Secureworks® Taegis™ Glossary

Note

The definitions used in this glossary and throughout the Secureworks® Taegis™ XDR documentation site are for the purposes of using the XDR application. For legal definitions, please refer to the Secureworks service descriptions applicable to your organization.

Tip

See Data Source Integration Definitions for terms related to integrating data sources.

agent

A device in your organization’s network that XDR is aware of and monitors for reporting and alerts.

alert

A notification in XDR created by a detector from one or more events, informing you of activity that may need further investigation.

API

Application Programming Interface. A set of software functions made available to customers by the Taegis platform that allows programmatic access to different capabilities within the platform, for integrating with customer or third-party software, generally for automation, reporting, and similar purposes.

collector

On-premises and cloud-based (virtual) devices that XDR uses to gather logs.

confidence

A measure of how confident our systems are that an alert is accurate and represents malicious activity, ranging from 1 to 100. The higher the score, the more confident we are that the alert indicates genuine malicious activity.

connection

In Automation, an instance of a connector that you configure. The connection provides the method that XDR uses to authenticate to an IT tool within your environment, as well as the URL it should authenticate to.

connector

In Automation, the definition of how XDR communicates with an external IT tool, allowing a playbook to execute API calls published by the vendor.

CTU Countermeasures

Rulesets that can be deployed to Snort-based sensors and Suricata-based sensors.

data source

The sensors in your network that send telemetry to XDR.

detector

The devices in your network that continuously monitor your environment data for malicious activity.

edge

In Entity Graph, the directional line representing the relationship or activity between entities.

EDR

Endpoint Detection & Response

endpoint

The devices in your organization’s network that XDR is aware of and monitors for reporting and alerts. Includes any end-user computing instance (e.g., notebook, laptop, workstation, VDI instance), physical server, virtual server, or computing workload (any installation of a server OS, e.g., Linux, Unix, macOS, Windows).

entity

Data extracted from the events that are part of an investigation that played a role in the incident, including but not limited to usernames, hostnames, IP addresses, and files.

event

An individual security-related occurrence (e.g., a log entry) within your environment that has been normalized into a standardized format for efficient access by software and humans. Taegis XDR event fields are available for advanced search, reporting, and detections.

finding

The output of a posture check performed by the Taegis IDR module. Findings have an associated risk level that should be used to prioritize which ones to address first.

identity

A collection of unique identifiers that allow a computer to identify an entity, such as a person, organization, software program, or another computer.

integration

A collector, API, or data source that is integrated with XDR.

investigation

The gathered alerts, events, agents, and other data regarding a potential security incident, which you and other members of your organization work to resolve.

iSensor

The previous name for the current Taegis Network Detection and Response (NDR) solution.

MITRE ATT&CK Framework

MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the cybersecurity product and service community.

multi-factor authentication

(MFA) The use of multiple types of authentication to verify a user’s identity for login (e.g. username/password + mobile phone security token).

node

In Entity Graph, the representation of an entity associated with an investigation.

normalized event

A raw event that has been parsed into a database schema, which facilitates common activities such as search, security detections, and other activities.

playbook

In Automation, the definition of which actions to take and when to take them, using one or more configured connections.

priority

In Investigations, the importance and potential impact to your organization of an investigation’s activities.

query language

An advanced tool in XDR used to craft searches for alerts and events available in your tenant.

research

Alerts prefixed with RESEARCH are generated by detectors or features in the research development stage. This stage is used to measure precision and recall. Documentation is updated at later stages.

rule

A pattern match for generated alerts (alert suppression rules) or ingested events (custom alert rules). Upon successful match, the associated action is performed (e.g., suppress alert or create new alert).

severity

In alerts, a measure of how much of a potential threat some activity poses to your environment. The severity score ranges from 0 to 1; the higher the score, the bigger the potential threat posed by the activity. Severity is also represented by text labels: Info (0 to 0.199...), Low (0.2 to 0.399...), Medium (0.4 to 0.599...), High (0.6 to 0.799...), and Critical (0.8 to 1).

Tactic Graphs™

A trademarked name for XDR’s correlation engine that can pattern match across multiple telemetry sources or alerts to create new detections.

Taegis

The platform that supports Secureworks applications such as XDR, MDR, and VDR.

Taegis™ MDR

(Taegis Managed Detection and Response) A fully managed solution delivered through our Taegis security analytics and operations platform, providing advanced threat hunting, detection and rapid response across endpoint, network, and cloud environments.

Taegis™ MDR Elite

(Taegis Managed Detection and Response Elite) A fully managed solution that includes a dedicated Secureworks expert to perform proactive and iterative threat hunting across your endpoint, network, and cloud environments, and bi-weekly updates on your organization's exposure to targeted threats.

Taegis™ NDR

(Taegis Network Detection and Response) This NDR solution monitors traffic across your network to prevent, detect, and respond to threats, and seamlessly integrates with the open Taegis platform for more holistic protection. This is an evolution of iSensor, but with a new name and soon with expanded capabilities.

Taegis™ XDR

(Taegis Extended Detection and Response) An advanced security analytics tool that enables you to detect advanced threats, trust your alerts, streamline and collaborate on investigations, and automate the right action.

telemetry

The collection of real-time data pushed continuously from network devices, such as routers, firewalls, and switches, to one or more centralized locations for storage, processing, and analysis.

tenant

An environment on the Taegis platform that aggregates telemetry from many endpoints into a single holistic view. Most customers have one tenant; those with large-scale needs may require multiple tenants.

threat intelligence

Data produced, analyzed, and validated by our 70+ Counter Threat Unit™ researchers and automatically correlated against your telemetry to ensure you are protected from the latest threats and adversary behaviors.

watchlist

A general term for a group of detection rules which create alerts in XDR. These groups of rules apply to a specific set of telemetry or ingest sources (e.g., IP Watchlist matches Netflow, Domain Watchlist matches DNSquery, etc.).

widget

A dashboard element that displays a snapshot of defined metrics.

Data Source Integration Definitions

Note

The following Data Source Integration terms are for normalization and detection outcomes referenced in the XDR integration documentation.

custom integration

An integration where only the transport of data from a data source into Taegis is guaranteed; downstream outcomes such as normalization, search, and alerting have not been tested and may require additional work beyond ingest to be achieved.

generic schema

A "catch-all" schema that can store all normalized events that don't fit the data structure of other named schemas. Provides for basic time-based correlation and searching but may not be useful for in-depth detection and analysis.

ingest

The process by which Taegis XDR retrieves or receives raw data from a source. In this context, 'raw data' refers to data that has not yet been normalized or structured according to the platform's data model (schemas).

integrate

The process of providing access to Taegis to collect, receive, or otherwise interact with data from a source.

normalization

The process of making unstructured data structured. For Taegis XDR, this means also classifying the data into one or multiple Taegis XDR schemas, and extracting relevant data elements into pre-defined fields within those schemas. Once data is structured, it is referred to as an event. This level of integration provides:

  • Data retention
  • Event search
  • Event reporting
  • Pivot and multi-schema search

normalized data

Unstructured data that has been structured. For Taegis XDR, this means also classifying the data into one or multiple Taegis XDR schemas, and extracting relevant data elements into pre-defined fields within those schemas. Once data is structured, it is referred to as an event. This level of integration provides:

  • Data retention
  • Event search
  • Event reporting
  • Pivot and multi-schema search

optimized integration

An end-to-end integration targeting a data source and ingest path where the downstream outcomes such as normalization, search, and alerting have been predetermined, tested, and documented by XDR.

out-of-the-box detections

Logs from the data source are normalized to one or more XDR schemas and are compatible with XDR native detectors. Alerts may be generated by Watchlists, Tactic Graphs Detector, and/or Advanced Detectors.

roadrunner

The Taegis data normalization engine for non-endpoint/EDR data; it takes in unstructured data and structures it into events.

schema

A named classification of structured data, such as netflow, auth, http, etc.

TRIP

Taegis Remote Ingest Platform. A platform capable of integrating with a wide variety of REST-capable APIs as well as streaming services. Utilizes scheduled polling to regularly pull data to XDR.

vendor-specific detections

Logs from the data source are normalized to one or more XDR schemas and are compatible with detectors that have been created specifically for this data source. XDR alerts may be generated by promotion of vendor alerts to Watchlists and/or Tactic Graphs Detector.