Capabilities At a Glance๐
The following summarizes the integration and configuration capabilities of Secureworksยฎ Taegisโข XDR, including what data sources are compatible and what data from those sources are needed and/or available to XDR Detectors and the watchlists XDR can ingest.
Tip
Explore our video series to enhance your understanding of data integrations and how they serve effective coverage for threat detection. The training covers how data in Taegis XDR is parsed and normalized into schemas, feeding data into our detectors listed below: Training: Understanding XDR Data.
Regions๐
Note
Availability of XDR features depend upon the region your environment is deployed in.
Detector Inputs๐
The following lists the data sources or schemas that each Taegis detector requires:
- Account Compromise โ Auth
- Bring Your Own Threat Intel โ Normalized telemetry from supported integrations
- Brute Force โ Auth
- Business Email Compromise โ CloudAudit
- Cloud Recon to Change โ AWS CloudAudit
- Domain Generation Algorithms โ DNS
- Hands-On-Keyboard โ Process
- Impossible Travel โ Auth
- Kerberoasting โ Auth
- Network IDS โ NIDS
- Password Spray โ Auth
- Penetration Test โ Detections
- Portscanning and Broadscanning โ Netflow
- Punycode โ DNS
- Quick Mail Consent (MS o365) โ Cloud Audit (MS O365 Management API Audit Logs)
- Rare Program to Rare IP โ Netflow, Process
- SharpHound โ Auth, Netflow
- Snapshot Exfiltration โ AWS CloudTrail Logs
- Stolen User Credentials โ Auth, Observations
- Suspicious DNS Activity โ DNS
- Tactic Graphs โ Detections, Antivirus, ApiCall, Auth, Cloudaudit, Detection Finding, DNS, Email, File Modification, HTTP, Management, Netflow, NIDS, Process, Script Block, Taegis Agent Detection, Third Party
- Taegis NDR โ Detections, NIDS, Netflow
- Taegis Watchlist โ All telemetry normalized into XDR schemas
- Watchlist, Cloud โ Auth
- Watchlist, Domain โ DNS
- Watchlist, Email โ Email
- Watchlist, Endpoint โ Normalized endpoint telemetry
- Watchlist, IP โ Auth, Netflow
Data Retention Policy๐
Secureworks retains event and detection data for 12 months from the date the data is received. All other data concerns are covered in the Secureworks Cloud Services Interface Privacy Statement.
Provided Data from Integrations๐
Provided data is categorized as Normalized Data, Out-of-the-Box Detections, or Vendor-Specific Detections.
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Detection Rules to generate detections based on normalized data from a data source.
Cloud๐
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| Amazon GuardDuty | Thirdparty | ||
| AWS Application Load Balancer | HTTP | ||
| AWS CloudTrail | Auth, CloudAudit | ||
| Amazon S3 Server Access Logs | HTTP | HTTP | |
| AWS VPC Flow Logs | Netflow | ||
| AWS Web Application Firewall | HTTP | HTTP | |
| Box | Auth, CloudAudit, Thirdparty | ||
| Cisco Umbrella | DNS, HTTP, Netflow | ||
| Google Cloud Platform | CloudAudit | Netflow | Thirdparty |
| Google Workspace | Auth, HTTP | Auth, CloudAudit, Thirdparty | |
| MS Azure Active Directory | Auth, CloudAudit | ||
| MS Azure Active Directory Activity Reports | Auth | CloudAudit | |
| MS Azure Active Directory Identity Protection | CloudAudit, Thirdparty | ||
| MS Azure Activity Logs | CloudAudit | ||
| MS Azure Firewall | DNS, HTTP, Netflow | ||
| MS Azure Flow Logs | Netflow | ||
| MS Azure WAF on Application Gateway | HTTP | ||
| MS Azure WAF on Front Door | HTTP | ||
| MS Graph Security API v1 | CloudAudit, Thirdparty | ||
| MS Graph Security API v2 | Antivirus, CloudAudit, Email, Thirdparty | ||
| MS Office 365 | Auth | Auth, CloudAudit, Email, Thirdparty | |
| Oracle Cloud Infrastructure (OCI) | CloudAudit | HTTP, Netflow | NIDS, Thirdparty |
| Salesforce Real-Time Event Monitoring | Auth, CloudAudit, HTTP, Thirdparty | Thirdparty |
Email Security๐
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| Abnormal Inbound Email Security | |||
| Check Point Harmony Email Security | Email, Thirdparty | ||
| Mimecast | HTTP | ||
| Proofpoint | HTTP |
Endpoints๐
| Detections | Auth | DNS | File Collection | HTTP | NIDS | Netflow | Process | File Modification | API Call | Registry | Scriptblock | Management | Persistence | Thread Injection | Detection Finding | Technique Finding | Generic | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Sophos Windows Endpoint Agent | โ | โ | โ | โ | โ | โ | โ | โ | โ | โ | โ | |||||||
| Sophos Linux Endpoint Agent | โ | โ | โ | โ | โ | โ | โ | โ | ||||||||||
| Taegis Windows Endpoint Agent | โ | โ | โ | โ | โ | โ | โ | โ | โ | โ | โ | โ | ||||||
| Taegis macOS Endpoint Agent | โ | โ | โ | โ | โ | โ | โ | |||||||||||
| Taegis Linux Endpoint Agent | โ | โ | โ | โ | โ | โ | โ | โ | ||||||||||
| Red Cloak Windows Endpoint Agent | โ | โ | โ | โ | โ | โ | โ | โ | ||||||||||
| Red Cloak Linux Endpoint Agent | โ | โ | โ | |||||||||||||||
| VMware Carbon Black Response Cloud | โ | โ | ||||||||||||||||
| VMware Carbon Black Cloud Endpointโข Standard | โ | โ | โ | โ | โ | โ | โ | โ | โ | |||||||||
| VMware Carbon Black Cloud Enterprise EDR | โ | โ | โ | โ | โ | โ | โ | โ | โ | |||||||||
| CrowdStrike | โ | โ | โ | โ | โ | โ | โ | โ | โ | โ | โ | โ | โ | |||||
| Microsoft Defender for Endpoint | โ | โ | โ | โ | โ | โ | โ* | โ* | โ | โ | โ | โ* | โ | |||||
| SentinelOne | โ | โ | โ | โ | โ | โ | โ | โ | โ | โ | โ | โ | โ | |||||
| EDR OCSF Ingest | โ | โ | โ | โ | โ | โ |
Note
The Endpoints table will be updated to use the new integration definitions in a future release.
Firewalls/Next-Gen Firewalls๐
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| Barracuda Firewall | Netflow | ||
| Check Point Firewall | Auth, HTTP, Netflow | Antivirus, Thirdparty | |
| Cisco ASA Firewall | DHCP, Managementevent | Auth, DNS, HTTP, Netflow | NIDS |
| Cisco FTD Firewall (Syslog only, see eStreamer via eNCore for NIDS) | DHCP, Managementevent | Auth, DNS, HTTP, Netflow | NIDS |
| Cisco Meraki Firewall | File | Auth, HTTP, Netflow | NIDS |
| Forecepoint Firewall | DHCP | Auth, HTTP, Netflow | Thirdparty |
| Fortigate Firewall | Auth, DNS, HTTP, Netflow | Antivirus, Thirdparty | |
| Juniper SRX Firewall | File | Auth, HTTP, Netflow | NIDS |
| OPNsense Firewall | Netflow | ||
| Palo Alto Firewall | Auth, HTTP, Netflow | NIDS | |
| pfSense Firewall | Netflow | ||
| SonicWall Firewall | DHCP | Auth, DNS, HTTP, Netflow | NIDS |
| Sophos XGS Firewall | Antivirus, DHCP, Managementevent | Auth, HTTP, Netflow | Email, NIDS |
| WatchGuard Firewall | Auth | DNS, HTTP, Netflow | |
| Zscaler Cloud Firewall | DNS, Netflow |
Host-Based Intrusion Detection Systems๐
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| McAfee ePO | Antivirus, Auth, Thirdparty | Process | |
| Symantec Endpoint Protection | Antivirus, NIDS | ||
| Trend Micro Deep Security | Filemod, NIDS, Thirdparty | HTTP, Netflow | Antivirus |
Identity and Access Management๐
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| Cisco Duo | Auth | ||
| Cisco ISE | Process | Auth | |
| CyberArk | CloudAudit | Auth | Thirdparty |
| Okta | CloudAudit | Auth |
Infrastructure Management๐
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| vCenter | Management | Auth |
Microsegmentation Software๐
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| Akamai Guardicore Segmentation | Thirdparty | Netflow, Process |
Network Intrusion Detection Systems๐
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| Taegis NDR | Netflow, NIDS | NIDS | |
| Corelight (Zeek) | DHCP | Auth, DNS, Encrypt, HTTP, Netflow, Detections | Detections |
| Darktrace | Thirdparty | ||
| eStreamer via eNCore | Netflow, NIDS | NIDS | |
| LastLine | Auth | NIDS | |
| Suricata | DNS, HTTP, Netflow, NIDS | NIDS |
OT Security๐
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| Claroty CTD | Netflow | Thirdparty | |
| Dragos Platform | Netflow | Thirdparty | |
| Nozomi Guardian | Thirdparty | ||
| SCADAfence | Thirdparty | Netflow, NIDS |
Important
Adding an OT Security integration to your XDR tenant requires XDR for OT. Contact your account manager or CSM to acquire the required license.
Security Service Edge๐
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| Cato Networks | Antivirus, Auth, DHCP, Thirdparty | Netflow | |
| Cloudflare | CloudAudit, NIDS, Thirdparty | DNS, HTTP, Netflow | |
| Netskope | Auth | HTTP, Netflow | Antivirus, NIDS, Thirdparty |
| Palo Alto Prisma Access | Auth, HTTP, Netflow | NIDS |
Server Logs๐
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| InfoBlox (DNS via named process) | DNS | ||
| Microsoft Windows Event Log (Microsoft-Windows-Security-Auditing) | File, Management, Process, Thirdparty | Auth, Netflow | |
| Microsoft DHCP | DHCP | ||
| Microsoft DNS | DNS | ||
| Microsoft IIS | HTTP | ||
| Non-Microsoft-based servers (processes like sudo/su/sshd/named) | Management | Auth, DNS |
VPN Appliances๐
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| PulseSecure VPN | Auth |
Web Application Firewalls/LoadBalancers๐
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| Akamai App & API Protector | Thirdparty | HTTP | |
| F5 ASM WAF | HTTP | ||
| F5 LTM* | Management | Auth | |
| Barracuda WAF | HTTP | ||
| Fortinet FortiWeb | Netflow | Thirdparty | |
| Imperva WAF | HTTP | ||
| Imperva Cloud WAF | CloudAudit, Thirdparty | Auth | |
| Citrix ADC | Management | Auth, HTTP, Netflow |
Web Proxies๐
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| Akamai Enterprise Application Access (EAA) | Auth, HTTP | ||
| Forcepoint Web Security | HTTP | ||
| Cisco IronPort | Auth | HTTP | |
| Skyhigh Secure Web Gateway | HTTP | ||
| Symantec (Blue Coat) ProxySG WebProxy | HTTP | ||
| Zscaler Secure Web Gateway | HTTP | Thirdparty |
Other Network Appliances๐
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| Cisco IOS based Switches and Routers | Management | Auth | |
| Aruba ClearPass NAC | Auth |
Other Integrations๐
HRMS & Identity๐
Azure Active Directory๐
Features Supported:
- Enable/Disable AD Account
- Force Password Change
- Login History
How We Integrate
We implement the Microsoft Graph API.
Compatible Detectors
Stolen Credentials, and Tactic Graphsโข Detector.
SIEM/Security๐
Splunk Heavy Forwarder๐
Replicates all data sent from Splunk using their Heavy Forwarder to XDR.
How We Integrate
XDR is configured to receive data from Splunk Heavy Forwarder through a TLS encrypted Syslog ingestor. A XDR technical representative can help you get the appropriate TLS certificate issued. Once the certificate has been issued, you can configure a Splunk Heavy Forwarder to send data to XDR. This involves updating the output.conf file for Splunk Heavy Forwarder.
Note
We only support forwarded data types for integrations that are supported by XDR.
Compatible Detectors
All XDR detectors are capable of using Splunk provided data. Usage is dependent on your configuration and the data Splunk is forwarding.
Perimeter/Proxy๐
NDR๐
NDR is a Network IDS/IPS available from Secureworks. It leverages our latest threat intelligence to detect network-level threat signatures on the perimeter. NDR is a separately contracted feature that may be included with Secureworksยฎ Taegisโข MDR.
Features Supported
- Inline and passive deep packet inspection
- Integration in TDR Threat Intelligence
- Blocking Devices on the network
Compatible Detectors
DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs Detector, Punycode, IP Watchlist, and Domain Watchlists.
Palo Alto Networks๐
We use XDRโs On-Premises Data Collector to pull NetFlow data from PAN devices.
Features Supported
- Netflow Capture
- Integration in TDR Threat Intelligence
Supported Devices
- Palo Alto Firewall PANOS 6.1 - 7.0 - 7.1
- Panorama 6.1 - 6.7, including Wildfire Security Logs
- Palo Alto Firewall PANOS 8.0 - 9.x - 10.0
- Panorama 8.0 - 9.0 - 9.1
How We Integrate
We collect Syslog information from Palo Alto using the XDR Collector. For more information see On-Prem Data Collector.
Compatible Detectors
DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs Detector, Punycode, IP Watchlist.
Cisco๐
Features Supported
- WAF features
- Netflow Capture
- Integration in TDR Threat Intelligence
Supported Devices
- Cisco ASA
- Cisco FTD
- Cisco Meraki
How We Integrate
We collect Syslog information from Cisco using the XDR Collector, and use eStreamer to collect security events/logs from FTD devices. For more information see On-Prem Data Collector.
Compatible Detectors
DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs Detector, Punycode, IP Watchlist.
Cloud Applications๐
Office 365 / Azure๐
Features Supported
- Office 365 Audit Log Data (Logins to Services, Changes to accounts, Sends/Receive E-mail metadata). Normalizing this data into a normalized auth type. Picking out logins across these services, and feeding them into the anomaly detector. Too far away, etc. Looking for behavior.
- XDRโs integration uses a collector that supports Microsoft Graph Security Alerts. These are alerts that are generated across all Microsoft products, including third-party partners like Palo Alto.
- Azure AD Audit Logs.
Compatible Detectors
Stolen Credentials, and Tactic Graphs Detector.
Amazon Web Services๐
Our AWS Integration uses a custom-developed AWS Collector for supporting GuardDuty Findings, importing findings and displaying those findings to the user. We do not support Cloudwatch or Cloudwatch Agent at this time.
We also support data collected by a custom serverless collector that supports AWS Application Load Balancers, AWS CloudTrail, AWS VPC Flow logs, and AWS WAF. We additionally support integration with Cisco Umbrella services deployed to AWS.
Compatible Detectors
Stolen Credentials, and Tactic Graphs Detector.
Endpoint๐
Red Cloak Endpoint Agent๐
The Secureworks Red Cloakโข Endpoint Agent is included with XDR. This agent captures a rich set of telemetry from endpoints, including DNS, IP, Processes, Windows Logs, and Linux Logs.
Compatible Detectors
All of XDRโs proprietary detectors make use of Red Cloak Endpoint Agent telemetry: DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs Detector, Punycode, IP Watchlist, and Domain Watchlists.
CrowdStrike๐
The CrowdStrike agent captures a rich set of telemetry from endpoints, including DNS, IP, Processes, Windows Logs, and Linux Logs.
Note
You must have CrowdStrike Falcon Insight (EDR) for XDR to receive any telemetry from CrowdStrike Falcon Prevent (NGAV). Falcon Insight gathers the telemetry that is sent to XDR. You can purchase the license for Falcon Insight from Secureworks or CrowdStrike.
Falcon Prevent (NGAV) is only a detection provider; therefore, if you only have CrowdStrike Falcon Prevent (NGAV), then XDR will not receive any telemetry from it.
Compatible Detectors
All of XDRโs proprietary detectors make use of CrowdStrike data, including DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs Detector, Punycode, IP Watchlist, and Domain Watchlists.
VMware Carbon Black Cloud Endpoint Standard and Enterprise EDR๐
Carbon Blackโs traditional AV service. XDR has access to Carbon Black telemetry which enables endpoint, detection, and response (EDR) capabilities with this service. Integrated with XDR.
Carbon Black Response Cloud๐
Carbon Blackโs Endpoint, Detection, and Response (EDR) service. We have access to Carbon Black telemetry which enables EDR capabilities with this service.
Okta๐
This integration further strengthens XDRโs knowledgebase of your security landscape by receiving user information telemetry directly from Okta via an Okta API.
Using an Okta connector, information related to Authentication Events, Policy Changes, and User Management lists are directly fed into the XDR platform, further providing insights to security analysts during cases.