☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

CTU Countermeasures

The Secureworks Counter Threat Unit™ (CTU) Countermeasures consist of high-fidelity, high-priority Rulesets that can be deployed to Snort-based sensors and Suricata-based sensors. Countermeasures can be downloaded via the API or by using the CTU Countermeasures download utility within Secureworks® Taegis™ XDR.

Note

CTU Countermeasures are available for download by Tenant Administrators.

Snort Sensors 2.9.x ⫘

Snort Talos Supplement

Note

Updates for the Snort Talos Supplement Ruleset have been discontinued as of April 2023, but they are available for download.

Suricata Sensors 2.0.x and later ⫘

Suricata Enhanced (Recommended) ⫘

High-fidelity, broad Ruleset composed of malware and other security-related countermeasures with additional metadata that conforms to the v1 of the BETTER Schema.

Suricata Security ⫘

High-fidelity, broad Ruleset composed of malware and other security-related countermeasures.

Suricata Malware ⫘

High-fidelity, high-priority Ruleset composed mainly of malware-related countermeasures.

Note

Suricata Rulesets are usually updated during United States business days (Monday - Friday).

Download Countermeasures ⫘

You can download the CTU Countermeasures using the Countermeasure API or you can follow the steps below to download them from XDR.

Download CTU Countermeasures

From the XDR. left-hand side navigation, select Downloads → Countermeasures.
Choose the Ruleset and Policy corresponding to the device type to which you plan to import the ruleset:

Note

The download links expire 15 minutes after you navigate to the CTU Countermeasure Download page. Refresh the page to generate new links.

The Ruleset downloads in the form of a gzip compressed tar archive file with a .tgz extension. The Rules can be found in the XML file for the PAN Policy or the ’Rules’ directory for the Snort and Suricata Policies.

Sourcefire Installation Instructions ⫘

This section describes the steps to follow to unpack CTU countermeasures, configure a shared Policy, add a shared layer, and import/update Rules for Sourcefire & Firepower sensors.

Updating CTU Countermeasure Rulesets ⫘

This section describes the contents of the Countermeasures file downloaded in the preceding section. The CTU rulesets discussed in this document are intended to complement the Talos (formerly VRT) rules from Sourcefire.

Note

When establishing rulesets, the CTU takes into account duplicate coverage provided by Talos rules and performance metrics.

Ruleset Unpacking ⫘

After service implementation, follow the steps in the preceding sections to download the latest Countermeasures file. The following is a sample screenshot showing the unpacking of the ruleset download and the files contained.

RuleSet Unpacking

Unpacking Ruleset

Ruleset files ⫘

The following files are included as part of the ruleset file.

sw.rules ⫘

This file is located in the ’rules’ directory and contains the full ruleset that is updated at least twice weekly. New rules will be added to the complete ruleset. Modified rules will be modified with an increased revision number. Existing rules will have rule collisions (expected).

sw.rules

Count Number of Lines in sw.rules File

sw.rules.md5 ⫘

An md5sum file provides integrity of the file. The entries should match before importing any rules. The following screenshot displays an example of an md5sum with matching entries.

sw.rules.md5

Check and Compare Md5 of sw.rules

release_number.txt ⫘

This file displays the rule’s release version. The following screenshot displays ruleset 261.

release_number.txt

View Release Number

previous_release_number.txt ⫘

This file displays the rule’s previous release number. The following screenshot displays ruleset 260.

previous_release_number.txt

View Previous Release Number

sw_rules_added.txt ⫘

This file displays newly added and changed rules since the previous release. The following screenshot displays 12 lines, corresponding to 10 rules with the header and trailing blank line discounted.

sw_rules_added.txt

View Count of Rules Added

sw_rules_removed.txt ⫘

This file is a diff of rules that were in the previous ruleset but have been removed in this release. The following screenshots display one rule with two lines for comment.

Note

Please review and then manually delete these rules from the Defense Center.

sw_rules_added.txt

View Count of Rules Removed

sw_rules_added.txt

View Rules Removed

notification_text ⫘

This is an informational text file describing the files in the ruleset download.

Sourcefire v4.10 Policy Layering ⫘

This section describes the steps to follow to configure a shared policy, add a shared layer, and import/update rules for a Sourcefire v4.10 sensor.

Note

Sourcefire v4.10 has been classified as End of Life by Sourcefire and is no longer supported by Secureworks. The following instructions for applying Countermeasures to a v4.10 sensor are included as a courtesy to our clients.

Configuring Shared Policy ⫘

There are many ways to configure the Policy layers in a Sourcefire Policy. The following is a recommendation explaining how Secureworks deploys Rules to the devices we manage.

Log in to the Defense Center and click Policy and Response → IPS → Intrusion Policy.
Create a new Policy named CTU Signatures Layer.

Note

Variables are unnecessary, as we are creating this Policy as Rules layer to be used in existing IPS Policies. Hence, No Rules Active is the base Policy.

Create Intrusion Policy

Select Create and Edit Policy to open the Policy for editing.
Expand the Policy Layers menu on the left and select My Changes.
Rename the layer CTU Rules and make it a shareable layer by clicking the checkbox.
Click Policy Information → Commit Changes.

Edit CTU Signatures Layer

Note

Custom signatures are disabled by default when imported to the Defense Center

Adding a Shared Layer ⫘

Now that you have a shareable Policy layer that can be used by any other Policy, you can add this Shared Layer to other Policies.

Note

Please ensure that signatures are enabled only on the Policies you’ve chosen.

To add a shared layer, perform the following steps:

Select or edit an existing Policy to which you wish to add the CTU layer.
Select Policy Layers.
Select Add Shared Layer.
Select the CTU Rules layer from the Dropdown menu, and then click OK.

Add Shared Layer

Click Policy Information → Commit Changes
Repeat step 5 for every Policy on the Defense Center to which you wish to add this layer.

Importing/Updating Rules ⫘

Click Policy and Response → IPS → SEU.
Select the Import SEU.

Note

Only import the sw.Rules file.

**Import Rules**

Import Rules

Browse to the extracted file and select Open → Import. After the rule import is complete, a message displays indicating a successful import.
Click Policy and Response → IPS → Intrusion Policy. Select or edit your CTU Signatures Layer Policy.
Browse to the CTU Rules Layer, expand, and select the Rules and the Local category.

Important

This step is critical to select the correct context.

Edit CTU Rules Layer

Select the top-level checkbox to select all.
Select Rule State → Generate Events or Drop and Generate Events.

Note

Determine whether you want the signature in a blocking or alerting-only state, and be mindful of the rule count to ensure you performed step 6 correctly.

CTU Rules Layer Actions

Set CTU Rules Layer Actions

Click Policy Information → Commit Changes. An alert displays stating that all Policies to which the layer is added will be affected.

Note

You can push/apply the Policy during your normally scheduled change window.