperable and/or allowing or blocking certain traffic on your network. The NDR Device will make every attempt possible to rollback to the previous configuration when a configuration change is unsuccessful. NDR Device configuration changes should be treated with the same level of caution used for any other kind of change in your environment according to your risk and change management guidelines. You should always be prepared to redeploy to the device.

Details ⫘

The top section displays the following details about the NDR Device. Select the link to view more information about each item.

Name
IP address
Status
Mode
Rule Set
HOME_NET defined on the device
EXTERNAL_NET defined on the device

Note

To change the values of HOME_NET and EXTERNAL_NET, see Customization Tab. To change any other NDR Device settings, contact support.

Allow and Block Tabs ⫘

The Allow and Block tabs display a list of firewall rules configured on the NDR Device. Allow rules allow traffic to pass while Block rules block traffic.

Actions ⫘

Select one or more rules from the list and then choose the Actions menu to Delete or Export to CSV the selected rules.

NDR Device Allow/Block Actions

Add Allow or Block ⫘

To add a new Allow or Block rule to the NDR Device:

Select Add Allow or Add Block; the Add Allow/Block Rule form displays.

Add NDR Device Block Rule

Enter at least one Source or Destination address or range.
The Ports are Destination checkbox is checked by default; uncheck this option if the port definitions for the rule are source ports.
Specify the ports for the rule: All (default), a single port, a range of ports, or multiple ports separated by commas.
Select the desired protocol, or leave at the default of all protocols.
Select the desired time frame the rule is to be in effect, or leave at the default of always in effect.
Select Deploy Rule to save the rule and attempt to deploy the rule to the NDR Device.

Registration Tab ⫘

The Registration tab displays the current Registration Key and the Status of that key.

Actions ⫘

If the key is expired, select the Actions menu and choose Reactivate Key to reactivate the key for use with this NDR Device.
Select the Actions menu and choose Download to download the open source files that are used on the NDR Device, and if the device is a virtual device, the virtual device for setup.

NDR Device Registration Actions

Customization Tab ⫘

The Customization tab displays the following editable device variables. Select the link to view more information about each variable.

Edit HOME_NET ⫘

To edit the HOME_NET defined on the NDR Device, follow these steps:

Select the Edit HOME_NET pencil icon. The Edit HOME_NET side drawer displays.
Choose Add Row and enter a new IP address or range. The entry displays red if improperly formatted.
Select one or more rows with the checkboxes and choose Delete Rows to remove those entries.
Once complete, select Save to return to the NDR Device details.
Select Deploy Customizations to update the NDR Device with your changes. Once complete, a message displays the status of the rule deployment. Select More Information to view the complete results.

Edit HOME_NET

Edit EXTERNAL_NET ⫘

To edit the EXTERNAL_NET defined on the NDR Device, follow these steps:

Select the Edit EXTERNAL_NET pencil icon. The Edit EXTERNAL_NET side drawer displays.
Choose one of the following options:
- Any — Traffic from any source
- !$HOME_NET — Traffic from all sources not defined by HOME_NET, which is the traditional configuration
- List — Traffic from a customized list of sources
If choosing the List option:
- Select Add Row to enter a new IP address or range. The entry displays red if improperly formatted.
- Select one or more rows with the checkboxes and choose Delete Rows to remove those entries.
Once complete, select Save to return to the NDR Device details.
Select Deploy Customizations to update the NDR Device with your changes. Once complete, a message displays the status of the rule deployment. Select More Information to view the complete results.

Edit EXTERNAL_NET

Edit HTTP_PORTS ⫘

To edit the HTTP_PORTS defined on the NDR Device, follow these steps:

Select the Edit HTTP_PORTS pencil icon. The Edit HTTP_PORTS side drawer displays.
Choose Add Row and enter a new port number. The entry displays red if improperly formatted.
Select one or more rows with the checkboxes and choose Delete Rows to remove those entries.
Once complete, select Save to return to the NDR Device details.
Select Deploy Customizations to update the NDR Device with your changes. Once complete, a message displays the status of the rule deployment. Select More Information to view the complete results.

Edit HTTP_PORTS

Manage NDR Devices

Adjust the Page View ⫘

View NDR Device Status and Health ⫘

View Detailed NDR Device Information ⫘

Details ⫘

Allow and Block Tabs ⫘

Actions ⫘

Add Allow or Block ⫘

Registration Tab ⫘

Actions ⫘

Customization Tab ⫘

Edit HOME_NET ⫘

Edit EXTERNAL_NET ⫘

Edit HTTP_PORTS ⫘

On this page: