Secureworks® Taegis™ ManagedXDR - Japan
The Taegis™ ManagedXDR Service (“Service”) provides Customer with security monitoring and Investigations within Secureworks® Taegis™ XDR (“XDR”) 24 hours a day, 7 days a week (“24x7”). The Service includes Threat detection and Investigations, Threat and proactive response actions, 24x7 access to Secureworks® Security Analysts from within Taegis™ XDR, Threat Hunting, and additional support and features as described below. All capitalized words and phrases shall have the meanings set forth herein, as defined in the Glossary, or within the Secureworks-applicable agreement, such as the Customer Relationship Agreement.
- Services and associated support shall be provided in English unless otherwise noted.
- “Endpoint” and “asset” are used interchangeably in this service description.
- For customers with more than one XDR tenant (i.e., Additional Managed Tenant), service components and Service Level Agreements (“SLAs”) are applicable across all of Customer’s tenants, unless otherwise specified below.
Service Components
24x7 Access to Security Analysts (8x5 in Japanese)
Security Analysts are available 24x7 through the Taegis™ XDR in-application chat or ticket system, or through telephone. During standard working hours in Japan (defined as Monday to Friday; 9:00-17:00 Japan Standard Time (UTC+9)), Japanese-speaking security analysts are available to assist Customer in Japanese.
Threat Detection and Investigations
Secureworks will review and investigate Threats detected within Taegis™ XDR. Threats requiring further analysis as determined by Secureworks will result in creation of an Investigation within Taegis™ XDR. Secureworks will notify Customer through Taegis™ XDR, email, or supported integrations after enough evidence is collected and a Threat is deemed malicious, or if Secureworks requires further input from Customer to proceed with the Investigation.
Secureworks makes routine updates and changes to Taegis to proactively improve the services and Taegis experience for all customers; therefore, Customer may see customized suppression rules, event filter modifications, and alert tuning in XDR that are designed to minimize low-value alerts and focus time on high-value alerts.
For customers with more than one XDR tenant (i.e., Additional Managed Tenant), Threats will be monitored, and investigations will be created separately for each of Customer’s XDR tenants. Threat detection and investigations will not be performed across multiple tenants together.
Threat Response Actions
Secureworks will perform supported Threat response actions within Taegis™ XDR on behalf of Customer, after receiving authorization from Customer. The most current list of supported actions can be provided to Customer upon request. For some supported actions, Customer may optionally authorize Secureworks to perform proactive response actions using Customer-created playbooks within Taegis™ XDR.
For customers with more than one XDR tenant (i.e., Additional Managed Tenant), Threat response actions will be performed separately for each of Customer’s XDR tenants. Threat response actions will not be performed across multiple tenants together.
Threat Hunting
Secureworks will conduct Threat Hunting through Taegis™ XDR from supported integrations. Secureworks will inspect collected Customer telemetry to detect activity such as threat actors (through their tactics, techniques, and procedures — “TTPs”); anomalous user activity, network communications, and application usage; and persistence mechanisms. In addition, Secureworks conducts Threat Hunting monthly across customers’ information technology (“IT”) environments for relevant indicators of compromise and tactics collected from current incident response engagements. Threats detected as part of Threat Hunting will result in creation of an Investigation and Customer notification through Taegis™ XDR, email, or supported integrations.
For customers with more than one Taegis™ XDR tenant (i.e., Additional Managed Tenant), Threat Hunting will be conducted separately for each of Customer’s Taegis™ XDR tenants monthly.
Remote Incident Response (“RIR”)
A threat to Customer’s environment may be identified that requires RIR support. Secureworks will determine if RIR is required, continue analysis of the threat as necessary, and communicate with Customer. Communication between Customer and Secureworks for RIR may be through the XDR in-application chat, ticketing system, telephone, and/or IR Hotline. RIR is limited to examination of hosts and infrastructure that have data sources actively integrated with Taegis™ XDR. Additional data that is not within Taegis™ XDR may be gathered and analyzed as part of providing RIR support.
RIR includes the following:
- Incident support and coordination
- Digital media handling guidance and support
- Deployment support for host-based, network-based, and log analysis technologies
- Network analysis services
- Incident response and digital forensic analysis of online and offline infrastructure and datasets from Customer’s on-premises and cloud assets
- Malware analysis and reverse engineering
- Containment planning guidance
Secureworks will provide up to 40 hours of RIR to Customer for each three-month period in Customer’s Services Term. Should more than 40 hours be required in any three-month period, Customer can approve additional hours through email as indicated below. Hours for a future three-month period within Customer’s Services Term cannot be used before the start of such period. Any unused hours at the end of each three-month period of Customer’s Services Term expire.
Customer’s approval for additional RIR hours shall be sent through email to firstname.lastname@example.org. Customer acknowledges and agrees that receipt of such email will be from a Customer representative authorized to commit Customer to the purchase of additional RIR hours and email notification is binding upon Customer. Fees for additional RIR hours are billed monthly in arrears as hours are consumed.
Additional Incident Response services are available for purchase, including but not limited to the following:
- Incident Readiness and Advisory Services
- Workshops and Exercises
- Testing and Validation Services
- Technical Assistance Services
- Threat Intelligence Support Services
- Program Management — proactive planning workshops, emergency IR fundamentals workshop as provided by the Incident Management Retainer service
- Onsite investigations and response support
- For customers with more than one XDR tenant (i.e., Additional Managed Tenant), the 40 hours of RIR for each three-month period in Customer's Services Term will be shared across all of Customer’s XDR tenants. Customer must purchase additional RIR hours, as instructed above, for any RIR hours needed in excess of the 40 hours provided.
- If you purchased ManagedXDR through a Secureworks partner, then you must contact that partner for all additional purchases, such as RIR hours.
Secureworks Threat Intelligence
Taegis™ XDR is powered by Secureworks Threat Intelligence. Customer’s network and endpoint telemetry is continually compared against network, endpoint, and behavioral indicators to identify threats within Customer’s IT environment.
Threat Engagement Management
Secureworks will support Customer through providing a security expert who reviews and recommends continuous improvements to Customer’s security posture. For ManagedXDR customers, this support will be provided by a Threat Engagement Manager (“TEM”). Partnered with a Customer Success Manager (“CSM”), the TEM will meet through teleconference with Customer each quarter in a Security Protection Review (“SPR”) to review program goals, review notable activity in Taegis™ XDR, and provide recommendations for improvement. Additional details about the quarterly SPR are in the table further below.
For customers with more than one XDR tenant (i.e., Additional Managed Tenant), Secureworks will provide a single TEM and a single CSM to support all of Customer’s XDR tenants. The TEM and CSM will conduct a single, unified SPR each quarter for all of Customer’s XDR tenants. Each of Customer’s XDR tenants will not receive a separate SPR. The unified SPR will provide a summary-level review of program goals, recommendations, and license usage. Notable activity in XDR including alerts, investigations, and threat hunts will be provided for each of Customer’s XDR tenants.
Service Phases
There are two primary phases for delivering the Service: Onboarding and Steady State.
Prior to onboarding and deployment, Secureworks will activate Customer’s Service by provisioning access to Customer’s instance of XDR, which will also provide Customer with access to: 1) online documentation; and 2) instructions to access and deploy the Taegis™/Red Cloak™ Endpoint Agent.
Customer is responsible for deployment of the Taegis™/Red Cloak™ Endpoint Agent or other supported third-party Endpoint Agent, as well as the XDR Collector in Customer’s environment. Instructions for downloading the XDR Collector are located in the online documentation. Secureworks will assist Customer remotely through teleconference with questions during this process, as needed.
While Secureworks considers onboarding complete and the Security Investigation service level set forth below to apply when Customer has deployed at least 40% of its Licensed Volume (e.g., deployed compatible Endpoint Agents to endpoints) and Customer has acknowledged completion of the training videos within parts one and four of the ManagedXDR Onboarding Overview, Secureworks highly recommends that Customer completely deploy the Taegis™/Red Cloak™ Endpoint Agent (or other compatible Endpoint Agent) on all endpoints—up to Customer’s Licensed Volume—to maximize the effectiveness of the ManagedXDR service. Until completely deployed, Customer understands, agrees, and accepts the risk that the ManagedXDR service will have reduced capabilities for Customer’s environment. See the ManagedXDR Onboarding Guide for more details on these limitations.
For customers with more than one XDR tenant (i.e., Additional Managed Tenant), Secureworks will provision access to each instance of Customer’s XDR tenants. Customer is responsible for deploying Endpoint Agents and data collectors for each of Customer’s XDR tenants. To reach Steady State for each tenant, at least 40% of the allocated Licensed Volume for that tenant must be deployed and a Customer representative for each tenant must acknowledge completion of the training videos within parts one and four of the ManagedXDR Onboarding Overview. During onboarding, Secureworks will work with Customer to determine and document the initial allocation of Licensed Volume for each tenant. After Steady State is reached, Customer has the flexibility to re-allocate the total amount of Endpoint Agents (according to Customer’s Licensed Volume) across each of Customer’s XDR tenants at their discretion. Secureworks strongly recommends Premium Onboarding to support the complexity and project management required to onboard more than one tenant.
Steady State
Steady State monitoring and Threat Hunting for Customer’s environment commences when Customer has deployed at least 40% of its Licensed Volume (i.e., deployed compatible Endpoint Agents to endpoints) and Customer has acknowledged completion of the training videos within parts one and four of the ManagedXDR Onboarding Overview.
During the beginning of Steady State, Customer’s CSM will contact Customer to schedule the Initial SPR.
|Timing: From XDR activation until Steady State begins
Collect details about Customer including the following:
Customer completes the training videos within parts one and four of the ManagedXDR Onboarding Overview
|Timing: Approximately four (4) weeks after Steady State monitoring begins
|Timing: Quarterly after the Initial SPR is conducted
Customer Obligations
Customer is required to perform the obligations listed below, and acknowledges and agrees that the ability of Secureworks to perform its obligations hereunder, including meeting the Service Level Agreements (“SLAs”) listed further below, is dependent on Customer’s compliance with these obligations. Noncompliance with Customer obligations relative to this Service may result in limitations and reduced service capabilities, suspension of managed components of the Service and/or SLAs, or a transition to monitor-only components of the Service.
For customers with more than one XDR tenant (i.e., Additional Managed Tenant): The Customer Obligations listed below are required and applicable to each of Customer’s XDR tenants.
Customer will do the following:
- Ensure that Customer’s IT environment has a compatible Endpoint Agent installed on each endpoint that will be licensed for the Service
- Deploy a compatible Endpoint Agent on each endpoint (as explained above, once at least 40% of Licensed Volume is deployed, the transition to Steady State can begin)
- Obtain licenses and/or support for third-party Endpoint Agents from authorized sources
- Ensure availability of sufficient network bandwidth and access to perform the Service
- Perform ongoing monitoring of active integrations and Customer’s associated health to ensure the Service is operating optimally
- Provide appropriate access to Secureworks for integrations as required by Taegis™ XDR
- Ensure its security controls are operating on versions supported by Secureworks integrations
- Manage credentials and permissions for integrations with Taegis™ XDR
- Ensure list of Customer’s authorized contacts remains current, including permissions and associated information
- Provide information and assistance (e.g., files, logs, IT environment context) promptly during Investigations that Secureworks conducts for Threats against Customer
- Schedule reports and conduct ad-hoc reporting within Taegis™ XDR
- Ensure internal support for creation and management of custom rules (i.e., custom alert detection and analysis) as these will vary across customers and will not be supported by Secureworks
Service Level Agreements (“SLAs”)
The ability of Secureworks to perform an Investigation and decide whether a Threat is malicious is dependent on a compatible Endpoint Agent being installed on a licensed endpoint in Customer’s IT environment. The service levels below apply to endpoints that are licensed as part of the Service and are actively communicating with the Secureworks infrastructure.
The only type of Investigation for which Secureworks provides an SLA is the Security Investigation; no SLA is provided for any other type of Investigation.
|Secureworks will monitor XDR for Threats.
When malicious activity is detected, Secureworks will perform an Investigation, provide an analysis, and notify Customer.
Secureworks will notify Customer electronically, which may include using XDR, email, or supported integrations.
Subsequent related activity identified as part of the ongoing Investigation or monitoring will be appended to an existing Investigation.
|Time from Investigation-created timestamp to Customer-notified timestamp as measured by Secureworks
|Less than 60 minutes
|1/100th of the monthly Service fee if difference between the timestamps is 60-240 minutes
1/30th of the monthly Service fee if difference between the timestamps is greater than 240 minutes
Maximum of one credit will be given per calendar day (based on US Eastern time zone)
|Urgent requests for Unlimited Response submitted through the IR Hotline, the XDR in-application chat, or the ticketing system within XDR will be acknowledged by the Secureworks team within four (4) hours.
|1/100th of the monthly Service fee for each calendar day (based on US Eastern time zone) that the SLA is not met
Warranty Exclusion
While this Service is intended to reduce risk, it is impossible to completely eliminate risk, and therefore Secureworks makes no guarantee that intrusion, compromises, or any other unauthorized activity will not occur on Customer’s network.
Additional Information
Billing for the Service begins at the same time as billing for XDR, which occurs when the login credentials for XDR are sent to Customer through email. Contact account manager or refer to the official terms as stated on Customer’s Transaction Document from purchase for the most up-to-date details.
See the Taegis documentation for information about compatible browsers, integrations, detectors, dashboards, and training. Other information is also available, including release notes.
|Additional Managed Tenant
|An add-on service for ManagedXDR and ManagedXDR Elite that provides Customer with more than one Taegis™ XDR tenant.
|Prioritized occurrences of suspicious or malicious behavior observed by a detector in Taegis™ XDR.
|An application installed on an endpoint that is used to gather and send information about activities and operating system details of the endpoint to Taegis™ XDR for analysis and detection of Threats.
Use this link to access the list of Endpoint Agents that are compatible with Taegis™ XDR: https://docs.ctpx.secureworks.com/at_a_glance/#endpoints.
|Application Programming Interface (“API”) calls or other software scripts for conducting the agreed-upon Services for the connected technology.
|A central location within Taegis™ XDR that is used to collect evidence, analysis, and recommendations related to a Threat that may be targeting an asset in a Customer’s IT environment. Investigations are categorized into types, such as Security and Incident Response.
|A Secureworks security expert who analyzes alerts deemed High and Critical for customers, and creates and escalates Investigations.
Note: A Security Analyst may also be referred to as a ManagedXDR analyst or an MXDR analyst across other Secureworks documentation.
|A Taegis™ XDR-generated circumstance in which a compromise or suspected compromise has occurred involving a Customer’s environment.
|A type of Investigation that is conducted for a Critical or High alert or event in XDR after a Security Analyst completes preliminary investigative procedures to determine whether a Threat is valid.
|Service Level Agreements (“SLAs”)
|A binding agreement to meet defined Service delivery standards.
|Period of time identified in the Transaction Document during which Services will be delivered to Customer.
|Any activity identified by Taegis™ XDR that may cause harm to an asset in a Customer’s IT environment.
|To proactively and iteratively discover current or historical threats that evade existing security mechanisms and to use that information to develop future countermeasures and increase cyber resilience.