🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Alert Details

alerts


Secureworks® Taegis™ XDR takes an event or events from a detector and turns it into an alert. Review the alert details to determine if it should be investigated further.

Manage an Alert

Users with the required role can take the following actions on alerts:

View Alert Details

Select an alert title anywhere throughout Secureworks® Taegis™ XDR to view its details.

Some areas of the application, like the Alerts page, will open a preview side panel featuring some essential details about the alert. This allows you to continue browsing through multiple alerts without losing your place or your filters.

View Alerts in the Side Panel

View Alerts in the Side Panel

To view the full details of the alert, select the Open in New Tab icon icon. The alert details page will open in a new tab.

Other areas of Secureworks® Taegis™ XDR, like the Recent Alerts widget, automatically open the full alert details page.

Note

Alerts prefixed with RESEARCH indicate that the detector or mechanism that generated the alert is in research mode as a part of our process to verify the feasibility of the detection as well as the false positive rate.

Tip

Threat Score is a new contextually aware priority value assigned to alerts by the patent-pending Taegis™ Prioritization Engine. For more information, see Threat Score.

Summary Tab

Summary Tab of a Stolen Credentials Alert

Summary Tab of a Stolen Credentials Alert

Depending on the type of alert, the alert details Summary tab may contain the following information:

JSON Tab

JSON Tab of an Alert

JSON Tab of an Alert

The JSON tab displays an expandable JSON view of the alert.

Events Tab

Events Tab of a Stolen Credentials Alert

Events Tab of a Stolen Credentials Alert

The Events tab contains a table of the event(s) that resulted in the creation of the alert.

To export the table of events, select the checkmarks of those you wish to export, then choose Actions > Export Selected as CSV.

Select an event to open a side drawer with the event details. Alternatively, select the Event Details sub-tab for collapsible detail sections of each event.

Threat Intel Tab

The Threat Intel tab provides Threat Intelligence enrichment data from the Secureworks Counter Threat Unit™ and APIVoid. For more information, see Threat Intelligence Alert Enrichment.

History Tab

The History tab contains a full audit log of the alert. Each log includes the timestamp, the category and type of activity, the user’s name and email, and the change logs.

Insights Tab

The Insights tab contains multiple sections that add additional context and list related alerts and investigations.

Insights Tab

Insights Tab

Threat Score

The first section lists the alert Threat Score. For more information, see Threat Score.

The alerts section lists alerts that have factors in common with the displayed alert so analysts can quickly determine if those alerts are in fact related to the displayed alert. They are organized into open and closed alerts, and those are further organized into the entity types they share in common with the displayed alert, such as Agent/Sensor ID, File, Hostname, etc.

Tip

Critical, High, and Medium severity alerts are displayed by default. If you want to include other severities, change the alerts table filter.

The investigations section lists open and closed investigations that include entities related to the displayed alert, organized by entity type. This can help analysts quickly determine if an investigation is already open for an entity during triage to avoid creating duplicate investigations. Closed investigations can add context to how investigations were previously handled for an entity.

Share an Alert

To share an alert with another user within the tenant, select the Copy share link icon for a direct URL.

Copy Link to Share Alert

Copy Link to Share Alert

 

On this page: