Secureworks® Taegis™ ManagedXDR FAQ
- What is Taegis™ ManagedXDR?
- Taegis™ ManagedXDR (ManagedXDR) provides you with 24x7 security monitoring and investigations within the Secureworks® Taegis™ XDR application. The Service includes threat detection and investigations, threat response actions, 24x7 access to Secureworks® security analysts within the application, Incident Response services, and additional support and features as described in the Service Description.
- When does my ManagedXDR service and billing begin?
- Service for ManagedXDR begins at the same time as your Secureworks® Taegis™ XDR service, which starts once the login credentials for the Secureworks® Taegis™ XDR application are sent to you by email. Please contact your account manager or refer to the official terms stated on your Service Order for the most up-to-date details.
- What happens during the ManagedXDR onboarding phase?
- Immediately after your ManagedXDR service starts, a Global Deployment Services (GDS) Specialist will contact you to begin the onboarding phase for ManagedXDR. This is when you deploy agents, deploy collectors, begin data source integrations, and so on. Onboarding can take as little as two weeks, but the duration depends on how prepared you are to complete these activities. During this time, the GDS Specialist will be available to guide you through setting up any supported integrations, schedule a progress review teleconference with you, and provide technical guidance. You also have access to the Secureworks® Taegis™ XDR Ask the Expert feature to chat in real time with analysts about the application or service. You can find more details on the onboarding phase in Onboarding ManagedXDR.
- What is ManagedXDR steady-state monitoring and when does it begin?
- “Steady-state” is the point at which the ManagedXDR analysts begin monitoring your environment 24x7, investigating high and critical severity alerts, and creating investigations if an alert is deemed to be a credible threat. You are considered to have reached steady-state once you have deployed a supported agent on at least 40% of your Licensed Volume of endpoints and you have acknowledged completion of the training videos within parts one and four of the ManagedXDR Onboarding Overview.
While Secureworks will begin ManagedXDR steady state monitoring once you have reached 40% deployment and have acknowledged completion of the training videos within parts one and four of the ManagedXDR Onboarding Overview, Secureworks highly recommends that you deploy the Taegis™/Red Cloak™ Endpoint Agent software (or other supported endpoint agent software) on all licensed assets to maximize the effectiveness of the ManagedXDR service. Until fully deployed, your organization understands, agrees, and accepts the risk that the ManagedXDR service will have reduced service capabilities.
For those assets that do not have an agent deployed, ManagedXDR cannot complete critical tasks including, but not limited to:
| Service area | Limitation (without the agent deployed on the asset) |
|---|---|
| Threat Detection and Investigations | Asset cannot be monitored and threats cannot be detected or investigated |
| Threat Response Actions | Response actions cannot be performed on the asset |
| | Data from the asset cannot be included in telemetry for threat hunting |
| Remote Incident Response | No analysis or response recommendations will be available |
| | Data from the asset cannot be analyzed against our CTU threat intelligence |
- Why does ManagedXDR steady-state monitoring require 40% deployment of Licensed Volume?
- Before steady-state monitoring can begin, you must complete the onboarding phase, which is considered complete once at least 40% of your endpoints have supported agents deployed and you have acknowledged completion of the training videos within parts one and four of the ManagedXDR Onboarding Overview. This Licensed Volume requirement exists because the analysts need to have adequate visibility into what is happening in your environment, without which they are unable to determine the scope and severity of the alerts that they are receiving. Without that context, the analysts are unable to perform thorough investigations or make actionable recommendations.
- What is the format for the Security Protection Review (SPR) teleconference?
- The SPR is scheduled quarterly by your Customer Success Manager (CSM) and is conducted jointly by your CSM and TEM. In the SPR, we will define and review shared program goals and plans, examine your IT environment and notable alerts and investigations, and identify strategic recommendations to improve your security posture.
- What happens if an SPR gets cancelled or does not get scheduled/rescheduled?
- Secureworks will make three attempts to schedule or reschedule the SPR and if there is no agreed date and time, then the SPR report will be sent through email to the attendees that were specified. This alternative ensures that the report is delivered within the time period to which we commit, and ensures that there are no significant delays between quarterly reporting that is provided to the customer.
- Does ManagedXDR support all of the same endpoint integrations that are supported by Secureworks® Taegis™ XDR?
- As of Feb 2021, ManagedXDR supports all of the same endpoints that are supported by Secureworks® Taegis™ XDR, including Taegis™/Red Cloak™ Endpoint Agent as well as VMware Carbon Black Standard, VMware Carbon Black Enterprise, CrowdStrike, MS Defender for Endpoint, and SentinelOne.
- Is there any impact to features or capabilities if I use a third-party agent instead of Taegis™/Red Cloak™ Endpoint Agent?
- Secureworks® Taegis™ XDR supports multiple third-party endpoint agents in addition to Taegis™/Red Cloak™ Endpoint Agent. Secureworks does everything possible to maximize ManagedXDR outcomes with the telemetry provided by those tools. In some incident response situations, the Secureworks Incident Response team may ask you to temporarily deploy the Taegis™/Red Cloak™ Endpoint Agent or grant Secureworks access to your third-party consoles to perform incident response activities.
- Can I have multiple different EDR agents installed on my endpoints at the same time?
- While two or more EDR tools can operate together on the same host, we expect the user experience in this situation to be suboptimal for several reasons:
  - You will need to manage and update multiple agents.
  - There is potential for performance impact due to the overhead of having multiple agents running simultaneously on a single host.
  - If multiple agents are reporting to Secureworks® Taegis™ XDR, you will see duplicate asset records for all endpoints with multiple agents installed.
  - If multiple agents are reporting to Secureworks® Taegis™ XDR, there is a high probability that you will see duplicate alerts due to overlap in detection and reporting from the different agents.
We recommend that you deploy only one supported EDR agent technology per host reporting to Secureworks® Taegis™ XDR for your ManagedXDR service. Having different agents on different hosts is supported, but installing two (or more) agents on a single host is not recommended at this time.
- Can I have multiple different EDR agents in my environment?
- Yes, Secureworks® Taegis™ XDR supports multiple EDR technologies. Some customers use the Taegis™/Red Cloak™ Endpoint Agent for their Windows hosts, but use a different agent for their OSX hosts. This is fully supported. However, please see the question regarding having multiple EDR agents on the same host, which is not recommended at this time.
- Does ManagedXDR include management of my endpoint agents?
- No, ManagedXDR does not include management of endpoint agents. Please see the Service Description for what is managed.
- Will ManagedXDR analysts take actions to contain a threat without consulting me first?
- As part of our standard process, a ManagedXDR analyst will always contact you to explain the circumstances and severity of the threat and to gain your approval prior to taking any action. You may optionally authorize Secureworks to perform proactive response actions using customer-created playbooks within Secureworks Taegis XDR.
- How will you contact me if there is a threat and you need my approval to take action?
- For critical incidents, when immediate incident response is warranted, the ManagedXDR analysts will do the following:
  - The Secureworks® Taegis™ XDR Investigation will be assigned to you in Secureworks® Taegis™ XDR.
  - An email will be sent from Secureworks® Taegis™ XDR to all of your registered users in Secureworks® Taegis™ XDR to inform them of the creation of the Investigation. An in-application notification will also be displayed to all registered users.
  - A ManagedXDR analyst will also call the designated points of contact (up to three) as provided by you.
For non-critical incidents, the ManagedXDR analysts will send the Secureworks® Taegis™ XDR in-app notification and email but will not call the points of contact.
- How do you define critical incidents?
- Examples of critical incidents that require response actions, phone escalation to your team, and possibly engaging our Incident Response team include the following:
  - Threat actor “hands on keyboard” access to the environment
  - Ransomware outbreak, including the presence of ransomware on a single workstation or server
  - Credential dumping, as evidenced by Mimikatz activity, webshell activity, or process dumping of the LSASS process
  - Evidence of successful lateral movement
  - Data exfiltration
  - Privilege escalation
- How are proactive response actions different from response actions?
- Proactive response actions allow Secureworks to execute actions on critical threats without waiting for case-by-case customer approval.
- How do I enable proactive response actions?
- You must first create relevant proactive response playbooks within Taegis™ XDR and then authorize proactive response in Subscriptions in the Tenant Settings area of Taegis™ XDR for each of your Taegis™ XDR tenants. For more information, see Connectors and Proactive Response Actions Best Practices.
- Is the Incident Response (IR) included in ManagedXDR different from standalone IR?
- Yes. The IR included in ManagedXDR is focused on providing you with remote incident response for emergencies. If you are interested in more extensive IR services, Secureworks provides several options such as a full-service Incident Management Retainer (IMR) that includes expanded emergency response with service level agreements, proactive incident planning, and readiness exercises. The IMR can be purchased with the ManagedXDR service as an add-on. Visit the Incident Response page on our company website for information about our IR services and visit the IMR Services Catalog Overview page for more information about our IMR.
One of the objectives of ManagedXDR is to give you relevant facts and advice so you can make informed decisions about how to handle potential threats. The intent of including remote incident response in ManagedXDR is to accelerate your access to Secureworks Incident Response experts when you need to quickly consult with them (i.e., in an emergency) to obtain facts and advice relevant to a specific incident identified within ManagedXDR.
- How are custom rules supported in ManagedXDR?
- You can create custom rules using the Custom Rules feature within Taegis™ XDR, or in your own security tools integrated with XDR, which alert you when criteria that you define are matched. This feature gives your security team the flexibility to create rules specific to your environment and further customize your internal capabilities. Because these rules can vary greatly from customer to customer, our analysts are unable to monitor your custom rules. Therefore, if you implement custom rules, you must have internal resources and processes to manage the corresponding alerts.
- Why am I seeing custom suppression rules being used in my security environment by Secureworks?
- Secureworks makes routine updates and changes to Taegis to proactively improve the services and Taegis experience for all customers; as a ManagedXDR customer, you may see customized suppression rules, event filter modifications, and alert tuning designed to minimize low value alerts and focus time on high value alerts.
- Can customer-created automation rules affect the Secureworks investigation process?
- Yes, the Secureworks investigation process relies on relevant alerts being in an Open status and not being previously assigned to an investigation. For more information on how automation rules may inadvertently affect the Secureworks investigation process, please see this more detailed Knowledge Base article.
- Do Secureworks ManagedXDR analysts use automation in delivery of the service?
- Yes. Using the automation system built into Taegis, as well as tools integrated with Taegis via API, our ManagedXDR delivery teams use automation to continuously improve our performance. Automation is used strategically to reduce the time needed to complete tasks, ensure consistency in service deliverables, and reliably route information and notifications where they need to go. All automation is designed and controlled by our ManagedXDR delivery teams, who continuously monitor the performance and value of their automations.
- Do Secureworks ManagedXDR analysts use AI technologies in delivery of the service?
- Yes. Currently, our ManagedXDR delivery teams use AI technology to contribute to key findings within investigations. At this time, the AI technology is used to generate human-readable text based on the data in the investigation. Our goal is to quickly summarize information from the alerts and events associated with an investigation, reducing the time-consuming task of creating a basic narrative. Currently, all narratives are reviewed by an analyst prior to distribution to a customer.
- Does Secureworks offer a time-based Service Level Agreement (SLA) for ManagedXDR?
- Yes. Secureworks publicizes a 60-minute guarantee for a key link in the managed detection and response value chain: Threat Investigation, defined as the time from when an investigation is initiated by Secureworks to the time the customer is notified of our analysis. This SLA is further backed by a credit to the customer, which increases as the threat investigation time increases.
- How does the ManagedXDR SLA compare to other vendors?
- The majority of companies in the industry tend to focus on time-based goals and averages for alerts, escalations, and investigations that are not backed by SLAs. Secureworks is one of the few companies that publicizes a time-based SLA for its ManagedXDR service and backs the SLA with credits. Outside of Secureworks, there is little to no publicly available information pertaining to time-based SLAs available to customers.
- How is the SLA for ManagedXDR related to Taegis™ XDR?
- ManagedXDR is a managed service, and the associated SLA is the time for threat investigations (60 minutes; see the Service Description). Taegis™ XDR is a cloud service, and the associated SLA is the availability of the cloud service (99.9% of the time; see the SLA details). As indicated in the previous FAQ, few competitors offer an SLA associated with their managed service, whereas nearly all offer an SLA associated with their cloud service; therefore, it is important to understand the distinction.
- How do I request service credit if Secureworks does not meet stated ManagedXDR SLA?
- To receive a Service Credit, you must submit a claim by opening a ticket in the Secureworks® Taegis™ XDR Support Portal. To be eligible, the credit request must be received by Secureworks within thirty (30) days of the investigation being generated and must include:
  - The words “ManagedXDR SLA Credit Request” in the subject line, and
  - The dates and times of each Threat Investigation or Remote IR Service Request that you are claiming.
If the claim is confirmed by Secureworks, then Secureworks will issue the Service Credit to you within one billing cycle following the month in which your request is confirmed by Secureworks. Failure to provide the request and other information as required above will disqualify you from receiving a Service Credit.
See the Service Description for details on the SLA measures and credits.
- Can there be High severity alerts in a Critical priority investigation?
- Yes. Alert severity does not necessarily map 1:1 to investigation priority. For example, High severity alerts could be generated by Critical threat activity, in which case Secureworks SecOps would create a Critical priority investigation.
- Does Secureworks SecOps call out for all investigations and alerts?
- Secureworks SecOps only calls out for Critical priority investigations. SecOps does not call out for individual alerts.
- Is Taegis NGAV included with XDR or ManagedXDR?
- No, NGAV is separate software that can be purchased in addition to XDR or ManagedXDR. If you purchase NGAV and also have ManagedXDR, then Secureworks will integrate the NGAV telemetry into XDR and ManagedXDR analysts will monitor and respond to NGAV alerts in XDR.
- How do I contact Security and Product Support?
- Taegis™ ManagedXDR customers have 24x7 access to security analysts through in-application chat, ticket system, and by telephone. If you are a Taegis™ ManagedXDR customer, navigate to Tenant Settings→Subscriptions; the Support telephone number is listed at the bottom of the Subscriptions panel. Before calling, have your Support PIN ready in order to authenticate.