☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

Alerts

Secureworks® Taegis™ XDR takes an event or events from a detector and turns it into an alert. Review the alert details to determine if it should be investigated further.

All alerts are available on the Alerts panel, which includes a table of alerts that can be filtered and exported.

Note

The Alerts table is limited to 10,000 results. Apply filters to narrow the results.

Note

Alerts prefixed with RESEARCH indicate that the detector or mechanism that generated the alert is in research mode as a part of our process to verify the feasibility of the detection as well as the false positive rate.

Tip

Threat Score is a new contextually aware priority value assigned to alerts by the patent-pending Taegis Prioritization Engine. For more information, see Threat Score.

Get to the Alerts Panel ⫘

The Alerts panel can be accessed by selecting Alerts from the XDR side menu bar.

Alerts

When you open any list of alerts throughout XDR, the Alerts panel displays prepopulated with filtered alerts. For example, select View All from the Recent Alerts widget to view recent alerts.

Select an alert title to view some of its essential details in a preview side panel. This allows you to continue browsing through the results table without losing your place or your filters. To view the full details of the alert, select Open in a New Tab. The alert details panel opens in a new tab.

Tip

Adjust the width of the preview side panel by holding and dragging it.

Different Alert Views

Filter for Alerts ⫘

To filter the Alerts table:

Use the collapsible filters menu to narrow down the list of matching alerts.

Note

Filter results are aggregated to a maximum of 1,000. Adjust the time period or additional filters to narrow results further.

Use Include Options in the filters menu to include or exclude custom alerts and triaged alerts. They are excluded by default.
Change the selected time period using the drop-down date/time picker at the top right of the dashboard. The default time period is 72 Hours, but choosing a custom time period overwrites it. The most recent time period you select becomes the new default.

Filter Alerts

Schema Changes ⫘

XDR’s new Alerts framework has an updated schema which changes how you construct search queries in XDR’s and through the new Alerts GraphQL API. Some fields have been moved, and some have been removed entirely. The following table summarizes the changes:

Previous	New
alert_type	Moved to `metadata.creator.detector.detector_id`
attack_categories	Moved to `attack_technique_ids`
attack_categories_info	Moved to `enrichment_details.mitre_attack_info`
confidence	Moved to `metadata.confidence`
creator	Moved to `metadata.creator.detector.detector_id`
creator_version	Moved to `metadata.creator.detector.version`
data	Moved to `enrichment_details or third_party_details`
description	Moved to `metadata.description`
insert_timestamp	Moved to `metadata.created_at`
investigations	Moved to `investigation_ids.id`
labels_data	Moved to `status` and `resolution_reason`
message	Moved to `metadata.title`
references	Moved to `reference_details`
related_entities	Moved to `entities.entities`
severity	Moved to `metadata.severity`
timestamp	Moved to `metadata.began_at`
investigation_info	REMOVED. Reference Investigation queries
ranking_data	REMOVED
source	REMOVED

Export Alerts ⫘

You can export data from alerts tables in Taegis™ XDR as a CSV file.

Export Selected ⫘

Use the checkboxes to select the alerts you wish to download.
From the Actions menu on the upper right-hand of the results table, select Export Selected as CSV. The download request is sent and is processed.
Navigate to Data Exports to check the status of the request and download any available files.

Export All ⫘

From the Actions menu on the upper right-hand of the results table, select Export All as CSV. The download request is sent and is processed.
Navigate to Data Exports to check the status of the request and download any available files.

Note

Downloadable files have an expiration date, which is listed in the Downloads table File Expiration column.

Tip

Files available for download are limited to 100,000 rows. If a data set larger than 100,000 rows in size is needed, you must refine the data table through date picker or search parameters and/or submit multiple requests spanning the full desired dataset.

Alerts

Get to the Alerts Panel ⫘

Filter for Alerts ⫘

Schema Changes ⫘

Export Alerts ⫘

Export Selected ⫘

Export All ⫘

On this page: