
Schemas

A schema is a category of data to which parsed and normalized data is aligned. Use this reference of available Secureworks® Taegis™ XDR schemas to aid in building your Data Lake Search queries.

Data Types

| Data Type | Description |
| --- | --- |
| Detections | Output from detectors, based on events or event sets that trigger Secureworks® Taegis™ XDR detections. |
| Events | Security telemetry from a single point in time. |

Note

Detections may be searched for any time period.

Event data is treated differently: it can be searched over any period of 31 days or less. To query event data, choose any non-detection data type in Data Lake Search. A custom date picker then lets you specify the search time range. You can select any start date for which the account may have retained data, but the end date must be chosen so that the range (the difference between the start and end dates) is no more than 31 days.
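The 31-day rule is easy to trip over when an investigation spans a quarter. The following Python, added here as an illustration and not part of the Taegis documentation or product, checks whether a proposed event-search window is acceptable and splits a longer range into consecutive windows that each satisfy the rule. It assumes whole-day, inclusive start and end dates as chosen in the date picker (the page does not state how the boundary day is treated), and it makes no calls to the Taegis API.

```python
from datetime import date, timedelta

# Taegis XDR event searches: (end date - start date) must be <= 31 days.
# Detection searches have no such limit and need no check.
MAX_EVENT_WINDOW_DAYS = 31


def window_length_days(start: str, end: str) -> int:
    """Return end - start in days for ISO dates (YYYY-MM-DD)."""
    return (date.fromisoformat(end) - date.fromisoformat(start)).days


def is_valid_event_window(start: str, end: str) -> bool:
    """True if an event search over [start, end] satisfies the 31-day rule
    (a negative length, i.e. end before start, is also rejected)."""
    length = window_length_days(start, end)
    return 0 <= length <= MAX_EVENT_WINDOW_DAYS


def split_event_windows(start: str, end: str) -> list[tuple[str, str]]:
    """Split a long investigation range into consecutive windows that each
    satisfy the 31-day rule.

    Assumption (not stated by the page): dates are whole days and the end
    date is inclusive, so each next window starts the day after the previous
    one ends. This gives no gaps and no double-counted days.
    """
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    if last < first:
        raise ValueError(f"end date {end} precedes start date {start}")
    windows: list[tuple[str, str]] = []
    cursor = first
    while True:
        # A window of exactly 31 days difference is still allowed; clamp the
        # final window to the requested end date.
        window_end = min(cursor + timedelta(days=MAX_EVENT_WINDOW_DAYS), last)
        windows.append((cursor.isoformat(), window_end.isoformat()))
        if window_end == last:
            return windows
        cursor = window_end + timedelta(days=1)


if __name__ == "__main__":
    # Constructed example: a 120-day hunt over process events, run as
    # four Data Lake Search queries instead of one rejected query.
    for s, e in split_event_windows("2024-01-01", "2024-04-30"):
        assert is_valid_event_window(s, e)
        print(f"search events from {s} to {e} ({window_length_days(s, e)} days)")
```

Run the file directly to print the windows; in practice each (start, end) pair becomes the start and end date of one event search, while a detection search over the whole range can be issued once.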

Event Schemas

| Event Type | Description |
| --- | --- |
| Antivirus events | Events related to malware activity on hosts and networks. |
| API Call events | Instances in which a process attempted (successfully or not) to call an operating system API. |
| Auth events | Authentication activity, including login successes and failures, logoffs, and similar. |
| Cloud Audit events | Audit events from cloud-based applications and cloud-hosted infrastructure. |
| Detection Finding events | Detections generated by endpoint agents or other sources external to XDR. |
| DHCP events | Records of client and server DHCP activity, such as IP address assignments. |
| DNS events | Records of domain name resolution requests made by hosts. |
| Email events | Events from email security services related to techniques such as phishing and spam. |
| Encrypt events | Events carrying SSL/TLS connection and X.509 certificate metadata. |
| File Modification events | Instances in which a process attempted to create, modify, write, or delete a file. |
| Generic events | All raw log messages from syslog and some other ingestion sources. Note that a generic event may also be normalized into another event type. |
| HTTP events | Details of HTTP connections, for example from proxy server logs. |
| Management events | Instances in which management information has been accessed from hosts in an enterprise environment, for example via WMI on Windows. |
| Netflow events | Network traffic records for communications into and out of a host, including source/destination IP addresses and ports. |
| NIDS events | Events from network intrusion detection and/or prevention systems. |
| Persistence events | Events related to techniques such as Run keys, Scheduled Tasks, or Services, commonly used by attackers to maintain persistence on a compromised system. |
| Process events | Program launches and related process activity on a host: command lines, parent/child relationships, and target programs launched by a parent executable (for example, a process spawned by PowerShell on Windows). |
| Process Module events | Events generated when libraries (modules) are loaded by processes. |
| Registry events | Properties of certain Windows registry entries, which may help to detect attacks. |
| Script Block events | Executions of blocks of script code on a remote endpoint by an attacker or other entity. |
| Taegis Agent events | Detections reported by the Taegis Agent. |
| Technique Finding events | Indicators of potentially malicious behavior observed by endpoint agents or other sources external to XDR. |
| Third Party Alert events | The event record of alerts produced by sources external to XDR. |
| Thread Injection events | Instances in which a thread has inserted and run code within the memory address space of a different target process. |