NIDS🔗
The Network Intrusion Detection Systems (NIDS) detector collects and normalizes Intrusion Detection and Prevention (IDP) events from third-party data sources. As part of the normalization process, the events are converted into a detection and assigned a severity and confidence based on the activity observed. The resulting detections are written to the Secureworks® Taegis™ XDR Detection Database and published to the Detection Triage Dashboard for additional review and analysis. The following integrations are currently handled by the NIDS detector:
- Cisco Firepower Threat Defense (FTD)
- Cisco Meraki
- Corelight
- Palo Alto Threat Events
- Taegis™ NDR
- Suricata
In addition, the network telemetry collected by the supported integrations is available to the following XDR detectors:
- Domain Generation Algorithms
- Stolen User Credentials
- Tactic Graphs™ Detector
- Punycode Detector
- IP Watchlist
Requirements🔗
This detector requires the following data sources, integrations, or schemas:
- Ingested and normalized Intrusion Detection and Prevention events from third-party data sources
Inputs🔗
Detections are from the following normalized sources:
- NIDS
Outputs🔗
Detections from this detector are pushed to the XDR Detection Database and Detection Triage Dashboard.
Configuration Options🔗
This detector is enabled by default when the required data sources or integrations are available in the tenant.
MITRE ATT&CK Category🔗
MITRE mapping is based on detection data provided by relevant device(s). Check the detection for the specific mapping.
Detector Testing🔗
This detector does not have a supported testing method, though an Advanced Search will verify if detections originated with this detector.
Note
If no supported testing method is available, an Advanced Search will show you if any detections came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.