🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis™ Managed iSensor FAQ

isensor


General

What is the Managed iSensor® to Taegis upgrade?

Secureworks® is upgrading existing Managed iSensor® subscriptions. Your Managed iSensor® service will move from the Secureworks Counter Threat Platform™ (CTP) to Secureworks® Taegis™ XDR.

How does this impact me?

This upgrade comes with no change to your existing Managed iSensor® subscription. You will continue to receive your Managed iSensor® service on Taegis much as you did on CTP. Reference the Taegis iSensor Service Description. There are no changes to the financial terms of your current agreement with Secureworks.

What are the benefits of this upgrade?

Benefits of this upgrade to Taegis™ include:

What must I do to receive the upgrade?

Secureworks has set up your Taegis™ XDR account for you. Using the link provided in the email you received from taegis@secureworks.com, log into Taegis™ XDR and set your password and multi-factor authentication. If you did not receive the email, please reach out to taegis@secureworks.com.

Will I be able to still access CTP?

No. Secureworks will disable access to CTP within 24-48 hours after the first contact at your company successfully registers with Taegis. If you have not registered yet, please do so as soon as possible. All Managed iSensor® customers are being transitioned to Taegis™ XDR.

Will I receive the same level of service as I did before?

Yes. With this upgrade to Taegis, Secureworks will continue to perform device management functions, which can include changes, rule/policy modifications, upgrades, and similar functions, upon request. Secureworks also will perform monitoring and alerting for security events. For more information, see Secureworks® Managed iSensor® on Taegis™ XDR.

Is my event data within the Secureworks Counter Threat Platform transitioned to Taegis™ XDR?

iSensor event data prior to your tenant creation is located solely in CTP and cannot be integrated within Taegis™ XDR. From the time your tenant was created, event data is searchable within Taegis™ XDR. If historical Secureworks Managed iSensor events are needed from CTP, please submit a help request in Taegis™ XDR and historical reports can be provided.

Has my iSensor configuration changed?

No. Your iSensor configuration remains the same in Taegis™ XDR as it was in CTP.

There are items in Taegis™ XDR that look outside the scope of my Managed iSensor® subscription. How can I find out more?

Your current service continues to be based on Managed iSensor® only. If you add other data sources or deploy any agents, additional charges may apply. To discover what Taegis™ XDR offers in addition to your Managed iSensor® contract, please contact your Account Manager.

What happens to my Secureworks Counter Threat Platform (CTP) access when I log into Taegis™ XDR?

It is important to note that once you or another contact at your organization successfully registers within Taegis™ XDR, Secureworks uses that login as acknowledgment you are ready to receive services through Taegis™ XDR. CTP access, including access for all CTP users, will be cut off within 24-48 hours after logging into Taegis™ XDR. You should ensure all other users register as soon as possible so they have ongoing access.

How do my roles change from CTP to Taegis™ XDR?

The following table shows how we have assigned Taegis™ XDR roles based on the CTP role for each user.
CTP Role Taegis™ XDR Role
Admin Tenant Admin
service-entitlements N/A
TI User N/A
Infrastructure Tenant Auditor
Scan_SSO_Exposures N/A
Scan_SSO N/A
Auditor Tenant Auditor
CarbonBlack User N/A
Threat Intelligence Analyst Tenant Analyst
Security Tenant Analyst
ETDR User N/A
API User N/A
SCAN User N/A
Provisioning Automation User N/A
Log Retention N/A
Analyst Tenant Analyst
User Admin Tenant Admin
TICE PUBLIC API USER N/A
Foresee User N/A
TICE Application User N/A

I’m not interested in transitioning from CTP to Taegis™ XDR. Can I opt out?

Your Managed iSensor® subscription is being upgraded from CTP to Taegis™ XDR for the duration of your existing contract. Please contact your Account Manager for more information. Opt outs are not available.

Using Taegis™ XDR

How do I log in to Taegis™ XDR?

Your notification email from taegis@secureworks.com includes a link to log into Taegis™ XDR and set your password. If you did not receive the email, please reach out to taegis@secureworks.com. For more information, see Log In to Taegis™ XDR. Note that the link in your notification email will direct you to the correct Taegis™ XDR tenant.

To receive support, you’ll need your PIN which is located in the application. For more information, see Taegis™ ManagedXDR Telephone Support.

When I log into Taegis, my dashboard is blank. How do I know my migration was completed successfully?

Taegis™ XDR is less prone to false positives. The dashboard appears blank until alerts that Taegis™ XDR classifies as high or critical are received and/or investigations are populated. If a high or critical severity alert is created, an investigation is automatically created. Only when an alert is a true positive or actionable threat to your organization is the investigation escalated to your team.

Taegis™ XDR allows you to leverage advanced search to query for alerts. For more information, see How do I see my iSensor data? Additionally, see How are custom rules supported in Taegis™ XDR? for information on creating custom alerts, and How do I get health information on my iSensor? to learn how to see your iSensors in Taegis™ XDR and confirm a successful migration.

What is the difference between an event, an alert, and an investigation?

An event is a single security-related occurrence on your network.

An alert is a notification in Taegis™ XDR created from event(s) from a detector informing you of activity that may need to be investigated further.

An investigation is used to gather information related to alerts and events seen in Taegis™ XDR.

How do I get health information on my iSensor?

Your iSensor appears in Taegis™ XDR under Integrations. From the Taegis™ XDR left-hand side navigation, select Integrations → iSensors. Your iSensor(s) and health status display. For more information, see Manage iSensors.

How do I see my iSensor data?

iSensor data may be found by using Taegis™ XDR Advanced Search.
iSensor Query Example

from NIDS where sensor_type='ISENSOR'

For more information on searching for data in Taegis™ XDR, see Advanced Search.

Why am I not being alerted on information I would have been alerted on in CTP?

Taegis™ XDR is tuned and designed to only alert on critical and high events. It is expected that you will receive fewer escalations in Taegis™ XDR than you did in CTP. Note that event data is available in Taegis™ XDR for future reference and for compliance needs.

Custom MPLE rules from CTP do not transfer. Event data is processed by Taegis™ XDR detectors to generate alerts. If you wish to be alerted in particular events, you can create custom alerts. Secureworks does not review customer created alerts for investigations. Please see the next question for more information.

How are custom rules supported in Taegis™ XDR?

You can create custom rules in Taegis™ XDR that alert you when specific criteria that you have set are detected. This feature enables you to create customized rules. Since customization varies greatly from customer to customer, our analysts are unable to monitor your custom rules. You must have internal resources and processes to manage the corresponding alerts.

How does Secureworks communicate with me on security events detected in my environment?

For critical incidents when immediate incident response is warranted, Secureworks analysts:

For non-critical incidents, a Secureworks analyst sends a notification in Taegis™ XDR and an email, but does not call the designated contacts.

For more information on Investigations in Taegis™ XDR, see Work an Investigation.

What happens with my previously configured escalation procedures? How do you communicate with me on security and health events?

Once you have registered onto Taegis™ XDR and if you are a Tenant Admin, you can update your Points of Contacts for escalations. Click on Tenant Settings and Tenant Profile. Here you can add up to three contacts as notification contacts should a phone call be warranted. You can check your role settings in the User Profile section in the upper left-hand corner of the application. You can also enter your network ranges and network information in the Tenant Profile section. For more information, refer to Tenant Profile. If you need assistance you can may use the the chat feature, or open a support ticket and ask to review your current escalation procedures.

What can I do if I suspect that my Secureworks iSensor® is causing interference in my environment?

Bypass modes are used when the iSensor is causing network interference, preventing the need to physically remove it from the network. Contact Product Support via Chat or open a support ticket to determine and enable the suitable bypass mode for your iSensor.

The iSensor appliance can be placed into two types of bypass mode:

Why am I seeing custom suppression rules being used by Secureworks in my security environment?

Secureworks continuously updates Taegis™ XDR to proactively improve services and the customer experience. As a Taegis™ XDR customer, you may see customized suppression rules, event filter modification, and alert tuning designed to minimize low-value alerts and focus time on high-value alerts.

How do I perform common CTP tasks in Taegis™ XDR?

For a quick tutorial on performing key tasks in Secureworks® Taegis™ XDR that are equivalent to CTP tasks, see Using Managed iSensor®. The video covers Device Health, Alert Details, Investigations, Advanced Search, Reports, and Threat Intelligence. For more details on Reports, see the video Managed iSensor® Reports FAQ.

Does Taegis™ XDR have a mobile app?

Secureworks® Taegis™ XDR supports progressive web technology. For more details, see.

Does Secureworks® Taegis™ XDR offer automation to perform any tasks?

For CTP customers currently using API for ticket connectivity, please see Automations Overview and Using the Automation GraphQL APIs prior to registration to understand how you can build new processes within the Secureworks® Taegis™ XDR platform. Taegis™ XDR can also provide automated alerts through a number of third party vendor and customer owned tools, such as PagerDuty or Atlassian Jira.

Some tasks you can automate through Secureworks® Taegis™ XDR include:

For more information, see Automation Overview, Supported Playbooks, and Supported Connectors.

How do I configure the Block (Shun) and Allow (Trust) functionality for iSensors in Taegis™ XDR?

The Block (Shun) and Allow (Trust) actions in Taegis™ XDR are performed using playbooks. In order to use these actions, you need to configure a connector and playbook(s). You only need to configure each playbook once. Once configured, you can run the playbook instance as many times as is necessary to modify iSensor rules. To do so, follow these steps:
  1. Create a new connection for the Secureworks iSensor connector.
  2. See Secureworks iSensor Documentation in-app for more details. (You must be logged in to Secureworks® Taegis™ XDR to view.)
  3. Configure each playbook.

Example

Block IP Playbook Template

Block IP Playbook Template

Using the Block IP playbook as an example, specify these configurations:

  • Playbook Name: Block IP on iSensor
  • Connection: Select the one created in step 1.
  • Trigger Source: User Initiated
  • Category: Response Action
  • Context: Alert2
  • Name: Block IP
  • When does this playbook run?: Select Only When and enter false for the Trigger Filter field. This prevents the response action from showing up in the UI for alerts.

All other fields can be left to default or are optional.

How do I perform the Block (Shun) and Unblock (Trust) functionality for iSensors in Taegis™ XDR?

Once a Block (Shun) or Unblock (Trust) playbook is configured, it can then be executed on demand whenever you need to block or allow an IP address on your iSensors in Taegis™ XDR.

Example

Manually Trigger the Block IP Playbook

Manually Trigger the Block IP Playbook

Using the Block IP playbook as an example, follow these steps to run it:

  1. Open the Block or Allow IP playbook you created under Automations → Playbooks → Configured.
  2. Select More Actions → Trigger Manually.
  3. Enter the IP address(es) to block.
  4. It is optional to specify Target iSensors. If you leave this field blank, it will apply the Block IP action to all iSensors that support blocking.
  5. Select Execute.

For more information, see the following documentation (you must be logged in to Secureworks® Taegis™ XDR to view):

How do I get support?

Contact Secureworks® Taegis™ XDR Support by:

Does the old phone number work?

No. Taegis is supported separately from CTP. To receive support, you need your PIN, which you can find in Taegis™ XDR. Call your Taegis™ XDR Product Support Representative with your PIN. If you don’t have your support telephone number, see Taegis™ ManagedXDR Telephone Support.

I’m having trouble with the chat support. How can I resolve this?

See Chat Support for information on using the in-app Taegis™ XDR chat support. If you still have issues, please submit a help request.

How can I view my tickets?

Whenever there is an update on your ticket you will receive a notification email from taegis@secureworks.com that includes instructions as well as a link to login to Taegis at https://delta.taegis.secureworks.com/login.

On rare situations you might get redirected to https://ctpx.secureworks.com/login. If this happens, please navigate to https://delta.taegis.secureworks.com/login.

If additional assistance is needed, please reach out to taegis@secureworks.com.

Reports

Preconfigured templates for Executive Summary Report, Alerts Summary Report, Investigation Summary Report, and iSensor Change Management Report are currently available and encompass many of the features in CTP reports. For more information, see Create Reports from a Template.

For more information on the Executive Summary Report, see Managed iSensor® Reports.

How do I create other reports in Taegis™ XDR?

In addition to the report templates available, you can create custom reports using the search query language in Taegis™ XDR. For more information, see Configure Custom Reports and Advanced Search Query Language Overview.

Compliance Board Reports

The Executive Summary and Alert Summary reports give you visibility into your iSensors, but not all components of the CTP Compliance report are available in Taegis™ XDR. Refer to the below XDR queries for other reports and graphics that can be run from Advanced Search:

Total IPS/IDS Attack Events by Action
Total IPS/IDS Attack Events per Day
Total Other Monitoring Attack Events per Day

Search Query — from alert where sensor_types !in ('isensor', 'yourSensorType')

where yourSensorType is the sensor type you want to exclude.

IPS/IDS Authorized Activity

Note

The format of this report is a CSV file that includes all line items.

Monitored Authorized Activity

Note

You must know each sensor_type you want included in this view. It should not contain isensor, as that is covered by Appendix C view.

where 'yourSensorType' and 'yourOtherSensorType' are the sensor types you are looking for.

These queries for reporting are documented for your use to accompany the previously mentioned reports:

Attack Summary
Attacked Ports
Top Attacks
Blocked and Unblocked Attack Trend

Note

The Blocked field contains one of three numeric values: 1=NotBlocked, 2=Blocked, 3=WouldHaveBlocked

Security Events Report

Attack Trend

Note

What appears in this report depends on your preferences. The query provided is the basis, but you must add filtering criteria based on your needs. You can append the query with a where clause and include fields you’d like to filter the report by.

Note that several CTP reports are not available in Taegis™ XDR. These include:

 

On this page: