Alert Details
Secureworks® Taegis™ XDR takes an event or events from a detector and turns it into an alert. Review the alert details to determine if it should be investigated further.
Manage an Alert
Users with the required role can take the following actions on alerts:
View Alert Details
Select an alert title anywhere throughout XDR to view its details.
Some areas of the application, like the Alerts page, will open a preview side panel featuring some essential details about the alert. This allows you to continue browsing through multiple alerts without losing your place or your filters.
View Alerts in the Side Panel
To view the full details of the alert, select the alert title. Or, select the icon to open the details in a new tab.
Other areas of XDR, like the Recent Alerts widget, automatically open the full alert details page.
Note
Alerts prefixed with RESEARCH indicate that the detector or mechanism that generated the alert is in research mode as a part of our process to verify the feasibility of the detection as well as the false positive rate.
Tip
Threat Score is a new contextually aware priority value assigned to alerts by the patent-pending Taegis Prioritization Engine. For more information, see Threat Score.
Summary Tab
Summary Tab of a Stolen Credentials Alert
Depending on the type of alert, the alert details Summary tab may contain the following information:
- First and Last Activity — The first time an event occurred and the last time an event occurred
- Inserted At — The time that the event(s) were logged
- Severity — A measure of how much of a potential threat the activity poses to your environment. The severity score ranges from 1-100. The higher the score, the bigger the potential threat posed by the activity.
  Note
  If the alert’s severity level has changed, a message is displayed.
- Detector — The detector type that logged the event(s) that created the alert
- Confidence — A measure of how confident our systems are that the alert is accurate and represents malicious activity. The confidence score ranges from 1-100. The higher the score, the more confident we are that the alert indicates genuine malicious activity.
- Investigations — Any investigation(s) that the alert has been added to
- Description — A summary of the alert
- Alert JSON — The JSON of the event data that created the alert
- Affected Agents — Agents in XDR that are affected by the event(s)
- Process Data — The command line, program hash, process ID, and time window of the process event(s)
- Related Entities — Alerts that could be potentially related to the displayed alert
JSON Tab
JSON Tab of an Alert
The JSON tab displays an expandable JSON view of the alert.
Events Tab
Events Tab of a Stolen Credentials Alert
The Events tab contains a table of the event(s) that resulted in the creation of the alert.
To export the table of events, select the checkmarks of those you wish to export, then choose Actions > Export Selected as CSV.
Select an event to open a side drawer with the event details. Alternatively, select the Event Details sub-tab for collapsible detail sections of each event.
Threat Intel Tab
The Threat Intel tab provides Threat Intelligence enrichment data from the Secureworks Counter Threat Unit™ and APIVoid. For more information, see Threat Intelligence Alert Enrichment.
History Tab
The History tab contains a full audit log of the alert. Each log includes the timestamp, the category and type of activity, the user’s name and email, and the change logs.
Tip
Toggle the Show Only Update Events option to On to view only logs related to updates made to the alert. Leave Off to view all logs.
Insights Tab
The Insights tab contains multiple sections that add additional context and list related alerts and investigations.
Insights Tab
Threat Score
The first section lists the alert Threat Score. For more information, see Threat Score.
Related Alerts
The alerts section lists alerts that have factors in common with the displayed alert, so analysts can quickly determine whether those alerts are in fact related to it. They are organized into open and closed alerts, and each group is further organized by the entity types shared with the displayed alert, such as Agent/Sensor ID, File, Hostname, etc.
Tip
Critical, High, and Medium severity alerts are displayed by default. If you want to include other severities, change the alerts table filter.
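The grouping described above, written out as an added Python example that is not Secureworks code and does not use the Taegis schema: the alert records, their field names, the "open"/"closed" status values and the severity labels are constructed assumptions. It finds alerts sharing at least one entity with the displayed alert, applies the default Critical/High/Medium severity filter, and groups the matches by status and then by shared entity type.

```python
from collections import defaultdict

# Constructed sample alerts (assumed shape, not the Taegis alert schema).
ALERTS = [
    {"id": "A1", "title": "Stolen Credentials", "status": "open", "severity": "High",
     "entities": {"Hostname": {"ws-01"}, "Agent/Sensor ID": {"agent-123"},
                  "File": {"dump.exe"}}},
    {"id": "A2", "title": "Suspicious Login", "status": "open", "severity": "Medium",
     "entities": {"Hostname": {"ws-01"}, "Agent/Sensor ID": {"agent-123"}}},
    {"id": "A3", "title": "Malware Detected", "status": "closed", "severity": "Critical",
     "entities": {"File": {"dump.exe"}, "Hostname": {"srv-07"}}},
    {"id": "A4", "title": "Port Scan", "status": "open", "severity": "Low",
     "entities": {"Hostname": {"ws-01"}}},
    {"id": "A5", "title": "Unrelated Alert", "status": "open", "severity": "High",
     "entities": {"Hostname": {"srv-09"}}},
]

# Default severity filter from the tip above; change it to include others.
DEFAULT_SEVERITIES = frozenset({"Critical", "High", "Medium"})


def related_alerts(alert, alerts, severities=DEFAULT_SEVERITIES):
    """Return {"open": {entity_type: [ids]}, "closed": {entity_type: [ids]}}
    for alerts that share at least one entity value with `alert`."""
    grouped = {"open": defaultdict(list), "closed": defaultdict(list)}
    for other in alerts:
        # Skip the displayed alert itself and anything outside the filter.
        if other["id"] == alert["id"] or other["severity"] not in severities:
            continue
        for etype, values in alert["entities"].items():
            # An alert is related if any value of this entity type overlaps.
            if values & other["entities"].get(etype, set()):
                grouped[other["status"]][etype].append(other["id"])
    return {status: dict(by_type) for status, by_type in grouped.items()}


if __name__ == "__main__":
    for status, by_type in related_alerts(ALERTS[0], ALERTS).items():
        print(status, by_type)
```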
Related Investigations
The investigations section lists open and closed investigations that include entities related to the displayed alert, organized by entity type. This can help analysts quickly determine if an investigation is already open for an entity during triage to avoid creating duplicate investigations. Closed investigations can add context to how investigations were previously handled for an entity.
Share an Alert
To share an alert with another user within the tenant, select the Copy share link icon for a direct URL.
Copy Link to Share Alert