☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

Alert Details

Secureworks® Taegis™ XDR takes an event or events from a detector and turns it into an alert. Review the alert details to determine if it should be investigated further.

Manage an Alert ⫘

Users with the required role can take the following actions on alerts:

View Alert Details ⫘

Select an alert title anywhere throughout XDR to view its details.

Some areas of the application, like the Alerts page, will open a preview side panel featuring some essential details about the alert. This allows you to continue browsing through multiple alerts without losing your place or your filters.

View Alerts in the Side Panel

To view the full details of the alert, select the alert title. Or, select the Open in New Tab icon icon to open the details in a new tab.

Other areas of XDR, like the Recent Alerts widget, automatically open the full alert details page.

Note

Alerts prefixed with RESEARCH indicate that the detector or mechanism that generated the alert is in research mode as a part of our process to verify the feasibility of the detection as well as the false positive rate.

Tip

Threat Score is a new contextually aware priority value assigned to alerts by the patent-pending Taegis Prioritization Engine. For more information, see Threat Score.

Summary Tab ⫘

Summary Tab of a Stolen Credentials Alert

Depending on the type of alert, the alert details Summary tab may contain the following information:

First and Last Activity — The first time an event occurred and the last time an event occurred
Inserted At — The time that the event(s) were logged
Severity — A measure of how much of a potential threat the activity poses to your environment. The severity score ranges from 1-100. The higher the score, the bigger the potential threat posed by the activity.

Note

If the alert’s severity level has changed, a message is displayed.
Detector — The detector type that logged the event(s) that created the alert
Confidence — A measure of how confident our systems are that the alert is accurate and represents malicious activity. The confidence score ranges from 1-100. The higher the score, the more confident we are that the alert indicates genuine malicious activity.
Investigations — Any investigation(s) that the alert has been added to
Description — A summary of the alert
Alert JSON — The JSON of the event data that created the alert
Affected Agents — Agents in XDR that are affected by the event(s)
Process Data — The command line, program hash, process ID, and time window of the process event(s)
Related Entities — Alerts that could be potentially related to the displayed alert

JSON Tab ⫘

JSON Tab of an Alert

The JSON tab displays an expandable JSON view of the alert.

Events Tab ⫘

Events Tab of a Stolen Credentials Alert

The Events tab contains a table of the event(s) that resulted in the creation of the alert.

To export the table of events, select the checkmarks of those you wish to export, then choose Actions > Export Selected as CSV.

Select an event to open a side drawer with the event details. Alternatively, select the Event Details sub-tab for collapsible detail sections of each event.

Threat Intel Tab ⫘

The Threat Intel tab provides Threat Intelligence enrichment data from the Secureworks Counter Threat Unit™ and APIVoid. For more information, see Threat Intelligence Alert Enrichment.

History Tab ⫘

The History tab contains a full audit log of the alert. Each log includes the timestamp, the category and type of activity, the user’s name and email, and the change logs.

Tip

Toggle the Show Only Update Events option to On to view only logs related to updates made to the alert. Leave Off to view all logs.

Insights Tab ⫘

The Insights tab contains multiple sections that add additional context and list related alerts and investigations.

Insights Tab

Threat Score ⫘

The first section lists the alert Threat Score. For more information, see Threat Score.

The alerts section lists alerts that have factors in common with the displayed alert so analysts can quickly determine if those alerts are in fact related to the displayed alert. They are organized into open and closed alerts, and those are further organized into the entity types they share in common with the displayed alert, such as Agent/Sensor ID, File, Hostname, etc.

Tip

Critical, High, and Medium severity alerts are displayed by default. If you want to include other severities, change the alerts table filter.

The investigations section lists open and closed investigations that include entities related to the displayed alert, organized by entity type. This can help analysts quickly determine if an investigation is already open for an entity during triage to avoid creating duplicate investigations. Closed investigations can add context to how investigations were previously handled for an entity.

To share an alert with another user within the tenant, select the Copy share link icon for a direct URL.

Copy Link to Share Alert

Alert Details

Manage an Alert ⫘

View Alert Details ⫘

Summary Tab ⫘

JSON Tab ⫘

Events Tab ⫘

Threat Intel Tab ⫘

History Tab ⫘

Insights Tab ⫘

Threat Score ⫘

Related Alerts ⫘

Related Investigations ⫘

Share an Alert ⫘

On this page: