Capabilities At a Glance
The following summarizes the integration and configuration capabilities of Secureworks® Taegis™ XDR: which data sources are compatible, what data from those sources XDR Detectors need or can use, and which watchlists XDR can ingest.
Tip
Explore our video series to enhance your understanding of data integrations and how they serve effective coverage for threat detection. The training covers how data in Taegis XDR is parsed and normalized into schemas, feeding data into our detectors listed below: Training: Understanding XDR Data.
Regions
Availability of XDR features depends on the region in which your environment is deployed.
For a list of what is not supported in the EU region, see Unsupported Features in EU.
Detector Inputs
The following lists the data sources or schemas that each Taegis detector requires:
- Account Compromise — Auth
- Bring Your Own Threat Intel — Normalized telemetry from supported integrations
- Brute Force — Auth
- Business Email Compromise — CloudAudit
- Cloud Recon to Change — AWS CloudAudit
- Domain Generation Algorithms — DNS
- File Analysis — Taegis Endpoint Agents telemetry where sensor_type is ENDPOINT_TAEGIS and sensor_version is 1.2 or greater; or files fetched from Taegis Endpoint Agents
- Hands-On-Keyboard — Process
- Impossible Travel — Auth
- Kerberoasting — Auth
- Network IDS — NIDS
- Password Spray — Auth
- Penetration Test — Alerts
- Portscanning and Broadscanning — Netflow
- Punycode — DNS
- Quick Mail Consent (MS O365) — CloudAudit (MS O365 Management API Audit Logs)
- Rare Program to Rare IP — Netflow, Process
- SharpHound — Auth, Netflow
- Snapshot Exfiltration — AWS CloudTrail Logs
- Stolen User Credentials — Auth, Observations
- Suspicious DNS Activity — DNS
- Tactic Graphs — Alerts, Auth, DNS, NIDS, Netflow, Process
- Taegis NDR — Alerts, NIDS, Netflow
- Taegis Watchlist — All telemetry normalized into XDR schemas
- Watchlist, Cloud — Auth
- Watchlist, Domain — DNS
- Watchlist, Email — Email
- Watchlist, Endpoint — Normalized endpoint telemetry
- Watchlist, IP — NIDS, Netflow
Data Retention Policy
Secureworks retains event and alert data for 12 months from the date the data is received. All other data concerns are covered in the Secureworks Cloud Services Interface Privacy Statement.
Provided Data from Integrations
Provided data is categorized as Normalized Data, Out-of-the-Box Detections, or Vendor-Specific Detections.
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Cloud
Integration | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections
---|---|---|---
Amazon GuardDuty | Thirdparty | ||
AWS Application Load Balancer | HTTP | ||
AWS CloudTrail | Auth, CloudAudit | ||
AWS VPC Flow Logs | Netflow | ||
AWS Web Application Firewall | HTTP | HTTP | |
Cisco Umbrella | DNS, HTTP, Netflow | ||
Google Cloud Platform | CloudAudit | Netflow | Thirdparty |
Google Workspace | Auth, HTTP | Auth, CloudAudit, Thirdparty | |
MS Azure Active Directory | Auth, CloudAudit | ||
MS Azure Active Directory Activity Reports | Auth | CloudAudit | |
MS Azure Active Directory Identity Protection | CloudAudit, Thirdparty | ||
MS Azure Activity Logs | CloudAudit | ||
MS Azure Firewall | DNS, HTTP, Netflow | ||
MS Azure Flow Logs | Netflow | ||
MS Azure WAF on Application Gateway | HTTP | ||
MS Azure WAF on Front Door | HTTP | ||
MS Graph Security | CloudAudit, Thirdparty | ||
MS Office 365 | Auth | Auth, CloudAudit, Email, Thirdparty | |
Oracle Cloud Infrastructure (OCI) | CloudAudit | HTTP, Netflow | NIDS, Thirdparty |
Salesforce Real-Time Event Monitoring | Auth, CloudAudit, HTTP, Thirdparty | Thirdparty |
Email Security
Integration | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections
---|---|---|---
Abnormal Inbound Email Security | |||
Mimecast | HTTP | ||
Proofpoint | HTTP |
Endpoints
Integration | Alerts | Auth | DNS | File Collection | HTTP | NIDS | Netflow | Process | File Modification | API Call | Registry | Scriptblock | Management | Persistence | Thread Injection | Generic
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---
Taegis Windows Endpoint Agent | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
Taegis macOS Endpoint Agent | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||||
Taegis Linux Endpoint Agent | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||||
Red Cloak Windows Endpoint Agent | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||||
Red Cloak Linux Endpoint Agent | ✓ | ✓ | ✓ | |||||||||||||
VMware Carbon Black Response Cloud | ✓ | ✓ | ||||||||||||||
VMware Carbon Black Cloud Endpoint™ Standard | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
VMware Carbon Black Cloud Enterprise EDR | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
CrowdStrike | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
Microsoft Defender for Endpoint | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓* | ✓* | ✓ | ✓ | ✓ | ✓* | ✓ | |||
SentinelOne | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
EDR OCSF Ingest | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Note
The Endpoints table will be updated to use the new integration definitions in a future release.
Firewalls/Next-Gen Firewalls
Integration | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections
---|---|---|---
Barracuda Firewall | Netflow | ||
Check Point Firewall | Auth, HTTP, Netflow | Antivirus, Thirdparty | |
Cisco ASA Firewall | DHCP, Managementevent | Auth, DNS, HTTP, Netflow | NIDS |
Cisco FTD Firewall (Syslog only, see eStreamer via eNCore for NIDS) | DHCP, Managementevent | Auth, DNS, HTTP, Netflow | NIDS |
Cisco Meraki Firewall | File | Auth, HTTP, Netflow | NIDS |
Forcepoint Firewall | DHCP | Auth, HTTP, Netflow | Thirdparty |
Fortigate Firewall | Auth, DNS, HTTP, Netflow | Antivirus, Thirdparty | |
Juniper SRX Firewall | File | Auth, HTTP, Netflow | NIDS |
OPNsense Firewall | Netflow | ||
Palo Alto Firewall | Auth, HTTP, Netflow | NIDS | |
pfSense Firewall | Netflow | ||
SonicWall Firewall | DHCP | Auth, DNS, HTTP, Netflow | NIDS |
Sophos XGS Firewall | Antivirus, DHCP, Managementevent | Auth, HTTP, Netflow | Email, NIDS |
WatchGuard Firewall | Auth | DNS, HTTP, Netflow | |
Zscaler Cloud Firewall | DNS, Netflow |
Host-Based Intrusion Detection Systems
Integration | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections
---|---|---|---
McAfee ePO | Antivirus, Auth, Thirdparty | Process | |
Symantec Endpoint Protection | Antivirus, NIDS | ||
Trend Micro Deep Security | Filemod, NIDS, Thirdparty | HTTP, Netflow | Antivirus |
Identity and Access Management
Integration | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections
---|---|---|---
Cisco Duo | Auth | ||
Cisco ISE | Process | Auth | |
CyberArk | CloudAudit | Auth | Thirdparty |
Okta | CloudAudit | Auth |
Infrastructure Management
Integration | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections
---|---|---|---
vCenter | Management | Auth |
Microsegmentation Software
Integration | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections
---|---|---|---
Akamai Guardicore Segmentation | Thirdparty | Netflow, Process |
Network Intrusion Detection Systems
Integration | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections
---|---|---|---
Taegis NDR | Netflow, NIDS | NIDS | |
Corelight (Zeek) | DHCP | Auth, DNS, Encrypt, HTTP, Netflow, NIDS | NIDS |
Darktrace | Thirdparty | ||
eStreamer via eNCore | Netflow, NIDS | NIDS | |
LastLine | Auth | NIDS | |
Suricata | DNS, HTTP, Netflow, NIDS | NIDS |
OT Security
Integration | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections
---|---|---|---
Claroty CTD | Netflow | Thirdparty | |
Dragos Platform | Netflow | Thirdparty | |
Nozomi Guardian | Thirdparty | ||
SCADAfence | Thirdparty | Netflow, NIDS |
Important
Adding an OT Security integration to your XDR tenant requires XDR for OT. Contact your account manager or CSM to acquire the required license.
Security Service Edge
Integration | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections
---|---|---|---
Cato Networks | Antivirus, Auth, DHCP, Thirdparty | Netflow | |
Cloudflare | CloudAudit, NIDS, Thirdparty | DNS, HTTP, Netflow | |
Netskope | Auth | HTTP, Netflow | Antivirus, NIDS, Thirdparty |
Palo Alto Prisma Access | Auth, HTTP, Netflow | NIDS |
Server Logs
Integration | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections
---|---|---|---
InfoBlox (DNS via named process) | DNS | ||
Microsoft Windows Event Log (Microsoft-Windows-Security-Auditing) | File, Management, Process, Thirdparty | Auth, Netflow | |
Microsoft DHCP | DHCP | ||
Microsoft DNS | DNS | ||
Microsoft IIS | HTTP | ||
Non-Microsoft-based servers (processes like sudo/su/sshd/named) | Management | Auth, DNS |
VPN Appliances
Integration | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections
---|---|---|---
PulseSecure VPN | Auth |
Web Application Firewalls/Load Balancers
Integration | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections
---|---|---|---
Akamai App & API Protector | Thirdparty | HTTP | |
F5 ASM WAF | HTTP | ||
F5 LTM* | Management | Auth | |
Barracuda WAF | HTTP | ||
Fortinet FortiWeb | Netflow | Thirdparty | |
Imperva WAF | HTTP | ||
Imperva Cloud WAF | CloudAudit, Thirdparty | Auth | |
Citrix ADC | Management | Auth, HTTP, Netflow |
Web Proxies
Integration | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections
---|---|---|---
Akamai Enterprise Application Access (EAA) | Auth, HTTP | ||
Forcepoint Web Security | HTTP | ||
Cisco IronPort | Auth | HTTP | |
Skyhigh Secure Web Gateway | HTTP | ||
Symantec (Blue Coat) ProxySG WebProxy | HTTP | ||
Zscaler Secure Web Gateway | HTTP | Thirdparty |
Other Network Appliances
Integration | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections
---|---|---|---
Cisco IOS based Switches and Routers | Management | Auth | |
Aruba ClearPass NAC | Auth |
Other Integrations
HRMS & Identity
Azure Active Directory
Features Supported
- Enable/Disable AD Account
- Force Password Change
- Login History
How We Integrate
We integrate through the Microsoft Graph API.
Compatible Detectors
Stolen Credentials and Tactic Graphs™ Detector.
SIEM/Security
Splunk Heavy Forwarder
Replicates to XDR all data that Splunk sends through its Heavy Forwarder.
How We Integrate
XDR receives data from the Splunk Heavy Forwarder through a TLS-encrypted Syslog ingestor. An XDR technical representative can help you get the appropriate TLS certificate issued. Once the certificate has been issued, you can configure the Splunk Heavy Forwarder to send data to XDR by updating its outputs.conf file.
Note
We only support forwarded data types for integrations that are supported by XDR.
Compatible Detectors
All XDR detectors are capable of using Splunk provided data. Usage is dependent on your configuration and the data Splunk is forwarding.
Perimeter/Proxy
NDR
NDR is a Network IDS/IPS available from Secureworks. It leverages our latest threat intelligence to detect network-level threat signatures on the perimeter. NDR is a separately contracted feature that may be included with Secureworks® Taegis™ MDR.
Features Supported
- Inline and passive deep packet inspection
- Integration in TDR Threat Intelligence
- Blocking Devices on the network
Compatible Detectors
DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs Detector, Punycode, IP Watchlist, and Domain Watchlists.
Palo Alto Networks
We use XDR’s On-Premises Data Collector to pull NetFlow data from PAN devices.
Features Supported
- Netflow Capture
- Integration in TDR Threat Intelligence
Supported Devices
- Palo Alto Firewall PANOS 6.1 - 7.0 - 7.1
- Panorama 6.1 - 6.7, including Wildfire Security Logs
- Palo Alto Firewall PANOS 8.0 - 9.x - 10.0
- Panorama 8.0 - 9.0 - 9.1
How We Integrate
We collect Syslog information from Palo Alto using the XDR Collector. For more information see On-Prem Data Collector.
Compatible Detectors
DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs Detector, Punycode, IP Watchlist.
Cisco
Features Supported
- WAF features
- Netflow Capture
- Integration in TDR Threat Intelligence
Supported Devices
- Cisco ASA
- Cisco FTD
- Cisco Meraki
How We Integrate
We collect Syslog information from Cisco using the XDR Collector, and use eStreamer to collect security events/logs from FTD devices. For more information see On-Prem Data Collector.
Compatible Detectors
DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs Detector, Punycode, IP Watchlist.
Cloud Applications
Office 365 / Azure
Features Supported
- Office 365 audit log data (logins to services, changes to accounts, sent/received e-mail metadata). This data is normalized into the Auth schema; logins across these services are picked out and fed into the anomaly detectors, which look for suspicious behavior such as logins from locations too far apart to be plausible.
- XDR’s integration uses a collector that supports Microsoft Graph Security Alerts. These are alerts that are generated across all Microsoft products, including third-party partners like Palo Alto.
- Azure AD Audit Logs.
Compatible Detectors
Stolen Credentials and Tactic Graphs Detector.
Amazon Web Services
Our AWS integration uses a custom-developed AWS Collector that imports GuardDuty findings and displays them to the user. We do not support CloudWatch or the CloudWatch Agent at this time.
We also support data collected by a custom serverless collector that supports AWS Application Load Balancers, AWS CloudTrail, AWS VPC Flow logs, and AWS WAF. We additionally support integration with Cisco Umbrella services deployed to AWS.
Compatible Detectors
Stolen Credentials and Tactic Graphs Detector.
Endpoint
Red Cloak Endpoint Agent
The Secureworks Red Cloak™ Endpoint Agent is included with XDR. This agent captures a rich set of telemetry from endpoints, including DNS, IP, Processes, Windows Logs, and Linux Logs.
Compatible Detectors
All of XDR’s proprietary detectors make use of Red Cloak Endpoint Agent telemetry: DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs Detector, Punycode, IP Watchlist, and Domain Watchlists.
CrowdStrike
The CrowdStrike agent captures a rich set of telemetry from endpoints, including DNS, IP, Processes, Windows Logs, and Linux Logs.
Note
You must have CrowdStrike Falcon Insight (EDR) for XDR to receive any telemetry from CrowdStrike Falcon Prevent (NGAV). Falcon Insight gathers the telemetry that is sent to XDR. You can purchase the license for Falcon Insight from Secureworks or CrowdStrike.
Falcon Prevent (NGAV) is only an alert provider; therefore, if you only have CrowdStrike Falcon Prevent (NGAV), then XDR will not receive any telemetry from it.
Compatible Detectors
All of XDR’s proprietary detectors make use of CrowdStrike data, including DGA, Rare Program to Rare IP, Stolen Credentials, Tactic Graphs Detector, Punycode, IP Watchlist, and Domain Watchlists.
VMware Carbon Black Cloud Endpoint Standard and Enterprise EDR
This is Carbon Black’s traditional AV service, integrated with XDR. XDR has access to Carbon Black telemetry, which enables endpoint detection and response (EDR) capabilities with this service.
Carbon Black Response Cloud
This is Carbon Black’s endpoint detection and response (EDR) service. We have access to Carbon Black telemetry, which enables EDR capabilities with this service.
Okta
This integration further strengthens XDR’s knowledge base of your security landscape by receiving user information telemetry directly from Okta via an Okta API.
Using an Okta connector, information related to Authentication Events, Policy Changes, and User Management lists is fed directly into the XDR platform, giving security analysts further insight during investigations.
Unsupported Features in the EU Region
All XDR features except the following are supported in the EU region:
Endpoint Integrations
- NGAV is not supported in the EU region.