Threat Intelligence Overview
Secureworks Threat Intelligence is a core component of Secureworks® Taegis™ XDR and is included as part of XDR subscriptions. Our expert team of 70+ Secureworks Counter Threat Unit™ (CTU) researchers uses a wide variety of commercial and proprietary toolsets to analyze, synthesize, validate, and produce threat intelligence. In addition, our CTU and Incident Response teams have deep integrations that allow us to extract intelligence from the more than 1,000 incident response and targeted threat hunting engagements we conduct each year. This intelligence is then automatically correlated against your telemetry to ensure you are protected from the latest threats and adversary behaviors.
XDR Application of Intelligence Data
Threat Intelligence data is automatically applied to your telemetry in the following ways:
- Network Countermeasures
  - XDR applies network countermeasures to normalized HTTP and DNS query telemetry. This means signatures traditionally applied only by an IDS/IPS are now applied to any HTTP and DNS query telemetry sent to and normalized by XDR.
  - Customers that have subscribed to the iSensor are automatically protected through our continuously updated network countermeasures, which prevent and detect attacks in real time.
  - CTU Network Countermeasures are also available to download in Snort and Suricata formats.
- Watchlists
  - Watchlists identify the tactics and techniques that adversaries are using within the following security telemetry:
    - auth
    - dnsquery
    - filemod
    - http
    - management-event
    - netflow
    - nids
    - persistence
    - process
    - registry
    - script-block
    - thread-injection
- Reputation Watchlists
  - Reputation watchlists are continuously updated with malicious Indicators of Compromise (IOCs) and compared to the appropriate telemetry collected from the configured integrations.
- Tactic Graphs™ Detector
  - Tactic Graphs Detector models adversary behavior in order to detect malicious activity by anticipating adversary tactics.

Note
Security telemetry collected by XDR depends upon the configured integrations. Please view the data collected from the supported endpoint and Syslog data sources to determine what data is collected from your integrations.

- Bring Your Own Threat Intelligence
  - The Bring Your Own Threat Intelligence Detector enables you to integrate Threat Intel indicator lists and generate alerts when those indicators are found in normalized telemetry.
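The reputation-watchlist and bring-your-own-indicator mechanisms above both come down to the same operation: canonicalize an indicator list, then compare it against the matching fields of normalized telemetry. The following added example, which is not Taegis XDR code and does not use its API, shows that matching for the domain, IP, and SHA-256 indicator types; the indicator-list layout, the telemetry field names, and the data itself are constructed assumptions, while the schema names (dnsquery, http, netflow, process) follow the page's list.

```python
"""Added illustration of indicator matching against normalized telemetry.
Not Taegis XDR code: the indicator-list format, the telemetry field names
(query, domain, dst_ip, src_ip, sha256, host) and all sample data are
assumptions constructed for this example."""
from ipaddress import ip_address
from typing import Dict, Iterable, List, Optional

# Constructed indicator list, deliberately messy: mixed case, trailing dot,
# and one malformed IP that should be rejected rather than silently matched.
INDICATORS = [
    {"type": "domain", "value": "Bad-Updates.example.", "source": "constructed-feed"},
    {"type": "ip", "value": "203.0.113.45", "source": "constructed-feed"},
    {"type": "ip", "value": "203.0.113.999", "source": "constructed-feed"},
    {"type": "sha256", "value": "AB" * 32, "source": "constructed-feed"},
]

# Constructed normalized telemetry records (field names are assumed).
TELEMETRY = [
    {"schema": "dnsquery", "query": "cdn.bad-updates.example", "host": "ws01"},
    {"schema": "dnsquery", "query": "notbad-updates.example", "host": "ws02"},
    {"schema": "http", "domain": "intranet.example", "dst_ip": "203.0.113.45", "host": "ws03"},
    {"schema": "netflow", "dst_ip": "203.0.113.46", "host": "ws04"},
    {"schema": "process", "sha256": "ab" * 32, "host": "ws05"},
]

# Which fields of each schema are compared against which indicator type.
FIELDS: Dict[str, List[tuple]] = {
    "dnsquery": [("query", "domain")],
    "http": [("domain", "domain"), ("dst_ip", "ip")],
    "netflow": [("dst_ip", "ip"), ("src_ip", "ip")],
    "process": [("sha256", "sha256")],
}


def normalize_domain(name: str) -> str:
    """Lower-case and drop the trailing dot so feed and telemetry spellings agree."""
    return name.strip().rstrip(".").lower()


def domain_matches(observed: str, indicator: str) -> bool:
    """True when the observed name is the indicator or a subdomain of it.
    The leading dot prevents 'notbad-updates.example' matching 'bad-updates.example'."""
    observed, indicator = normalize_domain(observed), normalize_domain(indicator)
    return observed == indicator or observed.endswith("." + indicator)


def normalize_indicator(ind: dict) -> Optional[dict]:
    """Canonicalize one indicator; return None for entries that cannot be matched safely."""
    kind, value = ind["type"], ind["value"].strip()
    if kind == "domain":
        value = normalize_domain(value)
        if not value:
            return None
    elif kind == "ip":
        try:
            value = str(ip_address(value))  # rejects malformed addresses
        except ValueError:
            return None
    elif kind == "sha256":
        value = value.lower()
        if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
            return None
    else:
        return None  # unknown indicator type: skip rather than guess a field
    return {"type": kind, "value": value, "source": ind.get("source", "unknown")}


def match_indicators(indicators: Iterable[dict], records: Iterable[dict]) -> List[dict]:
    """Return one alert per (record, field, indicator) hit, in record order."""
    by_type: Dict[str, List[dict]] = {}
    for raw in indicators:
        clean = normalize_indicator(raw)
        if clean:
            by_type.setdefault(clean["type"], []).append(clean)

    alerts = []
    for rec in records:
        for field, ind_type in FIELDS.get(rec.get("schema", ""), []):
            observed = rec.get(field)
            if observed is None:
                continue
            for ind in by_type.get(ind_type, []):
                if ind_type == "domain":
                    hit = domain_matches(observed, ind["value"])
                elif ind_type == "ip":
                    try:
                        hit = str(ip_address(observed.strip())) == ind["value"]
                    except ValueError:
                        hit = False
                else:
                    hit = observed.strip().lower() == ind["value"]
                if hit:
                    alerts.append({"host": rec.get("host"), "schema": rec["schema"],
                                   "field": field, "indicator": ind["value"],
                                   "source": ind["source"]})
    return alerts


if __name__ == "__main__":
    for alert in match_indicators(INDICATORS, TELEMETRY):
        print(alert)
```

Two points worth carrying into any real indicator pipeline: normalize both sides before comparing (a trailing dot or upper-case hex in a feed silently turns into a missed detection otherwise), and match domains as "equal or subdomain of" rather than by substring, so a lookalike that merely contains the indicator does not fire.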
Threat Intelligence Reports
As an XDR customer you also have access to CTU Threat Intelligence Reports within the Threat Intelligence Reports widget on the Alert Triage Dashboard. These reports contain up-to-date information on the evolving threat landscape as identified through CTU threat research, Secureworks incident response engagements, and observations across our 4,000+ global customers.