Alert Details
Secureworks® Taegis™ XDR takes an event or events from a detector and turns it into an alert. Review the alert details to determine if it should be investigated further.
Manage an Alert
Users with the required role can take the following actions on alerts:
View Alert Details
Select an alert title anywhere throughout XDR to view its details.
Some areas of the application, like the Alerts page, will open a preview side panel featuring some essential details about the alert. This allows you to continue browsing through multiple alerts without losing your place or your filters.
View Alerts in the Side Panel
To view the full details of the alert, select the alert title. Or, select the icon to open the details in a new tab.
Other areas of XDR, like the Recent Alerts widget, automatically open the full alert details page.
Note
Alerts prefixed with RESEARCH indicate that the detector or mechanism that generated the alert is in research mode as a part of our process to verify the feasibility of the detection as well as the false positive rate.
Tip
Threat Score is a new contextually aware priority value assigned to alerts by the patent-pending Taegis Prioritization Engine. For more information, see Threat Score.
Summary Tab
Summary Tab of a Taegis Watchlist Alert
Affected Entities
The Affected Entities section lists entities that may be threats or at risk from threats, and endpoint agents involved in the alert. Select a magnifying glass icon in the Affected Entities panel to perform a pivot search against that entity for further triage.
Affected Entities Panel
Alert Details
Depending on the type of alert, the Alert Details panel may contain the following information:
- First and Last Activity — The first time an event occurred and the last time an event occurred
- Inserted At — The time that the event(s) were logged
- Severity — A measure of how much of a potential threat the activity poses to your environment. The severity score ranges from 1-100. The higher the score, the bigger the potential threat posed by the activity.
  Note
  If the alert’s severity level has changed, a message is displayed.
- Threat Score — A context-aware priority value assigned to the alert
- Detector — The detector type that logged the event(s) that created the alert
- Confidence — A measure of how confident our systems are that the alert is accurate and represents malicious activity. The confidence score ranges from 1-100. The higher the score, the more confident we are that the alert indicates genuine malicious activity.
- Investigations — Any investigation(s) that the alert has been added to
- Process Data — The command line, program hash, process ID, and time window of the process event(s)
Alert Description
The Alert Description section provides a summary of the alert curated by Secureworks Counter Threat Unit™ (CTU).
Alert Description
Alert CTU Publications
If an alert is linked to a Secureworks Counter Threat Unit™ (CTU)-published Malware Family or Threat Group, an icon and link display in the alert title and description.
Alert CTU Publication
Select the link from the title or description to open a side panel with the details of the CTU publication.
Alert CTU Publication Panel
AI Alert Analysis
Taegis AI Alert Analysis reviews the detection logic and associated events and then summarizes the alert in straightforward language. It helps analysts quickly understand and respond to security alerts by prioritizing alerts, providing context, and suggesting actions.
Select View Analysis to generate the Alert Analysis summary.
Alert Analysis
Review the generated Alert Analysis summary and use the thumbs up or down feedback icons to provide written feedback on the generated content.
Generated AI Alert Analysis
Detection Logic Explanation
The Taegis AI Detection Logic Explanation helps you understand the detection logic behind Taegis Watchlist alerts. It explains the complex detection rule in easy-to-understand language and shows how the system identified the potential security threat. The Detection Logic Explanation can be viewed on any alert from the Taegis Watchlist detector when an explanation is available.
Note
The explanation may not be available for some rules that are in research mode.
Review the generated Detection Logic Explanation and use the thumbs up or down feedback icons to provide written feedback on the generated content.
AI Generated Alert Detection Logic Explanation
Command Line Explanation
The Command Line Explainer translates complex command lines into easy-to-understand language, helping Security Operations analysts quickly understand what a command line does.
Click Explain Command Lines to generate the command line explanation.
Generate Command Line Explanation
Review the generated explanation and use the thumbs up or down feedback icons to provide written feedback on the generated content.
AI Generated Command Line Explanation
IDR Alert Enrichment
Taegis™ IDR customers will also see a fingerprint icon within alerts where identity information in the alert has been correlated with, and enriched by, user information collected by the IDR module.
Identity Enrichment for Alerts
JSON Tab
JSON Tab of an Alert
The JSON tab displays an expandable JSON view of the alert.
Events Tab
Events Tab of a Password Spray Alert
The Events tab contains a table of the event(s) that resulted in the creation of the alert.
- To export the full table of events, select Actions > Export All as CSV.
- To export a subset of the table of events, select the checkboxes of those you wish to export, then choose Actions > Export Selected as CSV.
- To add events to an investigation, select the checkboxes of those you wish to add, then choose Actions > Add to Existing Investigation or Create New Investigation. For more information, see Start and Add to Investigations.
Select an event to open a side drawer with the event details.
Threat Intelligence Tab
The Threat Intelligence tab provides Threat Intelligence enrichment data from the Secureworks Counter Threat Unit™ (CTU) and APIVoid. For more information, see Threat Intelligence Alert Enrichment.
Vulnerabilities Tab
The Vulnerabilities tab displays vulnerability data related to the asset associated with the alert if the asset has been mapped to a server asset in VDR. For more information on the mapping process, see Asset Mapping Logic.
The data includes vulnerability severity, type, details, host, and CVE, if applicable.
Vulnerabilities Tab of an Alert Mapped to a VDR Asset
A flag displayed to the left of a vulnerability row means that our detection logic indicated that the vulnerability is potentially linked to the alert activity. This may point to the root cause, or indicate that a vulnerability that was attacked or leveraged should be investigated further.
Flagged Vulnerabilities
Note
The Vulnerabilities tab does not display if there are no vulnerabilities associated with the alert.
History Tab
The History tab contains a full audit log of the alert. Each log entry includes the timestamp, the category and type of activity, the user’s name and email, and the change logs.
Tip
Toggle the Show Only Update Events option to On to view only logs related to updates made to the alert. Leave Off to view all logs.
History Tab
Insights Tab
The Insights tab contains multiple sections that add additional context and list related alerts and investigations.
Insights Tab
Threat Score
The first section lists the alert Threat Score. For more information, see Threat Score.
Related Alerts
The alerts section lists alerts that have factors in common with the displayed alert, so analysts can quickly determine whether those alerts are in fact related to it. They are organized into open and closed alerts, and those are further organized by the entity types they share with the displayed alert, such as Agent/Sensor ID, File, or Hostname.
Tip
Critical, High, and Medium severity alerts are displayed by default. If you want to include other severities, change the alerts table filter.
Related Investigations
The investigations section lists open and closed investigations that include entities related to the displayed alert, organized by entity type. This can help analysts quickly determine if an investigation is already open for an entity during triage to avoid creating duplicate investigations. Closed investigations can add context to how investigations were previously handled for an entity.
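The grouping that the Related Alerts and Related Investigations sections describe (open vs. closed, then by shared entity type, with the default Critical/High/Medium severity filter for alerts) is illustrated below as an added example; it is not Taegis code, and the alert and investigation records, entity values, and the record layout are constructed sample data.

```python
from collections import defaultdict

# Added example, not Secureworks code. Entity types named on the page.
ENTITY_TYPES = ("Agent/Sensor ID", "File", "Hostname")
# Default severity filter of the Related Alerts table, as documented.
DEFAULT_SEVERITIES = {"Critical", "High", "Medium"}


def shared_entity_types(displayed, other):
    """Entity types for which the two records have at least one value in common."""
    shared = []
    for etype in ENTITY_TYPES:
        mine = displayed["entities"].get(etype, set())
        theirs = other["entities"].get(etype, set())
        if mine & theirs:
            shared.append(etype)
    return shared


def related_items(displayed, candidates, severities=DEFAULT_SEVERITIES):
    """Group candidates by status (open/closed), then by shared entity type.

    Candidates with nothing in common are dropped. severities=None disables
    the filter (investigations carry no severity, so pass None for them)."""
    groups = {"open": defaultdict(list), "closed": defaultdict(list)}
    for item in candidates:
        if item["id"] == displayed["id"]:
            continue  # never list the displayed alert as related to itself
        if severities is not None and item.get("severity") not in severities:
            continue
        for etype in shared_entity_types(displayed, item):
            groups[item["status"]][etype].append(item["id"])
    return {status: dict(by_type) for status, by_type in groups.items()}


# Constructed sample records (hypothetical ids and entity values).
DISPLAYED = {"id": "A-1", "status": "open", "severity": "High", "entities": {
    "Hostname": {"ws-042"}, "File": {"svc.exe"}, "Agent/Sensor ID": {"agent-7"}}}
ALERTS = [
    DISPLAYED,
    {"id": "A-2", "status": "open", "severity": "Critical",
     "entities": {"Hostname": {"ws-042"}, "File": {"other.dll"}}},
    {"id": "A-3", "status": "closed", "severity": "Medium",
     "entities": {"File": {"svc.exe"}, "Agent/Sensor ID": {"agent-7"}}},
    {"id": "A-4", "status": "open", "severity": "Low",  # hidden by default filter
     "entities": {"Hostname": {"ws-042"}}},
    {"id": "A-5", "status": "open", "severity": "High",  # nothing in common
     "entities": {"Hostname": {"ws-999"}}},
]
INVESTIGATIONS = [
    {"id": "INV-10", "status": "open", "entities": {"Hostname": {"ws-042"}}},
    {"id": "INV-11", "status": "closed", "entities": {"File": {"svc.exe"}}},
]
```

Calling `related_items(DISPLAYED, ALERTS)` yields A-2 under open/Hostname and A-3 under closed/File and closed/Agent/Sensor ID; passing `severities=None` also surfaces the Low-severity A-4, mirroring a widened table filter.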
Explore an Alert in Detail with Entity Graph
To dive deeper into the alert's associated entities and explore their relationships and details, select Entity Graph from the top right of the alert details page to launch Entity Graph.
Open Entity Graph from an Alert
Share an Alert
To share an alert with another user within the tenant, select the Copy share link icon for a direct URL.
Copy Link to Share Alert
View Alert in CEL Explorer
From the Actions menu, select View in CEL Explorer to test the outcome of CEL expressions against the data being viewed for use in Automations configurations. For more information, see CEL Explorer.
View Alert in CEL Explorer