
Onboarding for Taegis ManagedXDR Elite



Overview

Prior to onboarding and deployment, Secureworks will activate your Service by provisioning access to your instance of Secureworks® Taegis™ XDR, which will also provide you with access to: 1) online documentation; and 2) instructions to access and deploy the Secureworks® Taegis™/Red Cloak™ Endpoint Agent.

XDR is designed to support self-guided onboarding. For an overview of self-guided onboarding, see the Secureworks® Taegis™ ManagedXDR Onboarding Overview. Together with guidance from your Customer Success Manager (CSM) and Threat Hunter, this overview will help you take control of and complete your onboarding process.

Secureworks Personnel

Secureworks will provide additional personnel and support during the onboarding process. Throughout the process, it is important to understand the roles and responsibilities for you and Secureworks, as well as the Secureworks points of contact during the onboarding process. For more support in these areas or additional training of your teams, Secureworks offers a suite of professional services, including Premium Onboarding for ManagedXDR.

Customer Success Manager (CSM)

The CSM will partner with you and serve as your primary operational point of contact during onboarding. The CSM will coordinate with the Secureworks Solutions Engineer and sales team to review and validate all information collected during the pre-sales process, including the proposed architecture and solution map, as applicable. The CSM is available to guide you through the process of setting up supported integrations and tracking deployment progress until transition to steady state.

Threat Hunter

Threat engagement management responsibilities are provided by your Threat Hunter, who will be the security expert that reviews and recommends continuous improvements to your security posture. Partnered with your CSM, the Threat Hunter will meet through teleconference with you each quarter in a Quarterly Update to review program goals and notable activity in XDR and to provide recommendations for security posture improvement.

Onboarding Time Frame

The graphic and table below indicate the phases, milestones, responsibilities, and resources. The time frame is approximate; actual time required varies from customer to customer and depends primarily on the speed at which each customer deploys data collectors and endpoint agents. After deploying at least 40% of your Licensed Volume to endpoints and acknowledging completion of the training videos within parts one and four of the ManagedXDR Onboarding Overview, Secureworks will schedule and conduct the Quarterly Update with you.

For more information on the phases and steps required for onboarding, see the XDR Onboarding Overview.

Onboarding Time Frame Graphic


Phase Secureworks Responsibilities Customer Responsibilities Resources
Activation
  • Send activation e-mail with activation instructions and credentials (billing for XDR and ManagedXDR Elite commences)
Activate XDR and ManagedXDR Elite
  • Onboarding Specialist/CSM
Getting Started
  • Schedule and conduct onboarding preparatory teleconferences (Onboarding Specialist/CSM)
  • Provide Taegis/Red Cloak endpoint agent
  • Progress checks with onboarding team
  • 24x7 access to security analysts through XDR in-application chat and toll-free telephone
  • Access to XDR support agents
  • Response, not limited by time or number of incidents, for in-scope environment
  • Access to latest Secureworks CTU team Threat Intelligence reports
Deploy Endpoint Agent and Connect Data Sources
  • Schedule and conduct deployment progress review (Onboarding Specialist/CSM)
  • Deploy data collectors
  • Deploy endpoint agents (minimum of 40% of Licensed Volume)*
  • Attend scheduled teleconferences
  • Progress checks with onboarding team
  • 24x7 access to security analysts through XDR in-application chat and toll-free telephone
  • Access to XDR support agents
  • Response, not limited by time or number of incidents, for in-scope environment
  • Access to latest Secureworks CTU team Threat Intelligence reports
Readiness and Steady State
  • Schedule and conduct Initial Baseline Review (Onboarding Specialist/CSM/Threat Hunter)
  • Finish deploying endpoint agents to endpoints, up to your Licensed Volume*
  • Attend scheduled teleconferences
  • Complete the training videos within part four of the ManagedXDR Onboarding Overview
  • 24x7 monitoring and investigation of threats detected by XDR
  • Threat response actions as approved by you
  • Threat hunting on a continuing basis across your environment for relevant indicators of compromise and tactics
  • Quarterly Update with CSM and Threat Hunter
  • 24x7 access to security analysts through XDR in-application chat and toll-free telephone
  • Access to XDR support agents
  • Response, not limited by time or number of incidents, for in-scope environment
  • Access to latest Secureworks CTU team Threat Intelligence reports

Onboarding Time Frame Table

*While Secureworks will consider onboarding complete after 40% deployment of Licensed Volume, Secureworks highly recommends that you deploy the Taegis/Red Cloak Endpoint Agent (or other compatible endpoint agent) on all endpoints—up to your Licensed Volume—to maximize the effectiveness of the ManagedXDR Elite service. Until deployment of Licensed Volume on all endpoints is completed, your organization understands, agrees, and accepts the risk that the ManagedXDR Elite service will have reduced service capabilities for your environment.

Note

While you may have other supported endpoint agents deployed in your environment, at this time only Taegis Endpoint Agent, Red Cloak Endpoint Agent, Carbon Black, Microsoft Defender, and CrowdStrike for Endpoint EDRs are supported for Elite Threat Hunting-specific activities.

Suggested Resources

To ensure productive onboarding and integration of the Service in your security practice, we suggest that your onboarding plans include the following roles from your organization.

Roles and Responsibilities
  • Security Engineer/Analyst: Management of XDR, application users, supported log source integrations, and event handling
  • System Administrator: Deployment of endpoint agent and XDR collector, and hypervisor configuration
  • Network Engineer/Administrator: Configuration of logging for supported network devices
  • Security Manager: Integration of XDR into your organization's security practice and operating processes
  • Project Management: Initiating, planning, executing, controlling, and closing the work of your team in alliance with the Secureworks project management resource, to achieve activation of XDR and the ManagedXDR Elite service

Customer Responsibilities

Below are your primary responsibilities during onboarding to ensure a smooth transition from initiation to steady state. Additional responsibilities may arise as needed to support aspects of the implementation that are unique to your specific information systems and environment.

  1. Provide contact information for initial XDR Administrator (Tenant Admin) registrant to be used by Secureworks to provision the XDR application.
  2. Create user accounts for additional users of XDR and maintain all user accounts, ensuring that contact information for each user is complete and accurate.
  3. Configure and manage hypervisor resources to support the deployment of Taegis™ XDR Collector.
  4. Configure and maintain supported on-premises log source and cloud integrations in accordance with XDR log format requirements.
  5. Deploy the XDR Collector and successfully configure at least one supported integration.
  6. Deploy compatible Endpoint Agents on endpoints (once at least 40% of Licensed Volume is deployed, the transition to Steady State can begin).
  7. Respond to Secureworks communications in a timely manner and ensure attendance of the necessary customer POCs for all teleconferences to ensure timely completion of onboarding.

Note

If you choose to authorize Proactive Response Actions to allow ManagedXDR Elite analysts and threat hunters to perform actions in your environment on your behalf, it is your responsibility to configure and maintain supported connectors and to set up Response Actions and other playbooks. For more information about authorizing and configuring Response Actions, see Configuring Connectors and Proactive Response Actions.

Note

ManagedXDR customers have 24x7 access to security analysts through in-application chat, ticket system, and by telephone. If you are a ManagedXDR customer, navigate to Tenant Settings→Subscriptions; the Support telephone number is listed at the bottom of the Subscriptions panel. Before calling, have your Support PIN ready in order to authenticate.

Note

During Onboarding, Customer may submit threat hunting-specific questions through the SOC and Customer will be provided with responses from the SOC or the threat hunting team in a timely manner; however, a designated Threat Hunter will not be available to Customer until Steady State is reached.

Onboarding FAQs

Is Process Disruption available in XDR?

No, although Process Blocking and Safe-Listing are on the roadmap for consideration.

Will SecOps isolate hosts on behalf of the customer without authorization? (Critical Investigations Only)

No, unless you have agreed to sign a legal document. That document can be verified in XDR under Tenant Settings→Subscriptions.

Can I use my Incident Response (IR) hours for a tabletop exercise?

IR hours cannot be used for a tabletop exercise for customers who purchased this service prior to February 2, 2023.
For customers who purchased this service on or after February 2, 2023, IR hours cannot be used for a tabletop exercise; however, you can use Service Units for a tabletop exercise if you buy the Secureworks Services for ManagedXDR Add-on.

Can you engage the Threat Hunter at any time?

No, scheduled meetings with the Threat Hunter occur within the mutually agreed upon time periods.

Can you tune in XDR?

Yes, by leveraging Suppression Rules or Custom Rules, which are located under Tenant Settings→Rules.

Can you use Red Cloak Ignition Module in XDR?

No; however, it is on the roadmap.

If I have ManagedXDR, what is my Incident Response support?

For complete details on Remote Incident Response (RIR) support, see ManagedXDR’s Service Description.

If I have XDR, do I have access to Unlimited Response for Investigations?

No. Only ManagedXDR customers have access to Unlimited Response for Investigations.

Does the ServiceNow Orchestration communicate updates bi-directionally?

It is one-way. Bi-directional is on the roadmap.

How long do the Investigations stay in XDR?

Investigations are retained for the life of your contract. However, Alert and Event data is retained for the retention period and no longer appears in Investigations after that period. See our Data Retention Policy for more information.

How do I use CyberChef?

For a complete overview of CyberChef, including information on how to access and use the tool, see CyberChef.

How do I enable Customer Use Cases and Suppression Rules?

A newly created custom use case or suppression rule defaults to Disabled. You must go into the rule and enable it after creating it.

Can I change the timezone in the XDR application?

The default time setting is UTC. To set the timezone to control the time and date displayed within XDR, see Profile Settings.

Can multiple endpoint agents be deployed to the same endpoint?

Yes; however, certain Red Cloak modules must be disabled to avoid duplicate telemetry. Note that this requires approval during your Pre-Sales phase.

How are log flows modified if I have both Taegis and Log Vault?

All devices that are to be monitored should be sent to Taegis. All logs that need to be retained should be sent to the Log Vault. There is no forwarding capability from either of these solutions.

Can I email support@secureworks.com and receive a response?

No. Secureworks can only interact with registered authenticated users. Support can be accessed by using the chat feature in the application or by raising a ticket. For more information, see Where Can I Open a Ticket?

We are having issues deploying the Red Cloak agent via Group Policy. Will Secureworks support us in trying to resolve this?

There may be occasions where Secureworks can provide guidance; however, this is limited. Secureworks is not responsible for the endpoint rollout.

Where do I go for Carbon Black support?

  • To raise a Case (support request/ticket) with Carbon Black, or to make use of their training and support documents, you must create an account in the Carbon Black Community.
  • We suggest you use the same email address as the email address provided to set up your access to the Carbon Black GUI.

Where do I go for Snare support?

For Snare support, send an email to snaresupport@prophecyinternational.com.

 
