☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

Secureworks Taegis ManagedXDR for OT

Overview ⫘

New customers of ManagedXDR or ManagedXDR Elite: For customers purchasing Secureworks® Taegis™ ManagedXDR for OT simultaneously with Secureworks® Taegis™ ManagedXDR or Secureworks® Taegis™ ManagedXDR Elite, prior to onboarding, Secureworks will activate Customer’s Service by provisioning access to Customer’s instance of Secureworks® Taegis™ XDR, which will also provide Customer with access to: 1) online documentation; and 2) instructions to access and deploy the Taegis™ XDR Endpoint Agent.
Existing customers of Secureworks® Taegis™ ManagedXDR or Secureworks® Taegis™ ManagedXDR Elite: For customers adding ManagedXDR for OT to an existing ManagedXDR or ManagedXDR Elite subscription, Secureworks will activate Customer’s Service on the effective date of the Transaction Document for ManagedXDR for OT.

The ManagedXDR for OT Service (“Service”) provides Customer with access to a team of security professionals (the (“OT Specialist Team”), herein referred to as the (“Specialist Team”)) to conduct in-depth analysis for investigations as well as orchestrated response and remediation related to Customer’s OT Environment.

The Specialist Team is available 24x7 via chat, email, and ticket. Customer must purchase the ManagedXDR service (“ManagedXDR”) in conjunction with this Service. For more information, see the ManagedXDR service description. As part of ManagedXDR, the ManagedXDR Security Analysts will review and investigate Threats detected within Customer’s XDR (“XDR”) tenant(s). Threats requiring further analysis as determined by Secureworks will result in creation of an Investigation within XDR. The Specialist Team will conduct additional analyses of investigations identified in XDR related to assets associated with Customer’s OT environment. After analysis is completed for each Investigation, the Specialist Team will take appropriate action based on the documentation developed during Onboarding.

All capitalized words and phrases shall have the meanings set forth herein, as defined in the Glossary, or within the Secureworks-applicable agreement, such as the Customer Relationship Agreement.

Service Components ⫘

24x7 Access to OT Specialist Team ⫘

Customer will have access to the OT Specialist Team 24x7 via methods described above. From a remote location, the Specialist Team will conduct work on Customer’s behalf and support Customer as defined herein. The Specialist Team will communicate with Customer through email and Secureworks Ticketing System for support related to the activities described herein. The Specialist Team will also communicate with Customer through telephone solely for OT related investigations deemed by Secureworks to be High or Critical.

Threat Investigations ⫘

The Specialist Team will conduct Threat Investigations aligned to the following categories:

OT-specific alert investigations: When event data is sent by supported OT Monitoring Technology and that data triggers an alert in XDR deemed by Secureworks to be a Threat, the Specialist Team will perform an investigation with the goal of understanding the potential impact of the Threat to the Customer’s OT Environment. The Specialist Team will also review and conduct analyses for Investigations that are automatically created through approved automation playbooks within XDR and add the findings to these Investigations.
Non-OT-specific alert investigations: When event data from non-OT Monitoring Technology triggers an alert in XDR deemed by Secureworks to be a Threat, initial triage, analysis, investigation will be performed by ManagedXDR Security Analysts (as described in the Threat Detection and Investigation section of the ManagedXDR and ManagedXDR Elite service descriptions). At the conclusion of their investigation, the Specialist Team will conduct further analyses for these Investigations with the goal of understanding the potential impact of the Threat to the Customer’s OT Environment.

For all Investigations, upon confirmation of a Threat by the Specialist Team, the Specialist Team will help orchestrate responses and remediation with Customer, which includes communicating with responsible stakeholders and advising Customer about appropriate actions.

Note

The Specialist Team will focus solely on Cybersecurity Threats identified or validated by XDR. Events generated by Customer OT Monitoring Technology related to SCADA alerts, vulnerability scanning, or patching are not considered Threats by this service and will not be investigated. Such out-of-scope events may be data points included in the investigation of a Cybersecurity Threat.

Investigation Procedures ⫘

The Specialist Team will primarily operate within XDR as well as Secureworks internal tools. The Specialist Team will investigate all XDR alerts determined by Secureworks teams to be Threats. The Specialist Team will perform investigations based on Secureworks best practices, the initial findings of ManagedXDR Security Analysts, and business context provided by the Customer during Onboarding and in an on-going fashion, as well as follow the escalation procedures for OT related Threats that will be developed by Customer and Secureworks during Onboarding. Additionally, the Specialist Team will directly access Customer’s supported OT Monitoring Technology, as needed, to enhance their investigations. Access for the Specialist Team to such platforms must be provided and maintained by the Customer. Customer acknowledges that not providing or maintaining this access for the Specialist Team limits the service that the Specialist Team can provide until the access is restored. The Specialist Team will use the Customer’s OT Monitoring Technology to conduct analyses, identify additional business context, and determine their recommendations.

Note

The Specialist Team does not conduct any activities related to managing Customer’s systems and tools (e.g., no software license or platform/configuration management).

Service Phases ⫘

There are two primary phases for delivering the Service: Onboarding and Steady State.

Onboarding ⫘

This phase will be managed by an assigned Program Manager (“PM”). The PM will coordinate the activities that must be completed during this phase. Secureworks will guide Customer through multiple activities to help ensure that the Specialist Team has the access, familiarity, and context needed to deliver the Service to Customer. Onboarding is expected to be completed within 6-8 weeks; timeline will be based on dependencies and the project plan that will be agreed-upon during Onboarding.

Steady State ⫘

Steady State commences when the Onboarding Checklist is completed and Customer has satisfied all Steady State requirements for the standard ManagedXDR service, which must accompany this Service (see ManagedXDR Onboarding Guide). During Steady State, the Specialist Team will conduct investigations and apply Customer’s business context based on their knowledge of OT security and information from Customer’s supported OT Monitoring Technology. When the Specialist Team confirms a Threat, they will advise on response and remediation for Customer and will collaborate with Customer-designated personnel as appropriate.

The table below indicates timing and activities conducted by Secureworks during the Service Phases. Please note that timing is approximate and predicated on Customer performing its responsibilities described herein.

Phase	Activities
Onboarding	*Timing: Upon start of Services Term* Ensure that the Specialist Team can access and use Customer’s Monitoring Technology. Discuss and explain Specialist Team workflows and investigation strategies. Discuss and document escalation processes for OT environment. Discuss and implement Taegis custom alert and suppression rules. Discuss OT Monitoring Technology tuning. Discuss Endpoint tagging and Taegis Data Collector labelling for OT Environment Complete Onboarding Checklist to verify readiness for transitioning to Steady State.
Steady State	*Timing: 6-8 weeks after Onboarding begins* All ManagedXDR investigations and XDR observed alerts from Customer OT Environment are reviewed by Specialist Team for OT risk Engage Customer as needed for orchestrated response and remediation activities

Phase

Activities

Onboarding

Timing: Upon start of Services Term

Ensure that the Specialist Team can access and use Customer’s Monitoring Technology.
Discuss and explain Specialist Team workflows and investigation strategies.
Discuss and document escalation processes for OT environment.
Discuss and implement Taegis custom alert and suppression rules.
Discuss OT Monitoring Technology tuning.
Discuss Endpoint tagging and Taegis Data Collector labelling for OT Environment
Complete Onboarding Checklist to verify readiness for transitioning to Steady State.

Steady State

Timing: 6-8 weeks after Onboarding begins

All ManagedXDR investigations and XDR observed alerts from Customer OT Environment are reviewed by Specialist Team for OT risk
Engage Customer as needed for orchestrated response and remediation activities

Customer Obligations ⫘

Customer is required to perform the obligations listed below and acknowledges and agrees that the ability of Secureworks to perform its obligations hereunder are dependent on Customer’s compliance with these obligations. Noncompliance with Customer obligations relative to this Service may result in limitations and reduced service capabilities or suspension of managed components of the Service.

Customer will do the following:

Ensure that all ManagedXDR obligations are met (see Customer Obligations for ManagedXDR).
Customer must acquire and maintain supported OT Monitoring Technology to provide network telemetry of Customer OT environments.
Provide and maintain Specialist Team access to Customer supported OT Monitoring Technology.
Maintain proper tagging and labeling within XDR to ensure visibility into the OT portion of the Customer environment.
Ensure list of Customer’s authorized contacts remains current, including permissions and associated information.
Obtain consent and authorization from the applicable third party, in form and substance satisfactory to Secureworks, to permit Secureworks to provide the Service if Customer does not own network resources such as IP addresses, tools, systems, hosts, facilities or web applications.

Additional Information ⫘

Billing for the Service begins at the same time as billing for XDR. Contact account manager or refer to the official terms as stated on Customer’s Transaction Document from purchase for the most up-to-date details. See the documentation within XDR for information about compatible browsers, Integrations, detectors, dashboards, and training.

Warranty Exclusion ⫘

While the Service is intended to reduce risk, it is impossible to completely eliminate risk, and therefore Secureworks makes no guarantee that intrusion, compromises, or any other unauthorized activity will not occur on Customer’s systems.

Glossary ⫘

Term	Definition
Alert	Prioritized occurrences of suspicious or malicious behavior detected by a detector in XDR.
Investigation	A central location within XDR that is used to collect evidence, analysis, and recommendations related to a Threat that may be targeting an asset in a Customer’s IT environment. Investigations are categorized into types, such as Security and Incident Response.
Parties	Customer and Secureworks are referenced jointly using this term.
Security Analyst	A Secureworks security expert who analyzes alerts deemed High and Critical for customers, and creates and escalates Investigations. *Note:* A Security Analyst may also be referred to as a ManagedXDR analyst or an MXDR analyst across other Secureworks documentation.
Services Term	Period of time identified in the Transaction Document during which Services will be delivered to Customer.
Threat	Any activity identified by XDR that may cause harm to an asset in a Customer’s IT environment.