
Transitioning from CTP to Taegis XDR


Note

Taegis NDR is an evolution of iSensor, but with a new name and soon with expanded capabilities. You may see some references to the iSensor branding as we complete this transition.

For customers transitioning from the Counter Threat Platform (CTP) to Secureworks® Taegis™ XDR, this document explains how to perform the common tasks, and find the information, that you previously handled in the CTP Client Portal, and gives other guidance on the Taegis upgrade.

Common Tasks

Check the Health of NDR Devices

To check the health of your NDR Devices, select Integrations → Taegis™ NDR from the XDR left-hand side navigation. For more information, see View NDR Device Status and Health.

Review Critical Alerts

Review and Respond to Investigations Rather Than Security Incidents

The equivalent of Security Incidents in CTP are Investigations in XDR. To review and respond to an investigation, select Investigations from the XDR left-hand side navigation. For more information, see Work an Investigation.

You can also view your most recent investigations from the Recent Investigations widget on the Alert Triage Dashboard. For more information, see Recent Investigations.

Search for Alerts and Events

Use Advanced Search to craft queries to find the data you need. There are two advanced search options: Builder and Query Language. For more information, see Advanced Search Builder and Advanced Search Query Language.

Save and Retrieve Search Queries

You can save search queries that you use regularly to more easily find the data you need. To save, view, and execute a search, see Saved Searches.

Access CTU Research

Find the latest research and findings from the Secureworks Counter Threat Unit™ (CTU) research team from the Threat Intelligence Reports widget on the Alert Triage Dashboard. For more information, see Threat Intelligence Reports.

Find Reporting Resources

Create a Report from a Template

Reports in XDR differ somewhat from reports in the CTP Client Portal, but much of the data you are used to gathering is still available.

Several report templates are available, including the Taegis™ NDR Change Management report template and the Secureworks® Taegis™ XDR User Admin Summary report template. For more information on these and other available templates, see Create Reports from a Template.

Instead of the CTP Portal Activity Report, you can check the audit logs, found under Tenant Settings in XDR. For more information, see Audit Logs.

Create a Custom Report

An advanced search query can be used as the basis for creating, running, and scheduling custom reports. For more information, see Configure Custom Reports.

For examples of using advanced search queries to create custom reports with data similar to reports found in the CTP Client Portal, see the Reports FAQ.

FAQ

General

What is the Managed iSensor to XDR upgrade?

Secureworks® is upgrading existing Secureworks® Managed iSensor® subscriptions. Your Managed iSensor service will move from the Secureworks Counter Threat Platform™ (CTP) to Taegis™ NDR on Secureworks® Taegis™ XDR.

How does this impact me?

This upgrade makes no change to your existing subscription. You will continue to receive your NDR service on Taegis much as you did on CTP; see the Taegis™ NDR Service Description. There are no changes to the financial terms of your current agreement with Secureworks.

What are the benefits of this upgrade?

Benefits of this upgrade to Taegis include:

What must I do to receive the upgrade?

Secureworks has set up your XDR account for you. Using the link provided in the email you received from taegis@secureworks.com, log into XDR and set your password and multi-factor authentication. If you did not receive the email, please reach out to taegis@secureworks.com.

Will I be able to still access CTP?

No. Secureworks will disable access to CTP within 24-48 hours after the first contact at your company successfully registers with Taegis. If you have not registered yet, please do so as soon as possible. All Managed iSensor customers are being transitioned to XDR.

Will I receive the same level of service as I did before?

Yes. With this upgrade to Secureworks® Taegis™, Secureworks will continue to perform device management functions, which can include changes, rule/policy modifications, upgrades, and similar functions, upon request. Secureworks also will perform monitoring and alerting for security events. For more information, see the Taegis™ NDR Service Description.

Is my event data within the Secureworks Counter Threat Platform transitioned to XDR?

iSensor event data generated before your XDR tenant was created remains only in CTP and is not imported into XDR. Event data from the time your tenant was created onward is searchable in XDR. If you need historical Managed iSensor events from CTP, submit a help request in XDR and historical reports can be provided.

Has my device configuration changed?

No. Your device configuration remains the same in XDR as it was in CTP.

There are items in XDR that look outside the scope of my NDR subscription. How can I find out more?

Your current service continues to be based on NDR only. If you add other data sources or deploy any agents, additional charges may apply. To discover what XDR offers in addition to your NDR contract, please contact your Account Manager.

What happens to my Secureworks Counter Threat Platform (CTP) access when I log into XDR?

Once you or another contact at your organization successfully registers in XDR, Secureworks treats that login as acknowledgment that you are ready to receive services through XDR. CTP access, including access for all CTP users, is cut off within 24-48 hours after that first login. Make sure all other users register as soon as possible so they retain access.

How do my roles change from CTP to XDR?

The following table shows how we have assigned XDR roles based on the CTP role for each user. CTP roles marked N/A have no XDR equivalent and are not carried over.

CTP Role                       XDR Role
Admin                          Tenant Admin
service-entitlements           N/A
TI User                        N/A
Infrastructure                 Tenant Auditor
Scan_SSO_Exposures             N/A
Scan_SSO                       N/A
Auditor                        Tenant Auditor
CarbonBlack User               N/A
Threat Intelligence Analyst    Tenant Analyst
Security                       Tenant Analyst
ETDR User                      N/A
API User                       N/A
SCAN User                      N/A
Provisioning Automation User   N/A
Log Retention                  N/A
Analyst                        Tenant Analyst
User Admin                     Tenant Admin
TICE PUBLIC API USER           N/A
Foresee User                   N/A
TICE Application User          N/A

I'm not interested in transitioning from CTP to XDR. Can I opt out?

Your Managed iSensor subscription is being upgraded from CTP to NDR on XDR for the duration of your existing contract. Please contact your Account Manager for more information. Opt outs are not available.

Using XDR

How do I log in to XDR?

Your notification email from taegis@secureworks.com includes a link to log into XDR and set your password. If you did not receive the email, please reach out to taegis@secureworks.com. For more information, see Log In to XDR. Note that the link in your notification email will direct you to the correct XDR tenant.

To receive support, you’ll need your PIN which is located in the application. For more information, see Secureworks® Taegis™ ManagedXDR Telephone Support.

When I log into XDR, my dashboard is blank. How do I know my migration was completed successfully?

XDR generates fewer false positives than CTP. The dashboard appears blank until XDR receives alerts it classifies as high or critical, or until investigations are populated. When a high or critical severity alert is created, an investigation is created automatically. Only when an alert is a true positive or an actionable threat to your organization is the investigation escalated to your team.

You can use Advanced Search to query for alerts. For more information, see How do I see my NDR data? Also see How are custom rules supported in XDR? for information on creating custom alerts, and How do I get health information on my NDR Devices? to learn how to see your NDR Devices in XDR and confirm a successful migration.

What is the difference between an event, an alert, and an investigation?

An event is a single security-related occurrence on your network, such as one IDS signature match.

An alert is a notification in XDR created by a detector from one or more events, informing you of activity that may need further investigation.

An investigation groups related alerts and events seen in XDR so they can be analyzed and responded to together; it is the XDR equivalent of a CTP Security Incident.

How do I get health information on my NDR Devices?

NDR Devices appear in XDR under Integrations. From the XDR left-hand side navigation, select Integrations → NDR Devices. Your NDR Devices and health status display. For more information, see Manage NDR Devices.

How do I see my NDR data?

NDR data may be found by using XDR Advanced Search. The following is a query example:

from NIDS where sensor_type='ISENSOR'

For more information on searching for data in XDR, see Advanced Search.

Why am I not being alerted on information I would have been alerted on in CTP?

XDR is tuned and designed to only alert on critical and high events. It is expected that you will receive fewer escalations in XDR than you did in CTP. Note that event data is available in XDR for future reference and for compliance needs.

Custom MPLE rules from CTP do not transfer. Event data is processed by XDR detectors to generate alerts. If you wish to be alerted on particular events, you can create custom alerts. Secureworks does not review customer-created alerts for investigations. See the next question for more information.

How are custom rules supported in XDR?

You can create custom rules in XDR that alert you when criteria you have set are detected. Because customization varies greatly from customer to customer, Secureworks analysts do not monitor your custom rules. You must have internal resources and processes to triage and respond to the corresponding alerts.

How does Secureworks communicate with me on security events detected in my environment?

For critical incidents when immediate incident response is warranted, Secureworks analysts:

For non-critical incidents, a Secureworks analyst sends a notification in XDR and an email, but does not call the designated contacts.

For more information on Investigations in XDR, see Work an Investigation.

What happens with my previously configured escalation procedures? How do you communicate with me on security and health events?

Once you have registered in XDR, and if you are a Tenant Admin, you can update your points of contact for escalations. Click Tenant Settings, then Tenant Profile. Here you can add up to three notification contacts to be called should a phone call be warranted. You can check your role settings in the User Profile section in the upper left-hand corner of the application. You can also enter your network ranges and network information in the Tenant Profile section. For more information, refer to Tenant Profile. If you need assistance, you can use the chat feature, or open a support ticket and ask to review your current escalation procedures.

What can I do if I suspect that my NDR Device is causing interference in my environment?

Bypass modes are used when the NDR Device is causing network interference, preventing the need to physically remove it from the network. Contact Product Support via Chat or open a support ticket to determine and enable the suitable bypass mode for your NDR Device.

The NDR Device appliance can be placed into two types of bypass mode:

Why am I seeing custom suppression rules being used by Secureworks in my security environment?

Secureworks continuously updates XDR to proactively improve services and the customer experience. As an XDR customer, you may see customized suppression rules, event filter modifications, and alert tuning designed to minimize low-value alerts and focus time on high-value alerts.

How do I perform common CTP tasks in XDR?

For an overview of performing key tasks in XDR that are equivalent to CTP tasks, see Common Tasks.

Does XDR have a mobile app?

XDR does not have a native mobile app; it supports progressive web app technology, so it can be used from a mobile browser.

Does XDR offer automation to perform any tasks?

If you are a CTP customer currently using the API for ticket connectivity, see Automations Overview and Using the Automation GraphQL APIs before registration to understand how to build new processes on the XDR platform. XDR can also send automated alerts to a number of third-party and customer-owned tools, such as PagerDuty or Atlassian Jira.

Some tasks you can automate through XDR include:

For more information, see Automations Overview, Supported Playbooks, and Supported Connectors.

How do I perform Block (Shun) and Allow (Trust) functionality for NDR Devices in XDR?

To add Block and Allow rules to an NDR Device, select Taegis™ NDR from the Secureworks® Taegis™ XDR left-hand side navigation. For more information, see Allow and Block Tabs.

You can also perform Block and Allow actions via Automations. For more information, see Automations Overview and the following Knowledge Base article.

How do I get support?

Contact XDR Support by:

Does the old phone number work?

No. Taegis is supported separately from CTP. To receive support, you need your PIN, which you can find in XDR. Call your XDR Product Support Representative with your PIN. If you don’t have your support telephone number, see Taegis ManagedXDR Telephone Support.

I’m having trouble with the chat support. How can I resolve this?

See Chat Support for information on using the in-app XDR chat support. If you still have issues, please submit a help request.

How can I view my tickets?

Whenever there is an update on your ticket you will receive a notification email from taegis@secureworks.com that includes instructions as well as a link to login to Taegis at https://delta.taegis.secureworks.com/login.

On rare situations you might get redirected to https://ctpx.secureworks.com/login. If this happens, please navigate to https://delta.taegis.secureworks.com/login.

If additional assistance is needed, please reach out to taegis@secureworks.com.

Reports

Preconfigured templates for Executive Summary Report, Alerts Summary Report, Investigation Summary Report, and Taegis™ NDR Change Management Report are currently available and encompass many of the features in CTP reports. For more information, see Create Reports from a Template.

How do I create other reports in XDR?

In addition to the report templates available, you can create custom reports using the search query language in XDR. For more information, see Configure Custom Reports and Advanced Search Query Language Overview.

Compliance Board Reports

The Executive Summary and Alert Summary reports give you visibility into your NDR Devices, but not all components of the CTP Compliance report are available in XDR. Refer to the below XDR queries for other reports and graphics that can be run from Advanced Search:

Total IPS/IDS Attack Events by Action
Total IPS/IDS Attack Events per Day
Total Other Monitoring Attack Events per Day

Search Query — from alert where sensor_types !in ('isensor', 'yourSensorType')

where yourSensorType is the sensor type you want to exclude.

IPS/IDS Authorized Activity

Note

The format of this report is a CSV file that includes all line items.

Monitored Authorized Activity

Note

You must know each sensor_type you want included in this view. It should not include isensor, as that is covered by the Appendix C view.

where 'yourSensorType' and 'yourOtherSensorType' are the sensor types you are looking for.

These queries for reporting are documented for your use to accompany the previously mentioned reports:

Attack Summary
Attacked Ports
Top Attacks
Blocked and Unblocked Attack Trend

Note

The Blocked field contains one of three numeric values: 1=NotBlocked, 2=Blocked, 3=WouldHaveBlocked

Security Events Report

Attack Trend

Note

What appears in this report depends on your preferences. The query provided is the basis, but you must add filtering criteria based on your needs. You can append the query with a where clause and include fields you’d like to filter the report by.

Executive Summary Report

This example of an executive summary report consists of the following four reports:

Attack Summary
Attacked Ports
Top Attacks
Blocked and Unblocked Attack Trend

Note

The Blocked field contains one of three numeric values: 1=NotBlocked, 2=Blocked, 3=WouldHaveBlocked
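The Blocked-field note above, which also appears under Blocked and Unblocked Attack Trend in the Compliance Board Reports section, is what you need to read exported search results correctly. The following Python script is an added example, not part of the Secureworks documentation and not the XDR export format: it applies that 1/2/3 mapping to a constructed CSV export and builds several of the views named on this page in one pass (attack events by action, the per-day Blocked/Unblocked trend, the "other monitoring" view that the `sensor_types !in (...)` query expresses, and a top-attacks count). The column names created_at, sensor_type, blocked and attack, and the sample rows, are assumptions made for illustration. Unknown Blocked codes are kept visible rather than silently folded into a known bucket, so a schema change shows up in the report instead of skewing it.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Mapping quoted from the page: 1=NotBlocked, 2=Blocked, 3=WouldHaveBlocked
BLOCKED_LABELS = {1: "NotBlocked", 2: "Blocked", 3: "WouldHaveBlocked"}

# Constructed sample export (assumed column names; not a real XDR export).
SAMPLE_CSV = """created_at,sensor_type,blocked,attack
2024-05-01T08:12:00Z,isensor,2,ET SCAN Nmap Scripting Engine
2024-05-01T09:30:00Z,isensor,1,ET WEB_SERVER SQL Injection
2024-05-01T23:59:59Z,isensor,3,ET EXPLOIT Apache Struts OGNL
2024-05-02T00:00:01Z,isensor,2,ET SCAN Nmap Scripting Engine
2024-05-02T11:15:00Z,firewall,1,Policy Deny
2024-05-02T12:00:00Z,isensor,7,ET POLICY Unknown
"""


def blocked_label(code):
    """Map the numeric Blocked field to its name. Codes outside 1..3 are
    reported as Unknown(<code>) instead of being dropped or misfiled."""
    try:
        return BLOCKED_LABELS.get(int(code), f"Unknown({code})")
    except (TypeError, ValueError):
        return f"Unknown({code!r})"


def parse_rows(csv_text):
    """Parse the export, bucketing each row by its UTC calendar day."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(rec["created_at"].replace("Z", "+00:00"))
        rows.append({
            "day": ts.astimezone(timezone.utc).date().isoformat(),
            "sensor_type": rec["sensor_type"].lower(),  # page mixes ISENSOR/isensor
            "blocked": blocked_label(rec["blocked"]),
            "attack": rec["attack"],
        })
    return rows


def totals_by_action(rows, sensor_types=("isensor",)):
    """Total IPS/IDS Attack Events by Action, restricted to NDR sensors."""
    return dict(Counter(r["blocked"] for r in rows if r["sensor_type"] in sensor_types))


def trend_by_day(rows, sensor_types=("isensor",)):
    """Blocked and Unblocked Attack Trend: {day: {label: count}}."""
    trend = defaultdict(Counter)
    for r in rows:
        if r["sensor_type"] in sensor_types:
            trend[r["day"]][r["blocked"]] += 1
    return {day: dict(c) for day, c in sorted(trend.items())}


def other_monitoring_per_day(rows, exclude=("isensor",)):
    """Total Other Monitoring Attack Events per Day: the page's
    sensor_types !in (...) filter, applied client-side to the export."""
    return dict(sorted(Counter(r["day"] for r in rows
                               if r["sensor_type"] not in exclude).items()))


def top_attacks(rows, n=3, sensor_types=("isensor",)):
    """Top Attacks by signature name for NDR sensors."""
    return Counter(r["attack"] for r in rows
                   if r["sensor_type"] in sensor_types).most_common(n)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    print("By action:", totals_by_action(rows))
    print("Trend:", trend_by_day(rows))
    print("Other monitoring:", other_monitoring_per_day(rows))
    print("Top attacks:", top_attacks(rows, 1))
```

To use it against a real export, save the Advanced Search results as CSV, rename the columns to match (or adjust the four field names in parse_rows), and feed the file contents to parse_rows.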

Note that several CTP reports are not available in XDR. These include:
