Alert Severity and Confidence
Severity and confidence scores make it easier for you to prioritize alert triage in your environment and address the most pressing alerts first. Find the severity and confidence for an alert in the Alert Details panel.
- Severity is a measure of how much of a potential threat the activity poses to your environment. The severity score ranges from 0.01 to 1. The higher the score, the bigger the potential threat posed by the activity. Severities have the following ratings:
  - Informational: 0 to 0.199...
  - Low: 0.2 to 0.399...
  - Medium: 0.4 to 0.599...
  - High: 0.6 to 0.799...
  - Critical: 0.8 to 1

  Note: If the alert's severity level has changed, a message is displayed in the alert details.
- Confidence is a measure of how confident our systems are that the alert is accurate and represents malicious activity. The confidence score ranges from 1 to 100. The higher the score, the more confident we are that the alert indicates genuine malicious activity.

  Tip: Threat Score is a new contextually aware priority value assigned to alerts by the patent-pending Taegis Prioritization Engine. For more information, see Threat Score.
How are Severity and Confidence Determined?
Each detector collects different data from your environment to monitor for malicious activity, and uses different aspects of that data to determine its severity and confidence scores.
For example, the DGA Detector is a machine learning model-based detector that computes the probability that a domain is potentially an indicator of malicious activity. Both severity and confidence scores are based on the probability computed by the detector.
Other detectors define both severity and confidence statically, such as the Tactic Graphs™ Detector, which has a static severity and confidence score defined per adversary tactic. Similarly, Secureworks® Taegis™ XDR watchlist detectors use a static severity and confidence score set by the security researchers who created the watchlist.
Third-Party Alerts
Third-party alerts ingested into XDR are interpreted for severity level and confidence differently depending on the originating device. In general, XDR maps the two highest severity levels of a third-party product to High and Critical severity, unless the activity was blocked; XDR lowers the severity of blocked activity to Low.
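The rating bands above and the third-party mapping rule, applied to a small triage queue, as an added example that is not Taegis code: `severity_rating` implements the documented bands with exclusive upper bounds, `third_party_rating` applies the "two highest vendor levels, unless blocked" rule (how vendor levels below the top two are mapped is not stated on the page, so collapsing them to Medium is an assumption of this example), and `triage_order` sorts by rating and then confidence. The alert names and vendor level labels are constructed.

```python
from dataclasses import dataclass

RATINGS = ["Informational", "Low", "Medium", "High", "Critical"]


def severity_rating(score: float) -> str:
    """Map a 0-1 severity score to its documented band.
    Upper bounds are exclusive: 0.199... is Informational, 0.2 is Low, 1.0 is Critical."""
    if not 0.0 <= score <= 1.0:
        raise ValueError(f"severity score out of range: {score}")
    if score < 0.2:
        return "Informational"
    if score < 0.4:
        return "Low"
    if score < 0.6:
        return "Medium"
    if score < 0.8:
        return "High"
    return "Critical"


def third_party_rating(vendor_levels: list[str], level: str, blocked: bool) -> str:
    """Apply the documented rule for ingested third-party alerts.
    vendor_levels lists the vendor's own levels from lowest to highest."""
    if blocked:
        return "Low"                     # blocked activity is reduced to Low
    rank = vendor_levels.index(level)    # ValueError on an unknown vendor label
    if rank == len(vendor_levels) - 1:
        return "Critical"                # vendor's highest level
    if rank == len(vendor_levels) - 2:
        return "High"                    # vendor's second-highest level
    return "Medium"                      # assumption: lower levels are not specified on the page


@dataclass
class Alert:
    title: str
    rating: str       # one of RATINGS
    confidence: int   # 1 to 100


def triage_order(alerts: list[Alert]) -> list[str]:
    """Highest rating first; within a rating, highest confidence first."""
    ranked = sorted(alerts, key=lambda a: (RATINGS.index(a.rating), a.confidence), reverse=True)
    return [a.title for a in ranked]


VENDOR_LEVELS = ["low", "medium", "high", "critical"]   # constructed vendor scale
SAMPLE = [                                               # constructed alerts, not real output
    Alert("dga-lookup", severity_rating(0.55), 72),
    Alert("edr-blocked-macro", third_party_rating(VENDOR_LEVELS, "critical", blocked=True), 95),
    Alert("edr-cred-dump", third_party_rating(VENDOR_LEVELS, "high", blocked=False), 80),
    Alert("watchlist-hit", severity_rating(0.8), 60),
]
```

Note that the blocked vendor-critical alert sorts last despite its confidence of 95, because the blocked rule drops it to Low before triage ordering is applied.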