Alerts
Secureworks® Taegis™ XDR takes an event or events from a detector and turns it into an alert. Review the alert details to determine if it should be investigated further.
All alerts are available on the Alerts panel, which includes a table of alerts that can be filtered and exported.
Note
The Alerts table is limited to 10,000 results. Apply filters to narrow the results.
Note
Alerts prefixed with RESEARCH indicate that the detector or mechanism that generated the alert is in research mode as a part of our process to verify the feasibility of the detection as well as the false positive rate.
Tip
Threat Score is a new contextually aware priority value assigned to alerts by the patent-pending Taegis Prioritization Engine. For more information, see Threat Score.
View All Alerts ⫘
The Alerts panel can be accessed by selecting Alerts from the Taegis Menu.
Alerts
When you open any list of alerts throughout XDR, the Alerts panel displays prepopulated with filtered alerts. For example, select View All from the Recent Alerts widget to view recent alerts.
Select an alert title to view some of its essential details in a preview side panel. This allows you to continue browsing through the results table without losing your place or your filters. To view the full details of the alert, select Open in a New Tab. The alert details panel opens in a new tab.
Tip
Adjust the width of the preview side panel by holding and dragging it.
Different Alert Views
Filter for Alerts ⫘
To filter the Alerts table:
- Use the collapsible filters menu to narrow down the list of matching alerts.
Note
Filter results are aggregated to a maximum of 1,000. Adjust the time period or additional filters to narrow results further.
- Use Include Options in the filters menu to include or exclude custom alerts and triaged alerts. They are excluded by default.
- Change the selected time period using the drop-down date/time picker at the top right of the dashboard. The default time period is 72 Hours, but choosing a custom time period overwrites it. The most recent time period you select becomes the new default.
Filter Alerts
Schema Changes ⫘
XDR’s new Alerts framework has an updated schema which changes how you construct search queries in XDR’s and through the new Alerts GraphQL API. Some fields have been moved, and some have been removed entirely. The following table summarizes the changes:
| Previous | New |
|---|---|
| alert_type | Moved to metadata.creator.detector.detector_id |
| attack_categories | Moved to attack_technique_ids |
| attack_categories_info | Moved to enrichment_details.mitre_attack_info |
| confidence | Moved to metadata.confidence |
| creator | Moved to metadata.creator.detector.detector_id |
| creator_version | Moved to metadata.creator.detector.version |
| data | Moved to enrichment_details or third_party_details |
| description | Moved to metadata.description |
| insert_timestamp | Moved to metadata.created_at |
| investigations | Moved to investigation_ids.id |
| labels_data | Moved to status and resolution_reason |
| message | Moved to metadata.title |
| references | Moved to reference_details |
| related_entities | Moved to entities.entities |
| severity | Moved to metadata.severity |
| timestamp | Moved to metadata.began_at |
| investigation_info | REMOVED. Reference Investigation queries |
| ranking_data | REMOVED |
| source | REMOVED |
Export Alerts ⫘
You can export data from alerts tables in Taegis™ XDR as a CSV file.
Export Selected ⫘
- Use the checkboxes to select the alerts you wish to download.
- From the Actions menu on the upper right-hand of the results table, select Export Selected as CSV. The download request is sent and is processed.
- Navigate to Data Exports to check the status of the request and download any available files.
Export All ⫘
- From the Actions menu on the upper right-hand of the results table, select Export All as CSV. The download request is sent and is processed.
- Navigate to Data Exports to check the status of the request and download any available files.
Note
Downloadable files have an expiration date, which is listed in the Downloads table File Expiration column.
Tip
Files available for download are limited to 100,000 rows. If a data set larger than 100,000 rows in size is needed, you must refine the data table through date picker or search parameters and/or submit multiple requests spanning the full desired dataset.