Alert Details

Secureworks® Taegis™ XDR takes an event or events from a detector and turns it into an alert. Review the alert details to determine if it should be investigated further.

Manage an Alert

Users with the required role can take the following actions on alerts:

View Alert Details

Select an alert title anywhere throughout XDR to view its details.

Some areas of the application, like the Alerts page, will open a preview side panel featuring some essential details about the alert. This allows you to continue browsing through multiple alerts without losing your place or your filters.

View Alerts in the Side Panel

To view the full details of the alert, select the alert title. Or, select the Open in New Tab icon to open the details in a new tab.

Other areas of XDR, like the Recent Alerts widget, automatically open the full alert details page.

Note

Alerts prefixed with RESEARCH indicate that the detector or mechanism that generated the alert is in research mode as a part of our process to verify the feasibility of the detection as well as the false positive rate.

Tip

Threat Score is a new contextually aware priority value assigned to alerts by the patent-pending Taegis Prioritization Engine. For more information, see Threat Score.

Summary Tab

Summary Tab of a Taegis Watchlist Alert

Affected Entities

The Affected Entities section lists entities that may be threats or at risk from threats, and endpoint agents involved in the alert. Select a magnifying glass icon in the Affected Entities panel to perform a pivot search against that entity for further triage.

Affected Entities Panel

Alert Details

Depending on the type of alert, the Alert Details panel may contain the following information:

Alert Description

The Alert Description section provides a summary of the alert curated by Secureworks Counter Threat Unit™ (CTU).

Alert Description

Alert CTU Publications

If an alert is linked to a Secureworks Counter Threat Unit™ (CTU)-published Malware Family or Threat Group, an icon and link display in the alert title and description.

Alert CTU Publication

Select the link from the title or description to open a side panel with the details of the CTU publication.

Alert CTU Publication Panel

AI Alert Analysis

Taegis AI Alert Analysis reviews the detection logic and associated events and then summarizes the alert in straightforward language. It helps analysts quickly understand and respond to security alerts by prioritizing alerts, providing context, and suggesting actions.

Select View Analysis to generate the Alert Analysis summary.

AI Alert Analysis

Review the generated Alert Analysis summary and use the thumbs up or down feedback icons to provide written feedback on the generated content.

Generated AI Alert Analysis

Detection Logic Explanation

The Taegis AI Detection Logic Explanation helps you understand the detection logic behind Taegis Watchlist alerts. It explains the complex detection rule in easy-to-understand language and shows how the system identified the potential security threat. The Detection Logic Explanation can be viewed on any alert generated by the Taegis Watchlist detector, when an explanation is available.

Note

The explanation may not be available for some rules that are in research mode.

Review the generated Detection Logic Explanation and use the thumbs up or down feedback icons to provide written feedback on the generated content.

AI Generated Alert Detection Logic Explanation

Command Line Explanation

The Command Line Explainer translates complex command lines into easy-to-understand language. This is useful for Security Operations Analysts to quickly understand the command line logic.

Click Explain Command Lines to generate the command line explanation.

Generate Command Line Explanation

Review the generated explanation and use the thumbs up or down feedback icons to provide written feedback on the generated content.

AI Generated Command Line Explanation

IDR Alert Enrichment

Taegis™ IDR customers will also see a fingerprint icon within alerts where applicable identity information has been correlated and enriched with user information collected by the IDR module.

Identity Enrichment for Alerts

JSON Tab

JSON Tab of an Alert

The JSON tab displays an expandable JSON view of the alert.

Events Tab

Events Tab of a Password Spray Alert

The Events tab contains a table of the event(s) that resulted in the creation of the alert.

Select an event to open a side drawer with the event details.

Threat Intelligence Tab

The Threat Intelligence tab provides Threat Intelligence enrichment data from the Secureworks Counter Threat Unit™ (CTU) and APIVoid. For more information, see Threat Intelligence Alert Enrichment.

Vulnerabilities Tab

The Vulnerabilities tab displays vulnerability data related to the asset associated with the alert if the asset has been mapped to a server asset in VDR. For more information on the mapping process, see Asset Mapping Logic.

The data includes vulnerability severity, type, details, host, and CVE, if applicable.

Vulnerabilities Tab of an Alert Mapped to a VDR Asset

A flag displayed to the left of a vulnerability row means that our detection logic indicated that the vulnerability is potentially linked to the alert activity. This may point to the root cause of the alert, or indicate that the vulnerability was attacked or leveraged and should be investigated further.

Flagged Vulnerabilities

Note

The Vulnerabilities tab does not display if there are no vulnerabilities associated with the alert.

History Tab

The History tab contains a full audit log of the alert. Each log entry includes the timestamp, the category and type of activity, the user's name and email, and the change logs.

Tip

Toggle the Show Only Update Events option to On to view only logs related to updates made to the alert. Leave Off to view all logs.

History Tab

Insights Tab

The Insights tab contains multiple sections that provide additional context and list related alerts and investigations.

Insights Tab

Threat Score

The first section lists the alert Threat Score. For more information, see Threat Score.

The alerts section lists alerts that have factors in common with the displayed alert so analysts can quickly determine if those alerts are in fact related to the displayed alert. They are organized into open and closed alerts, and those are further organized into the entity types they share in common with the displayed alert, such as Agent/Sensor ID, File, Hostname, etc.

Tip

Critical, High, and Medium severity alerts are displayed by default. If you want to include other severities, change the alerts table filter.

The investigations section lists open and closed investigations that include entities related to the displayed alert, organized by entity type. This can help analysts quickly determine if an investigation is already open for an entity during triage to avoid creating duplicate investigations. Closed investigations can add context to how investigations were previously handled for an entity.
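To make the grouping described for the alerts section concrete, the following added example (not the product's own code) reimplements it in Python over constructed sample alerts: candidates are filtered by the default severities, then bucketed by open/closed status and by the entity type they share with the displayed alert. The alert structure and field names are assumptions for illustration only.

```python
from collections import defaultdict

# Constructed sample data (not real Taegis alerts). Each alert carries a
# status, a severity and the entities it references, keyed by entity type.
DISPLAYED_ALERT = {
    "id": "alert-0", "status": "Open", "severity": "High",
    "entities": {"Hostname": {"host-a"}, "File": {"c:\\tmp\\x.exe"},
                 "Agent/Sensor ID": {"agent-1"}},
}

CANDIDATE_ALERTS = [
    {"id": "alert-1", "status": "Open", "severity": "Critical",
     "entities": {"Hostname": {"host-a"}, "File": {"c:\\tmp\\y.exe"}}},
    {"id": "alert-2", "status": "Closed", "severity": "Medium",
     "entities": {"File": {"c:\\tmp\\x.exe"}, "Agent/Sensor ID": {"agent-1"}}},
    {"id": "alert-3", "status": "Open", "severity": "Low",
     "entities": {"Hostname": {"host-a"}}},   # hidden by the default severity filter
    {"id": "alert-4", "status": "Open", "severity": "High",
     "entities": {"Hostname": {"host-b"}}},   # shares nothing with the displayed alert
]

# The Insights tab shows Critical, High and Medium alerts by default.
DEFAULT_SEVERITIES = {"Critical", "High", "Medium"}


def related_alerts(displayed, candidates, severities=DEFAULT_SEVERITIES):
    """Group candidate alerts by status, then by the entity type they share
    with the displayed alert (hypothetical reimplementation of the layout
    described for the Insights tab, not the product's logic)."""
    grouped = {"Open": defaultdict(list), "Closed": defaultdict(list)}
    for alert in candidates:
        if alert["id"] == displayed["id"] or alert["severity"] not in severities:
            continue
        bucket = grouped.setdefault(alert["status"], defaultdict(list))
        for etype, values in displayed["entities"].items():
            # An alert is related under an entity type when at least one value overlaps.
            if values & alert["entities"].get(etype, set()):
                bucket[etype].append(alert["id"])
    # Only entity types with at least one match are listed under each status.
    return {status: dict(types) for status, types in grouped.items()}
```

Changing the severities argument corresponds to changing the alerts table filter mentioned in the tip above.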

Explore an Alert in Detail with Entity Graph

To explore the alert's associated entities, their relationships, and their details in depth, select Entity Graph from the top right of the alert details page to launch Entity Graph.

Open Entity Graph from an Alert

Share an Alert

To share an alert with another user within the tenant, select the Copy share link icon for a direct URL.

Copy Link to Share Alert

View Alert in CEL Explorer

From the Actions menu, select View in CEL Explorer to test the outcome of CEL expressions against the data being viewed for use in Automations configurations. For more information, see CEL Explorer.

View Alert in CEL Explorer
