Managed iSensor FAQ

isensor

General ⫘

What is the Managed iSensor to Taegis upgrade? ⫘

Secureworks® is upgrading existing Secureworks® Managed iSensor® subscriptions. Your Managed iSensor service will move from the Secureworks Counter Threat Platform™ (CTP) to Secureworks® Taegis™ XDR.

How does this impact me? ⫘

This upgrade comes with no change to your existing Managed iSensor subscription. You will continue to receive your Managed iSensor service on Taegis much as you did on CTP. Reference the Secureworks iSensor® Service Description. There are no changes to the financial terms of your current agreement with Secureworks.

What are the benefits of this upgrade? ⫘

Benefits of this upgrade to Taegis include:

• CTU™ Tips and Threat Analysis — XDR includes threat intelligence reports and guidance from our Counter Threat Unit™ research team.
• Advanced Analytics — iSensor continuously collects telemetry that feeds into a variety of XDR Detectors, including Domain Generation Algorithms, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs™ Detector, Punycode, IP Watchlist, and Domain Watchlist.
• MITRE ATT&CK Mappings — XDR maps defenses and countermeasures against more than 90% of all adversarial tactics, techniques, and procedures (TTPs) used by the malicious software tracked by MITRE, across all framework categories.
• Advanced Query Language Support — A powerful interface that enables you to craft searches for alerts and events.
• Custom Detection Rules — Create custom rules that alert you when specific criteria are detected.
• Custom Suppression Rules — Customize the platform to you specifically by suppressing alerts that are benign to environment.
• Ask An Expert — XDR provides users with live chat functionality 24x7, providing direct access to Secureworks security experts.
• XDR Access — Seamlessly opt in to Secureworks next-generation platform to better protect more of your environment.

What must I do to receive the upgrade? ⫘

Secureworks has set up your XDR account for you. Using the link provided in the email you received from taegis@secureworks.com, log into XDR and set your password and multi-factor authentication. If you did not receive the email, please reach out to taegis@secureworks.com.

Will I be able to still access CTP? ⫘

No. Secureworks will disable access to CTP within 24-48 hours after the first contact at your company successfully registers with Taegis. If you have not registered yet, please do so as soon as possible. All Managed iSensor customers are being transitioned to XDR.

Will I receive the same level of service as I did before? ⫘

Yes. With this upgrade to Secureworks® Taegis™, Secureworks will continue to perform device management functions, which can include changes, rule/policy modifications, upgrades, and similar functions, upon request. Secureworks also will perform monitoring and alerting for security events. For more information, see Secureworks® Managed iSensor® on XDR.

Is my event data within the Secureworks Counter Threat Platform transitioned to XDR? ⫘

iSensor event data prior to your tenant creation is located solely in CTP and cannot be integrated within XDR. From the time your tenant was created, event data is searchable within XDR. If historical Secureworks Managed iSensor events are needed from CTP, please submit a help request in XDR and historical reports can be provided.

Has my iSensor configuration changed? ⫘

No. Your iSensor configuration remains the same in XDR as it was in CTP.

There are items in XDR that look outside the scope of my Managed iSensor subscription. How can I find out more? ⫘

Your current service continues to be based on Managed iSensor only. If you add other data sources or deploy any agents, additional charges may apply. To discover what XDR offers in addition to your Managed iSensor contract, please contact your Account Manager.

What happens to my Secureworks Counter Threat Platform (CTP) access when I log into XDR? ⫘

It is important to note that once you or another contact at your organization successfully registers within XDR, Secureworks uses that login as acknowledgment you are ready to receive services through XDR. CTP access, including access for all CTP users, will be cut off within 24-48 hours after logging into XDR. You should ensure all other users register as soon as possible so they have ongoing access.

How do my roles change from CTP to XDR? ⫘

The following table shows how we have assigned XDR roles based on the CTP role for each user.

CTP Role	XDR Role
Admin	Tenant Admin
service-entitlements	N/A
TI User	N/A
Infrastructure	Tenant Auditor
Scan_SSO_Exposures	N/A
Scan_SSO	N/A
Auditor	Tenant Auditor
CarbonBlack User	N/A
Threat Intelligence Analyst	Tenant Analyst
Security	Tenant Analyst
ETDR User	N/A
API User	N/A
SCAN User	N/A
Provisioning Automation User	N/A
Log Retention	N/A
Analyst	Tenant Analyst
User Admin	Tenant Admin
TICE PUBLIC API USER	N/A
Foresee User	N/A
TICE Application User	N/A

I’m not interested in transitioning from CTP to XDR. Can I opt out? ⫘

Your Managed iSensor subscription is being upgraded from CTP to XDR for the duration of your existing contract. Please contact your Account Manager for more information. Opt outs are not available.

Using XDR ⫘

How do I log in to XDR? ⫘

Your notification email from taegis@secureworks.com includes a link to log into XDR and set your password. If you did not receive the email, please reach out to taegis@secureworks.com. For more information, see Log In to XDR. Note that the link in your notification email will direct you to the correct XDR tenant.

To receive support, you’ll need your PIN which is located in the application. For more information, see Secureworks® Taegis™ ManagedXDR Telephone Support.

When I log into Taegis, my dashboard is blank. How do I know my migration was completed successfully? ⫘

XDR is less prone to false positives. The dashboard appears blank until alerts that XDR classifies as high or critical are received and/or investigations are populated. If a high or critical severity alert is created, an investigation is automatically created. Only when an alert is a true positive or actionable threat to your organization is the investigation escalated to your team.

XDR allows you to leverage advanced search to query for alerts. For more information, see How do I see my iSensor data? Additionally, see How are custom rules supported in XDR? for information on creating custom alerts, and How do I get health information on my iSensor? to learn how to see your iSensors in XDR and confirm a successful migration.

What is the difference between an event, an alert, and an investigation? ⫘

An event is a single security-related occurrence on your network.

An alert is a notification in XDR created from event(s) from a detector informing you of activity that may need to be investigated further.

An investigation is used to gather information related to alerts and events seen in XDR.

How do I get health information on my iSensor? ⫘

Your iSensor appears in XDR under Integrations. From the XDR left-hand side navigation, select Integrations → iSensors. Your iSensor(s) and health status display. For more information, see Manage iSensors.

How do I see my iSensor data? ⫘

iSensor data may be found by using XDR Advanced Search.

iSensor Query Example ⫘

from NIDS where sensor_type='ISENSOR'

For more information on searching for data in XDR, see Advanced Search.

Why am I not being alerted on information I would have been alerted on in CTP? ⫘

XDR is tuned and designed to only alert on critical and high events. It is expected that you will receive fewer escalations in XDR than you did in CTP. Note that event data is available in XDR for future reference and for compliance needs.

Custom MPLE rules from CTP do not transfer. Event data is processed by XDR detectors to generate alerts. If you wish to be alerted in particular events, you can create custom alerts. Secureworks does not review customer created alerts for investigations. Please see the next question for more information.

How are custom rules supported in XDR? ⫘

You can create custom rules in XDR that alert you when specific criteria that you have set are detected. This feature enables you to create customized rules. Since customization varies greatly from customer to customer, our analysts are unable to monitor your custom rules. You must have internal resources and processes to manage the corresponding alerts.

How does Secureworks communicate with me on security events detected in my environment? ⫘

For critical incidents when immediate incident response is warranted, Secureworks analysts:

• Assign the Investigation to you in XDR.

• Send an email through XDR to all your registered XDR users, informing them of the creation of the Investigation. A notification also displays within XDR to all registered users.

• Call the designated points of contact (up to three) as provided by you.

For non-critical incidents, a Secureworks analyst sends a notification in XDR and an email, but does not call the designated contacts.

For more information on Investigations in XDR, see Work an Investigation.

What happens with my previously configured escalation procedures? How do you communicate with me on security and health events? ⫘

Once you have registered onto XDR and if you are a Tenant Admin, you can update your Points of Contacts for escalations. Click on Tenant Settings and Tenant Profile. Here you can add up to three contacts as notification contacts should a phone call be warranted. You can check your role settings in the User Profile section in the upper left-hand corner of the application. You can also enter your network ranges and network information in the Tenant Profile section. For more information, refer to Tenant Profile. If you need assistance you can may use the the chat feature, or open a support ticket and ask to review your current escalation procedures.

What can I do if I suspect that my iSensor is causing interference in my environment? ⫘

Bypass modes are used when the iSensor is causing network interference, preventing the need to physically remove it from the network. Contact Product Support via Chat or open a support ticket to determine and enable the suitable bypass mode for your iSensor.

The iSensor appliance can be placed into two types of bypass mode:

• Software—Prevents traffic coming into iSensor from being assessed by the inspection engine.
• Hardware—Guarantees that data is forwarded over the monitoring interfaces in the event of device failure.

Why am I seeing custom suppression rules being used by Secureworks in my security environment? ⫘

Secureworks continuously updates XDR to proactively improve services and the customer experience. As a XDR customer, you may see customized suppression rules, event filter modification, and alert tuning designed to minimize low-value alerts and focus time on high-value alerts.

How do I perform common CTP tasks in XDR? ⫘

For a quick tutorial on performing key tasks in XDR that are equivalent to CTP tasks, see Using Managed iSensor. The video covers Device Health, Alert Details, Investigations, Advanced Search, Reports, and Threat Intelligence. For more details on Reports, see the video Managed iSensor Reports FAQ.

Does XDR have a mobile app? ⫘

XDR supports progressive web technology. For more details, see.

Does XDR offer automation to perform any tasks? ⫘

For CTP customers currently using API for ticket connectivity, please see Automations Overview and Using the Automation GraphQL APIs prior to registration to understand how you can build new processes within the XDR platform. XDR can also provide automated alerts through a number of third party vendor and customer owned tools, such as PagerDuty or Atlassian Jira.

Some tasks you can automate through XDR include:

• Creating and querying tickets through other ticketing systems
• Creating custom email and instant messaging notifications
• Managing alerts
• Response actions
• Repetitive XDR tasks, such as creating investigations

For more information, see Automation Overview, Supported Playbooks, and Supported Connectors.

How do I configure the Block (Shun) and Allow (Trust) functionality for iSensors in XDR? ⫘

The Block (Shun) and Allow (Trust) actions in XDR are performed using playbooks. In order to use these actions, you need to configure a connector and playbook(s). You only need to configure each playbook once. Once configured, you can run the playbook instance as many times as is necessary to modify iSensor rules. To do so, follow these steps:

1. Create a new connection for the Secureworks iSensor connector.
2. See Secureworks iSensor Documentation in-app for more details. (You must be logged in to XDR to view.)
3. Configure each playbook.

How do I perform the Block (Shun) and Unblock (Trust) functionality for iSensors in XDR? ⫘

Once a Block (Shun) or Unblock (Trust) playbook is configured, it can then be executed on demand whenever you need to block or allow an IP address on your iSensors in XDR.

For more information, see the following documentation (you must be logged in to XDR to view):

• Block (Shun) — This playbook is designed to block (shun) a list of IPs on a tenant’s iSensor.
• Unblock (Trust) — This playbook is designed to unblock (unshun) a list of IPs on a tenant’s iSensor.

How do I get support? ⫘

Contact XDR Support by:

• In-app Chat Support
• Submit a ticket
• Call the Secureworks® Taegis™ Security Operations Center

Does the old phone number work? ⫘

No. Taegis is supported separately from CTP. To receive support, you need your PIN, which you can find in XDR. Call your XDR Product Support Representative with your PIN. If you don’t have your support telephone number, see Taegis ManagedXDR Telephone Support.

I’m having trouble with the chat support. How can I resolve this? ⫘

See Chat Support for information on using the in-app XDR chat support. If you still have issues, please submit a help request.

How can I view my tickets? ⫘

Whenever there is an update on your ticket you will receive a notification email from taegis@secureworks.com that includes instructions as well as a link to login to Taegis at https://delta.taegis.secureworks.com/login.

On rare situations you might get redirected to https://ctpx.secureworks.com/login. If this happens, please navigate to https://delta.taegis.secureworks.com/login.

If additional assistance is needed, please reach out to taegis@secureworks.com.

Reports ⫘

Preconfigured templates for Executive Summary Report, Alerts Summary Report, Investigation Summary Report, and iSensor Change Management Report are currently available and encompass many of the features in CTP reports. For more information, see Create Reports from a Template.

For more information on the Executive Summary Report, see Managed iSensor Reports.

How do I create other reports in XDR? ⫘

In addition to the report templates available, you can create custom reports using the search query language in XDR. For more information, see Configure Custom Reports and Advanced Search Query Language Overview.

Compliance Board Reports ⫘

The Executive Summary and Alert Summary reports give you visibility into your iSensors, but not all components of the CTP Compliance report are available in XDR. Refer to the below XDR queries for other reports and graphics that can be run from Advanced Search:

• Monitored Incident to Event Volume Ratio — No equivalent view.
• Attack Events by Severity and Actions — No equivalent view.

Total IPS/IDS Attack Events by Action ⫘

• Search Query — from nids

• Report Options — Pie Chart
• Chart Data Category —Blocked
• Schedule — Configure as needed
• Report Name and Sharing — Configure as needed

Total IPS/IDS Attack Events per Day ⫘

• Search Query — from nids

• Report Options — Bar Chart
• Chart Axis — X-Axis – Timestamp; Y-Axis – Total Count
• Schedule — Configure as needed
• Report Name and Sharing — Configure as needed

Total Other Monitoring Attack Events per Day ⫘

Search Query — from alert where sensor_types !in ('isensor', 'yourSensorType')

where yourSensorType is the sensor type you want to exclude.

• Query Results Columns to Display — Timestamp
• Report Options — Bar Chart
• Chart Axis — X-Axis – Timestamp; Y-Axis – Total Count
• Schedule — Configure as needed
• Report Name and Sharing — Configure as neede

IPS/IDS Authorized Activity ⫘

• Search Query — from alert where status contains 'Authorized' and sensor_types = 'isensor'

• Report Options — Select the checkbox next to Include data CSV file in report generation. Do NOT select a chart type.
• Schedule — Configure as needed
• Report Name and Sharing — Configure as needed

Monitored Authorized Activity ⫘

• Search Query — from alert where status contains 'Authorized' and sensor_types in ( 'yourSensorType', 'yourOtherSensorType')

where 'yourSensorType' and 'yourOtherSensorType' are the sensor types you are looking for.

• Report Options — Select the checkbox next to Include data CSV file in report generation. Do NOT select a chart type.
• Schedule — Configure as needed
• Report Name and Sharing — Configure as needed

These queries for reporting are documented for your use to accompany the previously mentioned reports: ⫘

Attack Summary ⫘

• Search Query — from nids

• Visualization Type — Pie Chart
• Chart Data Category — Blocked
• Schedule — Configure as needed
• Report Name and Sharing — Configure as needed

Attacked Ports ⫘

• Search Query — from nids

• Visualization Type — Horizontal Bar Chart
• Chart Axes — X-Axis – Total Count; Y-Axis – DESTINATION_PORT
• Schedule —Configure as needed
• Report Name and Sharing —Configure as needed

Top Attacks ⫘

• Search Query — from alert

• Visualization Type — Horizontal Bar Chart
• Chart Axes — X-Axis – Total Count; Y-Axis – Title
• Schedule — Configure as needed
• Report Name and Sharing — Configure as needed

Blocked and Unblocked Attack Trend ⫘

• Search Query — from nids

• Visualization Type — Bar Chart – Stacked
• Chart Axes — X-Axis – Timestamp; Y-Axis – Total Count; Series – Blocked
• Schedule — Configure as needed
• Report Name and Sharing — Configure as needed

Security Events Report ⫘

Attack Trend ⫘

• Search Query — from alert

• Report Options — Bar Chart
• Chart Axis — X-Axis – Timestamp; Y-Axis – Total Count
• Schedule — Configure as needed
• Report Name and Sharing — Configure as needed

Note that several CTP reports are not available in XDR. These include: ⫘

• Portal Activity — While this report is not available in XDR, you can find most of the information for this report in the Managed iSensor Dashboard and under Audit Logs.
• Asset Report
• Service Review
• Device Event Trend
• Event Analysis Statistics
• Top Talkers Report
• Ticket Summary and Detail